Stood up last October, the Analysis and Resilience Center for Systemic Risk (ARC), a nonprofit organization based in Arlington, Virginia, helps to protect the nation’s infrastructure by assessing the endemic cybersecurity risks to the critical energy, financial and other private sectors. A 2013 executive order identified some assets, on which the U.S. government relies but which reside in the private sector, that if compromised by cyber attack could have a catastrophic impact on national security.
This week, the cybersecurity arm of the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, known as CISA, held a virtual exercise and preparedness event with Major League Baseball’s (MLB's) Cactus League. The event aimed to boost physical security and cybersecurity at training, practices and games this spring in Arizona, CISA reported.
U.S. adversaries are trying to take control of cyberspace as a medium, resulting in implications to our freedom of maneuver and access in cyberspace, says Brig. Gen. Gregory Gagnon, USAF, director of Intelligence (A2), Headquarters Air Combat Command (ACC), Joint Base Langley-Eustis. Increasing cyberspace activity is coming from China, Russia, Iran and North Korea.
“We are seeing it not just in volume, but we are seeing an expansion in the ways that they use cyberspace, whether it is to steal information, whether it is to directly influence our citizens or whether it is to disrupt critical infrastructure,” Gen. Gagnon reports. The general spoke at the AFCEA Tidewater chapter’s recent monthly virtual luncheon.
Multiple decades of research have focused on building more secure and resilient systems by incorporating defensive techniques into computer systems. Such techniques range from enforcement-based defenses that apply some invariant to the execution of code on a machine to randomization-based defenses that enhance a system’s resiliency to attacks by creating uncertainty, diversity or dynamism in the internals of the system. Such defenses have evolved to address increasingly sophisticated attacks that bypass previous defensive technologies and minimize security-related overheads.
Leland Stanford Junior University, Stanford, California, was awarded a $30,114,182 cost reimbursement contract for a research project to study the securing of our national internet infrastructure using measurement, control, and verification for closed-loop control of networks, also known as the Pronto project. The Pronto project will research the creation and deployment of a network, to include 5G, under verifiable closed-loop control as an exemplar for others in government, industry, and education to replicate. Work will be performed in Stanford, California (17%); Menlo Park, California (68%); Ithaca, New York (8%); and Princeton, New Jersey (7%), with an expected completion date of May 2023.
To deter attempts to disable U.S. electrical utilities and to defend nuclear weapon systems from evolving technological threats, Sandia National Laboratories has begun two multiyear initiatives to strengthen U.S. responses.
Monitoring global lightning strikes could help detect cyber attacks on the U.S. electrical grid, according to Georgia Institute of Technology researchers who have a patent pending to do just that.
Lightning strikes roughly 3.5 million times per day on average. Each and every strike creates an electrical path miles tall that emits a very low frequency radio signal. Those signals bounce off the upper atmosphere and can be detected virtually anywhere in the world, explains Morris Cohen, an associate professor in the Georgia Tech School of Electrical and Computer Engineering.
The Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency, known as CISA, is charged with coordinating the protection of America’s critical infrastructure from cyber as well as physical attacks. Director Christopher Krebs recently released the agency’s top operational priorities. CISA, which was created in November 2018, will initially tackle supply chain risks, election security and industrial control system security, among other measures, according to the document, Cybersecurity and Infrastructure Security Agency: Strategic Intent.
The water and wastewater treatment industry is facing cybersecurity threats. The risks affect the sector disproportionately compared to other utilities, given local-level water processing operations.
Along with physically securing its critical infrastructure, the water industry has to leverage available tools to protect against cyber attacks, an expert says.
The growing interconnection among the elements of the critical infrastructure may hold the key to safeguarding it against an increasingly sophisticated threat picture. Many elements of the critical infrastructure depend on each other, and securing them in a coordinated endeavor holds promise for combatting adversaries who are targeting it on a daily basis.
A 2018 exercise developed by the Army Cyber Institute at West Point and hosted by the city of Houston provided participants with a full view of potential critical infrastructure crises while also offering a path to security and resiliency. Known as the Jack Voltaic 2.0 Cyber Research Project, the exercise exposed critical infrastructure issues to 200 participants from 44 organizations.
