Category: Industry News

Industry News

UN aims to help prevent another Beirut disaster

Agency News, Industry News, Transport sector

The devastation caused by the Beirut explosions on 4 August has focused attention on the risks involved in the transportation and storage of dangerous goods around the world. The UN is at the forefront of international efforts to reduce these risks and save lives.

Many offices and agencies of the UN have been mobilized to respond to the aftermath of the disaster, provide emergency aid, and coordinate the international community’s response.

The cost of reconstruction is estimated to be in the range of several billion dollars and, on August 10, Mark Lowcock, the UN’s Emergency Relief Coordinator, called for donors to “come together and put their shoulder to the wheel” for the benefit of the Lebanese people.

Exposure to risk
Three days later, a group of independent UN human rights experts released a statement decrying the “level of irresponsibility and impunity surrounding human and environmental devastation” in the city, and called for an independent investigation that clarifies responsibility for the man-made disaster, and leads to justice and accountability.

In their statement, the experts also maintained the right of the Lebanese people to clear and accurate information about the health and environmental risks to which they are exposed.

The explosions have led to much soul-searching in Lebanon, but it is far from the only country whose citizens are at risk from sites containing dangerous materials: according to the Small Arms Survey, a research organization based in Geneva, Switzerland, tens of thousands of people have been killed by unplanned explosions at arms depots over the past four decades.

Follow the rules
However, several internationally agreed rules and regulations concerning the transportation of dangerous cargo have been in circulation for several years. From the International Maritime Dangerous Goods Code, published by the UN International Maritime Organization (IMO), to the International Labour Organisation (ILO) code of practice on safety and health in ports.

But, as Alfredo Parroquín-Ohlson, the head of Cargoes and Technical Cooperation Coordination at the IMO, explained to UN News, whilst the UN can convene countries to thrash out these rules and guidelines, the states themselves are responsible for making sure they are followed.

“Monitoring falls to shipping companies, and it is the responsibility of each country to verify that regulations are applied and implemented properly. If procedures are not followed, then there will, of course, be gaps. This clearly happened in the case of Beirut”, he said.

“We can only hope that this kind of catastrophe raises the general awareness of the risks involved”, added the UN official, “and we are sure that many ports are taking a closer look at the kind of dangerous materials they have on their hands, and are now revising their procedures.”

Framing the problem
The responsibility of governments around the world to identify risks, is included in the Sendai Framework for Disaster Risk Reduction, the first of the 2030 Agenda global agreements, adopted in 2015, which sets out how Member States can reduce risk. It calls for Member States to finalize their strategies for disaster risk reduction by the end of this year.

Mami Mizutori is the head of the UN Office for Disaster Risk Reduction (UNDRR), the UN’s lead agency for risk and resilience, charged with overseeing implementation of the Sendai Framework.

She told UN News that, whilst the current UN response in Beirut is necessarily focusing on the immediate needs of the affected citizens, it is also important to discuss how to reduce the likelihood of a similar incident hitting the city in the future.

Will it happen again?
“The essence of the Sendai Framework is about shifting attention from responding to disasters, to changing behaviour, so that we can mitigate risks from disasters before they hit and, in doing so, reducing deaths and economic loss, and make it more likely that we will achieve sustainable development”, she said. “In short, it’s about prevention and building resilience for the future.”

“Ports are critical infrastructure, and essential services, and they need to be built in a way that takes all kinds of risk into consideration, including the kinds of goods that are being brought into the port”, added Ms. Mizutori.

“We have robust international rules and regulations regarding the operation of ports, and the ways that substances are stored, but often we see that regulations are not implemented. Governments need to invest in the right people and the right infrastructure. If this doesn’t happen, we will see more technological hazards turning into disasters, whether it’s at a port, a mine, big industrial facilities, or at nuclear power plants.

“When we don’t have enough risk governance, the likelihood of a catastrophic event grows”, she said. “Beirut is a stark reminder that disasters don’t wait in turn to strike us.”

Prevention pays
The message from these UN officials is that fresh rules and regulations are not necessarily needed. What is more important, is a change in our behaviour and the way we factor risk into the way we live, whether at a personal level, or at a national level.

Mr. Parroquín-Ohlson notes that personnel working at ports should not necessarily shoulder the blame, when disaster strikes.

