CISA Releases Second Version of Guidance for Secure Migration to the Cloud

The Cybersecurity and Infrastructure Security Agency (CISA) published the second version of “Cloud Security Technical Reference Architecture (TRA)” today, which strengthens guidance to fulfill a key mandate under President Biden’s Executive Order (EO) 14028 - "Improving the Nation's Cybersecurity." The Cloud Services TRA is designed to guide agencies’ secure migration to the cloud by defining and clarifying considerations for shared services, cloud migration, and cloud security posture management.

As the Federal Government, along with organizations across sectors, continues to migrate to the cloud, it is paramount that agencies implement measures to protect it. The Cloud Security TRA, co-authored by CISA, the United States Digital Service (USDS), and the Federal Risk and Authorization Management Program (FedRAMP), provides foundational guidance for organizations to use public cloud more securely and improve the ability of the federal government to identify, detect, protect, respond, and recover from cyber incidents.

“As the nation’s cyber defense agency, CISA works collaboratively with our interagency partners to implement improvements that make our federal civilian agencies more resilient to cyber threats,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “The updated Cloud Security TRA is a key step forward for each agency’s transition to the cloud environment. CISA and our partners will continue to provide expert, coherent, and timely guidance to help agencies modernize their networks with sound cybersecurity and resilience to protect against evolving cyber adversaries. While the TRA was developed for federal agencies, all organizations using or migrating to cloud environments should review this document and adopt the practices therein as applicable to most effectively manage organizational risk.”

In consultation with the Office of Management and Budget, the three agencies adjudicated more than 300 public comments received in September 2021. This feedback helped to further strengthen the Cloud Security TRA and fully address a host of considerations for secure cloud migration. A summary of the feedback received, as well as a Response to Comments (RTC), is available in the Response to Comments for Cloud Security Technical Reference Architecture.

How to map the Cybersecurity Threat Landscape? Follow the ENISA 6-step Methodology

The cybersecurity threat landscape methodology developed by the European Union Agency for Cybersecurity (ENISA) aims at promoting consistent and transparent threat intelligence sharing across the European Union.

With a cyber threat landscape in constant evolution, the need for updated and accurate information on the current situation is growing, and this is a key element for assessing relevant risks.

This is why ENISA releases today an open and transparent framework to support the development of threat landscapes.

The ENISA methodology aims to provide a baseline for the transparent and systematic delivery of horizontal, thematic and sectorial cybersecurity threat landscapes (CTL), built on a systematic and transparent process for data collection and analysis.

Who can benefit from this new methodology?

This new methodology is made available to ENISA’s stakeholders and to other interested parties who wish to generate their own cyber threat landscapes. Adopting and/or adapting the proposed new CTL framework will enhance their ability to build situational awareness, to monitor and to tackle existing and potential threats.

ENISA will also be using this new methodology to deliver an enhanced annual ENISA Threat Landscape (ETL). It will also be used to generate technical or sectorial threat landscapes.

How does the methodology work?

The framework is based on the different elements that go into performing a cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, methods and tools used, as well as the stakeholders involved.

Building on the existing modus operandi, this methodology provides directions on the following:

- defining components and contents of each of the different types of CTL;
- assessing the target audience for each type of CTL to be performed;
- how data is collected from the various sources;
- how data is analysed;
- how data is to be disseminated;
- how feedback is to be collected and analysed.

The ENISA methodology consists of six main steps, with feedback foreseen and associated with each of these steps:

1. Direction;
2. Collection;
3. Processing;
4. Analysis and production;
5. Dissemination;
6. Feedback

This CTL methodology has been validated by the ENISA ad-hoc working group on the Cybersecurity Threat Landscape (CTL WG). The group consists of European and international experts from both public and private sector entities.

