Christian Vasquez Archives | CyberScoop
https://cyberscoop.com/author/cvasquez/

Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group
https://cyberscoop.com/russian-satellite-hack-wagner-group/ | Thu, 29 Jun 2023 16:02:26 +0000
The attackers released nearly 700 files associated with the attack.

The post Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group appeared first on CyberScoop.

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

“The DoZor satellite provider (Amtel group of companies), which serves power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service, the pension fund and many other projects, including the northern merchant fleet and the Bilibino nuclear power plant, went to rest,” the group’s first message read, according to a translation. “Part of the satellite terminals failed, the switches rebooted, the information on the servers was destroyed.”

The hackers also claimed to have defaced four seemingly unconnected Russian websites with messaging supportive of the Wagner private military company, the Russian mercenary group that made international headlines last weekend as it marched toward Moscow in an astonishing uprising that challenged the power of Russian President Vladimir Putin, before the group stopped short.

The group’s leadership was relocated to Belarus, a staunch Russian ally. Yevgeny Prigozhin, the head of Wagner, also created and funded the Internet Research Agency, a troll farm that the U.S. government sanctioned for its role in the sweeping Russian election interference operations targeting the 2016 U.S. presidential elections and then the 2018 elections.

Belarusian President Aleksandr Lukashenko said he argued against Putin’s contemplation of killing Prigozhin for leading the uprising, and instead brokered the deal to send Prigozhin to Belarus.

The message posted to the defaced websites showed the Wagner insignia, along with a message about the uprising and its results. “We agreed to a peaceful solution because we achieved the main thing — we showed our capabilities and full social approval of our actions,” the message read, according to a Google translation. “But what do we see instead? The current military leadership has not been removed from office, criminal cases have not been closed … You kicked us out of the NWO zone, out of Russia, but you can’t kick us out of the network.”

“We take responsibility for hacking,” the message continued. “This is just the beginning, more to come.”

Screenshot from one of the defaced websites, captured June 29, 2023 (CyberScoop).

The group posted a link to a zip file containing 674 files, including PDFs, images and documents. On Thursday morning, the group also posted three files that appear to show connections between the FSB and Dozor, including the passwords Dozor employees were to use to verify that they were dealing with actual FSB representatives, with one password valid for every two months in 2023, according to a Google translation.

Doug Madory, the director of internet analysis for Kentik, told CyberScoop Thursday that Dozor’s connection to the internet went down at about 10 p.m. ET Wednesday and remains unreachable. One of the routes the company uses was switched to Amtel-Svyaz, Dozor’s Moscow-based parent company.

Amtel-Svyaz could not be reached for comment.

The Wagner Group could not be reached for comment.

Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank, tweeted Thursday that “Wagner’s involvement is very unlikely,” and that it looked “like Ukrainian false flag trolling.”

Shakirov told CyberScoop in an online message that “the whole hack and leak looks very real, but it’s not something Wagner does. They don’t have a motive now & no history of such attacks.”

White House releases cybersecurity budget priorities for FY 2025
https://cyberscoop.com/white-house-cybersecurity-budget-2025/ | Wed, 28 Jun 2023 14:47:27 +0000
The Biden administration noted that departments and agencies are expected to follow the recently released National Cybersecurity Strategy.

The Office of Management and Budget and the Office of the National Cyber Director released a memorandum on Tuesday outlining five cybersecurity budget priorities for federal departments and agencies for fiscal year 2025 consistent with the U.S. National Cybersecurity Strategy.

The memo also said the budget submissions should be consistent with the Biden administration’s national cyber strategy released earlier this year. The OMB and ONCD will review agencies’ upcoming budget submissions to “identify potential gaps” and “potential solutions to those gaps.”

“OMB, in coordination with ONCD, will provide feedback to agencies on whether their submissions are adequately addressed and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multiyear planning through the regular budget process,” the memo said.

The five priorities in the memo are the same as those in the National Cybersecurity Strategy: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and forge international partnerships to pursue shared goals.

The memo comes as the White House is preparing multiple strategies such as the implementation plan for the National Cybersecurity Strategy expected this summer as well as a national cyber workforce strategy. ONCD and OMB also said that a separate memo will be released with additional guidance focused on cybersecurity research and development priorities.

The memo said federal agencies need to defend critical infrastructure by modernizing federal defenses through the federal zero-trust strategy, improving baseline cybersecurity requirements and scaling public-private collaboration.

Additionally, the memo pointed out that ransomware continues to be a national security threat and that some agencies should work to dismantle threat actors by investigating and disrupting criminal infrastructure, by “prioritiz[ing] staff to combat the abuse of virtual currency,” and by participating in interagency task forces.

