<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Brian Lozada, Author at Security Current</title>
	<atom:link href="/author/brian-lozada/feed/" rel="self" type="application/rss+xml" />
	<link>/author/brian-lozada/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:15:20 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Brian Lozada, Author at Security Current</title>
	<link>/author/brian-lozada/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 5</title>
		<link>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-5/</link>
					<comments>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-5/#respond</comments>
		
		<dc:creator><![CDATA[Brian Lozada]]></dc:creator>
		<pubDate>Tue, 01 Mar 2016 16:07:34 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16411</guid>

					<description><![CDATA[<p>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be&#8230;</p>
<p>The post <a href="/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-5/">An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 5</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.</div>
<p><strong>Review of the first four installments</strong></p>
<p>In the first article in this series, I addressed the growing possibility of cyberwarfare. Many cyber experts are debating the notion of whether a cyber war against our nation is a possibility in the near future and, thus, are preparing for it in the event it should occur. <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part One</a></p>
<p>In the second article in this series, I more closely examined evolving threats, the challenges of cyberwarfare and the key adversaries the United States faces on the digital battlefield. As these threats grow, so does the need for a solution to protect our nation’s critical infrastructure. <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part Two</a></p>
<p>In the third article in this series, I reviewed past initiatives to secure the nation&#8217;s critical infrastructure, including the Obama Administration’s 2013 executive order. The order set out to improve the cybersecurity of the nation’s critical infrastructure through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned critical infrastructures. <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-three">Read Part Three</a></p>
<p>In the fourth article in this series, I broke down the framework and assessed its pros and cons. Although not a “quick fix” because it must be tailored to meet the needs of each organization, the framework is unique in that it is a bottom-up approach. It ensures that all organizations within both the public and private sectors are internally prepared for a cyber-attack and that the cybersecurity risk management approaches in place are well aligned with the organization’s business model. <a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-four">Read Part Four</a></p>
<h3><strong>Conclusion</strong></h3>
<p>While we have yet to truly see cyberwarfare develop on a larger scale, almost every conflict currently taking place around the world is being fought simultaneously in cyberspace in some capacity.</p>
<p>This is just the tip of the iceberg for cyberterrorism. The world has yet to see the cyber equivalent of a 9/11 attack. President Obama’s prioritization of cyber security within our national defense through the <em>Framework for Improving Critical Infrastructure Cybersecurity</em> is just the first of many important steps needed to heighten awareness of the imminent cyber threats against the United States.</p>
<p>The private sector, which owns and/or controls most of our nation’s critical infrastructure, needs to invest in awareness programs that target critical operations based on risks that have been identified through a risk assessment process. These risk assessments should be conducted with guidance from the homeland security community, as well as with targeted information that has been shared by the intelligence community.</p>
<p>However, additional steps are still needed in order to ensure the most effective tactics are being employed to defend the nation in the event of cyberwarfare. The time to act is now, considering that technology is constantly evolving and advancing.</p>
<p>Working partnerships between the homeland security enterprise and the high-tech private industries need to become a priority so that both sides can collaborate to counter the threats of the ever-changing terrorist landscape in the cyber arena. The private sector is needed to help identify, remediate and mitigate the cyber threats that are currently facing our nation. Without these partnerships, cyberterrorists will continue to have the advantage.</p>
<p>If cyberterrorists take advantage of the lack of communication between the private sector and the homeland security community and tailor an attack that cripples our nation’s response efforts, the impact would be significant. That risk could be managed with proper information and resource sharing and partnerships between the private sector and the homeland security community.</p>
]]></content:encoded>
					
					<wfw:commentRss>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-5/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 4</title>
		<link>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-4/</link>
					<comments>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-4/#respond</comments>
		
		<dc:creator><![CDATA[Brian Lozada]]></dc:creator>
		<pubDate>Wed, 17 Feb 2016 16:58:35 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16429</guid>

