
  • Senate Democrat raises concerns around Universal Health Services breach

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://thehill.com/policy/cybersecurity/520410-senate-democrat-raises-concerns-around-united-health-services-breach By MAGGIE MILLER 10/09/20 Sen. Mark Warner (D-Va.) on Friday raised concerns around a recent cyberattack on hospital chain Universal Health Services (UHS) that resulted in the data of millions of customers potentially being compromised. In a letter to UHS Chairman and CEO Alan Miller, Warner, who serves as vice chairman of the Senate Intelligence Committee, asked a series of questions in relation to a ransomware attack on UHS last month that crashed systems at hospital facilities across the nation. UHS has more than 400 facilities in the U.S. and United Kingdom, with more than 90,000 employees, and it has previously stressed that there is no evidence any data was stolen or accessed. NBC News reported last week that the incident had the potential to be one of the largest cyberattacks on the medical sector in U.S. history. “I write you with grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack,” Warner wrote to Miller. 
“As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity.” Warner noted that “while initial reports suggest that the attackers did not access patient or employee data, an incident such as this sharply highlights the need to ensure adequate cybersecurity hygiene in a healthcare setting.” The cyberattack took place in the midst of the COVID-19 pandemic, which has placed huge stress on health care groups around the world, with Warner noting that the attack on UHS “only exacerbates the consequences of insufficient cybersecurity.” Warner asked Miller and UHS to respond to a series of questions around the attack within two weeks, including asking him to detail the company’s cybersecurity and risk management protocols and whether UHS has paid the ransom to the hackers. “Patients deserve to know that healthcare systems are secure, particularly as the nation faces a pandemic straining resources nationwide,” Warner wrote. “When a cybersecurity failure occurs, patients need reassurance that their healthcare provider is committed to learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again.” UHS did not respond to The Hill’s request for comment on the letter. The health care company put out a statement last month acknowledging the attack and emphasizing that as of Sept. 29, the company had “no evidence that patient or employee data was accessed, copied or misused.” “The Company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible,” UHS said. 
“In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods,” it added. “Patient care continues to be delivered safely and effectively.” Cyber criminals and nation state hackers have increasingly zeroed in on the health care sector during the COVID-19 pandemic, with ransomware attacks, which involve a hacker accessing and encrypting a system and demanding payment to reinstate access, becoming a major concern.

  • The DoD Cybersecurity Policy Chart

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.csiac.org/resources/the-dod-cybersecurity-policy-chart/ By Cyber Security and Information Systems Information Analysis Center (CSIAC) 10/13/20 The Cyber Security and Information Systems Information Analysis Center (CSIAC), which is sponsored by the Defense Technical Information Center (DTIC), updated the DoD Cybersecurity Policy Chart on Oct 9, 2020. The specific changes in this new version are listed below. Other resources are available at www.csiac.org

    #. Document Name: Change/Justification
    1. Title 14, U.S. Code, Cooperation with Other Agencies: Replaced with new hyperlink
    2. NIST Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations: Long awaited and very important update, published September 2020, supersedes Rev. 4
    3. CNSSD 507: National Directive for Identity, Credential, and Access Mgmt. Capabilities on the U.S. Federal Secret Fabric: Provides a minimum set of requirements for Identity, Credential, and Access Management (ICAM) implementation and management that applies to the Federal Secret Fabric. Updated July 7, 2020.
    4. DoD Directive 8140.01, Cyberspace Workforce Management: Published October 5, 2020, superseding the earlier version dated August 11, 2015
    5. DoD Instruction 8531.01, DoD Vulnerability Management: Released on September 15, 2020
    6. DoD Data Strategy: The DoD Data Strategy supports the National Defense Strategy and Digital Modernization, published October 9, 2020
    7. DTM 17-007, Ch. 3, Defense Support to Cyber Incident Response: Change 3 issued May 29, 2020

