6.4.24

Minnesota will join 17 other states across the nation with the passage of the Minnesota Consumer Data Privacy Act (MCDPA) on May 19, 2024. The legislation, signed by Governor Walz last month, goes into effect on July 31, 2025, for most entities subject to the law. Postsecondary institutions will have until July 31, 2029, to comply.

Generally, the MCDPA aligns with other state laws that have been passed in the last couple of years. One big note of caution to readers: not every state comprehensive privacy law falls under the threshold set by California. I have observed a tendency for companies I work with to assume that the CCPA/CPRA is the high bar. However, the state comprehensive privacy laws that have emerged over the last couple of years have nuances that must be considered when establishing new programs or updating existing ones. Each law must be reviewed to determine whether an existing program needs updates, or whether a company that previously fell outside every existing law has become subject to the new one.

For those companies that already have established programs, here are some nuances in the MCDPA worth noting that will require review and potentially updates:

  1. Unique provisions for profiling practices: consumer rights and business obligations
  2. Provision to document and maintain a description of policies and procedures used to comply with MCDPA
  3. A provision for data privacy and protection assessment when, among other things, processing involves a “heightened” risk (undefined in MCDPA)
  4. Identification and documentation of an individual with primary responsibility for directing the policies and procedures (mentions “chief privacy officer”)

For companies not currently subject to state comprehensive privacy laws, there are some additional nuances under the MCDPA to consider that could change your applicability status. For example:

  1. There is no blanket exception for entities compliant with HIPAA or GLBA. The MCDPA takes a different approach that focuses more on the data types and specific processing activities.
  2. Small businesses that meet the SBA definition are generally excluded, except that they must still obtain consent before selling sensitive data.
  3. Non-profits are not exempt unless the non-profit is established to detect and prevent fraudulent acts in connection with insurance.

Beyond just the MCDPA, companies collecting or processing information should pay attention to all the latest developments in the privacy law space. To help align privacy programs to the influx of new and changing obligations, companies should deploy some basic common practices to adapt to changing circumstances. Here are a few quick tips to help manage compliance with comprehensive privacy laws generally with some specific MCDPA references mixed in:

Know Your Data

Know what data your company collects or processes, why you collect that information, how it supports your business process, and what you do with that information. MCDPA requires a documented data inventory. Doing this properly can help with decision making in minimizing data collection, eliminating places where data is stored, and helping to decide whether that data should even be collected in the first place. The result could be a reduction in your attack surface thereby minimizing compliance exposure and helping to manage security risk. Privacy teams should work closely with IT security (if separate departments, of course) as basic concepts like inventory of data and equipment are security best practices. If these do not exist in your company currently, it would be good to establish them together.

Don’t Unnecessarily Reinvent the Risk Assessment Wheel

Develop or rework existing risk assessments to be data centric and focus on protecting key processes associated with protected data. This will help prioritize the never-ending list of to-dos for security and help with complying with reasonable data protection requirements in comprehensive state laws. Also, there is an opportunity for companies to leverage a common risk assessment for complying with data privacy and impact assessments. For example, the MCDPA specifically states that data protection assessments or risk assessments conducted for compliance with other laws or regulations may satisfy the obligation under the MCDPA.

Manage Third Parties

Understand and take third party dependencies seriously. Whether using a data processor or relying on a third-party vendor, third parties are a key risk area that every company must understand and manage properly. The first two tips help with this and can mitigate risk in more ways than just satisfying a compliance obligation. Laws like the MCDPA provide a perfect opportunity to tighten the reins on third parties. For example, the MCDPA contains provisions for processors to implement security measures appropriate to the level of risk. Weak risk assessments could yield weak requirements on risky processors.

Avoid Creating Silos

Consolidate policies and procedures to avoid creating silos. Since the MCDPA specifically calls out a list of policies and procedures for complying with the law, there could be a reaction to just create MCDPA specific policies and procedures to check the box. However, this type of action only creates more problems when considering other compliance obligations and greatly increases the risk of those policies and procedures not being followed. Take the opportunity to implement effective policies and procedures specific to your company and avoid the tendency to just pull a template from online and swap out a name for the sake of compliance.

