3 Mar 2015

Cyber is a Global Team Sport

U.S. Department of Homeland Security Science and Technology Directorate officials are helping other nations create cyber testbeds that can be linked, forming one large, international virtual laboratory for cyber systems. In addition, they already have in place bilateral agreements with a number of countries and are in discussions with France, Spain, Germany, Mexico and South Korea, which ultimately could expand international cooperation on cybersecurity research and development.
“We’ve used the phrase team sport. Cyber is a global team sport. It’s all about building partnerships and doing collaborative work to try to solve some of the problems we have in cybersecurity,” says Doug Maughan, who directs the Science and Technology (S&T) Directorate’s Cybersecurity Division.
The directorate has bilateral agreements with 13 countries. The agreements cover a range of technological areas, including chemical and biological detection, counter-explosives, border protection, maritime surveillance, cyber, first responder support and resilient systems. They essentially allow two countries to collaborate to develop and deploy technologies. For example, the United Kingdom can invest in a technology being developed in the United States or vice versa. Or, researchers in both countries can work together to develop a system.
The Cybersecurity Division currently is working on projects with nine of the 13 nations and is holding discussions with two more, New Zealand and Spain. It has more than 30 ongoing projects with Australia, Canada, the European Union, Israel, Singapore, Sweden, the Netherlands, New Zealand and the United Kingdom. The division also is working with Japan and South Korea, which have similar agreements in place through the U.S. State Department.
The Defense Technology Experimental Research (DETER) testbed is one project drawing a lot of international attention. Built in partnership with the National Science Foundation, DETER provides the necessary infrastructure networks, tools, methodologies and processes to support testing of emerging and advanced security technologies. The testbed is freely available and has more than 3,000 users in 25 countries.
“The idea behind DETER is that we want researchers doing experiments in cybersecurity, testing new ideas. We don’t want them doing that on the open Internet,” Maughan explains. The last thing officials need is a headline reading “Researcher Funded by DHS Takes Down the Internet,” he quips.
“This is an emulation and simulation environment, with even some live fire, where people can run their new ideas and new tests. It’s a 600-node infrastructure. It can be virtualized and people can do all kinds of security experiments on this testbed. It’s not as big as the Internet, but it tries to mimic the Internet in all the ways that we can,” he elaborates.
Now, Maughan’s team is working to expand DETER into an international capability. “Last year, we open-sourced the base code, and we are now working with Canada, Israel, the United Kingdom and Singapore to try to help them—using our DETER code—to stand up their own national research testbeds,” Maughan offers. “If we have systems in other countries, we can now federate these technologies together and have a testbed that is much larger than just the testbed we now have here in the United States.”
Canada has provided about $1 million in funding for the project and could have the testbed completed this year, Maughan estimates. The United Kingdom and Singapore may not be far behind. “It just depends on the priorities in their countries and their resources. We’re not providing resources to them other than giving them the code base from the DETER project,” Maughan points out.
Meanwhile, Japan partners with Cybersecurity Division officials on the Protected Repository for the Defense of Infrastructure Against Cyber Threats (PREDICT) system, which is intended to provide insights into cyber attack phenomena occurring across the Internet, as well as intelligence on the health of the Internet, including outage detection. PREDICT was initiated to assist technology developers and evaluators in need of real-world data to test the effectiveness of their technologies.
Additionally, the division works with the Netherlands Forensics Institute, which Maughan describes as a quasi-governmental organization. “In forensics, the Netherlands is the best in the world. They’re better than us,” he declares.
The Cybersecurity Division decided to fund malware analysis and memory analysis work at the institute after Secret Service officials visited the Netherlands and were impressed with what they saw. The investment satisfies requirements for the Cybersecurity for Law Enforcement program. “The deliverables will be handed back to us, and we will make them available to our law enforcement partners at the Secret Service and Immigration and Customs Enforcement,” he notes. “They were interested in having us fund the development of this work in the Netherlands because the Netherlands is ahead of us. We didn’t have anything going on, so rather than start from scratch, we’ll put money on the project in the Netherlands and get the technology quicker. That was initiated in 2014, and we expect the project to finish by the end of this year.”
The United Kingdom is the closest cybersecurity partner, Maughan indicates. “In our November meetings with the U.K., there was some discussion about adding new work to our Cybersecurity for Law Enforcement program. They just stood up, in their reorganization of the U.K. government, a new National Crime Agency [NCA]. It’s a consolidation of a lot of their federal and regional law enforcement agencies that they’re trying to coordinate and consolidate. We’re starting to work with the NCA and are looking at some long-term projects to support the law enforcement community,” he says.