“Staff need to be supported by their institutions, who have robust rules and regulations available to them. In some examples we have seen, staff were not well trained, but, in others, we saw that there was a lack of internal procedures within the administration as a whole”, he said. “For example, there needs to be a clear policy, stating who is responsible for the storage of such cargo, up to the point that it leaves on a ship.”

For Ms. Mizutori, part of the answer is for countries to put disaster risk reduction at the heart of government: “The countries need to put money behind this, and establish national disaster management agencies, which are connected to all the other ministries, working directly under the Head of State, or the Cabinet Office, to ensure that they can take charge of putting prevention at heart of policy-making.

The difficulty, of course, is convincing people that it is worth putting money into something that might happen only happen every 30, or even 100 years. Our job is to help explain why investing in prevention pays.”

[Source: UN]
Leave a comment

Private sector experience in Japan: Supporting disaster preparedness for evacuations under COVID-19

Health & Social Care, Industry News

The shared trauma and experiences of disasters over the decades have helped shape Japan’s unique disaster culture, where all segments of society contribute to disaster prevention and mitigation. The current COVID-19 pandemic has been no exception, and under the guidance and coordination of the central government, the private sector has emerged as a key player in supporting prevention and response efforts.

The Japanese government’s current response phase is focused on trying to keep society running while preventing the spread of the virus. This has been coined as the ‘With Corona’ phase.

One area that has received considerable attention under this phase has been the country’s disaster evacuation protocols. To ensure preparedness and evacuation measures do not inadvertently fuel the pandemic, the Disaster Management division of the Cabinet Office has released a series of practical guidelines, which have been compiled into a general manual document accompanied by YouTube tutorials.

One of the key recommendations is wider engagement with the private sector to support the implementation of the revised evacuation procedures. This is where the member companies of ARISE Japan – the Japanese branch of UNDRR’s partnership alliance of private sector entities committed to DRR – along with other private sector actors, are playing instrumental roles.

To satisfy physical distancing guidelines at disaster shelters while securing the necessary capacity, the government recommends that local governments tap locally available private-owned facilities, such as hotels. The dual-use of private-owned facilities in times of disaster is a well-established practice in Japan that pre-dates the pandemic. But under COVID-19, the practice is being urgently expanded. Responding to these calls, four major accommodation industry associations have announced the preparation of 1,256 facilities nationwide to serve as emergency evacuation shelters, according to ARISE Japan member, JTB Tourism Research & Consulting.

In Japan, cross-utilization of business facilities for DRR purposes is not limited to hotels. Across the nation, 55 metropolitan areas have been designated as ‘Special Districts for Urban Regeneration,’ where facilities, such as shopping complexes, serve necessary disaster preparedness functions such as evacuation shelters or supply depots.

The private sector is also playing a part in raising awareness and educating the public on the importance of reassessing their preparedness plans in light of the pandemic. Under ‘With Corona’ evacuation protocols, people are being asked to consider additional evacuation destinations, such as the homes of family and friends or the higher floors of structurally-sound buildings. To help with this, Japan Conservation Engineers & Co., the creators of the game EVAG - a role-playing game that tests evacuation behavior - updated their simulation script, which already accounted for pandemic disasters, to encourage players to consider alternative evacuation destinations.

In the area of risk communication and closing the “last-mile” gap, the private sector is supporting the delivery of accurate and up-to-date information. In Japan, where a significant information barrier exists for non-Japanese speakers, multi-language call centers such as the Japan Visitor Hotline for the Japan National Tourism Organization are working to reduce this vulnerability. Since the start of the COVID-19 pandemic, BRICK’s Corporation, an ARISE member which operates the hotline, have handled a surge in calls from a few hundred per month before COVID, to over 1,000 calls per month, which peaked in March at 5,300 calls.

The private sector is also helping officials better understand the risk environment and vulnerabilities through market research. Since the start of the pandemic, Japan has experienced a major climate-related disaster in the form of the July heavy rains which affected multiple regions. Web-based surveys conducted across all 47 prefectures by Survey Research Center Co., an ARISE member, revealed areas for improvement in the evacuation protocols developed under the ‘With Corona’ phase. Specifically, the analysis showed that public expectations were unsustainably skewed towards greater reliance on local governments to provide infection control measures, and less on personal or community preparedness.

