TSA issues new cybersecurity requirements for passenger and freight railroad carriers

The Transportation Security Administration (TSA) announced a new cybersecurity security directive regulating designated passenger and freight railroad carriers. Today’s announcement demonstrates the Biden-Harris Administration’s commitment to strengthen the cybersecurity of U.S. critical infrastructure. Building on the TSA’s work to strengthen defenses in other transportation modes, this security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations.

Developed with extensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), the directive, Enhancing Rail Cybersecurity – SD 1580/82-2022-01, strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes.

“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” said TSA Administrator David Pekoske. “We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”

The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:

1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Passenger and freight railroad carriers are required to:

1. Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the passenger and freight rail carriers are utilizing to achieve the security outcomes set forth in the security directive.
2. Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.

This is the latest in TSA’s performance-based security directives; previous security directives include requirements such as reporting significant cybersecurity incidents to CISA, establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment. Through this security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment. TSA also intends to begin a rulemaking process, which would establish regulatory requirements for the rail sector following a public comment period.

To view TSA’s security directives and guidance documents, please visit the TSA cybersecurity toolkit.

Burying short sections of power lines could drastically reduce hurricanes' impact on coastal residents

Princeton researchers funded by the U.S. National Science Foundation investigated the risk of a compound hurricane-blackout-heat wave hazard occurring in the future under a business-as-usual climate scenario, using Harris County, Texas, as one example. They estimated that the risk of a hurricane-blackout-heat wave lasting more than five days in a 20-year span would increase 23 times by the end of the century.

But there is good news: Strategically burying just 5% of power lines — specifically those near main distribution points — would almost halve the number of affected residents.

"The results of this work, part of NSF's Coastlines and People Megalopolitan Coastal Transformation Hub, show the value of convergence science approaches for developing actionable solutions to society's major challenges, such as the increasing frequency of storm events," says Rita Teutonico, director of NSF's CoPe program.

Heat waves are among the deadliest types of weather events and can become even more dangerous when regions that rely on air conditioning lose power. Historically, a heat wave following a hurricane has been rare because the risk of extreme heat usually passes before the peak of the Atlantic hurricane season in late summer. As global temperatures rise, however, heat waves are expected to occur more often and hurricanes are likely to become more common and more severe, increasing the odds of hurricane-blackout-heat wave events.

"Hurricane Laura in 2020 and Hurricane Ida in 2021 both had heat waves following them after they destroyed the power distribution network," said Ning Lin, a civil and environmental engineer who led the study. "For this compound hazard, the risk has been increasing, and it is now happening."

In a new study, published in Nature Communications, Lin and co-authors looked at the risks associated with the compound hazard and how infrastructure changes could mitigate the potentially deadly effects. They combined projections of how often and when hurricanes and heat waves would strike in the future with estimates of how quickly power could be restored in areas with outages after a major storm.

The team chose Harris County — the home of Houston — as their model county because it has the highest population density of any city on the Gulf Coast. Hurricanes Harvey and Ike both walloped Houston, causing an estimated 10% of residents to lose power.

The team also considered power grid improvements that would reduce the impact of a hurricane-blackout-heat wave for residents. Burying 5% of wires near the roots of the distribution network would reduce the expected percentage of residents without power from 18.2% to 11.3%.

"Mostly, our current practice is randomly burying lines," Lin said. "By burying lines more strategically, we can be more efficient and more effective at reducing the risk."

The importance of early warning systems in disaster risk reduction

It is not enough for an early warning system to correctly identify an incoming hazard; it must also ensure that the populations and sectors at risk can receive the alert, understand it, and, most importantly, act on it.

Disasters, increasingly frequent and intense, have become a major issue requiring urgent action. In 2021, 432 catastrophic events took place, exceeding the average of 357 annual catastrophic events recorded in 2001-2020. Last year alone, 101.8 million people were affected worldwide, and the economic losses amounted to 252.1 billion US dollars.

The impacts of a disaster are often unequally distributed, affecting disproportionately the most vulnerable. These events cause a disruption in the economy and livelihoods of people, producing dramatic socio-economic downturns that hamper short-term recovery and long-term development. On this basis, the promotion of resilience to face all kinds of shocks and stresses is considered a key element for the global development agenda.