In conclusion, the MCDPA is not the last of the state comprehensive privacy laws. The legislature in Vermont also passed a new comprehensive privacy law that awaits its governor’s signature. Once signed, Vermont will shake up the entire country with its private right of action. At least 10 other states are also actively considering legislation, and, at the federal level, the American Privacy Rights Act (APRA) continues to receive consideration. Frankly, the federal government may have missed its opportunity two years ago as the wave of state level legislation only makes passage of a federal law more difficult. As the wave continues, hopes for a single federal law fade and companies should adapt to the reality that this complex network of state level legislation is here to stay for a while.

About: Jerrod Montoya leads the data protection practice at Truvantis, a cybersecurity and data protection company. Jerrod helps companies of all sizes navigate the complicated world of data protection and its intersection with cybersecurity.

5.29.24 / Wade Hansen

It was a strange thing to be shot at.

The emotions one feels as the alarms sound and rockets careen closer are a mix of fear, indignation, adrenaline-fueled exhilaration, and sadness. I was not surprised by the attack – as an intelligence officer deployed to Iraq, I knew we were surrounded by insurgent elements with both the means and the motive.

In Iraq, I was part of the world’s most powerful warfighting force. We had amazing resources at our disposal – sophisticated technologies to detect and neutralize rockets, Predator drones to patrol the skies above, training, weaponry, and blast walls to protect the personnel deployed to our contingency operating base. Yet, some rockets still made it through. On Iraq’s roads, improvised explosive devices that cost a few hundred dollars to make took down million-dollar Mine Resistant Ambush Protected vehicles and ended human lives.

Clashes in cyber space reflect a similar asymmetry. A Deloitte survey suggested that cyber security spending amounts to around $2500 per employee per year or $25 million for a company with 10,000 employees. Yet, each year thousands of these companies fall victim to hackers, who conduct attacks with little more than an internet-connected laptop.

Among the factors that led to a reduction in the violence in Iraq starting in the 2007-2008 timeframe was a unified counterinsurgency strategy. Building upon lessons learned in Vietnam and other guerrilla-like conflicts in the annals of military history, General David Petraeus led a team that rewrote the book on asymmetric conflict: US Army Field Manual 3-24: Counterinsurgency.

Among the themes that apply to combatting both physical and cyber insurgency are:

Unity of Effort: In the cyber domain, we recognize that we are all interconnected by definition on the Internet. We aim to unify effort through groups like the Cyber Security Summit, ISACs and ISAOs, InfraGard, Cloud Security Alliance, and others. We confer with each other at RSAC, BlackHat, Defcon, and B-Sides to stay abreast of trends and developments.

Secure the Populace: People are the greatest vulnerability any entity has – and the greatest strength. They are susceptible to social engineering, phishing, and a variety of other schemes that bypass technology controls. Insider threats are a major threat. Just as no amount of force could win the hearts and minds of the Iraqi people, it takes soft power – education, training, and leadership – to get buy-in from the rank-and-file members of our organizations to remain vigilant against cyber threats.

Intelligence: The goal of intelligence is to shift from reacting to an attack to preventing an attack – to “get left of boom.” While there is no crystal ball to see the future, analysis of trends in tactics, targeting, and attack vectors can help cyber defense teams focus on the most likely and worst-case scenarios – and guides the allocation of resources to control these risks. In other words, cyber leaders need to know the details of breaches at analogous companies. How did the intruders gain access? How did they expand privileges? Who are the threat actors? What motivates them? Do they target a particular industry? Why? Arming oneself with this knowledge allows a cyber leader to take action to reduce the likelihood of being similarly victimized.

Conceptualizing the cyber threat landscape as analogous to the battlefields of Vietnam, Iraq, Afghanistan, and the other historical guerrilla-style kinetic conflicts underscores the reality that the world is already at undeclared war in cyberspace. Corporations can no longer be bystanders – they’re under attack from online pirates, counterculture vigilantes, and nation-state sponsored hacking units. Bleakly, there will likely be no end to this war – unity of effort, vigilantly securing the populace, and continued commitment to intelligence operations must be part of the strategy for dealing with this reality.

Wade Hansen, Director / Great Lakes Region, Flashpoint

Wade is the senior representative to the Great Lakes region for Flashpoint, a global threat intelligence firm. In this role, he helps companies solve complex intelligence problems related to cyber and physical security threats, and fraud.  

