-
2013-2023 Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy
"The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) is working across the government, collaborating with the private sector, and empowering the public to create a safe, secure, and resilient cyber environment, and to promote cybersecurity knowledge and innovation. Homeland Security Presidential Directive-7 established U.S. policy for identifying, prioritizing, and protecting the Nation's eighteen critical infrastructure/key resources (CI/KR) from terrorist attacks. The NCSD's Control Systems Security Program (CSSP) mission is to reduce risk to the Nation's critical infrastructure by strengthening control systems security through public-private partnerships. This Plan focuses on how the U.S. DHS CSSP will advance industrial control system (ICS) cybersecurity standards development in the Transportation sector over the next five years."
United States. Department of Homeland Security
Kaiser, Lisa
-
National Cybersecurity and Communications Integration Center [website]
"Information sharing is a key part of the Department of Homeland Security's (DHS) mission to create shared situational awareness of malicious cyber activity. Cyberspace has united once distinct information structures, including our business and government operations, our emergency preparedness communications, and our critical digital and process control systems and infrastructures. Protection of these systems is essential to the resilience and reliability of the nation's critical infrastructure and key resources; therefore, to our economic and national security. DHS's National Cybersecurity and Communications Integration Center (NCCIC) is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement."
United States. Department of Homeland Security
-
Critical Infrastructure Protection: Challenges in Securing Control Systems, Statement of Robert F. Dacey, Director, Information Security Issues, Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform
"Computerized control systems perform vital functions across many of our nation's critical infrastructures. For example, in natural gas distribution, they can monitor and control the pressure and flow of gas through pipelines; in the electric power industry, they can monitor and control the current and voltage of electricity through relays and circuit breakers; and in water treatment facilities, they can monitor and adjust water levels, pressure, and chemicals used for purification. In October 1997, the President's Commission on Critical Infrastructure Protection emphasized the increasing vulnerability of control systems to cyber attacks. The House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census asked GAO to testify on potential cyber vulnerabilities. GAO's [Government Accountability Office's] testimony focused on (1) significant cybersecurity risks associated with control systems; (2) potential and reported cyber attacks against these systems; (3) key challenges to securing control systems; and (4) steps that can be taken to strengthen the security of control systems, including current federal and private-sector initiatives."
United States. General Accounting Office
2003-10-01
-
Secretary Napolitano Opens New National Cybersecurity and Communications Integration Center [October 30, 2009]
"Department of Homeland Security (DHS) Secretary Janet Napolitano today opened the new National Cybersecurity and Communications Integration Center (NCCIC) -- a 24-hour, DHS-led coordinated watch and warning center that will improve national efforts to address threats and incidents affecting the nation's critical information technology and cyber infrastructure. 'Securing America's cyber infrastructure requires a coordinated and flexible system to detect threats and communicate protective measures to our federal, state, local, and private sector partners and the public,' said Secretary Napolitano. 'Consolidating our cyber and communications operations centers within the NCCIC will enhance our ability to effectively mitigate risks and respond to threats.'"
United States. Department of Homeland Security. Press Office
2009-10-30
-
Cybersecurity: Threats Impacting the Nation, Statement of Gregory C. Wilshusen, Director, Information Security Issues, Testimony Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives
"Nearly every aspect of American society increasingly depends upon information technology systems and networks. This includes increasing computer interconnectivity, particularly through the widespread use of the Internet as a medium of communication and commerce. While providing significant benefits, this increased interconnectivity can also create vulnerabilities to cyber-based threats. Pervasive and sustained cyber attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals. Accordingly, GAO [Government Accountability Office] has designated federal information security as a governmentwide high-risk area since 1997, and in 2003 expanded it to include protecting systems and assets vital to the nation (referred to as critical infrastructures). GAO is providing a statement that describes (1) cyber threats facing the nation's systems, (2) vulnerabilities present in federal information systems and systems supporting critical infrastructure, and (3) reported cyber incidents and their impacts. In preparing this statement, GAO relied on previously published work in these areas and reviewed more recent GAO, agency, and inspectors general work, as well as reports on security incidents. [...] GAO has previously made recommendations to resolve identified significant control deficiencies."