One reason Japan’s private sector is able to serve as a reliable government partner is thanks to the investments it made in building its own resilience. ARISE Japan member companies report that their existing pandemic scenarios for business continuity, along with peer-to-peer communication through networks such as ARISE, have helped them guide their decision-making during this crisis. Their priorities include maintaining a healthy and productive workforce and maintaining their social responsibilities as a stakeholder organization, as highlighted in the testimony of Ms. Sandra Wu, CEO of Kokusai Kogyo Co. Ltd., an ARISE member.

Tackling far-reaching disasters, like COVID-19, requires a multi-stakeholder approach that brings together the strengths of each sector to fill in the gaps and augment the government’s reach. The examples highlighted of ARISE Japan’s contributions in the area of evacuation preparedness is only one aspect of how the private sector is lending their expertise, resources, and capabilities to build resilience for all.

Leave a comment

CISA Release 5G Strategy for Secure and Resilient Critical Infrastructure

Agency News, Industry News, Telecomms sector

The Cybersecurity and Infrastructure Security Agency (CISA) has released its strategy to ensure the security and resilience of fifth generation (5G) technology in our nation.

As the Nation’s risk advisor, CISA serves the unique role as a trusted information broker across a diverse set of public and private stakeholders. In this role, CISA fosters increased information sharing to help these stakeholders make more informed decisions when identifying and addressing future 5G technology priorities.

CISA’s 5G Strategy seeks to advance the development and deployment of a secure and resilient 5G infrastructure, one that promotes national security, data integrity, technological innovation, and economic opportunity for the United States and its allied partners. The strategy establishes five strategic initiatives that align to the Lines of Effort defined in the National Strategy to Secure 5G. Guided by the core competencies of risk management, stakeholder engagement, and technical assistance, CISA’s 5G activities will help ensure there are policy, legal, security, and safety frameworks in place to fully leverage 5G technology while managing its significant risks.

“The promise of 5G is undeniable, but with 5G technology posed to underpin a wide range of critical infrastructure functions, it’s vital that we manage these risks adequately and promote a trusted ecosystem of 5G componentry,” said CISA Director Christopher Krebs. “CISA is committed to working with partners to build a resilient 5G infrastructure, and this strategy identifies a roadmap of how we will bring stakeholders together to achieve this.”

In addition to the Strategy, CISA has released a 5G Basics Infographic to educate stakeholders on challenges and risks associated with 5G. Working in close collaboration with the critical infrastructure community, the Agency plans to publish sector-specific 5G risk profiles in the coming months.

To learn more about CISA’s role in 5G and to view the strategy, visit www.cisa.gov/5G.

Leave a comment

Australian Government launch consultation on protection of critical infrastructures

Agency News, Cyber Security CII sector, Health & Social Care, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector, University/Research/Academia sector, Water sector

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure.

The Government’s commitment to the continued prosperity of its economy and businesses is unwavering. The impacts of recent events only reinforce the need for collaboration between and across critical infrastructure sectors and Government to protect our economy, security and sovereignty.

At the same time, Government recognises the additional economic challenges facing many sectors and entities in the wake of the COVID-19 pandemic. The outcome it seek is clear - they want to work in partnership to develop proportionate requirements that strike a balance between uplifting security, and ensuring businesses remain viable and services remain sustainable, accessible and affordable. An uplift in security and resilience across critical infrastructure sectors will mean that all businesses will benefit from strengthened protections to the networks, systems and services we all depend on.

An enhanced critical infrastructure framework

The primary objective of the proposed enhanced framework is to protect Australia’s critical infrastructure from all hazards, including the dynamic and potentially catastrophic cascading threats enabled by cyber attacks.

The enhanced framework outlines a need for an uplift in security and resilience in all critical infrastructure sectors, combined with better identification and sharing of threats in order to make Australia’s critical infrastructure – whether industry or government owned and operated – more resilient and secure. This approach will prioritise acting ahead of an incident wherever possible.

Government has agreed that the proposed enhanced framework will apply to an expanded set of critical infrastructure sectors, comprising of three key elements:

  1. Positive Security Obligation, including:
    a. set and enforced baseline protections against all hazards for critical infrastructure and systems, implemented through sector-specific standards proportionate to risk.
  2. Enhanced cyber security obligations that establish:
    a. the ability for Government to request information to contribute to a near real-time national threat picture;
    b. owner and operator participation in preparatory activities with Government; and
    c. the co-development of a scenario based ‘playbook’ that sets out response arrangements.
  3. Government assistance for entities that are the target or victim of a cyber attack, through the establishment of a Government capability and authorities to disrupt and respond to threats in an emergency.