  • The More Situational Awareness for Industrial Control Systems (MOSAICS): Virtual Industry Days

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: http://rdp21.org/mosaics-industry-day/ By MOSAICS 10/13/20 November 4 & 5 The More Situational Awareness for Industrial Control Systems (MOSAICS) Joint Capability Technology Demonstration (JCTD) will conduct Industry Days on 4 and 5 November 2020. The event will be virtual on MS Teams. The agenda for the two-day event has 22 vendors briefing as well as DoD and Services cyber leaders briefing to stimulate discussions. The purpose of the Industry Day is to share with industry/vendors the MOSAICS cyber defense capability for Industrial Control Systems (ICS). The MOSAICS capability, based on the Integrated Adaptive Cyber Defense (IACD) standards developed by the National Security Agency (NSA), provides for solutions based on open system standards. Sharing this information will enable industry to develop IACD-based solutions/capabilities that DoD can then acquire competitively.

  • Hack The Building: A US Cyber Command Inspired Event November 16-19, 2020

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.hackthebuilding.tech/ By MISI 10/19/20 There are an estimated 2.5 million unique ICS systems that are used in over 300,000 buildings and over 250,000 linear structures. This Maryland Innovation & Security Institute and DreamPort event is inspired by a DoD request for an offensive and defensive exercise that demonstrates the impact of IT, IoT and OT cyber attacks against critical building automation and mission operations. The event will feature an entire 150,000 SQFT 2 story office building, acres of free parking & space for social distancing. Offensive & defensive OT, IT and IoT technology staged in support of critical functions throughout the facility. Multiple diesel generators, IP cameras, access control, business systems, WiFi and onsite factory operations.

    Event Dates & Schedule: November 16 – 19
    - November 16: Offense
    - November 17: 2nd day of Offensive exercise, ends at 3:00pm
    - November 17: Building Automation and Control Systems Cybersecurity Virtual Conference and Pitch competition
    - November 18: Offense versus Defense
    - November 19: Offense versus Defense

  • HACK THE BUILDING'S Control Systems Cyber Conference NOVEMBER 17, 2020

    Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow Original Source: https://www.hackthebuilding.tech/control-systems-cyber-conference/ By MISI 10/19/20 At the November 17 conference businesses will present their solutions for addressing critical infrastructure cyber challenges. Hack the Building is a cyber exercise and technology showcase that includes a conglomerate of offensive and defensive teams from across the military, government, academia and industry. For the conference event, there will be presentations on a broad range of ICS/SCADA topics including security of SCADA systems, building automation systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices. Presentations on cyber standards that address building automation and facilities cyber as critical infrastructure are important to our audience, to include ideas on how facilities architecture and construction, including manufacturing facilities, can be designed with cybersecurity in mind and not as an afterthought. Buildings are critical infrastructure. Assessing vulnerabilities in crucial government and commercial facilities is labor intensive and often filled with gaps due to the expansive nature of some facilities and the myriad of IoT and control systems technologies that are involved in the building’s management and safety and security. Reducing the labor involved in conducting assessments while yet increasing the visibility of assets and their configurations continues to be a challenge. In addition, there remains a mostly legitimate fear, and a challenge encountered, that some of the facility related control cyber systems (FRCS) cannot be scanned for known vulnerabilities because the FRCS cannot support the scanning, as it would lead to the FRCS malfunctioning and result in an impact to the facility that could also introduce a safety risk.
IoT Cybersecurity threats are increasing – many of the technologies available today cannot detect or defend against vulnerabilities and attacks that leverage the lack of IoT cyber defenses. A typical facility has its installed base of IoT, but the tenants in a facility also install and operate IoT devices that could pose a threat to the facility and its tenants. Detecting and defending against malicious AI based cyber attacks. While AI has many positive capabilities and continues to evolve, there is a trend line developing that indicates AI cyber based attacks could be devastating and there is little in the way of tools. Counterfeit technology continues to be an active threat to US critical infrastructure; detecting vulnerabilities in devices and verifying their true origin could provide some degree of fidelity to facilities infrastructure. A methodology or solution that provides best practices and solutions for ensuring that as a building’s critical systems are being selected and prior to installation as part of the design and construction process, could reduce vulnerabilities facilities cyber threats.