Beyond that, the administration directed agencies to use their buying power to influence the cybersecurity market, to use skills-based hiring methods to strengthen the cyber workforce, to follow national security memorandums on preparing for a post-quantum future, to strengthen international partnerships and to secure global supply chains for information, communication and operational technologies.

Two major energy corporations added to growing MOVEit victim list
https://cyberscoop.com/schnieder-electric-siemens-energy-moveit-cl0p/ | Tue, 27 Jun 2023 19:07:24 +0000
Leading global energy companies Schneider Electric and Siemens Energy are the latest victims of the MOVEit vulnerability.

Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities.

CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims.

Since early June, the hacking campaign has added more than 100 victims after CL0P began to take advantage of a vulnerability in MOVEit, a widely used file transfer tool from Progress Software. Multiple federal agencies, including two Department of Energy entities, have been affected by the vulnerability, federal authorities have said. Additional reporting has indicated that the Department of Agriculture may have had a “possible breach” and the Office of Personnel Management is also affected.

Both Siemens Energy and Schneider Electric are among the largest vendors of industrial control systems, though there is little indication of what information the hackers may have pilfered. Cybersecurity and Infrastructure Security Agency Director Jen Easterly has previously said that the MOVEit campaign appears to be largely opportunistic and the stolen files may be limited to what was in the software at the time the bug was exploited.

“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” Easterly said on June 15.

“Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis, no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident,” a Siemens spokesperson said in an email.

A Schneider spokesperson said that the company became aware of the vulnerability on May 30 and “promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely.”

“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well,” the spokesperson said in an email.

Since the Russian-speaking CL0P began publicizing its victims, state and local governments appear to have been heavily affected by the campaign, with at least seven hit, including the nation’s largest public-employee pension fund, the California Public Employees’ Retirement System. Over the weekend, around 45,000 New York City public school students had their personal data stolen, including information such as Social Security numbers, StateScoop reported.

The State Department has offered a $10 million reward for information on the actors linked to the CL0P ransomware gang.

Treasury sanctions two Russian intelligence officers for election influence operations
https://cyberscoop.com/treasury-sanctions-russian-election-influence/ | Fri, 23 Jun 2023 17:12:38 +0000
The sanctions follow grand jury indictments alleging that the officers engaged in years-long international election influence campaigns.

The Treasury Department issued sanctions on Friday against two Russian intelligence officers for their alleged role in global election influence operations that included recruiting political groups within the U.S. to distribute pro-Moscow propaganda.

“The Kremlin continues to target a key pillar of democracy around the world — free and fair elections,” Brian Nelson, under secretary at the Office of Terrorism and Financial Intelligence at the Treasury Department, said in a statement. “The United States will not tolerate threats to our democracy, and today’s action builds on the whole of government approach to protect our system of representative government, including our democratic institutions and elections processes.”

Aleksey Borisovich Sukhodolov and Yegor Sergeyevich Popov, both Moscow-based officers of the Russian Federal Security Service, or FSB, were directly engaged in a years-long effort to recruit local “co-optees” to influence elections in ways that benefit the Kremlin, the Treasury said. “In support of its influence operations, Russia has recruited and forged ties with people and groups around the world who are positioned to amplify and reinforce Russia’s disinformation efforts to further its goals of destabilizing democratic societies.”

The sanctions announcement Friday follows a criminal indictment against Sukhodolov and Popov that the Department of Justice unsealed in April alleging the two were involved in a years-long campaign to influence elections. The U.S. government has also said the two are suspected of attempting to sway elections in Ukraine, Spain, the United Kingdom and Ireland.

According to the Treasury Department, Popov was the main handler for “co-optees” Aleksandr Viktorovich Ionov and Natalya Valeryevna Burlinova who were previously sanctioned by the Treasury Department and have also been indicted for their alleged activities. “From as early as 2015 through at least 2022, Popov worked with Burlinova and oversaw her activities on behalf of the FSB,” Treasury said.

Ionov and Burlinova influenced multiple U.S. individuals and political groups in an effort “to create or heighten divisions within the country,” according to a sanctions announcement in July 2022.

While it’s unlikely any of the four Russians sanctioned by the U.S. government and facing charges related to election interference will see the inside of an American court, the actions are part of a broader government effort to push back more aggressively against foreign influence on elections, which many experts expect to increase ahead of the 2024 presidential campaign.

Former Cybersecurity and Infrastructure Security Agency Director Chris Krebs said earlier this month to expect a “very, very active threat landscape” concerning election influence and interference.

Federal incentives could help utilities overcome major cybersecurity hurdle: money
https://cyberscoop.com/ferc-cybersecurity-incentives-electric-grid/ | Thu, 22 Jun 2023 20:40:36 +0000
A new rule that would give electric utilities incentives for investing in cybersecurity is set to go into effect next month.