Defense Industrial Base: DOD Should Take Actions to Strengthen Its Risk Mitigation Approach

A healthy defense industrial base that provides the capacity and capability to produce advanced weapon systems is critical to maintaining U.S. national security objectives. The U.S. industrial base currently consists of over 200,000 companies. Mitigating risks—such as reliance on foreign and single-source suppliers—is essential for DOD to avoid supply disruptions and ensure that the industrial base can meet current and future needs.

Since 2017, the White House has issued executive orders directing DOD and other agencies to assess risks to the defense industrial base and high priority supply chains such as semiconductors.

Congress also directed DOD to develop an analytical framework for mitigating risks and included a provision for GAO to review DOD's efforts. This report assesses (1) DOD's strategy for mitigating industrial base risks, and (2) the extent to which DOD is monitoring and reporting on its progress in mitigating risks. GAO analyzed DOD policies and reports and interviewed DOD officials.

More than 200,000 companies provide supplies, parts, and manufacturing for DOD's weapon systems. Risks to this defense industrial base include materials shortages, reliance on foreign suppliers, and more.

Various DOD offices and the military services monitor such risks and work to mitigate them. However, DOD doesn't have a robust strategy to mitigate risks or track progress department-wide.

Visibility over its department-wide efforts could help DOD determine whether the billions of dollars being spent are paying off. We recommended developing a robust strategy and measuring and reporting on DOD-wide industrial base risk mitigation efforts.

The Department of Defense's (DOD) Industrial Base Policy office does not yet have a consolidated and comprehensive strategy to mitigate risks to the industrial base—the companies that develop and manufacture technologies and weapon systems for DOD. The office is using a combination of four previously issued reports that were created for other requirements because it devoted its resources to completing other priorities. Collectively, the reports do not include several elements GAO has previously identified that would help DOD achieve results, evaluate progress, and ensure accountability.

DOD must update its industrial base strategy following the submission of the next National Security Strategy Report, which is expected to be issued later in 2022. By including all elements in a consolidated strategy, DOD could better ensure that all appropriate organizations are working toward the same priorities, promoting supply chain resiliency, and supporting national security objectives.

DOD is carrying out numerous efforts to mitigate risks to the industrial base. This includes more than $1 billion in reported efforts under Navy submarine and destroyer programs and $125 million to sustain a domestic microelectronics manufacturer. However, DOD has limited insight into the effectiveness of these efforts and how much progress it has made addressing risks. For example:

- The Industrial Base Policy office and military services have not established enterprise-wide performance measures to monitor the aggregate effectiveness of DOD's mitigation efforts.
- DOD's annual Industrial Capabilities Reports do not include information about the progress the department has made in mitigating risks.

GAO's prior work on enterprise risk management establishes that agencies should monitor and report on the status and effectiveness of their risk mitigation efforts. Without key monitoring and reporting information, DOD and Congress do not have sufficient information to help determine whether industrial base risks have been mitigated and what additional resources or actions may be needed.

GAO is making six recommendations, including that DOD develop a consolidated and comprehensive strategy to mitigate industrial base risks; develop and use enterprise-wide performance measures to monitor the aggregate effectiveness of its efforts; and report on its progress in mitigating risks. DOD generally concurred with the recommendations and identified some actions to address them.

Coastal Navigation: Authorized Purposes of Marine Structures Can Impact Corps' Maintenance and Repair

The movement of commerce involves the ability of the Corps to provide safe, reliable, efficient, and environmentally sustainable waterborne transportation systems. The agency is tasked with maintaining and repairing coastal navigation structures that are part of harbors and ports. The Corps' activities, including the type and scope of coastal navigation structures that the Corps may construct and maintain, are authorized by Congress. The authorization usually refers to the document or report recommending the project to Congress, which Congress then references in the legislation authorizing the project.

A number of the coastal navigation structures maintained by the Corps were built over a century ago and may no longer be sufficient to meet current conditions and changes in the climate. For example, increased wave and storm intensity in coastal areas threaten the integrity of jetties that shelter harbor basins and entrances from waves. This potentially jeopardizes lives and communities, disrupts commercial navigation traffic, and increases the frequency and cost of needed repairs.