  • The Chairman's Minute: Tackling Our Industry-wide Workforce Development Problem

    By Derek Harp, (CS)²AI Founder, Chairman and Fellow October, 2020 Dear Colleagues, Control systems have become vital to ensure that our daily lives run smoothly, not only the obvious industrial applications like supplying power, fuel, or manufacturing products, but also running healthcare, transportation, building control, and logistics technologies. Essentially, more of our modern world is being automated and connected than ever and some projections indicate we could see more than 64 billion IoT devices worldwide by 2025*. At the same time, it is well known in the cybersecurity field that we have a longstanding workforce problem. In the research for our upcoming 2020 Annual Report, 58% of respondents cited insufficient security expertise as the greatest obstacle to resolving control system cyber security vulnerabilities. For many people not directly involved in this area the concern may be unknown, at best a distant concern unrelated to our common future; a future of critical reliance and vulnerability and not enough trained and knowledgeable people to keep up with attackers. It’s already whack-a-mole and with a steadily increasing “AS:QW” Ratio (attack-surface to qualified-worker) it is easy to see things going from challenging to worse. The exposure list is long and stakes are growing higher. Safeguarding operational assets from persistent threats while also moving our core business functions forward (maximizing efficiency, real time intelligence, system uptime, etc) is no small task. So, can we do anything about it? (CS)²AI members say yes. Undoubtedly some of the solution will come in the form of emerging or yet to be built technology as we currently rely on too many humans in the middle. However, in all scenarios we can and MUST do more to recruit, train, equip, and support the cyber workforce of tomorrow. We all must invest more in: Education (formal, degree programs, informal, continuing ed.) 
Measurement (knowledge and practical) Training (OJT, hands-on, in the field, Lab) Network strengthening (with real information, data, and knowledge sharing) Better job placement (efficiency, reach and transparency of qualified candidates) Certainly, education and training come in many forms, from activities like the (CS)²AI Online™ sessions we run multiple times a month to formal classroom or hands on lab training offered in the marketplace. It is clear we need more training that is appropriate for diverse roles, easily accessible, affordable and reinforced with real world applications. For our contribution, (CS)²AI will continue to expand our own educational opportunities and remain committed to a role of providing access to the wisdom of the few for the benefit of the many. We also see one of the roles of our association is to arrange relevant industry benefits on behalf of our Global Members and today I am proud to announce a new education & training discount partnership with The Mission Critical Institute. Finding the right person in the proverbial haystack is not easy. I am frequently contacted to help with searches and some of them had lasted far too long trying to fill the position. It's also common to see inadequacy of talent (or poor corporate HR policy on salary bands) lead to filling a position with the wrong person. In our space the unicorns that truly understand IT, cybersecurity broadly AND the intricacies of control systems are rarer, more expensive and often hard to identify. (CS)²AI wants to help with that and today, I am proud to announce that the new (CS)²AI Job Board (Version 1.0) is now live with more than 40 jobs now listed. All members of the community at large can see the listings and our Global Members are able to apply directly for jobs from the member portal. Helping directly address the workforce problem is THE reason why we founded (CS)²AI.
Our mission to provide the platform for members to help members, foster meaningful peer-to-peer exchange, continue professional education and directly support cyber security professional development is something we can do together to make a dent in this problem. There is a great quote that sums up what we can do here together: “The whole is greater than the sum of its parts” -Aristotle In the end (CS)²AI is only as effective as its members-helping-members efforts are. When you join the (CS)²AI community as a global member, partner, contributor, committee member, (CS)²AI Fellow or research participant YOU impact the community personally. I am especially grateful for our Strategic Alliance Partners for their vision in our early years. In our case their support of our not for profit association has not been solely for business development purposes but these companies also are planting a stake in the ground that addressing the workforce challenge is important. By pooling and coordinating time and resources we can increase the magnitude of the impact. If you have not already added your voice to our discussion, I invite you to Join Today. If you would like to do more you can also review multiple ways to Get Involved on our global website. Regards, Derek Founder & Chairman *https://techjury.net/stats-about/internet-of-things-statistics/ ***Copy and Paste Links**** https://www.cs2ai.org/cs2ai-online https://www.cs2ai.org/member-benefits https://www.cs2ai.org/jobs https://www.cs2ai.org/memberbenefit-mission-critical https://www.cs2ai.org/get-involved https://www.cs2ai.org/plans-pricing