These three initiatives will be underpinned by an enhanced Government-industry partnership across all hazards.

The Government intends to consult with stakeholders during and after receiving submissions. This will also allow us to assess the impact of proposed reforms and refine the development of the enhanced framework.

Further details can be viewed at https://www.homeaffairs.gov.au/reports-and-pubs/files/protecting-critical-infrastructure-systems-consultation-paper.pdf

Leave a comment

INTERPOL report shows shift in cyber attacks from individuals to governments and critical health infrastructure

Agency News, Cyber Security CII sector, Industry News

An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.

With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.

In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.

“The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health,” concluded the INTERPOL Chief.

Key findings highlighted by the INTERPOL assessment of the cybercrime landscape in relation to the COVID-19 pandemic include:

Online Scams and PhishingThreat actors have revised their usual online scams and phishing schemes. By deploying COVID-19 themed phishing emails, often impersonating government and health authorities, cybercriminals entice victims into providing their personal data and downloading malicious content.Around two-thirds of member countries which responded to the global cybercrime survey reported a significant use of COVID-19 themes for phishing and online fraud since the outbreak.

Disruptive Malware (Ransomware and DDoS)Cybercriminals are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit.In the first two weeks of April 2020, there was a spike in ransomware attacks by multiple threat groups which had been relatively dormant for the past few months.Law enforcement investigations show the majority of attackers estimated quite accurately the maximum amount of ransom they could demand from targeted organizations.

Data Harvesting MalwareThe deployment of data harvesting malware such as Remote Access Trojan, info stealers, spyware and banking Trojans by cybercriminals is on the rise. Using COVID-19 related information as a lure, threat actors infiltrate systems to compromise networks, steal data, divert money and build botnets.

Malicious DomainsTaking advantage of the increased demand for medical supplies and information on COVID-19, there has been a significant increase of cybercriminals registering domain names containing keywords, such as “coronavirus” or “COVID”. These fraudulent websites underpin a wide variety of malicious activities including C2 servers, malware deployment and phishing.From February to March 2020, a 569 per cent growth in malicious registrations, including malware and phishing and a 788 per cent growth in high-risk registrations were detected and reported to INTERPOL by a private sector partner.

Misinformationn increasing amount of misinformation and fake news is spreading rapidly among the public. Unverified information, inadequately understood threats, and conspiracy theories have contributed to anxiety in communities and in some cases facilitated the execution of cyberattacks.Nearly 30 per cent of countries which responded to the global cybercrime survey confirmed the circulation of false information related to COVID-19. Within a one-month period, one country reported 290 postings with the majority containing concealed malware. There are also reports of misinformation being linked to the illegal trade of fraudulent medical commodities.Other cases of misinformation involved scams via mobile text-messages containing 'too good to be true' offers such as free food, special benefits, or large discounts in supermarkets.

Future primary areas of concern highlighted by the INTERPOL report include.

  • A further increase in cybercrime is highly likely in the near future. Vulnerabilities related to working from home and the potential for increased financial benefit will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated modi operandi.
  • Threat actors are likely to continue proliferating coronavirus-themed online scams and phishing campaigns to leverage public concern about the pandemic.
  • Business Email Compromise schemes will also likely surge due to the economic downturn and shift in the business landscape, generating new opportunities for criminal activities.
  • When a COVID-19 vaccination is available, it is highly probable that there will be another spike in phishing related to these medical products as well as network intrusion and cyberattacks to steal data.
Leave a comment

Protect Operational Technologies and Control Systems Against Cyber Attacks

Agency News, Cyber Security CII sector, Industry News

Cyber actors have demonstrated their willingness to conduct cyber attacks against critical infrastructure by exploiting Internet-accessible Operational Technology (OT) assets. Due to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggressive.

Today, the National Security Agency and Cybersecurity and Infrastructure Security Agency released an advisory for critical infrastructure OT and control systems assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.

“Operational technology assets are pervasive and underpin many essential national security functions, as well as the Defense Industrial Base,” Anne Neuberger, Director of NSA's Cybersecurity Directorate noted. “We encourage all stakeholders to apply our joint recommendations with DHS CISA.”

“As we’ve said many times, our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them." Bryan Ware, Assistant Director for Cybersecurity, CISA. “Our goal at CISA is to lead and encourage a proactive ‘whole community’ assessment and response to significant threats and ensure we provide the right tools and services at the right time.”