A report accompanying the 2020 Energy and Water Development and Related Agencies Appropriations Bill includes a provision for GAO to review how to increase the Corps' capacity to repair and maintain existing projects before they deteriorate to the point of failure. This report describes what factors, if any, affect the Corps' ability to consider impacts not directly related to navigation when determining which existing coastal navigation structures to maintain and repair.

To address this objective, GAO selected coastal navigation structures at four projects for use as illustrative examples based on input from Corps officials. GAO reviewed legislation and Corps documents to verify statements about the Corps' oversight of the structures, as appropriate. GAO interviewed officials from Corps headquarters, all eight divisions based in the United States, and at least one district from each division (16 districts total). GAO also interviewed nonfederal partners, such as officials from state and local government and organizations representing the navigation industry.

The authorized purpose of coastal navigation structures can impact the U.S. Army Corps of Engineers' (Corps) maintenance and repair decisions. According to Corps officials in headquarters, divisions, and selected districts, the authorizing language for coastal navigation structures in some instances (1) designates navigation as the structures' authorized purpose and (2) can restrict flexibility or adaptive management.

Specifically, the authorizing language directs the Corps to consider navigation benefits and impacts for coastal navigation structures when making repair decisions. Corps officials said that because there is not enough funding to cover all the maintenance and repair needs for these structures in a given year, the agency prioritizes the structures based on navigation-focused criteria—primarily the amount of commercial tonnage. Yet some structures provide economic value even though they may not have the highest commercial tonnage, according to Corps officials. These officials said that they cannot incorporate nonnavigation benefits of structures, such as protection of coastal areas, when making decisions, absent a change to the authorizing language or an additional authorization.

The authorizing language can also restrict the Corps' ability to adapt structures to current conditions. The language can include or reference structure specifications—specific length or height—that do not allow the Corps to make updates to the structures that could better address current or changing conditions, according to Corps officials. The officials told GAO that although the authorizing language for structures varies in its level of specificity, where the language is restrictive it requires the Corps to use original design specifications, which can date back decades, when repairing damaged structures. The Corps views repairs that do not adhere to the original specifications as unauthorized. However, these specifications may not reflect current design standards or changes in the conditions affecting the structures since the structures were built. For example, the structures' designs may not be able to address more frequent severe storms and wave action and sea level rise. Flexibility in making decisions on how to maintain and repair coastal navigation structures could better position the Corps to address these changing conditions, according to Corps officials.

EU-funded project supports stress testing of Tajikistan’s disaster risk management system

Experts from the National Platform for Disaster Risk Reduction of Tajikistan, international and local organizations, and representatives of business and academia participated in a stress testing workshop of Tajikistan’s disaster risk management (DRM) system against the most impactful disaster scenarios in the country. The workshop was funded by the European Union (EU) and organized by the United Nations Office for Disaster Risk Reduction (UNDRR) within the joint project on disaster risk reduction in Central Asia.

Tajikistan’s Committee of Emergency Situations & Civil Defense and UNDRR concluded a comprehensive DRM system capacity assessment and planning exercise, which revealed major needs and challenges in the system and suggested a targeted plan of action to strengthen the disaster risk reduction (DRR) policy implementation in the country.

As the next step of the process, the EU-UNDRR project supported the National Platform to conduct a stress test analysis - a scenario-based multi-stakeholder assessment process to evaluate the state of national capabilities to reduce, absorb and transfer disaster risk and develop a targeted action plan to further support the strengthening of the DRM system. During the meeting, participants developed disaster scenarios for Tajikistan based on relevant sources, and prioritized required DRM system capacities against the disaster scenarios.