					<description><![CDATA[<p>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken&#8230;</p>
<p>The post <a href="/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-4/">An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 4</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part One</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part Two</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-three">Read Part Three</a></p>
<p>In my last article, I reviewed past initiatives to secure the nation’s critical infrastructure, including the Obama Administration’s 2013 executive order. For this installment, I will break down the framework and assess its pros and cons.</p>
<p><strong>Framework for Improving Critical Infrastructure Cybersecurity</strong></p>
<p>Since the implementation of President Obama’s executive order in 2013, a framework of best practices in identifying and responding to cyber-attacks has been developed.</p>
<p>The <em>Framework for Improving Critical Infrastructure Cybersecurity</em> was issued on February 12, 2014, to supplement existing business and cybersecurity operations within the public and private sectors.</p>
<p>Through the implementation of the <em>Framework</em>, businesses are able to identify gaps in their organizations’ cybersecurity practices by following a set of proposed guidelines to protect their cyber networks, as well as processes to protect civil liberties at the same time.</p>
<p>In addition, the <em>Framework</em> enhances interoperability by providing a common language through which government and private sector stakeholders can communicate to address and manage cybersecurity risks in the most effective ways. This common language is also used amongst independent stakeholders who are responsible for the delivery of essential critical infrastructure services (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">National Institute of Standards and Technology, 2014</a>).</p>
<p>The <em>Framework</em> consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The first part, the Core, consists of “a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles” (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">pg. 4</a>).</p>
<p>The Core also includes five concurrent and continuous functions (identify, protect, detect, respond, and recover) to manage cybersecurity risks that span the life cycle of an organization. The second part, the Profile, assists the organization in aligning its cybersecurity activities with “its business requirements, risk tolerances, and resources” (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">pg. 11</a>).</p>
<p>The Profile consists of two concepts: the Current Profile of an organization, which indicates the current cybersecurity outcomes, and the Target Profile of an organization, which indicates the outcomes needed to achieve the desired cybersecurity risk management goals (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">National Institute of Standards and Technology, 2014</a>).</p>
<p>The final part of the <em>Framework</em>, the Implementation Tiers, provides a tool for organizations to understand their individualized approaches to managing cybersecurity risks. Each Tier, ranging from Partial (Tier 1) to Adaptive (Tier 4), denotes the level of sophistication in cybersecurity risk management that the organization exhibits.</p>
<p>The level is determined based on a variety of characteristics, including how privacy and civil liberty protection is considered in regard to the management of cybersecurity risk and response tactics.</p>
<p>Based on the <em>Framework</em>, organizations are to identify their current tier, as well as their desired tier, in an effort to determine how to improve their risk management initiatives to reduce cybersecurity risk to critical assets. To improve their approach, organizations are encouraged to seek external guidance from federal government agencies (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">National Institute of Standards and Technology, 2014</a>).</p>
<p>The <em>Framework for Improving Critical Infrastructure Cybersecurity</em> (2014) is the first step that the nation is taking in order to better prepare for the debilitating effects of a potential cyber-attack on the national critical infrastructure.</p>
<p>The <em>Framework</em> is unique in that it is a bottom-up approach, ensuring that all organizations within both the public and private sectors are internally prepared for a cyber-attack and that the cybersecurity risk management approaches in place are well aligned with the organization’s business model.</p>
<p>In addition, the <em>Framework</em> is the first step in creating unified guidelines and a common language in regard to cybersecurity that allow for more effective communication and information sharing amongst all stakeholders to better prepare for, respond to, and recover from a cyber-attack.</p>
<p>Working from the inside out will not only provide guidance for individual organizations, but will also, in turn, improve the security and resilience of the national critical infrastructure as a whole.</p>
<p>Just as with any initiative, the <em>Framework</em> will need to be tailored to meet the individual needs of each organization that seeks to implement it; therefore, it is not a quick-fix or “a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure” (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">pg. 2</a>).</p>
<p>However, when implemented accordingly, the <em>Framework</em> will be successful in reducing and better managing cybersecurity risks and prioritizing the safeguarding of activities that are essential to critical service delivery within an organization. Further, the <em>Framework</em> will continue to be updated, improved, and developed as the nation’s cyber threat landscape continues to evolve and technology continues to advance, thereby creating a “living document” that will change as the industry evolves (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">National Institute of Standards and Technology, 2014</a>).</p>
<p>In the final installment for this series, I will draw final conclusions about its effectiveness in preparing organizations for the possibility of cyberwar.</p>
]]></content:encoded>
					
					<wfw:commentRss>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-4/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 3</title>
		<link>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-3/</link>
					<comments>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-3/#respond</comments>
		
		<dc:creator><![CDATA[Brian Lozada]]></dc:creator>
		<pubDate>Tue, 12 Jan 2016 17:57:35 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16449</guid>

