
  • Free Admission to Virtual Official Cyber Security Summit Featuring FBI, NSA, Google, Verizon & More

    Earn 8 CPE Credits. (CS)²AI is proud to continue to partner with the Official Cyber Security Summit throughout its Official 2021 Virtual Cyber Security Summit Series. Admission is normally $95 but we have secured Exclusive FREE Admission. Secure your pass to your respective region’s Official Cyber Security Summit with code CS2AI21 at CyberSecuritySummit.com. Join us virtually and learn about the latest cyber security threats facing your company, best cyber hygiene practices, solutions to protect against a cyber attack, and much more – all from the comfort and safety of your home/office.

    Silicon Valley / Northern California - June 9
    Seattle, WA / Portland, OR / Pacific Northwest - June 23
    Philadelphia, PA - June 29
    St. Louis, MO / Oklahoma City, OK - July 7
    Detroit / MI - July 14
    DC Metro - July 21
    Chicago / IL - August 24
    Miami / South Florida - September 16
    Charlotte / Carolinas - September 23
    Columbus / OH - September 30
    Scottsdale / AZ - October 13
    New York Metro - October 20
    Los Angeles - October 27
    Boston / New England - November 17
    Houston / San Antonio - December 2

    Hear from thought leaders from the NSA, U.S. DHS / CISA, Center for Internet Security, Verizon, Darktrace, Google, IBM, Cybercrime Support Network, and many more.

    Please note: These virtual events are for C-Suite/Senior Level Executives, Directors, Managers, and other Cyber Security Professionals & Business Leaders. Those in Sales/Marketing and Students are not permitted. You are welcome to share this invitation with your IT Security Team & Colleagues also. Attendance is limited so please RSVP today to confirm your participation.

    If you are interested in speaking/sponsoring at an upcoming Cyber Security Summit, please contact Megan Hutton at MHutton@CyberSummitUSA.com. For full details and registration, please visit https://CyberSecuritySummit.com/

  • Colonial Pipeline Cyberattack

    Submitted by: Steve Mustard, President & CEO at National Automation, Inc. and (CS)²AI Fellow
    May 16, 2021

    REGISTER HERE FOR OUR SPECIAL INCIDENT DEBRIEF THURSDAY, MAY 20 @11:30AM - 1:00PM EST

    If your incident response plan for recovering from a ransomware attack is to pay the ransom, you need to rethink your plan. Reporting indicates that Colonial Pipeline did just this, and still ended up recovering their billing system from backups.

    Some voices in the ICS security community have pointed out that Colonial Pipeline’s ransomware incident involved IT, and not ICS equipment. While this is true, in a critical infrastructure organization this distinction is surely meaningless. The IT and ICS equipment is there to provide a series of services that allow the company to operate, and impacting any equipment to the point where operations are shut down has serious implications for the nation. In this case that meant panic buying and gas shortages across the southeast of the country, and the potential for interruption of critical services, such as airports, that are dependent upon fuel supply.

    Whenever there is an attack on a critical infrastructure organization, we in the ICS security community should be concerned. We should also help organizations like Colonial Pipeline learn from such incidents to improve their response plans for all scenarios, IT and ICS.

    Will this incident trigger some long-awaited action from critical infrastructure operators to improve their security posture? Back in 2005 I organized a conference in the UK on security of distributed control systems and said “Process automation systems are key to the organizations behind the UK’s Critical National Infrastructure (CNI) as they both monitor and control critical processes involved in the production and transportation of gas, electricity and water. As these systems become more ‘open’ – using Ethernet, TCP/IP and web technologies – they become vulnerable to the same threats that exist for normal IT systems”.

    Sixteen years later we are still saying the same thing, but given the fact that incidents like Colonial Pipeline, Oldsmar, Ellsworth, and others continue to happen, it appears we are still not adequately addressing this problem. It is unfair to say that all critical infrastructure operators have the same security posture. Many operators are taking action, but the type of incidents we see indicate that we still collectively have a long way to go.

    As cyber incidents like Oldsmar, Ellsworth, and Colonial Pipeline continue to make the news, along with non-cyber incidents like the Texas freeze, there will be increasing pressure on the government to take action. Regulations already exist in some sectors, notably electricity and chemical. Views vary on the effectiveness of the regulatory approach. Many see the approach as a check-box exercise, and even the threat of fines for non-compliance does not deter some operators – Duke Energy was fined $10M in 2019 for 127 violations of NERC CIP, many of which were easily actionable, such as providing awareness training to employees.

    Reporting indicates that Colonial Pipeline did have cyber insurance with $15M cover. Although there is no confirmed reporting that their insurer did pay, it is likely. Perhaps this is one reason why some critical infrastructure operators are not making more effort to reduce their risk. This form of risk transfer may, on the surface, seem effective: Colonial Pipeline may have incurred little or no financial loss as a result of this incident, depending on what the insurance policy covered. This raises the question of how long insurers will be prepared to support this transfer of risk within the current parameters. Perhaps policies will become prohibitively expensive, or even not offered, to operators who cannot demonstrate a basic level of cybersecurity preparedness, such as a good incident response plan supported by regular validation exercises.

    While there may not be regulations for all critical infrastructure sectors, there are international standards that can be used to define the reasonable expectations of an operator. The ISA/IEC 62443 standard, security for industrial automation and control systems, defines the requirements for a cybersecurity management system needed to manage cybersecurity risk in critical infrastructure organizations that depend on ICS equipment. Some sectors already base their internal policies on this standard, but it is clear that it is far from universal across all sixteen sectors in the US.

    Some may say that the likelihood of a cybersecurity incident in an ICS environment is vanishingly small. Even if this is true, the consequences of such an incident are extremely serious, and high impact, low probability events must be properly managed – they cannot be dismissed simply because they have either never happened or seem unlikely. In many cases, even moderate expectations such as the application of basic cyber hygiene are not being met in our critical infrastructure operations. We are long past the point where this is acceptable.