Over the past years, Tajikistan has made significant progress in increasing its capacity in DRM and in the implementation of the Sendai Framework for Disaster Risk Reduction 2015-2030. As part of the work towards reducing disaster risks, Tajikistan developed and adopted the National Strategy for Disaster Risk Reduction in 2019; its implementation is guided by the National Platform for DRR. However, the increasing challenges posed by climate change and the rapid change of global hazard trends may place strong stress on the DRM system of the country.

Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

U.S. critical infrastructure (such as utilities, financial services, and pipelines) faces increasing cybersecurity risks. Understanding these risks and associated vulnerabilities, threats, and impacts is essential to protecting critical infrastructure.

Cybersecurity Vulnerabilities, Threats, and Impacts

Vulnerabilities. Critical infrastructure has become more vulnerable to cyberattacks for reasons that include greater use of interconnected electronic systems.

Threats. Threat actors—such as nation-states, criminal groups, and terrorists—have become increasingly capable of carrying out cyberattacks on critical infrastructure.

Impacts. Federal and industry data indicate that cyberattacks—including those affecting critical infrastructure—generally have increased in frequency and cost.

Source: Prior GAO reports and GAO analysis of agency and industry documentation.

The effects of cyber incidents can spill over from the initial target to economically linked firms—magnifying damage to the economy. For example, in May 2021 the Colonial Pipeline Company learned that it was the victim of a cyberattack that led to short-lived gasoline shortages.

Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks. Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.

The Department of the Treasury's Federal Insurance Office (FIO) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cybersecurity risks. However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response. CISA is the primary risk advisor on critical infrastructure and FIO the federal monitor of the insurance sector. Accordingly, they are well-positioned to jointly perform such an assessment. Doing so and reporting the results to Congress can inform deliberations on whether a federal insurance response is warranted.

If such a response were deemed necessary, GAO's framework for providing federal assistance to private market participants (GAO-10-719) could help inform its design. The framework notes the need to define the problem, mitigate moral hazard (that the existence of a federal backstop could result in entities taking greater risks), and protect taxpayer interests. Consistent with these elements, any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.

Cyber threats to critical infrastructure represent a significant economic challenge. Although cyber incident costs are paid in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market.

The Further Consolidated Appropriations Act, 2020, includes a provision for GAO to study cyber risks to U.S. critical infrastructure and available insurance for these risks. This report examines the extent to which (1) cyber risks for critical infrastructure exist; (2) private insurance covers catastrophic cyber losses and TRIP provides a backstop for such losses; and (3) cognizant federal agencies have assessed a potential federal response for cyberattacks.

GAO reviewed cyber insurance coverage literature and reports on cyber risk and the insurance market. GAO interviewed CISA and FIO officials and industry stakeholders (e.g., critical infrastructure owners, insurers, and brokers) that were selected based on factors such as expertise and market share.

Cyber insurance can help offset costs of some common cyber risks, like data breaches or ransomware. But cyber risks are growing, and cyberattacks targeting critical infrastructure—like utilities or financial services—could affect entire systems and result in catastrophic financial loss.

Insurers and the government's terrorism risk insurance may not be able to cover such losses. For example, the government's insurance may only cover cyberattacks if they can be considered "terrorism" under its defined criteria.

CISA and FIO should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies agreed with the recommendations.

ESA-backed project supports oil and gas safety by keeping an eye on the ground

Oil and gas supplies are dependent on multiple factors, including the stability of the ground wherever oil or gas is being stored or transported. In March 2021, LiveEO started assessment and development of an end-to-end solution for monitoring ground deformation for the entire value chain of the industry, based on interferometric synthetic aperture radar (InSAR) satellite data combined with artificial intelligence (AI). The aim was to help the industry ensure safety across its assets by providing an early warning system that could inform maintenance or safety actions.

Providing actionable insights

Founded in 2017, LiveEO has a background in using Earth observation (EO) data to provide a range of services to operators of large-scale infrastructure, such as railways, electricity grids and pipelines. It combines data analysis with risk analysis to create actionable insights on aspects such as vegetation management, detection of construction activity and ground deformation monitoring — all of which present challenges for reasons that include climate change and environmental factors.