Starting next month, utilities around the country may be able to fund certain cybersecurity investments through increases in consumer electric bills, a move that could help resource-poor owners and operators better protect themselves against malicious hackers.

A new voluntary cyber incentive framework from the Federal Energy Regulatory Commission that was required by the Biden administration’s bipartisan Infrastructure Investment and Jobs Act will allow utilities to make the case for receiving an incentive-based rate recovery when they make certain pre-qualified cybersecurity investments or join a threat information-sharing program.

The new rule also helps clear the path past one of the biggest issues for critical infrastructure owners and operators: a lack of money to invest in cybersecurity.

“It’s about removing the excuses and one of the huge excuses for anyone in the utility space to do anything with cyber has to do with resources and dollars,” said Ron Fabela, field CTO at cybersecurity firm XONA Systems. “Whether it’s an investor-owned utility or a local co-op, they are still beholden to the approved rates for power and that rate is heavily regulated and they can’t necessarily go to the ratepayer — you and me — to cover all their expenditures.”

For instance, in most states public utility commissions are unlikely to approve a rate increase unless it’s directly tied to the ability to generate and deliver power to customers, Fabela said. Those requirements vary by state, but nearly all involve an arduous process, and how commissions will respond to new cyber investments is still an open question, he said.

“This is essentially telling the public utility commissions that utilities that wish to invest in cybersecurity in these areas and these ways can effectively get rate relief from their customers,” Fabela said.

The new rule that goes into effect July 3 comes as the federal government is grappling with ways to add cyber mandates for critical infrastructure and to help “target rich, cyber poor” owners and operators improve digital defenses. Additionally, the recently released National Cybersecurity Strategy outlined goals for the administration to pursue more cybersecurity regulations for critical infrastructure.

The electric sector is already regulated by FERC, an independent agency under the Energy Department, and the North American Electric Reliability Corp., an international nonprofit corporation. FERC can tell NERC to develop a certain standard to mitigate a threat with input from industry. Once NERC develops new rules, FERC considers whether to implement them. NERC then acts as the enforcer with regular audits and fines.

However, that process can take years from concept to enforcement, and the slow pace of NERC rule-makings has been a common concern among experts, as cyberthreats can quickly outpace policy. The cyber incentives plan could help utilities adapt to new threats at a faster pace, experts say.

“There’s the carrot and the stick and sometimes the stick is going to have limitations,” said Jason D. Christopher, director of cyber risk at industrial cybersecurity firm Dragos. “If NERC CIP hasn’t made it mandatory, enforceable, then it’s harder for utilities to get rate recovery and it’s hard for them to necessarily fund the initiative and this provides that flexibility.”

For instance, one of the two pre-qualified investments is internal network security monitoring, which is also a new standard the NERC drafting team is exploring. That proposed rule would require covered utilities to have internal network security monitoring within environments that impact the bulk electric system. However, that rule is still in an early phase and will likely be years before the standard is in place.

“So, we’re talking about years of a period where there’s not going to be a mandatory regulation in place for internal network security monitoring, which is — in our [operational technology] context — how we detect whether or not attackers are in our systems,” said Christopher. “The incentives order says, ‘Hey, if you want to do this before it’s mandatory, enforceable we will help you with that and will provide an incentive in those areas.’”

So far, only internal network security monitoring and joining an ISAC are on the pre-qualified list for investments. However, FERC plans on allowing for case-by-case incentives where a utility can make a case why the investment would “materially improve a utility’s security posture.”

Additionally, FERC would consider additional controls from the National Institute of Standards and Technology catalog of “security and privacy controls for information systems and organizations,” NIST’s cybersecurity framework technical subcategory, and specific recommendations from federal agencies like CISA, the FBI, National Security Agency, or DOE.

Other potential investments have yet to be defined as the commission needs “a high degree of confidence that such items will likely materially improve cybersecurity for all utilities,” according to the rule. FERC will re-evaluate the pre-qualified investment list “from time to time.”

Two Energy Department entities breached as part of massive MOVEit compromise
https://cyberscoop.com/energy-department-cl0p-moveit-cisa/ | Thu, 15 Jun 2023 21:40:09 +0000
The Cybersecurity and Infrastructure Security Agency said it's working with "several federal agencies" affected by a flaw in the file transfer software.

Multiple federal agencies, including two Department of Energy entities, were victims of a cyberattack that resulted from a widespread vulnerability in MOVEit file transfer software, federal officials said Thursday.