  • Announcing the (CS)²AI-KPMG 2021 Control System Cyber Security Survey & Report

    By Derek Harp, (CS)²AI Founder, Chairman and Fellow
    April, 2021

    I am proud to announce today that the work to produce the 2021 (CS)²AI-KPMG Control System Cyber Security Report has begun! I would like to ask you to join our Members helping Members effort by doing two things today:

    1. Contribute to the body of knowledge and be one of the first to participate in the 2021 CS2AI annual survey right now today!
    2. Share this article and/or the survey link with your network.

    As the (CS)²AI organization continues to rapidly grow and evolve, foremost in my mind is the alignment of the diverse interests of key stakeholders among the people who make up our community. We are committed to increasing the range of respondents in every way to ensure the insights drawn from the data represent as many different stakeholders as possible. In studying the data for our 2020 report, we did find some things we want to understand more, and one of those is the coloration of answers from very different respondents. If we assume typically that leadership sets the goals and provides the resources needed to achieve those, it follows that operations focuses on using the supplied resources to accomplish the mission. Yet when looking at top priorities reported by these two groups, we find that executives and non-executives do not always hold the same set of targets.

    One area in which these two groups were in relatively close agreement is the low prioritization of cloud-based services in their control system environments. This caught my eye because the use of those same services is a major component of the technology trends variously referred to in terms such as the IT-OT Convergence, Industry/Industrie 4.0, Digital Transformation, and Smart Factories (Cities, Grids, etc). Few if any control systems remain without multiple connections to one or more clouds, each creating potential exposures for attackers to exploit. So why isn’t the security of these connections and the services running over them a top priority? We have some clues and are working on further research to dig deeper into this question.

    Probably our greatest area of success in this research project has been identifying some clear differences between organizations at opposite ends of the cyber security program maturity scale. Areas like the use of managed security services and the frequency and thoroughness of cyber security assessments may seem self-evident places to find these differences, but we found the groups diverged in other important ways as well, such as what security technologies they had implemented and which attack vectors were used in cybersecurity incidents in their environments. It is findings like these, ones that help organizational leadership identify the gaps their teams can target for the greatest potential security ROI, that we search for most diligently.

    The range of threats, exposures and vulnerabilities, and the array of methods and tools to protect our people and assets against them, are dynamic and vast, while the resources which can be brought to bear are always going to be limited. The need to work smarter, to maximize the effectiveness of the people, skills and funds, is what drives demand for key decision-making tools, and I’m very glad to say that feedback for (CS)²AI’s first annual control system cyber security report has confirmed we achieved our goal in creating such a tool. If you did not get a chance to review the 2020 (CS)²AI-KPMG Control Systems Cyber Security Annual Report, a free copy can be downloaded here: https://www.cs2ai.org/reports

    I would like to thank our title sponsor and Platinum Strategic Alliance Partner, KPMG, for continuing to underwrite and contribute resources to this project and decision support tool for the community. I also would like to thank Waterfall Security Solutions, Fortinet, Tempered, Industrial Defender, Verve, Applied Risk, Bedrock Automation, Fend and GBQ for joining the effort to make the research and annual report better each year.

  • Making the National Cyber Director Operational With a National Cyber Defense Center

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://www.lawfareblog.com/making-national-cyber-director-operational-national-cyber-defense-center
    By James N. Miller, Robert Butler
    Wednesday, March 24, 2021

    The Biden administration has doubled down on cybersecurity, adding two senior positions in the Executive Office of the President: a new deputy national security advisor for cyber and emerging technology and a new national cyber director. To avoid churn within the administration and confusion elsewhere, the administration should clearly define the roles of these two positions. Perhaps the most critical role for the Office of the National Cyber Director (ONCD), one unsuited for the deputy national security advisor, is to lead interagency planning and operational coordination for cyber defense; it should fulfill this role through a new National Cyber Defense Center (NCDC).

    The United States needs a proactive whole-of-nation cyber defense campaign to bolster national security in the face of adversaries’ sustained efforts to steal U.S. intellectual property, sow disinformation, gather sensitive intelligence, and prepare to disrupt or destroy U.S. critical infrastructure through cyberspace. This cyber defense campaign should have four key elements: cyber deterrence, active cyber defense, offensive cyber actions in support of national cyber defense, and incident response. Planning and coordinating such a cyber defense campaign is an inherently interagency task, but it would fit poorly in the National Security Council (NSC) because of the NSC’s past difficulties with operational roles and its staff ceiling of 200. Such interagency planning and coordination would also fit poorly in the departments of Homeland Security, Defense, or Justice, or in the intelligence community, because none of these institutions has the full range of authorities necessary to the task.

    An NCDC needs to comprise personnel detailed from key departments and agencies, and liaisons from the private sector. Fortunately, such staffing is implicitly authorized in the recent legislation creating the ONCD. The degree of whole-of-government and whole-of-nation planning and coordination we propose for the NCDC would go beyond what the Cyberspace Solarium Commission has specifically recommended for the ONCD. This comprehensive approach is essential in the face of adversaries who are deliberately exploiting the seams between U.S. departments’ and agencies’ authorities, and between the U.S. government and the private sector. Without an NCDC, the ONCD will fail to move the needle in improving the U.S. cybersecurity posture.

    Roles of the National Cyber Defense Center

    The NCDC would conduct cyber defense campaign planning and coordinate U.S. government actions below the level of armed conflict, while also conducting contingency planning for cyber defense in the event of crisis or war. In support of each of these roles, the NCDC would plan and coordinate four intertwined lines of effort: cyber deterrence, active cyber defense, offensive cyber actions in support of defense, and incident management.

    On a day-to-day basis, below the level of armed conflict, the NCDC would plan and coordinate a sustained cyber defense campaign across the U.S. government, while also enabling appropriate coordination with the private sector, state and local governments, and key allies and partners. This cyber defense campaign would focus particular attention on China and Russia, as the most capable cyber adversaries of the United States, but would also address North Korea, Iran, the Islamic State and other cyber adversaries. The importance and urgency of having a proactive, coordinated and sustained whole-of-nation cyber defense campaign is difficult to overstate. The stakes in the ongoing competition below the level of armed conflict include the health of U.S. democracy, social cohesion, and U.S. technology advantages that undergird the nation’s military edge and economic growth.