In line with this perspective, and in accordance with its mandate, the International Labour Organisation (ILO) has focused on building resilience through the promotion of employment and decent work.

In order to achieve this, the ILO works with its tripartite constituents – governments and employers’ and workers’ organizations – to develop a response to disasters that can answer immediate needs, but also deploy a long-term vision to build resilience for risk management through employment-centred measures. These include skills development, job creation through employment-intensive investments, enterprise support and business continuity management, among others.

This year, the International Day for Disaster Risk Reduction focuses on early warning systems, a fundamental element to decrease the destructive impacts of a disaster. An effective early warning is capable of saving many lives and reducing damage by 30% if activated 24 hours before the event. However, today, one-third of the world’s population, mainly in the least developed countries, is still not covered by early warning systems.

The purpose of early warning systems is to mitigate the risk produced by disasters, but these risks are compounded by the socio-economic vulnerability of the population exposed to the hazards. In this context, early warning systems must be inclusive and sensitive to the different sources of vulnerability. As indicated by the United Nations Office for Disaster Risk Reduction (UNDRR), these systems must be people-centred, end-to-end, and multi-hazard.

Early warning systems play a significant role in the world of work. By disseminating timely and accurate information regarding disaster risk, they enable preparedness action as well as a rapid response from workers, employers, and national or local authorities, and can therefore prevent human and economic losses in the workplace. For instance, farmers, pastoralists, fishers, and foresters are among the communities most at risk from disasters. Moreover, early warning systems can also play a crucial role in decent work, as part of the occupational health and safety standards in disaster-prone countries.

Early warning systems are essential to prepare and respond effectively in the short term, corresponding to the first stages of disaster management. Moreover, the implementation of such systems can also contribute to building resilience, as enhancing preparedness strengthens the capacity to recover rapidly, and reduces vulnerability.

Forest fires: €170 million to reinforce rescEU fleet

Following a record-breaking forest fire season in Europe, the Commission is proposing today €170 million from the EU budget to reinforce its rescEU ground and aerial assets starting from the summer of 2023. The rescEU transitional fleet would therefore have a total of 22 planes, 4 helicopters as well as more pre-positioned ground teams. As from 2025, the fleet would be further reinforced through an accelerated procurement of airplanes and helicopters.

Commissioner for Crisis Management Janez Lenarčič said: “Due to climate change the number of regions affected by wildfires is increasing, going beyond the traditionally affected Mediterranean countries. The last summers have clearly shown that more firefighting assets are needed at EU-level. By building up our fleet of aerial means and ground forces, the EU will be able to ensure a prompt, flexible response, including in situations where fires are burning in multiple Member States at the same time.”

Commissioner for Budget and Administration, Johannes Hahn said: “While the record-breaking forest fires this summer may have been overshadowed by other crises, today's proposal to reinforce rescEU shows that the EU budget will continue to support those in need. European solidarity across EU Member States remains strong and we are ready to support this solidarity with financial means.”

Wildfires in the EU are increasing in scope, frequency, and intensity. By 1 October, the data for 2022 reveal a 30% increase in the burnt area over the previous worst year recorded (2017) and a more than 170% increase over the average burnt area since EU-level recording started in 2006.

This season, the Emergency Response Coordination Centre received 11 requests for assistance for forest fires. 33 planes and 8 helicopters were deployed across Europe via the EU Civil Protection Mechanism, which were joined by over 350 firefighters on the ground. In addition, the EU's emergency Copernicus satellite provided damage assessment maps of the affected areas.

CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, which directs federal civilian agencies to better account for what resides on their networks.

Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices. The Biden-Harris Administration and Congress have supported significant progress by providing key authorities and resources. This Directive takes the next step by establishing baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk. While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”

CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies. Implementation of this Directive will significantly increase visibility into assets and vulnerabilities across the federal government, in turn improving capabilities by both CISA and each agency to detect, prevent, and respond to cybersecurity incidents and better understand trends in cybersecurity risk.

This Directive is a mandate for federal civilian agencies. However, CISA recommends that private businesses and state, local, tribal and territorial (SLTT) governments review it and prioritize implementation of rigorous asset and vulnerability management programs.