While it’s unclear who infiltrated the DOE entities, a ransomware group known as CL0P has used the flaw in the widely used software to attack hundreds of organizations in recent weeks, including universities, banks and major multinational corporations. The group publicized online that it has victimized “hundreds of companies” and gave a June 14 deadline to negotiate a ransom price before it released stolen data.

So far, CL0P is the only threat group linked to the MOVEit vulnerability by the Cybersecurity and Infrastructure Security Agency and the FBI.

At a media briefing Thursday afternoon, CISA Director Jen Easterly said that “we are not tracking significant impact on civilian .gov enterprise but are continuing to work with our partners on this.” Additionally, she said, no federal agency has received extortion demands and no federal data has been leaked so far.

“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” she said, adding that the attack appears to be largely opportunistic and not “like SolarWinds that presents a systemic risk to our national security or our nation’s network.”

CNN first reported that “several federal agencies” had been victims as a result of the file transfer flaw and that the Cybersecurity and Infrastructure Security Agency was urgently working with them to remediate the problem.

A Department of Energy spokesperson told CyberScoop on Thursday afternoon that “upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA).”

DOE considers an entity any facility, office, or laboratory run by DOE or a DOE contractor. The agency is home to the national laboratories such as Sandia and Los Alamos National Labs that conduct nuclear power and weapons research.

The Federal News Network reported that Oak Ridge Associated Universities and the Waste Isolation Pilot Plant near Carlsbad, New Mexico, were the two DOE entities impacted by the vulnerability.

“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said.

Speaking on background, an official at the briefing said that they are not aware of any federal agency that has not placed mitigations against the vulnerability.

CL0P claimed on its dark website to have “information on hundreds of companies” as part of its attack. The group also said that if the victim organization was “a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

The group has added 27 victim organizations to its leak page since June 14, according to data collected by eCrime.ch; however, it’s not clear whether all of those entities were MOVEit users or whether they were targeted by CL0P in separate extortion attacks.

Censys, a company that tracks internet-connected devices, said on Tuesday that government and military organizations represent 7.56% of the visible MOVEit hosts, with more than 80% of those being in the U.S.

CISA acknowledged on Thursday that several federal agencies were impacted as a result of the MOVEit compromise.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement that “CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. We are working urgently to understand impacts and ensure timely remediation.”

CyberScoop asked multiple federal departments and agencies if they were impacted as part of the MOVEit compromise. Only the Department of Energy reported any kind of compromise. Other agency officials responded their departments had taken steps to patch the vulnerability.

A Veterans Affairs official told CyberScoop that the department had “three systems that were running software susceptible to the MOVEit vulnerability. These systems were immediately remediated and there was no impact to VA or Veteran data.

“We have network blocks in place at their perimeters to prevent port connections, secure protocols, and safeguard inbound data, and VA has installed the latest patches to the systems that used the MOVEit Transfer software. We have also worked with security technology vendors to develop more robust detection capabilities for the vulnerability.”

Ukraine information sharing a model for countering China, top cyber official says
https://cyberscoop.com/information-sharing-china-threat/ | Mon, 12 Jun 2023 20:56:47 +0000
Intelligence sharing ahead of Russia's invasion of Ukraine should inform efforts to combat Chinese cyber operations, DHS official argues.

The Department of Homeland Security’s top cybersecurity official said Monday that intelligence sharing with U.S. critical infrastructure operators in the run-up to Russia’s invasion of Ukraine should be a model for addressing the threat posed by Chinese hacking groups.

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, said that the quick declassification of sensitive information about Russian cyber operations in Ukraine and potential threats to U.S. targets was a “great model for what we need to do” to ensure that both sources and methods are protected while also ensuring that the information is getting “to people who need it so they can reduce risk to our nation.”

“I think it set the stage for how we need to deal with a whole range of threats to include, really, I think the epoch defining threat of China,” Easterly said at an Aspen Institute event on Monday.

Speaking at a separate event on Monday, Rep. Raja Krishnamoorthi, D-Ill., echoed Easterly’s call for transparency, saying that Ukraine’s “radical disclosure and radical sharing” helped it effectively combat cyberattacks during the invasion.

“That’s the type of attitude I think we need to take with regard to any adversarial regime, whether it’s Russia and certainly in the case of the CCP,” said Krishnamoorthi, who is the ranking member of the House Select Committee on Strategic Competition between the United States and the Chinese Communist Party.

Easterly noted that CISA created a “Ukraine tensions plan” at the start of the invasion and carried out an exercise alongside critical infrastructure owners and operators that explored how to respond and communicate with the private sector in the event of a significant attack on U.S. soil, and how to make U.S. information sharing more proactive.

Easterly also pointed to the role government can have in helping critical infrastructure to develop secure by design code by leveraging the “purchasing power” of the federal government.