    The NCDC would also lead interagency contingency planning for cyber defense of the United States in the event of a crisis or conflict. The most important work would focus on China and Russia, which have extensively infiltrated U.S. critical infrastructure with implanted cyber capabilities of a scale and sophistication that far exceed any other potential U.S. adversaries. In the event of a severe crisis or conflict, China and Russia could use cyber weapons to hobble the U.S. military, cripple the U.S. economy, and sabotage systems that deliver life-critical services—all while conducting cyber-enabled disinformation and deception efforts to sow discord among the American people.

    Contingency planning for cyber defense in crisis or conflict would improve the U.S. posture to deter aggression or coercion and would also inform cyber defense campaign efforts below the level of armed conflict. On the one hand, an overly passive U.S. approach below the level of armed conflict could invite adversaries to keep pushing out the limits until U.S. leaders finally feel compelled to respond with decisive force. On the other hand, an overly aggressive approach by the United States could cause a spiral of escalation. A well-calibrated approach in peacetime—based on an assessment of adversary interests and goals, and an explicit assessment of escalation risks (which requires contingency planning for crisis or conflict)—is needed to minimize the prospects of both failed deterrence and inadvertent war.

    More broadly, U.S. cyber defense activities in peacetime provide the essential foundation for cyber operations in crisis or conflict, and so are essential to improving the U.S. ability to deter war. The organizations, processes, and trust relationships needed to inform and shape an effective active cyber defense of U.S. critical infrastructure, rapid decision-making for coordinated countermeasures at home and offensive cyber operations overseas, and cyber incident management cannot be created instantaneously when a crisis arises—they must be developed, exercised, and matured in peacetime if they are to be available in the event of crisis or conflict. U.S. peacetime cyber activities, including private-public partnerships that enable the real-time sharing of sensitive information and coordination of actions, provide a “platform” for cyber operations in crisis and conflict; adversary perceptions of these U.S. capabilities in action can help to reduce the risk of great power war.

    In furtherance of these two roles, the NCDC would plan and coordinate four interrelated lines of effort.

    Cyber deterrence aims to reduce adversaries’ perceived benefits and increase the perceived costs of major cyber intrusions, attacks or cyber-enabled campaigns. Such sustained adversary efforts have included China’s theft of intellectual property and Russia’s efforts to sow domestic discord in the United States. Because of the extensive vulnerabilities of existing U.S. networks, deterrence by denial will not be adequate against advanced adversaries, particularly China and Russia. Deterrence by cost imposition will be essential; this requires intelligence-driven planning to help policymakers assess what responses may be sufficient to promote deterrence but not so strong as to lead to undesired escalation. Shifting from a reactive to a proactive cyber deterrence posture will require integrating diplomatic, informational, military, financial, intelligence, and law enforcement tools, as well as coordination with the private sector and U.S. allies and partners.

    Active cyber defense presumes that advanced adversaries, China and Russia in particular, have substantial resources and highly skilled teams that will allow them to penetrate even well-protected U.S. networks and systems. Active cyber defense aims to rapidly detect and mitigate intrusions, increase the attacker’s “work factor” (time and resources required to achieve its aims by expanding laterally, exfiltrating information, and the like), and reduce the attacker’s confidence that intrusions have succeeded and that any information extracted is accurate. Examples of active cyber defense tactics include “hunting” for cyber intrusions on one’s own (and partners’) networks, creating “honeypots” and “tarpits” to lure and trap cyber intruders in decoy servers, embedding false information on networks that may mislead intruders, and publicly releasing insights into adversary cyber tools and tradecraft. Active cyber defense is increasingly being conducted by both the U.S. government and the private sector, but not in a comprehensive coordinated campaign approach. There is much room for improved sharing of operationally relevant (timely and specific) information, intelligence and insights.

    Offensive cyber actions in support of cyber defense can be both necessary and appropriate, as exemplified by U.S. Cyber Command’s reported operations to thwart the Russian Internet Research Agency troll farm in the 2018 and 2020 U.S. elections. While the Defense Department would retain the lead for offensive cyber operations, embedding its cyber defense-focused efforts in an interagency campaign would better posture the U.S. to deal with the reality that cyber adversaries are operating increasingly from within U.S. territory as well as overseas (as was reportedly the case in the expansive SolarWinds and the Microsoft Exchange cyber penetrations). U.S. Cyber Command’s actions in support of the 2018 and 2020 U.S. elections have been widely applauded for being carefully considered and well coordinated. However, as adversaries increasingly buy, lease, or hijack U.S. infrastructure to conduct subsequent cyberattacks, the United States will need greater interagency coordination between the actions taken domestically and abroad to be successful.

    Cyber incident response will always remain a key part of U.S. cyber defense efforts, quite simply because the United States faces capable and committed cyber adversaries. Unlike the other lines of effort proposed for the NCDC, a well-rehearsed interagency process for cyber incident response is already established. However, because cyber incident response is so intertwined with the other NCDC lines of effort, the NCDC should provide oversight of interagency Cyber Unified Coordination Groups. These were established under Presidential Policy Directive 41 to coordinate U.S. government responses to major cyber incidents. In parallel, the NSC would be able to shift its focus from operational coordination to strategic decision-making and oversight, including prioritizing U.S. government support in the event of widespread cyber intrusions or attacks, and holding the NCDC and the national cyber director accountable for conducting its operational role.