The new Directive can be found at Binding Operational Directive (BOD) 23-01.

Public Health Emergencies: Data Management Challenges Impact National Response

Public health emergencies evolve quickly, but public health entities lack the ability to share new data and potentially life-saving information in real-time—undermining the nation's ability to respond quickly.

To address this, the federal government must overcome three major challenges—specifically, the lack of:

- Common standards for collecting data (e.g., patient characteristics)
- "Interoperability" (meaning not all data systems work together)
- Public health IT infrastructure (the hardware, software, networks, and policies that would enable the reporting and sharing of data)

This snapshot discusses our related work and recommendations.

Public health emergencies evolve quickly, but public health entities lack the ability to share new data and potentially life-saving information in near real-time. To address this, the federal government must overcome 3 major challenges in how it manages public health data. GAO has made a number of recommendations to help address these challenges. However, many of these recommendations have not been implemented.

The Big Picture

Longstanding challenges in the federal government’s management of public health data undermine the nation’s ability to quickly respond to public health emergencies like COVID-19 and monkeypox. These challenges include the lack of:

- common data standards—requirements for public health entities to collect certain data elements, such as patient characteristics (e.g., name, sex, and race) and clinical information (e.g., diagnosis and test results) in a specific way;
- interoperability—the ability of data collection systems to exchange information with and process information from other systems; and
- public health IT infrastructure—the computer software, hardware, networks, and policies that enable public health entities to report and retrieve data and information.

Over 15 years ago, federal law mandated that the Department of Health and Human Services (HHS) establish a national public health situational awareness network with a standardized data format. This network was intended to provide secure, near real-time information to facilitate early detection of and rapid response to infectious diseases.

However, the federal government still lacks this needed network and has not yet overcome the challenges identified in previous GAO reviews. Having near real-time access to these data could significantly improve our nation’s preparedness for public health emergencies and potentially save lives.

Without the network, federal, state, and local health departments, hospitals, and laboratories are left without the ability to easily share health information in real-time to respond effectively to diseases.

GAO’s prior work identified three broad challenges to public health data management and recommended actions for improvement.

1. Common Data Standards

To ensure that information can be consistently reported, compared, and analyzed across jurisdictions, public health entities need a standardized data format. Due to the lack of common data standards, information reported by states about COVID-19 case counts was inconsistent. This in turn complicated the ability of the Centers for Disease Control and Prevention (CDC) to make comparisons. Public health representatives also noted challenges in collecting complete demographic data. This made it difficult to identify trends in COVID-19 vaccinations and the number of doses administered. Although CDC had intended to implement data standards, its strategic plan did not articulate specific actions, roles, responsibilities, and time frames for doing so.

- Recommended that HHS establish an expert committee for data collection and reporting standards by engaging with stakeholders (e.g., health care professionals from public and private sectors). This committee should review and inform the alignment of ongoing data collection and reporting standards related to key health indicators.
- Recommended that CDC define specific action steps and time frames for its data modernization efforts.

2. Interoperability among Public Health IT Systems

The inability to easily exchange information across data collection and other data systems creates barriers to data sharing and additional burdens on entities that collect and transmit data. During the early stages of COVID-19, the lack of IT system interoperability caused health officials and their key stakeholders (e.g., hospitals) to manually input data into multiple systems. In addition, some state health departments could not directly exchange information with CDC via an IT system. This led to longer time frames for CDC to receive the data they needed to make decisions on the COVID-19 response.

- Recommended that, as part of planning for the public health situational awareness network, HHS should ensure the plan includes how standards for interoperability will be used.

3. Lack of a Public Health IT Infrastructure

The timeliness and completeness of information that is shared during public health emergencies can be impeded by the absence of a public health IT infrastructure. During the early stages of COVID-19, some states had to manually collect, process, and transfer data from one place to another. For example, a state official described having to fax documents, make copies, and physically transport relevant documents. The official noted that by establishing a public health IT infrastructure, such as the network HHS was mandated to create, errors would be reduced. To help mitigate challenges in data management for COVID-19, HHS launched the HHS Protect platform in April 2020. However, we reported that public health and state organizations raised questions about the completeness and accuracy of some of the data.

