Airports Efforts to Enhance Electrical Resilience

The nation's commercial service airports require continuous, reliable electricity to power airfield operations and airport facilities. FAA and airports are responsible for ensuring the resilience of airports' electrical power systems—including the ability to withstand and recover rapidly from electrical power disruptions.

GAO was asked to review major power outages at airports and steps federal agencies and airports are taking to minimize future disruptions. This report describes (1) the extent to which selected airports reported they had experienced electrical power outages since 2015, (2) actions selected airports have taken to improve the resilience of their electrical power systems, and (3) actions FAA has taken to help airports develop and maintain resilient electrical power systems.

GAO conducted semi-structured interviews with officials from 41 selected airports of varying sizes, representing 72 percent of passenger enplanements. GAO administered a follow-up survey to these 41 airports, focusing on the extent to which they had experienced electrical outages; 30 responded to the survey, representing 53 percent of total enplanements. GAO also reviewed applicable statutes and regulations and analyzed funding data to identify examples of electrical power projects. Further, GAO interviewed FAA officials and airport, academia, state government, and energy stakeholders.

A power outage can significantly disrupt an airport's operations. One 2017 outage at Hartsfield-Jackson Atlanta International Airport led to about 1,200 cancelled flights and cost an airline around $50 million.

Many of the nation's airports are enhancing their ability to withstand and rapidly recover from power disruptions. They're improving their electrical infrastructure, including installing backup generators or solar panels. Some airports are also considering installing microgrids—systems that independently generate, distribute, and store power. The FAA is offering new and expanded grant programs to help fund these projects.

Twenty-four of the 30 commercial service airports that responded to GAO's survey and interviews reported experiencing a total of 321 electrical power outages—i.e., an unplanned loss of power lasting 5 minutes or longer—from 2015 through 2022. Eleven of these airports reported having six or more outages over this 8 year period. Airports reported that these outages affected a range of airport operations and equipment (see table). Not all responding airports were able to provide detailed information about their outages, and some provided estimates about affected activities.

Selected airports reported taking several actions to improve the electrical power resilience of their airports, including (1) conducting electrical infrastructure assessments, (2) undertaking projects to improve electrical infrastructure, and (3) installing equipment to generate additional backup power. For example, 40 of the 41 airports GAO interviewed reported planning or completing an infrastructure project to increase electrical power resilience. Of these, four airports reported installing microgrids. Such microgrid systems are capable of independently generating, distributing, and storing power.

The Federal Aviation Administration (FAA) is administering new and expanded grant programs and issuing guidance to support airports' electrical resilience efforts. For example:

- Airport Improvement Program funding eligibility was expanded to include the Energy Supply, Redundancy, and Microgrids Program projects, which may include certain electrical power resilience projects.

- The new Airport Terminal Program provides funding for airport terminal development projects, including those that may strengthen resilience.

- FAA issued program guidance and conducted airport outreach to help increase airports' awareness of available federal funding for resilience projects.

CISA and FBI Publish Joint Advisory on QakBot Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally.

Originally used as a banking trojan to steal banking credentials for account compromise, QakBot—in most cases—was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network. QakBot has since grown to deploy multiple types of malware, trojans, and highly-destructive ransomware variants targeting the United States and other global infrastructures, including the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities Sectors.

CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.

CISA, NSA, and NIST Publish Factsheet on Quantum Readiness

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.

CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.

Spanish EU Council Presidency: CoESS and APROSER make proposals for a future-oriented, more resilient, European Union

On 01 July 2023, Spain took over the rotating Presidency of the Council of the EU. It will thereby be responsible to lead the work in Brussels on important matters such as negotiations on the EU Artificial Intelligence (AI) Act and initiatives in the context of the EU Year on Skills.

In a Joint Statement, CoESS and APROSER declare the commitment of the European security industry to support the efforts of the Spanish Presidency on a large range of matters impacting not only the security services, but public security overall.

The timing of the Spanish Presidency comes at a particularly decisive stage. First, EU lawmakers will have to find agreement on a large range of open dossiers before the European elections in 2024, notably the EU AI Act. At the same time, European businesses and societies are confronted with a range of challenges, such as labour shortages and increasing threats to the protection of Critical Infrastructure and supply chains – to name only a few.

In their Joint Statement, the representatives of the European and Spanish private security industry, CoESS and APROSER, confirm their commitment to support the Spanish Presidency in its efforts to build a more future-oriented and resilient EU and make respective proposals for the way forward. These are grouped along four key messages:

- Recognising the value of private security services to European citizens and economy
- Adapt legislation to realities in a changing security landscape
- Public security empowered through qualified workers
- Enforce the provision of high-quality security services to European citizens

Important recommendations include the hosting of a private security roundtable in Brussels, principles of human-centred AI and legal certainty in the context of the future EU AI Act, and a call for a revision of the EU Public Procurement Directives.