NSA and CISA continue to collaborate on cybersecurity issues and share information about how to best secure National Security Systems, Department of Defense systems, and the Defense Industrial Base as well as other critical infrastructure, against foreign threats, ultimately keeping America and our allies safe.

Leave a comment

CISA Adds Top Cybersecurity Experts to Join Covid-19 Response Efforts

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) announced today the addition of two leading cybersecurity experts to support the agency’s COVID-19 response efforts. Josh Corman is joining CISA as a Visiting Researcher, and Rob Arnold will join CISA’s National Risk Management Center as a Senior Cybersecurity and Risk Management Advisor. Corman and Arnold were both hired using authorities granted under the CARES Act, which allows agencies to hire staff to temporarily support the COVID-19 response.

“The COVID-19 pandemic has resulted in noticeable shifts in cyber risk calculations for organizations of all sizes,” said CISA Director Christopher Krebs. “The hardware, software, and services that underpin our connected infrastructure have absolutely been tested and stressed in this telework-heavy environment. At the same time, certain organizations and sectors of our economy have become more attractive targets for adversaries.”

“This changing threat landscape demands an ‘all-hands-on-deck’ approach and for us to bring the best and brightest minds to the front lines, and the authority granted to us by the CARES Act makes it possible to quickly recruit and add top experts to our team,” added Director Krebs. “Josh and Rob are two examples of the type of innovative leaders that will help us build up our technical capabilities while at the same time improve our engagement with our industry and security researcher community partners during this critical time.”

Josh Corman has an extensive private sector and nonprofit background in IT security and public policy. Corman recently served as the Chief Security Officer at PTC and the Director for the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center for Strategy and Security. He is also the co-founder of IAmTheCavalry.org, a non-profit collection of volunteers dedicated to improving cybersecurity in areas that can save lives. Corman was also a member of the Congressional Health Care Industry Cybersecurity Task Force, which developed a report on the state of cybersecurity in the healthcare industry. In his new role, he will advise on CISA’s integrated industry engagement efforts supporting the COVID response, provide cybersecurity expertise on healthcare infrastructure, and support CISA’s control systems and life safety initiatives.

Rob Arnold most recently served as the founder and CEO of Threat Sketch, a strategic cyber risk management firm that helps small organizations manage cybersecurity at the executive level. He has a wealth of experience in advising businesses and organizations in implementing cyber risk management practices. In addition to co-founding the North Carolina Center for Cybersecurity and authoring a book that explains cyber risk management to business executives, Arnold serves on multiple academic advisory boards for cybersecurity degree seeking programs. At CISA, he will focus on helping the agency better understand shifts in cyber risk from COVID-related factors and how the critical infrastructure community can best fortify its defenses in response.

Leave a comment

A billion user hours lost in EU telecoms due to security incidents in 2019

Agency News, Industry News, Telecomms sector

The European Union Agency for Cybersecurity publishes the 9th annual report on telecom security incidents.

The report published today provides an analysis of root causes and impact of major incidents that happened in the course of 2019 and multiannual trends. The national telecom security authorities in Europe reported a total of 153 major telecom security incidents in 2019. These incident reports were submitted to the EU Agency for Cybersecurity as part of the annual summary reporting on major telecom security incidents in the EU. The reported incidents had a total impact of almost 1 Billion user hours lost.

Juhan Lepassaar, the Executive Director of ENISA, said: "Incident reporting is essential to understand different factors that play a role in cybersecurity incidents, as well as relevant issues. It helps us to see the trends and allows us to assess if the related legislation is working. This will help us to develop the right security measures, if further adjustments or clarifications are needed in the form of implementing acts, and thus improve the overall level of cybersecurity. National authorities use the reporting as a basis for targeted policy initiatives. Our role at ENISA is to make sure that the process is working and to allow the stakeholders, the Member States and the Commission to get the most out of it. We work to harmonise the security incident reporting processes across the Union, to reduce security risks and barriers to the internal market."

Jakub Boratyński, Acting Director of Directorate H in DG CONNECT commented: “Security incident reporting is important in order to get hard numbers about incidents, to analyse root causes and impact, which helps prevent future incidents. It is essential to collect this data not only at EU-level, but also at national level. The COVID-19 outbreak shows more clearly than ever the importance of securing telecom networks.”