- Recommended that HHS prioritize the development of the network by, in part, establishing specific near-term and long-term actions that can be completed to show progress.
- Recommended that HHS identify an office to oversee the development of the network.
- Recommended that HHS identify and document information-sharing challenges and lessons learned from the COVID-19 pandemic.

The fastest-growing port in Texas just got even safer

Mariners sailing in and around Port Freeport — the fastest-growing port in Texas — have something to celebrate.

The seaport, located outside of Houston, is now fitted with a NOAA system that improves safe and efficient marine navigation. The technology is part of a nationwide network called Physical Oceanographic Real-Time System, or PORTS®.

Freeport PORTS is the 38th system in this network of precision marine navigation sensors. The integrated series of sensors track oceanographic and meteorological conditions as they unfold around the port. This will greatly increase the navigation safety of vessels entering and exiting Port Freeport.

“Precision navigation is critical to our nation’s data-driven blue economy and helps our environment,” said NOAA Administrator Rick Spinrad, Ph.D. “The real-time information tracked by NOAA allows ships to move safely within U.S. waterways to make operations more efficient and lower fuel consumption, which also lowers carbon emissions.”

More than 30 million tons of cargo moved through Port Freeport in 2019, which supported more than 279,000 jobs nationwide, for a total economic impact of $149 billion. The new system will allow all mariners to have access to real-time water level, currents and meteorological information, helping them to better plan vessel transits and prevent accidents.

Studies prove that the NOAA PORTS program reduces shipping collisions, groundings, injuries and property damage. When a new PORTS is designed, local stakeholders determine the sensor types and location requirements to support their safety and efficiency decisions.

“This new system, and the others like them around the country, reduce ship accidents by more than 50%, and allow for larger ships to get in and out of seaports and reduce traffic delays,” said Nicole LeBoeuf, director of NOAA’s National Ocean Service. “PORTS can also provide real-time data as conditions rapidly change, giving our coastal communities time to prepare and respond.”

Newly installed current meters collect and transmit real-time current observations in waterways where those conditions can change quickly and over small distances. One current meter that is mounted on a buoy is installed along the port entrance channel to capture critical cross currents data outside of the Surfside Jetty. A second current meter is installed on a pier in the intercoastal waterway near the Surfside Bridge to collect data that will indicate the strength of currents near an important turning point for vessels coming in and out of Freeport Harbor.

The new system also integrates real-time water level and meteorological information from the NOAA Freeport Harbor National Water Level Observation Network station. That equipment is installed on a specialized single platform structure which is common in the Gulf of Mexico. Wind speed and directional data will help users plan for safe pilot boarding and ship passages during adverse weather.

Makati City becomes the second Resilience Hub in Asia-Pacific

The City of Makati in the Philippines was named the second Resilience Hub of Making Cities Resilient 2030 (MCR2030) in the Asia-Pacific region on 27 September 2022.

Makati has already been recognized as a Role Model City of the MCR 2010-2020 initiative by sharing know-how and experiences for reducing disaster risk, building urban resilience with other cities and participating in regional forums.

Under the leadership of Mayor Mar-len Abigail S. Binay, the city has adopted the principle of “Resilience is everybody’s business” across all sectors of society to manage disasters and build urban resilience in the country.

“We’re committed to continuing the journey of advocating resilience as a way of life through a Resilience Hub by collaborating with our constituents, partners and other local government units,” said Ms. Binay.

The Chief of the Regional Office for Asia and the Pacific at the United Nations Office for Disaster Risk Reduction (UNDRR), Mr. Marco Toscano-Rivalta, congratulated the Mayor, the City of Makati and its people for their vision and determination to continue strengthening disaster resilience and supporting other cities along the resilience pathway.

“Disaster risk is local, and it is at the local level where leadership, partnerships and solutions make a difference. MCR2030 is a catalyst for local action, a platform for collaboration and sharing of knowledge to localize disaster risk management and the implementation of the Sendai Framework for Disaster Risk Reduction,” said Mr. Toscano-Rivalta.

Makati, also known as a financial hub of the country, has developed a three-year plan of the Resilience Hub, which focuses on creating and building an online knowledge portal. The portal’s objective is to enhance peer-to-peer support, and disseminate risk data, information and expertise by conducting workshops, seminars and events related to strengthening urban resilience towards disaster risk reduction.