Australia is another solid partner. The Cybersecurity Division funded about $1.25 million for the development of a routing security technology known as the Border Gateway Protocol Monitor (BGPmon) at Colorado State University and the University of Oregon. The Australians wanted BGPmon for their Computer Emergency Response Team and received an early version last year. “They’ve provided us some feedback, and this round they’ve come back and added about $160,000 where they want some additional capabilities added into this technology. It’s a win-win for both countries,” Maughan declares.
While all of the agreements are bilateral, some projects take on a multilateral flavor. DETER is one example, but there are others. “In several instances, we’ve ended up with two countries expressing interest in the same project. We have several where it’s us and Canada and Sweden or us and the Netherlands and Sweden. They might not be quite truly multilateral, but they have turned out to be multinational,” he states.
In addition, officials just recently initiated the first project with New Zealand. The S&T Directorate already has an agreement in place with Germany, but the two have not yet begun a cybersecurity project. “They have a different way of doing their government research, and it makes it a little bit difficult for us because of the policies for government-to-government participation. Often, their government organizations hand the execution and management of research to nongovernmental university research centers, and our lawyers don’t like that arrangement,” Maughan reveals.
The possibility of a partnership with Spain and Mexico appears more promising. “Spain has had a big turnaround in their economic activity, and they see cybersecurity as a real future for them,” Maughan states. The first meeting with Spain should occur by the end of April.
“Mexico, too, is now all of a sudden waking up to cybersecurity. We’ve only had one conversation with them,” he adds. Maughan also reveals he met with officials from the French embassy in late 2014, but the Cybersecurity Division does not yet have an agreement in place. The S&T Directorate does, however.
On average, Maughan’s team meets with their international counterparts about once a month to review progress and discuss other potential areas of participation. They were scheduled to meet with New Zealand in February and should meet with their Dutch partners next month, followed by Australia in May and Israel in June. “This allows us to help them accelerate the stand up of their research and development activities in cybersecurity. It’s also my belief that in the United States we don’t have all the best ideas either. This allows us to work with other governments to find the best ideas. It doesn’t matter where they’re coming from. We’re really just trying to find the best solutions,” he says.

http://www.afcea.org/content/?q=cyber-global-team-sport

The next big cyber attack likely will strike critical infrastructure assets in the United States, which could bring the world’s remaining superpower to its knees, according to cybersecurity experts. This would constitute a crippling assault against national assets such as power facilities, transportation networks, nuclear plants or the drinking water supply, these experts warn.
While attackers’ modus operandi of using emails to gain entry into a network might be old school, the sophistication and meticulous focus on selected targets have become ominously modern. “In general, when you look at what the adversary is doing and how they’re approaching their methodology in a breach, they’re very focused in their efforts. They will try to find ways into critical infrastructure,” says Frank Mong, vice president and general manager of Solutions, Enterprise Security Products for Hewlett-Packard Company. “However, the playbook that they use and the framework that they use is very common. An approach that an adversary would take to break into Sony Pictures, for example, is the same approach they would try with a utility [company]. The most common tool they will use is email. They will use email first, find the system administrator and try to spear phish that guy or try to get some access through that person’s credentials.”
System administrators and others with privileged access are a widely exploitable weakness once their credentials fall into the hands of hackers, who have increased the number of cyber attacks on critical infrastructure and already have targeted power facilities, traffic systems, water treatment plants and factories. The softer targets of infrastructure and businesses often are earmarked first and “present a significant vulnerability to our nation,” offers Gen. Martin E. Dempsey, USA, chairman of the Joint Chiefs of Staff. “We have authorities and capabilities that allow us to do a pretty good job of defending ourselves,” Gen. Dempsey says of military cyberdefense. “But the vulnerability of the rest of [the United States] is a vulnerability of ours, and that’s what we have to reconcile.”
The Department of Homeland Security (DHS) runs the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates cybersecurity centers in Virginia and Idaho focused on control system security as a component of the National Cybersecurity and Communications Integration Center (NCCIC). ICS-CERT “works to reduce risks within and across all critical infrastructure sectors by forming a partnership with law enforcement agencies and the intelligence community and coordinating efforts among federal, state, local and tribal governments and control system owners, operators and vendors,” says Marty Edwards, its director. “Additionally, ICS-CERT collaborates with international and private-sector computer emergency response teams to share control systems-related security incidents and mitigation measures.” Analysts provide round-the-clock cyber situational awareness and incident response, often conducting on-site visits when requested to discern how a company was breached.