To encourage U.S. businesses and institutions to improve their cybersecurity posture and defend against potential Russian attacks amid the invasion of Ukraine, Easterly’s CISA launched the “Shields Up” campaign, and Easterly said on Monday that ultimately “we’ll see a Shields Up campaign extended to what we see from China.”

Easterly’s call for a focus on the threat posed by China comes on the heels of Microsoft and U.S. intelligence agencies revealing that a Chinese-linked hacking group dubbed “Volt Typhoon” targeted critical infrastructure in the United States, including telecommunications infrastructure in Guam. Microsoft said with moderate confidence that the campaign aimed to give China the ability to disrupt communications between the United States and Asia in the event of a crisis.

Easterly noted that the U.S. intelligence community’s annual threat assessment recently warned that Chinese cyber operations have become increasingly focused on disruptive and destructive impacts and are beginning to resemble Russian operations.

“In the event of a conflict, China will almost certainly use aggressive cyber operations, to go after our critical infrastructure to include pipelines and rail lines to delay military deployment and to induce societal panic,” Easterly said. “This, I think, is the real threat that we need to be prepared for and to focus on and to build resilience against.”

Amid these threats, Easterly said that the panicked reactions in the United States to events such as the Colonial Pipeline ransomware attack in 2021 that disrupted gas supplies and the Chinese spy balloon that drifted over U.S. territory earlier this year point to a society ill equipped to respond. “We’ve lost a bit of societal resilience,” Easterly said.

White House needs to urgently fix nation’s approach to protecting critical infrastructure, group says
https://cyberscoop.com/solarium-commission-critical-infrastructure-ppd-21/ | Wed, 07 Jun 2023 09:00:00 +0000
Attacks against critical infrastructure are reaching new heights, but strategy documents outlining federal efforts are a decade old.

U.S. government policies designed to protect critical infrastructure against hackers are woefully outdated and inadequate to safeguard sectors such as water and transportation against cyberthreats, according to an influential congressionally mandated group of experts.

Furthermore, the Cybersecurity and Infrastructure Security Agency — the key agency inside the Department of Homeland Security responsible for helping defend critical infrastructure — is not set up to quickly and effectively facilitate rapid response to cyberattacks on the most sensitive systems, according to CSC 2.0, which is a continuation of the Cyberspace Solarium Commission that Congress established in 2019.

In a lengthy and detailed report released Wednesday, the commission pointed to the 2021 Colonial Pipeline ransomware attack, which crippled gas deliveries across the country, as a key example of how current policies and government agencies aren’t optimized for the nature of today’s threats.

“This incident illustrates the challenges faced by the national critical infrastructure system in a moment of crisis and the limits of the public-private partnership model that the government has tried to cultivate,” the group said.

The White House and many government officials have acknowledged there needs to be a different approach to protecting U.S. critical infrastructure. In November, the Biden administration announced it is in the process of rewriting Presidential Policy Directive 21, which was established in 2013 to set out how federal agencies engage with private critical infrastructure owners and operators.

The threat landscape has changed drastically over the past decade. Ransomware has become a scourge for both the federal and private sectors, with criminals holding U.S. critical infrastructure hostage while Russian and Chinese state hackers increasingly target sensitive U.S. networks.

Meanwhile, the full scope of cyberattacks in the U.S. remains a large question mark, as most organizations are not required to notify anyone that they were the victim of a cyberattack. Recently passed legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, will require certain critical infrastructure owners and operators to report cyberattacks to CISA, but the agency is still in the rule-making process.

PPD-21 defines the 16 critical infrastructure sectors, such as dams, chemicals, healthcare and emergency services, and names the federal agency each sector turns to for incident management support and help mitigating vulnerabilities. But while the document outlines the overall responsibilities of federal departments such as DHS, it lacks guidance on how to carry out key cybersecurity responsibilities.

“Why is it so important to update this? It’s a 2013 era policy. It’s outdated. The security environment has shifted substantially over the past decade. Technologies have evolved, the risk environment has evolved. And as policies and regulations have evolved with those risks, it’s been done very frequently in an ad hoc way and not really in a systemic or holistic manner,” Mary Brooks, a public policy fellow at the Wilson Center and co-author of the report, said during a briefing on the report earlier this week.

The report comes amid major policy updates on federal cybersecurity such as the release of the Biden administration’s National Cybersecurity Strategy, a forthcoming strategy implementation plan and other documents such as a cybersecurity workforce strategy.

A strategy intended for a different time

The inadequacies in the current framework for critical infrastructure date back years and are “not the fault of this administration,” said report co-author Mark Montgomery, senior director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and former executive director of the Cyberspace Solarium Commission.