With this Kick-Start activity, co-funded by ESA, LiveEO’s team used its experience in servicing pipeline customers to explore the feasibility of a holistic, end-to-end solution for ground deformation monitoring. The investigation included risk models that quantify the risk to specific assets resulting from ground deformation and how the insights could be delivered to customers and integrated into their processes to create automatic triggers.

The LiveEO team analysed the opportunities through surveys of more than 50 companies and countries, including existing clients in the pipeline industry, as well as researching the broader landscape. Initial data came from Sentinel-1 synthetic aperture radar (SAR) imagery, which will be enriched by higher resolution StripMap and SpotLight SAR imagery from Capella Space or ICEYE satellites to investigate any anomalies that have been detected.

Sven Przywarra, the Co-CEO and co-founder of LiveEO said: “The Kick-Start activity enabled LiveEO to validate a business case in a unique setting, and also created an environment that allowed our business development team to take the right steps from a business idea to product development. The combination of guidance, support and clear goal setting from ESA was greatly appreciated, because it gave us the entrepreneurial freedom necessary for the exploration of new ideas paired with acquiring a depth of knowledge similar to a classic research project."

The increasing need for ground deformation insights

The requirement for such insights results from an increasing number of oil wells, pipelines, storage facilities and other oil and gas related infrastructure exceeding their original lifespans. This is leading to more complex maintenance for operators and increased risks that impact both the industry itself and the surrounding environment and communities. One of the major sources of risk is ground deformation due to industrial operations or natural seismic activity. Where infrastructure and assets span large areas, these risks can be very difficult to measure and dangerous trends can go undetected.

Traditional monitoring methods, such as land surveying or sensors and drones, can only give a partial picture. Satellites enable monitoring of deformation trends across entire countries with weekly update intervals — something that would be prohibitively expensive or even impossible via other means. InSAR data delivers deformation values at individual pixel levels, allowing the identification of trends over long periods of time; this can be supplemented with historical data.

The company is currently developing the AI side of the project, with the aim of completing development by the end of 2022. The plan is then to undertake a demonstration project and have a marketable subscription service ready by the end of the following year.

NCSC joins industry to offer unprecedented protection for public from scams

CITIZENS across the UK are set to benefit from a landmark partnership between government and industry which will see access to scam websites instantly blocked.

A new data sharing capability developed by the National Cyber Security Centre (NCSC) – a part of GCHQ – in collaboration with industry partners will present Internet Service Providers (ISPs) with real-time threat data that enables them to instantly block access to known fraudulent sites.

The new capability is being made available to all ISPs operating in the UK and will significantly bolster the nation’s ability to protect citizens from cyber criminals. In due course, even more defenders will be invited to join, including browser and managed service providers.

The NCSC has previously highlighted the problem of scam websites, including fake news pages where celebrities such as Ed Sheeran and Sir Richard Branson appear to be endorsing investment schemes that seek to trick people into parting with their money.

The satellite-enabled emergency response system that could make a life-saving difference

The COVID-19 pandemic has challenged ambulance services like never before. First RESPonse was created to help professionals respond to emergency calls more rapidly through enhanced technology. With support from ESA Space Solutions, the system developed in a Demonstration Project streamlined communication and information sharing throughout the chain of response and reduced call-to-hospital times for patients by up to 17%.

During the worst months of the COVID-19 pandemic, emergency call centres experienced extremely high rates of urgent medical calls. Coordination of the ambulance response was challenging and made more complex by the changing landscape of medical resources; hospitals were filling up, and temporary emergency facilities were opening.

The First RESPonse (First Rapid Emergency System against Pandemic) project launched in Italy in July 2020, with the aim to improve coordination of the entire process of a medical emergency request: from a patient’s distress call to the point of hospitalisation.