“One of the things I think ICS-CERT has done is try to organize together intelligence around malware that’s relevant” for all entities within the critical infrastructure community, Mong says. “They have a distinct purpose. Their goal is to at least be an early warning to the industry about problems that could have a broad implication if they are not addressed quickly. The question becomes how well are they making their voice heard to the relevant folks. I think their content is actually meaningful.”
The lack of information sharing has hamstrung progress and continues to present a key challenge for the DHS across the board, not just amid the critical infrastructure community, offers Rob Roy, federal chief technology officer with HP Enterprise Security Products. “The concept of threat sharing among government agencies and between the public and private sector is lacking. It’s a huge challenge there. In the private sector, there are the fears that releasing certain pieces of information to the government or to somebody within their own industry could provide information for potential lawsuits,” Roy says. “The concept of liability is very real. Lawyers within organizations are going to be very protective.”
President Barack Obama recently opened a door with proposed legislation that would include language for increased information sharing between government and industry. “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism,” the president said during his State of the Union address in January.
In October, the DHS issued an alert that malware called BlackEnergy, designed to target critical energy infrastructure, had infected industrial critical infrastructure systems. “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware,” reads a portion of the alert. “Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).”
Attackers might use old-school email scams, but with tailor-made precision that enables the malware to differentiate between a retail business, for example, and a power plant, Mong says. “The malware that you see, like a BlackEnergy malware, targets very specific types of devices that would normally be used in a critical infrastructure environment.”
ICS-CERT has averaged about 250 reports of incidents each year over the past two years, Edwards says. “Any time ICS-CERT assists an organization with a cyber incident, ICS-CERT focuses on understanding the threat and initial infection vector so that tailored mitigation strategies can be applied to harden their networks and prevent future infections from occurring.”
The Advanced Analytical Laboratory (AAL) examines malware threats and provides analysis to support discovery, forensics and recovery efforts. An AAL survey of data in fiscal 2013 showed that phishing or spear-phishing attacks made up 21 of the 73 investigated incidents. Though the difference between the two is subtle, spear-phishing attempts typically appear to come from organizations closely related to the target, such as particular companies with which employees interact on a regular basis. The hackers’ emails are sent to groups with common interests, jobs or characteristics. Phishing attempts are broader and more general and look like they come from financial institutions, social media sites or the prince of an African nation looking to give away millions of his relatives’ money.
Among the 16 critical infrastructure sectors in fiscal 2013, energy had the highest number of ICS-CERT responses to specific cybersecurity threats, with 56 percent of the 257 threats; critical manufacturing had the second highest, with 15 percent. The 16 sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
The fiscal 2015 budget for the DHS is $60.9 billion. Of that tally, the department wants to earmark $1.25 billion for overarching cybersecurity activities. More precisely, the department wants to allocate $67.5 million for cybersecurity/information analysis research and development in the science and technology directorate and $8.5 million to establish a voluntary program and an enhanced cybersecurity services capability to support the administration’s Improving Critical Infrastructure Cybersecurity executive order.
The department’s cybersecurity effort is not just a reactive endeavor. For example, in fiscal 2013, the program enabled more than 5,000 downloads and distribution of the Cybersecurity Evaluation Tool and trained 639 professionals on control system security best practices. The ICS-CERT conducts free training courses, performs assessments, provides alerts and advisories, conducts incident response activities and performs technical analysis of malware, artifacts and vulnerabilities. “These services are free to asset owners or operators of critical infrastructure as well as for those that support the network defense and protection of control systems,” Edwards says. Working with ICS-CERT is completely voluntary and at the request of the organization. Additionally, Edwards says, ICS-CERT takes proactive measures to raise awareness of threats through briefings, outreach, assessments, training and information products, and it works at a tactical level to provide guidance to specific organizations that might be targeted by malicious activity.
“The adversary is an ecosystem,” Mong concludes. “It’s very hard for us to pinpoint a specific actor, and what we find is that the threat actors have organized, and they’re working together. So whether they’re cybercriminal gangs to nation-states or hacktivists, they’re all collaborating and are very specialized. Some are very good at doing certain things, and they can sell that specialization to somebody else with a particular intent or a particular project or plan. We’re talking an entire marketplace, an entire ecosystem of highly specialized, highly talented people who have the ability to do lots of different things.”
http://www.afcea.org/content/?q=critical-infrastructure-cyberterrorism%E2%80%99s-next-likely-target
The next big cyber attack likely will strike critical infrastructure assets in the United States, which could bring the world’s remaining superpower to its knees, according to cybersecurity experts. This would constitute a crippling assault against national assets such as power facilities, transportation networks, nuclear plants or the drinking water supply, these experts warn.