“This stretches back to the original setting up of all this in 2000 during the end of the twilight of the Clinton administration, but we are massively inconsistent across federal agencies in our performance as SRMAs and across the sectors in their willingness to cooperate and participate,” he said.

PPD-21 has been updated only once since 2013, when officials added responsibilities for the sector-specific agencies in charge of those 16 sectors. The Cyberspace Solarium Commission issued a recommendation, ultimately signed into law in the fiscal 2021 defense bill, that elevated those agencies to Sector Risk Management Agencies, or SRMAs.

But while the agencies were given new responsibilities, not all SRMAs are up to the task, the CSC 2.0 report notes. The Energy Department is widely regarded as among the best-resourced and most mature when it comes to collaboration with the private sector. Others, such as the Transportation Security Administration or the Environmental Protection Agency, have either historically struggled or face many of the same problems as the private companies they are supposed to help protect: a shortage of both funding and staff.

“While owners and operators bear some responsibility for the sector’s poor cybersecurity, an underlying cause is weak leadership and poor resourcing of the SRMA, for which both the EPA and Congress are to blame. Over the past 20 years, the EPA has not been organized or resourced to identify and support the sector’s cybersecurity needs,” the report reads.

The EPA’s efforts to issue cybersecurity standards using its existing authorities have long been a point of contention with the private sector. Three states are suing the EPA over the rule, which they claim exceeds the agency’s authority, and two water trade associations have joined the suit as intervenors. Furthermore, the EPA’s request to Congress for a $25 million cybersecurity grant program for fiscal year 2023 was rejected by lawmakers, the report notes.

The gaps in the existing federal framework for critical infrastructure cybersecurity are perhaps best exemplified by the Colonial Pipeline ransomware attack. While the incident was the largest to hit the energy sector, the federal government also had its own crisis of communication during the response, the report notes.

Once Colonial Pipeline alerted the FBI to the attack, CISA should have been informed, since it is the agency responsible for responding to these kinds of incidents and offering technical assistance and mitigation. But that did not happen, according to CSC 2.0. Neither Colonial Pipeline nor the FBI notified CISA, the Transportation Security Administration or the Transportation Department for hours.

“The whole process, the whole episode, really showed how the seams and the overlaps within the current framework means just the whole thing is poorly suited to speed and crisis response,” said Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, one of the co-authors of the CSC 2.0 report.

But while Colonial highlighted the gaps in one area, the report notes that this is not an isolated case. Federal agencies’ guidance for their sectors is not always readily available, and it is not clear how responsibilities are divided among the SRMAs, the co-SRMAs (where multiple agencies are each in charge of a portion of a sector) and CISA. The end result is a “complex and inconsistent web of responsibilities,” the report notes.

Other strategy documents, such as the National Infrastructure Protection Plan, which outlines how government and critical infrastructure collaborate, have not been updated since 2013 either. Sector-specific plans, which are meant to identify each sector’s key assets, risks and threats, have likewise not been updated since 2015, even though the initial releases were little more than “cut and paste” versions of a template that did little to highlight the differences between sectors.

CISA’s priorities and effectiveness

CISA, meanwhile, has its own share of issues as the national risk management agency, according to the CSC 2.0 report. “CISA is not, in many cases, serving as the leader that most interviewees said was needed to realize the full potential of the SRMA framework,” the authors note, adding that the agency has seemingly prioritized cybersecurity at the expense of physical security. DHS has warned that violent domestic extremists pose one of the largest threats inside the U.S., and there has been a marked rise in physical attacks against substations and other critical infrastructure in recent years.

Additionally, the report notes, CISA is unable to fulfill its responsibilities because “it does not receive the inter-agency support necessary to act effectively as the national risk manager.”

The report offers a dozen recommendations for the administration to consider as it revamps PPD-21. For instance, it recommends that the new version of the policy identify strategic changes such as a stronger focus on resilience (keeping systems running when a breach happens) rather than cyber defense alone.

The report also recommends that the government update the responsibilities laid out in key strategy documents and ensure accountability through clearly defined roles and expectations. It further calls for clarifying CISA’s role as the national risk management agency, including the agency’s “ability to compel minimum security standards and to convene or require collaboration or engagement” such as information sharing.

The authors recommend that the updated PPD-21 document identify critical infrastructure sub-sectors and detail how additional sectors will be added or removed from the list of 16. Additional resources for agencies responsible for the sectors will likely be needed to properly serve various industries, the report notes. “Not all sectors need the same amount of support. Not all SRMAs need the same budgets. But all SRMAs should have sufficient resources to meet the needs of their sector,” it says.

