Tag: criticalinfrastructureprotection

Risky business or a leap of faith? A risk based approach to optimise cybersecurity certification

Agency News, Cyber Security CII sector, Industry News

The European Union Agency for Cybersecurity (ENISA) has launched a cybersecurity assessment methodology for cybersecurity certification of sectoral multistakeholder ICT systems.

The Methodology for a Sectoral Cybersecurity Assessment - (SCSA Methodology) was developed to enable the preparation of EU cybersecurity certification schemes for sectoral ICT infrastructures and ecosystems. SCSA aims at market acceptance of cybersecurity certification deployments and supports the requirements of market stakeholders and the EU Cybersecurity Act (CSA). In particular, SCSA endorses the identification of security and certification requirements based on risks associated with the “intended use” of the specific ICT products, services and processes.

The SCSA Methodology makes available to the ENISA stakeholders a comprehensive ICT security assessment instrument that includes all aspects pertinent to sectoral ICT systems and provides thorough content for the implementation of ICT security and cybersecurity certification.

While SCSA draws from widely accepted standards, in particular ISO/IEC 27000-series and ISO/IEC 15408-series, the proposed enhancements tackle multi-stakeholder systems and the specific security and assurance level requirements concerning ICT products, processes and cybersecurity certification schemes.

This is achieved by introducing the following features and capabilities:

- Business processes, roles of sectoral stakeholders and business objectives are documented at ecosystem level, overarching the ICT subsystems of the individual stakeholders. Stakeholders are invited to actively contribute to the identification and rating of ICT security risks that could affect their business objectives.
- A dedicated method associates the stakeholders’ ratings of risks with the security and assurance level requirements to dedicated ICT subsystems, components or processes of the sectoral ICT system.
- SCSA specifies a consistent approach to implement security and assurance levels across all parts of the sectoral ICT system and provides all information required by the sectoral cybersecurity certification schemes.

Benefits of the SCSA Methodology for stakeholders

The sectoral cybersecurity security assessment provides a comprehensive approach of the multi-faceted aspects presented by complex multi-stakeholder ICT systems and it features the following benefits:

- The security of a sectoral system requires synchronisation across all participating stakeholders. SCSA introduces comparability of security and assurance levels between different stakeholders’ systems and system components. SCSA enables building open multi-stakeholder ecosystems even among competitors to the benefit of suppliers and customers.
- The risk-based approach supports transparency and a sound balance between the cost for security and certification and the benefit of mitigating ICT-security-related business risks for each concerned stakeholder.
- Security measures can focus on the critical components, optimising the security architecture of the sectoral system, hence minimising cost of security.
- SCSA generates accurate and consistent information on security and certification level requirements for all relevant ICT subsystems, components or processes. On this basis, suppliers can match their products to their customers’ requirements.
- SCSA supports the integration of existing risk management tools and information security management systems (ISMS).
- Due to a consistent definition of assurance levels, the re-use of certificates from other cybersecurity certification schemes is supported.

Leave a comment , ,

UNDRR ROAMC: How disaster preparedness makes the difference when disaster hits

Agency News, Industry News

When COVID began to infiltrate the Caribbean, the World Food Programme (WFP) quickly contacted governments to find how to best help funnel cash to people left struggling to feed their families as jobs began to melt away.

For Dominica, helping rapidly digitalize the country's largely paper-based data collection and payment systems was the speediest and most effective solution, says Regis Chapman, head of office for WFP in Barbados.

Within weeks, WFP helped Dominica implement systems to more efficiently collect and analyze the data needed to determine who was eligible for payments to help ride out the pandemic.

By printing scannable QR codes on payment envelopes and asking people to sign digitally to confirm receipt, Dominica quickly created a visualization dashboard to show where and when funds were distributed.

“We're now looking at developing an information management system to better manage data on all their social protection programs, not just the public assistance program," says Chapman.

“The socio-economic aspect of COVID has been devastating. The lowest income groups are the people who are most affected and we’ve seen huge spikes in food insecurity.”

WFP’s shock responsive social protection program is one of the many in the Caribbean supported by the European Commission Humanitarian Aid Office (ECHO) which has provided $183 million in aid to the region - excluding Haiti - since 1994.

Through its DIPECHO disaster preparedness program, $50 million of those funds have targeted disaster risk reduction and community resilience programs.