  • The Time Has Come to Automate Supply Chain Security

    By Chris Blask, Global Director Industrial and IoT Security at Unisys, (CS)²AI Fellow October, 2020 Maintaining visibility into the inventory of assets, supplies, and products entering and leaving industrial operations has been a key to reliable operations since the dawn of infrastructure. The proliferation of digital devices combined with the advantages of adaptive supply chains has put a sharp point on the need to evolve this practice significantly. Initiatives across public and private sectors over the past decade have laid the groundwork for the automation of high-surety attestation sharing among supply chain partners, with early adopters leveraging these systems to gain competitive advantages today. Tracking any item in a supply chain comes down to three simple questions:
    - What is being written?
    - Where is it being written?
    - Who gets to read it?
    With digital assets being used throughout industrial systems at increasing rates, and these assets becoming increasingly complex and capable, the traditional manual methods of tracking have been overwhelmed by volume and speed. Individual supply chain operators have evolved bespoke solutions to the challenges presented, but these do not translate upstream to their suppliers or downstream to their customers. Critical issues such as locating and remediating flawed software, hardware, or materials are still handled with the manual effort of individuals searching documents and exchanging emails. Due to a variety of related efforts over the past ten years, answers to these three supply chain questions have been developed that together form a functional system of attestation, sharing, and policy that is today being used by supply chain partners. Industrial operators and the subject matter experts they work with should begin integrating these structures into operational planning and execution of public and private systems.
“What is being written?” - The necessity for reliable provenance for software has led to common taxonomies to describe sources and components. The Linux Foundation Software Package Data Exchange (SPDX) program has developed mature common taxonomies for open source software, which are being used in the US Department of Commerce Software Bill of Materials (SBOM) initiative alongside taxonomies from MITRE and ISO. There is workable agreement on What is to be written down to share attestations. “Who gets to read it?” - The necessity to ensure compliance with GDPR data privacy laws has led Bosch and partners to develop a policy framework for the handling of sensitive data produced and consumed by IoT devices. The Digital Trust Forum (DTF) provides a policy framework that is being applied to the creation and management of supply chain data shared in public and private channels, to answer the question of Who gets to read What. “Where is it being written?” - The Digital Bill of Materials (DBoM) Consortium is a Linux Foundation project that provides the backbone for attestation sharing among supply chain partners, created by Unisys in partnership with the aforementioned entities and other supply chain operators. Open source DBoM Node software will be available through the project in Q4 2020 to enable any organization to create or participate in attestation-sharing channels with supply chain partners. This common backbone answers the question of Where attestations can be shared. The DBoM Consortium will maintain processes to select common taxonomies so partners know What they are sharing, and common policy structures that ensure only those Who are authorized can access them. The economic drivers of Industry 4.0 and IIoT mandate the adoption of increasingly complex operational systems. To remain competitive industrial operators must reduce the effort needed to track an increasing quantity of assets, while increasing their ability to identify and remediate risks. 
If you have a duty to protect critical infrastructures, the time has come to automate the supply chains you rely on.