United States. Government Accountability Office
2012-04-24
-
EMR-ISAC: InfoGram, Volume 22 Issue 8, February 24, 2022
The Emergency Management and Response Information Sharing and Analysis Center's (EMR-ISAC) InfoGram is a weekly publication of information concerning the protection of critical infrastructures relevant to members of the Emergency Services Sector. This issue includes the following articles: "National Fire Incident Reporting System [NFIRS] training during NFIRS Week, March 14-18"; "New prehospital pain management guidelines published, webinar March 9"; "National 911 Program Annual Report shows states' progress toward NG911 [Next Generation 911] implementation"; "FEMA offers exercise assistance through the National Exercise Program"; "CISA [Cybersecurity and Infrastructure Security Agency]: Free cybersecurity services and tools"; "NCSC-NZ [New Zealand National Cyber Security Centre] releases advisory on cyber threats related to Russia-Ukraine tensions"; "New Sandworm Malware Cyclops Blink replaces VPNFilter"; "NIST [National Institute of Standards and Technology] issues final guidance on RPM [remote patient monitoring], telehealth security"; and "New York opens joint cybersecurity center to serve state and city needs."
Emergency Management and Response-Information Sharing and Analysis Center (U.S.)
2022-02-24
-
COVID-19 and Cybersecurity
From the Document: "State cybersecurity concerns - critical for governors under normal circumstances - have only intensified during the COVID-19 [coronavirus disease 2019] pandemic. Malicious cyber actors have a history of exploiting the confusion and fear surrounding crises, which the current pandemic offers on an unprecedented scale. State agencies, critical infrastructure sectors, and the general public are experiencing waves of COVID-themed malicious cyber activity. The mass transition to remote work environments is a challenge for state networks while increasing their cyber vulnerability, providing threat actors even more opportunity. The stakes riding on states' abilities to prevent and protect its systems, staff, and entities within the state from cyberattacks is immense. A successful cyberattack on state networks or critical infrastructure, especially healthcare facilities, would cripple its ability to respond to and recover from COVID-19."
National Guard Association of the United States
McBride, Bill
2020-04-28
-
Critical Infrastructures: Background, Policy, and Implementation, CRS Report for Congress
"Prior to September 11, critical infrastructure protection was synonymous with cyber security to many people. Consequently, much of this report discusses cyber related activities and issues. However, the terrorist attacks of September 11, and the subsequent anthrax attacks, demonstrate the need to reexamine physical protections and to integrate this into an overall critical infrastructure policy. To the extent this happens, this report will capture it. However, specific physical protections associated with individual infrastructures is beyond the scope of this report."
Library of Congress. Congressional Research Service
Moteff, John D.
2006-02-04
-
NIPP Newsletter: August/September 2008
This edition of the NIPP [National Infrastructure Protection Plan] Newsletter contains the following articles: "2008 Chemical Sector Security Summit"; "DHS [Department of Homeland Security] Prepares for National Cyber Security Awareness Month in October"; "Infrastructure Protection Office Holds First Web-based Seminar"; "Cyber Storm II Exercise Yields Significant Benefits"; "New PCII [Protected Critical Infrastructure Information] Program Materials Provide Additional Guidance for Government Partners"; "Maritime Security Risk Analysis Model Supports Risk Assessment and Resource Allocation"; and "U.S. Department of Defense Receives PCII Accreditation".
United States. Department of Homeland Security. Office of Infrastructure Protection
2008-09
-
Executive Order 13010: Critical Infrastructure Protection
Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property ("physical threats"), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures ("cyber threats"). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation. Order continues with details on establishment, membership, committee structure, and mission of the President's Commission on Critical Infrastructure Protection.
United States. Office of the Federal Register
Clinton, Bill, 1946-
1996-07-15
-
Way to Operationalize the DoD's Critical Infrastructure Protection Program Using Information Assurance Policies and Technologies
"The Department of Defense (DoD) Defense Critical Infrastructure Protection Program has recently reorganized under the Office of the Assistant Secretary of Defense for Homeland Defense under the Under Secretary of Defense for Policy. Requirements have been set forth in DoDD 3020.ff Defense Critical Infrastructure which is in final coordination and is anticipated to be published later this fiscal year. This policy states that Defense Critical Infrastructure and non-DoD infrastructures are essential to planning mobilizing deploying and sustaining military operations within the U.S. as well as globally shall be available when required. Today's Combatant Commanders do not have the ability to quickly and efficiently share information that identifies critical infrastructure assets and single points of failure to prevent physical or cyber attacks from impairing the Global Information Grid. The intent of this paper is to provide a construct to Operationalize the DoD's Critical Infrastructure Protection Program through the use of Information Assurance policies methodologies and technologies and to identify strategic implications of vulnerabilities to the Combatant Commander and supporting agencies."
