
Search Results


  • NSA Warns of Russian Hackers, Urges Patching of Defense Systems

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.bloomberg.com/news/articles/2020-12-07/nsa-warns-of-russian-hackers-urges-patching-of-defense-systems By Alyza Sebenius 12/07/20 The U.S. National Security Agency warned that Russia’s hackers are exploiting a flaw in products made by the software company VMware Inc. The NSA said in a Monday advisory that Russia was using the flaw to “access protected data” and urged administrators of national security and defense systems, as well as defense contractors, to patch their networks and take other measures to reduce the risk of attack. In a written statement, a VMware representative said that the company “responded to a new security issue” and that it “has provided the appropriate updates and patches to mitigate this issue.” The company encouraged “all customers to apply the latest product updates, security patches and mitigations made available for their specific environment.” Speaking at an event last month, the NSA’s cybersecurity lead, Anne Neuberger, said that Russia can weaponize publicly known digital flaws in as few as 48 hours -- making prompt patching important. The NSA warning comes a few days after the Department of Homeland Security issued an alert about Iranian hackers -- saying that they are becoming more sophisticated and improving their offensive arsenal, leading to the possibility of “cyber-enabled kinetic attacks” in the future. Iranian actors are defacing web pages, taking sites offline by flooding them with traffic, stealing personal data and conducting influence operations on social media, according to a Dec. 3 notice by the Department’s Cybersecurity and Infrastructure Security Agency.

  • (CS)2AI-KPMG Control System Cyber Security Report (2020) - Part 1: Introduction

    On behalf of a tireless (CS)2AI annual report steering committee, I am proud to announce the availability of the very first (CS)2AI-KPMG Control System Cyber Security Annual Report. The report was based on survey results from industry members at large and a representative sample of (CS)2AI’s worldwide membership (approaching 19,000 members today), with questions regarding control system security events, trends in attack activities and protective technologies, and how organizations are adapting to changes in the threat landscape. The primary intent of this report is to provide a free and valuable decision support tool that helps guide control system cyber security practitioners and management to make well-informed and prioritized decisions regarding the protection of critical assets. From the start, we believed that by casting a very wide survey net globally and applying some careful evaluation of the data we could find some valuable insights. We did find those. Amongst other factors, the data revealed potentially overlooked aspects of the interactions between business, operations, personnel and technology, and how all of those affect the security of organizations (and society). As we worked on this project with partners and members around the world it became clear that the very nature of our neutral not-for-profit organization coupled with our large and diverse membership base is ideal for such research and decision support tools. It is now a firm part of our organizational mandate to help identify which efforts to improve security are working, where they aren’t as effective as they should be, and even where they might be counterproductive. Moving forward, the (CS)2AI research program is squarely aimed at answering these questions and more. This comprehensive report is the result of significant participation from our Strategic Alliance Partner, KPMG, to whom we owe a heartfelt ‘thank you’ for helping bring this to life.
We must also thank Airbus CyberSecurity, Fortinet, Palo Alto Networks, and Waterfall Security Solutions for their important contributions to both the research phase and the final report. Through their direct support of (CS)2AI and this joint project, these companies continue to demonstrate their commitment to help solve the challenges the control systems cyber security workforce face today. We also want to express our gratitude to the annual report steering committee members who spent many hours pondering the exact questions before we launched the survey and each iteration of the report draft. Finally, I want to thank all of you who participated in this research for the benefit of others; without that there is no crowd wisdom to gather, study and share back with the community. This is yet another (CS)2AI "Members helping Members" initiative. I sincerely hope you find this report valuable and I invite you to provide feedback of all types. Though we'd all love to hear positive things, constructive criticism is a necessary ingredient to making this resource the best it can be. For feedback or if you want to get involved in the 2021 report project, please email us at research@cs2ai.org

  • Creating a DoD Cybersecurity Maturity Model Certification Compliant Risk Management Plan

    By Michael Chipley PhD GICSP PMP LEED AP, President, The PMC Group, (CS)²AI Fellow November, 2020
INTRODUCTION In response to continued data breaches and exploits of the Defense Industrial Base and other DoD contractors/vendors such as A&E, construction and systems integrators, the DoD is replacing the current DFARS 7012 Protecting Controlled Unclassified Information (CUI) self-attestation with the Cybersecurity Maturity Model Certification (CMMC) process. The CMMC builds upon the current NIST SP 800-171 and 172 standards and adds additional enhancements based on Levels 1 through 5, with 5 being the most difficult and intended for larger organizations with full IT and SOC capabilities. For most small and medium size organizations, Level 3 will be the typical baseline, meaning they have a CMMC compliant Cyber Risk Management Plan (CRMP) in place and can identify and report a cyber incident. The desired state is Level 4, where the organization has an active Hunt and Defend program in place and performs Continuous Monitoring and Audits for Advanced Persistent Threats (APTs). DoD RFPs will be scored against the Level and an organization will only be able to obtain an RFP for which it has been certified. DoD is currently in acquisition stage discussions with 3rd Party Assessor Organizations (3PAOs) with the intent to go to full Rule Making for the large DIB primes and their suppliers/subcontractors to start in early 2021. https://www.acq.osd.mil/cmmc/index.html
OFFICE OF SECRETARY OF DEFENSE FOR ACQUISITION & SUSTAINMENT CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain. OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).
· The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
· The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
· The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
· The intent is for certified independent 3rd party organizations to conduct audits and inform risk.
The CMMC is divided into 17 Capability Domains and 5 Levels with associated Practices and Processes. The 5 Level Practices and Processes are intended to enable an organization to implement a cybersecurity program consistent with their cybersecurity contractual requirements as well as their financial and technical ability to obtain the desired Level of certification. The CMMC will have a database (currently being developed as a DISA eMASS instance) of Certified organizations, and as part of the Solicitation/RFP a Level will be assigned to the type of work/acquisition. The DoD will specify the required CMMC level in Requests For Information (RFIs) and Requests for Proposals (RFPs). Levels 1 and 2 are intended primarily for Vendors/Suppliers and Level 3 is the minimum Level that most contractors/vendors must attain to be able to obtain RFPs. Levels 4 and 5 are for organizations able to perform Hunt and Defend and/or have a SOC capability. The current year 2020 timeline is a bit behind schedule, but initial CMMC training and mock assessments are underway and the Final Rulemaking will hopefully occur in 2021. The CMMC Compliance matrix has been posted to the OSD website. The Excel file can be used in conjunction with the ESTCP NIST SP 800-171 System Security Plan Word template. The CMMC Accreditation Body is now accepting applications for 3PAOs. https://www.cmmcab.org/
DFARS 7012 CLAUSE AND CREATING A NIST 800-171 COMPLIANT CYBER RISK MANAGEMENT PLAN (CRMP) Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. DoD issued the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting in 2015 with compliance required by January 2018. The intent is for an organization to be able to Detect a cyber incident and report it within 72 hours so that the compromise or breach can be evaluated for other impacts to DoD and/or contractor/vendor/Defense Industrial Base partners. (a) Definitions. As used in this clause— “Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. “Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. “Contractor attributional/proprietary information” means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company. “Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. “Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. The DoD implementation of the EO was issued December 2015 as the “Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information).” The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. Technical data or computer software as defined in DFARS Clause 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in the solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code. The data may be in tangible form, such as a blueprint, photograph, plan, instruction, or an operating manual, or may be intangible, such as a technical service or oral, auditory, or visual descriptions. Examples of technical data include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software.
DoD ESTCP WEBSITE CYBER RISK MANAGEMENT PLAN TEMPLATES The current 800-171 DFARS 7012 CRMP process is posted on the DoD ESTCP website at: https://serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/FRCS-Protecting-CUI. All DoD projects that will collect, transmit, or store CUI data must have a current Cyber Risk Management Plan (CRMP) IAW NIST SP 800-171 and the DFARS CUI Guide, compliance required by Dec 2017. Templates are provided for each of the documents and the IE and ESTCP offices will assist contractors/vendors to complete a CRMP. Note the templates can be used for both corporate IT business systems and OT FRCS projects. Typical CUI data on corporate IT systems includes design drawings and site information (CAD, BIM, GIS), specifications, test results, and consumption data (meter, site data). Typical CUI on OT projects includes network traffic (Modbus, BACnet, TCP/IP) between HMI and lower level controllers, configuration files, hardware/software versions and hashes, and consumption data (meter, site data). The following documents are typically included in the CRMP (presented in order of recommended completion):
· CRMP Table of Contents Checklist
· Event/Incident Communications Plan (EICP)
· Event/Incident Response Plan (EIRP)
· Information Systems Contingency and CONOPS Plan (ISCP)
· Information System Policies and Procedures (ISPP)
· Security Audit Plan (SAP)
· System Security Plan (SSP)
· Security Monthly (or Quarterly) Assessment Report (SMAR)
· Plan of Action & Milestones (POAM)
· DFARS CUI DIBNet Incident Response Form
· US-CERT Incident Response Form
· CJCSM 6510.01B Incident Response Form
The DFARS 7012 Clause uses the NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations standard as the basis of a cybersecurity program. “The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.” The NIST SP 800-171 controls originated in NIST SP 800-53 R4, condensed version – note the numbering scheme using the 3.X.X that differentiates it from NIST SP 800-53. The current DFARS 7012 requires an organization to have a System Security Plan (SSP) and Plan of Action and Milestones (POAM).
· NIST SP 800-171, Security Requirement 3.12.4 (System Security Plan): Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
· NIST SP 800-171, Security Requirement 3.12.2 (Plans of Action): Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
The SSP and POAM templates are provided on the ESTCP website. The DoD CMMC Compliance Matrix or the DHS CSET Tool can be used to generate the Security Controls and responses. Another key area to address is the Information System Contingency Plan and conducting a Table-Top Exercise. A Ransomware Table-Top Exercise is an excellent way to also test the Event/Incident Communications Procedure (EICP) and the Event/Incident Response Plan (EIRP).
DFARS CYBER INCIDENT REPORTS DFARS cyber incidents are reported to the Defense Cyber Crime Center (DC3) via the DIBNet portal. Note: DIBNet is a web portal for sharing threat information between DoD and DIB companies. See appendix F for a list of reportable fields. If the contractor does not have all the information required by the clause within the 72-hour time constraint, specified in paragraph (d)(1) of the safeguarding clause, the contractor should report the details available at the time. Having created and exercised all of the CRMP documents, an organization is ready to Self-Attest compliance. An additional DFARS requirement is to flow down the DFARS CUI security requirements to all subcontractors/teammates.
CMMC IMPACT ON OTHER FEDERAL AGENCIES The recently released GSA STARS III RFP includes requirements for all bidders to become CMMC compliant, as they expect the CMMC will become the baseline for other federal agencies. H.6.3.3 While CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions; so it is vital that contractors wishing to do business on 8(a) STARS III monitor, prepare for and participate in acquiring CMMC certification. H.6.3.4 8(a) STARS III contractors should begin preparing for CMMC and SCRM accreditation by staying aware of developing requirements and by implementing the appropriate NIST SP 800-series documents. Examples of appropriate actions include the following:
(1) Determine if your company receives federal funds from the Department of Defense either directly as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, and/or if Civilian agencies adopt the same program, you should be prepared to obtain at least a Level 1 certification.
(2) Determine whether your company currently or in the future expects to electronically process, store, or transmit CUI in the performance of its defense contracts. If so, you should be prepared to obtain at least a Level 3 certification.
(3) Review your company’s current compliance with NIST SP 800-171 Rev 1 in relationship to your expected CMMC level requirements. Begin drafting a System Security Plan (SSP) in accordance with NIST SP 800-18 Rev 1. If you currently have a Plan of Action and Milestones (POAM) in place or identify additional concerns, dedicate appropriate resources to ensure that progress is being made to close any gaps as quickly as possible. Examine Draft NIST SP 800-171B for enhanced security requirements to improve cybersecurity maturity capabilities as applicable given the CMMC level you intend to attain.
(4) Review your company’s current compliance with NIST SP 800-161 to include the establishment of a SCRM Plan.
(5) Investigate your subcontractor base as CMMC and SCRM requirements may flow down to subcontractors, including commercial item subcontractors. It is expected that consent to subcontract at the Order level may also consider subcontractor CMMC level.
SUMMARY Any organization can download the ESTCP CRMP templates and start on the process to become NIST SP 800-171 and CMMC compliant. Organizations wishing to do business with the DoD and soon the GSA will need to ensure they have a CMMC Compliant Cyber Risk Management Plan in place and perform Continuous Monitoring and Auditing to ensure the IT systems are not compromised. The government does not penalize an organization that experiences a compromise or data breach; however, an organization MUST be able to DETECT and REPORT a cyber incident within 72 hours. The CMMC cost to achieve a 3PAO compliance assessment has not been published, but the FAQs state “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The CMMC Accreditation Board website says a 3PAO must be ISO 17021 certified and they are now accepting applications.

  • New Flaws in Top Antivirus Software Could Make Computers More Vulnerable

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://thehackernews.com/2020/10/antivirus-software-vulnerabilities.html By Ravie Lakshmanan 10/05/20 Excerpt: “Chief among the flaws is the ability to delete files from arbitrary locations, allowing the attacker to delete any file in the system, as well as a file corruption vulnerability that permits a bad actor to eliminate the content of any file in the system. Per CyberArk, the bugs result from default DACLs (short for Discretionary Access Control Lists) for the "C:\ProgramData" folder of Windows, which are by applications to store data for standard users without requiring additional permissions. Given that every user has both write and delete permission on the base level of the directory, it raises the likelihood of a privilege escalation when a non-privileged process creates a new folder in "ProgramData" that could be later accessed by a privileged process.”

  • U.S. DOE Provides $65M for ‘Connected Communities’ of Buildings Powered to Transform Electric System

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.energy.gov/articles/us-department-energy-provides-65-million-connected-communities-buildings-powered-transform By U.S. Department of Energy (DOE) 10/13/20 WASHINGTON, D.C. – The U.S. Department of Energy (DOE) announced up to $65 million through its Connected Communities funding opportunity announcement (FOA) to expand DOE’s network of grid-interactive efficient building communities nationwide. “As our Nation’s energy system continues to undergo dramatic transformations, there is a growing need for solutions that integrate and optimize all of our energy resources on the grid to provide Americans with the most reliable and affordable electricity possible,” said Secretary of Energy Dan Brouillette. “With today’s announcement, DOE will broaden its capability to evaluate and demonstrate the growing flexibility of one such solution—smart, grid-interactive, efficient buildings—to best serve the needs of building occupants and the grid while reducing energy consumption overall.” America’s 125 million homes and commercial buildings currently use almost 40% of U.S. energy, 74% of its electricity, and account for the great majority of peak electricity demand. Connected communities can leverage the latest advancements in building science, like state-of-the-art sensors, controls, and analytics, to more flexibly manage and deploy grid-scale energy efficiency and distributed energy resources. “The integration of emerging technologies and systems is essential to the success of efforts to maximize the effectiveness of advanced building technologies,” said Assistant Secretary for Energy Efficiency and Renewable Energy Daniel R. Simmons. “Our Grid-Interactive Efficient Buildings Initiative helps the U.S. 
further modernize its power grid and thus improve reliability, integrate renewable power sources, improve environmental performance, and make electricity more affordable for America’s households and businesses.” Integration is at the heart of the Connected Communities FOA, and the Building Technologies Office (BTO) within DOE’s Office of Energy Efficiency and Renewable Energy (EERE) is collaborating with EERE’s Solar Energy Technologies Office and Vehicle Technologies Office and DOE’s Office of Electricity and Lawrence Berkeley National Laboratory to bring together critical technologies and programs. The FOA, first described in a Notice of Intent and later shaped by responses to a Request for Information, could increase by five-fold the number of EERE-supported testbeds like Reynolds Landing in Hoover, Alabama. As a recent report by Oak Ridge National Laboratory shows, Reynolds Landing uses 44% less energy than comparable all-electric communities and 34% less power demand during winter peak hours, leading to lower utility bills for families while in higher-functioning houses. Teams of broad partners are necessary to undertake this innovative and ambitious endeavor. To learn more about this FOA and its teaming partner list and to submit a concept paper, please visit EERE Exchange. To see what DOE plans to learn about and demonstrate in these connected communities, click HERE.

  • Your iPhone is tracking everywhere you go: Here's how to find the setting

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.usatoday.com/story/tech/columnist/2020/09/08/iphone-tracking-everywhere-you-go-how-find-setting/5695132002/ By Kim Komando 9/08/20 At this point, digital privacy is long gone. There’s always another device, feature or service tracking what we say, what we look at online and the places we go. Ever wonder how your iPhone is able to automatically pull up directions to work when you get in the car? Or when you leave for the day, do you wonder how your phone knows you’re heading home? It’s not only part of location services but a separate and more in-depth thing called “Significant Locations.” Prepare yourself for a shock when you look at yours. Want to know how to access it and, if you’d like, turn it off? Here are your steps: Open your iPhone’s settings; Tap on Privacy; Select Location Services; Then tap System Services; Scroll down until you see Significant Locations and tap on that. After entering your password or opening up your phone with FaceID, you’ll see a list of locations you’ve visited. Now, some of them may seem a bit off to you, but that’s because the location is not always precise. Tap on a place and it will open up a page with more specifics, including a map. Even if it didn’t peg you exactly right, it will have you in the area. Individually, you can edit locations so they will no longer be stored in your phone. To do that, tap on any city it had you in. Then, on the next screen, tap on the “Edit” button in the upper right-hand corner. That will bring about a red circle next to the location, which you can then tap on to remove it. If you’d like to turn off Significant Locations altogether, you just need to scroll to the top of the page that lists the city locations and tap on the green button on the top-right in the tab. Stop tracking: If you use Google Maps, you may want to shut down that tracking, too.
Tap or click to turn off Google location tracking for good.

  • Senate Democrat raises concerns around Universal Health Services breach

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://thehill.com/policy/cybersecurity/520410-senate-democrat-raises-concerns-around-united-health-services-breach By MAGGIE MILLER 10/09/20 Sen. Mark Warner (D-Va.) on Friday raised concerns around a recent cyberattack on hospital chain Universal Health Services (UHS) that resulted in the data of millions of customers potentially being compromised. In a letter to UHS Chairman and CEO Alan Miller, Warner, who serves as vice chairman of the Senate Intelligence Committee, asked a series of questions in relation to a ransomware attack on UHS last month that crashed systems at hospital facilities across the nation. UHS has more than 400 facilities in the U.S. and United Kingdom, with more than 90,000 employees, and it has previously stressed that there is no evidence any data was stolen or accessed. NBC News reported last week that the incident had the potential to be one of the largest cyberattacks on the medical sector in U.S. history. “I write you with grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack,” Warner wrote to Miller. 
“As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity.” Warner noted that “while initial reports suggest that the attackers did not access patient or employee data, an incident such as this sharply highlights the need to ensure adequate cybersecurity hygiene in a healthcare setting.” The cyberattack took place in the midst of the COVID-19 pandemic, which has placed huge stress on health care groups around the world, with Warner noting that the attack on UHS “only exacerbates the consequences of insufficient cybersecurity.” Warner asked Miller and UHS to respond to a series of questions around the attack within two weeks, including asking him to detail the company’s cybersecurity and risk management protocols and whether UHS has paid the ransom to the hackers. “Patients deserve to know that healthcare systems are secure, particularly as the nation faces a pandemic straining resources nationwide,” Warner wrote. “When a cybersecurity failure occurs, patients need reassurance that their healthcare provider is committed to learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again.” UHS did not respond to The Hill’s request for comment on the letter. The health care company put out a statement last month acknowledging the attack and emphasizing that as of Sept. 29, the company had “no evidence that patient or employee data was accessed, copied or misused.” “The Company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible,” UHS said. 
“In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods,” it added. “Patient care continues to be delivered safely and effectively.” Cyber criminals and nation state hackers have increasingly zeroed in on the health care sector during the COVID-19 pandemic, with ransomware attacks, which involve a hacker accessing and encrypting a system and demanding payment to reinstate access, becoming a major concern.

  • The DoD Cybersecurity Policy Chart

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.csiac.org/resources/the-dod-cybersecurity-policy-chart/ By Cyber Security and Information Systems Information Analysis Center (CSIAC) 10/13/20 The Cyber Security and Information Systems Information Analysis Center (CSIAC), which is sponsored by the Defense Technical Information Center (DTIC), updated the DoD Cybersecurity Policy Chart on Oct 9, 2020. The specific changes in this new version are listed below. Other resources are available at www.csiac.org.

    1. Title 14, U.S. Code, Cooperation with Other Agencies: replaced with new hyperlink.
    2. NIST Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations: long-awaited and very important update, published September 2020, supersedes Rev. 4.
    3. CNSSD 507, National Directive for Identity, Credential, and Access Management Capabilities on the U.S. Federal Secret Fabric: provides a minimum set of requirements for Identity, Credential, and Access Management (ICAM) implementation and management that applies to the Federal Secret Fabric. Updated July 7, 2020.
    4. DoD Directive 8140.01, Cyberspace Workforce Management: published October 5, 2020, superseding the earlier version dated August 11, 2015.
    5. DoD Instruction 8531.01, DoD Vulnerability Management: released September 15, 2020.
    6. DoD Data Strategy: supports the National Defense Strategy and Digital Modernization; published October 9, 2020.
    7. DTM 17-007, Change 3, Defense Support to Cyber Incident Response: Change 3 issued May 29, 2020.

  • The More Situational Awareness for Industrial Control Systems (MOSAICS): Virtual Industry Days

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: http://rdp21.org/mosaics-industry-day/ By MOSAICS 10/13/20 November 4 & 5 The More Situational Awareness for Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD) will conduct Industry Days on 4 and 5 November 2020. The event will be virtual, hosted on MS Teams. The agenda for the two-day event has 22 vendors briefing, as well as DoD and Service cyber leaders briefing, to stimulate discussion. The purpose of the Industry Days is to share the MOSAICS cyber defense capability for Industrial Control Systems (ICS) with industry and vendors. The MOSAICS capability, based on the Integrated Adaptive Cyber Defense (IACD) standards developed by the National Security Agency (NSA), provides for solutions based on open system standards. Sharing this information will enable industry to develop IACD-based solutions and capabilities that DoD can then acquire competitively.

  • Hack The Building: A US Cyber Command Inspired Event November 16-19, 2020

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.hackthebuilding.tech/ By MISI 10/19/20 There are an estimated 2.5 million unique ICS systems in use in over 300,000 buildings and over 250,000 linear structures. This Maryland Innovation & Security Institute (MISI) and DreamPort event is inspired by a DoD request for an offensive and defensive exercise that demonstrates the impact of IT, IoT and OT cyber attacks on critical building automation and mission operations. The event will feature an entire 150,000 sq. ft., two-story office building with acres of free parking and space for social distancing. Offensive and defensive OT, IT and IoT technology will be staged in support of critical functions throughout the facility, including multiple diesel generators, IP cameras, access control, business systems, WiFi and on-site factory operations.

    Event Dates & Schedule: November 16 – 19
    November 16: Offense
    November 17: 2nd day of offensive exercise, ends at 3:00pm
    November 17: Building Automation and Control Systems Cybersecurity Virtual Conference and Pitch competition
    November 18: Offense versus Defense
    November 19: Offense versus Defense

  • HACK THE BUILDING'S Control Systems Cyber Conference NOVEMBER 17, 2020

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.hackthebuilding.tech/control-systems-cyber-conference/ By MISI 10/19/20 At the November 17 conference, businesses will present their solutions for addressing critical infrastructure cyber challenges. Hack the Building is a cyber exercise and technology showcase that brings together offensive and defensive teams from across the military, government, academia and industry. The conference will feature presentations on a broad range of ICS/SCADA topics, including security of SCADA systems, building automation systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices. Presentations on cyber standards that treat building automation and facilities as critical infrastructure are important to our audience, including ideas on how facilities architecture and construction, manufacturing facilities included, can be designed with cybersecurity in mind rather than as an afterthought. Buildings are critical infrastructure. Assessing vulnerabilities in crucial government and commercial facilities is labor intensive and often leaves gaps, because of the expansive nature of some facilities and the myriad of IoT and control system technologies involved in a building's management, safety and security. Reducing the labor involved in conducting assessments while increasing the visibility of assets and their configurations continues to be a challenge. In addition, there remains a largely legitimate concern that some facility-related control systems (FRCS) cannot be scanned for known vulnerabilities: the FRCS cannot tolerate the scan traffic, so scanning could cause the FRCS to malfunction, with an impact on the facility that could in turn introduce a safety risk.
IoT cybersecurity threats are increasing, and many of the technologies available today cannot detect or defend against vulnerabilities and attacks that exploit the lack of IoT cyber defenses. A typical facility has its own installed base of IoT devices, but the tenants in a facility also install and operate IoT devices that could pose a threat to the facility and its tenants. Detecting and defending against malicious AI-based cyber attacks is another topic of interest: while AI has many positive capabilities and continues to evolve, a trend line is developing that indicates AI-based cyber attacks could be devastating, and there is little in the way of tools. Counterfeit technology continues to be an active threat to US critical infrastructure; detecting vulnerabilities in devices and verifying their true origin could provide some degree of assurance for facility infrastructure. A methodology or solution that provides best practices for vetting a building's critical systems as they are selected, and before installation, as part of the design and construction process could reduce facility cyber vulnerabilities and threats.

  • Mentoring in the CyberPatriot Program By Andrew Hall

    By: Andrew Hall, CISSP Information System Security Manager at USAF April 21, 2020 Prefatory Note: CyberPatriot is the National Youth Cyber Education Program created by the US Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines. At the core of the program is the National Youth Cyber Defense Competition, the USA's largest cyber defense competition, which puts high school and middle school students in charge of securing virtual networks. The CyberPatriot program is an established IT cyber security program, exemplifying one of the outreach efforts on the (CS)2AI projected developments board. We asked Andrew Hall to submit this article on his experience in order to provide some insight into the program for those (CS)2AI members not familiar with it, and also a greater understanding of our organizational objectives in this area. ************************************************ The CyberPatriot program started in 2009 and has grown from eight teams as a test run to now over 6,000 teams. It moved from being limited to Air Force Junior Reserve Officer Training Corps (AFJROTC) and Civil Air Patrol (CAP) units to a full open division, and now even down into elementary schools, preparing children for futures in science, technology, engineering, and math (STEM) as well as cybersecurity. CyberPatriot competitions were initially geared toward the blue team (defensive) side: participants fix Red Hat and Windows (desktop and server) images while answering questions about the accounts or system configurations given to the teams within those images. More recently Cisco networking became a bigger part of the program, as well as virtual network challenges. My own first interest in the program came after getting more involved in cybersecurity at work and obtaining my CISSP in 2013. 
After becoming friends with a mentor in the program (he mentored the winning Clearfield, UT team in 2009), I became a mentor during CyberPatriot VII in 2014-2015 for open division teams in Northern Utah, where two of the teams placed in State. Mentoring a CyberPatriot team depends on the coach and team you are working with, as some are experienced while many are new to computers and security. Not all schools are equipped to participate, since teams require computers to compete. A good coach (usually a teacher) will set ground rules for the students and help facilitate the mentoring for the competition. Mentors come from many different backgrounds and levels of experience, and it is good to have a few available for teams to draw on. Teams can learn from mentors between competitions, usually in formal weekly training sessions after school, but cannot use the mentors or coach during the competition phases. It is important to have the teams run through practice images and network questions before each competition so they can ask mentors questions and learn from them. Mentors should also take time to prepare practice images if they are able to, or to run training on the main principles of securing an OS, such as how to restrict accounts, set up a firewall rule, and perform basic Cisco switch setup. Helping teams prepare for and compete in CyberPatriot challenges is a lot of work, both difficult and rewarding, no matter where the team places in the contests. Schools wanting to participate should push for mentors to commit to multiple years of participation, to support the continued growth and development of students interested in cybersecurity while also giving newcomers a place to get their feet wet. Mentors need to put forth consistent effort to help coaches and teams learn through the contest, make this a yearly activity for the school, and get veteran participants encouraging and advising newcomers. 
Mentors can then focus on providing training at different levels and help the veteran teams get better each year. Control systems may never become part of CyberPatriot, but you can influence the participants through training on all the other areas of cybersecurity while mentoring. I highly recommend working with your local schools to get them involved with CyberPatriot to provide an opportunity to youth interested in cybersecurity.
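As an added illustration of the account and configuration review described above (example code written for this page, not material from the CyberPatriot program or from the article's author), the following POSIX shell script audits the Linux account and SSH settings that a practice image typically asks students to find: extra UID 0 accounts, accounts with empty password hashes, interactive login accounts, and the sshd PermitRootLogin setting. Each check takes a file path as its argument, and the script ships with constructed stand-ins for /etc/passwd, /etc/shadow and /etc/ssh/sshd_config, so it runs without touching a live system; the account names and hashes in those samples are invented.

```shell
#!/bin/sh
# Added example, not code from the CyberPatriot program or the article author.
# Each function takes the path of the file to inspect so it can be exercised
# on constructed copies (below) or pointed at the real files on an image.

# Accounts other than root whose UID is 0: hidden root-equivalent accounts.
find_uid0_users() {          # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password hash field is empty: login without a password.
find_empty_passwords() {     # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Regular accounts (UID >= 1000, excluding nobody) with an interactive shell.
# Students compare this list against the authorised users in the scenario.
find_interactive_users() {   # $1 = passwd file
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# PermitRootLogin value from an sshd_config. sshd honours the first occurrence
# of a keyword, so the first match wins; prints "unset" if the line is absent.
sshd_permit_root_login() {   # $1 = sshd_config file
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Constructed sample files (invented accounts and hashes) standing in for
# /etc/passwd, /etc/shadow and /etc/ssh/sshd_config on a practice image.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
svc:x:1002:1002::/home/svc:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$salt$hash:18000:0:99999:7:::
alice:$6$salt$hash:18000:0:99999:7:::
bob::18000:0:99999:7:::
backdoor:$6$salt$hash:18000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

echo "UID 0 accounts besides root: $(find_uid0_users "$SAMPLE_DIR/passwd")"
echo "Accounts with empty password: $(find_empty_passwords "$SAMPLE_DIR/shadow")"
echo "Interactive users: $(find_interactive_users "$SAMPLE_DIR/passwd" | tr '\n' ' ')"
echo "PermitRootLogin: $(sshd_permit_root_login "$SAMPLE_DIR/sshd_config")"
```

On a real practice image the same functions can be pointed at /etc/passwd, /etc/shadow (readable only as root) and /etc/ssh/sshd_config. A finding is not automatically a fault: an interactive shell on an account is only a problem if the scenario's README does not list that account as authorised, which is why the script reports and leaves the decision to the student.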