    To enable the NCDC’s planning and coordination efforts, it will need to share information and provide a shared perspective of the current situation including a visualization of potential developments, and do so at appropriate classification levels. This requires not only a platform for secure information sharing but also a platform for conducting (human and machine) simulations and analyses aiming to anticipate the most likely and most dangerous future adversary courses of action—including responses to actions that the United States might take. Providing shared perspectives on the current situation and future developments, through tailored visualization tools based on a wide range of data sources, and at various classification levels, would be a key role of the NCDC. Such a continuous net assessment process could not “predict” precisely what the adversary will do, but over time with continued reality-testing it would help improve the United States’ ability to anticipate, deter, defeat and/or respond swiftly to potential adversary courses of action. A continuous net assessment process for cyberspace would be supported by intelligence/counterintelligence assessments and informed by tabletop war-gaming, modeling and simulation, and results from cyber range activities. Such a net assessment process would help highlight areas where additional information and intelligence is most needed. Because adversaries are adapting as they exploit emerging cyber vulnerabilities, this net assessment process could also generate testable hypotheses regarding next adversary moves, so that intelligence assets can be directed appropriately, defensive measures taken and offensive measures preplanned. To counter adapting adversaries, this net assessment process must exploit new technologies such as artificial intelligence and machine learning.

    NCDC Organizational Structure and Staffing

    Figure 1, which shows a potential organizational structure for the National Cyber Defense Center, illustrates the need for interagency planning and coordination outside the U.S. government to improve U.S. cyber posture.

    Figure 1. Potential organizational structure of the National Cyber Defense Center.

    The director of the NCDC would report to the national cyber director. The organizational structure of the NCDC could, and probably should, evolve over time, but a few guiding principles should be followed:

    - The NCDC director should be a senior civilian with both senior-level U.S. government and private-sector experience, and the support of the national cyber director and the deputy national security advisor for cyber and emerging technology.
    - The vice director should also be an experienced public leader, with complementary expertise and background, and would likely be active duty, a reservist, or a member of the National Guard.
    - Deputy directors should, as a group, have experience across all key departments and agencies, including the departments of Homeland Security, Defense, Justice, State, and Treasury, as well as various elements of the intelligence community.
    - Offices should be organized not by department or agency, but by function, with each having an interagency composition and composed mainly of detailees from key departments and agencies.
    - To ensure a continued focus on cyber adversaries, critical planning and coordination activities should be organized as “country cells” (China, Russia, and the like), staffing for each of which would be drawn from multiple departments and agencies.

    Federal cyber centers, such as the Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Central, would continue their work, while supporting planning and coordinated campaigns orchestrated by the NCDC. Similarly, the intelligence community’s Cyber Threat Intelligence Integration Center would see the NCDC as a critically important customer—even as it continued to provide strategic intelligence to the NSC—as it would build on its capacity to provide operationally relevant and timely intelligence to the NCDC. The NCDC would be an extraordinarily lucrative target for cyber espionage and attack and, as such, it would need a top-notch chief information officer and chief information security officer, who would both need to exemplify as well as enable a diverse set of advanced tools and techniques for active cyber defense.

    How a National Cyber Defense Center Would Operate

    The NCDC’s interagency staff would conduct planning, coordinate already-approved interagency actions, and raise new proposals and any concerns regarding department or agency noncompliance with the NSC. The NCDC director would also request approval for new activities from the department(s) or agency head(s) with the requisite authorities, sending the request simultaneously to the deputy national security advisor for cyber and emerging technology for interagency consideration. The deputy national security advisor would have the prerogative—and the responsibility—to determine whether to call for NSC meetings, and if so with what urgency at what level (full NSC chaired by the president, Principals Committee chaired by the national security advisor, Deputies Committee chaired by the deputy national security advisor, or a supporting interagency working group).

    For extremely urgent decisions, department and agency heads could approve actions prior to interagency consideration. In this case, an operation could be initiated before the NSC had given its concurrence. The relevant department or agency head would be accountable to the president for justifying the choice to proceed. In cases that involved both urgency and limited escalation risks, this decision authority could be delegated further over time, with the objective of having as many actions as reasonably possible delegated to department and agency heads. Of course, the president may still direct execution, or nonexecution, of a proposed new activity at any time.

    Making Use of the Office of the National Cyber Director’s Authorities

    The legislation creating the Office of the National Cyber Director (ONCD) specifies a range of responsibilities that would be appropriately executed by the NCDC. Table 1 shows that the enabling legislation for the ONCD already provides authorities for each of the four key lines of effort proposed for the NCDC, as well as for the coordination of U.S. government engagement with the private sector.

    Table 1. NCDC-related responsibilities and the associated statutory text highlighting the national cyber director’s relevant responsibilities.

    Why the ONCD Is the Right Place for the NCDC

    The NCDC would not fit in the NSC, quite literally, given the legislative cap of 200 personnel on NSC staffing. Even if the cap were increased, the NSC staff should be focused on coordinating and overseeing the implementation of strategy and policy, not conducting ongoing campaign planning and coordinating operations. Placing the NCDC in CISA, or in another department or agency, would be a prescription for failure. Developing and coordinating the execution of national campaign and contingency plans for cyber defense—plans that really matter—will require departments and agencies to share sensitive operational planning and intelligence; a standing interagency body in the Executive Office of the President is needed to make this work. In addition to the question of location is the question of seniority: An NCDC director reporting to the CISA director would sit two levels below the Deputies Committee, whereas an NCDC director reporting to the (Principal-level) national cyber director could operate at the Deputies level. Anyone with experience working in the U.S. interagency process understands how important these differences of location and seniority would be in practice.

    This reality raises a bit of a conundrum: In the same defense authorization bill that created the ONCD, Congress mandated the creation of a Joint Cyber Planning Office (JCPO) in CISA with the mission of developing plans for cyber defense operations. Congress might in principle be persuaded to reverse itself, but there is another viable option: The director of the JCPO could be dual-hatted as the lead for private-sector and state/local government engagement in the NCDC. Wearing the CISA “hat,” this person could make use of all Homeland Security authorities as JCPO director; wearing the NCDC “hat” with presidential top-cover, this person would have significant additional influence with others beyond the reach of Homeland Security authorities, including national security departments and agencies, and U.S. allies and partners.

    Setting a Course for Success

    Like all organizations, an NCDC will have growing pains and will make mistakes. The goal for the U.S. cyber posture should be to advance to a new national cyber defense culture and an organization within the next 18-24 months. This timeframe will allow for mistakes and learning to arise from war games and simulations, rather than in the real world. The NCDC could achieve an initial operating capability with fewer than 100 personnel, perhaps with as few as 30 to 40. Although the enabling legislation for the Office of National Cyber Director caps total personnel at 75, the legislation specifically allows for the ONCD to “utilize, with their consent, the services, personnel, and facilities of other Federal agencies.” Thus, for example, a 100-person NCDC that was 60 percent detailees would count only against 40 of the allowed 75 Office of National Cyber Director slots.