					<description><![CDATA[<p>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be&#8230;</p>
<p>The post <a href="/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-3/">An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 3</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part One</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part Two</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-four">Read Part Four</a></p>
<p>In the second article, I more closely examined these evolving threats, the challenges of cyberwarfare and the key adversaries the United States faces on the digital battlefield. In this installment, I will review past initiatives to secure the nation&#8217;s critical infrastructure, including the Obama Administration’s 2013 executive order.</p>
<p><em>Part Three</em></p>
<p><strong>Past Initiatives to Protect the Nation’s Critical Infrastructure</strong></p>
<p>In President George W. Bush’s 2003 <em>National Strategy to Secure Cyberspace</em>, he identified the Department of Justice and the Federal Bureau of Investigation (FBI) as the two government agencies given the responsibility of leading “the national effort to investigate and prosecute cybercrime” (<a href="https://www.fbi.gov/about-us/investigate/cyber/addressing-threats-to-the-nations-cybersecurity-1">FBI</a>).</p>
<p>The FBI, however, has a dual role in that it is expected to “prevent harm to national security as the nation’s domestic intelligence agency” and “enforces laws as the nation’s principal law-enforcing agency” (<a href="https://www.fbi.gov/about-us/investigate/cyber/addressing-threats-to-the-nations-cybersecurity-1">FBI</a>). Because of this double responsibility, the FBI is able to handle cybersecurity threats to the nation that stem from any source, whether from nation-states, terrorist organizations or criminal enterprises.</p>
<p>In the same year, Bush issued the <em>National Security Presidential Directive 54/Homeland Security Presidential Directive 23</em>, which created the Comprehensive National Cybersecurity Initiative (CNCI), a formal effort to further protect federal government systems from cyber threats and attacks.</p>
<p>In 2004, the Department of Homeland Security formed the National Cyber Security Division (NCSD) to partner with government, industry, and academia to further safeguard the nation from such attacks.</p>
<p>The NCSD collaborates with other members of the U.S. Intelligence Community to formulate strategies and tactics, including the Cybersecurity Preparedness program and the National Cyber Alert System, to use in preventing and responding to the growing threat of cyberattacks on the nation (<a href="http://www.fairobserver.com/article/cyber-terrorism-war-and-defense-new-phase-international-relations">Kraft, 2012</a>).</p>
<p>President Obama revised the <em>National Security Presidential Directive 54</em> in May 2009 and appointed an Executive Branch Cybersecurity Coordinator in the White House; this appointment ensured that the Executive Branch would have a responsibility to work closely with both local and state governments to foster a unified response to cyber incidents, as well as to improve cyber-related information sharing amongst all levels of government and the private sector.</p>
<p>In May 2011, an <em>International Strategy for Cyberspace</em> was issued to state the nation’s intentions of continued deterrence of “malicious actors” who seek to disrupt internet networks. In addition, Obama announced legislative proposals intended to improve cybersecurity initiatives within the private sector (<a href="http://www.fairobserver.com/article/cyber-terrorism-war-and-defense-new-phase-international-relations">Kraft, 2012</a>).</p>
<p>In 2012, Obama launched another legislative proposal in which he declared that “threats to cyberspace pose one of the most serious economic and national security challenges of the 21st century for the United States and our allies&#8221; (<a href="https://www.amazon.com/Securing-Cyberspace-Domain-National-Security/dp/0898435625">Dowdy, 2012, p. 129</a>). The key threats, according to Dowdy (<a href="https://www.amazon.com/Securing-Cyberspace-Domain-National-Security/dp/0898435625">2012</a>), target the critical national infrastructure, the government’s classified information, and the intellectual property of the private enterprise.</p>
<p>The following year, in his State of the Union Address on February 12, 2013, Obama made mention of the importance of dealing with cybersecurity threats and how those threats may impact our nation in years to come. In his address, he stated, “America must also face the rapidly growing threat from cyber-attacks and our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems” (<a href="http://www.brookings.edu/research/opinions/2013/11/12-cyber-defense-us-japan-alliance-osawa">Osawa, 2013</a>).</p>
<p>He further revealed that he had signed a new executive order “that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy” (<a href="http://www.brookings.edu/research/opinions/2013/11/12-cyber-defense-us-japan-alliance-osawa">Osawa, 2013</a>).</p>
<p>The executive order further defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (<a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">National Institute of Standards and Technology, 2014, p. 2</a>). In this address, Obama brings to light the transformation of cybersecurity as a top priority in national and international security in recent years.</p>
<p>Further, in his State of the Union address, Obama expressed concern over the exposure of national critical infrastructures on the Internet, stating that “enemies of the U.S. are seeking the ability to sabotage our power grids, financial institutions, and air traffic control systems” (<a href="http://www.thecrimereport.org/">Salane, 2013, p. 1</a>).</p>
<p>To support Obama’s proposed legislation to better safeguard the nation against potential cyberattacks, the government and private sector developed a voluntary, risk-based Cybersecurity Framework to set forth standardized guidelines to act as industry standards and best practices to assist organizations in managing cybersecurity risks (<a href="https://www.federalregister.gov/agencies/national-institute-of-standards-and-technology">National Institute of Standards and Technology, 2014</a>).</p>
<p>The executive order issued by the White House in response to this address, <em>Improving Critical Infrastructure Cybersecurity</em>, set out to improve the cybersecurity of the nation’s critical infrastructure through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned critical infrastructures.</p>
<p>One of the key elements that former DHS Secretary Janet Napolitano identifies in the 2013 executive order is to improve the sharing of information related to “cybersecurity threats, vulnerabilities, attacks, prevention, and response both within and across sectors” (<a href="http://www.fas.org/sgp/crs/misc/R42984.pdf">Fischer, Liu, Rollins, &amp; Theohary, 2013, p. 6</a>). A second focus is to develop standards and best practices to prevent cyberattacks against the nation’s core critical infrastructures (<a href="http://www.fas.org/sgp/crs/misc/R42984.pdf">Fischer, Liu, Rollins, &amp; Theohary, 2013</a>).</p>
<p>In my next article, I will break down the framework, assess its pros and cons, and draw final conclusions about its effectiveness in preparing organizations for future cyberwar.</p>
]]></content:encoded>
					