The report says CISA should have more “consistent organization roles and responsibilities, as well as clear operational doctrine, for its [national risk management agency] role,” which may include reviewing its responsibilities so that the agency’s remit is not too wide. “CISA also must have the appropriate taskings to implement its authorities to update all policy documents and instruct SRMAs to update their SSPs,” the report notes, referring to the sector-specific plans.

Critical infrastructure is undergoing rapid transformation with the increase in digitization and interconnectivity, creating a complex web of risks that are not fully understood. As such, the White House should organize more collaboration to understand systemic and cross-sector threats, the report notes. And, among the many other recommendations from the CSC 2.0, industries need a single point of contact in the government when the next Colonial Pipeline attack happens.

First in space: SpaceX and NASA launch satellite that hackers will attempt to infiltrate during DEF CON
https://cyberscoop.com/moonlighter-hack-a-sat-defcon/
Mon, 05 Jun 2023 17:44:49 +0000
For the first time ever, researchers will be able to test the security of a satellite on orbit at this year's Hack-A-Sat contest at DEF CON.

On Monday at 11:47 a.m. at the Kennedy Space Center in Florida, for the first time ever, SpaceX and NASA sent a satellite into low-Earth orbit hoping that it will get hacked.

Several small cube-shaped satellites, called cubesats, were strapped to the SpaceX rocket launched on a resupply mission to the International Space Station. One of those cubesats, called Moonlighter, will be used as an experimental “hacking sandbox.” Security researchers will use that sandbox in a competition at the annual DEF CON hacking conference in Las Vegas later this year, where teams will attempt to infiltrate it in order to identify vulnerabilities in satellites and improve cybersecurity in space.

A collaboration between The Aerospace Corporation, the Air Force Research Laboratory and U.S. Space Systems Command, Moonlighter represents the latest iteration of the Hack-A-Sat competition. The Air Force has hosted Hack-A-Sat since 2020 as a multi-year effort to increase collaboration with cybersecurity researchers, but the past three capture-the-flag contests have all been simulations.

This year they wanted to take the competition to a whole new level. “We wanted a vehicle where the sole purpose was to understand how to do cyber operations in space,” said Aaron Myrick, senior project engineer at The Aerospace Corporation.

Securing space systems has become more of a focus for the space industry and the Biden administration as experts are growing increasingly alarmed about new commercial off-the-shelf products with potential vulnerabilities. Just last week, experts in the field launched a worldwide effort to create voluntary technical standards through the Institute of Electrical and Electronics Engineers to better secure commercial products by design.

“We’re really trying to wrap our heads around cybersecurity operations and how do we do cyber operations on a system that is starting to have a lot more commoditized hardware and software, but it’s also extremely remote,” said Myrick. “We can’t just go up there and flip the power switch or change a hard drive … it’s quite a challenging problem.”

The Moonlighter to be featured at Hack-A-Sat. Image courtesy of Aerospace Corporation.

Earlier this year, the White House held a space cybersecurity summit with some of the biggest players. Additionally, CSC 2.0, a continuation of the congressional Cyberspace Solarium Commission, called for space systems to be designated as critical infrastructure.

While cyberattacks against space systems may not be common, the potential consequences of an attack were most recently seen at the start of the Russian invasion of Ukraine, when state-backed hackers targeted U.S.-based Viasat’s satellite modems. The attack was aimed at disrupting Ukrainian command and control during the opening of the invasion, but it also had cascading effects that knocked out remote monitoring of thousands of wind turbines in Germany and cut satellite internet connections across Europe.

Myrick said the space industry understands many of the physical risks associated with space such as harsh radiation levels, but cybersecurity still presents many challenges that experts are just beginning to resolve. While simulating cyberattacks in a real-world environment will be helpful, Myrick explained, it won’t answer every question about how satellites could be affected in an attack outside the test environment.

“Moving to on-orbit actually introduces a lot of challenges, but it removes a lot of the sims you build into it,” Myrick said. For example, satellites actually spend much of their time disconnected from an operation center and are fairly automated, adding additional layers of complexity, Myrick said. Operators may simply not have full knowledge of what is impacting those space systems at particular periods of time.

Test beds such as Hack-A-Sat allow researchers to discover how hackers target networks in space systems they may not be familiar with, and the findings will be mapped to SPARTA, a space-centric attack framework.

There will be limits to just how far Hack-A-Sat contestants can go. They will be able to attack Moonlighter’s cyber payload while it is in orbit, but they will not be able to change the orbit.

“We are designing the flight software for the cyber payload to basically be able to operate the vehicle fully. So it will be able to change how the vehicle is pointed,” Myrick said. “There’s no orbit changes. That’s all pretty fixed, but where that vehicle was pointed that ability will be there.”

