Category: Agency News

DOE Should Address Lessons Learned from Previous Disasters to Enhance Resilience

Agency News, Industry News, Power/Energy/Oil & Gas sector

Natural disasters, such as cyclones, earthquakes, hurricanes, wildfires, and severe storms—and the power outages resulting from these disasters—have affected millions of customers and cost billions of dollars. The growing severity of wildfires and extreme weather events in recent years has been a principal contributor to an increase in the frequency and duration of power outages in the U.S. Federal agencies, such as DOE and the Federal Emergency Management Agency, play a significant role in disaster response, recovery, and resilience.

This report (1) identifies lessons learned from federal, state, and other entities' responses to selected disasters that affected the electricity grid from 2017 to 2021; and (2) examines federal agency actions to address those lessons learned. GAO selected a nongeneralizable sample of 15 of 35 disasters that affected the grid from 2017 to 2021. The 15 selected were among the most severe events across a range of types, locations, and years. GAO also examined agency and industry responses; reviewed relevant reports, policies, and documents; and interviewed federal, state, and local officials, as well as selected industry stakeholders.

Power outages caused by natural disasters have affected millions of customers and cost billions of dollars. The Department of Energy plays a key role in disaster response and long-term electricity grid recovery.

DOE has taken some steps to improve its workforce and training, tools and technology, and local capacity to respond to disasters. But, DOE doesn't have a comprehensive plan for coordinating response and recovery responsibilities within the agency. In addition, DOE hasn't used lessons learned from previous disasters to prioritize recovery efforts.

In responding to selected disasters occurring between 2017 and 2021, federal, state, and other stakeholders identified lessons learned in the areas of planning and coordination, workforce and training, tools and technology, and local capacity. In the area of planning and coordination, agency officials and reports highlighted that disaster responses were more effective when strong working relationships existed between federal, industry, and local stakeholders. Regarding workforce and training, a Department of Energy (DOE) report emphasized the importance of having a dedicated pool of responders with expertise in grid reconstruction and recovery, especially when responding to multiple, concurrent or successive disasters.

Federal agencies have taken steps to address lessons learned by improving workforce and training, tools and technology, and local capacity. For example, to address workforce lessons, DOE began deploying a Catastrophic Incident Response Team to quickly bring responders with subject-matter expertise to affected areas. However, DOE does not have a comprehensive approach for coordinating its broader grid support mission that includes disaster response, grid recovery, and technical assistance efforts. Specifically, roles and responsibilities within DOE for transitioning from response to recovery are unclear, as are how lessons learned from previous disasters are used to prioritize recovery and technical assistance efforts. GAO's Disaster Resilience Framework states that bringing together the disparate missions and resources that support disaster risk reduction can help build resilience to natural hazards. By establishing a comprehensive approach that clearly defines roles and responsibilities, and acting on lessons learned across DOE, the department could better target resources and technical assistance. This approach, in turn, can lead to enhanced grid resilience and reduced disaster risk.

 

Leave a comment , , , ,

NSA, CISA, and FBI Expose PRC State-Sponsored Exploitation of Network Providers, Devices

Agency News, Cyber Security CII sector

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) today, “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.” The advisory highlights how People’s Republic of China (PRC) actors have targeted and compromised major telecommunications companies and network service providers primarily by exploiting publicly known vulnerabilities. Networks affected have ranged from small office/home office (SOHO) routers to medium and large enterprise networks.

The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns. Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public and private sector targets.

General mitigations outlined in the advisory include: applying patches as soon as possible, disabling unnecessary ports and protocols, and replacing end-of-life network infrastructure. NSA, CISA, and FBI also recommend segmenting networks and enabling robust logging of internet-facing services and network infrastructure accesses.

The advisory is broken down into three sections: an explanation of common vulnerabilities exploited by PRC state-sponsored cyber actors, an introduction of how telecommunications and network service provider targeting occurred through open source and custom tools, and an overview of recommended mitigations.

Leave a comment , , ,

DOD Needs to Improve Performance Reporting and Cybersecurity and Supply Chain Planning

Agency News, Cyber Security CII sector, Industry News

For fiscal year 2022, DOD requested approximately $38.6 billion for its unclassified IT investments. These investments included programs such as communications and command and control systems. They also included major IT business programs, which are intended to help the department carry out key functions, such as financial management and health care.