The project brought together two major players in European emergency service software and telecommunications: GINA Software and Beta 80. Forming a new consortium, the companies achieved complete integration of their products and – supported by ESA – incorporated space technology for enhanced geolocation accuracy and communication coverage.

Digital links for a faster chain

First RESPonse digitally connects each link in the emergency chain of response. It begins with an app on a citizen’s smartphone, through which they can call for help, see when help has been dispatched and when it is due to arrive. Ambulance dispatchers in the call centre have a constant digital connection to their crews via a workstation. They can keep them updated on the scene, the patient’s condition, and the status of the nearest hospital facilities. First responders have a tablet through which they receive up-to-date information about the patient and automatic SatNav directions to their location, and they can video consult with a doctor from the field. They can also scan the patient’s ID card so that receiving hospitals know who is coming in, as well as when they are expected.

The system was piloted by selected ambulance services in Italy and the Czech Republic and used in almost 9,000 incidents. In this pilot project, First RESPonse accelerated the pre-hospital chain by between 12 and 17%.

Arnaud Runge, Medical Engineer at ESA said: “In a medical emergency every minute counts. Cutting the time it takes an ambulance to reach a critically ill patient, and to get them to hospital, can make a life-saving difference. We’re proud to have enhanced First RESPonse with space technology.”

From pandemic to systemic

Following the successful completion of the pilot, First RESPonse is being promoted to emergency services more widely in Italy and the Czech Republic – where GINA and Beta 80 have most of their customers – and beyond.

Martin Ingr from GINA said: “The products and services that were created during the project are aimed to remain sustainable also after the pandemic is overcome. Our goal is that the problems solved through the First RESPonse project become part of the standard operation procedure. The system can be used again against this or other pandemics, during the response to disasters such as earthquakes, as well as improving daily operations of emergency services.”

[Source: ESA]

Closer stakeholder cooperation essential for ransomware investigations to succeed

The scale and impact of ransomware attacks have increased significantly over the past years, in part due to the COVID-19 pandemic. As such, the success of criminal investigations and prosecutions depends more than ever on close cross-border cooperation between public authorities, private companies and victims. Public-private cooperation is particularly valuable in such cases, as companies can preserve and provide the data and evidence investigators need to investigate crimes and identify criminals.

These are some of the main conclusions from the latest edition of the Cybercrime Judicial Monitor, featuring a special focus on ransomware investigations, published this month.

Cooperation between stakeholders in ransomware investigations is essential. This includes the reporting of ransomware attacks by victims, the preservation and possible analysis of digital evidence by private companies, and the investigation and prosecution by public authorities. The international dimension of investigations and the complexity of identifying criminals require early and close cross-border coordination between judicial and law enforcement authorities. Actions by each stakeholder group play a key role in the mitigation of damages, disruption of attacks and the identification and prosecution of perpetrators.

The report, based on practitioners’ input, highlights the challenges encountered in ransomware investigations. These include:

- the loss of data and important e-evidence;
- the criminal use of encryption and anonymisation techniques preventing the identification of suspects;
- the complexity of investigations and the lack or delay of international coordination;
- the absence of a harmonised data-retention legal framework; and
- insufficient resources and expertise of law enforcement authorities.

Despite these obstacles, practitioners can learn from the many good practices showcased in the report. These include the swift notification of ransomware attacks to relevant authorities and the creation of technical reports by the victim or affected company. Continuous information exchange between the authorities and the victim/technical team has proved highly important. The provision of guidelines for public authorities on how to deal with ransomware attacks, as well as specialised training for police and judicial authorities, is also key.

The report underlines the successful use of joint investigation teams facilitated by Eurojust, which have led to the identification, arrest and prosecution of cybercriminals. The building of trust between public authorities and private companies by sharing information and regular communication is also essential. Although most countries do not have a specific legal framework for public-private cooperation, experience has shown that such frameworks have enabled ransomware investigations to succeed and that they are therefore much needed.