Army War College (U.S.)
Friedman, Arthur R.
2005-03-18
-
Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments
"The U.S. Department of Homeland Security (DHS) National Cyber Security Division's Control Systems Security Program (CSSP) performs cyber security assessments of Industrial Control Systems (ICS) to help industry improve the security of the ICS used in critical infrastructures throughout the United States. A key part of this mission is the assessment of ICS to identify vulnerabilities that could put critical infrastructures at risk from a cyber attack. This report presents results from 15 ICS assessments performed under the CSSP from 2004 through 2008. Although information found in individual stakeholder reports is protected from disclosure, the security of the critical infrastructure as a whole can be improved by sharing information on common security problems with those in industry responsible for developing and maintaining ICS. For this reason, vulnerability information was collected, analyzed, and organized in a way that the most prevalent issues could be identified and mitigated by those responsible for individual systems without disclosing the identity of the associated ICS product. [...] This report represents a steadily growing understanding of ICS security issues and methods for mitigating current vulnerabilities as well as new technologies and approaches being developed in response to ICS security challenges. The assessment effort is expanding to new technologies as CSSP seeks a continuing understanding of the control systems being planned and deployed."
United States. Department of Homeland Security
2009-07
-
Election Infrastructure Security Resource Guide: Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security
From the Document: "Americans' confidence that their votes count--and are counted correctly--relies on secure election systems. In recent years, American citizens have become increasingly uneasy about potential threats to the Nation's election infrastructure. Cyber intrusions to voting machines and voter registration systems diminish the overall public confidence elected officials need to perform their public duties and undermine the integrity of the Nation's democratic process. If left unaddressed, system vulnerabilities will continue to threaten the stability of our Nation's democratic system. Election infrastructure security is a priority for the Cybersecurity and Infrastructure Security Agency (CISA), based in the Department of Homeland Security (DHS). As the lead agency for securing the Nation's homeland, DHS, through CISA, is responsible for maintaining public trust and confidence in America's election system. CISA works directly with election officials throughout the United States to help them protect election systems by sharing timely and actionable threat information and offering cybersecurity services to safeguard their election systems."
United States. Cybersecurity & Infrastructure Security Agency
2020-09
-
ITL Bulletin: Framework for Improving Critical Infrastructure Cybersecurity (February 2014)
"Recognizing that the national and economic security of the United States depends on the resilience of critical infrastructure, President Obama issued Executive Order (EO) 13636, 'Improving Critical Infrastructure Cybersecurity,' in February 2013. It directed National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework-based on existing standards, guidelines, and practices-for reducing cybersecurity risks. In support of this directive, the Computer Security Division (CSD) of NIST's Information Technology Laboratory (ITL) led the development of the Cybersecurity Framework. The Cybersecurity Framework provides a prioritized, flexible, repeatable, and cost-effective approach, including information security measures and controls to help owners and operators of critical infrastructure and other interested entities to identify, assess, and manage cybersecurity-related risk while protecting business confidentiality, individual privacy, and civil liberties. To enable technical innovation and account for organizational differences, the Framework does not prescribe particular technological solutions or specifications."
National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division
Stine, Kevin; Quill, Kim; Witte, Greg
2014-02
-
Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements, Report to Congressional Committees
From the GAO [Government Accountability Office] Highlights: "Cyber threats to the nation's critical infrastructure (e.g., financial services and energy sectors) continue to increase and represent a significant national security challenge. To better address such threats, NIST [National Institute of Standards and Technology] developed, as called for by federal law, a voluntary framework of cybersecurity standards and procedures. The 'Cybersecurity Enhancement Act of 2014' included provisions for GAO to review aspects of the framework. The objectives of this review were to determine the extent to which (1) SSAs [sector-specific agencies] have developed methods to determine framework adoption and (2) implementation of the framework has led to improvements in the protection of critical infrastructure from cyber threats. GAO analyzed documentation, such as implementation guidance, plans, and survey instruments. GAO also conducted semi-structured interviews with 12 organizations, representing six infrastructure sectors, to understand the level of framework use and related improvements and challenges. GAO also interviewed agency and private sector officials."