Now as middle-income Caribbean countries compete with other parts of the world for increasingly tight donor funding, it is more important than ever to show how projects support communities and protect lives and livelihoods, say experts.

BLUEPRINTS

Presenting evidence of successful schemes also helps create templates that can be used in other parts of the world, says Saskia Carusi, external relations officer for the United Nations Office for Disaster Risk Reduction, Regional Office for the Americas and the Caribbean (UNDRR).

“It’s important to show how successful projects are from an accountability point of view," says Panama-based Carusi.

"But for ECHO, it’s important to show evidence that projects save lives and make a difference, and that there are still needs in the region."

The best evidence should be a combination of quantitative data showing how losses are reduced by disaster risk reduction projects, alongside qualitative examples of how schemes work on the ground, says Carusi.

Evidence should also examine whether localized, pilot projects can be rolled out in neighboring communities or even scaled up to a national level, she says.

With EU funding, UNDRR has created the dipecholac.net platform where organizations can highlight their Caribbean projects and show how they relate to the Sendai Framework for Disaster Risk Reduction 2015-2030.

It now wants organizations to upload videos, documents and infographics to the site that show how Caribbean projects have been adapted to make a difference during the pandemic and other emergencies.

For the International Federation of Red Cross and Red Crescent Societies (IFRC), the pandemic has underscored the importance of preparing Caribbean communities to deal with multiple hazards, says Marisa Clarke-Marshall, IFRC coordinator, partnerships and planning.

During the crisis, Community Disaster Response Teams (CDRTs) trained by the Red Cross with ECHO funding to deal with hazards such as hurricanes, have rapidly adapted to help communities cope with COVID, she says.

Trained primarily to conduct initial damage assessments, give first aid and coordinate immediate response, CDRTs have helped identify those most in need in their communities, and deliver cash vouchers and hygiene kits.

The CDRT project has attracted attention from major donors keen to set up similar teams elsewhere, while an ECHO-funded tool to assess risk and vulnerabilities is now used globally, she says.

HIGH-LEVEL IMPACT

Events such as November’s UNDRR co-organized VII Regional Platform for Disaster Risk Reduction in the Americas and the Caribbean provide an opportunity for both governments, multilaterals and non-profits to show which projects best helped tackle COVID while continuing to ramp up preparedness.

For UNDRR, its projects to boost Caribbean business resilience reaped dividends during the pandemic as companies adapted their continuity plans that were primarily designed to tackle climate-related crises, says Carusi.

Its EU-funded project to increase preparedness and disaster risk reduction through the Caribbean Safe Schools Initiative is now generating interest from other countries in Latin America, says Carusi.

"UNDRR’s work on policy and advocacy in the long run has a higher impact," says Carusi.

For WFP, EU funding is supporting its work with the Caribbean Disaster Emergency Agency (CDEMA) to pre-position generators, prefabricated units and other gear to help countries better prepare, save lives and reduce losses.

"A lot of what we're looking at is how do we help government systems to become more resilient," says Chapman.

"One of the region's prime ministers recently said, everybody says the Caribbean is so resilient, it's that we have to be. You have to stand up when you're knocked down and start all over again because what other choice do you have."

[Source: UNDRR]
Leave a comment , ,

CISA and FBI observe the increased use of Conti ransomware

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. (See FBI Flash: Conti Ransomware Attacks Impact Healthcare and First Responder Networks.) In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.

To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.

Technical Details

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.

Conti actors often gain initial access to networks through:

- Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links;
- Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.
- Stolen or weak Remote Desktop Protocol (RDP) credentials
- Phone calls;
- Fake software promoted via search engine optimization;
- Common vulnerabilities in external assets.

In the execution phase, actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.

Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.

According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network.

Leave a comment , , , ,

UK and US cyber security leaders meet to discuss shared threats and opportunities

Agency News, Cyber Security CII sector, Industry News

National Cyber Security Centre CEO and Director of the US Cybersecurity and Infrastructure Security Agency met in London.

Top cyber security officials from the UK and US affirmed their commitment to tackling ransomware in their first official face-to-face engagement.

Lindy Cameron, CEO of the National Cyber Security Centre – a part of GCHQ – met with Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency to discuss their organisations’ priorities, including combatting ransomware.

During their bi-lateral meeting in London they reflected on the impact of ransomware attacks this year and the need for industry collaboration to complement government’s operational efforts against ransomware.