The report published today presents an analysis of root causes, impact, and trends of major incidents. It is the 9th annual report on telecom security incidents.

Key takeaways from the 2019 incidents

  • System failures dominate in terms of impact: this category makes up almost half (48%) of the total user hours lost. It is also the most frequent root cause of incidents. Both the frequency and overall impact of system failures have been trending down significantly over the past 4 years;
  • More than a quarter (26%) of total incidents have human errors as the root cause. Human errors increased by 50% compared to the previous year;
  • Almost a third (32%) of the incidents were also flagged as a third-party failure. This means that these incidents originate at third parties, typically utility companies, contractors, suppliers, etc. This number tripled compared to 2018 when it was 9% then;
  • Looking inside the category of system failures, hardware failures are a major factor: almost a quarter of incidents (23%) were caused by hardware failures and they heavily impacted user hours amounting to 38%;
  • Power cuts continue to be an important factor: being either the primary or the secondary cause in over a fifth of the major incidents.

To access the report, please visit: https://www.enisa.europa.eu/publications/annual-report-telecom-security-incidents-2019

ENISA provides also an online visual tool - CIRAS - giving public access to the full repository of telecom security. This tool gives statistics and anonymized information about the 1200 major incidents reported over the past 9 years.

EECC broadening the scope of the telecom security incident reporting

The New EU telecom legislation, known as the European Electronic Communications Code (EECC), has to be transposed into national law by 21 December 2020.

These new rules are broader in scope, adapting to the changes in the EU’s electronic communications landscape. The new legislation will also cover so-called number-independent interpersonal communications services, such as Whatsapp and Skype. The reporting obligations will cover a broader range of telecom security incidents, including incidents having an impact on confidentiality, availability, integrity or authenticity of the communication networks and the data transmitted via those networks or services.

ENISA is working with the EU Member States to implement these changes. The annual reporting guideline is currently being updated to include new thresholds for the annual summary reporting. The EU Agency for Cybersecurity is also updating the guidelines on security measures.

General observations

National telecom authorities use incident reports for targeted policy initiatives and guidelines: the mandatory reporting helps to identify common root causes. This is how we start finding solutions to mitigate the impact of some of the biggest incidents.

Every year the annual summary reporting at EU level highlights important issues and trends: the national authorities then follow up these issues and trends in more details.

Reporting about threats: under the new provisions of the EECC, important threats will also have to be reported along with incidents. This means there is a clear need for national authorities to exchange information about ongoing attacks and important vulnerabilities, in addition to actual incidents with impact on telecom services.

The current incident reporting does not show the complete telecom security threat landscape: security incidents not causing large network disruptions currently remain out of the reporting obligations.
Background information

Electronic communication providers in the EU have to notify telecom security incidents having a significant impact to the national authorities for telecom security in their country. At the beginning of every calendar year, the authorities send summary reports about these incidents to the EU Agency for Cybersecurity.

Security incident reporting has been part of the telecom regulatory framework of the European Union (EU) since the 2009 reform of the telecom package: Article 13a of the Framework directive (2009/140/EC) came into force in 2011. The breach reporting in Article 13a focuses on security incidents with significant impact on the operation of services, such as outages of the electronic communication networks and/or services. Article 40 of the European Electronic Communications Code (EECC) will replace Article 13a by the end of 2020.

The Article 13a Expert Group was founded by ENISA back in 2010, under the auspices of the European Commission. Its purpose is to bring together experts from national telecom security authorities from across the EU to agree on a practical and harmonised approach to the security supervision requirements in Article 13a and to agree on an efficient and effective incident reporting process.

Warna Munzebrock, a representative of Agentschap Telecom, the Dutch Radiocommunications agency, now chairs the group. The Article 13 expert group meets 3 times per year and its work and deliverables can be found in the Article 13a Expert Group portal hosted by ENISA.

Leave a comment

NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round’

Agency News, Cyber Security CII sector, Industry News

The race to protect sensitive electronic information against the threat of quantum computers has entered the home stretch.

After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology (NIST) has winnowed the 69 submissions it initially received down to a final group of 15. NIST has now begun the third round of public review. This “selection round” will help the agency decide on the small subset of these algorithms that will form the core of the first post-quantum cryptography standard.

“At the end of this round, we will choose some algorithms and standardize them,” said NIST mathematician Dustin Moody. “We intend to give people tools that are capable of protecting sensitive information for the foreseeable future, including after the advent of powerful quantum computers.”