The NDAA for FY 2019 included a provision for GAO to assess selected DOD IT programs annually through March 2023. GAO's objectives for this review were to (1) examine how DOD's portfolio of major IT acquisition business programs has performed; (2) determine the extent to which the department has implemented software development, cybersecurity, and supply chain risk management practices; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address these objectives, GAO determined that DOD's major IT business programs were the 25 that DOD reported to the federal IT Dashboard as of December 2021 (The IT Dashboard is a public website that includes information on the performance of IT investments). GAO examined DOD's planned expenditures for these programs from fiscal years 2020 through 2022, as reported in the department's FY 2022 submission to the Dashboard.

GAO obtained the programs' operational performance data from the Dashboard and compared the data to OMB guidance. It also met with DOD CIO officials to determine reasons why programs were not reporting data in accordance with guidance.

In addition, GAO aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that the programs experienced since January 2020.

GAO also aggregated DOD program office responses to the questionnaire that requested information about software development, cybersecurity, and supply chain risk management plans and practices. GAO compared the responses to relevant guidance and leading practices.

Further, GAO reviewed actions DOD has taken to implement its plans for addressing previously identified legislative and policy changes that could affect its IT acquisitions. This included reviewing information associated with the department's efforts to (1) finalize strategies for its business system and software acquisition pathways; (2) implement modern approaches to software development such as transitioning to Agile; and (3) reorganize the responsibilities of the former Chief Management Officer throughout the department. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.

According to the Department of Defense's (DOD) fiscal year (FY) 2022 submission to the federal IT Dashboard, DOD planned to spend $8.8 billion on its portfolio of 25 major IT business programs between FY 2020 and 2022. In addition, 18 of the 25 programs reported experiencing cost or schedule changes since January 2020. Of these programs, 14 reported the extent to which program costs and schedules had changed, noting cost increases ranging from $0.1 million to $10.7 billion and schedule delays ranging from 5 to 19 months. Program officials attributed the changes to various factors, including requirement changes or delays, contract developments, and technical complexities.

Programs also reported operational performance data to the federal IT Dashboard. As of December 2021, the 25 programs collectively identified 172 operational performance metrics consistent with Office of Management and Budget (OMB) guidance. These metrics covered a range of performance indicators such as the timeliness of program deliverables and the percentage of time that systems were available to users. However, programs only reported progress on 77 of the 172 operational performance targets.

Nineteen programs did not fully report progress on their operational performance. Officials from the Office of the DOD CIO stated that programs that have operational performance measures should be reporting them to the Dashboard. They added that there were multiple factors that could have led to programs not reporting the metrics, including a reorganization that shifted responsibilities for IT investment management and confusion about the reporting requirement. Nevertheless, by reporting incomplete performance data, DOD limits Congress' and the public's understanding of how programs are performing.

As of February 2022, DOD program officials from all 11 (of the 25) major IT business programs that we considered to be actively developing new software functionality reported using recommended iterative development practices that can limit risks of adverse cost and schedule outcomes. Officials from eight of the 11 programs reported using Agile software development, which can support continuous iterative software development. Officials for five of the programs also reported delivering software functionality every 6 months or less, as called for in OMB guidance. Officials for three programs reported a frequency greater than 6 months and officials from the remaining three did not indicate a frequency.

In addition, as of February 2022, officials from the 25 major IT business programs reported on whether they had an approved cybersecurity strategy as required by DOD.

Officials from DOD CIO stated that they will follow up with the programs that did not provide an approved cybersecurity strategy. Until DOD ensures that these programs develop strategies, programs lack assuance that they are effectively positioned to manage cybersecurity risks and mitigate threats.

Officials from the 25 programs also reported on whether they had a system security plan that addresses information and communications technology (ICT) supply chain risk management, as called for by leading practices.

DOD guidance does not require programs to address ICT supply chain risk management in security plans. According to officials from DOD CIO, IT programs might address supply chain risk management in program protection plans. In addition, they noted that recent supply chain efforts have been focused on weapons systems. However, 15 of DOD's major IT programs did not demonstrate that they had a supply chain risk management plan. Until DOD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.

Regarding actions to implement legislative and policy changes, the National Defense Authorization Act (NDAA) for FY 2021 eliminated the DOD chief management officer (CMO) position. This position previously had broad oversight responsibilities for DOD business systems. In September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. GAO will continue to monitor DOD's efforts to redistribute the roles and responsibilities formerly assigned to the CMO.