NCSC Chief Executive Lindy Cameron said:

“It was a pleasure to host Director Easterly for our first in-person bi-lateral meeting to discuss the critical issues in cyber security today.

“Ransomware is a serious and growing security threat that cuts across borders, and it is important for us to maintain a continuing dialogue with our closest ally to tackle it.”

The issue of gender diversity was also on the agenda, with both agreeing that more needed to be done to remove barriers to entry into the profession for women and girls.

They discussed the NCSC’s CyberFirst Girls Competition, which aims to get more girls interested in cyber through fun but challenging team events for teenagers, and CISA’s ongoing commitment to expanding opportunities for young women and girls to pursue careers in cyber security and technology and closing the gender gap that exists in these fields.

The two leaders also discussed government collaboration with industry, including the NCSC’s Industry 100 scheme and CISA’s Joint Cyber Defense Collaborative.

The Industry 100 scheme has integrated public and private sector talent in the UK to pool their knowledge to tackle key cyber security issues. The Joint Cyber Defense Collaborative has similarly bought American public and private sector entities together to unify crisis action planning and defend against threats to U.S. critical infrastructure.

Leave a comment , , , ,

Electricity Grid Resilience

Agency News, Power/Energy/Oil & Gas sector

The nation’s grid delivers electricity that is essential for modern life. However, the grid faces risks from events that can damage electrical infrastructure (such as power lines) and communications systems, resulting in power outages. These outages can threaten the nation’s economic and national security.

They can also disproportionately affect low-income groups, in part because such groups have fewer resources to invest in backup generators and other measures to minimize the impact of outages.Even though most of the electricity grid is owned and operated by private industry, the federal government plays a key role in enhancing grid resilience.
• The Department of Homeland Security (DHS) is responsible for coordinating the overall federal effort to promote the security and resilience of the nation’s critical infrastructure sectors.
• The Department of Energy (DOE) leads federal efforts to support electricity grid resilience, including research and technology development by national laboratories.
• The Federal Energy Regulatory Commission (FERC) reviews and approves standards developed by the North American Electric Reliability Corporation, the federally designated U.S. electric reliability organization.

Key Issues
The electricity grid faces multiple risks that can cause widespread power outages.
Risks:
- Extreme weather and climate change
- Cyber- and physical attacks
- Electromagnetic events

In addition to the risks described in the prior page, the electric utility industry faces complex challenges and transformations, including:
• aging infrastructure;
• adoption of new technologies, such as information and communication systems
to improve the grid’s efficiency; and
• a changing mix of power generation. The traditional model of large, centralized power generators is evolving as retiring generators are replaced with variable wind and solar generators, smaller and more flexible natural gas generators, and nontraditional resources. Such resources include demand-response activities which encourage consumers to reduce their demand for electricity when the cost to generate electricity are high, and various technologies (e.g., solar panels) that generate electricity at or near where it will be used—known as “distributed generation.”

Key Opportunities
Agencies have implemented several of GAO’s recommendations for improving electricity grid resilience. For example, in March 2016, we recommended that DHS designate roles and responsibilities within the department for addressing electromagnetic risks, which DHS did in 2017. However, as of September 2021, agencies had not yet implemented a number of GAO recommendations that represent key opportunities to mitigate risks in the following areas:

- Extreme weather and climate change - Prioritize efforts and target resources effectively. Enhance grid resilience efforts. Better manage climate-related risks
- Cyberattacks - Assess all cybersecurity risks. Address risks to distribution systems Consider changes to current standards. Evaluate potential risks of a coordinated attack

Leave a comment , , ,

Panama City, FL Strengthens Critical Infrastructure for Future Disasters

Agency News, Industry News, Power/Energy/Oil & Gas sector

FEMA has approved grants of more than $4.7 million for two hazard mitigation projects for the city of Panama City to reduce its risk of critical facility failure during future disasters. Funding from FEMA’s Hazard Mitigation Grant Program (HMGP) was approved in response to a proposal by the city after Hurricane Michael in 2018.

Millville Wastewater Treatment Plant: $2,653,956 for the purchase and installation of twin permanent generators to support the critical operations of the plant. They will be connected to the main electrical transfer system by a switchgear and an underground duct bank, which provide a protected pathway for electrical transmission and allow the city to provide continued service to the community during future power outages.