Prior to joining Flashpoint, Wade was a U.S. Air Force cyber intelligence officer, and led cyber threat intelligence operations for the National Security Agency defensive cyber operations directorate. Other military assignments focused on counterterrorism operations and asymmetric warfare and included a deployment to Iraq in support of a Navy SEAL team. 

Following active duty in 2016, Wade was based in Saudi Arabia, where he helped American companies connect with partners and opportunities in the Middle East.  

Wade holds a Master of Business Administration from George Mason University, a master’s degree in intelligence studies from American Military University, and a Bachelor of Arts in Middle East Studies/Arabic from Brigham Young University. 

4.17.24 / Massoud Amin / Think Tank Advisor Emeritus

What is in the news affecting our security? The Foreign Intelligence Surveillance Act (FISA) permits government surveillance of foreigners without court approval, even those suspected of communication with U.S. citizens, raising concerns about civil liberties. A bill renewing a national security surveillance program faced bipartisan opposition. The Republican-led House blocked the bill, leaving its progress uncertain before the April 19 deadline. The House vote count was 228 in favor and 193 against, blocking the bill’s progress [https://lnkd.in/g_i35-sP].

While the FBI and the Department of Justice correctly argue for the program’s necessity in combating various threats, including drug smuggling and cybersecurity risks, recent political tensions have exacerbated the debate. President Trump’s public opposition, fueled by his previous experiences with intelligence agencies, adds complexity to the discourse.

Under FISA, surveillance of U.S. citizens mandates adherence to legal procedures and oversight to uphold Fourth Amendment rights. Although citizens can be monitored if suspected of foreign espionage or terrorism, stringent measures are in place to ensure constitutional protections are respected, minimizing unwarranted data collection.

FISA, enacted in 1978, regulates surveillance conducted to gather foreign intelligence.

A timeline of FISA after 1978:

 • 2001: Following the September 11 attacks, FISA undergoes revisions with the passing of the USA PATRIOT Act, expanding government surveillance powers.

 • 2005: The New York Times reveals the Bush administration’s warrantless wiretapping program, sparking debates about surveillance and civil liberties.

 • 2008: FISA Amendments Act is passed, providing legal immunity to telecommunications companies that cooperated with warrantless wiretapping programs.

 • 2013: Edward Snowden leaks classified documents revealing the extent of NSA surveillance programs, including bulk collection of phone metadata under FISA.

 • 2015: The USA FREEDOM Act is signed into law, ending bulk collection of domestic phone metadata and introducing other reforms to FISA.

 • 2017: Section 702 of FISA is reauthorized for six years, despite concerns about privacy and surveillance abuses.

 • 2018: President Trump signs the FISA Amendments Reauthorization Act, extending Section 702 surveillance authorities.

 • 2019: The USA FREEDOM Reauthorization Act of 2020 is signed into law, reauthorizing several surveillance provisions under FISA.

 • 2020: The USA FREEDOM Reauthorization Act expires, leading to debates about the future of FISA and government surveillance practices.

 • 2021: Efforts to reform or reauthorize FISA face challenges amid concerns about civil liberties and government surveillance.

You can connect with Massoud Amin here at the Cyber Security Summit at https://www.cybersecuritysummit.org/speakers/dr-massoud-amin-2/ and on LinkedIn at https://www.linkedin.com/in/massoudamin/

CISA shares critical infrastructure defense tips against Chinese hackers

By Bleeping Computer

CISA, the NSA, the FBI, and several other agencies in the U.S. and worldwide warned critical infrastructure leaders to protect their systems against the Chinese Volt Typhoon hacking group.

Together with the NSA, the FBI, other U.S. government agencies, and partner Five Eyes cybersecurity agencies, including cybersecurity agencies from Australia, Canada, the United Kingdom, and New Zealand, it also issued defense tips on detecting and defending against Volt Typhoon attacks.

Last month, they also warned that Chinese hackers had breached multiple U.S. critical infrastructure organizations and maintained access to at least one of them for at least five years before being discovered.

Authorities have observed that the cyber espionage group Volt Typhoon’s targets and tactics differ from typical activities, suggesting their goal is to obtain access to Operational Technology (OT) assets within networks, which could be exploited to disrupt critical infrastructure.

