Tackling Security Challenges in 5G Networks

Agency News, Cyber Security CII sector, Industry News, Telecomms sector

The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.

Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.

The report released today supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

How does it work?

Traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. Network Function Virtualisation is a new technology used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms.

Applying network function virtualisation will therefore reduce the number of operations and maintenance costs.

60 security challenges were identified in the report and classified under 7 categories:

- Virtualisation or containerisation;
- Orchestration and management;
- Administration and access control;
- New and legacy technologies;
- Adoption of open source or COTS;
- Supply chain;
- Lawful interception (LI).

How do we address the security challenges

The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. The work includes a total of 55 best practices classified under Technical, Policy and Organisational categories.

Some of the key findings the report include:

- Resource virtualisation:
The virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences.

- Resource sharing:
A single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.

- Use of open source:
There will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws.

- Multi-vendor environment:
In such environment, it remains difficult to coordinate security policies and determine responsibility for security problems and more effective network security monitoring capabilities are required.

NFV is an important technology in 5G and its security is critical for the overall security of the 5G networks, especially because 5G networks are underpinning critical infrastructures.

Leave a comment , , ,

Building cyber secure Railway Infrastructure

Agency News, Cyber Security CII sector, Industry News, Transport sector

The European Union Agency for Cybersecurity (ENISA) delivers a joint report with the European Rail Information Sharing and Analysis Center (ISAC) to support the sectorial implementation of the NIS Directive.

The report released is designed to give guidance on building cybersecurity zones and conduits for a railway system.

The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with a guidance to help railway operators with the practical implementation of the zoning process.

The work gathers the experience of the European Rail ISAC and of their members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.

A number of requirements are set, such as:

- Identification of all assets and of basic process demands;
- Identification of global corporate risks;
- Performing zoning;
- Checking threats.

A risk assessment process is developed based on standards for the identification of assets and the system considered, and for the partitioning of zones and conduits. The report also addresses the cybersecurity requirements in terms of documentation and suggests a step-by-step approach to follow.

The report is released on the occasion of the General Assembly meeting of the European Rail ISAC which is taking place today.

The EU Agency for Cybersecurity engages closely with the European Rail Agency (ERA) to support the railway sector and is to host a joint event with ERA later this year.

Leave a comment , ,

CREWS commits additional funding to strengthen Early Warning Systems in the Caribbean

Agency News, Industry News, Power/Energy/Oil & Gas sector, Water sector

Different and multiple hazards, such as severe weather conditions in land and at sea, droughts, hurricanes, floods, and earthquakes, pose a serious threat to the Caribbean, which is one of the most disaster-prone regions in the world. Combined, geological and hydro-meteorological hazards have affected more than 100 million people in the region, causing significant economic losses and casualties.

The development of Early Warning Systems has been identified by the Sendai Framework for Disaster Risk Reduction 2015–2030, the 2030 Agenda for Sustainable Development, and the Paris Agreement as a key pathway to prevent disasters and reduce the negative impacts of multiple hazards.

As defined by the UNDRR, Multi-hazard Early Warning Systems are "an integrated system of hazard monitoring, forecasting and prediction, disaster risk assessment, communication and preparedness activities systems and processes that enables individuals, communities, governments, businesses and others to take timely action to reduce disaster risks in advance of hazardous events".

The Climate Risk and Early Warning Systems Initiative (CREWS) is a mechanism that provides financial support to Least Developed Countries (LDCs) and Small Island Developing States (SIDS) to establish risk-informed early warning services, implemented by three partners, based on clear operational procedures. CREWS has recently donated an additional $1 million to support the project Strengthening Hydro-Meteorological and Early Warning Services in the Caribbean , which will be implemented by UNDRR in 2022.

The project aims to strengthen Early Warning Services (EWS) in the Caribbean and to articulate the response capacity of individuals, institutions, and communities through the development of a regional strategy to strengthen and streamline early warning and hydro-meteorological services. This includes developing appropriate approaches to risk-informed decision-making for EWS, identifying gaps in risk assessment at regional and national levels, and evaluating the resilience of already existing infrastructure such as forecasting centres, shelters, and National Meteorological and Hydrological Services. The project will also examine opportunities for building partnerships with the private sector and assess socio-economic benefits to ensure the sustainability of investments and activities.

