Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Download your copy now at www.cip-association.org/CIPRNews
Please find here your downloadable copy of the Spring 2024 issue of Critical Infrastructure Protection & Resilience News, the official magazine of the International Association of CIP Professionals (IACIPP), for the latest views, features and news, including a Review of the recent Critical Infrastructure Protection & Resilience North America conference and exhibition in Lake Charles, LA.
Critical Infrastructure Protection & Resilience News in this issue:
- Protecting Life - Securing Agriculture
- Protect our Electric Grid – Before it’s Too Late
- Connecting Unrelated Industries Strengthens All Sectors
- Why Airspace Awareness Matters for Critical Infrastructure Security
- Critical Infrastructure Resilience: Are we addressing the real challenges? In the right way?
- Break down cyber and physical security silos to improve protection and operations
- An Interview with CITGO
- Is Cybersecurity As Enchanted as Sleeping Beauty?
- CIPRE Review
- Agency News
- Industry News
Download your copy at www.cip-association.org/CIPRNews

Custom-made Awareness Raising to enhance Cybersecurity Culture

The European Union Agency for Cybersecurity (ENISA) empowers organisations by publishing the updated version of the ‘Awareness Raising in a Box’.
Advanced protection of systems and a robust cybersecurity strategy have become a priority for all kinds of organisations, as cybersecurity issues and threats have evolved to be increasingly sophisticated and pervasive. Thus, awareness raising activities and having a relevant methodology in place are fundamental to integrating cybersecurity into the organisational culture. With a view to achieving this goal, applying game design elements in cybersecurity awareness activities can simplify familiarisation with terms and concepts through hands-on experience and motivate employees’ participation.
To test the new edition of the all-in-one toolkit, ENISA piloted the Awareness Raising in a Box (AR-in-a-BOX) with the Cypriot Digital Security Authority and the Cypriot National Coordination Centre.
The Head of the Cypriot Digital Security Authority, Diamantis Zafeiriades, highlighted that "The Digital Security Authority (DSA) and the Cyprus National Coordination Centre for Cybersecurity (NCC-CY) are proud to be working along with the European Union Agency for Cybersecurity (ENISA) to test and promote the ‘Awareness Raising in a Box’ (AR-in-a-BOX), which aims to boost knowledge on cybersecurity awareness techniques. Acknowledging that cyber resilience is a constant training journey for the unpredictable, we are committed to supporting such initiatives on an ongoing basis."
AR-in-a-Box allows professionals from small and medium enterprises (SMEs) to large enterprises and public or private entities to improve their knowledge of cybersecurity awareness techniques. This comprehensive toolkit offers a blend of theoretical frameworks and practical resources, enabling organisations to craft tailored cybersecurity awareness programmes, including gamification of content.
Notably, the updated version features an online Cyber Awareness Game accessible through the EU ACADEMY.
The updated version of AR-in-a-Box includes the existing catalogue of instructions, games and activities but has also been enriched with the addition of a new guide for the development of internal and external cyber crisis communication plans.
The cyber crisis communication guide aims to help organisations and experts improve their communication preparedness and response during a cybersecurity crisis. As such incidents may impact several aspects of their operations, the guide provides a holistic approach to protecting them and mitigating risks and damage.

CISA Publishes High-Risk Communities Webpage

The Cybersecurity and Infrastructure Security Agency (CISA) announces a new dedicated High-Risk Communities webpage today with cybersecurity resources for civil society communities at heightened risk of facing digital security threats because of their work. Through the Joint Cyber Defense Collaborative (JCDC) and building on priorities advanced through the Administration’s Summit for Democracy, CISA developed this valuable resource in collaboration with civil society organizations, government, and private industry partners to support these communities with their cybersecurity.
This webpage offers digital security resources specifically for high-risk communities, including Project Upskill, a suite of guides designed to equip non-technical individuals affiliated with high-risk organizations with simple steps to meaningfully improve their cyber hygiene. Other resources on the webpage include information on local cyber volunteer programs, and a repository of free or discounted cybersecurity tools and services available to high-risk communities.
“With experts across government and the private sector, we collaborated extensively to identify and develop actionable and easy-to-use resources for high-risk communities. We will continue to solicit input and feedback from partners across civil society as we collectively work to safeguard those organizations advancing democracy and human rights against cyber threats,” said CISA Director Jen Easterly. “CISA is especially pleased with the public-private collaboration that led to development and publication of these resources, reflecting shared commitment across government, industry, and civil society.”
The High-Risk Communities planning effort furthers JCDC priorities by bringing together government and the private sector to execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. To learn more about JCDC, visit CISA.gov/JCDC.
All civil society organizations are encouraged to visit the High-Risk Communities webpage intended to serve as a one-stop-shop for cybersecurity guidance.

IACIPP Announces Launch of ‘CIP WEEK’ in Europe

The International Association of Critical Infrastructure Protection Professionals (IACIPP) has announced the launch of ‘Critical Infrastructure Protection Week’ in Europe as part of an initiative focused on enhancing collaboration and cooperation within the industry.
The Critical Entities Resilience Directive (CER Directive) is about to be implemented. It lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. Member States must adopt and publish the measures necessary to comply with the Directive by 17th October 2024.
The NIS2 Directive, also known as the Network and Information Security Directive, is also a significant piece of legislation being implemented by 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It builds upon the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
In light of the forthcoming challenges with the Directives, and the ever-increasing threats against European critical infrastructures, IACIPP is launching ‘CIP Week’ in Europe to help raise awareness and promote greater collaboration amongst operators, agencies and the CI security community.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid, Spain, and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and the ‘EU-CIP Horizon Project’ conference as the first two events of the initiative. Additional events are expected to be announced as part of CIP Week in due course.
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted to be announcing this new initiative in Europe, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies have a degree of concern over the lack of preparation of some of the operators and agencies for the October deadline, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, which we aim to be an annual event. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ deadlines and be prepared,” added Mr Donlon.
Critical Infrastructure Protection & Resilience Europe (CIPRE) is the premier conference in Europe to discuss the operational threats and challenges, delivering thought leadership and strategies for operators and agencies to plan security and resilience for their operations and assets.
The EU-CIP Horizon Europe Project is set up to establish a novel pan-European knowledge network for Resilient Infrastructures, which will enable policy makers to shape and produce data-driven, evidence-based policies, while boosting the innovation capacity of Critical Infrastructure (CI) operators, authorities, and innovators (including SMEs).
Emilia Gugliandolo, Project Coordinator of EU-CIP, said, “The EU-CIP Project is delighted to be invited as part of the CIP Week initiative, enabling greater opportunities for the industry to explore the challenges and opportunities for bringing about synergetic, emerging disruptive solutions to security issues via cross-projects collaboration and innovation. We look forward to successful collaborations between the sectors and professionals in achieving the overall goals for the industry.”
IACIPP is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure, open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, research and academia. The Association also aims to share ideas, information, experiences, technology and best practice to enhance these objectives.
IACIPP is inviting the industry to join in CIP Week in Madrid on 12th-14th November 2024.

CIPRNA Announces Preliminary Conference Programme

Critical Infrastructure Protection & Resilience North America, taking place on 12th-14th March 2024 in Lake Charles, Louisiana, and co-hosted by IACIPP and Infragard Louisiana, has announced the Preliminary Conference Program for the 2024 conference and exhibition, and you can download the agenda at www.ciprna-expo.com/PSG.

The Guide provides the outline programme, the excellent international expert speakers and the schedule of events to help you plan your participation.

You can also register online today and save with the Early Bird delegate rates at www.ciprna-expo.com/register

Confirmed Speakers include:
- Dr David Mussington, Executive Assistant Director for Infrastructure Security, Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA)
- Brian Harrell, VP & Chief Security Officer, AVANGRID
- Michael Hill, Program Specialist, Cybersecurity and Infrastructure Security Agency
- Emilio Salabarria, Senior Program Manager for Cybersecurity, The Florida Center for Cybersecurity: Cyber Florida
- Dr. Srinivas Bhattiprolu, Global Head of Advanced Consulting Services, Nokia
- Ed Landgraf, Chairman, Coastal And Marine Operators
- Kimberly Heyne, ChemLock Program Manager, Cybersecurity and Infrastructure Security Agency (CISA)
- Dan Frazen, CO-CEM, Agriculture Emergency Coordinator (All-Hazards), Colorado Department of Agriculture
- Dr. Joshua Bergerson, Principal Infrastructure Analyst, Argonne National Laboratory
- Chris Essid, Sector Branch Chief, Cybersecurity and Infrastructure Security Agency (CISA)
- Budge Currier, Assistant Director Public Safety Communications, California Office of Emergency Services (Cal OES)
- Terrence Check, Senior Legal Counsel, CISA
- Rola Hariri, Defense Industrial Base Liaison, Cybersecurity and Infrastructure Security Agency (CISA)
- Lester Millet, President, Infragard Louisiana & Safety Risk Agency Manager, Port of South Louisiana
- Michael Finch, Technology Services Director, Lane County Department of Technology Services
- Richard Tenney, Senior Advisor, Cyber, Cybersecurity and Infrastructure Security Agency (CISA)
- Andrew A Bochman, Senior Grid Strategist-Defender, DOE / Idaho National Lab
- Jim Henderson, CEO, Insider Threat Defense Group

Full speaker list: www.ciprna-expo.com/speakers2024
Download Agenda: www.ciprna-expo.com/PSG
Schedule of Events/Agenda: www.ciprna-expo.com/schedule
List of Exhibitors: www.ciprna-expo.com/exhibition/exhibitors
Registration: www.ciprna-expo.com/register

Join the community in Lake Charles on 12th-14th March 2024 for some more great discussions on securing America's critical infrastructure and assets.

Download latest Preliminary Conference Programme Guide for CIPRE

As someone responsible in your organisation for critical assets and/or infrastructure, Critical Infrastructure Protection and Resilience Europe is the leading conference that will keep you abreast of the changes in legislation, current threats and latest developments.

Download the Preliminary Conference Programme Guide at www.cipre-expo.com/guide.

What is the new directive on the Resilience of Critical Entities...

The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.

The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.

Are you up to date on this legislation, and do you know what you need to do to be compliant?

Get updated on the NIS2 Directive and what it means to you...

An important discussion will centre around the EU cybersecurity rules introduced in 2016 and updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.

By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

What will this mean for you, and how can you meet the Directive's goals?

Critical Infrastructure Protection and Resilience Europe is Europe's leading discussion that brings together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Europe's critical infrastructures.
The conference's top-quality programme looks at these developing themes and helps create a better understanding of the issues and the threats, facilitating the work to develop frameworks, good risk management, strategic planning and implementation.

The packed event themes include:

- Interdependencies and Cascading Effects
- Emerging Threats against CI
- Crisis Management, Coordination & Communication
- Power & Energy Sector Symposium
- Government, Defence & Space Sector Symposium
- Communications Sector Symposium
- Information Technology (CIIP) Sector Symposium
- Transport Sector Symposium
- CBRNE Sector Symposium
- Technologies to Detect and Protect
- Risk Mitigation and Management
- The Insider Threat
- Business Continuity Management
- EU Horizon Projects Overviews

You are invited to be a part of this program, where you can meet, network and learn from the experiences of over 40 expert international speakers, as well as industry colleagues who share the same challenges and goals.

Please join us and the CI industry in the beautiful city of Prague, on 3rd-5th October, for a great programme of discussions that can help you to deliver enhanced security and resilience for your organisation.

Visit www.cipre-expo.com for further details


Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Summer 2023 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- The CNI / Crowded Places Security Debate
- Beyond Physical Protection
- Hybrid Threats
- A Comprehensive Resilience Ecosystem
- Artificial Intelligence and Cybersecurity Research
- Resilience in action
- An Interview with EU-CIP Project
- IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- Using the EU Space Programme for disaster risk management in Hungary
- An Interview with TIEMS
- Critical Infrastructure Protection and Resilience Europe Preview
- Agency and Industry News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.


IACIPP Speak at CyberCon Conference in Bucharest

John Donlon QPM FSyI, Chairman of the International Association of Critical Infrastructure Protection Professionals (IACIPP), was a guest speaker on behalf of the National Institute for Research & Development in Informatics (ICI Bucharest) at the CyberCon Conference which took place in Romania between the 22nd and 27th May.

John was on a panel session addressing the subject of Cyber Diplomacy. The session was moderated by Carmen-Elena CÎRNU, the Scientific Director of ICI Bucharest, and opened by the Director General of ICI Bucharest, Victor Vevera. In his opening address Victor referenced the Romanian position on Cyber Diplomacy from his organisation's perspective and also highlighted the continuing partnership with IACIPP and the successful joint conference held in the Romanian Royal Palace in 2022.

John delivered a presentation outlining his views on how the type and nature of the crises being faced within our increasingly interconnected, globalised and rapidly changing world are ever evolving, referencing the pandemic, the war in Ukraine and the devastating earthquakes that hit Turkey and Syria at the start of this year.

He summarised the development of IACIPP and what it seeks to achieve as a platform for like-minded individuals: a space to share information, connect and communicate on all matters relating to the protection and resilience of national infrastructure and information, with a focus on the part such an association can play in facilitating communication across both the public and private sectors.

That need for connectivity was a common thread throughout the session. It was acknowledged that the world's infrastructure and cyber position is a greater target, and more vulnerable, than ever, and that addressing issues of concern requires continuing to develop a comprehensive approach that aligns both physical and cyber security, protection and resilience through enhanced levels of cooperation and coordination.

There was consensus across the panel and from the audience on the continued need for greater levels of coordination, cooperation and communication across nation states and between public and private sector entities.

It was recognised that the development of Cyber Diplomacy along with the growth in Cyber Ambassadors across the globe could go some significant way to addressing cyber problems internationally and improving the connectivity that has to be in place.

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews


CISA Issues Apache Log4j Vulnerability Guidance

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

Apache released Log4j version 2.15.0 in a security update to address the CVE-2021-44228 vulnerability. However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions.

Vendors
- Immediately identify, mitigate, and patch affected products using Log4j.
- Inform your end users of products that contain this vulnerability and strongly urge them to prioritize software updates.

Affected Organizations
- In addition to the immediate actions—to (1) enumerate external-facing devices that have Log4j, (2) ensure your SOC actions alerts on these devices, and (3) install a WAF with rules that automatically update—as noted in the box above, review CISA's upcoming GitHub repository for a list of affected vendor information and apply software updates as soon as they are available. See Actions for Organizations Running Products with Log4j below for additional guidance.
- Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. In accordance with BOD 22-01, federal civilian executive branch agencies must mitigate CVE-2021-44228 by December 24, 2021.

Technical Details

This RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."

An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.
Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

- Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
  - In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  - For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
  - For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
- Apply available patches immediately. See CISA's upcoming GitHub repository for known affected products and patch information.
  - Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
  - Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above.
  - As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.
- Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
- Consider reporting compromises immediately to CISA and the FBI.
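The first step in the guidance above is knowing which of your own jars carry an affected log4j-core and whether the JndiLookup workaround has already been applied. As an added example (not CISA's or Apache's code), this Python script walks a directory tree, reads each jar's Maven pom.properties for the log4j-core version (falling back to the conventional file name), and classifies it against the 2.0-beta9 to 2.14.1 range, the 2.15.0 fix release and the presence of the JndiLookup class. The sample jars it builds are constructed stand-ins for demonstration, not real Log4j artifacts.

```python
import os
import re
import tempfile
import zipfile

# Class whose removal is the workaround quoted above for releases 2.0-beta9 to 2.7.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside a genuine log4j-core jar; it carries the version line.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")

def version_key(text):
    """'2.14.1' or '2.0-beta9' -> sortable tuple (betas sort before the release); None if unparsed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    release_flag, beta_num = (0, int(beta)) if beta else (1, 0)
    return (int(major), int(minor), int(patch or 0), release_flag, beta_num)

FIRST_AFFECTED = version_key("2.0-beta9")  # affected range quoted in the CISA guidance
LAST_AFFECTED = version_key("2.14.1")
FIXED = version_key("2.15.0")              # Apache's fix release named in the guidance

def classify(version, has_jndi_lookup):
    """Classify one jar for CVE-2021-44228 from its version string and JndiLookup presence."""
    key = version_key(version) if version else None
    if key is None:
        return "unknown-version-jndilookup-present" if has_jndi_lookup else "unknown-version"
    if key >= FIXED:
        return "patched"
    if FIRST_AFFECTED <= key <= LAST_AFFECTED:
        return "vulnerable" if has_jndi_lookup else "mitigated-jndilookup-removed"
    return "not-affected"

def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a jar that embeds log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            pom = zf.read(POM_PROPERTIES).decode("utf-8", "replace") if POM_PROPERTIES in names else ""
    except zipfile.BadZipFile:
        return None
    has_jndi_lookup = JNDI_LOOKUP_CLASS in names
    if not (pom or has_jndi_lookup or any(n.startswith("org/apache/logging/log4j/core/") for n in names)):
        return None  # not a log4j-core jar (nor a fat jar embedding it)
    version = next((ln.split("=", 1)[1].strip() for ln in pom.splitlines()
                    if ln.startswith("version=")), None)
    if version is None:  # fall back to the conventional file name, e.g. log4j-core-2.14.1.jar
        m = re.match(r"^log4j-core-(\d[^/]*)\.jar$", os.path.basename(path))
        version = m.group(1) if m else None
    return version, has_jndi_lookup

def scan(root):
    """Walk root and return {jar path: status} for every jar that embeds log4j-core."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                info = inspect_jar(path)
                if info is not None:
                    findings[path] = classify(*info)
    return findings

def build_sample_jar(path, version, include_jndi_lookup=True):
    """Write a constructed, minimal stand-in for a log4j-core jar (demonstration only)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")

def demo():
    """Build constructed sample jars in a temp dir, scan them, return {file name: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
        build_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
        return {os.path.basename(p): s for p, s in scan(root).items()}

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:36} {name}")
```

Version strings the simple pattern does not cover (such as release candidates) are reported as unknown rather than silently treated as safe, so they still land on the review list.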