Sanitary Sewer Lift Stations: $2,052,265 for Phase One in a proposed project to provide flood protection and improvements to 13 sanitary sewer lift stations within the city, including surveying, engineering, design, plan preparation, permitting and the bidding for Phase Two approval. If approved, the project proposes different mitigation actions depending on the needs and assessment of each of the 13 sites to include relocation, elevation or strengthening against storm surge and wave-action hazards.

The HMGP provides funding to help communities eliminate or reduce disaster-related damage. Following a major disaster, a percentage of a state’s total federal recovery grants is calculated to help develop more resilient communities. Florida has an Enhanced Hazard Mitigation Plan that allows more funding to be available for post-disaster resilience projects. States with the enhanced plan receive HMGP funds based on 20% of their total estimated eligible federal disaster assistance.

Leave a comment , ,

Early warning systems saving lives during Nepal’s monsoon

Agency News, Industry News, Water sector

For days leading up to the disaster, Mr. Harisaran Shrestha had been listening to warnings about floods in the Melamchi, a river that flows through the foothills of the Himalayas in central Nepal. At least one local FM radio was repeatedly broadcasting notices about the possible release of water from the reservoir of a nearby drinking-water project and urging the public to avoid river banks and to refrain from activities like fishing, sand mining, and gravel collecting.

The local police and representatives were also issuing similar warnings around the town via microphones and loudspeakers.

Owing to these forewarnings, when the flood eventually hit his hometown, Melamchi Bazar, northeast of Kathmandu in Sindhupalchowk district, in June 2021, Mr. Shrestha was better prepared to react to the deluge. “As soon as it became apparent that the flood was going to sweep the entire town, I used my bus to ferry women, children, and disabled people in the neighbourhood to a safer location,” said Mr. Shrestha.

On June 15, just an hour after the final warning from the radio and police announcement on loudspeaker, massive floods near the confluence of the Melachmi River and the Indrawati River swept through the settlements near Shrestha’s hometown, killing at least five people and destroying property worth millions of rupees. At least a dozen people remain missing more than two months after one of the worst disasters in the town's history.

Despite saving many lives, Mr. Shrestha could not save his belongings because he had underestimated the scale of the disaster. “Our home was at a considerable distance from the river. It never occurred to me that the swollen river’s waters would reach this far,” Mr. Shrestha recalled in an interview.

Now displaced by the flood, Mr. Shrestha, 38, has been living with a family of six in a temporary shelter. The river, which has changed its course, now runs through his home and farmland.

“The river took everything. Thankfully, all of us are safe,” said Mr. Shrestha.

Mr. Dev Raj Subedi, the manager of Radio Melamchi, which issued the flood warnings, said that the alerts had proved effective in saving hundreds of lives, although only a few households managed to save some of their possessions--those they could carry with them. Radio Melamchi has been ritually providing flood-related warnings to the municipality’s estimated 50,000 inhabitants for the last few years, especially after the Melamchi Drinking Water Project gathered momentum in the 2010s.

“We issued the warning as soon as a government official informed us about the flood upstream. The warning proved especially helpful in the town area, whose inhabitants had the means to access the warning. That was one of the reasons there were no deaths in the town area,” shared Mr. Subedi.

Melamchi’s case is the latest example of how the growing use of mass media and early warning systems through data collected from meteorological and hydrological stations and rainfall-runoff model is proving effective in saving lives in Nepal, which is highly susceptible to disasters, owing to its topography and its hundreds of big and small rivers.

Every year, floods and landslides wreak havoc in Nepal, leading to huge numbers of casualties and untold destruction of property. Hill settlements are particularly vulnerable to landslides and flash floods, while riverine floods routinely deluge the lowland areas bordering India.

Every year during the rainy season, hundreds of families lose their house, agricultural yield, and means of livelihood, pushing them further into poverty.

Between 13 April to 16 October in 2020, floods and landslides killed at least 337 Nepalis, wiped out thousands of houses, and destroyed property worth billions of rupees, according to an estimate by Nepal’s Ministry of Home Affairs. More than 100 people remain missing on account of those floods.

Numerous factors including the 2015 earthquake, infrastructural projects and climate change have contributed to increasing disasters, according to experts. For instance, Sindhupalchowk district, the epicenter of the 7.8 magnitude earthquake that rattled Nepal in 2015, has seen a marked increase in landslides and floods following the tragedy that killed over 9,000 people.