ICS regulations, standards and directives improve cybersecurity in OT environments, though limitations prevail

Increasing instances of cybersecurity threats, geopolitical instability, and rising cyber insurance premiums call upon operational environments to strengthen and safeguard by implementing ICS regulations, standards, and directives. Weaving these measures into the organizational framework helps improve security posture, enhance resilience against cyber threats, minimize cyber risks, protect assets and operations, and safeguard public safety and national security while establishing a common baseline for cybersecurity practices.

Federal agencies around the world have recognized the importance of securing critical infrastructure systems and stepped up efforts to bolster cybersecurity measures in OT (operational technology) environments. These regulations outline specific requirements that organizations must follow regarding the management and protection of their OT assets. Compliance with these measures is mandatory and failure to comply can result in penalties or loss of licensing.

Assigning directives by regulatory bodies or industry-specific organizations also helps provide guidance on specific aspects of cybersecurity for OT environments. These measures serve as a roadmap for organizations to enhance their security posture and align their practices with industry best practices.

Standards are set by international organizations and industry consortiums to define best practices, frameworks, and technical specifications for securing OT environments. Standards such as ISO 27001, IEC 62443, IEC 63452, and NIST SP 800-82 provide organizations with a structured approach to implementing security controls, risk management, and incident response processes in OT environments. Compliance with these standards helps organizations demonstrate their commitment to cybersecurity and provides a benchmark for measuring their security posture.

Industrial Cyber contacted cybersecurity executives to assess the adequacy of existing regulations, standards, and directives in addressing Ransomware-as-a-Service (RaaS) attacks, nation-state hackers, and insider threats in OT/ICS environments. They also analyze how they contribute to building resilience and business continuity in OT environments and the critical infrastructure sector.

“CISA is at its core a partnership agency and our relationship with critical infrastructure entities is based on a voluntary collaboration and trust,” Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told Industrial Cyber. “In certain cases, CISA supports regulatory agencies in developing outcome-oriented requirements that appropriately incentivize adoption of the most effective security controls, including with agencies like TSA, EPA, and the U.S. Coast Guard.”

He added that in all cases, regulatory requirements do not replace the foundational value of voluntary operational collaboration to support shared security outcomes between the government and the private sector.

“The relative pervasiveness of RaaS and other intrusions into critical infrastructure demonstrate that our current regimes are insufficient to ensuring that critical infrastructure owners and operators have taken the necessary steps to secure their environments,” Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), told Industrial Cyber. “This is particularly frustrating in the case of RaaS where financially motivated adversaries are often looking for the ‘low hanging fruit’ with vulnerabilities that are well understood and can be mitigated but are not providing ample examples of ransomware against our CI entities. Some industries already have regulations for cybersecurity, such as the NERC CIP regulations.”

Full story at Industrial Cyber >>

CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the four organizations assess cyber threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks.

Additionally, newer versions of Truebot malware allow malicious actors to gain initial access by exploiting a known vulnerability with Netwrix Auditor application (CVE-2022-31199). As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.

CISA, FBI, MS-ISAC, and the CCCS encourage all organizations to review this joint advisory and implement the recommended mitigations contained therein—including applying patches to CVE-2022-31199, to reduce the likelihood and impact of Truebot activity, as well as other ransomware related incidents.

CISA CyberSentry Program Launches Webpage

Cybersecurity & Infrastructure Security Agency (CISA) has published a blog and webpage on the CyberSentry program, a CISA-managed threat detection and monitoring capability with critical infrastructure partners that operate significant networks supporting National Critical Functions (NCFs): cisa.gov/CyberSentry

The CyberSentry program enables our agency to proactively hunt for malicious cyber activity, advise on mitigation strategies, and provide critical infrastructure partners with recommendations for improving overall network and control system security. The new CyberSentry webpage includes an informational video about the program, a fact sheet and details on how to contact CISA CyberSentry program.

Critical infrastructure organizations are experiencing network intrusions at an increasing frequency. To enhance detection of threats, CISA operates CyberSentry, which is a voluntary, proactive program that leverages its capabilities and partners with a select number of critical infrastructure organizations.

CyberSentry technology supports sensing and monitoring for information technology (IT) and operational technology (OT) networks. CyberSentry has added significant value to both CISA’s national mission and to our partners’ enterprise cybersecurity efforts.

Recent successes include:

- Infected OT Equipment: CyberSentry discovered an infection on a partner’s Human Machine Interface (HMI) equipment that had not been properly patched and secured. CISA analysts quickly notified the partner about the issue and offered guidance on preventive techniques for the future.

- Unintentional Exposure: CyberSentry tools spotted cleartext authentication occurring on a partner’s network, and further investigation revealed that a misconfiguration had caused the issue. A detailed report was provided to the partner, including specific guidance on remediating the situation.

- Private Sector Coordination: During the Colonial Pipeline disruption, CISA analysts coordinated closely with its pipeline partners to share information and monitor for adversary activity.