United States. Government Accountability Office
2020-02
-
President's National Security Telecommunications Advisory Committee: Satellite Taskforce Report, Fact Sheet [February 2004]
This fact sheet from the President's National Security Telecommunications Advisory Committee discusses the issues surrounding infrastructure protection for commercial satellite communications (SATCOM) systems. "In January 2003, the Director, National Security Space Architect, requested that the President's National Security Telecommunications Advisory Committee (NSTAC) consider embarking on a study of infrastructure protection measures for commercial satellite communication (SATCOM) systems. The NSTAC established the Satellite Task Force (STF) to review and assess policies, practices, and procedures for the application of infrastructure protection measures to commercial SATCOM networks used for national security and emergency preparedness (NS/EP) communications. Specifically, the STF was established to (1) review applicable documentation addressing vulnerabilities in the commercial satellite infrastructure, (2) identify potential policy changes that would bring the infrastructure into conformance with a standard for mitigating those vulnerabilities, (3) consider Global Positioning System (GPS) timing capabilities during the deliberations, (4) coordinate this response with representatives from the National Communications System (NCS) and others, and (5) draft a task force report with findings and recommendations. The STF engaged broad and active participation from representatives of NSTAC member companies, non-NSTAC commercial satellite owners and operators, commercial satellite trade associations, Government agencies, and technical experts. The task force examined all types of commercial SATCOM systems, including Fixed Satellite Service, Broadcast Satellite Service, Mobile Satellite Service, and Satellite Digital Audio Radio Service. To gain a broad understanding of vulnerabilities, the STF compared the difficulty of potential threats against the degree of susceptibility of key elements in these services, including the radio frequency links, ground segment, cyber segment, and space segment."
United States. President's National Security Telecommunications Advisory Committee
2004-02
-
NIPP News: July-August 2011
This edition of the NIPP [National Infrastructure Protection Plan] News contains the following articles: "Fifth Annual Chemical Sector Security Summit Highlights Progress in Voluntary and Regulatory Programs"; "DHS [Department of Homeland Security] Launches Cyber Risk Management Methodology"; "IP [Office of Infrastructure Protection] Continues Stakeholder Dialogue Aimed at Increasing Infrastructure Protection and Resilience"; "UASI [National Urban Areas Security Initiative] Conference Spotlights Critical Infrastructure Partnerships and Effective Information Sharing"; and "Resilient Constellation Exercise Series Focuses on Critical Infrastructure Owners and Operators".
United States. Department of Homeland Security. Office of Infrastructure Protection
2011-07
-
EMR-ISAC: InfoGram, Volume 21 Issue 48, December 9, 2021
The Emergency Management and Response Information Sharing and Analysis Center's (EMR-ISAC) InfoGram is a weekly publication of information concerning the protection of critical infrastructures relevant to members of the Emergency Services Sector. This issue includes the following articles: "IAFC [International Association of Fire Chiefs] releases update to Yellow Ribbon Report on behavioral health and wellness"; "NFPA [National Fire Protection Association] releases new NFPA 470 hazardous materials standard as part of its standards consolidation project"; "CISA [Cybersecurity and Infrastructure Security Agency] releases Infrastructure Dependency Primer to support infrastructure resilience planning"; "New virtual training on identification and treatment of sepsis in disaster settings"; "CISA and FBI release alert on active exploitation of CVE [Common Vulnerabilities and Exposures]-2021-44077 in Zoho ManageEngine ServiceDesk Plus"; "NSA [National Security Agency] guidance: Zero trust applied to 5G cloud infrastructure"; "Webinars: SLTT [state, local, tribal and territorial] feedback - the State and Local Cybersecurity Grant Program"; "SolarWinds hackers targeting government and business entities worldwide"; and "Cyberattack causes significant disruption at Colorado electric utility."
Emergency Management and Response-Information Sharing and Analysis Center (U.S.)