Mr. Bikram Shrestha Zoowa, a senior Divisional Hydrologist at the Department of Hydrology and Meteorology, in Kathmandu, said that climate-induced hazards and unplanned development are emerging as challenges in recent decades.

Examples include recent disasters such as the Setigandaki flood in Kaski, Jure landslide-Sindhupalchowk in 2014, a Glacial Lake Outburst Flood (GLOF) in Tibet immediately above the Bhotekoshi River in Sindhupalchowk in 2016; a dry landslide in the Kaligandaki Corridor after the 2015 earthquake, another GLOF in Barun valley obstructing the flow of Arun River in 2017, and numerous climate-induced landslides during the 2020 monsoon and this year, said Mr. Shrestha Zoowa.

“Human interventions such as road construction in hill slopes without considering geological studies are certainly the causes of the region’s geological fragility, which results in small and big landslides in hilly regions. This is the man-made effect in addition to earthquakes responsible for hazards.”

According to the latest Intergovernmental Panel on Climate Change report, global temperature is expected to reach or exceed 1.5 degrees Celsius of warming averaged over the next 20 years. In 2019, a landmark report

by the International Centre for Integrated Mountain Development, an intergovernmental center based in Nepal, warned that a two-degree temperature rise could melt half of the glaciers in the Hindu Kush Himalaya region, destabilising Asia’s rivers.

In recent years, to minimise loss of life and property, an increasing number of communities vulnerable to disasters have begun to integrate social media platforms--such as Facebook and Twitter--and other technologies to provide early warnings. And as with Radio Melamchi, more than 500 FM radio stations across Nepal are being used to disseminate news and timely warnings. Many other local bodies are integrating SMS text messages to provide real-time alerts for people living in disaster-prone zones.

In Kailali, a western Nepal district bordering India’s Uttar Pradesh, flood warnings through SMS alerts and phone calls have proven effective in saving lives in settlements spread along the Karnali River Basin.

“When massive floods hit our village in 2016, most of the villagers with mobile phones had received SMS alerts three hours before the disaster. Those three hours gave us ample time to save not just our lives, but also our livestock and essentials like some grains and documents,” said Ms. Sajita Tharu of Laxmipur village in Kailali district. “Thankfully, we have not faced that kind of flood in recent years but we continue to receive alerts if water rises above the danger level. That allows us to remain mentally prepared and save essentials in case the flood hits us.”

As part of the community-based early warning approach, residents living in catchment areas constantly pass on information about the water level in their area to residents of villages downstream. The community groups also get constant flood alerts from the Department of Hydrology’s regional station. The alerts--including text messages, phone calls, and information from weatherboards--are widely circulated by the members of the Community Disaster Management Committees, which were formed by programs designed to enhance the communities’ flood resilience. Most members of these user committees are women, as many working-age men migrate to India or other countries in search of jobs.

Ms. Manakala Kumari Chaudhari, the deputy mayor of Rajapur Municipality in far-western Nepal, said that the timely early warning system in his area has been instrumental in saving lives and properties. As soon as the water level rises above the danger level upstream, several people who own mobile phones in his municipality--a delta created by the Karnali River--receive warnings.

“Save for some exceptions, most locals respond to warnings and take the required safety measures. The timely alerts also provide ample time for all stakeholders to make the necessary preparations for disasters,” said Ms. Chaudhari.

Such timely warnings are critical because they provide enough time to save lives. The area is susceptible to constant floods from big rivers like the Karnali and Babai and from small streams, which are usually dry in other seasons.

In preparation for the seasonal floods, communities in western Nepal have also built community shelters, animal sheds to shelter their livestock and grain-storage facilities to save grains.

Since Nepal adopted federalism in 2015, there have been efforts at all three levels of government to embrace disaster-resilience policies. The central government, the provincial government, as well as many local governments have adopted policies related to disaster risk reduction. Recently, under the Home Ministry, the National Disaster Risk Reduction and Management Authority prepared the National Monsoon Early Preparedness and Response Work Plan

2021. However, questions remain around the implementation of these policies and the authorities’ ability to handle large-scale disasters, especially owing to their lack of resources. Moreover, growing landslides along newly constructed highways, hydropower projects and other infrastructures-- many of which were cleared after proper Environment Impact Assessment--- have reinforced the need for better policies to promote resilient infrastructure.