  • Cybersecurity Companies Expose Sensitive Data Online

    Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD Original Source: https://www.infosecurity-magazine.com/news/cybersecurity-firms-expose/ By Phil Muncaster 9/8/20 Nearly all cybersecurity companies have exposed sensitive data including PII and passwords online, according to a new study from ImmuniWeb. The security vendor selected 398 of the world’s top security vendors and then scoured surface, dark and deep web sites including hacking forums and marketplaces, WhatsApp groups, public code repositories, social networks and paste websites. It claimed to have discovered verified sensitive data over 631,000 times, with 17% of these “incidents” estimated to have critical risk. This means they included logins with plaintext passwords, or data leaks such as PII and financial records that are recent and/or unique. In total, the research revealed PII and corporate data accounted for half (50%) of all incidents, with credentials taking 30% and backups and dumps 15%. Also concerning is the fact that 29% of the discovered passwords were “weak” — i.e. they featured less than eight characters, with no uppercase, no numbers and no special characters. In 41% of companies studied, employees were found to have reused passwords on different breached systems, further exposing their organization to breach risks.

  • CISA Director Lists Nation-State Actors, Cybercriminals, Disinformation as Top COVID Attack Vectors

    Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD Original Source: https://www.meritalk.com/articles/cisa-director-lists-nation-state-actors-cybercriminals-disinformation-as-top-covid-attack-vectors/ By Katie Malone 9/8/20 Assessing the current threat landscape six months into the COVID-19 pandemic, Director of the Cybersecurity and Infrastructure Security Agency Christopher Krebs listed nation-state spies, cybercriminals committing fraud, and the spread of disinformation as top cyberattack vectors. “The intelligence services are doing what they always do. Spies are being spies,” Krebs said at the Billington Cybersecurity Summit today. “They’re looking to collect information on what’s really going on in the country, what’s the status of the vaccine development, what’s the economic health of the country, what are the policies that are shifting.” Krebs raised concerns with China and Russia-based actors as leaders of spy activities.