    To succeed over time, the NCDC will need to compete successfully for its share of talented cyber professionals. Given the importance of this national center, the president might direct department and agency heads to provide their best personnel to field an all-American cyber defense “dream team” and could further make a personal appeal to industry CEOs. Over the course of a decade or so, after there had been five or more rotations of detailed/assigned personnel from the U.S. government and private sector, there could be a cadre of 250 or more highly trained, experienced, and networked personnel who had rotated through the NCDC. This reality creates an important opportunity for the NCDC to serve as a flywheel for interagency and national-level training and education on cyber defense (including in particular experiential learning through exercises and real-world operations). An NCDC leadership team would work to maximize this benefit, through training and education efforts, and the encouragement of continued professional relationships among those who had served in the NCDC.

    If an NCDC existed today and functioned reasonably well in its planning and operational coordination missions, and in its net assessment function, any proposal for its elimination would clearly create a major gap in the ability of the U.S. government to compete in cyberspace below the level of armed conflict and, if necessary, to coordinate national cyber defense in the context of a crisis or war. That gap exists today, and is evident to U.S. competitors and adversaries, thus putting U.S. national security at avoidable risk.

    This piece is based on research supported by the Johns Hopkins University Applied Physics Laboratory (APL), where the authors serve as senior fellow (Miller) and consultant (Butler). The views expressed are solely those of the authors, and not of any U.S. governmental agencies or departments, of APL, or of any other organizations.

  • Host Dave Whitehead delves into the future of electric power in his podcast: Schweitzer Drive

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://selinc.com/company/podcast/

    Episode 14: Safeguarding Civilization: A Few Thoughts on Cybersecurity with Robert Lee.

    In our increasingly technology-dependent world, cybersecurity threats have become an unfortunate feature of our daily lives. So many of us have been victims of identity theft or data breaches. But what happens when the target is an industrial control system like those that control large campuses, industrial operations, or the power grid? In this episode, Dave Whitehead talks about industrial control system cybersecurity with Robert M. Lee, the CEO of Dragos and a leading expert in the fields of industrial security incident response and threat intelligence.

    You might also be interested in Episode 5 - Supply Chain Management: Getting Parts to Make Parts, and Episode 4 - The Need for Speed and the Future of Power System Protection.

  • The United States has a major hole in its cyber defense. Here’s how to fix it.

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://www.washingtonpost.com/opinions/2021/03/28/united-states-has-major-hole-its-cyberdefense-heres-how-fix-it/

    Opinion by: Robert M. Gates
    March 28, 2021 at 8:00 a.m. EDT

    Robert M. Gates served as director of central intelligence from 1991 to 1993 and as defense secretary from 2006 to 2011.

    In recognition of the danger posed by foreign cyberattacks against the U.S. military, economy, infrastructure and political system, I directed the creation of U.S. Cyber Command on May 21, 2010. I concluded that the mission to defend “the nation from significant cyberattacks” required a new, overarching military command, consolidating previously disparate units into one integrated command structure. For Cyber Command to be able to respond instantly to attacks, the commander also had to be in charge of the National Security Agency, the only U.S. institution with the capability to defend the country against such attacks and retaliate. Cyber defense and cyber offense, I was convinced (and still am), needed to be commanded by one person. The commander of Cyber Command could not be in the position of having to ask for or negotiate NSA support, thus increasing the danger of delays in our response time.

    Even in 2010, we recognized a fundamental legal and structural problem in defending the United States against cyberattack: The Defense Department and NSA had limited legal authority to defend against such an attack originating inside the United States. By law, primary responsibility for defending against domestic-based attacks belonged to the Department of Homeland Security. Unfortunately, DHS had the authority but little capability.

    More than 10 years later, that conundrum continues to make the country vulnerable to attacks initiated from abroad but launched from within this country, such as the SolarWinds attack (likely of Russian origin) and those against Microsoft’s Exchange servers (likely of Chinese origin). Some contend the solution is for the government to partner with private-sector companies. Others argue that Congress should give NSA additional authority to conduct cyber defense domestically — thus breaking the decades-long prohibition against intelligence agencies operating inside the United States. The latter path is almost certainly not politically feasible. And any kind of formal partnering with the private sector is likely to encounter resistance from most such companies and, in any case, would be challenging to operationalize in such a way as to provide the necessary rapid responses. (That said, improved informal cooperation between the government and private cybersecurity companies could enhance protection of the U.S. private sector.)

    The NSA is the only U.S. government organization with the vast capabilities to conduct both cyber defense and cyber offense at home and abroad. Civil libertarians and privacy advocates might hope to see creation of a purely domestic organization to defend against attacks launched from within the United States — with appropriate legal safeguards — but that is a fantasy. There is not enough money, human talent or time to establish a domestic equivalent to the NSA.

    We recognized this dilemma in 2010 within weeks of establishing Cyber Command. In an attempt to resolve it, I reached out to then-DHS Secretary Janet Napolitano with a proposal that would organizationally empower her department to draw directly on NSA resources to deal with cyberattacks originating inside the United States. Recognizing DHS’s legal authority and responsibility for cyber defense internally, I proposed that we agree to appoint a “dual hat” senior DHS officer who would also serve as a deputy NSA director with the authority to task the NSA in real time to defend against cyberattacks of domestic origin. That deputy director would have her or his own legal staff and general counsel, and we would create firewalls and regulations to ensure that DHS tasking would be kept separate from and follow different rules than the foreign intelligence operations of the NSA.

    Napolitano and I took this proposal to President Barack Obama, who, after proper vetting by the Justice Department and White House lawyers, authorized us to implement this proposal. Sadly, the initiative came to naught, mainly because of bureaucratic foot-dragging and resistance.