Officials with the U.S. Defense Department and Department of Homeland Security recently signed a memorandum of understanding outlining a partnership that will allow the Defense Department to take a greater role in sharing intelligence and proactively defending the nation’s critical infrastructure, including next week’s mid-term election.
The Defense Department’s unique role in assessing foreign threats means that it often has information that could benefit the other departments and agencies, the defense industrial base and others with a role in defending the nation’s critical infrastructure.
The Defense Information Systems Agency, or DISA, is applying both traditional and innovative infrastructure protection methods to its worldwide networking for U.S. defense installations. In some cases, conventional methods can hold services together. But in others, especially with cross-border telecommunications, DISA must secure its commercial connectivity without the benefit of the authorities inherent in a host country agency.
New ways of commercial networking widen the threat picture. Variety is the spice of vulnerability as networks evolve with innovative approaches. Having the right information for a network architecture is vital to moving information across global ranges, according to DISA officials.
President Donald Trump’s recent call for a U.S. Space Force that would potentially be on par with the Army, Navy, Marine Corps, Air Force and Coast Guard shows a renewed recognition of the importance of space. This presidential proclamation has been met with varying responses. Regardless of one’s position on the topic, it begs for a discussion that is long overdue. The Commission to Assess U.S. National Security Space Management and Organization, often referred to as the Rumsfeld Commission, put into place more than 17 years ago a solid set of findings and recommendations on national space policy. Some of the recommendations have been adopted, while others have fallen by the wayside for a variety of reasons.
U.S. Secretary of Energy Rick Perry today announced a request for proposals potentially worth up to $1.8 billion for the development of at least two new exascale supercomputers, to be deployed at U.S. Department of Energy (DOE) National Laboratories in the 2021-2023 timeframe. Among other benefits, the systems will help nuclear security, a major piece of the nation’s critical infrastructure.
Within the next 12 months, a fledgling program at the U.S. Department of Homeland Security will likely begin transitioning cybersecurity technologies to the finance sector in an effort to shore up the nation’s critical infrastructure. Technologies developed under the program ultimately could be made available to other sectors.
The U.S. infrastructure increasingly shows signs of aging, posing a threat to essential services. These conditions put the United States at a crossroads. Governments at all levels, working with the private sector, can either design the infrastructure of the future—one that will intelligently support community services and resident needs for decades to come—or continue to apply just-in-time repairs to the strained system.
The United States cannot adequately secure its entire critical infrastructure. The infrastructure is too broad and complex. Much of it consists of highly vulnerable legacy software running older supervisory control and data acquisition (SCADA) systems. But the nation can take steps to address vulnerabilities in key areas and mitigate losses in others.
Europe is taking on several socio-technological initiatives, including developing a digital single market and tackling consumer financial services reform. Add the need to balance privacy concerns and safeguards across 28 member countries of the European Union, and it may seem like a tall order for policy makers to help strengthen information security.
Enter the European Union Agency for Network and Information Security, the European Union’s cybersecurity agency known as ENISA. The agency, founded in 2004, equips the European Union (EU) to prevent, detect and respond to cybersecurity problems.
Although universities can be part of larger cyber attacks as unwitting victims like any other organization or enterprise, the institutions are distinguished by a collegial nature that renders them vulnerable. Academia has a more open atmosphere and a mindset of research and collaboration, making universities an enticing cyber target even for adversaries such as nation-states.
A new project headed by Lawrence Livermore National Laboratory aims to use microgrid resources to boost the electric grid’s ability to bounce back more rapidly from blackouts or cascading outages, such as those following major storms or earthquakes.
In less than three years, researchers will attempt to demonstrate the potential of distributed energy resources, including the energy produced by solar panels on homes, to help restore power to the grid from scratch, an effort commonly known as a black start. The black start process is now done manually using special generators that can provide power to slowly bring other generators back online.
On September 29, 2017, 3e Technologies International Incorporated, Rockville, Maryland, was awarded a $16,163,099 modification to a previously awarded cost-plus-fixed-fee, firm-fixed-price contract (N00174-16-C-0046) to exercise option year one for continued implementation of a facilities critical infrastructure control and monitoring system interface to the Navy Virtual Perimeter Monitoring System that will allow for monitoring and control of critical facility infrastructure for potential operating hazards or intrusions.