But overall, the early warning systems seem to be reducing the impacts of floods in many parts of Nepal. Mr. Shrestha Zoowa, the hydrologist, said that early warning systems have proven effective in saving hundreds of lives every year, especially in vulnerable settlements along big rivers such as the Karnali, Babai, Narayani, and Koshi. The data gathered from weather stations, rainfall-runoff models are disseminated in form of daily bulletins through various media platforms, while the weather forecast relies on the Weather Research and Forecasting model, an advanced numerical weather prediction framework designed for operational forecasting and atmospheric research needs.

In recent years, the Department of Hydrology and Meteorology has been working with various non-governmental organizations in developing disaster information management systems and online databases to provide real-time information to augment its early warning systems.

The Disaster Risk Reduction Portal and Nepal Government GeoPortal, among other platforms, provide information gathered from various hydro-meteorological stations in Rasuwa, Solukhumbu, Kaski, Dolpa, Humla, Dolakha, Jumla, Sankhuwasabha and Manang districts.

“For most flood events, we have effective plans, technologies, and historical information to issue timely and reliable warnings to vulnerable settlements. But we lack an effective early warning system for flash floods in the hills and for settlements along small rivers, which are highly unpredictable,” said Mr. Shrestha Zoowa.

Nepal also needs to do more to ensure that people respond to early warnings. Although many local communities are making good use of weather forecasts and flood alerts, some are unable to take advantage of the information, often because they lack the economic means and/or technical knowledge to know what to do. Often the warning messages come with technical jargon and they may not effectively relay the impact information of the disaster relevant to people’s day to day life and experience. “The early warning systems have become much better over the years but there is still a lot to be done,” said Mr. Shrestha Zoowa.

Leave a comment , , ,

The basis for safer digital finance

Cyber Security CII sector, Industry News

The transformations we are seeing in numerous fields – from energy and mobility to health care, agriculture, and financial services – all hinge on digital technologies, along with an array of associated business ecosystems. All these technologies and systems must be reliable, secure and deserving of our trust.

The Financial Inclusion Global Initiative (FIGI) is an open framework for collaboration led by the International Telecommunication Union (ITU), the World Bank Group, and the Committee on Payments and Market Infrastructures (CPMI).

Our partnership brings together the expertise to accelerate digital financial inclusion. With the support of the Bill & Melinda Gates Foundation, we have brought together the full range of stakeholders set to benefit from this expertise.

The World Bank Group and CPMI have helped to build a strong understanding of the policy considerations surrounding digital identity and incentivizing the use of electronic of payments.

ITU’s work has focused on security, infrastructure and trust – secure financial applications and services, reliable digital infrastructure, and the resulting consumer trust that our money and digital identities are safe.
No more secrets

Considering the prevalence of data breaches, the need for strong authentication is clear, with discussions in the industry often noting that “there are no secrets anymore.”

New ITU standards for a universal authenticator framework (X.1277) and client-to-authenticator protocol (X.1278) are helping overcome the security limitations of the "shared secret" approach, the basis for the widely familiar username-password model of authentication.

Users can now authenticate locally to their device using biometrics, with the device then authenticating the user online with public key cryptography. With the new standards, users are asked to authenticate locally to their device only once, and their biometric data never leaves the device. This model avoids susceptibility to phishing, man-in-the-middle attacks, or other forms of attack targeting user credentials.

FIGI engagement helped to usher these specifications, first developed by the FIDO (Fast Identity Online) Alliance, into the ITU standardization process to stimulate their adoption globally. Authentication options consistent with X.1277 and X.1278 are now supported by most devices and browsers on the market.
Fortifying a walled garden

In developing countries, digital financial services are often provided over Signalling System No.7 (SS7), a legacy network protocol standardized by ITU in the late 1970s. SS7 enables all network operators to interconnect and looks sure to remain in use for years to come.

But security was not considered in its design. SS7 was designed as a walled garden. Entry to the SS7 network was intended to be highly regulated, with only trusted network operators being granted access. But malicious actors have since found various ways to get hold of the keys, especially since some of the initial design and deployment assumptions were no longer valid with the introduction of deregulation, voice over IP, and mobile networks.