Leave a comment , , ,

Coordinated Vulnerability Disclosure policies in the EU

Agency News, Cyber Security CII sector, Industry News

Vulnerability disclosure has become the focus of attention of cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union. The valid source of concern comes from the cybersecurity threats looming behind vulnerabilities, as demonstrated by the impact of the Log4Shell vulnerability.

Security researchers and ethical hackers constantly scrutinise ICT systems - both open source and commercial closed source software - to find weaknesses, misconfigurations, software vulnerabilities, etc. A wide range of issues are thus revealed: weak passwords, fundamental cryptographic flaws or deeply nested software bugs.

Identifying vulnerabilities is therefore essential if we want to prevent attackers from exploiting them. It is important to consider that attackers can always develop malware specially designed to exploit vulnerabilities disclosed to the public. Besides the identification itself, vendors can also be reluctant to acknowledge vulnerabilities as their reputation might be damaged as a consequence.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process by which vulnerabilities finders work together and share information with the relevant stakeholders such as vendors and ICT infrastructure owners.

CVD ensures that software vulnerabilities get disclosed to the public once the vendor has been able to develop a fix, a patch, or has found a different solution.

What are national CVD policies?

National CVD policies are national frameworks of rules and agreements designed to ensure:

researchers contact the right parties to disclose the vulnerability;
vendors can develop a fix or a patch in a timely manner;
researchers get recognition from their work and are protected from prosecution.

What is the situation in the EU?

The report published today maps the national CVD policies in place across the EU, compares the different approaches and, highlights good practices.

The analysis allows a wide disparity to be observed among Member States in relation to their level of CVD policy achievement. At the time the data used in the report was collected, only four Member States had already implemented such a CVD policy, while another four of them were about to do so. The remaining Member States are split into two groups: those currently discussing how to move forward and those who have not yet reached that stage.

What are ENISA’s recommendations to promote CVD?

The main recommendations from the analysis of nineteen EU Member States include:

Amendments to criminal laws and to the Cybercrime Directive to offer legal protection to security researchers involved in vulnerability discovery;
the definition of specific criteria for a clear-cut distinction between “ethical hacking” and “black hats” activities prior to establishing any legal protection for security researchers;
incentives to be developed for security researchers to actively participate in CVD research, either through national or European bug bounty programmes, or through promoting and conducting cybersecurity training.

Apart from the above, additional recommendations are issued in relation to the economic and polical challenges and also address operational and crisis management activities.

Next steps

The Commission’s proposal for the revision of the Network and Information Security Directive or NIS2 proposal, provides for EU countries to implement a national CVD policy. ENISA will be supporting the EU Member States with the implementation of this provision and will be developing a guideline to help EU Member States establish their national CVD policies.

In addition, ENISA will need to develop and maintain an EU Vulnerability database (EUVDB). The work will complement the already existing international vulnerability databases. ENISA will start discussing the implementation of the database with the European Commission and the EU Member States after the adoption of the NIS2 proposal.

Background material

The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in 2016, and the economic impact of vulnerabilites was explored in detail in 2018. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2018/2019 State of Vulnerabilities report.

Leave a comment ,

Suspected head of cybercrime gang arrested in Nigeria

Agency News, Cyber Security CII sector, Industry News

The cybercrime unit of the Nigeria Police Force arrested a 37-year-old Nigerian man in an international operation spanning four continents, coordinated and facilitated by the recently created Africa operations desk within INTERPOL’s cybercrime directorate.

The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims.

Law enforcement and cybersecurity firms have witnessed the striking increase in many forms of cybercrime in recent years, exploiting the context of COVID-19 and forming what INTERPOL Secretary General Jürgen Stock has called a “parallel pandemic”.

INTERPOL’s Africa desk, called the African Joint Operation against Cybercrime (AFJOC) and funded by the UK Foreign Commonwealth and Development Office, was launched in May 2021 to boost the capacity of 49 African countries to fight cybercrime.

Tracking the suspect’s movements, online and offline

That same month, the police operation, codenamed Delilah, was initiated by an intelligence referral from several INTERPOL partners from the private sector: Group-IB, Palo Alto Networks Unit 42 and Trend Micro.

The intelligence was enriched by analysts within INTERPOL’s Cyber Fusion Centre, which brings together experts from law enforcement and industry to turn information on criminal activities into actionable intelligence. INTERPOL’s AFJOC desk then referred the intelligence to Nigeria and followed up with multiple case coordination meetings supported by law enforcement in Australia, Canada and the United States.