While attackers’ modus operandi of using emails to gain entry into a network might be old school, the sophistication and meticulous focus on selected targets have become ominously modern. “In general, when you look at what the adversary is doing and how they’re approaching their methodology in a breach, they’re very focused in their efforts. They will try to find ways into critical infrastructure,” says Frank Mong, vice president and general manager of Solutions, Enterprise Security Products for Hewlett-Packard Company. “However, the playbook that they use and the framework that they use is very common. An approach that an adversary would take to break into Sony Pictures, for example, is the same approach they would try with a utility [company]. The most common tool they will use is email. They will use email first, find the system administrator and try to spear phish that guy or try to get some access through that person’s credentials.”
System administrators and those with privileged access pose a widely exploitable weakness to networks if infiltrated by hackers, who have increased the number of cyber attacks on critical infrastructure and already have targeted power facilities, traffic systems, water treatment plants and factories. The softer targets of infrastructure and businesses often are earmarked first and “present a significant vulnerability to our nation,” offers Gen. Martin E. Dempsey, USA, chairman of the Joint Chiefs of Staff. “We have authorities and capabilities that allow us to do a pretty good job of defending ourselves,” Gen. Dempsey says of military cyberdefense. “But the vulnerability of the rest of [the United States] is a vulnerability of ours, and that’s what we have to reconcile.”
From the Department of Homeland Security (DHS) spawns the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates cybersecurity centers in Virginia and Idaho to focus on control system security as a component of the National Cybersecurity and Communications Integration Center (NCCIC). ICS-CERT “works to reduce risks within and across all critical infrastructure sectors by forming a partnership with law enforcement agencies and the intelligence community and coordinating efforts among federal, state, local and tribal governments and control system owners, operators and vendors,” says Marty Edwards, its director. “Additionally, ICS-CERT collaborates with international and private-sector computer emergency response teams to share control systems-related security incidents and mitigation measures.” Analysts provide a round-the-clock cyber situational awareness and incident response, often conducting on-site visits when requested to discern how a company was breached.
“One of the things I think ICS-CERT has done is try to organize together intelligence around malware that’s relevant” for all entities within the critical infrastructure community, Mong says. “They have a distinct purpose. Their goal is to at least be an early warning to the industry about problems that could have a broad implication if they are not addressed quickly. The question becomes how well are they making their voice heard to the relevant folks. I think their content is actually meaningful.”
The lack of information sharing has hamstrung progress and continues to present a key challenge for the DHS across the board, not just amid the critical infrastructure community, offers Rob Roy, federal chief technology officer with HP Enterprise Security Products. “The concept of threat sharing among government agencies and between the public and private sector is lacking. It’s a huge challenge there. In the private sector, there are the fears that releasing certain pieces of information to the government or to somebody within their own industry could provide information for potential lawsuits,” Roy says. “The concept of liability is very real. Lawyers within organizations are going to be very protective.”
President Barack Obama recently opened a door with proposed legislation that would include language for increased information sharing between government and industry. “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism,” the president said during his State of the Union address in January.
In October, the DHS issued an alert that malware called BlackEnergy, designed to target critical energy infrastructure, had infected industrial critical infrastructure systems. “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware,” reads a portion of the alert. “Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).”
Attackers might use old-school email scams, but with tailor-made precision that enables the malware to differentiate between a retail business, for example, and a power plant, Mong evokes. “The malware that you see, like a BlackEnergy malware, targets very specific types of devices that would normally be used in a critical infrastructure environment.”
ICS-CERT has averaged about 250 reports of incidents each year over the past two years, Edwards says. “Any time ICS-CERT assists an organization with a cyber incident, ICS-CERT focuses on understanding the threat and initial infection vector so that tailored mitigation strategies can be applied to harden their networks and prevent future infections from occurring.”
The Advanced Analytical Laboratory (AAL) examines malware threats and provides analysis to support discovery, forensics and recovery efforts. An AAL survey of data in fiscal 2013 showed that phishing or spear-phishing attacks made up 21 of the 73 investigated incidents. Though the difference between the two is subtle, spear-phishing attempts typically come from organizations closely related to the target, such as particular companies with which employees interact on a regular basis. The hackers’ emails are sent to groups with common interests, jobs or characteristics. Phishing attempts appear more broad or general and look like they come from financial institutions, social media sites or the prince of an African nation looking to give away millions of his relatives’ money.