2021-12-09
-
Collaborating with the Private Sector
"Attacks on the nation's networks are increasing exponentially, as is a growing dependency on cyberspace. It is imperative that the nation's critical infrastructure is protected, especially telecommunications, financial systems, the water supply, electrical grids, and transportation. Currently, the private industry owns 85 percent of the nation's critical infrastructure, while the U.S. government owns only 15 percent. Thus, the U.S. government must work with the private industry to create a collaboration that will protect and defend cyberspace. Many experts emphasize the need to secure the nation's cyber domain, but also acknowledge that actually doing so will probably not occur until there is a cyber disaster, such as a cyber 9/11. The report focuses on discussing the legal barriers to collaboration between the U.S. government and the private sector. Initially, a list of over 30 bodies of law pertaining to cyberspace were compiled, but the focus was narrowed to include only those dealing specifically with collaboration. Non-legal barriers that hinder collaboration, including information-sharing, data classification, and differing motivations and culture are also addressed."
United States. Strategic Command (2002- ). Global Innovation and Strategy Center
Bartell, Frederick; Lacy, Carrie; Moraczewski, Melissa
2009-08
-
EMR-ISAC: InfoGram, Volume 22 Issue 19, May 12, 2022
The Emergency Management and Response Information Sharing and Analysis Center's (EMR-ISAC) InfoGram is a weekly publication of information concerning the protection of critical infrastructures relevant to members of the Emergency Services Sector. This issue includes the following articles: "Civil unrest: preparedness and planning resources for fire and EMS [emergency medical services] agencies"; "New mobile app brings timely counterterrorism intelligence to first responders and homeland security professionals"; "Webinar: FirstNet on communications in healthcare settings and special events"; "CISA [Cybersecurity and Infrastructure Security Agency]: Alert (AA22-131A) - Protecting Against Cyber Threats to Managed Service Providers and their Customers"; "U.S. Government attributes cyberattacks on SATCOM [satellite communication] networks to Russian state-sponsored malicious cyber actors"; "NIST [National Institute of Standards and Technology] updates cybersecurity guidance for supply chain risk management"; "Critical vulnerability exploited to 'destroy' BIG-IP appliances"; "Ransomware tracker: the latest figures [May 2022]"; and "Tenet says 'cybersecurity incident' disrupted hospital operations."
Emergency Management and Response-Information Sharing and Analysis Center (U.S.)
2022-05-12
-
Subcommittee Field Hearing: Protecting Your Personal Data: How Law Enforcement Works With the Private Sector to Prevent Cybercrime, Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, Second Session, April 16, 2014
This testimony compilation is from the Field Hearing before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies titled, "Protecting Your Personal Data: How Law Enforcement Works With the Private Sector to Prevent Cybercrime." From the witness statement of Ari Baranoff: "Advances in computer technology and greater access to personally identifiable information (PII) via the Internet have created online marketplaces for transnational cyber criminals to share stolen information and criminal methodologies. As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure. These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy. The recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals who are intent on targeting our Nation's retailers and financial payment systems." Statements, letters, and materials submitted for the record include those of the following: Patrick Meehan, Ari Baranoff, Richard P. Quinn, John J. Whelan, Frederick Peters, Thomas Litchford, and Matthew Rhoades.
United States. Congress. House. Committee on Homeland Security
2014-04-16
-
Protecting Your Personal Data: How Law Enforcement Works With the Private Sector to Prevent Cybercrime, Field Hearing Before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives, One Hundred Thirteenth Congress, Second Session, April 16, 2014
This is the April 16, 2014 testimony on "Protecting Your Personal Data: How Law Enforcement Works With the Private Sector to Prevent Cybercrime," held before the U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. From the witness statement of Ari Baranoff: "Advances in computer technology and greater access to personally identifiable information (PII) via the Internet have created online marketplaces for transnational cyber criminals to share stolen information and criminal methodologies. As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure. These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy. The recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals who are intent on targeting our Nation's retailers and financial payment systems." Statements, letters, and materials submitted for the record include those of the following: Patrick Meehan, Yvette Clarke, Mike Fitzpatrick, Ari Baranoff, Richard P. Quinn, John J. Whelan, Frederick Peters, Thomas Litchford, and Matthew Rhoades.