Investigators began to map out and track the alleged malicious online activities of the suspect, thanks to ad hoc support from private sector firm CyberTOOLBELT, as well as tracking his physical movements as he travelled from one country to another. Nigerian law enforcement successfully apprehended the suspect at Murtala Mohammed International Airport in Lagos.
“The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and INTERPOL’s private sector partners in combating cybercrime.” Garba Baba Umar, Assistant Inspector General of the Nigeria Police Force, Head of Nigeria’s INTERPOL National Central Bureau and Vice President for Africa on INTERPOL’s Executive Committee.

“I hope the results of Operation Delilah will stand as a reminder to cybercriminals across the world that law enforcement will continue to pursue them, and that this arrest will bring comfort to victims of the suspect’s alleged campaigns,” the Assistant Inspector General added.

“This case underlines both the global nature of cybercrime and the commitment required to deliver a successful arrest through a global to regional operational approach in combatting cybercrime,” said Bernardo Pillot, INTERPOL’s Assistant Director, Cybercrime Operations.

“The persistence of national law enforcement agencies, private sector partners and the INTERPOL teams all contributed to this result, analysing vast quantities of data and providing technical and live operational support,” Mr Pillot added. “Cybercrime is a threat that none of our 195 member countries face alone.”

Leave a comment , ,

Breaking silos to build resilience – Multi-hazard, multi-sectoral approaches to managing disaster risks

Agency News, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector

Disasters unfold across national boundaries, involving a range of interrelated hazards and complex dynamics. To tackle disaster risks and build resilience in the face of increasing climate-related disasters, it will require a united effort to move beyond working in silos.

“Member states, the UN system, governments – whether national, local or community-level governments – will need to learn more and more how to work in an interdisciplinary manner,” said David Smith, coordinator of the Institute for Sustainable Development at the University of the West Indies, and moderator of the session Breaking the Silos – Towards multi-hazard, multi-sectoral approaches to managing risks at the 7th Global Platform for Disaster Risk Reduction.

“One ASEAN, one response”

Southeast Asia and the Pacific region are especially affected by natural hazards, and in recent years has been the site of numerous disasters – cyclones, floods, tsunami and seismic events, compounded by the COVID-19 pandemic. Susana Juangco, Director of the Philippines Office of Civil Defense, explained how ASEAN, the Association of Southeast Asian Nations, has taken steps towards better coordination in its disaster risk reduction (DRR) strategies.

“The disaster risk landscape is becoming more complex and challenging,” she said. “There is a need to strengthen and broaden cooperation, not only within the ASEAN region but also externally, including with non-traditional partners.”

One example is the ASEAN Joint Taskforce on Humanitarian Assistance, which draws in expertise from many sectors – political, defence, health, social welfare and development.

“Disaster management should be everyone’s business,” she said, “Instead of working in silos, inter-operativeness and coordination should be the essence of all our DRR initiatives.”
Understanding risk from community viewpoints

Bijay Kumar, Executive Director of the Global Network of Civil Society Organisations for Disaster Reduction (GNDR) described how an inclusive, community-based approach can strengthen DRR and resilience building by drawing on local perspectives.

“As a global network… we are trying to see how risks are understood from the perspective of the people experiencing them.”

A GNDR programme has examined how communities have been included in various governance systems, and how this inclusion has changed over a ten-year period, drawing on the experiences of representative samples of communities across 48 countries worldwide.

In Indonesia, for example, the study found that a consultative process helped to activate a penta-helix approach involving local governments, civil society, academia and the media in developing plans which were then taken up at a national level.

“It is possible to bring a comprehensive analysis to inform a sustainable way of building resilience,” he noted.

Finding the right tools for the job

Scientists have a range of tools at their disposal for assessing disaster risk. There are well-established methods for assessing primary impacts from external shocks, but in many of the places that experience disasters, data is often in short supply. However, when it comes to assessing systemic risks and the complex dynamics that cause wider impacts, there are fewer options.

Olaf Neußner, an independent expert for the German Committee for Disaster Reduction (DKKV) believes that recent global events – the pandemic and the war in Ukraine – could help to break down silos between different avenues of research, and create new opportunities for risk analysis.

“There is a lot of information available, and researchers can look into this and see what the cascading effects actually are,” he said.

In order to process the enormous volume of data, risk assessments could draw on machine learning and artificial intelligence to better understand causal relationships and connections between hazards and impacts.

