Tag: Cybersecurity

Trump Administration Launches First Cybersecurity Principles for Space Technologies


The Trump Administration announced the first comprehensive cybersecurity policy for systems used in outer space and near space on Friday.

Space Policy Directive-5 (SPD-5) makes clear the lead role the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have in enhancing the nation’s cyber defenses in space, notably for the key systems used for global communications, navigation, weather monitoring, and other critical services.

“From establishing CISA in 2018 to today’s directive to protect American interests on the final frontier, President Trump is empowering the Department of Homeland Security to defend the nation against ever-evolving cyber threats,” said Acting Homeland Security Secretary Chad F. Wolf. “The security of the homeland depends upon the security of our space systems, interests, and freedom of action in space. The policy unveiled today is a critical step in establishing a baseline standard for cybersecurity as America leads in space and cyberspace alike.” 

Legacy space systems, networks, and channels may be vulnerable to malicious cyber activities that can deny, degrade, or disrupt space-systems operations or even destroy a satellite with potential cascading effects into critical infrastructure sectors. 

Building security and resilience into space systems is essential to maximizing their potential and supporting the American people, economy, and homeland security enterprise.

SPD-5 establishes the following key cybersecurity principles for space systems:

  • Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering;

  • Space system operators should develop or integrate cybersecurity plans for space systems that include capabilities to ensure operators or automated control center systems can retain or recover positive control of space vehicles, and verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they provide;

  • Space system cybersecurity requirements and regulations should leverage widely adopted best practices and norms of behavior;

  • Space system owners and operators should collaborate to promote the development of best practices and mitigations to the extent permitted by law and regulation; and

  • Space system security requirements should be designed to be effective while allowing space operators to manage appropriate risk tolerances and minimize undue burden to civil, commercial, and other non-government space system operators.

“The Department of Homeland Security looks forward to continuing to work with its partner agencies to implement these principles to help protect the American people,” Acting Secretary Wolf concluded.

For more information regarding the provisions, please visit: https://www.whitehouse.gov/wp-content/uploads/2020/09/2020SPD5.mem_.pdf

Blogs to Follow:

DHS.gov (September 2020)  Trump Administration Launches First Cybersecurity Principles for Space Technologies

CISA Releases Guide for America’s Election Administrators


Federal authorities say one of the gravest threats to the November election is a well-timed ransomware attack that could paralyze voting operations. The threat comes not only from foreign governments but from any profit-seeking criminal.

As a result, the Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Vulnerability Reporting for America’s Election Administrators. The guide walks election officials through the steps of establishing a vulnerability disclosure program.

A vulnerability disclosure program can be an effective way for an organization to benefit from outside cybersecurity expertise without having that expertise in-house.

CISA also released two new assessments and accompanying infographics: Election Infrastructure Cyber Risk and Mail-in Voting in 2020 Infrastructure Risk.

Each method of voting carries risk that election officials must manage.

These assessments and infographics are voluntary resources intended to help the Federal Government and election officials understand and manage risks to election infrastructure and operations.

“Election officials have spent years beefing up security to their systems and closing these vulnerability gaps to keep our elections safe and secure,” said CISA Director Christopher Krebs. “Cybersecurity researchers can be great and responsible partners in this effort and we are creating this guide as a way to help state and local election officials understand the support they can offer and how to work with them in our collective, whole of nation effort to protect our elections.”  

The guide aims to help election officials understand the role that the cybersecurity research community can play in helping officials keep systems secure so that the American public’s voice can be clearly heard.

The guide includes a number of best practices for improving and addressing vulnerabilities within election systems, and offers a step-by-step guide for election administrators who seek to establish a successful vulnerability disclosure program.  

An electoral process that is both secure and resilient is a vital national interest and one of CISA’s highest priorities.

CISA is committed to working collaboratively with those on the front lines of elections—state and local governments, election officials, federal partners, and vendors—to manage risks to the Nation’s election infrastructure. CISA will remain transparent and agile in its vigorous efforts to secure America’s election infrastructure from new and evolving threats.

While ultimate responsibility for administering the Nation’s elections rests with state and local governments, CISA offers a variety of free services to help states ensure both the physical security and cybersecurity of their elections infrastructure.

Additionally, election infrastructure’s critical infrastructure designation enables CISA to provide services on a prioritized basis at the request of state and local elections officials.

Blogs to Follow:

CISA.gov (August 2020) CISA RELEASES GUIDE TO VULNERABILITY REPORTING FOR AMERICA’S ELECTION ADMINISTRATORS; ELECTION INFRASTRUCTURE SECURITY

CISA RELEASES NEW STRATEGY TO IMPROVE INDUSTRIAL CONTROL SYSTEM CYBERSECURITY


The Cybersecurity and Infrastructure Security Agency (CISA) released a strategy to strengthen and unify industrial control systems (ICS) cybersecurity for a more aligned, proactive and collaborative approach to protect the essential services Americans use every day.

The strategy, Securing Industrial Control Systems: A Unified Initiative, is intended to help architects, owners and operators, vendors, integrators, researchers, and others in the ICS community “build capabilities that lead to more secure ICS operations.”

Ultimately, it strives to move CISA and the ICS community beyond reactive measures to a more proactive ICS security focus.

“In recent years, we have seen industrial control systems around the world become a target for an increasing number of capable, imaginative adversaries aiming to disrupt essential services,” said Christopher Krebs, Director of CISA. “As attackers continue trying to exploit vulnerabilities in ICS, we need to make sure we’re staying ahead of them. Together with our partners in the ICS industry and the security community, this strategy will lead us to new, unified initiatives and security capabilities that will markedly improve the way we defend and secure ICS.”

Although ICS owners and operators manage their own security, CISA’s mission is to assist through delivery of a broad portfolio of ICS security products and services, especially when exploitation may threaten people or property or undermine confidence in critical infrastructure safety and reliability.

The CISA ICS initiative is a five-year plan that builds on the collaborative work already done and the existing support CISA provides to the community.

It also elevates ICS security as a priority within CISA, coalescing CISA’s organizational attention around the implementation of a unified, “One CISA” strategy.

The initiative organizes CISA’s efforts around four guiding pillars:

Pillar 1: Ask more of the ICS Community, deliver more to them.

Pillar 2: Develop and utilize technology to mature collective ICS cyber defense.

Pillar 3: Build “deep data” capabilities to analyze and deliver information that the ICS community can use to disrupt the ICS cyber kill chain.

Pillar 4: Enable informed and proactive security investments by understanding and anticipating ICS risk.

The CISA ICS Strategy can be found at www.cisa.gov/ICS.

Blogs to Follow:

Cisa.gov (July 2020) CISA RELEASES NEW STRATEGY TO IMPROVE INDUSTRIAL CONTROL SYSTEM CYBERSECURITY

FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities in Certain Medical Devices with Bluetooth Low Energy


On Wednesday, the U.S. Food and Drug Administration informed patients, health care providers and manufacturers about a set of cybersecurity vulnerabilities, referred to as “SweynTooth,” that, if exploited, may introduce risks for certain medical devices.

SweynTooth affects the wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life. It is found in medical devices as well as in other devices, such as consumer wearables and Internet of Things (IoT) devices.

These cybersecurity vulnerabilities may allow an unauthorized user to wirelessly crash the device, stop it from working, or access device functions normally only available to the authorized user.

To date, the FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities in certain situations is publicly available. The FDA is also providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding the risks they may pose to a variety of medical devices, such as pacemakers, glucose monitors, and ultrasound devices.
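As an added illustration of the bug class behind the “crash the device” outcome described above (this is constructed example code, not code from the FDA, the chip vendors or the SweynTooth researchers): SweynTooth is a family of implementation flaws in vendors’ BLE stack firmware, triggered by link-layer packets that a conforming peer would never send. The C fragment below shows the general pattern: a parser that trusts the over-the-air length field beside a hardened version that checks the declared length against both the receive buffer and the bytes actually received. The header layout follows the Bluetooth 4.2 data channel PDU format (LLID in the low two bits of byte 0, an 8-bit length in byte 1); the 27-byte receive size, the function names and the sample frames are assumptions for this example and do not correspond to any specific affected product.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: BLE link-layer data PDU handling.  A data channel
 * PDU starts with a 2-byte header: byte 0 carries LLID (bits 0-1) plus the
 * NESN, SN and MD flags; byte 1 is the payload length (8 bits from
 * Bluetooth 4.2 onward).  RX_PAYLOAD_MAX is an assumed negotiated receive
 * size (the default when Data Length Extension is not negotiated). */
#define LL_HEADER_LEN   2
#define RX_PAYLOAD_MAX  27

typedef struct {
    uint8_t llid;
    uint8_t length;
    uint8_t payload[RX_PAYLOAD_MAX];
} ll_pdu_t;

typedef enum {
    LL_OK         = 0,
    LL_ERR_SHORT  = 1,   /* frame shorter than the header */
    LL_ERR_LLID   = 2,   /* reserved LLID value 0b00 */
    LL_ERR_LENGTH = 3    /* declared length too large or inconsistent */
} ll_status_t;

/* UNSAFE variant, shown for contrast: it trusts the length byte received
 * over the air and copies that many bytes into a fixed 27-byte buffer.  A
 * peer that sends length=255 overwrites whatever follows the struct, which
 * on a small SoC means a crash or corrupted state.  Never call this with
 * radio input; it exists here only to show the defect. */
void ll_parse_pdu_unchecked(const uint8_t *frame, ll_pdu_t *out)
{
    out->llid   = frame[0] & 0x03;
    out->length = frame[1];
    memcpy(out->payload, frame + LL_HEADER_LEN, out->length); /* no bound */
}

/* Hardened variant: the declared length must fit the buffer, must match the
 * bytes actually received, and reserved header values are rejected. */
ll_status_t ll_parse_pdu(const uint8_t *frame, size_t frame_len, ll_pdu_t *out)
{
    if (frame == NULL || out == NULL || frame_len < LL_HEADER_LEN)
        return LL_ERR_SHORT;

    uint8_t llid   = frame[0] & 0x03;
    uint8_t length = frame[1];

    if (llid == 0)                                   /* reserved LLID */
        return LL_ERR_LLID;
    if (length > RX_PAYLOAD_MAX)                     /* more than we agreed to receive */
        return LL_ERR_LENGTH;
    if ((size_t)length != frame_len - LL_HEADER_LEN) /* header lies about payload size */
        return LL_ERR_LENGTH;

    memset(out, 0, sizeof *out);
    out->llid   = llid;
    out->length = length;
    memcpy(out->payload, frame + LL_HEADER_LEN, length);
    return LL_OK;
}

/* Status-only wrapper for callers that just want accept/reject. */
ll_status_t ll_check(const uint8_t *frame, size_t frame_len)
{
    ll_pdu_t pdu;
    return ll_parse_pdu(frame, frame_len, &pdu);
}

/* Returns payload byte i of an accepted frame, or -1 if the frame is
 * rejected or i is outside the declared payload. */
int ll_payload_byte(const uint8_t *frame, size_t frame_len, size_t i)
{
    ll_pdu_t pdu;
    if (ll_parse_pdu(frame, frame_len, &pdu) != LL_OK || i >= pdu.length)
        return -1;
    return pdu.payload[i];
}

/* Constructed sample frames.  FRAME_VALID: LLID=2 (start of an L2CAP
 * message), length 4, four payload bytes.  FRAME_OVERSIZED: same payload but
 * the header claims 255 bytes.  FRAME_MISMATCH: header claims 16 bytes while
 * only 4 are present.  FRAME_BAD_LLID: reserved LLID 0. */
static const uint8_t FRAME_VALID[]     = { 0x02, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t FRAME_OVERSIZED[] = { 0x02, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t FRAME_MISMATCH[]  = { 0x02, 0x10, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t FRAME_BAD_LLID[]  = { 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };

int main(void)
{
    ll_pdu_t pdu;
    printf("valid     -> %d\n", ll_parse_pdu(FRAME_VALID, sizeof FRAME_VALID, &pdu));
    printf("payload[0] = 0x%02X, length = %u\n", pdu.payload[0], pdu.length);
    printf("oversized -> %d\n", ll_check(FRAME_OVERSIZED, sizeof FRAME_OVERSIZED));
    printf("mismatch  -> %d\n", ll_check(FRAME_MISMATCH, sizeof FRAME_MISMATCH));
    printf("bad llid  -> %d\n", ll_check(FRAME_BAD_LLID, sizeof FRAME_BAD_LLID));
    return 0;
}
```

The two checks that matter are the ones the unchecked variant lacks: the length is compared against the buffer the stack actually allocated, and against the number of bytes the radio actually delivered, so a header that disagrees with either is dropped before any copy happens. Vendor fixes for this class of bug take the same shape, but each SoC stack has its own buffer sizes and state machine, which is why the FDA directs device makers to the chip manufacturers’ patches rather than to a single generic remedy.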


“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm,” said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

The FDA is currently aware of several microchip manufacturers that are affected by these vulnerabilities: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. Their microchips may be in a variety of medical devices, such as those that are implanted in or worn by a patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps) or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices).

Medical device manufacturers are already assessing which devices may be affected by SweynTooth and are identifying risk and remediation actions. In addition, several microchip manufacturers have already released patches. For more information about the SweynTooth cybersecurity vulnerabilities, including a list of affected chips, see the DHS/CISA advisory ICS-ALERT-20-063-01, SweynTooth Vulnerabilities.

The agency is asking medical device manufacturers to communicate to health care providers and patients which medical devices could be affected by SweynTooth and ways to reduce associated risk. Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they think their medical device is not working as expected.

The FDA takes reports of vulnerabilities in medical devices very seriously and today’s safety communication includes recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities.

The FDA is recommending that manufacturers conduct a risk assessment, as described in the FDA’s cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities on medical devices they manufacture and develop risk mitigation plans.

Medical device manufacturers should work with the microchip manufacturers to identify available patches and other recommended mitigation methods, work with health care providers to determine any medical devices that could potentially be affected, and discuss ways to reduce associated risks.

The FDA will continue to assess new information concerning the SweynTooth vulnerabilities and will keep the public informed if significant new information becomes available.

Furthermore, the FDA will continue its ongoing work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to help develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle.

FDA.gov (March, 2020) FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities in Certain Medical Devices with Bluetooth Low Energy


DOD to Require Cybersecurity Certification in Some Contract Bids


By the end of September 2020, the Department of Defense (DOD) will require at least some companies bidding on defense contracts to certify that they meet at least a basic level of cybersecurity standards when responding to a request for proposals.

DOD released its new Cybersecurity Maturity Model Certification on Friday, billed by the undersecretary of defense for acquisition and sustainment as “Version 1.0.”

By June, the department plans to publish as many as 10 requests for information on contracts that include CMMC requirements, Ellen M. Lord said during a Pentagon news conference announcing the certification effort. By September, she said, the department will also publish corresponding requests for proposals that include those requirements. By fiscal year 2026, all new DOD contracts will contain the CMMC requirements, Lord said.

“I believe it is absolutely critical to be crystal clear as to what expectations for cybersecurity are, what our metrics are, and how we will audit for those expectations,” Lord said. “CMMC is a critical element of DOD’s overall cybersecurity implementation.”

Lord said cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year, she noted.

“Adversaries know that in today’s great-power competition environment, information and technology are both key cornerstones,” she said. “Attacking a sub-tier supplier is far more appealing than a prime [supplier].”

The CMMC gives the department a mechanism to certify the cyber readiness of the largest defense contractors — those at the top who win contracts are called “primes” — as well as the smaller businesses that subcontract with the primes.

The new CMMC provides for five levels of certification in both cybersecurity practices and processes.

“Something … simple in Level 1 would be, ‘Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?'” said Katie Arrington, DOD’s chief information security officer for acquisition. “CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information.”

By CMMC Level 2, Arrington said, the department will also begin looking at cybersecurity processes as well, to ensure cybersecurity is not just practiced, but that a company is effectively documenting, managing, reviewing and optimizing its practices across its entire enterprise.

Arrington said that for the roughly 10 requests for information and requests for proposals DOD expects to publish later this year for potential contracts, a mix of CMMC certification levels will be required.

“We’ll have some CMMC Level 3, CMMC Level 1, and there may be one or two with the 4 or 5 CMMC levels going out,” Arrington said.

The department will not be certifying potential defense contractors for CMMC on its own. Instead, Lord explained, a series of CMMC “third-party assessment organizations,” or C3PAOs, will conduct those assessments. The C3PAOs will also not be paid by the department, Lord said. “That’s a private transaction between industrial base companies and those certification bodies,” she added.

No C3PAOs have been designated to conduct the assessments yet, Lord said, noting that while multiple companies are interested, DOD has not yet designated who is qualified.

A newly created 13-member CMMC accreditation body, made up of members of the defense industrial base, the cybersecurity community and the academic community will oversee the training, quality and administration of the C3PAOs, Lord said.

Meanwhile, she said, the department is drafting a memorandum between DOD and the CMMC accreditation body to outline its roles, responsibilities and rules. She said one area of concern will be to ensure no conflicts of interest are involved in accreditation. For example, a C3PAO would not be able to accredit itself for CMMC.

No existing contracts with the department will have CMMC requirements inserted into them, Arrington said.

Subcontractors to a prime contractor will not all need to have the same level of CMMC certification to win a contract, Arrington said.

“Security is not one size fits all,” she added. Instead, she said, depending on how controlled unclassified information flows between those parties involved in a contract, subcontractors might need only be a CMMC Level 1 company.

CMMC will ensure a more level and fair playing field for companies bidding on DOD contracts, Arrington said. Today, she said, some small businesses bidding on work might self-attest that they meet requirements to handle certain kinds of information, but in fact only are planning to meet those requirements, while another business might actually be meeting the requirements. CMMC, she said, will ensure that only companies that actually meet requirements can compete for contracts.

“We need to make sure our industry partners are prepared to take on the work, and our third-party auditors will ensure that they are implementing the practices that we need in place to secure that national defense and our industrial base,” Arrington said.

Lord said the department is aware that CMMC requirements could be a burden to some smaller companies and that DOD is working with primes and smaller companies to help them overcome that burden.

“We need small and medium businesses in our industrial base, and we need to retain them,” she said. “We will continue to work to minimize impacts, but not at the cost of national security.”

Defense.gov (2020). DOD to Require Cybersecurity Certification in Some Contract Bids