					<wfw:commentRss>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-3/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 2</title>
		<link>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-2/</link>
					<comments>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-2/#respond</comments>
		
		<dc:creator><![CDATA[Brian Lozada]]></dc:creator>
		<pubDate>Mon, 28 Dec 2015 18:24:36 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16461</guid>

					<description><![CDATA[<p>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be&#8230;</p>
<p>The post <a href="/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-2/">An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity &#8211; Part 2</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity">Read Part One</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-three">Read Part Three</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-four">Read Part Four</a></p>
<p>In the first article in this series, I addressed the growing possibility of cyberwarfare. In this installment, I will more closely examine these evolving threats, the challenges of cyberwarfare and the key adversaries the United States faces on the digital battlefield.</p>
<p><em>Part Two</em></p>
<div>
<h3>The Growing Cyber Threat</h3>
<p>James Clapper, Director of National Intelligence, (<a href="http://www.dni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf">2013</a>) states that “the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks,” which results in an increased number of cyberattacks against the United States by both non-state and state actors (<a href="http://www.dni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf">p. 2</a>). Such attacks pose a heightened risk to the nation’s critical infrastructure.</p>
<p>The impact of cyber threats varies in intensity from small-scale, yet potentially damaging, cyberattacks on private organizations to large-scale, extensive hacking activity against the United States. Further, trends in cybercrime suggest that more serious cyberattacks on critical infrastructures are likely to occur in only a matter of time.</p>
<p>In recent years, the United States government has begun to recognize the scale and impact of the cyber security challenges that our nation now faces, and to understand that addressing these threats is necessary for the protection of the United States’ economic prosperity. However, the nation is still struggling to implement an effective strategy to protect against such threats.</p>
<p>The threat of cyberattacks has a scope much broader than the civilian and corporate realms; as more critical national infrastructures are becoming computerized, the fear of computer network attacks on government agencies and organizations has become a risk to the nation’s security.</p>
</div>
<div>
<p>According to Geers (<a href="http://www.tandfonline.com/doi/abs/10.1080/15567281.2010.536735#aHR0cDovL3d3dy50YW5kZm9ubGluZS5jb20vZG9pL3BkZi8xMC4xMDgwLzE1NTY3MjgxLjIwMTAuNTM2NzM1QEBAMA==">2010</a>), “The urgency with which the FBI views the threat from cyberspace should no longer be surprising: information systems, including client and server computers, databases, and the networks that connect them are now used to facilitate the management of myriad government infrastructures. Many of these…provide the basic services necessary for the functioning of a modern society” (<a href="http://www.tandfonline.com/doi/abs/10.1080/15567281.2010.536735#aHR0cDovL3d3dy50YW5kZm9ubGluZS5jb20vZG9pL3BkZi8xMC4xMDgwLzE1NTY3MjgxLjIwMTAuNTM2NzM1QEBAMA==">p. 124</a>). Due to the pervasive nature of this threat, the government is not only responsible for its own assets but is also responsible for the cyber protection of the private sector as well.</p>
<p>United States’ national security must account for the growing threat of the cybersphere; how this should be achieved still remains unclear. Cyberwarfare is more difficult to combat because there are no clearly defined borders as to what is right or wrong.</p>
<p>Further, electronic armies are in operation without the formal backing of nation states, so forging alliances with such states may not prove as effective a tactic as it may be for physical warfare. A strategic approach would be for the United States to focus on the development of technology to protect the nation’s critical infrastructure, as the best offense is a good defense, especially in the world of cyber security.</p>
<h3>Perpetrators of Cyberattacks</h3>
<p>While there is yet to be a clear-cut definition of cyberterrorism, the North Atlantic Treaty Organization (NATO) (2008) attempts to describe it as “a cyberattack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or intimidate a society into an ideological goal” (<a href="http://resources.infosecinstitute.com/cyberterrorism-distinct-from-cybercrime/">as cited in Infosec Institute, 2012</a>). Among the perpetrators behind these cyberattacks are terrorist organizations, hacktivists and cybercriminals. The United States’ most threatening adversaries in the cyberdomain, referred to as Advanced Persistent Threats (APT), continue to originate from China, Russia, and Iran.</p>