Economic models could also be useful in understanding the socio-economic impacts of disasters – this requires that the two silos of economic and DRR analysis are bridged.
“Breaking silos takes time and energy, but it is worth it.”

Peter Binder, Director-General of MeteoSwiss and the Swiss Permanent Representative to the World Meteorological Organisation (WMO), offered examples of how DRR initiatives in Switzerland have deliberately set up structures to break down silos.

This entailed establishing the Steering Committee on Intervention in Natural Hazards, which brings together government and academic institutes dealing with weather, fire, civil protection, seismic events, avalanches and topography. The Committee operates on three hierarchical levels, each involving all of the parties.

A similar collaborative approach is applied by the National Centre for Climate Services, bringing together seven federal offices with academic institutions.

“Breaking silos takes time and energy, but it is worth it,” he said.

An earth system approach

At an international level, Binder noted that the WMO – with responsibility for weather, water and climate – provides another example of breaking silos.

“The three disciplines are intimately linked in nature and, therefore, should also be in our scientific and operational treatment,” he said. “This is the earth system approach, indispensable for managing multi-hazard risk.”

Switzerland is promoting an initiative to take this further, to bolster global preparedness for natural hazards.

Under the WMO Coordination Mechanism, “all available authoritative information on meteorological and hydrological threats from WMO members should be directed into the information channels of the pertinent UN and humanitarian aid organisations. This constitutes a multi-organizational and multinational effort to mitigate risk related to meteorological, hydrological and climate hazards,” he said.

[Source: UNDRR]
Leave a comment , , ,

NSA, Allies Issue Cybersecurity Advisory on Weaknesses that Allow Initial Access

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI, along with allied nations, published a Cybersecurity Advisory today to raise awareness about the poor security configurations, weak controls and other poor network hygiene practices malicious cyber actors use to gain initial access to a victim’s system.

“Weak Security Controls and Practices Routinely Exploited for Initial Access” also includes best practices that can help organizations strengthen their defenses against this malicious activity.

“As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.”

Some of the most common weaknesses include not enforcing multifactor authentication, incorrectly applying privileges or permissions and errors within access control lists and not keeping software up to date. The advisory recommends mitigations that control access, harden credentials, establish centralized log management and more.

CISA produced the advisory with help from NSA and other partners. That includes the FBI, the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ), the Netherlands National Cyber Security Centre (NCSC-NL), and the United Kingdom National Cyber Security Centre (NCSC-UK) on the advisory. Many of the same cybersecurity authorities collaborated to release a complementary advisory on 27 April, which highlighted the top routinely exploited vulnerabilities from 2021.

Leave a comment ,

UK joins international cyber agency partners to release supply chain guidance

Agency News, Cyber Security CII sector, Industry News

THE UK and its international partners have today (Wednesday) issued advice to IT service providers and their customers as part of wider efforts to protect organisations in the wake of Russia’s invasion of Ukraine.

The joint advisory from the National Cyber Security Centre (NCSC) – a part of GCHQ – and its partners sets out a series of practical steps for managed service providers (MSPs) and their customers.

The advisory has been issued alongside the US’s Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).

It is being released on the second day of the NCSC’s CYBERUK conference in Wales, which a number of these partners are attending.

MSPs provide IT support to their customers in various ways, for example through software or cyber security services, and in order to do so they are granted privileged access to a customer’s network.

This can create opportunities for attackers, who can gain access to an organisation’s network by compromising their MSPs.

One of the most significant examples of these supply chain attacks was that carried out in 2020 against US software company Solarwinds, which impacted customers throughout the world.

Organisations are being encouraged to consider the advisory, Protecting Against Cyber Threats to Managed Service Providers and their Customers, in conjunction with guidance from the NCSC and others in relation to the heightened tensions as a result of events in Ukraine.

NCSC CEO Lindy Cameron said:

“We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that.

“Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”

CISA Director Jen Easterly said:

“I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.

“As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.

“We know that MSPs that are vulnerable to exploitation significantly increases downstream risks to the businesses and organisations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre, said:

“Managed Service Providers are vital to many businesses and as a result, a major target for malicious cyber actors.

“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods. Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this Advisory.”

Sami Khoury, Head, Canadian Centre for Cyber Security, said:

“We’ve seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers.

“These compromises can result in costly mitigation activities and lengthy downtime for clients. We strongly encourage organizations to read this advisory and implement these guidelines as appropriate.”

