
- COVID-19 National Response Team Industry Portal
Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at DoD
https://www.afwerx.af.mil/coronavirus.html

COVID-19 National Response Team Industry Portal

In a time of unprecedented change and disruption, the Department of Defense has established the Joint Acquisition Task Force (JATF) for COVID-19 to assess and rapidly respond to challenges presented by this pandemic. To kick off the effort, we are collecting information from both government and non-government personnel who are interested in getting involved. All resources and solutions are welcome from industry, academia, venture capital firms, individual contributors and more. If you're a government employee who wants to get involved, click here.

Join the Fight: REQUEST FOR INFORMATION. Your submission will help us assess opportunities, strategize our response, coordinate solutions, and provide you further information on ways to get involved.

· Join the Effort · Mission Focus Areas · Contracting Opportunities · Additional Resources · Webinars · FAQs

Mission Focus Areas
1. Combating the Spread (predictive analytics, next hotspot, threat to current activities, decision support, etc.)
2. Welfare of citizens (effects on transportation, movement of people and goods, education and development, physical training, regular HR functions, job transition, etc.)
3. Readiness (continuing operations through the outbreak, coordinating with allies and partners, continuing long-term projects, etc.)
4. Logistics (security and protection, supply chain protection and assessment, etc.)
5. Industrial base impacts (small businesses, payments, contracts, large system programs, protection and expansion of critical assets, etc.)
6. Medical (telehealth, medical capacity and sustainment, medical supplies and equipment, etc.) Review specific urgent needs for the medical category here.
7. Other

To get involved in the Department of Defense's response efforts, non-government parties are encouraged to fill out the form below. If you're a government employee, visit our government page here.

Contracting Opportunities
COVID-19 PPE and Medical Supplies Solicitation: The Federal Emergency Management Agency released a Request for Proposal (RFP) for COVID-19 PPE and Medical Supplies. View the full solicitation here.
Air Force Small Business Innovation Research (SBIR) X20.R: The application period for the upcoming SBIR Direct to Phase II Open Topic with a COVID-19 Interest Area is open from March 30 to April 30, 2020 at 12 p.m. EST. Visit the beta.SAM solicitation for application resources and apply on the DSIP portal. If your solution addresses one of the SBIR COVID-19 Interest Areas, please send an email to COVID@afwerx.af.mil with the subject line "SBIR 20.R - [Firm Name]" and a brief description of your proposed solution.

Additional Resources
Request for Information (RFI) Form: Fill out this form for opportunities to share your capability and skill set with the COVID-19 Joint Acquisition Task Force.

Webinars
The following webinars will provide an overview of this initiative and give attendees the opportunity to ask questions.
· April 9 at 1 p.m. EST
· April 14 at 1 p.m. EST
· April 16 at 1 p.m. EST
· April 21 at 1 p.m. EST
· April 23 at 1 p.m. EST
Watch previous webinars here and download the webinar slide deck here.

FAQs
Who can be involved in the Unite and Fight effort? This initiative is open to anyone who wants to participate. We've broken our initial forms into two categories: non-government for industry, academia, investors, and individual contributors; government for Department of Defense personnel, federal and local government employees, and more.

For more information regarding COVID-19, view the following websites:
· Coronavirus Disease 2019 (COVID-19) - https://www.coronavirus.gov
· U.S. Government Response - https://www.usa.gov/coronavirus
· Coronavirus FAQ - https://faq.coronavirus.gov/
For any additional questions, feel free to shoot us an email at support@afwerx.af.mil.
- FYSA = Prismatic Pieces
Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at DoD

Expanding your pandemic reading list: "Prism" magazine specializes in presenting the thoughts (and concerns) of top national security thinkers and decision-makers in mid-length articles, short enough to be accessible for people with too much to do (all of you), but long enough to present a fully fleshed-out set of topline arguments on each topic. The editor has taken the liberty of recommending these particular articles for those with a cyber policy focus:

· NATO's Adaptation in an Age of Complexity, by General Denis Mercier (https://cco.ndu.edu/News/Article/1679427/natos-adaptation-in-an-age-of-complexity/)
· The Mandate to Innovate, by Ms. Christina Monaco (https://cco.ndu.edu/News/Article/1680572/the-mandate-to-innovate/)
· Examining Complex Forms of Conflict: Gray Zone and Hybrid Challenges, by Dr. Frank G. Hoffman (https://cco.ndu.edu/News/Article/1680696/examining-complex-forms-of-conflict-gray-zone-and-hybrid-challenges/)
· The Machine Beneath: Implications of Artificial Intelligence in Strategic Decisionmaking, by Lt Col Matthew Price, LTC Stephen Walker, CDR Will Wiley (https://cco.ndu.edu/News/Article/1681986/the-machine-beneath-implications-of-artificial-intelligence-in-strategic-decisi/)
· Interview with General John R. Allen, USMC (ret.), by Mr. Michael Miklaucic (https://cco.ndu.edu/News/Article/1683801/interview-with-general-john-r-allen-usmc-ret/)
· How is NATO Meeting the Challenge of Cyberspace, by Jamie Shea (https://cco.ndu.edu/PRISM-7-2/Article/1401835/how-is-nato-meeting-the-challenge-of-cyberspace/)
· Power Projection in the Digital Age, by Darren McDew (https://cco.ndu.edu/PRISM-7-2/Article/1401851/power-projection-in-the-digital-age/)
· A National Security Enterprise Response - Digital Dimension Disruption, by Charles Rybeck, Lanny Cornwell and Phillip Sagan (https://cco.ndu.edu/PRISM-7-2/Article/1401866/a-national-security-enterprise-response-digital-dimension-disruption/)
· Bridging the Cyberspace Gap - Washington and Silicon Valley, by Adam Segal (https://cco.ndu.edu/PRISM-7-2/Article/1401912/bridging-the-cyberspace-gap-washington-and-silicon-valley/)
· Battlefield Geometry in our Digital Age: From Flash to Bang in 22 Milliseconds, by Robert Allardice and George Topic (https://cco.ndu.edu/PRISM-7-2/Article/1402883/battlefield-geometry-in-our-digital-age-from-flash-to-bang-in-22-milliseconds/)
· Cyber Gray Space Deterrence, by Richard Andres (https://cco.ndu.edu/PRISM-7-2/Article/1401927/cyber-gray-space-deterrence/)
· Cyberdeterrence by Engagement and Surprise, by Jim Chen (https://cco.ndu.edu/PRISM-7-2/Article/1401948/cyberdeterrence-by-engagement-and-surprise/)
· A Three-Perspective Theory of Cyber Sovereignty, by Hao Yeli (https://cco.ndu.edu/PRISM-7-2/Article/1401954/a-three-perspective-theory-of-cyber-sovereignty/)
· An Interview with Marina Kaljurand, former Minister of Foreign Affairs of Estonia (https://cco.ndu.edu/PRISM-7-2/Article/1401967/an-interview-with-marina-kaljurand-former-minister-of-foreign-affairs-of-estonia/)
· Leading the National Security Enterprise, by Ronald Sanders (https://cco.ndu.edu/PRISM-7-1/Article/1298309/leading-the-national-security-enterprise/)
· European Union and NATO Global Cybersecurity Challenges: A Way Forward, by Luukas K. Ilves, Timothy J. Evans, Frank J. Cilluffo, and Alec A. Nadeau (https://cco.ndu.edu/PRISM/PRISM-Volume-6-no-2/Article/840755/european-union-and-nato-global-cybersecurity-challenges-a-way-forward/)

They are offered to you to be the first word, not the last word, on their topics.
- Attacking Air-gapped networks
Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at DoD
https://www.securityweek.com/chinese-hackers-target-air-gapped-military-networks

A threat actor believed to be operating out of China has been targeting physically isolated military networks in Taiwan and the Philippines, Trend Micro reports. Tracked as Tropic Trooper (https://www.securityweek.com/operation-tropic-trooper-hits-targets-taiwan-philippines-trend-micro) and KeyBoy, and active since at least 2011, the threat actor is known for targeting the government, military, healthcare, transportation, and high-tech industries in Taiwan (https://www.securityweek.com/cyberspies-target-taiwan-government-energy-sector), the Philippines, and Hong Kong. Previously, the group was observed targeting victims with spear-phishing emails containing malicious attachments designed to exploit known vulnerabilities (https://www.securityweek.com/keyboy-abuses-popular-office-exploits-malware-delivery), such as CVE-2017-0199.

Thanks to Mike Walsh from CyberX Labs for forwarding.
- Executive Order on Securing the United States Bulk-Power System
Submitted by: Daryl Haegley

Office of the Press Secretary
FOR IMMEDIATE RELEASE
May 1, 2020

EXECUTIVE ORDER

SECURING THE UNITED STATES BULK-POWER SYSTEM

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (IEEPA), the National Emergencies Act (50 U.S.C. 1601 et seq.) (NEA), and section 301 of title 3, United States Code, I, DONALD J. TRUMP, President of the United States of America, find that foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life. The bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.

I further find that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects. I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States. This threat exists both in the case of individual acquisitions and when acquisitions are considered as a class. Although maintaining an open investment climate in bulk-power system electric equipment, and in the United States economy more generally, is important for the overall growth and prosperity of the United States, such openness must be balanced with the need to protect our Nation against a critical national security threat. To address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States. In light of these findings, I hereby declare a national emergency with respect to the threat to the United States bulk-power system.

Accordingly, I hereby order:

Section 1. Prohibitions and Implementation.

(a) The following actions are prohibited: any acquisition, importation, transfer, or installation of any bulk-power system electric equipment (transaction) by any person, or with respect to any property, subject to the jurisdiction of the United States, where the transaction involves any property in which any foreign country or a national thereof has any interest (including through an interest in a contract for the provision of the equipment), where the transaction was initiated after the date of this order, and where the Secretary of Energy (Secretary), in coordination with the Director of the Office of Management and Budget and in consultation with the Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence, and, as appropriate, the heads of other executive departments and agencies (agencies), has determined that:
(i) the transaction involves bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
(ii) the transaction:
(A) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States;
(B) poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States; or
(C) otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

(b) The Secretary, in consultation with the heads of other agencies as appropriate, may at the Secretary's discretion design or negotiate measures to mitigate concerns identified under section 1(a) of this order. Such measures may serve as a precondition to the approval by the Secretary of a transaction or of a class of transactions that would otherwise be prohibited pursuant to this order.

(c) The prohibitions in subsection (a) of this section apply except to the extent provided by statutes, or in regulations, orders, directives, or licenses that may be issued pursuant to this order, and notwithstanding any contract entered into or any license or permit granted prior to the date of this order.

(d) The Secretary, in consultation with the heads of other agencies as appropriate, may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors. Nothing in this provision limits the Secretary's authority under this section to prohibit or otherwise regulate any transaction involving pre-qualified equipment or vendors.

Sec. 2. Authorities.

(a) The Secretary is hereby authorized to take such actions, including directing the timing and manner of the cessation of pending and future transactions prohibited pursuant to section 1 of this order, adopting appropriate rules and regulations, and employing all other powers granted to the President by IEEPA as may be necessary to implement this order. The heads of all agencies, including the Board of Directors of the Tennessee Valley Authority, shall take all appropriate measures within their authority as appropriate and consistent with applicable law, to implement this order.

(b) Rules and regulations issued pursuant to this order may, among other things, determine that particular countries or persons are foreign adversaries exclusively for the purposes of this order; identify persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries exclusively for the purposes of this order; identify particular equipment or countries with respect to which transactions involving bulk-power system electric equipment warrant particular scrutiny under the provisions of this order; establish procedures to license transactions otherwise prohibited pursuant to this order; and identify a mechanism and relevant factors for the negotiation of agreements to mitigate concerns raised in connection with subsection 1(a) of this order. Within 150 days of the date of this order, the Secretary, in consultation with the Secretary of Defense, the Secretary of Homeland Security, the Director of National Intelligence, and, as appropriate, the heads of other agencies, shall publish rules or regulations implementing the authorities delegated to the Secretary by this order.

(c) The Secretary may, consistent with applicable law, redelegate any of the authorities conferred on the Secretary pursuant to this section within the Department of Energy.

(d) As soon as practicable, the Secretary, in consultation with the Secretary of Defense, the Secretary of the Interior, the Secretary of Homeland Security, the Director of National Intelligence, the Board of Directors of the Tennessee Valley Authority, and the heads of such other agencies as the Secretary considers appropriate, shall:
(i) identify bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary that poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States, poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States, or otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons; and
(ii) develop recommendations on ways to identify, isolate, monitor, or replace such items as soon as practicable, taking into consideration overall risk to the bulk-power system.

Sec. 3. Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security.

(a) There is hereby established a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force), which shall work to protect the Nation from national security threats through the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement. The Task Force shall be chaired by the Secretary or the Secretary's designee.

(b) In addition to the Chair of the Task Force (Chair), the Task Force membership shall include the following heads of agencies, or their designees:
(i) the Secretary of Defense;
(ii) the Secretary of the Interior;
(iii) the Secretary of Commerce;
(iv) the Secretary of Homeland Security;
(v) the Director of National Intelligence;
(vi) the Director of the Office of Management and Budget; and
(vii) the head of any other agency that the Chair may designate in consultation with the Secretary of Defense and the Secretary of the Interior.

(c) The Task Force shall:
(i) develop a recommended consistent set of energy infrastructure procurement policies and procedures for agencies, to the extent consistent with law, to ensure that national security considerations are fully integrated across the Federal Government, and submit such recommendations to the Federal Acquisition Regulatory Council (FAR Council);
(ii) evaluate the methods and criteria used to incorporate national security considerations into energy security and cybersecurity policymaking;
(iii) consult with the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council in developing the recommendations and evaluation described in subsections (c)(i) through (ii) of this section; and
(iv) conduct any other studies, develop any other recommendations, and submit any such studies and recommendations to the President, as appropriate and as directed by the Secretary.

(d) The Department of Energy shall provide administrative support and funding for the Task Force, to the extent consistent with applicable law.

(e) The Task Force shall meet as required by the Chair and, unless extended by the Chair, shall terminate once it has accomplished the objectives set forth in subsection (c) of this section, as determined by the Chair, and completed the reports described in subsection (f) of this section.

(f) The Task Force shall submit to the President, through the Chair and the Director of the Office of Management and Budget:
(i) a report within 1 year from the date of this order;
(ii) a subsequent report at least once annually thereafter while the Task Force remains in existence; and
(iii) such other reports as appropriate and as directed by the Chair.

(g) In the reports submitted under subsection (f) of this section, the Task Force shall summarize its progress, findings, and recommendations described in subsection (c) of this section.

(h) Because attacks on the bulk-power system can originate through the distribution system, the Task Force shall engage with distribution system industry groups, to the extent consistent with law and national security. Within 180 days of receiving the recommendations pursuant to subsection (c)(i) of this section, the FAR Council shall consider proposing for notice and public comment an amendment to the applicable provisions in the Federal Acquisition Regulation to implement the recommendations provided pursuant to subsection (c)(i) of this section.

Sec. 4. Definitions.

For purposes of this order, the following definitions shall apply:

(a) The term "bulk-power system" means (i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability. For the purpose of this order, this definition includes transmission lines rated at 69,000 volts (69 kV) or more, but does not include facilities used in the local distribution of electric energy.

(b) The term "bulk-power system electric equipment" means items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems. Items not included in the preceding list and that have broader application of use beyond the bulk-power system are outside the scope of this order.

(c) The term "entity" means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.

(d) The term "foreign adversary" means any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.

(e) The term "person" means an individual or entity.

(f) The term "procurement" means the acquiring by contract with appropriated funds of supplies or services, including installation services, by and for the use of the Federal Government, through purchase, whether the supplies or services are already in existence or must be created, developed, demonstrated, and evaluated.

(g) The term "United States person" means any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States.

Sec. 5. Recurring and Final Reports to the Congress.

The Secretary is hereby authorized to submit recurring and final reports to the Congress regarding the national emergency declared in this order, consistent with section 401(c) of the NEA (50 U.S.C. 1641(c)) and section 204(c) of IEEPA (50 U.S.C. 1703(c)).

Sec. 6. General Provisions.

(a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

DONALD J. TRUMP

THE WHITE HOUSE,
May 1, 2020.
- FIVE WAYS THE U.S. MILITARY WILL CHANGE AFTER THE PANDEMIC
Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at DoD

By Lt. Gen. David W. Barno, U.S. Army (ret.) and Dr. Nora Bensahel
War on the Rocks -- April 28, 2020

The global pandemic is about to profoundly change the U.S. military's role in defending the United States — even if Pentagon leaders don't know it yet. As we noted in our last column, many Americans will look at the immeasurable damage wrought by the pandemic and conclude that defending the homeland from catastrophic threats is far more urgent than defending against foreign threats far from American shores. That fundamental shift is rapidly ushering in a new era for the Department of Defense, which will upend some of its bedrock assumptions about when, where, and how the U.S. military contributes to national security.

The Department of Defense has been operating under a broad national security strategy that has remained remarkably unchanged since the end of World War II. The United States has maintained a large standing military that has been forward deployed around the world to prevent direct attacks on the United States and to secure the global commons. Though the Trump administration has challenged some parts of this strategy (especially its emphasis on global allies and partners), the most recent versions of the National Security Strategy and the National Defense Strategy nevertheless reaffirmed most of its core principles.

Yet the pandemic has now suddenly and vividly demonstrated that a large, forward deployed military cannot effectively protect Americans from nontraditional threats to their personal security and the American way of life. In a deeply interconnected world, geography matters far less, and the security afforded by America's far-flung military forces has been entirely irrelevant in this disastrous crisis. The number of Americans killed by the virus is about to exceed the number of U.S. troops killed in Vietnam, unemployment is higher than it has been since the Great Depression, and the social and human toll is simply incalculable. The ultimate damage will be so great that after the pandemic, the urgent need to defend the American people from devastating threats inside the homeland will quickly displace foreign threats atop the hierarchy of national security concerns.

The inevitable national security reckoning after the pandemic will pose tremendous challenges for the Department of Defense. Since the vast majority of its efforts and its enormous budget focus on deterring and defending against external threats as far away from the homeland as possible, it will need to adapt to a deeply changed environment where serious threats inside the homeland matter far more to most Americans. There are at least five key changes that will shape the choices and decisions that lie ahead for Pentagon leaders: cyber and space will be higher priorities than land, sea, and air; reliance on forward presence will diminish; the reserve component will become much more important; legacy programs and end strength will be cut — by a lot; and the prestige of the U.S. military will be dimmed.

Cyber and Space Will Be Higher Priorities Than Land, Sea, and Air

The U.S. military currently recognizes five warfighting domains: land, sea, air, cyber, and space. After the pandemic, external threats to the United States from the land, sea, and air will become much lower national security priorities than protecting against threats to the homeland from newly emerging and unconventional dangers. For the Department of Defense, that means a much greater emphasis on the cyber and space domains. Protecting the United States from a large-scale cyber attack on the nation's critical infrastructure will become an extremely high priority, since it could harm the American people, economy, health care system, and way of life at least as much (if not more than) COVID-19 already has. As horrible as this crisis is, food, water, power, and basic medical care are still largely available throughout the country and enabled by a fully functioning internet. A concerted cyber attack could upend distribution networks, disrupt power supplies and online access, and wreak havoc on a vast range of essential services from banking to telecommunications.

Helping to defend the nation against this will almost certainly require the Pentagon to significantly expand the Cyber Mission Force. In particular, many more Cyber Protection Teams will be needed, and their mission should expand beyond their primary focus on .mil networks so they can provide much greater support to civil authorities and the private sector when requested. The newly created Space Force will also need to invest significant amounts of time and effort to protect U.S. civilian as well as military space assets, since they undergird every aspect of modern American life and are therefore tempting targets as well.

Reliance on Forward Defense Will Diminish

Forward defense has long been the cornerstone of U.S. defense strategy, but it will become less important as the focus grows on countering catastrophic threats against the homeland. In a post-pandemic world characterized by huge deficits, massive debt, and economic recession, the United States will continue to defend its most vital interests overseas: keeping NATO alive, protecting Eastern Europe from Russia, supporting Israel, and deterring conflict in Asia. But U.S. forces across the Middle East, Afghanistan, Africa, and even in some parts of the Pacific are likely to be drawn down if not withdrawn completely.

The economic crisis may also require changes to U.S. force posture in the places where military forces remain, since the sprawling network of overseas bases remains expensive. The United States spends about $10 billion a year to operate these bases, a figure that would be far higher without the very substantial amount of host nation support (which includes cash payments as well as various forms of in-kind support). Yet the global recession and rising debt levels spawned by the pandemic may make it harder for allies and partners hosting U.S. troops to continue providing such high levels of support. And here at home, the economic crisis will make members of Congress even more likely to support shuttering overseas bases in order to forestall any discussion of domestic base closures, since preserving jobs in their districts becomes even more critical at a time of such staggering unemployment levels.

The Reserve Component Will Become Much More Important

The increasing primacy of homeland defense means that the reserve component of the U.S. military may become equally if not more important to the nation than the active component, which would completely invert the traditional relationship between them. The vast majority of the military capabilities that have been used to respond to the pandemic, and that will be needed for future homeland crises, reside in the reserve component (which includes the National Guard and the reserve forces of the individual military services). The National Guard has been an especially valuable Swiss Army knife for governors and presidents, taking on a wide range of missions that have included ensuring public safety, moving critical supplies, and augmenting medical capabilities. The reserves also contain a disproportionate amount of support capabilities (such as engineering and medical units), which provide indispensable augmentation for civil authorities during domestic crises as well as reinforcements for large combat operations.

By contrast, the warfighting units that comprise most of the active component have been largely irrelevant in this crisis. The active component has provided some field hospitals, and the (mostly civilian) U.S. Army Corps of Engineers has constructed some important health care facilities, but these contributions nevertheless remain quite limited. And, unlike the active component, the reserve component simultaneously provides critical capabilities for both homeland crisis response and overseas military missions, which provides a vital hedge against foreign conventional threats.

Legacy Programs and End Strength Will Be Cut — By a Lot

As we've argued, the massive economic crisis and growing political pressures for greater domestic spending mean that the defense budget will likely plummet — and may even make the sequestration-era cuts look rosy by comparison. The combination of sharply declining budgets, less emphasis on the land, sea, and air domains, and diminishing forward presence means that expensive conventional platforms like aircraft carriers, amphibious ships, and manned fighters will likely face severe cuts. Major legacy modernization programs that were already reaching unaffordable levels (like the F-35 fighter and the Ford-class aircraft carrier) will inevitably have to be significantly scaled back, and some may be canceled outright.

The services must also accept that major cuts to end strength are inevitable, and that they will probably fall heavily on the active component. The average cost of compensating an active servicemember has grown by 64 percent during the past two decades (adjusted for inflation), and active forces require substantial training and other readiness investments so they can respond rapidly to international crises. Because personnel are so expensive, budget cuts always force down end strength numbers, as happened during the first years of sequestration. But this time around, there will also be a lot of pressure to maintain, or possibly even to increase, reserve component end strength instead of spreading the cuts evenly between the two components. The reserve component offers a tremendous amount of bang for the defense buck. It provides essential capabilities for both domestic and international crises, and it is cheaper to maintain since its personnel serve on a part-time basis and are called up only when needed. As shrinking defense budgets force tough tradeoffs, the nation may have to rely more heavily on its reserve component to preserve important warfighting and homeland defense capabilities.

The Prestige of the U.S. Military Will Be Dimmed

The U.S. military will also face a profound cultural challenge after the pandemic, as its place in American society inevitably shifts. Since September 2001, the United States armed forces have been uncritically revered by the American people. The amount of deference and praise heaped on the all-volunteer force fighting overseas for almost two decades has been enormous, and largely warranted. But it has grown so excessive that even some in uniform now find it a source of embarrassment. Every year has brought new pay raises, more benefits, and greater visibility, which has sometimes raised expectations of ever more prestige and perquisites.

Yet most of that same military, as we noted last month, has been largely on the sidelines during the coronavirus crisis. Doctors, nurses, truck drivers, and grocery store clerks are among the many types of people whose usually invisible role in making the nation function has now become blindingly obvious. Many of them are now risking their lives to keep doing their jobs, in a different but no less important way than U.S. military personnel have always done. After the pandemic, the U.S. military may receive less unchecked adulation by ordinary Americans, who have seen that there are other heroes among us every day — some of whom have sacrificed their lives during this crisis in order to keep their fellow citizens safe. Furthermore, the U.S.
military may seem far less relevant to the concerns of most Americans, especially as they demand much stronger security at home, and as a military no longer conducting large-scale combat operations recedes from public visibility. This may come as an unpleasant shock for the many U.S. servicemembers who have known nothing but extraordinary accolades since 2001. It may also harm military recruiting and retention over the long term and exacerbate the already gaping chasm between the military and the society it serves. This shift may remind servicemembers that strong public support for the military is not automatic, and that they are not the only Americans who are willing to risk their lives in times of crisis in order to protect the nation. These five changes, and others that emerge after this calamitous disruption to the nation and its way of life, will all dramatically change ways in which the U.S. military approaches its core mission of defending the country. We will one day look back upon this pandemic as a major inflection point in U.S. history. In the same way that the end of the Cold War ushered in a decade of peacekeeping operations, and the Sept. 11 attacks led to the long wars in Afghanistan and Iraq, the pandemic will lead to a new era focused more on domestic rebuilding and resilience than external threats. Pentagon leaders need to start thinking now, even while the pandemic continues to tear through the fabric of the country, about how to adapt to these trends so they can best position the U.S. military for the very different environment of the years to come. Lt. Gen. David W. Barno, U.S. Army (ret.) and Dr. Nora Bensahel are visiting professors of strategic studies at the Johns Hopkins School of Advanced International Studies and senior fellows at the Philip Merrill Center for Strategic Studies. They are also contributing editors at War on the Rocks, where their column appears monthly.
- FYSA: NSA Offers Agencies Guidance for Choosing Videoconference Tools
Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at DoD

Zoom or Not? NSA Offers Agencies Guidance for Choosing Videoconference Tools. The agency weighs in on the questions federal employees and contractors should ask as they select collaboration platforms.

By Mariam Baksh, Nextgov, April 27, 2020

Video conferencing platforms Zoom and Microsoft Teams are both FedRAMP-approved, but while Zoom offers end-to-end encryption, Microsoft Teams does not. These are just two of nine factors the National Security Agency cites in its guide to help federal workers choose commercial telework tools for “safely using collaboration services,” as necessitated by the coronavirus pandemic.

The guide, which NSA released Friday, applies only to commercial applications, and one strong recommendation from the agency is that, when possible, workers use U.S. government services such as Defense Collaboration Services, Intelink Services and others, which were designed specifically for secure government communications. But government workers still need to interact with external entities which might be sending them invitations via commercial applications, and the NSA has detailed a number of factors for them to weigh in deciding which ones to facilitate:

· Does the service implement end-to-end encryption?
· Are strong, well-known, testable encryption standards used?
· Is multi-factor authentication used to validate users’ identities?
· Can users see and control who connects to collaboration sessions?
· Does the service privacy policy allow the vendor to share data with third parties or affiliates?
· Do users have the ability to securely delete data from the service and its repositories as needed?
· Has the collaboration service’s source code been shared publicly (e.g. open source)?
· Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
· Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize U.S. government official use?

The NSA guidance includes a disclaimer noting it is not in any way an endorsement of any specific company’s service and stressed workers should make their decisions based on further consultation with information technology support or chief information officer guidance from their own agencies or departments.

Analysis by a cybersecurity expert for Project Spectrum—an initiative supported by the Defense Department’s Office of Small Business Programs—advises entities within the defense industrial base to avoid using Zoom. Among other things, the researcher cites the company’s connections to China. The Project Spectrum paper notes servers running Zoom software are located in China, along with 28% of the company’s workforce. One domestic alternative Project Spectrum recommends is Microsoft Teams. But while the NSA guide touts the benefits of open source applications, it notes that the code for Microsoft Teams is not shared.

“Open source development can provide accountability that code is written to secure programming best practices and isn’t likely to introduce vulnerabilities or weaknesses that could put users and data at risk,” reads the NSA guide.

NSA considered 13 service providers, including Cisco Webex, Google’s G Suite, and WhatsApp. Only three of the providers—Mattermost, Signal and Wickr—were listed as publicly sharing their source code. Without mentioning China specifically, NSA said country of origin should be a factor for assessing the safety of telework services. It did not classify the 13 providers according to this criterion, as it did with the other eight factors.

“Since it is well documented that some countries require that communications be provided to law enforcement and intelligence services, it may not be wise for certain USG missions to be performed on services hosted or developed under certain foreign legal jurisdictions,” NSA says. “Users should be aware that the country of origin where products were developed is not always public knowledge.”

A joint statement from the General Services Administration and the Department of Homeland Security reportedly advised federal employees to use “Zoom for Government” and not the commercial version of the company’s popular video conferencing platform. The NSA did not respond by deadline to a request for comment on whether Zoom for Government sufficiently addresses the concerns the Project Spectrum white paper raised.

Click below to download a .pdf of the NSA guidelines to teleworking
- 5 Things the Hoodie & the Hard Hat Need to Know About Each Other: Eddie Habibi & Jason Haward-Grau
By Eddie Habibi, Founder & CEO of PAS and Jason Haward-Grau, Managing Director at KPMG US, April 21, 2020

Traditionally, the worlds of IT (the hoodie) and OT (the hard hat) have been separate. That must change.

For nearly 30 years, operational technology (OT) in industrial facilities was considered relatively safe from outside hacking risk. The so-called air gap between IT and OT, paired with the heavy use of proprietary industrial control systems, created a mindset of "security via obscurity." In recent years, there have been multiple, well-publicized cyberattacks on industrial facilities, which are now occurring with greater frequency and sophistication. As a result, industrial operations leaders, IT executives, and the CEOs they report to are taking significant interest in improving OT cybersecurity.

One challenge to that effort is the different worlds IT (the hoodie) and OT (the hard hat) practitioners come from. Historically, these two groups have stayed out of each other's areas because of the deep and different complexity of the two domains and the rightful separation of responsibilities. To improve awareness, we've outlined the top five things IT and OT should learn from one another.

1. Operational facilities no longer are — and frankly never were — an island.

The air gap between IT and OT systems and networks is no longer valid, if it ever was. IT professionals have understood that a persistent, smart hacker can eventually find a way into your network. It's not a question of if but when you will be breached, and IT leaders design their security strategy based on this premise. It's time for OT to do the same. The assumptions OT has made regarding security via obscurity are also no longer valid. With the large revenue generated by industrial facilities and hazardous processes/chemicals used, hackers have been taking more interest in distributed control systems (DCSs), programmable logic controllers, safety instrumented systems, and process control networks. These systems appear as complex black boxes to most IT people.

2. IT people don't fully appreciate the meaning of OT reliability.

When discussing reliability, IT people use terms like MTTR (mean time to repair) and MTBF (mean time between failures) and, in a cloud-based world, it's common to remove a bad or compromised server and just spin up a new one. That approach doesn't fly in an industrial plant. You can't just shoot a DCS that is managing hundreds of different control valves and monitoring thousands of measurements. That can have a catastrophic impact on the personnel, the environment, and the surrounding community, not just a disruption to production and lost revenue. Today, most IT people think of servers like cattle, not pets. This has been one of the huge benefits of shared or cloud infrastructure. But this approach cannot apply when you are talking about machines that move molecules and where things can go boom — literally.

3. The concept of defense-in-depth applies to both IT and OT.

Enterprise CISOs know reliance on a single solution or silver bullet puts them at risk. This is why we implement multiple firewalls, intrusion-detection tools, antivirus software as well as identity, data, and endpoint security technologies. They create multiple layers of defense, often using multiple vendors within each layer. It's like a moat around your moat backed up by a castle wall with another wall beyond that, and so on. Embracing defense-in-depth from web apps to Level 0 components (e.g., valves, sensors, actuators, robots) that move molecules in a plant is key. The concept of defense in depth isn't foreign to the OT world, which uses a similar approach called independent protection layers (IPLs). These safety layers protect, monitor, and respond when critical measurements (such as pressure and temperature) exceed predefined boundary limits. These IPLs are also a high-consequence hacking risk. One of the most prominent industrial hacking attacks recently was the inadvertent tripping of a safety instrumented system in a major refinery. This caused the entire industrial sector to take notice.

4. There's no such thing as Patch Tuesday in OT.

In an industrial plant, changes must be well planned and coordinated with operations and maintenance groups. In the OT world, you might not be able to introduce changes more often than once a year or longer. Furthermore, many of the control systems have been in place for more than 15 years. We don't replace OT every three to five years like IT does. When managing security vulnerabilities, it's critical to take this into account. You also can't just put a network packet sniffer on a plant control network and build a comprehensive inventory and identify all vulnerabilities. You need much more granularity to see if a vulnerability exists on a specific I/O card or a controller within a DCS, and that requires capturing data from configuration backups.

5. OT needs to understand digital transformation will have a profound effect and it's going to be driven primarily from people who come from outside of OT.

Chief digital officers and chief data officers are being appointed every day. The hiring profile rarely includes an understanding of OT. This poses a challenge because these new leaders don't know what they don't know. However, it also presents an opportunity to help them understand how a "digital plant" can drive revenue growth through improved efficiency, expanded operations, and production visibility. It also means ensuring the integrity of industrial operations from both a cybersecurity and a process safety perspective is paramount, and that requires IT and OT to work together.

This article originally appeared in Dark Reading. Reprinted here with the authors’ permission.
- Enabling Telework during COVID19 By Larry Grate
By Larry Grate, Director of Technology at PREMIER System Integrators, April 21, 2020

The need for businesses to become more efficient by leveraging the data available in their manufacturing networks already had us on a high-speed chase to connect those systems. Now, with the current COVID-19 pandemic, manufacturers are racing to make those systems available remotely to support work-from-home for configuration and troubleshooting. The challenge, as we all know, is that those systems were never designed with security in mind. Even without unanticipated vulnerabilities, the protocols already operate largely unauthenticated and unencrypted. So how do you keep systems secure when time is of the essence? Several of our customers have started working to implement one or more of the following approaches.

One straightforward solution is to leverage existing virtual environments (if you have one) and spin up engineering servers so you can keep all that vulnerable traffic at home. Then, if possible, we put jump hosts in a DMZ and provide a secure way to get to that engineering server. Solutions like MS RDG or VMware View work well for this method.

Alternate solutions include installing devices with outbound-only connections to cloud servers and allowing the connections to occur in the cloud, preferably coming back to an on-premises engineering server in a DMZ but, if that’s not possible, then allowing direct access to equipment.

A third option is allowing VPN directly into their manufacturing networks, with the obvious corollary requirement of validating the security of those connections if a secure VPN solution was not already in place.

A fourth method we’re seeing is allowing a temporary internet connection to an engineering server and using a tool such as WebEx for remote control of that asset by a support person.
What has concerned me is the number of companies implementing solutions that allow connection directly into the ICS trusted environment from potentially untrusted locations. When you are in the middle of a crisis, the last thing you need is to be fighting unwanted malware with reduced staff. I understand the need to provide remote support and allow remote work, but I encourage you to consider the risks created by your choice of methods and technologies, and document everything. Make informed decisions to allow these connections in an appropriate manner. If you are unsure what that looks like, or you want more details on some of the secure options listed, then reach out to your local CS2AI chapters. Whatever you do, consider the risk, and don’t forget you have done it when this is all over.

As a side note, if possible, monitor what you have done, ideally using technical controls, especially if you are using administrative controls to disconnect your solution when it is not needed. Unfortunately, you never know who may find that connection.
- GAO Report on DoD Cyber Security Risks
Submitted by: Daryl Haegley

https://www.gao.gov/products/GAO-20-241

FYSA regarding GAO report on DOD Cybersecurity. Note that cybersecurity refers to the entire enterprise of operational, informational, strategic, tactical, administrative and infrastructure of all kinds.

GAO Report on DoD Cyber Security Risks, April 14, 2020

The following is the April 13, 2020 Government Accountability Office report, DOD Needs to Take Decisive Actions to Improve Cyber Hygiene.

From the report

What GAO Found

The Department of Defense (DOD) has not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene. Carnegie Mellon University defines cyber hygiene as a set of practices for managing the most common and pervasive cybersecurity risks. In discussions with GAO, DOD officials identified three department-wide cyber hygiene initiatives: the 2015 DOD Cybersecurity Culture and Compliance Initiative, the 2015 DOD Cyber Discipline Implementation Plan, and DOD’s Cyber Awareness Challenge training.

The Culture and Compliance Initiative set forth 11 overall tasks expected to be completed in fiscal year 2016. It includes cyber education and training, integration of cyber into operational exercises, and needed recommendations on changes to cyber capabilities and authorities. However, seven of these tasks have not been fully implemented.

The Cyber Discipline plan has 17 tasks focused on removing preventable vulnerabilities from DOD’s networks that could otherwise enable adversaries to compromise information and systems. Of these 17, the DOD Chief Information Officer is responsible for overseeing implementation of 10 tasks. While the Deputy Secretary set a goal of achieving 90 percent implementation of the 10 CIO tasks by the end of fiscal year 2018, four of the tasks have not been implemented. Further, the completion of the other seven tasks was unknown because no DOD entity has been designated to report on the progress.

The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. However, selected components in the department do not know the extent to which users of their systems have completed this required training. GAO’s review of 16 selected components identified six without information on system users that had not completed the required training, and eight without information on users whose network access had been revoked for not completing training.

Beyond the initiatives above, DOD has (1) developed lists of the techniques that adversaries use most frequently and pose significant risk to the department, and (2) identified practices to protect DOD networks and systems against these techniques. However, the department does not know the extent to which these practices have been implemented. The absence of this knowledge is due in part to no DOD component monitoring implementation, according to DOD officials. Overall, until DOD completes its cyber hygiene initiatives and ensures that cyber practices are implemented, the department will face an enhanced risk of successful attack.

While two recurring reports have provided updates to senior DOD leaders on cyber information on the Cyber Discipline plan implementation, department leadership has not regularly received information on the other two initiatives and on the extent to which cyber hygiene practices are being implemented. Such information would better position leaders to be aware of the cyber risks facing DOD and make more effective decisions to manage such risks.
- The Good, The Bad & The Ugly Of IT-OT Convergence
By: Jeff Hussey, President and CEO of Tempered Networks, March 2020

Facility managers, technology leaders and others witnessing the blend of IT (information technology) and OT (operational technology) in the modern industry likely feel an ironic connection to the 1966 classic spaghetti western, The Good, the Bad and the Ugly. Read about how to survive in this world.

We all know there are substantial benefits to be realized from a hybrid creation between the two previously disparate business units (the good). But we also understand that numerous villains lie in wait for access to the extra security loopholes created by such a convergence (the bad). Lastly, we want to prevent system downtime, costly data breaches or acts of international espionage (all ugly). Let’s dive into what it means for IT and OT to be aligned.

Living On The Edge

If the data center is the heart of your network, then consider OT to live on the edge. That edge could consist of a manufacturing floor, a building, a city street or a ship at sea. In essence, it’s whatever comprises all the endpoints of a network that require connectivity by nature of the expanding industrial internet of things (IIoT). Why do we want a machine on a ship in the ocean to communicate with the heart of its network? It’s simple: data. Big data was a concept that began many years ago, but as the IIoT continues to grow, so does the impact of data. The ability to acquire real-time information from various networking endpoints has huge benefits to nearly all industries. This is where the “good” in our scenario starts to shine.

The Good

Simply put, actively harnessing your data enables process efficiencies, better products and lower costs. A fully connected edge also brings about the convenience of a centralized location to manage all network assets. This effectively eliminates the need for technicians at remote locations to activate, deactivate or repair devices on the outer edges of the network. Also, consider the potential for increased collaboration between IT and OT teams. With shared data, these two previously separate business units will now have more common ground, which should inspire creative solutions that could benefit the entire business ecosystem.

The Bad

If the eventual harmony of IT and OT convergence is Clint Eastwood — also known as Blondie from the aforementioned film — then the countless bad actors, hackers and other network intruders represent the “bad.” Melding IT and OT not only increases the potential for more data, greater convenience and improved collaboration, but it also increases the attack surface. More devices often equate to more exposure. If businesses attempt to converge IT and OT networks by force-fitting traditional network and security tools (e.g., VPNs, firewalls and VLANs), the increased exposure will only lead to more frequent, more damaging attacks.

The Ugly

This is a problem that’s not lost on the U.S. government. The supply chain residing on the OT side has become a big target for acts of foreign espionage. There has been growing suspicion that the Chinese and Russian governments have led efforts to attack supply chains of companies, with the goal of stealing U.S. government intellectual property. As such, there is currently a bi-partisan bill (believe it or not) to counteract this particularly dangerous form of cyberattack. If the broadened attack surface is problematic enough to make the government apprehensive, manufacturing companies, utilities, transportation and virtually all industries with a presence on the edge should be taking action as well. The stakes are high when foreign interests use the supply chain as an access point to steal military and commercial secrets, disrupt utilities or endanger public safety.

Working Together To Find The Treasure

It’s still the early days, but I do meet business leaders who recognize the importance of addressing both IT and OT initiatives. Recognizing this need is one thing, but execution remains a challenge for most people I speak with. Some businesses are looking to integrators with a keen understanding of both IT and OT priorities, like KPMG, a company that brings clarity to the blurry lines between the two worlds. I find that most solution providers and systems integrators still need to invest and educate their teams on IT and OT integration strategies. Those providers that do are better equipped to create a balanced strategy to unearth that buried gold for their clients.

Set a solid foundation to prepare for IT and OT convergence by ensuring both IT and OT leadership are included in the journey. It’s vital they are closely aligned in their decision criteria. Consider these key imperatives for success:

• IT must be cognizant of the criticality for 24/7 operations of OT systems, which may be new to your IT staff.
• Reduce inherent risks with vulnerable OT systems by preventing cyber exploits and reducing human errors in network management. Both may cause catastrophic equipment failure, environmental failures or injuries.
• Realize you can reduce cost and complexity by leveraging your existing untrusted networks — no rip and replace — for secure communications and operational availability and integrity.

Connecting "things" using traditional networking is not your biggest problem. The challenge is the growing attack surface created by inadequate networking of sensors, unconventional endpoints and outdated operating systems. Instead, modern zero-trust networking with automated, policy-based orchestration tools to provide ease-of-use and scalability should be on the agenda for organizations. The risks are too severe to continue moving forward in any other way. Bad actors and international threats have forced our technological hands. Nobody wants to have an itchy techno-trigger finger, but the time to act is now.

Leaders must recognize that the world is a richer place with IT and OT teams at the same table. Because IT and OT have historically operated in silos with different objectives, a transformative networking solution is required to keep the bad guys out and prevent the ugly side effects. Follow Tuco’s advice from the film: Don’t let anyone’s spurs come into your network doors, windows or internet of things (IoT) devices. Adopt forerunners' IT/OT convergence strategies and seek zero-trust networking to reap the rewards of an expanded IIoT world, rather than lament its challenges.

Note: This article was previously published on Forbes.com
- ICS Cyber Awareness is a Critical Factor
Daniel Ehrenreich, Consultant and Lecturer, SCCE March 2020 Educating ICS cyber security shall be high on the priority list of top-floor executives. This article explains how to do this. Introduction Educating ICS cyber security shall be high on the priority list of top-floor executives. That process shall involve a) ICS operators and engineers who must expand their cyber security knowledge, b) IT experts who must learn ICS basics and also learn key topics related to ICS architectures and finally c) managers who need to make correct decisions related to allocation of resources. Boosting the awareness and knowledge of your workforce is the “P-People” part of the PPT (People-Policies-Technologies) Triad and it has the highest return on investments. This paper will highlight the most important measures and actions towards selecting the most appropriate program for your organization. Differentiating among IT and ICS Employees interested becoming ICS cyber security experts, must learn the basic principles. Once understood these guidelines, they are a step ahead towards dealing with ICS. Prior dealing with cyber security, they must study ICS basics, which are primarily focusing on layers 0-2 of the Purdue Model. Important visiting few fields sites to learn the details. The main differences are, that IT experts are focusing on assurance of Confidentiality-Integrity and Availability, and ICS experts must focus on Safety-Reliability and Productivity. Cyber defense measures for IT and IC are different. While pen-testing of IT may cause an unexpected shutdown, ICS pen-testing might lead to damage and risk of lives. IT experts are constantly patching, updating and upgrading their systems. ICS experts cannot do that, as every change or update represent a risk to operating safety and reliability. While there is no single cyber defense method to prevent an attack, the best you can do is deploying layered cyber defense combined the principles of the PPT Triad. 
Analyzing Cyber risk factors Understanding the attack vectors and the attack surface is a key principle. You may correlate these paths with the 7-steps of the LM Industrial Cyber Kill Chain Refer to the following: Non-attack factors: Consider 2 options which might affect the ICS process a) failure of a sensor, PLC or a software bug and b) incorrect action done by an authorized person. Negligence of people: Consider actions such and inserting a foreign USB stick, failure to detect social engineering attack, supply chain processes, use of simple password, etc. System oriented attacks: The adversary may attack the ICS through an internal or external utility system in buildings (HVAC, generators, data center cooling, UPS, etc. Attacking the ICS: Access to the network through a “backdoor” connection, might lead to an MitM access, DDoS attack on the ICS network, leaking out information. Attacking the process: Considering attacks on the HMI, Engineering station, PLCs, field sensors, which might manipulate the process. ICS Cyber defense methods Deployment of cyber defense on ICS shall be selected based on the risk factor, calculated by the probability of occurrence and the impact of the attack. 
· Adhere to corporate policies on the secure maintenance of ICS appliances.
· Deploy hierarchical zoning among segments that must communicate with each other.
· Use ICS-oriented firewalls, a DMZ or a data diode between the IT and ICS sections.
· Require strong authentication before connecting any device to the ICS network.
· Prevent remote access to the ICS unless it is mandatory for a critical purpose.
· Use an IDS to detect anomalous conditions at levels 0, 1 and 2 of the Purdue Model.
· Conduct periodic ICS-related assessments to find hidden vulnerabilities.
· Update the OS, antivirus and application programs only after intensive testing.
· Strengthen physical security at all field sites that attackers might reach.

Methods for educating the staff

Experts know well that a very high percentage of "successful" cyber attacks were possible, and went undetected, because of a lack of awareness and experience. Therefore, educating all personnel should be considered a mandatory requirement for ICS cyber security awareness:

· Operators and ICS maintenance engineers must upgrade their ICS cyber security skills.
· IT cyber personnel must learn how ICS architectures can be correctly protected.
· Decision makers must understand this in order to approve the budget properly.

Summary

Organizations must have a methodology for educating employees about cyber risk and response. These actions will help you prevent incidents that might risk lives, cause operating outages, damage machinery and severely damage the reputation of your organization, and they support compliance with regulations. Therefore, management's attention to ICS cyber security should be high on the priority list, and investment budgets should be approved ahead of time.

**********************

Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts in Israel. He teaches in colleges and presents at industry conferences worldwide on the integration of cyber defense with ICS. Daniel has over 27 years' experience with ICS and OT systems for electricity, water, gas and power plants, gained at Motorola, Siemens and Waterfall Security. LinkedIn
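The defense list above recommends an IDS for anomalous conditions at Purdue levels 0-2 and strong control over who may write to the control network. The following Python script is an added illustration of one such check, not code from the article or from SCCE: it learns a baseline of (source, destination, Modbus function code) flows from known-good traffic, then flags new flows, write function codes from hosts outside an engineering-station allow-list, and any write to a register designated as a set point. The record format, the IP addresses, the register map, and the rule that only the engineering station may write are assumptions constructed for this demo; real deployments would derive them from a network capture and the PLC's tag database.

```python
"""Baseline-and-deviation detection for Modbus/TCP-style ICS traffic at Purdue
levels 1-2. Added illustrative example, not code from the article or from SCCE;
the record format, hosts, register map and rules are assumptions for this demo.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Modbus function codes that change PLC state (coil/register writes); 1-4 are reads.
WRITE_FUNCTION_CODES = {5, 6, 15, 16}


@dataclass(frozen=True)
class Record:
    src: str    # source host (assumed level 2: HMI, engineering station, historian)
    dst: str    # destination PLC (assumed level 1)
    fc: int     # Modbus function code
    addr: int   # starting coil/register address


def parse_record(line: str) -> Record:
    """Parse one constructed record: 'src=10.0.2.10 dst=10.0.1.5 fc=3 addr=100'."""
    kv = dict(item.split("=", 1) for item in line.split())
    return Record(kv["src"], kv["dst"], int(kv["fc"]), int(kv["addr"]))


class IcsAnomalyDetector:
    """Learns which (src, dst, function code) flows are normal, then flags
    deviations and any write that touches a set-point register."""

    def __init__(self, engineering_stations: Set[str],
                 setpoint_registers: Dict[str, Set[int]]) -> None:
        self.engineering_stations = engineering_stations   # only hosts allowed to write
        self.setpoint_registers = setpoint_registers       # PLC -> addresses holding set points
        self.baseline: Set[Tuple[str, str, int]] = set()

    def learn(self, lines: Iterable[str]) -> None:
        """Baseline phase: record every flow seen during known-good operation."""
        for line in lines:
            r = parse_record(line)
            self.baseline.add((r.src, r.dst, r.fc))

    def check(self, line: str) -> List[str]:
        """Detection phase: return alert strings for one record (empty if normal)."""
        r = parse_record(line)
        alerts: List[str] = []
        if (r.src, r.dst, r.fc) not in self.baseline:
            alerts.append(f"new flow {r.src}->{r.dst} fc={r.fc}")
        if r.fc in WRITE_FUNCTION_CODES:
            if r.src not in self.engineering_stations:
                alerts.append(f"write fc={r.fc} from non-engineering host {r.src}")
            if r.addr in self.setpoint_registers.get(r.dst, set()):
                alerts.append(f"write to set-point register {r.addr} on PLC {r.dst}")
        return alerts


# Constructed baseline: HMI, engineering station and historian only read from the PLC.
BASELINE_LINES = [
    "src=10.0.2.10 dst=10.0.1.5 fc=3 addr=100",   # HMI polls holding registers
    "src=10.0.2.20 dst=10.0.1.5 fc=3 addr=100",   # engineering station reads
    "src=10.0.3.5 dst=10.0.1.5 fc=3 addr=100",    # historian reads
]

# Constructed live traffic to evaluate.
LIVE_LINES = [
    "src=10.0.2.10 dst=10.0.1.5 fc=3 addr=100",   # normal HMI poll
    "src=10.0.2.20 dst=10.0.1.5 fc=16 addr=40",   # engineering station changes a set point
    "src=10.0.2.10 dst=10.0.1.5 fc=6 addr=40",    # HMI host writes a set point (not allowed here)
    "src=10.0.9.77 dst=10.0.1.5 fc=6 addr=40",    # unknown host writes a set point
]


def build_detector() -> IcsAnomalyDetector:
    det = IcsAnomalyDetector(engineering_stations={"10.0.2.20"},
                             setpoint_registers={"10.0.1.5": {40, 41}})
    det.learn(BASELINE_LINES)
    return det


def run_demo() -> Dict[str, List[str]]:
    """Evaluate the constructed live traffic; maps each record to its alerts."""
    det = build_detector()
    return {line: det.check(line) for line in LIVE_LINES}


if __name__ == "__main__":
    for line, alerts in run_demo().items():
        print(line, "->", alerts or ["ok"])
```

Even the legitimate engineering-station write raises two alerts (a flow absent from the baseline and a set-point write); that is deliberate, since set-point changes are rare enough at levels 1-2 that each one is worth a human review against the change log, which is exactly the "periodic assessment" and "secure maintenance" discipline the list calls for.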
- The Safety & Security Mindset
By Larry Frenchwood CISSP, CISM, GICSP, CEH, EnscoRowan – Lead Cyber Security Specialist IT/OT, September 2019

To better understand the safety implications of OT (Operational Technology) security, we must first explore the differences between IT and OT security. IT and OT security are often bundled together as general cyber security. Nothing could be further from the truth: they are very different in implementation, operation and architecture. IT computing environments are based on information and data. OT, or Industrial Control System (ICS), environments are based on processes. These processes can involve or produce valuable data, but it is the process that is the main component in an ICS environment. Protecting information is fundamentally different from protecting processes, and the consequences differ as well. If a company loses data or information to a cyber attack or breach, the impact often means financial loss and/or reputational damage. If a company loses critical processes, the impact could be not only financial loss but also loss of human life or damage to the environment.

This leads us to the topic of this discussion: why is OT security just as important as safety? For decades in OT environments, safety has been the #1 priority. No matter the industry, wherever ICS environments are present, safety has historically been the #1 driver in operations. Only in recent years has cyber security become a priority in OT, mainly because of the increase in successful high-profile cyber attacks against ICS networks. In reality, cyber security has an ever-increasing impact on safety, and it is for this reason that we need to marry safety and security. In this new era of interconnectivity and growing business appetite for control system data, it is imperative that we explore the evolving risks this brings into the picture.
This can best be explained through an example of how cyber security can directly impact safety. Let's say we are operating a production process that manufactures a product. Creating this product involves processes that combine chemicals at various stages of production. These chemicals must be held at certain temperatures before mixing in order to avoid serious chemical reactions. These temperatures are normally controlled by programmable logic controllers (PLCs), which control the equipment that regulates the temperature of the chemicals. Typically there are set points configured in the control system that define the acceptable conditions for operating these processes: if the temperature exceeds the limits of the configured set point, the logic stops the process and alerts someone. Safety systems can also be tied to these control systems to ensure the processes do not function beyond set limits.

What if an attacker is able to modify or disable the safety systems and notifications? What happens if an attacker is able to manipulate the set points? They can essentially cause the system to allow temperatures in the chemicals that would trigger a reaction, which could result in damage or harm to people and/or the environment. This would also lead to financial loss, reputational damage and potential legal liabilities. Now we begin to understand the importance of cyber security in relation to safety in operational technology environments, and especially for ICS. There are a myriad of examples you could apply, all of which potentially have huge negative consequences.

I believe we have surpassed the days of elevating safety as the #1 priority for business or operations. In my opinion safety and security should be married to one another. You can't have safety without security, and you can't have security without safety. Both should be given equal priority from senior management in every organization.
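The chemical-heating scenario above can be run as a small simulation. The Python below is an added illustration, not code from the article or from EnscoRowan: a PLC drives temperature toward an operator set point and alarms above a high limit, and a separate safety system trips the process at a fixed limit read from its own sensor. Three runs are compared: normal operation; an attacker who rewrites the set point and moves the PLC alarm limit out of the way, against a safety system whose trip limit is not reachable over the network; and the same attack where the safety system's trip limit is configurable from the same network the attacker controls. The heater model, the temperatures and the register names are assumptions invented for the demo, not values from any real plant.

```python
"""Simulated chemical-heating loop: PLC with an operator set point, plus a safety
trip. Added illustrative example, not code from the article; the heater model,
temperatures and register names are invented for this demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Plc:
    """Basic process controller: drives temperature toward set point and stops
    the process with an alarm when the high limit is exceeded."""
    setpoint_c: float
    high_alarm_c: float
    temperature_c: float = 20.0
    running: bool = True
    alarms: List[str] = field(default_factory=list)

    def write_register(self, name: str, value: float) -> None:
        """Modbus-style register write: anyone with network reach can call this."""
        setattr(self, name, value)

    def step(self) -> None:
        if not self.running:
            return
        # Assumed heater model: close 10% of the gap to the set point each scan cycle.
        self.temperature_c += 0.1 * (self.setpoint_c - self.temperature_c)
        if self.temperature_c > self.high_alarm_c:
            self.alarms.append(f"HIGH TEMP {self.temperature_c:.1f} C")
            self.running = False   # "stop the process and alert someone"


@dataclass
class SafetySystem:
    """Independent trip on its own sensor. The trip limit is fixed unless the
    owner wires the unit so the process network can write it (network_writable)."""
    trip_c: float = 90.0
    network_writable: bool = False
    tripped: bool = False

    def write_register(self, name: str, value: float) -> bool:
        if not self.network_writable:
            return False           # write rejected: limit is not configurable remotely
        setattr(self, name, value)
        return True

    def check(self, measured_c: float) -> bool:
        if measured_c >= self.trip_c:
            self.tripped = True
        return self.tripped


def run(cycles: int, attack_at: Optional[int] = None,
        plc_writes: Optional[Dict[str, float]] = None,
        sis_writes: Optional[Dict[str, float]] = None,
        sis_network_writable: bool = False) -> Dict[str, object]:
    """Run the loop for `cycles` scans, injecting the attacker's writes at `attack_at`."""
    plc = Plc(setpoint_c=60.0, high_alarm_c=70.0)
    sis = SafetySystem(network_writable=sis_network_writable)
    max_temp = plc.temperature_c
    for cycle in range(cycles):
        if attack_at is not None and cycle == attack_at:
            for reg, val in (plc_writes or {}).items():
                plc.write_register(reg, val)
            for reg, val in (sis_writes or {}).items():
                sis.write_register(reg, val)
        plc.step()
        max_temp = max(max_temp, plc.temperature_c)
        if sis.check(plc.temperature_c):
            plc.running = False    # safety trip shuts the process down regardless of PLC logic
            break
    return {"max_temp_c": round(max_temp, 1),
            "plc_alarms": list(plc.alarms),
            "sis_tripped": sis.tripped}


# Attacker raises the set point and moves the PLC's own alarm limit out of the way.
ATTACK = {"setpoint_c": 150.0, "high_alarm_c": 200.0}


def scenarios() -> Dict[str, Dict[str, object]]:
    return {
        "normal": run(200),
        "setpoint_attack_independent_sis": run(200, attack_at=20, plc_writes=ATTACK),
        "setpoint_attack_sis_on_same_network": run(
            200, attack_at=20, plc_writes=ATTACK,
            sis_writes={"trip_c": 250.0}, sis_network_writable=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In the second run the PLC never alarms, because the attacker moved its limit, yet the process still trips at about 94 C on the safety system. In the third run nothing trips and the chemicals approach 150 C: the safety layer existed, but because it was reachable from the compromised network it provided no safety. That is the concrete meaning of "you can't have safety without security".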
It is impossible to eliminate all risks, but it is completely possible to manage risks to acceptable levels. Providing robust and effective management of risks associated with safety and cyber security is essential for ensuring the company’s safe and effective delivery of products and services.