With the Internet of Things promising—or perhaps threatening—to connect many more millions of devices, experts from industry, government and the military are urging action.
The critical infrastructure covers a lot of territory, including banking and finance, gas and oil, health care, agriculture, water distribution, transportation, communication, law enforcement and emergency services. Many outdated and poorly secured computers, experts say, operate a great deal of that infrastructure. Additionally, commercial or private entities own the vast majority of the infrastructure, meaning that government has little authority to protect it.
The U.S. federal government has not yet told state-level election officials whether their election systems were hacked by the Russians.
— George Seffers (@gseffers) September 7, 2017
A cyber strike may not be the most effective deterrent against adversaries, Tom Bossert, assistant to the president for homeland security and counterterrorism, National Security Council, told the audience at the 2017 Intelligence and National Security Summit in Washington, D.C.
If a “bad actor” is engaging in increasingly unacceptable behavior, he said, “I think what we’ll have to do is punch him in a way that’s real-world and not cyber-world.” Deterrent actions will be “commensurate with the expense” and also will be done in such a way that it will not “create a long-term escalatory posture.”
The U.S. government is expanding and enhancing training on how to protect the nation’s critical infrastructure from both cyber and physical attacks.
For more than a decade, the U.S. Department of Homeland Security (DHS) has offered a wide array of free training programs to government and private-sector infrastructure owners and operators. Critical infrastructure provides the essential services that underpin American society and serves as the backbone of the nation’s economy, security and health. It includes defense, transportation, finance, communications and other sectors.
Now that Donald Trump has become the 45th president of the United States, he will be exposed to the nation’s soft underbelly: cybersecurity. Given rapid advancements in information and communication technologies, continued coupling of the digital domain with the physical world and advanced persistent threats, critical infrastructure protection poses a major challenge for the United States.
This is where the president should focus his efforts. But is either the Department of Homeland Security or the Defense Department the right agency for cyber protection?
When we think about critical infrastructure, specifically the sectors the Department of Homeland Security has deemed essential to the wellbeing of the country, rarely does the idea center on public networking assets to support critical infrastructure. But a rapid transformation of network technology and security improved processes so that agencies now can take advantage of combined public and private networking to accomplish information technology goals.
U.S. military and civilian experts on protecting critical infrastructure control systems debated whether a cyber attack on common information systems or on industrial control systems would be more deadly in response to an audience question at the AFCEA TechNet Asia-Pacific conference in Honolulu.
The Department of Homeland Security’s Critical Infrastructure Security and Resilience (CISR) month serves as a reminder to not only understand, but appreciate, the various critical infrastructure sectors that play vital roles in the national and economic security of the United States. As a veteran of the telecom industry, my focus is to support those network infrastructure centers underlying these sectors. How do we improve networking capabilities within these sectors, not only addressing today’s complicated requirements, but allowing for continued innovation?
Discussions about the nation’s critical infrastructure usually focus on aging networks, some more than 50 years old. A most stunning fact was highlighted in a recent Government Accountability Office report, which revealed some Defense Department control systems still use 8-inch floppy disks to store data related to nuclear operations.
Efforts to increasingly digitize networks that run the nation’s critical infrastructure enterprises also are boosting attack surfaces and vulnerabilities in an enduring cybersecurity contest in which hackers target those weaknesses with an elevated furor, experts admonished during a panel discussion on the issue.
The strongest assembled securities available today can’t fully safeguard the nation’s critical infrastructure assets. But the good news is that these vulnerabilities are front and center on official radars and primed for increased attention. For starters, the Department of Homeland Security (DHS) has designated November as Critical Infrastructure Security and Resilience (CISR) month.
AFCEA TechNet Augusta 2016
The SIGNAL Magazine Online Show Daily, Day 2
Quote of the Day:
“There isn’t a warfighting function that isn’t impacted by cyber, so securing, operating and defending the Army portion of the DODIN is a core warfighting capability.” —Ronald Pontius, deputy to the commanding general, U.S. Army Cyber Command and Second Army
On day two of the AFCEA TechNet Augusta conference, cyber experts from across the military and industry openly and bluntly discussed the challenges of cybersecurity.
