HLSS603Wk6
DepartmentofHomelandSecurityCyberResilienceReviewCaseStudy-YouTube.pdf
Department of Homeland Security Cyber Resilience Review (Case Study)
Introduction_CyberResilienceandtheHomeland.pdf
Introduction: Cyber Resilience and the Homeland
Unless you have been marooned on an island cut off from any media, you know that cyber threats have evolved and grown in number, sophistication, and capability. Terrorists, criminals and hacktivists are looking to exploit any vulnerability they can find. Attackers can be nation-states, like the Russians attacking social media sites to influence the 2016 election in the United States, or criminals who exploit sites to gain personal information and account data. A successful cyber attack on a well-known corporation can damage everything from the way financial institutions evaluate a company to determine risk, to reputation. The cycle is never ending.
Cyber attacks can also be undertaken to conduct industrial espionage, which can lead to trade secrets being compromised. Successful cyber attacks can bring successful companies to their knees as the competition uses the stolen information to manipulate the playing field. If the playing field is not level, one company is put at a competitive disadvantage.
To begin our discussion of this topic I want to define two phrases because, although they may seem to be the same thing, they are most definitely not. For the purpose of a homeland security course focused on resilience the distinction is critical. I am referring to the terms cybersecurity and cyber resilience.
The cybersecurity rating firm BITSIGHT’s Jake Olcott considered this subject and provided the following thoughts, “Cybersecurity refers to your methods and processes of protecting electronic data, including identifying it and where it resides, and implementing technology and business practices that will protect it”. Olcott then explored cyber resilience from his perspective, since there is no official term either in a U.S. government lexicon or within the industry. Olcott noted, “you can think of it as your organization’s ability to withstand or quickly recover from cyber events that disrupt usual business operations”.
Does this make sense? There is a difference. Simply put, cyber resilience is about the management of risk and not its elimination. Why? Because the complete elimination of cyber risk is never going to occur.
CyberResilienceReview.pdf
Cyber Resilience Review
Daniel Dobrygowski, who is a Global Fellow for the World Economic Forum, wrote, “The idea of resilience, in its most basic form, is an evaluation of what happens before, during and after a digitally networked system encounters a threat. Resilience should not be taken to be synonymous with “recovery”. It is not event-specific: it accrues over the long term and should be included in overall business or organizational strategy”.
The U.S. government has been especially active in establishing cyber resilience. Three efforts are most visible. The first is the National Institute of Standards and Technology (NIST) establishment of a Cybersecurity Framework, or CSF. The second is the Cyber Resilience Review, or CRR, developed by the Department of Homeland Security’s Office of Cybersecurity and Communications. The third is the establishment of the Cybersecurity and Infrastructure Security Agency, or CISA, within DHS, which has been discussed in previous lessons.
The NIST CSF “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers”.
These sections each play an important role in establishing a foundation for resilience. For example, the Framework Core is centered on activities, outcomes, and informative references that are common across critical infrastructure sectors. This provides voluntary guidance for the creation of individual organizational profiles. It is through use of the profiles that the CSF will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. There is one more component of the CSF that needs to be highlighted. When it was developed, this document was looked upon as a living document, and through input from industry it will be made even more capable of meeting the ever-evolving threat matrix. The Department of Homeland Security developed guidance for the implementation of the CSF for different sectors.
[Figure: How to Achieve Cyber Resilience in 7 Steps? (Twitter)]
The other key document in cyber resilience is the CRR, which was developed by the world-famous Carnegie Mellon University’s Software Engineering Institute, who used their CERT Resilience Management Model, or CERT-RMM. This model has been used nationally across a series of sectors.