    I still believe the most expeditious path to an effective U.S. defense against cyberattacks launched from within the United States — through servers located here or other means — is to return to the initiative of a decade ago: to enable DHS to fulfill its domestic cyber defense responsibility through new arrangements giving it authority to use NSA’s incomparable resources with appropriate structural and regulatory safeguards. The challenge for DHS Secretary Alejandro Mayorkas and Defense Secretary Lloyd Austin would be to ensure that their designees make the arrangement work.

    SolarWinds and the attack on Microsoft make clear that prompt action is necessary. The approach we devised in 2010 would not require new legislation and could be implemented quickly. We are under attack. There might be a more elegant solution to our vulnerability, but a better means of defense is available now.

  • Podcast host Dave Whitehead talks with SEL power systems experts about issues with Texas power grid

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://selinc.com/company/podcast/texas-blackout/

    Safe, reliable, and economical electric power is essential to our daily lives. The recent events in Texas are a reminder of just how important these adjectives are when it comes to providing power for homes, daycares, schools, businesses, hospitals—and the power generation facilities themselves. In this episode, Dave Whitehead talks with SEL power systems experts Dr. Ed Schweitzer and David Costello about what happened and how to prevent it from happening again.

  • The ICS Village and partners present Hack the Capitol 4.0.

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Register: https://icsvillage.us12.list-manage.com/track/click?u=ca4975df02e0625e3721731c7&id=f05e918fbf&e=f3e775d837

    The ICS Village, in partnership with the R Street Institute, the Cyber Bytes Foundation, and the National Security Institute, presents Hack the Capitol 4.0. This event will be held virtually on Tuesday, May 4th from 9:00am - 5:30pm EDT. Hack the Capitol 4.0 is a day-long, multi-track event designed to educate congressional staffers, scholars, and press on some of the most critical cybersecurity challenges facing our nation today.

    Hack the Capitol 4.0 delivers programming along three tracks:
    1) Policy Panels and Presentations, including keynotes and fireside chats by leading government officials;
    2) “Technical Talks” designed to offer a deep dive into leading issues in cybersecurity; and
    3) An Exhibition Hall, with demonstrations (including hands-on) of industrial control systems.

    RSVP < https://icsvillage.us12.list-manage.com/track/click?u=ca4975df02e0625e3721731c7&id=f05e918fbf&e=f3e775d837 > to participate in this free virtual conference with leading experts in cybersecurity. Attendees at last year’s Hack the Capitol 3.0 heard keynote speeches by Rep. Mike Gallagher (R-WI), Sen. Maggie Hassan (D-NH) and Sen. Mike Rounds (R-SD), and heard first-hand from top officials at the Departments of Energy and Homeland Security, leading national security journalists, and industry experts.

  • Facility Cybersecurity Framework (FCF) offers self-assessment tools for hardening your facilities

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Discover Tools: https://facilitycyber.labworks.org/

    FCF helps facility owners and operators manage their cyber security risks in their OT & IT networks. FCF strictly follows the NIST Cybersecurity Framework (CSF).

  • Chairman's 2021 New Years Letter

    By Derek Harp, (CS)²AI Founder, Chairman and Fellow
    January, 2021

    Happy New Year Colleagues,

    It is hard to believe 2020 has finally come and gone as there were moments where it seemed it would never end. What an unprecedented year (to say the least) for our modern society. Like myself, I am sure most of you suffered some unexpected challenges. I hope yours were not too severe, that you also found a few silver linings and that you enjoyed the best of recent holidays with your loved ones. That was the case for my own family and (CS)²AI. During the recent holiday period as we discussed what we are thankful for, we discovered that, even this past year with some disappointments and loss, we still have much to be grateful for.

    There were more than a few things that (CS)²AI could celebrate at the end of 2020. One is our committed and growing group of strategic alliance partners and the other is our members’ growing direct involvement in support of our workforce development goals. What started as just a single meetup meeting in Atlanta over five years ago has morphed into the fastest growing control systems cyber security, workforce development/support group in the world. Without more members helping members each quarter we simply could not be doing what we are now! We welcome more feedback, ideas and additions to the global committee teams. Just click here and register your interests or send us an email at Input@cs2ai.org

    It is a certain silver lining for (CS)²AI that we were already serving members virtually as most of our 19,000 associate members are distributed all around the globe. With some newfound time on our hands, we just dug in to membership requests and simply did more. This was met with so much involvement and positive feedback that we are committed to a much higher operational tempo from here on. Our membership and partner support are now increasing every quarter and our corresponding abilities and outreach are increasing as well.

    I’d like to share a quick summary of some of the (CS)²AI 2020 highlights.

    • We now have more than 19,000 associate members. We are still adding nearly 1000 associate members a quarter and many of you are choosing to support the organization directly by upgrading to our paid Global Membership level. We will honor that commitment by steadily adding more program and member benefits this year.
    • We are now regularly adding to our list of member benefits. Benefits include access to our entire recordings library of past sessions and symposiums as well as discounts to a growing list of industry products or services. If you have a member benefit you would like to extend to our Global Members, please let me know. Our current list of benefits can be found here.
    • We have expanded our online events in frequency and scope, and our members have responded in ever greater numbers. This includes our first ever Symposium, a half-day of content with a stellar group of leaders in health care cyber security. It was a solid success and established a significant new registration/attendance/attentive level for our organization. As a result, we will hold more Symposiums in 2021. We already have five new monthly (CS)²AI Seminar educational events published for the first quarter of 2021. If you or your company has great continuing education content to share with the membership please contact us at CE@CS2AI.org
    • This year we added a long-desired (CS)²AI Job Board. The job board serves both our members seeking new opportunities and as a platform for companies looking to hire out of a specific talent pool. Let us know what we can do to improve this tool for you.
    • We published the first annual (CS)²AI - KPMG Control System Cyber Security Report, a product of our ongoing – and growing – research efforts, which have been strengthened by an increasing number of external SMEs. The report can be downloaded for free and is getting excellent feedback. Work has begun on the 2021 edition. We could not have achieved this goal without the support of our title partner, KPMG, and key support from Airbus Cyber, Fortinet, and Palo Alto Networks. We have begun the project to develop the 2021 report and the steering committee is forming as we speak. It is our goal to complete a critical review of the entire 2020 survey question bank before the end of January and launch the 2021 survey shortly thereafter.