United States. Government Printing Office
2014-04-16
-
Cybersecurity of DER Systems Cybersecurity Training for State Commissions [presentation]
From the Presentation: "[1] 'Should Solar/DER [Distributed Energy Resources] care about cyber "now?"' [2] 'Should State Utility Commissions care about DER cyber "now?"' [3] An Example: An order of magnitude comparison[;] [4] Western Interconnection Grid (i.e. west of the Rockies)[;] [5] Loss of Palo Verde 2,000 MW [megawatt]: Largest contingency event[;] [6] Rooftop/small solar in the West: ~30,000 MW[:] [a] This represents about 65% of all solar in the West, none of which is required to follow NERC CIP [North American Electric Reliability Corporation critical infrastructure protection][;] [b] And there is no widely recognized alternative cyber compliance standard for rooftop solar/DER."
United States. Department of Energy; National Renewable Energy Laboratory (U.S.)
Miller, Jeremiah; Saleem, Danish
2022-01-27?
-
Critical Infrastructure Protection at the Local Level: Water and Wastewater Treatment Facilities
"The increasing number of Industrial Control System (ICS) vulnerabilities, coupled with continuing revelations about ICS compromises, emphasizes the importance of securing critical infrastructure (CI) against cyber threats. The ability to adversely affect the operation of an ICS through cyberspace is exacerbated by increasing use of automations and implementation of common routing protocols to communicate with control devices. Local water treatment facilities are particularly vulnerable to this attack vector due to the need to manage key functions with minimal staff. Reacting to specific cyber risks without developing a holistic method to manage risk provides only a modicum of protection. This monograph demonstrates how focusing on risk management as a mitigation strategy-not individual risks-maximizes the security efforts at the local level. Some basic IT [information technology] security practices such as access control, physical security, and operations security can be applied to ICS security. However, determining which security controls to select and evaluating their effectiveness requires a process or framework that holistically considers risk across the enterprise. A risk management framework (RMF) allows an organization to assess risk in terms of impact to overall business operation: instead of assessing risks isolated to particular divisions within the organization. The National Institute of Standards and Technology (NIST) RMF, National Infrastructure Protection Plan (NIPP) RMF, and the NIST Cybersecurity for Critical Infrastructure are three complementary frameworks water facilities can employ to facilitate risk mitigation in a cost effective way."
Army Cyber Institute, West Point
Brooks, Colin
2018-11-14
-
Methodology for Assessing Regional Infrastructure Resilience: Lessons Learned from the Regional Resiliency Assessment Program
From the Introduction: "The The [sic] Cybersecurity and Infrastructure Security Agency (CISA) has conducted thousands of critical infrastructure assessments nationwide since DHS began operations in 2003. Included among these efforts have been assessments of the resilience of regional critical infrastructure systems through the Regional Resiliency Assessment Program (RRAP). Since 2009, CISA has conducted more than 100 of these regional assessments, exploring issues related to the resilience of energy, water, transportation, communications, and other infrastructure systems in partnership with federal, state, local, tribal, and territorial stakeholders, as well as private sector owners and operators. Figure 1 provides an overview of RRAP activities and outcomes since the program's creation. The RRAP is a voluntary program that uses a structured assessment approach to build on the risk management process outlined in the 2013 'National Infrastructure Protection Plan (NIPP)' and conceptualize projects, collect data, analyze information, and present options for improving regional infrastructure resilience. CISA has learned valuable lessons while conducting this array of RRAP projects across the Nation in terms of what is required for successful regional assessments of infrastructure, what the likely challenges are in these efforts, and how strategies for collaborative engagement can enhance the value of these assessments over the long term."
United States. Cybersecurity & Infrastructure Security Agency
2021-06
-
National Critical Functions: Status Update to the Critical Infrastructure Community
From the Executive Summary: "In the Spring of 2019, the Cybersecurity and Infrastructure Security Agency (CISA), through the National Risk Management Center (NRMC), published a set of 55 National Critical Functions (NCFs) to guide national risk management efforts. Subsequent to the publication of the NCFs, the NRMC has worked closely with Sector Specific Agencies and private sector representatives of the Critical Infrastructure Partnership Advisory Council to develop a more robust understanding of critical infrastructure risk and risk management. The NCFs allow for a more robust prioritization of critical infrastructure and a more systematic approach to risk management. The NCFs effectively reset the critical infrastructure risk management framework established in the National Infrastructure Protection Plan. The previous version focused on entity level risk management as opposed to critical outcomes. By establishing a set of critical functions performed by critical infrastructure, the NCF approach enables a richer understanding of how entities come together to produce critical functions, which then contributes to understanding the key assets, systems and networks that contribute to the functions, as well as critical technologies, and dependencies that enable the function."