  • Cyber-Risks Explode With Move to Telehealth Services

    Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD Original Source: https://www.darkreading.com/attacks-breaches/cyber-risks-explode-with-move-to-telehealth-services/d/d-id/1338890?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple By Jai Vijayan 9/10/20 The hasty shift to online delivery of primary care services since the COVID-19 outbreak has attracted significant attacker interest.  The mass adoption of telehealth applications and services in the months since the COVID-19 outbreak began has introduced new cyber-risks within the healthcare industry. New research by SecurityScorecard and Dark Owl found that the rapid onboarding of technologies for enabling the delivery of health services online has significantly broadened the attack surface at many healthcare organizations, putting both patient and provider data at risk. SecurityScorecard and DarkOwl analyzed data related to the use of telehealth products from 148 vendors by healthcare providers around the country. Prior to the pandemic, the use of such products hovered at less than 1% of the overall visits to healthcare providers by people seeking access to primary healthcare services. The public health emergency prompted by the pandemic resulted in primary care visits dropping precipitously after mid-March, while the use of telehealth apps soared 350%, SecurityScorecard said, referring to a report from the US Department of Health and Human Services. The speed at which the transition to online health-services delivery happened left little time for healthcare providers to properly vet telehealth products for security issues or to ensure their safe use, says Alex Heid, chief R&D officer at SecurityScorecard. 
"We examined the 148 most popular telehealth apps from a number of angles, and there are concerns across the board, from the development, deployment, and configuration of the applications themselves, as well as the digital supply chain that supports them," Heid says. To assess the increased risk from telehealth apps, SecurityScorecard and Dark Owl examined the increase in security alerts sent by users of these apps to IT staff at their respective organizations. The two companies compared data from September 2019 to February 2020 and from March 2020 to April 2020. For the study, they looked at a variety of alerts, including those related to IP reputation, patching cadence, endpoint security, DNS health, application and network security, and leaked credentials. For example, for patching cadence, analysts from SecurityScorecard and Dark Owl looked at the number of alerts that were sent to IT staff involving irregularly installed or missing patches. The analysis uncovered a 117% increase in IP reputation alerts, a 65% increase in issues involving patches, and a 56% increase in endpoint alerts. The study revealed similar increases across every other single risk vector. Application security alerts, for instance, increased 16%. FTP issues jumped by 42%, and alerts related to the frequently abused Remote Desktop Protocol (RDP) went up by 27%. SecurityScorecard and Dark Owl also observed a sharp increase in chatter pertaining to telehealth apps and credentials on Dark Web markets and hacker forums. For example, mentions of names of telehealth vendors and products such as Teladoc, CareClix, and MeMD jumped noticeably after the pandemic began. They also noticed malicious code being shared in March via criminal forums that would allow attackers to collect patient identity and prescription information for telehealth systems. According to the researchers, the malware is likely being used presently to harvest patient data.
In another instance, they discovered a hacker providing specifics on how to compromise a medical imaging system so X-rays and other medical images could be downloaded, altered, or sold. "Healthcare organizations need to fully and completely vet the telehealth vendors they integrate with their systems," Heid says. "As with any third-party vendor, their security risks become your security risks." The new cyber-risks within the healthcare sector since the COVID-19 outbreak started are by no means unique. Security vendors have reported similarly heightened risks across almost every other sector. Attackers trying to take advantage of the sudden shift to remote work have been hammering away at weaknesses in home networks and devices, videoconferencing and remote collaboration tools, virtual private networks, and other network equipment. Government organizations, educational institutions, and healthcare organizations have proved to be especially popular targets for ransomware, distributed denial-of-service attacks, and account takeovers. "We were surprised to find that, prior to the pandemic, the healthcare industry had improved its overall cybersecurity posture since our report last year," Heid says. "However, the mass adoption of telehealth applications has introduced new digital surface areas, which in turn introduce new risks." Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

  • White House Issues New Cybersecurity Policy for Space Systems

    Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD Original Source: https://www.c4isrnet.com/battlefield-tech/space/2020/09/04/white-house-issues-new-cybersecurity-policy-for-space-systems/ By Nathan Strout 9/4/20 The National Space Council issued new cybersecurity principles to help defend America’s space systems Sept. 4. According to the White House, Space Policy Directive-5, or SPD-5, will foster practices within the government and commercial space operations to protect space systems from cyberthreats. “From communications to weather monitoring, Americans rely on capabilities provided by space systems in everyday life. President [Donald] Trump’s directive ensures the U.S. Government promotes practices to protect American space systems and capabilities from cyber vulnerabilities and malicious threats,” Deputy Assistant to the President and Executive Secretary of the National Space Council Scott Pace said in a statement. “Through establishing cybersecurity principles for space systems, Space Policy Directive-5 provides a whole-of-government framework to safeguard space assets and critical infrastructure.”

  • Spyware Labeled ‘TikTok Pro’ Exploits Fears of US Ban

    Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD Original Source: https://threatpost.com/spyware-labeled-tiktok-pro-exploits-fears-of-us-ban/159050/ By Elizabeth Montalbano 9/9/20 “Researchers have discovered a new Android spyware campaign pushing a “Pro” version of the TikTok app that is exploiting fears among its young and gullible users that the popular social media app is on the cusp of being banned in the United States. The malware can take over basic device functions—such as capturing photos, reading and sending SMS messages, making calls and launching apps—as well as uses a phishing tactic to steal victims’ Facebook credentials.” “The rogue app called TikTok Pro is being promoted by threat actors using a variant of a campaign already making the rounds, which urges users via SMS and WhatsApp messages to download the latest version of TikTok from a specific web address, said Zscaler senior security researcher Shivang Desai, in a report published 8 September.”