When a hacker talks about a novel way to disrupt the power grid, people listen. At least that was the case on day two of the AFCEA TechNet Augusta conference taking place in Augusta, Georgia.
Shawn Wells, chief security strategist, public sector, Red Hat Inc., who was once busted—and then hired—by the NSA for breaking into the networks at Johns Hopkins University, said he recently learned at a Department of Energy cyber conference about a creative technique hackers used to mess with power distribution.
Wells did not specify when the attack took place.
A more diverse group of players is generating a growing threat toward all elements of the critical infrastructure through cyberspace. New capabilities have stocked the arsenals of cybermarauders, who now are displaying a greater variety of motives and desired effects as they target governments, power plants, financial services and other vulnerable sites.
But concerns come from not just evolving and future threats. Malware already in place throughout critical infrastructure elements around the world might be the vanguard of massive and physically destructive cyber attacks launched on the say-so of a single leader of a nation-state. Physical damage already has been wrought upon advanced Western industrial targets.
Imagery captured from unmanned aerial vehicles (UAVs) can be up to 10 times less expensive than from manned aircraft or satellites, prompting government agencies and private farmers alike to investigate using the economical method to scan miles and miles, from power lines for infrastructure maintenance to railroads for servicing or acres of farmland for precision agriculture.
The topic of critical infrastructure protection has been around for decades. In May 1998, President Bill Clinton issued Presidential Decision Directive (PDD)-63 on the subject of critical infrastructure protection. This represented a decision formally recognizing that key elements of our national infrastructure were critical to national security, the economic vibrancy of the United States and the general well-being of our citizenry. The PDD further highlighted the necessary actions to preserve and ensure the continuity of these critical infrastructures. In the wake of the terrorist attacks of September 11, 2001, President George W.
3e Technologies International Inc., Rockville, Md., is being awarded a $9,861,065 modification to a previously awarded contract to design, develop, implement, test, deliver and install a functional and efficient facilities critical infrastructure control and monitoring system to increase infrastructure readiness and optimize critical systems, including energy and other systems. This SBIR Phase III extension effort is to integrate the technologies and concepts established under previous Phase I, II and III tasks with new and more advanced technologies and concepts. The Naval Surface Warfare Center, Indian Head, Md., is the contracting activity.
3e Technologies International Incorporated, Rockville, Maryland, is being awarded a $9,923,241 contract for the design, development, integration, testing and implementation of a critical infrastructure sensor network at government sites for the Naval Surface Warfare Center, Corona Division. Work will be performed in Commander, Naval District Washington. Naval Surface Warfare Center, Port Hueneme Division, Port Hueneme, California, is the contracting activity.
3e Technologies International Incorporated, Rockville, Maryland, is being awarded a $9,408,612 contract modification to design, develop, implement, test, deliver, and install a functional and efficient facilities critical infrastructure control and monitoring system to increase infrastructure readiness. This requirement is for Facilities Critical Infrastructure Control and Monitoring System to extend current Navy Virtual Perimeter Monitoring System capabilities for Naval District Washington.
Booz Allen Hamilton Incorporated, Herndon, Virginia, is being awarded a $9,861,872 firm-fixed-price contract for the Survivability/Vulnerability Information Analysis Center to perform research and development in order to complete/deliver critical infrastructure facilities assessments to determine infrastructure vulnerability and survivability profile reports, critical infrastructure gap scenarios, and total life cycle management technology analysis reports. Enterprise Sourcing Group, Offutt Air Force Base, Nebraska, is the contracting activity.
Booz Allen Hamilton Incorporated, Herndon, Virginia, is being awarded three contracts. The first is a $24,966,507 cost-plus-fixed-fee, indefinite-delivery requirements contract to perform research and development in order to complete and deliver the "Emerging Leading-Edge Technological Advancement of Intelligence Surveillance Recon Capabilities Report", "Tactics, Techniques, and Procedures Report" and wargame/exercise lessons learned reports. These deliverables will be used to ultimately increase the situational awareness and survivability of the warfighter by helping them to better identify battlefield threats.