Lisa Fong, Director of NZ NCSC, said:

“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today.

“As organisations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point. Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as managed service providers. They also need to be prepared to effectively respond to when issues arise.”

Rob Joyce, Director NSA, said:

“This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data.

“Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization.”

Bryan Vorndran, Cyber Division Assistant Director FBI, said:

“Through this joint advisory, the FBI, together with our federal and international partners, aims to encourage action by MSPs and their customers, as malicious cyber actors continue to target this vector for entry to threaten networks, businesses, and organisations globally.

“These measures and controls should be implemented to ensure hardening of security and minimise potential harm to victims.”

A range of steps are set out for MSPs and their customers in the latest advisory, including:

Organisations should store their most important logs for at least six months, given incidents can take months to detect.
MSPs should recommend the adoption of multi-factor authentication (MFA) across all customer services and products, while customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive.
Organisations should update software, including operating systems, applications, and firmware, and prioritise the patching of known exploited vulnerabilities.

The advisory makes clear that organisations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations.

Leave a comment , ,

NSA Issues Recommendations to Protect VSAT Communications

Agency News, Cyber Security CII sector, Industry News

The National Security Agency (NSA) updated its Cybersecurity Advisory (CSA) today for securing very small aperture terminal (VSAT) networks, “Protecting VSAT Communications.” The advisory aims to help organizations understand how communications may be at risk of compromise and how they can act to reduce risk.

The recent U.S. and European Union public statements noted the Russian military launched cyber attacks against commercial satellite communications to disrupt Ukrainian command and control in February 2022. This cyber activity against Ukraine further underscores the risk to VSAT communications for both espionage and disruption.

A number of U.S. government missions use VSAT networks for remote communications when other options are not feasible. However, VSAT communication links were not built with security in mind — often resulting in traffic being sent unencrypted.

NSA recommends government VSAT networks, such as those designated as National Security Systems (NSS) and ones used by Defense Industrial Base (DIB) organizations, enable all available transmission security protections on VSAT networks. NSA also recommends encrypting all communications prior to transmitting across VSAT links, keeping hardware and firmware updated, and changing any default credentials before use.

Leave a comment , ,

Disaster Resilience: Opportunities to Improve National Preparedness

Agency News, Industry News, Water sector

Each year, disasters such as hurricanes and wildfires affect hundreds of American communities. The federal government provides billions of dollars to individuals and communities that have suffered damages. According to the U.S. Global Change Research Program, extreme weather events are projected to become more frequent and intense in parts of the U.S. as a result of changes in the climate. Investments in disaster resilience can reduce the overall impact of future disasters and costs.

This testimony discusses GAO reports issued from 2015 through 2021 on disaster preparedness and resilience. This includes FEMA's National Preparedness System and associated grants; hazard mitigation grant programs; and GAO's Disaster Resilience Framework for identifying opportunities to enhance resilience. The statement also describes actions taken to address GAO's prior recommendations through March 2022.

GAO has evaluated federal efforts to strengthen national preparedness and resilience and identified opportunities for improvement in several key areas:

FEMA Efforts to Strengthen National Preparedness. The Federal Emergency Management Agency (FEMA)—the lead agency for disaster preparedness, response, and recovery—assesses the nation's emergency management capabilities and provides grants to help state, local, tribal, and territorial governments address capability gaps. In May 2020, GAO found that FEMA and jurisdictions have identified emergency management capability gaps in key areas such and recovery and mitigation. GAO recommended that FEMA determine steps needed to address these capability gaps. FEMA agreed and plans to develop an investment strategy that aligns resources with capability gaps.

FEMA's Hazard Mitigation Grant Programs. In February 2021, GAO found that state and local officials faced challenges with FEMA's hazard mitigation grant programs. Specifically, officials GAO interviewed from 10 of 12 selected jurisdictions said grant application processes were complex and lengthy. This could discourage investment in projects that would enhance disaster resilience. FEMA officials said they intended to identify opportunities to streamline, but did not have a plan for doing so. GAO recommended that FEMA develop such a plan. FEMA agreed and is in the process of doing so.

Identifying Opportunities to Enhance Disaster Resilience. In October 2019, GAO issued a framework to guide analysis of federal actions to promote resilience to natural disasters and changes in the climate. For example, the framework can help identify options to address government-wide challenges that are of a scale and scope not addressed by existing programs.

Leave a comment , ,
1 19 20 21 22 23 44