<p>China’s sophisticated cyber espionage capabilities and impressive number of cyberattacks “appear to be intended to amass data and secrets…that will support and further the country’s economic growth, scientific and technological capabilities, military power, etc. — all with an eye to securing strategic advantage in relation to competitor countries and adversaries,” including the United States (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">Cilluffo, 2013, p. 7</a>).</p>
<p>One cyber espionage unit, APT1, which originates from the Shanghai region of China, conducted one of the largest state-sponsored cyberattacks in recent years. According to a report released by Mandiant in 2013, APT1 maintains “an extensive inventory of over 900 command and control servers in 13 different countries” and has conducted attacks on over 150 organizations during the past seven years (<a href="http://www.thecrimereport.org/">as cited in Salane, 2013, p. 2</a>). The APT1 cyber espionage unit employed a packet transmission tool to enable communication between command and control servers.</p>
<p>This technique was also utilized by another Chinese hacker organization, which was responsible for obtaining information that compromised RSA’s SecurID Token, “a device used by organizations around the world to provide secure two factor authentication to highly sensitive systems” (<a href="http://www.thecrimereport.org/">p. 2</a>). It was later confirmed that the compromised tokens were implicated in the breach of systems of defense contractor Lockheed Martin.</p>
<p>The primary interest of Chinese hacker organizations has been related to state sponsored cyber espionage. China remains a threat to our nation as the country continues to develop more sophisticated cyberwarfare tactics and capabilities (<a href="http://www.thecrimereport.org/">Salane, 2013</a>).</p>
<p>Despite the visibility of China’s cyberattacks, Russia’s cyber espionage capabilities are, perhaps, even more sophisticated. Russia’s extensive attacks on the United States, especially in regard to our nation’s research and development, have resulted in Russia being named “a national long-term strategic threat” to the nation by the Office of the U.S. National Counterintelligence Executive (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">Cilluffo, 2013, p. 9</a>). As recently as March 2013, Russian hackers released “personal information about the Vice President, the Director of the FBI, and other current and former senior U.S. officials” (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">p. 10</a>).</p>
<p>Cybercrime perpetrators have been instrumental in increasing Russia’s global crime market to $2.3 billion. These attackers consist of patriotic hackers and organized crime organizations with assistance from government handlers and the Russian Intelligence Service; however, Russia denies official involvement in cyber espionage-related events (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">Cilluffo, 2013</a>).</p>
<p>Iran is currently investing in its cyberwarfare expansion through the purchase of capabilities, malware, and weapons. Unlike Russia, Iran has openly recruited hackers, such as the Iranian political/criminal hacker group Ashiyane, through the nation’s Revolutionary Guard Corps. Similarly, hacker organization Basij is hired to execute cyber espionage work on behalf of this regime (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">Cilluffo, 2013</a>).</p>
<p>Since August 2012, Iranian cyber espionage unit Izz ad-Din al-Qassam Cyber Fighters has been engaged in powerful Distributed Denial of Service (DDoS) attacks on financial institutions, targeting bank servers and injecting infected applications (<a href="http://www.thecrimereport.org/">Salane, 2013</a>). The Wall Street Journal reported “an intensifying Iranian campaign of cyberattacks against American financial institutions including Bank of America, PNC Financial Services Group, Sun Trust Banks, Inc., and BB&amp;T Corp.” (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">Cilluffo, 2013, p. 11</a>). Based on recent activity of Iranian cyber espionage organizations, the Los Angeles Police Department has elevated the government of Iran to a Tier One threat (<a href="http://financialservices.house.gov/uploadedfiles/hhrg-114-ba09-wstate-fcilluffo-20150616.pdf">Cilluffo, 2013</a>).</p>
<p>Should this type of nation-state cyberterrorist activity continue to advance, a worst-case scenario could involve a catastrophic cyberattack on the United States’ critical infrastructure, including an attack on nuclear reactors, which would sustain significant damage and result in a major threat to the nation (<a href="http://www.nextgov.com/cybersecurity/2013/10/assessing-capabilities-syrian-electronic-army/72536/">Rutherford, 2013</a>).</p>
</div>
<p>As this threat grows, so does the need for a solution to protect our nation’s critical infrastructure. In the next article in this series, I will review past initiatives to address this need, including the Obama Administration’s executive order to improve critical infrastructure cybersecurity.</p>
]]></content:encoded>
					
