Archive for Security

Canada’s Cyber Centre Contracts Grading Platform For Critical Infrastructure

Posted in Commentary with tags on January 13, 2024 by itnerd

Yesterday, The Canadian Centre for Cyber Security said it contracted SecurityScorecard and intends to use its rating platform to rank cyber threats for the country’s critical infrastructure.
 
Instantly, any critical infrastructure entity can be graded with a rating from “A” through “F” using continuously monitored threat intelligence data. The scoring platform’s intention is to help the Cyber Centre educate critical infrastructure organization operators on the risks they face and assist them in remediating and measuring cybersecurity risks.

“According to the World Economic Forum, critical infrastructure remains the prime target for threat actors. Our partnership with SecurityScorecard provides us with authoritative and trusted data on critical infrastructure and insight to manage such risks at scale. […] This will help the Cyber Centre ensure we can provide tailored support to critical infrastructure owner-operators vital to the security of Canada,” Cyber Centre head Sami Khoury said in a statement.

The partnership “serves as a model for other governments to collaborate with the private sector to achieve real-time visibility into the cyber threats facing critical infrastructure,” said Sachin Bansal, SecurityScorecard’s chief business officer.
 
The scoring platform is only for critical infrastructure operators and won’t be made public.

Troy Batterberry, CEO and Founder, EchoMark:

   “Cyber threats in today’s digital landscape are becoming increasingly sophisticated and pervasive. The importance of implementing cybersecurity measures cannot be overstated. The Canadian Cyber Centre’s decision to leverage SecurityScorecard’s tools is a testament to the growing need for dynamic and data-driven approaches in protecting critical national infrastructure.

   “This partnership between the Canadian Cyber Centre and SecurityScorecard exemplifies the type of collaboration and commitment to cybersecurity excellence that we strive for in our own operations. By prioritizing the identification and mitigation of cyber risks, we not only protect our own assets but also contribute to the broader security and resilience of the industries and communities we serve.”

David Ratner, CEO, HYAS Infosec:

   “The protection of critical infrastructure is, not ironically, increasingly critical as we see cyber intrusions cross the chasm from simple financial damage and harm to significant impact on human life. Having the ability to grade critical infrastructure is a great start and paves the way for programs that standardize not just cyber protection but real operational resiliency.  Only by shifting the conversation from one around pure prevention to one focused on resiliency and continuity of service will we be able to truly protect critical infrastructure and, in doing so, reduce the potential for impact on human life.”

While the Canadian citizen in me wishes that a Canadian company could have been found for this, I do applaud this move. One of the best ways we make ourselves safer is to work together to secure as much as possible. So if this move helps to achieve a positive outcome, I am all for this.

DOE Announces $70 Million To Combat Physical And Cyber Threats

Posted in Commentary with tags on January 11, 2024 by itnerd

The Department of Energy announced it is offering $70 million for research and development into technologies that would protect energy delivery infrastructure against physical and cyber-related threats as part of an emphasis on taking care of “the operational technology side of the house.”

The All-Hazards Energy Resilience funding opportunity will be managed by the DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER). The agency is specifically seeking OT-related proposals that address how one might implement a zero-trust architecture in an electrical or fuel environment.

“The entry vectors into the sector are many. There are IT pathways where you’re coming in the IT front door, traversing the network and getting into the OT network. There are other kinds of pathways to enter the infrastructure, all of which are being considered in this funding opportunity announcement, but also in the broader portfolio of research we run in our office,” a CESER senior official said.

Mark Cooper, President & Founder, PKI Solutions had this to say:

   “There is technology today, if implemented correctly, that would solve this problem such as tried and true Public Key Infrastructure (PKI).  The issue is that the problem is complex and many companies who implement these effective technologies do so without taking into consideration all the aspects of the technology or neglect to implement it fully or, worst of all, neglect to monitor it after it’s installed. Simply implementing any technology is not a one-and-done exercise.

   “OT environments that enable a resilient energy grid rely on foundational cryptography systems like PKI, but historically these systems have had challenges in monitoring threats and resilience. An investment like this by the DOE should help show the importance of real-time threat detection in OT environments.”

Companies need to get the message that there are technologies out there that make hacks a whole lot harder to pull off. Thus they should be investing in that technology before bad things happen to them.

FCC Proposes $200M Cyber Pilot-Program For K-12 And Libraries

Posted in Commentary with tags on January 2, 2024 by itnerd

In a post in the Federal Register, the FCC announced that it will seek comments on a proposed three-year Schools and Libraries Cybersecurity Pilot Program, including which schools and libraries should be considered eligible and how the program’s effectiveness can be measured.
 
The program would provide up to $200 million for K-12 schools and libraries in rural and low-income communities and would gather information on “cybersecurity and advanced firewall services” to protect schools and libraries against cyberattacks.
 
The agency said that participants would need to use free or low-cost cybersecurity resources, such as those provided by the Department of Homeland Security’s CISA and the Department of Education, to “make the most effective use of pilot program funding.”
 
The FCC also noted that it will continue to promote its E-Rate program, which provides schools and libraries discounts on internet service.

Mike Barker, CCO, HYAS Infosec:

   “Kudos to the FCC for taking this crucial step in securing our schools and investing in the future.  By emphasizing the use of free or low-cost resources coupled with continued support for the E-Rate program, this program aims to maximize impact and signals a holistic strategy to safeguard educational entities against cyber threats.”

This is a good move by the FCC. As we’ve seen, schools are often the prime target for cyberattacks. And the Toronto Public Library system is still crippled because of one. Anything that can be done should be done because, as it stands at present, both libraries and schools are low hanging fruit for threat actors.

Fast Company Report Says Critical Infrastructure At Risk To Hackers Because Default Passwords Are Still In Use…. WTF?

Posted in Commentary with tags on December 24, 2023 by itnerd

This report from Fast Company illustrates why you should change the default passwords for any hardware or software that you buy and use:

Providers of critical infrastructure in the United States are doing a sloppy job of defending against cyber intrusions, the National Security Council tells Fast Company, pointing to recent Iran-linked attacks on U.S. water utilities that exploited basic security lapses.

The security council tells Fast Company it’s also aware of recent intrusions by hackers linked to China’s military at American infrastructure entities that include water and energy utilities in multiple states. Neither the Iran-linked nor the China-linked attacks affected critical systems or caused disruptions, according to reports.

“We’re seeing companies and critical services facing increased cyber threats from malicious criminals and countries,” Anne Neuberger, the deputy national security advisor for cyber and emerging tech, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these recent hacks, but “clearly, by the most recent success of the criminal cyberattacks, more work needs to be done,” she says. 

And:

Some of the compromised devices had been connected to the open internet with a default password of “1111,” federal authorities say, making it easy for hackers to find them and gain access. Fixing that “doesn’t cost any money,” Neuberger says, “and those are the kinds of basic things that we really want companies urgently to do.”

Really? Maybe they should have used 1234 as the password. Or perhaps 5678 as that would be harder to guess. In all seriousness, this is just wrong on so many levels. There needs to be way more accountability on this front because this is completely unacceptable.
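The failure the report describes is a device that still carries its shipped password and is reachable from the internet. The following Python is an added example, not code from the Fast Company report or from this post, showing how an operator can sweep an inventory for exactly that combination: it compares each device’s password against a table of known vendor defaults, separately flags trivially guessable numeric PINs (single repeated digit or a consecutive run, which covers the “1111”, “1234” and “5678” of the text), and rates the finding critical when the device is internet-exposed. The vendor and model names, the default-password table and the inventory records are all constructed for illustration.

```python
"""
Default-credential audit over a device inventory.

Added example (not from the Fast Company report or the blog post). Flags
devices that still carry a vendor default or trivially guessable password,
and raises severity when the device is reachable from the internet, which
is the combination the report describes ("1111" on an internet-facing device).

All inventory records and the default-password table below are constructed
for illustration; the vendor and model names are hypothetical.
"""

from dataclasses import dataclass

# Constructed table of known default credentials, keyed by (vendor, model).
# In a real audit this would come from vendor documentation or a maintained
# default-credential list; the entries here are hypothetical.
KNOWN_DEFAULTS = {
    ("acme", "plc-100"): {"1111"},
    ("acme", "hmi-200"): {"admin", "1234"},
    ("vendorb", "rtu-7"): {"password", "vendorb"},
}


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    password: str
    internet_exposed: bool


def is_trivial_pin(password: str) -> bool:
    """True for a short all-digit password that is a single repeated digit
    or a consecutive run, ascending or descending: 1111, 1234, 5678, 4321.
    Anything non-numeric, or shorter than 3 / longer than 8 digits, is not
    classified here (it may still be weak; this check is deliberately narrow)."""
    if not password.isdigit() or len(password) < 3 or len(password) > 8:
        return False
    digits = [int(c) for c in password]
    # Set of differences between neighbouring digits: {0} repeated,
    # {1} ascending run, {-1} descending run.
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps <= {0} or steps <= {1} or steps <= {-1}


def audit(devices, defaults=KNOWN_DEFAULTS):
    """Return a list of findings as (device name, severity, reason).

    Severity:
      critical  default/trivial password AND reachable from the internet
      high      default/trivial password on an internal-only device
    Devices with no finding are omitted; order follows the inventory."""
    findings = []
    for d in devices:
        reasons = []
        vendor_defaults = defaults.get((d.vendor.lower(), d.model.lower()), set())
        if d.password in vendor_defaults:
            reasons.append("vendor default password")
        if is_trivial_pin(d.password):
            reasons.append("trivial numeric PIN")
        if not reasons:
            continue
        severity = "critical" if d.internet_exposed else "high"
        findings.append((d.name, severity, "; ".join(reasons)))
    return findings


# Constructed inventory: the first and last entries are the report's scenario
# (default or sequential PIN on an internet-facing controller).
INVENTORY = [
    Device("pump-station-3", "acme", "plc-100", "1111", True),
    Device("ops-hmi-1", "acme", "hmi-200", "1234", False),
    Device("substation-rtu", "vendorb", "rtu-7", "Kq7!v9#mL2pX", False),
    Device("valve-ctl-2", "acme", "plc-100", "5678", True),
]

if __name__ == "__main__":
    for name, severity, reason in audit(INVENTORY):
        print(f"{severity.upper():8} {name}: {reason}")
```

Run as-is it reports the two internet-exposed controllers as critical and the internal HMI as high; the RTU with a changed, non-numeric password produces no finding. The vendor-default lookup and the PIN heuristic are kept separate on purpose: a device can fail both (the “1111” PLC does), and a password that is not in any default list can still be trivially guessable.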

UK Infrastructure Unprepared For A Catastrophic Ransomware Attack

Posted in Commentary with tags on December 13, 2023 by itnerd

In a new report, A hostage to fortune: ransomware and UK national security, the UK Parliament’s Joint Committee on the National Security Strategy explains how the UK is at high risk of a “catastrophic” ransomware attack and that the government is not prepared to deal with the threat.
 
The Joint Committee on the National Security Strategy found that “large swathes” of UK critical national infrastructure are vulnerable to ransomware because they are operating on outdated IT systems, such as the NHS which largely operates on legacy infrastructure, putting it in a “particularly difficult position to protect itself from cyber-attacks.”
 
There is “next to no” state support for most ransomware victims, and often a poor understanding of cyber among police forces, largely due to minimal funding and difficulties recruiting cyber specialists, as private sector pay and career progression are more appealing.
 
The Joint Committee on the National Security Strategy set out many recommendations for the UK government to improve its ability to respond to a ransomware threat, covering responsibilities, funding and training.

David Ratner, CEO, HYAS Infosec had this to say:

   “Attacks on critical infrastructure have the potential to not just cause damage but actually impact human lives; as such, the protection of critical infrastructure should be paramount around the world.  Doing so requires not just updated IT systems and proper patching and processes, but a changed mindset of what protection really means — shifting from prevention to resiliency.  With constantly changing attacks, the only real effective strategy going forward is for critical infrastructure everywhere to adopt operational resiliency approaches to ensure continued operations.”

The UK really has to get a handle on this. Because now that this report is out there, someone is going to take a shot at pwning them. Assuming someone isn’t in the process of doing so already.

US Agencies Constrained By Failed Incident Response Requirements 

Posted in Commentary with tags on December 7, 2023 by itnerd

In a new report published by the Government Accountability Office (GAO), 20 US federal agencies have failed to meet the deadline to implement advanced level cyber event logging and incident response capabilities required by law.

According to a 2021 Executive Order, all US federal agencies needed to reach event logging tier three by August 2023. Currently, only 3 of the 23 agencies were at tier three, 3 agencies had reached the tier one level and 17 had not gone past the tier zero level.

“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained,” reads the GAO report.

After a recent investigation, the GAO found the critical challenges for agencies included:

  • The lack of staff
  • Event logging technical challenges
  • Limitations in cyber threat information sharing

Efforts to address these challenges include:

  • Onsite cyber incident response assistance from CISA
  • Event logging workshops and guidance
  • Enhancements to a cyber threat information-sharing platform
  • Implementation of the National Workforce and Education Strategy  
  • A new threat intelligence platform from CISA


Emily Phelps, Director, Cyware had this comment:
 
   “The GAO report findings are both concerning and indicative of broader challenges in the cybersecurity landscape, especially within the public sector. There is a critical gap in the government’s cybersecurity posture at a time when the threat landscape is increasingly complex and aggressive. These findings also underscore the urgent need for modernized cybersecurity measures and collaboration.

   “The proposed remedies are steps in the right direction, potentially enabling more real-time threat intelligence sharing and collaborative defense. To outpace adversaries, federal entities must have reliable intel sharing and security automation capabilities to defend against potential threats more effectively and efficiently.”

Hopefully someone within government is paying attention to this report as this is a pretty major alarm bell that is ringing.

US Gov HR Launches Rotational Cyber Workforce Program

Posted in Commentary with tags on December 7, 2023 by itnerd

As of Dec. 4th, federal government cybersecurity employees can apply for roles at other agencies via a new listing of open opportunities published by the Office of Personnel Management.

The new Federal Rotational Cyber Workforce Program, which stems from a 2022 law, aims to provide federal cybersecurity professionals with additional opportunities to learn how to defend networks from complicated and evolving threats benefitting agencies in the process.

Across 12 participating agencies, there are currently 53 postings representing 65 six-month to year-long rotations. Those interested will have to already be in a cyber-coded federal job, get approval from their home agency, and have the right level of security clearance.

According to Jason Barke, OPM’s deputy associate director for strategic workforce planning, agencies are excited and interest has exceeded expectations.

George McGregor, VP, Approov Mobile Security had this to say:

   “This is a creative way to offer a development opportunity to federal cybersecurity employees to allow them to enrich their skills. It also should improve retention in a highly competitive market.

   “Some programs must also focus on bringing in new talent of course, but this rotation scheme should help here too, offering an attractive path to achieving broad skills that private companies will struggle to match.”


Troy Batterberry, CEO and Founder, EchoMark follows with this:

   “Encouraging cross-pollination of individual and team skills is a wonderful technique I also utilized during my 30+ years at US Department of Defense, Sony, Microsoft, and now EchoMark. Leaders who selflessly lean in and actively participate in these “knowledge transfer” programs will see their overall organizational effectiveness and team morale grow. They will also see their professional network grow quickly as existing and potentially new team members see such leaders as acting on what is best for the team members and the broader community, and not just optimizing for themselves.”

This is an interesting strategy that I think will pay dividends in the long term as it will serve to be a great force multiplier in terms of having people available and able to defend against cyberattacks.

EU Adopts New Rules To Protect Devices Connected To The Internet

Posted in Commentary with tags on December 1, 2023 by itnerd

EU countries and EU lawmakers on Thursday agreed to rules to protect laptops, fridges, mobile apps and smart devices connected to the internet from cyber threats following a spate of such attacks and ransom demands in recent years around the world:

The European Commission, the European Union’s executive arm, proposed the new law last year in a bid to tackle the increasing risk from cyber threats to any smart devices, including a growing number of household goods as products become more connected.

The commission hopes the rules could save companies affected by such cyber incidents between 180 and 290 billion euros ($196-305 billion) every year.

The law will affect any product that is connected either directly or indirectly to another device or to a network.

The new rules introduce EU-wide cybersecurity requirements for the design, development and production of hardware and software products.

Manufacturers will also be forced to assess the cybersecurity risks of their products, and the rules demand greater transparency on the security of hardware and software products for consumers and business users.

Alongside CISA’s push for “secure by design” and the White House plan for security nutrition labels on consumer devices by December 2024, this is a significant moment in the security of network-embedded devices. Pia McSharry, Security Strategist at Beyond Identity, shared the following commentary:

   “Device health is of the utmost importance to an organization’s overall cybersecurity posture. Putting the onus back on the manufacturer to produce devices that are “secure by design” eases the responsibility on the end user. Between this move by the EU and CISA/White House push for consumer security labels on devices by December 2024, IoT manufacturers will have to change their current practices to meet these new requirements and change up software and production practices.

   “The importance of upholding specific security hardening guidelines which are monitored and maintained by manufacturers is extremely important for organizations to minimize their attack surface. The management of the security posture of any connected device should be a shared responsibility between the manufacturer and the consumer. The manufacturer should always communicate the security standards used to harden the device, and the consumer should be aware of any potential security gaps to assure they are mitigating the risks effectively. This is a step forward to making security a priority for all.”

Given that everything from lightbulbs to cars is on the Internet, this is a great move by the EU. Hopefully this forms the basis for devices that are assumed to be secure rather than something that you have to question its security.

UPDATE: George McGregor, VP, Approov Mobile Security Had This To Say:

   “Despite a lot of pushback, particularly on the 24 hour breach reporting requirements, the EU Cyber Resiliency Act (CRA) is now on its way to being in force in 2024. Companies will have a 21-month grace period before they must conform with the reporting obligation of manufacturers for incidents and vulnerabilities.

   “Any companies who operate in the EU would do well to make it a priority to study this legislation: it provides a cybersecurity framework and rules governing the planning, design, development and maintenance of any products, with obligations to be met at every stage of the value chain. The breach reporting requirements are particularly demanding.

   “This is another sign that pressure is being put on all companies and organizations around the world to invest in their cybersecurity resilience and response. The SEC is also active, proposing new guidelines with a four business day reporting rule.

   “This trend will continue and it is inevitable that all companies will have to increase their focus and investment on cybersecurity governance, protection and response.”

David Ratner, CEO, HYAS Infosec follows with this:

   “The Cyber Resiliency Act is a great start and will certainly help to increase transparency and responsibility.  However, organizations should not let attestations and compliance drive their overall operational resiliency and business continuity strategy. They still require solutions capable of giving them the visibility and observability required to move business forward with confidence in the face of a constant onslaught of new and innovative cyber attacks.”

US Navy Releases Its First Cybersecurity Strategy 

Posted in Commentary with tags on November 27, 2023 by itnerd

The U.S. Navy has released its first cybersecurity strategy as the service tries to modernize its efforts in the space after years of staffing and preparedness issues.

The blueprint devised by Chris Cleary, the Navy’s principal cyber advisor, and its CIO, features the following seven lines of effort:

  • Improve and Support the Cyber Workforce
  • Shift from Compliance to Cyber Readiness
  • Defend Enterprise IT, Data, and Networks
  • Secure Defense Critical Infrastructure and Weapon Systems
  • Conduct and Facilitate Cyber Operations
  • Partner to Secure the Defense Industrial Base
  • Foster Cooperation and Collaboration

Troy Batterberry, CEO and founder, EchoMark had this comment:

   “In order for the USA to achieve and maintain information superiority, we must adopt new forms of insider risk management. Nearly all major government agencies have experienced highly damaging leaks in part because the leaker (insider) felt they would never be caught. An entirely new approach is required to help change human behavior. Information watermarking is one such technology that can help keep private information private.”


Stephen Gates, Principal Security SME, Horizon3.ai follows with this:

   “In the context of the Department of the Navy Cyber Strategy 2023, one line of effort stands out among the others: 2.0 Shift from Compliance to Cyber Readiness. As recent cyber events have repetitively proven, a purely defensive cyber strategy is not working and must be augmented by “adversarial assessments” of your own environments.

   “These adversarial assessments are not the run-of-the-mill vulnerability scans. These assessments are cyber red team exercises whereby organizations attack themselves using the same tools, tactics, and procedures (TTPs) attackers use. The reason for this is simple. If you cannot find that hidden chink in your armor, that crack in your layered walls of defense, that blind spot you didn’t even know existed, you will never be able to adequately defend yourself against a purposeful attacker with nothing but time on their side – and disruption on their mind.

   “Today, autonomous assessment solutions that let you see your environments through the eyes of an attacker are readily available. Having these solutions in the hands of highly skilled red teams allows them to force-multiply, meaning, they can do expansive cyber readiness exercises simultaneously, while using these solutions to accelerate their assessment analysis. Furthermore, these solutions also meet the objective of prioritizing mitigations and reassessment tracking to ensure issues have been remediated and readiness is confirmed.”

At least the Navy realizes that it has issues, and is moving to address them. That’s good. But everyone will be watching to see if the Navy “walks the walk” as opposed to just “talking the talk”.

Australian Government Announces $18M For SMB Cyber Security Support 

Posted in Commentary with tags on November 20, 2023 by itnerd

According to a joint announcement by Minister for Cyber Security Clare O’Neil and Minister for Small Business Julie Collins, the Australian government is pledging an $18.2 million investment to help SMBs improve their cybersecurity resilience and response as part of the 2023-2030 Australian Cyber Security Strategy.
 
$7.2 million will be put towards establishing a voluntary cyber health-check program for SMBs to check their cyber security maturity and gain access to educational tools and materials they need to upskill. Also, high risk SMBs will have access to “a more sophisticated, third-party assessment to provide additional security across national supply chains.”
 
The remaining $11 million will go towards the Small Business Cyber Resilience Service which will provide one-on-one assistance to help small businesses navigate their cyber challenges, including walking them through the steps to recover from a cyber-attack.  

“Uplifting the cyber security of our small businesses is integral to a cyber secure and resilient nation, and this dedicated support will make a huge difference in their preparedness and resilience,” O’Neil said in a statement.

According to the Australian Small Business and Family Enterprise Ombudsman, there are more than 2.5 million small businesses in Australia, making up 97% of all businesses.

George McGregor, VP, Approov Mobile Security:

   “This is an important initiative – small businesses are especially vulnerable to cyber-attacks and don’t have the resources to invest heavily in skills and technology to defend their business. They also depend heavily on services and APIs offered by larger companies and without adequate protections can inadvertently provide a path for attackers to target those services too. We need to see more of these initiatives by governments to make implementing best in class security practices easy for SMBs.”

Anything that helps SMBs to protect themselves from cyberattacks is a good thing. SMBs get the fact that they need to be protected, but they might need some help to get them across the finish line, so to speak.