United States. Cybersecurity & Infrastructure Security Agency
2020-07
-
Federal Information Security Modernization Act of 2014: Annual Report to Congress, Fiscal Year 2018
From the Executive Summary: "The cybersecurity threats facing the Federal Government, and our Nation as a whole, clearly demonstrate the need for vigilance to protect the country's data and digital infrastructure. America's networks, both public and private, remain top targets of malicious actors the world over. This environment demonstrates that effective cybersecurity requires any organization -- whether a Federal agency or a public or private company -- to identify, prioritize, and manage cyber risks across its enterprise. [...] The Federal Government must continue to act to reduce the impact that cybersecurity incidents have on the Federal enterprise. Accordingly, this annual report to Congress on the implementation of the Federal Information Security Modernization Act of 2014 highlights government-wide programs and initiatives as well as agencies' progress to enhance Federal cybersecurity over the past year and into the future."
United States. Executive Office of the President; United States. Office of Management and Budget
2018-10-31
-
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions [June 20, 2013]
"For more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised. The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure. More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002."
Library of Congress. Congressional Research Service
Fischer, Eric A.
2013-06-20
-
Cyber Operations in DOD Policy and Plans: Issues for Congress [January 5, 2015]
"This report presents an overview of the threat landscape in cyberspace, including the types of offensive weapons available, the targets they are designed to attack, and the types of actors carrying out the attacks. It presents a picture of what kinds of offensive and defensive tools exist and a brief overview of recent attacks. The report then describes the current status of U.S. capabilities, and the national and international authorities under which the U.S. Department of Defense carries out cyber operations. Of particular interest for policy makers are questions raised by the tension between legal authorities codified at 10 U.S.C. [US Code], which authorizes U.S. Cyber Command to initiate computer network attacks, and those stated at 50 U.S.C., which enables the National Security Agency to manipulate and extrapolate intelligence data--a tension that Presidential Policy Directive 20 on U.S. Cyber Operations Policy manages by clarifying the Pentagon's rules of engagement for cyberspace. With the task of defending the nation from cyberattack, the lines of command, jurisdiction, and authorities may be blurred as they apply to offensive and defensive cyberspace operations. A closely related issue is whether U.S. Cyber Command should remain a sub-unified command under U.S. Strategic Command that shares assets and its commander with the NSA [National Security Agency]. Additionally, the unique nature of cyberspace raises new jurisdictional issues as U.S. Cyber Command organizes, trains, and equips its forces to protect the networks that undergird critical infrastructure. International law governing cyberspace operations is evolving, and may have gaps for determining the rules of cyberwarfare, what constitutes an 'armed attack' or 'use of force' in cyberspace, and what treaty obligations may be invoked."
Library of Congress. Congressional Research Service
Theohary, Catherine A.; Harrington, Anne I.
2015-01-05
-
Compromise of U.S. Water Treatment Facility
From the Summary: "On February 5, 2021, unidentified cyber actors obtained unauthorized access to the supervisory control and data acquisition (SCADA) system at a U.S. drinking water treatment plant. The unidentified actors used the SCADA system's software to increase the amount of sodium hydroxide, also known as lye, a caustic chemical, as part of the water treatment process. Water treatment plant personnel immediately noticed the change in dosing amounts and corrected the issue before the SCADA system's software detected the manipulation and alarmed due to the unauthorized change. As a result, the water treatment process remained unaffected and continued to operate as normal. The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system. Onsite response to the incident included Pinellas County Sheriff Office (PCSO), U.S. Secret Service (USSS), and the Federal Bureau of Investigation (FBI). The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have observed cyber criminals targeting and exploiting desktop sharing software and computer networks running operating systems with end of life status to gain unauthorized access to systems."
United States. Federal Bureau of Investigation; United States. Cybersecurity & Infrastructure Security Agency; United States. Environmental Protection Agency . . .
2021-02-05