This project aligns with the Sendai Framework and focuses on the implementation of target G, which aims to “substantially increase the availability of and access to multi-hazard early warning systems and disaster risk information and assessments to people by 2030”. The Sendai 7 campaign of the 2022 International Day for Disaster Risk Reduction will be focusing on this same target. Ensuring access to Multi -hazard Early Warning Systems in the Caribbean is regarded as a tool that enables individuals, communities, governments, businesses, and other stakeholders to take timely action to reduce disaster risk in advance of hazardous events.

This is also a matter of urgency, as disclosed in the Regional Assessment Report on Disaster Risk in Latin America and the Caribbean (RAR21), published last year: “In the short and medium term the occurrence of new mega-disasters in the region is almost inevitable given the extreme risk embedded there. It is therefore urgent to strengthen corrective and reactive management capabilities, especially early warning systems, preparedness and response.”

Leave a comment , , ,

Landmark IPCC report must be wake-up call for greater investment in disaster risk reduction

Agency News, Organisation Types, Transport sector, Water sector

Following the release of the IPCC Working Group II Report on Impacts, Adaptation and Vulnerability, Mami Mizutori, Special Representative of the UN Secretary-General for Disaster Risk Reduction, issued the following statement:

The findings of the latest IPCC report are dire. Communities around the world are being affected by climate change at a magnitude worse than expected. The devastating impacts of climate disasters are affecting every part of the world.

As the UN Secretary-General António Guterres said today “The IPCC report is an atlas of human suffering and a damning indictment of failed climate leadership.”

Many of the changes are at risk of becoming irreversible. On our current trajectory, the world is set to breach the 1.5 °C safe global temperature limit by the early 2030s, spiralling to dangerous levels of disaster risk. Almost half the human population is already in the danger zone

It is incomprehensible that we knowingly continue to sow the seeds of our own destruction, despite the science and evidence that we are turning our only home into an uninhabitable hell for millions of people.

Based on current trends, a record increase in medium and large-scale disasters is expected with droughts doubling, and extreme temperature events almost tripling to 2030. Overall, disaster events have doubled in the last 20 years compared to the previous 20 years. If countries and governments do not manage it properly and respond to the climate emergency with urgency, there’s a very real chance that we’ll see them double again.

Yet the world also has an opportunity to meet these challenges. At the Global Platform for Disaster Risk Reduction in Bali, Indonesia this May, organised by the UN and hosted by Indonesia, leaders will gather to discuss how to accelerate action for reducing these risks.

The IPCC report points to many solutions on improving regional and local information, providing sound data and knowledge for decision makers. This does work. Countries have succeeded in saving many lives through improved early warning systems and preparedness.

But climate disasters will undoubtedly worsen. There are very low levels of investments in disaster prevention and disaster risk reduction for the world’s most vulnerable countries on the front lines of impacts. We need to ramp up investment in disaster prevention if we are to cope with the exponential rise of disaster events in recent decades.

A crucial recommendation in the report today is the need for climate-resilient development – inclusive governance that embeds finance and actions across governance levels, sectors and timeframes.

Furthermore, all countries are impacted by climate change, but not in the same way. The most vulnerable communities and nations are the hardest hit, and need greater support on climate finance to adaptation and to avert, minimize and address losses and damages. This means increasing financing for climate change adaptation from tens to hundreds of million dollars.

We need to ensure that regulations and funding take into account disaster risk and that climate risk in financial markets is disclosed. Governments need to make disaster resilience a priority through dedicated funding to prevention.

Leave a comment , , ,

Fourth radio interface technology added to 5G standards

Agency News, Industry News, Telecomms sector

Members of the International Telecommunication Union (ITU) today approved a fourth technology as part of ongoing standards development for 5G mobile services.

Known as “DECT 5G-SRIT", the new technology supports a range of uses, from wireless telephony and audio streaming to industrial Internet of Things (IoT) applications, particularly in smart cities.

It was added in the first revision to ITU's key recommendation IMT-2020, which broadly encompasses fifth-generation, or 5G, networks, services, and devices.