The plan also aims to improve city-to-city cooperation by working with other local governments in the Asia Pacific Region and beyond, promote synergies between cities to learn from each other and other disaster risk reduction activities, including capacity building, disaster preparedness, response and prevention.

The city is also in the process of developing the Makati Disaster Risk Reduction and Management Academy to learn from its best practices, using case studies and knowledge bases from other cities, leveraging experiences from an international group of practitioners who already participated in the initiative.

Notably, the city has continually mainstreamed and institutionalized disaster risk reduction management across all levels of the city since signing up to the MCR campaign in 2010.

As one of the pilot cities applying MCR tools, Makati held multi-sectoral annual workshops, reviewed and reassessed the city’s progress in implementing the Ten Essentials for MCR2030 through the Local Government Self-Assessment Tool.

The city was one of the first municipalities to utilize the Disaster Resilience Scorecard for Cities, which was developed through then UNISDR’s collaboration with global technology companies such as IBM and AECOM.

In 2017, the city established a resilience roadmap called the Makati Disaster Risk Reduction and Management Plan, using the now adapted Disaster Resilience Scorecard. Makati used the Disaster Resilience Scorecard for Cities - Public Health System Resilience Addendum to enhance the city’s disaster risk reduction management.

UK and allies expose Iranian state agency for exploiting cyber vulnerabilities for ransomware operations

The UK and international allies have issued a joint cyber security advisory highlighting that cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) are exploiting vulnerabilities to launch ransomware operations against multiple sectors.

Iranian-state APT actors have been observed actively targeting known vulnerabilities on unprotected networks, including in critical national infrastructure (CNI) organisations.

The advisory, published by the National Cyber Security Centre (NCSC) − a part of GCHQ − alongside agencies from the US, Australia and Canada, sets out tactics and techniques used by the actors, as well as steps for organisations to take to mitigate the risk of compromise.

It updates an advisory issued in November 2021 which provided information about Iranian APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities.

They are now assessed to be affiliated to the IRGC and are continuing to exploit these vulnerabilities, as well as the Log4j vulnerabilities, to provide them with initial access, leading to further malicious activity including data extortion and disk encryption.

Paul Chichester, NCSC Director of Operations, said:

“This malicious activity by actors affiliated with Iran’s IRGC poses an ongoing threat and we are united with our international partners in calling it out.

“We urge UK organisations to take this threat seriously and follow the advisory’s recommendations to mitigate the risk of compromise.”

The NCSC urges organisations to follow the mitigation set out in the advisory, including:

- Keeping systems and software updated and prioritising remediating known exploited vulnerabilities
- Enforcing multi-factor authentication
- Making offline backups of your data

This advisory has been issued by the NCSC, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), US Cyber Command (USCC), Department of the Treasury (DoT), the Australian Cyber Security Centre (ACSC) and the Canadian Centre for Cybersecurity (CCCS).

NSA, CISA: How Cyber Actors Compromise OT/ICS and How to Defend Against It

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory that highlights the steps malicious actors have commonly followed to compromise operational technology (OT)/industrial control system (ICS) assets and provides recommendations on how to defend against them.

“Control System Defense: Know the Opponent” notes the increasing threats to OT and ICS assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes. OT/ICS designs are publicly available, as are a wealth of tools to exploit IT and OT systems.

Cyber actors, including advanced persistent threat (APT) groups, have targeted OT/ICS systems in recent years to achieve political gains, economic advantages, and possibly to execute destructive effects. Recently, they’ve developed tools for scanning, compromising, and controlling targeted OT devices.

“Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them,” said Michael Dransfield, NSA Control Systems Defense Expert. “We’re exposing the malicious actors’ playbook so that we can harden our systems and prevent their next attempt.”

This joint Cybersecurity Advisory builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. Noting that traditional approaches to securing OT/ICS do not adequately address threats to these systems, NSA and CISA examine the tactics, techniques, and procedures cyber actors employ so that owners and operators can prioritize hardening actions for OT/ICS.

Defenders should employ the mitigations listed in this advisory to limit unauthorized access, lock down tools and data flows, and deny malicious actors from achieving their desired effects.