FIGI has worked to raise awareness about SS7’s security vulnerabilities and associated mitigation techniques. As the need to mitigate these vulnerabilities increases, network operators can look to ITU’s new Q.3057 standard outlining signalling requirements and architecture for interconnection between trustable network entities. This is another standard rooted in FIGI discussions.
Reliable, widely available connectivity

Trust in digital financial services is also acutely affected by the reliability and availability of connectivity. Network downtime and transaction failures resulting from dropped connections can erode the trust of consumers and merchants in digital financial services.

Investment in digital infrastructure must continue, with the industry adopting meaningful, widely accepted benchmarks for service quality. ITU standards specify the route towards reliable, interoperable network infrastructure, and they provide a wide range of tools to assess the performance and quality of the services running over this infrastructure.

FIGI highlighted the demand for service quality indicators specific to digital financial services. With the expertise on hand at ITU, we have delivered new standards describing key quality considerations for digital financial services (ITU G.1033) and a methodology to assess the quality of user experience (ITU P.1052).
Security across the value chain
Every industry player involved in providing digital financial services has to be concerned about security risks. Security is only as strong as its weakest link, and innovation in digital finance continues to extend the length and increase the complexity of the underlying value chain.

Secure digital finance calls for coordinated defences that are attuned to evolving security threats. A key FIGI report outlines the security assurance framework needed to achieve this for each actor in the digital finance value chain.

The best practices suggested by the framework could form the basis for a safer business ecosystem. They reflect the needs of everyone involved, from customers to network operators and digital finance providers, right through to third-party providers interfacing with the financial system.

[Source: ITU]
Leave a comment , , ,

FEMA Continues Ida Response and Recovery Efforts

Industry News

A week after Ida’s landfall in Louisiana, FEMA has given more than $165 million in grants to Louisiana survivors to help them begin their recovery. FEMA also received more than 13,500 National Flood Insurance Program claims from the affected states for processing.

People can help survivors and communities impacted by Hurricane Ida by donating to or volunteering with the voluntary or charitable organization of their choice, many of which are already in areas impacted by Ida and supporting survivors. Learn how to best help those in need.
Federal Actions to Support Areas Affected by Hurricane Ida

On Sept. 2, FEMA announced changes to its Individual Assistance program to better support disaster survivors by reducing the barriers to agency programs that aid underserved populations. Changes in this new policy include expanding acceptance of different forms of documentation to prove ownership or occupancy, while also expanding assistance for a disaster-caused disability.

There are eight FEMA Incident Management Assistance Teams deployed to support states affected by Hurricane Ida. Five are in Louisiana, New Jersey, New York and Pennsylvania. Seven AmeriCorps FEMA Corps teams are supporting Louisiana recovery efforts.

The National Emergency Management Association is helping facilitate additional resources to the Gulf Coast through the Emergency Management Assistance Compact. Resources from 14 states have been sent to assist with ongoing response and recovery efforts.

Commodities, equipment and personnel are working throughout the affected areas. This includes:
Disaster Survivor Assistance teams are on the ground in Louisiana providing in-person assistance in New Orleans and other parishes.

Urban Search and Rescue (US&R) teams have completed more than 39,000 structural evaluations in affected areas in Louisiana.

More than 278 ambulance crews and 30 air ambulances are deployed and working in Louisiana.

Additional ambulances and air ambulances are in Mississippi to support impacted areas.

Mobile Emergency Response Support assets, including emergency operations vehicles, are deployed to support communication needs in Louisiana and New Jersey.

The Defense Logistics Agency has been activated for fuel support and leasing of additional generators. High output generators are in Baton Rouge, La.

In Louisiana, The U.S. Army Corps of Engineers (USACE) has activated its Operation Blue Roof program for parishes approved for individual assistance. Residents can sign up for the program and complete a Right of Entry form at Blueroof.us. Residents can call toll free 1-888-ROOF-BLU (1-888-766-3258) for more information regarding this program.

USACE Temporary Emergency Power Planning and Response Teams, contractor support, and the 249th Engineer Battalion’s power generation team are mobilized in Mississippi and Louisiana to conduct power assessments and installations.

The U.S. Department of Energy authorized the Strategic Petroleum Reserve to conduct an exchange of 300,000 barrels of crude oil between fuel storage companies in Louisiana to alleviate any logistical issues of moving crude oil within areas affected by Hurricane Ida. This action will help ensure the region has access to fuel as quickly as possible as they continue their recovery.