Myrick said that the Moonlighter has a supervisory layer that can shut off the cyber payload so if something “inevitably” goes wrong, they can “figure out what went wrong and how we can be better.”

Five teams have made it to the finals at DEF CON this August to compete for the $50,000 grand prize.

Growing hacking threat to satellite systems compels global push to secure outer space
https://cyberscoop.com/space-secure-by-design/
Thu, 01 Jun 2023 19:23:05 +0000
An international group of experts is working to build the next generation of secure-by-design space systems.

Industry experts gathered in Rome and virtually on Thursday in hopes of answering a question that has long vexed people who worry about defending outer space: How to engineer cybersecurity into complex space systems from ground stations to satellites that reach far beyond.

Building security into the software and networks that control complex space systems is no easy task. But the U.S. government and many other nations around the world are dedicating more resources to protecting space systems such as GPS, space-based imaging and the satellites that provide internet service around the world over concerns that one successful cyberattack could have catastrophic consequences.

Cyberattacks on satellite communication systems such as Viasat, which hackers hit at the beginning of the Ukraine war, drove home the importance of building more security into space systems. And the attacks and intrusions are ongoing; last year the Cybersecurity and Infrastructure Security Agency found Russian hackers sniffing around inside U.S. satellite networks.

“We have the unique opportunity that we can build this from scratch because of the new space era. There [aren’t] many other industries where we can do that. But in space, we’re building all the infrastructure right now, so let’s just do it right,” said Gregory Falco, a professor at Cornell University who studies the cybersecurity of space systems and chair of the Space Systems Cybersecurity Standard working group that met on Thursday. “We need to create secure-by-design specifications for different components of a space system.”

The working group also comes at a turning point for the space industry, which has shifted from one run mainly by government agencies and the military-industrial complex to one driven by private venture capital and Silicon Valley companies such as SpaceX.

The transformation that is well underway means there is a larger market for off-the-shelf space products that introduce more cybersecurity risks, said Falco, who also noted that most equipment for space systems is produced overseas.

“We have really needed to move onto an international model because we’re not getting access to American-made products in a reasonable time frame anymore, given the amount of scale that we’re encountering in the ecosystem,” Falco said. “So that’s something that has prompted questions like: What’s inside? And nobody really knows.”

Falco continued: “The ambition is to just rule out a whole bunch of classes on security issues for future generations of space systems, not looking backwards necessarily.”

Standards set by the Institute of Electrical and Electronics Engineers, which houses the Space Systems Cybersecurity Standard working group, will be voluntary. But the international organization is widely known and its standards are often adopted by regulatory bodies, said Gunes Karabulut Kurt, an associate professor at Polytechnique Montréal and a member of the group.

“IEEE standards are very widely accepted around the world, the most famous one being the internet and Wi-Fi,” says Karabulut Kurt. “What standardization does is basically helps international partners be able to use the same products.

“The standardization aspect becomes very important and especially for security because these devices — I’m mostly talking about communication systems perspective — become more and more capable and, of course … attackers are becoming more and more capable,” she said.

Some guidelines and standards for space systems already exist, such as those developed by the National Institute of Standards and Technology. But critics have said those standards are not specific enough. A paper calling for space systems technical standards, signed last October by more than 40 researchers including individuals from multiple U.S. and international government agencies, noted that NIST guidance is “still currently aimed at providing general guidance, not tailored recommendations for modular spacecraft.”

Similarly, Space Policy Directive 5, issued under the Trump administration, offers generic cyber risk management guidance but again nothing specific or tailored. Other documents, such as NASA’s Space Asset Protection Standard and Japan’s Guidelines on Cybersecurity Measures for Commercial Space Systems, likewise do not cover the full gamut of cyber defenses.

“We need to get down to the nuts and bolts of actually providing people technical best practice guidance on how to protect your system,” said Brandon Bailey, senior project leader for the Cyber Assessments and Research Department at the Aerospace Corporation.

“The devil’s in the details on what you actually need to do about it. That’s where there’s a struggle, because historically people who build space systems are not cyber professionals, right, they’re space people,” Bailey said. “Just like you saw this in industrial control systems in the last 20 years, where you have the industrial control engineers building these cyber-physical systems, but they never were trained and educated on cyber threats and TTPs.”

What the working group and industry needs are more cybersecurity professionals participating, said Falco from Cornell.

“We need cyber folks at the table,” he said. “And we need space people at the table. We also need the policy folks at the table too, because we need someone to ultimately inform the future policy that’s written that will help people to comply with the standard, right? So we need all walks of life engaged in this process from all over the world.”

Correction June 1, 2023: This article has been updated to correct the affiliation and role of Gregory Falco.