This ITU Radiocommunication Sector (ITU-R) Recommendation – providing a set of global technical 5G standards – reflects continual consultation and discussion among governments, companies, regulators, and other stakeholders dealing with radiocommunication worldwide.

Along with fostering connectivity across borders, ITU promotes the global rollout of 5G as a key driver to achieve the UN's 17 Sustainable Development Goals.​

“New and emerging technologies like 5G will be essential to build an inclusive, sustainable future for all people, communities and countries," said ITU's Secretary-General, Houlin Zhao. “Under the ongoing International Mobile Telecommunications or IMT programme, our diverse global membership continues its long-standing contribution to advance broadband mobile communications, furthering our mission to leave no one behind in connecting the world."

A new radio interface technology

ITU – the United Nations agency entrusted with coordinating radio-frequency spectrum worldwide - published the specifications for the new technology as Recommendation ITU-R M.2150-1.

The technology is designed to provide a slim but strong technical foundation for wireless applications deployed in a range of use cases, from cordless telephony to audio streaming, and from professional audio applications to the industrial Internet of Things (IoT) applications, such as building automation and monitoring.

The European Telecommunications Standards Institute (ETSI) laid the essential groundwork jointly with the DECT Forum, a worldwide association of the digital enhanced cordless telecommunications (DECT) or wireless technology industry.

Leave a comment , ,

NCSC advises organisations to act following Russia’s attack on Ukraine

Agency News, Cyber Security CII sector, Industry News

Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call upon on organisations in the UK, and beyond, to bolster their online defences.

The NCSC – which is a part of GCHQ – has urged organisations to follow its guidance on steps to take when the cyber threat is heightened.

While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences.

The guidance encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.

For the NCSC Guidance visit https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened

Leave a comment , , , ,

Information Technologies for Managing Federal Use

Agency News, Industry News, Transport sector

Radio-frequency spectrum is a scarce natural resource vital to many commercial and government activities, including weather observation, air traffic control, and national defense. NTIA and government agencies have a responsibility to manage their spectrum use wisely. To do so, agencies rely on different spectrum-related IT, but NTIA has recently highlighted that existing IT is out-of-date and hinders spectrum management.

Federal officials said modernization of spectrum-related federal IT could provide benefits such as greater sharing of the limited spectrum and improved efficiency. For example, the current process for assigning spectrum relies on manual reviews of frequency requests and manual input of data. Automation could reduce errors and speed the process.

The FY21 NDAA contains a provision for GAO to review the current spectrum-related IT of covered agencies. This report describes (1) the existing spectrum-related IT that covered agencies employ to manage their spectrum use, and (2) the opportunities covered agencies and NTIA identified for improving spectrum management through IT modernization. The FY21 NDAA also contains a provision for GAO to conduct oversight of the implementation of agencies' spectrum-related IT modernization plans. This topic will be the subject of future GAO work.

Federal agencies use a variety of information technologies (IT) to manage their use of radio-frequency spectrum. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA) required the National Telecommunications and Information Administration (NTIA) and covered agencies to develop plans to modernize their spectrum-related IT (i.e., the software, databases, and other tools that comprise their spectrum infrastructure).

Currently, the NTIA provides agencies with some spectrum-related IT systems, such as software, databases, and engineering tools, so that they can participate in NTIA's spectrum management processes. These processes include assigning frequencies for agencies to use and certifying spectrum-dependent equipment. GAO found that all 20 agencies covered by the FY21 NDAA modernization requirement rely at least in part on NTIA-provided IT to manage their spectrum use. Additionally, most of these agencies—DOD and the Federal Aviation Administration, in particular—augment NTIA-provided IT with additional spectrum-related IT that meets their unique mission needs.

Many of the officials GAO interviewed broadly agreed that modernizing spectrum-related IT could provide opportunities to improve spectrum management, mostly related to the following: (1) improving current spectrum management processes by addressing some limitations in existing spectrum-related IT and (2) facilitating the potential for greater spectrum sharing (i.e., enabling more than one spectrum user to use the same frequency band without interfering with each another). As NTIA and the covered agencies advance their modernization efforts in 2022, it is not yet clear if their plans will target these opportunities.