Among the 16 critical infrastructure sectors in fiscal 2013, energy had the highest number of ICS-CERT responses to specific cybersecurity threats, with 56 percent of the 257 threats; critical manufacturing had the second highest, with 15 percent. The 16 sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
The fiscal 2015 budget for the DHS is $60.9 billion. Of that tally, the department wants to earmark $1.25 billion for overarching cybersecurity activities. More precisely, the department wants to allocate $67.5 million for cybersecurity/information analysis research and development in the science and technology directorate and $8.5 million to establish a voluntary program and an enhanced cybersecurity services capability to support the administration’s Improving Critical Infrastructure Cybersecurity executive order.
The department’s cybersecurity effort is not just a reactive endeavor. For example, in fiscal 2013, the program enabled more than 5,000 downloads and distribution of the Cybersecurity Evaluation Tool and trained 639 professionals on control system security best practices. The ICS-CERT conducts free training courses, performs assessments, provides alerts and advisories, conducts incident response activities and performs technical analysis of malware, artifacts and vulnerabilities. “These services are free to asset owners or operators of critical infrastructure as well as for those that support the network defense and protection of control systems,” Edwards says. Working with ICS-CERT is completely voluntary and at the request of the organization. Additionally, Edwards says, ICS-CERT takes proactive measures to raise awareness of threats through briefings, outreach, assessments, training and information products, and it works at a tactical level to provide guidance to specific organizations that might be targeted by malicious activity.
“The adversary is an ecosystem,” Mong concludes. “It’s very hard for us to pinpoint a specific actor, and what we find is that the threat actors have organized, and they’re working together. So whether they’re cybercriminal gangs to nation-states or hacktivists, they’re all collaborating and are very specialized. Some are very good at doing certain things, and they can sell that specialization to somebody else with a particular intent or a particular project or plan. We’re talking an entire marketplace, an entire ecosystem of highly specialized, highly talented people who have the ability to do lots of different things.”
- See more at: http://www.afcea.org/content/?q=critical-infrastructure-cyberterrorism%E2%80%99s-next-likely-target#sthash.bIjmaUeO.dpuf
The next big cyber attack likely will strike critical infrastructure assets in the United States, which could bring the world’s remaining superpower to its knees, according to cybersecurity experts. This would constitute a crippling assault against national assets such as power facilities, transportation networks, nuclear plants or the drinking water supply, these experts warn.
While attackers’ modus operandi of using emails to gain entry into a network might be old school, the sophistication and meticulous focus on selected targets have become ominously modern. “In general, when you look at what the adversary is doing and how they’re approaching their methodology in a breach, they’re very focused in their efforts. They will try to find ways into critical infrastructure,” says Frank Mong, vice president and general manager of Solutions, Enterprise Security Products for Hewlett-Packard Company. “However, the playbook that they use and the framework that they use is very common. An approach that an adversary would take to break into Sony Pictures, for example, is the same approach they would try with a utility [company]. The most common tool they will use is email. They will use email first, find the system administrator and try to spear phish that guy or try to get some access through that person’s credentials.”
System administrators and those with privileged access pose a widely exploitable weakness to networks if infiltrated by hackers, who have increased the number of cyber attacks on critical infrastructure and already have targeted power facilities, traffic systems, water treatment plants and factories. The softer targets of infrastructure and businesses often are earmarked first and “present a significant vulnerability to our nation,” offers Gen. Martin E. Dempsey, USA, chairman of the Joint Chiefs of Staff. “We have authorities and capabilities that allow us to do a pretty good job of defending ourselves,” Gen. Dempsey says of military cyberdefense. “But the vulnerability of the rest of [the United States] is a vulnerability of ours, and that’s what we have to reconcile.”
From the Department of Homeland Security (DHS) spawns the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates cybersecurity centers in Virginia and Idaho to focus on control system security as a component of the National Cybersecurity and Communications Integration Center (NCCIC). ICS-CERT “works to reduce risks within and across all critical infrastructure sectors by forming a partnership with law enforcement agencies and the intelligence community and coordinating efforts among federal, state, local and tribal governments and control system owners, operators and vendors,” says Marty Edwards, its director. “Additionally, ICS-CERT collaborates with international and private-sector computer emergency response teams to share control systems-related security incidents and mitigation measures.” Analysts provide a round-the-clock cyber situational awareness and incident response, often conducting on-site visits when requested to discern how a company was breached.