The U.S. Department of Agriculture (USDA) approved Louisiana’s request to allow Supplemental Nutrition Assistance Program households to use their benefits to purchase prepared meals and are assisting with program flexibilities needed for mass feeding operations. USDA’s Disaster Household Distribution program was approved and will provide food packages to 800,000 survivors in 19 parishes.
The U.S. Department of Health and Human Services (HHS) deployed more than 180 medical providers and other staff from the National Disaster Medical System to support the triage and treatment of patients in Louisiana. This includes three teams that will be providing Emergency Department decompression to three hospitals in Thibodaux, Kenner and Raceland. The team in Thibodaux will begin to see patients today. A 250-bed healthcare facility federal medical station at the New Orleans Ernest Morial Convention Center began seeing patients this weekend. Patients must be referred to the station.
The station is staffed by Disaster Medical Assistance personnel and credentialed medical volunteers identified by the Louisiana Department of Health.

The Salvation Army mobilized feeding kitchens and emergency response vehicles in Albany, Baton Rouge, Hammond, Houma, and Thibodaux Gonzalez, Kenner, LaPlace, Napoleonville, New Orleans and Raceland, La. These operations can feed up to 60,000 people a day.

The American Red Cross, with the help of their partners, has provided more than 49,000 meals and snacks for survivors in the Gulf Coast. There are more than 20 Red Cross and community shelters open in affected areas in Louisiana. There are 13 shelters open in New Jersey and three in New York.

The U.S. Department of Transportation (USDOT) Federal Motor Carrier Safety Administration announced an Emergency Declaration that provides truck drivers flexibility to move critical freight to areas damaged by Ida.

Additionally, USDOT activated an Emergency Relief Docket for railroads so they can get temporary safety regulations waivers to help them speed up service to move goods necessary for emergency relief efforts.

The Federal Communications Commission is working directly with wireless carriers so that those in affected areas can roam on any available network while restoration efforts are underway.

 

Leave a comment , , ,

ICC and RESNET to Develop Standard on Remote Virtual Inspections for Energy and Water Performance in Buildings

Industry News, Water sector

The International Code Council, the leading global source of model codes and standards and building safety solutions, and RESNET, a national standards-making body for energy efficiency ratings and certification systems, will continue their long history of collaboration by developing a new American National Standards Institute (ANSI) candidate standard on remote virtual inspections (RVI) for the energy and water use performance of buildings. Previously, the two organizations have worked together to develop a new certification designation, the International Energy Conservation Code (IECC)/Home Energy Rating System (HERS) Compliance Specialist, and four other ANSI standards. Most recently, they advocated and received recognition of the Home Energy Rating System (HERS®) Index within California.

The new standard will provide guidance for implementing RVI for energy code compliance and for energy and water efficiency performance. Performance raters will be provided criteria to check all aspects of permitted construction for compliance with energy codes and other energy-related applicable laws and regulations. As a next step, a new Standard Development Committee will be formed to develop and maintain the standard with the Code Council and RESNET appointing representatives – both separately and jointly.

“Building construction is rapidly evolving and jurisdictions are being challenged to adapt,” said Mark Johnson, Executive Vice President & Director of Business Development, International Code Council. “The need for new inspection methods has been building for a while as the inspector workforce has shrunk and jurisdictions’ resources have come under financial pressure. The pandemic also increased the pressure to evolve, and quickly.”

RVI is a tool to address these problems and organizations such as the Code Council have developed guidance documents to assist code enforcement entities.

“As more code enforcement departments begin their digital transformation and adopt technologies like RVI, there needs to be standardized criteria for how it is implemented,” said Steve Baden, Executive Director, RESNET. “A national consensus standard for RVI as it applies to energy- and water-use efficiency inspections and ratings will both provide code enforcement authorities with assurance that the ratings they adopt for code compliance are reliable, as well as advance the efficiency and efficacy potentials of these new approaches to determining code compliance.”

The standard would be co-sponsored by the Code Council and RESNET and developed using RESNET’s ANSI accredited procedures as an American National Standard by ANSI. For more information on RVI, the Code Council released a whitepaper, Recommended Practices for Remote Virtual Inspections (RVI), which will be the foundation for the development of the new consensus standard.

Leave a comment , , ,
1 17 18 19 20 21 30