- SolarWinds Response: CyberSentry data helped to quickly identify partners affected by the SolarWinds supply chain compromise. All impacted partners were notified, and the program worked closely and expediently with these partners to confirm remediation of the threat.

- Identification of Malicious Activity: On multiple occasions, CISA analysts identified possible malicious activity at partner sites and worked with affected partners to identify the root causes of activity.

- Malware Discovery: CyberSentry tools quickly discovered and identified malware in a partner’s IT network. Working with the partner, CISA analysts were able to locate the infected device so the partner could remove it from the network and verify that the threat was contained.

- Attacker Exfiltration Detected: CyberSentry discovered that an attacker was actively exfiltrating information. CyberSentry worked with the partner to identify information that had been exfiltrated. After conferring with CyberSentry analysts, the partner was able to isolate infected systems that same evening, eliminating the threat.

ENISA Report - Good Practices for Supply Chain Cybersecurity

Directive (EU) 2022/2555 (the NIS2 directive) 1 requires Member States to ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, which those entities use in the provision of their services. Supply chain cybersecurity is considered an integral part of the cybersecurity risk management measures under Article 21(2) of the NIS2 directive.

This new ENISA report provides an overview of the current supply chain cybersecurity practices followed by essential and important entities in the EU, based on the results of a 2022 ENISA study which focused on investments of cybersecurity budgets among organisations in the EU.

Among the findings the following points are observed:
• 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
• 47 % allocate budget for ICT/OT supply chain cybersecurity.
• 76 % do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
• 61 % require security certification from suppliers, 43% use security rating services and 37% demonstrate due diligence or risk assessments. Only 9 % of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
• 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
• 46 % patch critical vulnerabilities within less than 1 month, while another 46 % patch critical vulnerabilities within 6 months or less.

The report also gathers good practices on supply chain cybersecurity derived from European and international standards. It focuses primarily on the supply chains of ICT or OT. Good practices are provided and can be implemented by customers (such as organisations identified as essential and important entities under the NIS2 directive) or their respective suppliers and providers. The good practices cover five areas, namely:
• strategic corporate approach;
• supply chain risk management;
• supplier relationship management;
• vulnerability handling;
• quality of products and practices for suppliers and service providers.

Finally, the report concludes the following.
• There is confusion with respect to terminology around the ICT/OT supply chain.
• Organisations should establish a corporate-wide supply chain management system based on third party risk management (TRM) and covering risk assessment, supplier relationship management, vulnerability management and quality of products.
• Good practices should cover all various entities which play a role in the supply chain of ICT/OT products and services, from production to consumption.
• Not all sectors demonstrate the same capabilities concerning ICT/OT supply chain management.
• The interplay between the NIS2 directive and the proposal for a cyber resilience act or other legislation, sectorial or not, which provides cybersecurity requirements for products and services, should be further examined.

Artificial Intelligence and Cybersecurity Research - an ENISA Research and Innovation Brief

The aim of this study, undertaken by ENISA, is to identify needs for research on AI for cybersecurity and on securing AI, as part of ENISA’s work in fulfilling its mandate under Article 11 of the Cybersecurity Act1. This report is one of the outputs of this task. In it we present the results of the work carried out in 20212 and subsequently validated in 2022 and 2023 with stakeholders, experts and community members such as the ENISA AHWG on Artificial Intelligence3. ENISA will make its contribution through the identification of five key research needs that will be shared and discussed with stakeholders as proposals for future policy and funding initiatives at the level of the EU and Member States.

Artificial Intelligence (AI) is a typical dual-use technology, where malicious actors and innovators are constantly trying to best each other’s work. This is a common situation with technologies used to prepare strategic intelligence and support decision making in critical areas. Malicious actors are learning how to make their attacks more efficient by using this technology to find and exploit vulnerabilities in ICT systems.

While it is recognised the immense potential in AI for innovation in cybersecurity and the many requirements needed to improve its security, we also acknowledge that there is still much work to be done to fully uncover and describe these requirements. This report is only an initial assessment of where we stand and where we need to look further in these two important facets of this technology.

ENISA has prepared this studies with the aim of using them as a tool to develop advice on cybersecurity R&I and present it to stakeholders.

For full report visit www.enisa.europa.eu/publications/artificial-intelligence-and-cybersecurity-research

CISA and Partners Release Joint Guide to Securing Remote Access Software

The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs), and how to detect and defend against malicious actors abusing this software.

Remote access software provides organizations with a broad array of capabilities to maintain and improve information technology (IT), operational technology (OT), and industrial control system (ICS) services; however, malicious actors often exploit this software for easy and broad access to victim systems.

CISA encourages organizations to review this joint guide for recommendations and best practices to implement in alignment with their specific cybersecurity requirements to better detect and defend against exploitation. Additionally, please refer to the additional information below on guidance for MSPs and small- and mid-sized businesses and on malicious use of remote monitoring and management software in using remote software and implementing mitigations.

1 2 3 30