“One of the things I think ICS-CERT has done is try to organize together intelligence around malware that’s relevant” for all entities within the critical infrastructure community, Mong says. “They have a distinct purpose. Their goal is to at least be an early warning to the industry about problems that could have a broad implication if they are not addressed quickly. The question becomes how well are they making their voice heard to the relevant folks. I think their content is actually meaningful.”
The lack of information sharing has hamstrung progress and continues to present a key challenge for the DHS across the board, not just amid the critical infrastructure community, offers Rob Roy, federal chief technology officer with HP Enterprise Security Products. “The concept of threat sharing among government agencies and between the public and private sector is lacking. It’s a huge challenge there. In the private sector, there are the fears that releasing certain pieces of information to the government or to somebody within their own industry could provide information for potential lawsuits,” Roy says. “The concept of liability is very real. Lawyers within organizations are going to be very protective.”
President Barack Obama recently opened a door with proposed legislation that would include language for increased information sharing between government and industry. “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism,” the president said during his State of the Union address in January.
In October, the DHS issued an alert that malware called BlackEnergy, designed to target critical energy infrastructure, had infected industrial critical infrastructure systems. “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware,” reads a portion of the alert. “Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).”
Attackers might use old-school email scams, but with tailor-made precision that enables the malware to differentiate between a retail business, for example, and a power plant, Mong says. “The malware that you see, like a BlackEnergy malware, targets very specific types of devices that would normally be used in a critical infrastructure environment.”
ICS-CERT has averaged about 250 reports of incidents each year over the past two years, Edwards says. “Any time ICS-CERT assists an organization with a cyber incident, ICS-CERT focuses on understanding the threat and initial infection vector so that tailored mitigation strategies can be applied to harden their networks and prevent future infections from occurring.”
The Advanced Analytical Laboratory (AAL) examines malware threats and provides analysis to support discovery, forensics and recovery efforts. An AAL survey of data in fiscal 2013 showed that phishing or spear-phishing attacks made up 21 of the 73 investigated incidents. Though the difference between the two is subtle, spear-phishing emails typically appear to come from organizations closely related to the target, such as particular companies with which employees interact on a regular basis, and are sent to groups with common interests, jobs or characteristics. Phishing attempts are broader and more generic, and look like they come from financial institutions, social media sites or the prince of an African nation looking to give away millions of his relatives’ money.
Among the 16 critical infrastructure sectors in fiscal 2013, energy had the highest number of ICS-CERT responses to specific cybersecurity threats, with 56 percent of the 257 threats; critical manufacturing had the second highest, with 15 percent. The 16 sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
The fiscal 2015 budget for the DHS is $60.9 billion. Of that tally, the department wants to earmark $1.25 billion for overarching cybersecurity activities. More precisely, the department wants to allocate $67.5 million for cybersecurity/information analysis research and development in the Science and Technology Directorate and $8.5 million to establish a voluntary program and an enhanced cybersecurity services capability to support the administration’s Improving Critical Infrastructure Cybersecurity executive order.
The department’s cybersecurity effort is not just a reactive endeavor. For example, in fiscal 2013, the program recorded more than 5,000 downloads and distributions of the Cybersecurity Evaluation Tool and trained 639 professionals on control system security best practices. ICS-CERT conducts free training courses, performs assessments, provides alerts and advisories, conducts incident response activities and performs technical analysis of malware, artifacts and vulnerabilities. “These services are free to asset owners or operators of critical infrastructure as well as for those that support the network defense and protection of control systems,” Edwards says. Working with ICS-CERT is completely voluntary and at the request of the organization. Additionally, Edwards says, ICS-CERT takes proactive measures to raise awareness of threats through briefings, outreach, assessments, training and information products, and it works at a tactical level to provide guidance to specific organizations that might be targeted by malicious activity.
“The adversary is an ecosystem,” Mong concludes. “It’s very hard for us to pinpoint a specific actor, and what we find is that the threat actors have organized, and they’re working together. So whether they’re cybercriminal gangs to nation-states or hacktivists, they’re all collaborating and are very specialized. Some are very good at doing certain things, and they can sell that specialization to somebody else with a particular intent or a particular project or plan. We’re talking an entire marketplace, an entire ecosystem of highly specialized, highly talented people who have the ability to do lots of different things.”
- See more at: http://www.afcea.org/content/?q=critical-infrastructure-cyberterrorism%E2%80%99s-next-likely-target#sthash.bIjmaUeO.dpuf