The latest details on the project appear in the Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process (NISTIR 8309) - https://csrc.nist.gov/publications/detail/nistir/8309/final - which was published recently. NIST is asking experts to provide their input on the candidates in the report.

“We request that cryptographic experts everywhere focus their attention on these last algorithms,” Moody said. “We want the algorithms we eventually select to be as strong as possible.”

Classical computers have many strengths, but they find some problems intractable — such as quickly factoring large numbers. Current cryptographic systems exploit this difficulty to protect the details of online bank transactions and other sensitive information. Quantum computers could solve many of these previously intractable problems easily, and while the technology remains in its infancy, it will be able to defeat many current cryptosystems as it matures.

Because the future capabilities of quantum computers remain an open question, the NIST team has taken a variety of mathematical approaches to safeguard encryption. The previous round’s group of 26 candidate algorithms were built on ideas that largely fell into three different families of mathematical approaches.

“Of the 15 that made the cut, 12 are from these three families, with the remaining three algorithms based on other approaches,” Moody said. “It’s important for the eventual standard to offer multiple avenues to encryption, in case somebody manages to break one of them down the road.”

Cryptographic algorithms protect information in many ways, for example by creating digital signatures that certify an electronic document’s authenticity. The new standard will specify one or more quantum-resistant algorithms each for digital signatures, public-key encryption and the generation of cryptographic keys, augmenting those in FIPS 186-4, Special Publication (SP) 800-56A Revision 3 and SP 800-56B Revision 2, respectively.

For this third round, the organizers have taken the novel step of dividing the remaining candidate algorithms into two groups they call tracks. The first track contains the seven algorithms that appear to have the most promise.

“We’re calling these seven the finalists,” Moody said. “For the most part, they’re general-purpose algorithms that we think could find wide application and be ready to go after the third round.”

The eight alternate algorithms in the second track are those that either might need more time to mature or are tailored to more specific applications. The review process will continue after the third round ends, and eventually some of these second-track candidates could become part of the standard. Because all of the candidates still in play are essentially survivors from the initial group of submissions from 2016, there will also be future consideration of more recently developed ideas, Moody said.

“The likely outcome is that at the end of this third round, we will standardize one or two algorithms for encryption and key establishment, and one or two others for digital signatures,” he said. “But by the time we are finished, the review process will have been going on for five or six years, and someone may have had a good idea in the interim. So we’ll find a way to look at newer approaches too.”

Because of potential delays due to the COVID-19 pandemic, the third round has a looser schedule than past rounds. Moody said the review period will last about a year, after which NIST will issue a deadline to return comments for a few months afterward. Following this roughly 18-month period, NIST will plan to release the initial standard for quantum-resistant cryptography in 2022.

Leave a comment

Protecting Operational Technologes and Control Systems Against Cyber Attacks

Agency News, Cyber Security CII sector, Industry News

Cyber actors have demonstrated their willingness to conduct cyber attacks against critical infrastructure by exploiting Internet-accessible Operational Technology (OT) assets. Due to the increase in adversary capabilities and activities, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to harm to US interests or retaliate for perceived US aggressive.

Today, the National Security Agency and Cybersecurity and Infrastructure Security Agency released an advisory for critical infrastructure OT and control systems assets to be aware of current threats we observe, prioritize assessing their cybersecurity defenses and take appropriate action to secure their systems.

“Operational technology assets are pervasive and underpin many essential national security functions, as well as the Defense Industrial Base,” Anne Neuberger, Director of NSA's Cybersecurity Directorate noted. “We encourage all stakeholders to apply our joint recommendations with DHS CISA.”

“As we’ve said many times, our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them." Bryan Ware, Assistant Director for Cybersecurity, CISA. “Our goal at CISA is to lead and encourage a proactive ‘whole community’ assessment and response to significant threats and ensure we provide the right tools and services at the right time.”

NSA and CISA continue to collaborate on cybersecurity issues and share information about how to best secure National Security Systems, Department of Defense systems, and the Defense Industrial Base as well as other critical infrastructure, against foreign threats, ultimately keeping America and our allies safe.

For more detailed information, please review the joint advisory - https://us-cert.cisa.gov/ncas/alerts/aa20-205a - which includes recently observed tactics, techniques, and procedures, as well as related recommendations.

Leave a comment
1 44 45 46 47 48 51