    During our early years it was sometimes a bit of a hard sales job to get companies to believe in the (CS)²AI vision and I am truly grateful to our first three SAP pioneers, KPMG, Waterfall Security, and Sable Lion Cyber for signing on in our early days and continuing to support us today. They were, of course, shortly followed by others, and today the landscape of our supporters is much broader and increasingly diverse. I cannot thank all of our Strategic Alliance Partners enough. Without you we could not do what we do. We are happy to report that over 90% of our SAPs have renewed or are currently renewing. I am excited to make a difference together and encourage you to thank people you know at these companies for their commitment to workforce development in our industry. Their commitment to the goals and missions of this not for profit go beyond simple marketing ROI. These companies know that when they support (CS)²AI they are directly supporting the most important aspect of our current cyber security challenge: the human beings!

    Our newsletter is only in its second year and we have already increased our publication from quarterly to monthly. Along with rapidly increasing circulation we’ve established a solid stream of original articles complementing for the present - and soon to entirely displace - our reprinted content. This is now integrated with our ongoing research projects, including our monthly survey activity. Each month Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the Department of Defense and (CS)²AI Fellow, submits roughly 8 – 10 articles he believes to be important for our members to read. Those get posted on our blog site as News You Can Use and are published as well in our newsletters. If you want to join the (CS)²AI Editorial Board and contribute to this effort, please email us at Input@cs2ai.org

    Copy and Paste Links
    • Get Involved: https://www.cs2ai.org/get-involved
    • (CS)²AI Member Benefits: https://www.cs2ai.org/member-benefits
    • (CS)²AI Online™ direct link: https://www.cs2ai.org/cs2ai-online
    • Job Board direct link: https://www.cs2ai.org/jobs
    • 2020 Annual Report: https://www.cs2ai.org/reports
    • Strategic Alliance Partners: https://www.cs2ai.org/our-strategic-alliance-partners
    • News You Can Use: https://www.cs2ai.org/newsyoucanuse

  • Voluntary, Risk-based Standards Help Facility Owners and Operators Better Manage Cybersecurity Risks

    Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
    Original Source: https://facilitycyber.labworks.org/assessments

    Facility Cybersecurity Framework (FCF) provides a set of voluntary, risk-based standards and best practices to help facility owners and operators better manage cybersecurity risks. For facility stakeholders, FCF provides a common taxonomy and mechanism to enable you to:
    • Describe your current posture
    • Describe your current target state
    • Identify and prioritize improvement opportunities
    • Assess your progress

  • ASSESSMENT FINDINGS: EXTERNAL THREATS AND INTERNAL SELF-INFLICTED WOUNDS

    By Fred Gordy, Director of Cybersecurity at Intelligent Buildings, LLC, (CS)²AI Fellow
    December, 2020

    Threats to building control systems (BCS’s) have grown exponentially in the past two years. More importantly, the attacks on BCS’s have grown at an even higher rate. How can that be? Easy—There have always been threats to control systems. However, successful attacks are becoming more frequent, growing in intensity, and wreaking more havoc. In 2019, there was a 400% increase in attacks and 2020 is shaping up to be a 600% increase (1).

    Attacks are not the only thing causing disruption of service to BCS’s. Information technology (IT) is becoming more involved in securing control systems and their networks. This is a good thing; however, IT software, processes, and procedures are also causing interruptions in operations and damage. These systems and their devices require a different approach. The National Institute of Standards and Technology (NIST) realized that control systems cannot be managed like IT systems. The NIST report IR 8228 (2) summarizes three key statements:
    • Many Internet of Things (IoT) devices interact with the physical world in ways conventional IT devices usually do not.
    • Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
    • The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.

    Over the past few years, Intelligent Buildings, LLC (IB) has completed cybersecurity risk assessments across the U.S., Canada, and overseas. The results of these assessments showcase that attacks and self-inflicted wounds are typically caused by well-meaning facility personnel not following basic best practices. The most common attack is ransomware. Ransomware is malicious software that locks all the files on a PC or server until either a ransom is paid, or the PC or server is wiped clean and reloaded. The delivery of ransomware is typically through email, but it can come from social media sites. Ransomware makes up 80% of the attacks on control systems (1). In all the cases IB has seen, ransomware was 100% avoidable. Historically, the BCS is located in the engineer’s office and is used like a workstation. Facility management (FM) staff tend to use it to check their company and personal email and to look at social media, all of which have been the ransomware delivery mechanism. Had operational technology (OT) policies been in place and enforced, these attacks could have been avoided.

    BASIC OT POLICY AND PROCEDURE

    Policies are important because they address issues, which reduces risk to the control systems. Procedures are the steps necessary to follow the policy guidelines. Policy and procedure are often missing from the building control space when it comes to OT cybersecurity. Ransomware can be avoided if policy is implemented that outlines the proper use and physical security of the application server/front-end server and compliance is enforced. Some basic policies that should be implemented are shown below:

    Some of these policies are not what you would find in a typical IT policy library. This list is not a full list of OT policies, but by enacting just these few, an organization can reduce risk to the building systems that supply comfort and safety and reduce financial and brand damage impact.

    CONSEQUENCES OF NOT HAVING AN OT POLICY AND PROCEDURE

    MISUSE OF THE APPLICATION HOST

    As stated earlier, using the application host as a personal PC/workstation puts it at high risk, especially for a ransomware attack. Ransomware is continually evolving and the consequences to an organization are ballooning. In recent history, two types of ransomware have emerged that can cause major reputation and financial damage, as well as negatively impact operations: 1) Nuclear and 2) Snake (Ekans).

    Nuclear ransomware has elevated ransomware to a lose-lose situation. Prior to nuclear ransomware, your choices were either to pay the ransom (not recommended) and get your files unlocked, or—if you had a good backup—ignore it and wipe your system clean, starting with a fresh copy. With this latest iteration, you can still pay the ransom; however, if you have good backups and refuse to pay, the threat actors will release your sensitive, private data to the web. This happened to Visser Precision, a third-party vendor for Tesla, SpaceX, Lockheed Martin, and Boeing—all of whom had non-disclosure agreements with Visser (3).