CISAsNationalCybersecurityandCommunicationsIntegrationCenter.pdf
CISA's National Cybersecurity and Communications Integration Center
The CERT-RMM is an important homeland security initiative which can be used to determine a company’s organizational capability to instill a resilience framework. The CRR makes a series of assumptions, such as that a company is using its employees and systems to support specific operational missions. The CRR looks at ten specific domains within a specific organization to determine practices which may impact resilience. Five of these, among others, are:
1. Asset Management
2. Controls Management
3. Configuration and Change Management
4. Vulnerability Management
5. Incident Management
One other area that has been receiving significant cyber threats is the communications sector. The GAO noted how serious this threat is in their November 2021 report entitled “CRITICAL INFRASTRUCTURE PROTECTION: CISA Should Assess the Effectiveness of its Actions to Support the Communications Sector.” In the report CISA noted:
The cyber-related threats to the Communications Sector include threats from both malicious actors (e.g., adversaries who intentionally cause network disruptions) and non-malicious actors (e.g., employees that accidentally cause network disruptions). For example, a malicious actor could intentionally affect software or exploit security gaps in an effort to change or disrupt the systems on a communications network, potentially making the data managed on the network or systems unreliable. Alternatively, a non-malicious actor (e.g., a vendor) could accidentally alter a communication network’s configuration, negatively affecting the network’s ability to function properly. (GAO-22-104462)
The newest threats that resilience must address are those from botnets. The GAO report noted:
A botnet is a network of internet-connected end-user computing devices infected with bot malware and that are remotely controlled by third parties for nefarious purposes. A botnet attack happens when a network of computers, Internet of Things, or other internet protocol-enabled devices are commandeered to run unauthorized code in support of malicious activities such as spam, phishing, click-fraud, and distributed denial of service. (GAO-22-104462)
The serious nature of the botnet attack was reinforced by joint advisory Alert (AA21-076A) from CISA and the FBI on TrickBot malware, which is a threat against businesses and individuals. First identified in 2016, TrickBot is a Trojan horse designed to steal financial data. See the complete advisory (AA21-076A) for details.
Here is one example of this issue. On March 5, 2019, this country recorded its first malicious cyber event. An anonymous Western utility company reported a “denial of service attack which caused a loss of visibility to certain parts of the utility's supervisory control and data acquisition (SCADA) system” (Sobczak, 2019, p. 1). Although there was very little impact from this cyber attack, hackers did gain access to a secure U.S. cyber system. Sobczak (2019) noted that there are ongoing investigations to learn more about the attack and ways to make the systems more resilient. Cyber vulnerabilities are elements of the energy sector that pose a significant concern. The Department of Homeland Security has started to address these issues. In November of 2021 the Cybersecurity and Infrastructure Security Agency (CISA) issued the Cybersecurity Incident & Vulnerability Response Playbooks. This document provides operational procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.
Finally, besides these two active programs, there is now an agency responsible for protecting the Nation’s critical infrastructure from physical and cyber threats – CISA. The impact of this agency is wide-ranging. For example, CISA's National Cybersecurity and Communications Integration Center (NCCIC) provides 24x7 cyber situational awareness, analysis, incident response and cyber defense capabilities to the Federal government; state, local, tribal and territorial governments; the private sector and international partners. In addition, CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.
POLITICOPro_Article_ExpertsassessdamageafterfirstcyberattackonU.S.grid.pdf
Experts assess damage after first cyberattack on U.S. grid
BY: BLAKE SOBCZAK | 05/06/2019 07:13 AM EDT
Reports of an unprecedented grid "cyber event" caused a stir last week in power sector and cybersecurity circles. | Ian Muttoo/Flickr
ENERGYWIRE | Last week, the U.S. power sector marked a sober milestone: an anonymous Western utility became the first to report a malicious "cyber event" that disrupted grid operations.
The hack itself occurred two months ago, on March 5, when a "denial-of-service" attack disabled Cisco Adaptive Security Appliance devices ringing power grid control systems in Utah, Wyoming and California, according to multiple sources and a vague summary of a Department of Energy filing.
There were no blackouts, no harm to power generation and evidently very little effect on the Western transmission grid, according to multiple sources and officials. The most direct impact was likely a temporary loss of visibility to certain parts of the utility's supervisory control and data acquisition (SCADA) system, though all major transmission operators in the regions affected denied having been hit by the denial-of-service attack.
The "cyber event that causes interruptions of electrical system operations," as the attack was categorized in the jargon of DOE electric disturbance forms, made waves in critical infrastructure security circles as a first-of-its-kind case study.
...
References.pdf
References
GAO. (2021, Nov). Critical infrastructure protection: CISA should assess the effectiveness of its actions to support the communications sector. https://www.gao.gov/assets/gao-22-104462.pdf
Cybersecurity and Infrastructure Security Agency (CISA) & Federal Bureau of Investigation (FBI). (2021). TrickBot Malware Alert (AA21-076A). https://us-cert.cisa.gov/ncas/alerts/aa21-076a