 

Leave a comment , ,

CISA and FBI Publish Advisory to Protect Organizations from Destructive Malware Used in Ukraine

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory today providing an overview of destructive malware that has been used to target organizations in Ukraine as well as guidance on how organizations can detect and protect their networks. The joint Advisory, “Destructive Malware Targeting Organizations in Ukraine,” provides information on WhisperGate and HermeticWiper malware, both used to target organizations in Ukraine.

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. While there is no specific, credible threat to the United States at this time, all organizations should assess and bolster their cybersecurity. Some immediate actions that can be taken to strengthen cyber posture include:

- Enable multifactor authentication;
- Set antivirus and antimalware programs to conduct regular scans;
- Enable strong spam filters to prevent phishing emails from reaching end users;
- Update software; and
- Filter network traffic.

“In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the U.S.,” said CISA Director Jen Easterly. “Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”

"The FBI alongside our federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector," said FBI Cyber Division Assistant Director Bryan Vorndran. "We are striving to disrupt and diminish these threats, however we cannot do this alone, we continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident."

Executives and leaders are encouraged to review the advisory, assess their environment for atypical channels for malware delivery and/or propagation through their systems, implement common strategies, and ensure appropriate contingency planning and preparation in the event of a cyberattack.

CISA has updated the Shields Up webpage to include new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.

Leave a comment , ,

Critical Infrastructure Protection: Agencies Need to Assess Adoption of Cybersecurity Guidance

Agency News, Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Space Sector, Telecomms sector, Transport sector, Water sector

Federal agencies with a lead role to assist and protect one or more of the nation's 16 critical infrastructures are referred to as sector risk management agencies (SRMAs). The SRMAs for three of the 16 have determined the extent of their sector's adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework). In doing so, lead agencies took actions such as developing sector surveys and conducting technical assessments mapped to framework elements. SRMAs for four sectors have taken initial steps to determine adoption (see figure). However, lead agencies for nine sectors have not taken steps to determine framework adoption.

Status of Framework Adoption by Critical Infrastructure Sector

Regarding improvements resulting from sector-wide use, five of the 16 critical infrastructure sectors' SRMAs have identified or taken steps to identify sector-wide improvements from framework use, as GAO previously recommended. For example, the Environmental Protection Agency identified an approximately 32 percent overall increase in the use of framework-recommended cybersecurity controls among the 146 water utilities that requested and received voluntary technical assessments. In addition, SRMAs for the government facilities sector identified improvements in cybersecurity performance metrics and information standardization resulting from federal agencies' use of the framework. However, SRMAs for the remaining 11 sectors did not identify improvements and were not able to describe potential successes from their sectors' use of the framework.

SRMAs reported various challenges to determining framework adoption and identifying sector-wide improvements. For example, they noted limitations in knowledge and skills to implement the framework, the voluntary nature of the framework, other priorities that may take precedence over framework adoption, and the difficulty of developing precise measurements of improvement were challenges to measuring adoption and improvements. To help address challenges, NIST launched an information security measurement program in September 2020 and the Department of Homeland Security has an information network that enables sectors to share best practices. Implementing GAO's prior recommendations on framework adoption and improvements are key factors that can lead to sectors pursuing further protection against cybersecurity threats.

The U.S. has 16 critical infrastructure sectors that provide clean water, gas, banking, and other essential services. To help protect them, in 2014 the National Institute of Standards and Technology developed cybersecurity standards and procedures that organizations within these sectors may voluntarily use. Federal agencies are charged with leading efforts to improve sector security.

The GAO have found agencies have measured the adoption of these standards and procedures for 3 of 16 sectors and have identified improvements across 2 sectors. For example, the EPA found a 32% increase in the use of recommended cybersecurity controls at 146 water utilities.

Leave a comment , ,

2021 Trends Show Increased Globalized Threat of Ransomware

Agency News, Cyber Security CII sector, Industry News

In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors. The United Kingdom’s National Cyber Security Centre (NCSC-UK) recognizes ransomware as the biggest cyber threat facing the United Kingdom. Education is one of the top UK sectors targeted by ransomware actors, but the NCSC-UK has also seen attacks targeting businesses, charities, the legal profession, and public services in the Local Government and Health Sectors.

Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.

This joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.

Full report can be downloaded here >>

Leave a comment , ,
1 23 24 25 26 27 60