    The other ransomware type is Snake ransomware, also known as Ekans (snake spelled backward). Unlike typical ransomware that targets Windows and Linux operating systems, Snake targets industrial control systems (ICS’s). What makes it really nasty is its ability to climb outside of one system and spread throughout the network, infecting other devices (4)(5).

    As nasty as these variations of ransomware are, the fix/prevention is easy. Remove the application host from the engineer’s office, place it in a locked location, and remove the keyboard, mouse, and monitor. Just like with IT application servers, no one should ever physically touch the machine unless they are performing maintenance or repair. You wouldn’t check your email on a SharePoint server, so why would you do it on a machine that is running your building?

    PUBLIC EXPOSURE

    It is easy to find exposed systems and no special tools are required. There are several free device search engines that anyone can use to search for publicly exposed systems. What does exposed mean? It means that the control system can be accessed by anyone, anywhere in the world. The only thing that stands between the attacker and access to the system is the application’s credential management. What makes this even more risky is the fact that the majority of BCS’s are not configured to withstand password cracking tools and shared user accounts are rampant. There is typically no access monitoring to indicate if the system is being attacked. Additionally, there is a large number of systems that are running outdated/unsupported operating systems and applications with well documented vulnerabilities that the threat actor can exploit. These search engines continually scour the Internet 24/7/365. A simple search at the time of this article revealed that there are 37,622 exposed BCS’s. Don’t assume none of these are yours. In over 60% of the assessments, IB was told that there was nothing exposed; however, in every case, we found at least one system or one part of the system that was exposed.

    What is the consequence? Wasted time and money? In the past 18 months across eight IB-led assessments, there have been approximately 18,816 manhours lost for an approximate total of $1,505,280 for an average cost of $188,160 per incident. This does not include self-inflicted wounds, which will be discussed in the next section.

    To drive this point home, IB performed an assessment for a company that believed they had zero exposed devices. They had invested significant time and money on revamping their network architecture—IT was monitoring the networks using the tools they were accustomed to and would not believe they had any holes. Although IT was monitoring the switches, PC, and servers, they were not watching beyond these devices. Once we began hunting using the same free search tools that anyone could use, we found a single BACnet broadcast management device (BBMD), which is essentially a router. From this, IB discovered over 1,000 BACnet devices in locations throughout the U.S. No username and password is required for legacy BACnet. From here, we would have been able to fully control any or all of the devices. This is a good example of how IT cannot fully manage OT with the tools at their disposal.

    SELF-INFLICTED WOUNDS

    IT is beginning to engage in securing OT systems, which can be a good thing or a bad thing. IT and OT have to become partners in protecting systems, but only after OT policy is developed and IT has been educated on the dos and don’ts when interacting with OT systems. We have seen numerous examples of IT’s zealous attempts to manage control systems, such as:
    • Patching the front-end application caused the local staff at 50 hospitals to be locked out of their control systems. Surgeries had to be cancelled for two days at these 50 hospitals.
    • An employee was fired and IT began removing their user from the central application server. This user was also the user that allowed communication and control between the application server and the supervisory control at numerous locations throughout the U.S. Communication and control was lost to over 100 locations before it was realized there was a problem. It took over six weeks to fully recover.
    • IT scanned the OT networks in a location with thousands of controllers. Over 60% of the controllers were locked up and required each individual device to be power cycled in order to bring them back online. After they were back online, each had to be checked to ensure functionality was fully restored. Over 96,000 manhours were lost.

    What is the consequence? Wasted time and money. In the past 18 months over 10 IT-induced events, there have been approximately 107,924 manhours lost for an approximate total of $8,633,920 for an average cost of $863,392 per incident. This does not include external attacks from threat actors.

    VENDORS ARE IN CONTROL

    Without policy, there are only verbal understandings. It’s great to have an understanding; however, these understandings have to be backed up with written guidelines. We see time and again that the vendor is the primary knowledge keeper, user administrator, controller of remote access, controls data, and may or may not be backing up systems. Even if they are backing up systems, these backups are not usually readily accessible to onsite staff. The other risk a vendor usually introduces is a single admin user in your system for all of their employees at every location they service, which hasn’t been changed in years. This means any of their employees, past or present, can get into your system anytime they choose without your knowledge.

    Some very basic policies you can enact now for vendor management are:
    • Vendor training for staff to increase understanding regarding vendors and the abilities of systems. This will allow your staff to self-perform for better response to system events.
    • Remote vendor access controlled by owner and not vendor.
    • Unique users for each vendor employee.
    • Vendor must provide a list of employees that need access to the system and no longer leave it open for any employee to access your system.
    • Vendor must notify immediately when an employee either no longer needs access to your system or is no longer employed by the vendor.
    • If the vendor is contracted to maintain backups, the vendor must provide you a copy of backups to be stored under your control.
    • Create a vendor separation agreement to establish such things as turning over data, intellectual property, etc.

    By no means should this be considered a full list of policies. It will get you started and help you minimize risk.

    NO LONGER A POSSIBILITY, IT IS REALITY

    In 2010, Stuxnet (6) was the first major attack on a control system. It was an attack on an Iranian nuclear facility (7). Most people didn’t see this as the beginning of attacks on control systems, regardless of their function. They believed that these types of attacks would only happen to large industrial systems and not to BCS’s. This opened a new attack vector for other threat actors to take advantage of, showcasing that control systems are vulnerable and easy to exploit in several different ways. The industry is seeing an increase in these types of attacks, occurring at an exponential rate, with no sign of slowing.

    If you haven’t taken a serious, unbiased look at your OT risk profile, you should. You can start by seeing if you have exposure to the world, if your application server is being used for anything other than its designed function(s), and who is in control of your system. Are you in control or is your vendor? The policies listed earlier can help you take control of your system(s), preventing external threats and internal self-inflicted wounds.