					<wfw:commentRss>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity</title>
		<link>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity/</link>
					<comments>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity/#respond</comments>
		
		<dc:creator><![CDATA[Brian Lozada]]></dc:creator>
		<pubDate>Sat, 19 Dec 2015 19:51:30 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16487</guid>

					<description><![CDATA[<p>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be&#8230;</p>
<p>The post <a href="/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity/">An Assessment of the Framework for Improving Critical Infrastructure Cybersecurity</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.</em></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-two" target="_blank" rel="noopener">Read Part Two</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-three">Read Part Three</a><br />
<a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity-part-four">Read Part Four</a></p>
<p><em>Part One</em></p>
<p>As technology continues to advance, so does the potential for increased cyber threats against our nation’s critical infrastructure. Unlike physical warfare, the distance between the attackers and the victims is irrelevant in cyber attacks, thus creating a bigger threat that proves even more difficult to identify, prevent, respond to, and recover from.</p>
<p>The potential for an actual cyber war is being realized with the idea that violent extremist groups and nation-states can partner together and be just as destructive as the terrorist attacks of 9/11. Former U.S. Secretary of Defense Leon Panetta (2012) noted: “the collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life” (as cited in Osawa, 2013).</p>
<p>Many cyber experts are debating the notion of whether a cyber war against our nation is a possibility in the near future and, thus, are preparing for it in the event it should occur.</p>
<p>With the cyber sphere emerging as a new battleground for warfare, cyber crimes are expected to become increasingly sophisticated in the wake of this ever-changing threat landscape. Although fatalities may not occur as a direct result of a cyber-warfare scenario, cyber attacks — especially attacks against the nation’s critical infrastructure — are part of a larger act of aggression, which, in turn, could indirectly result in the loss of many lives.</p>
<p>Once cyber espionage turns to warfare and impacts our critical infrastructure (shutting down power grids, telecommunication lines, transportation, commerce, and every action of daily life) the world will finally realize the impact of cyber warfare. In addition, the recovery efforts of a major cyber warfare attack would be significantly greater given that most companies and infrastructures are not prepared and have not invested in cyber incident response and recovery tactics.</p>
<p>In the next article in the series I will more closely examine these evolving threats, the challenges of cyber warfare and the key adversaries the United States faces on the digital battlefield.</p>
]]></content:encoded>
					
					<wfw:commentRss>/an-assessment-of-the-framework-for-improving-critical-infrastructure-cybersecurity/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