U.S. authorities are concerned that this Chinese group may exploit such access to further disrupt critical infrastructure and cause disruptions during military conflicts or geopolitical tensions.

Today, CISA and partner U.S. government agencies (including the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, and the Department of Treasury) advised critical infrastructure leaders to empower their cybersecurity teams to make informed resourcing decisions, secure their supply chain, and ensure that performance management outcomes align with their organization’s cyber goals.

“Key best practices for your cybersecurity teams includes ensuring logging, including for access and security, is turned on for applications and systems and logs are stored in a central system. Robust logging is necessary for detecting and mitigating living off the land,” the joint guidance says [PDF].

3.13.24 > Elizabeth Stevens

Back in 2013, FBI Minneapolis Special Agent Liz Lehrkamp was assigned to the cyber squad and served as the liaison to the InfraGard program. Liz joined the Cyber Security Summit to add government perspective alongside academic, military and private sector advisory board representatives, and that relationship continues today via FBI Private Sector Coordinator / Special Agent John Bonhage. Many InfraGard members have presented at and served as Think Tank Advisors to the Summit, including current President Tim Herman and past presidents Mike Johnson, Jerrod Montoya, and yours truly. Partnerships are at the heart of the Summit and its many industry partner organizations. This week’s blog takes a look at InfraGard. Membership is free, so consider applying today https://www.infragard.org/Application/General/NewApplication. -Elizabeth Stevens, Cyber Security Summit | The Event Group

InfraGard is a unique partnership between the Federal Bureau of Investigation (FBI) and individuals in the private sector for the protection of U.S. critical infrastructure and the American people. As one of the nation’s largest public/private partnerships, InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide security-related education, networking, and information-sharing.

InfraGard members include corporate security managers, directors and C-suite executives, cybersecurity and IT professionals, chief information security officers, financial services executives, healthcare professionals, emergency managers, military and government officials, academics, state, local and tribal law enforcement, and more — all dedicated to contributing industry-specific insight to advance national security. Tens of thousands of members share one goal: to protect critical infrastructure, the foundation of American life.

Established in 1996, InfraGard has more than 70 local InfraGard Member Alliances (IMAs), which are represented nationally by the InfraGard National Members Alliance (INMA). Each IMA or “chapter” is affiliated with an FBI Field Office and supported by a Special Agent Private Sector Coordinator. John Bonhage is the Special Agent Private Sector Coordinator for the Minneapolis FBI, and serves as the liaison to the Minnesota, South Dakota and North Dakota IMA organizations.

InfraGard enhances our nation’s collective ability to identify and mitigate threats to critical infrastructure by fostering collaboration, education, and information-sharing through a robust private sector/government partnership. To accomplish this mission, InfraGard promotes ongoing dialogue and timely communication between its members and the FBI through local, regional, and national programs. This two-way exchange of information equips InfraGard members with the knowledge, information, and resources to protect their respective organizations, while the FBI benefits from private sector engagement, insight, and expertise that can help prevent terrorism, cybercrime, espionage, and more.

Membership Benefits:

  • FBI and other government agency threat advisories, intelligence bulletins, analytical reports, and vulnerability assessments.
  • Presentations and trainings by the FBI and other government agencies.
  • Direct engagement with the FBI, other government agencies, and private sector experts at the local level.
  • Access to a members-only web portal that supports information-sharing and collaboration.
  • Access to subject matter experts within each critical infrastructure sector through special interest groups (SIGs).
  • Invitations to regional and national InfraGard events.
  • Registration discounts for selected conferences, seminars, and summits.

2.28.24

EDITOR’s NOTE: My role as Communications Director involves outreach with our professional association industry partners, and one of the first meetings I attended was a chapter gathering of the Military Cyber Professionals Association. Think Tank member and MCPA President Brian Morgan introduced me to the group, I gave a quick Summit pitch, and stayed for some people and pizza time. A former member of the military, Cheyne Taylor, introduced himself as a guy working a full-time gig and a future graduate of the UW Stout master’s program. Here’s a bit more from Cheyne as we kick off our 2024 Think Tank blog series.  -Elizabeth Stevens, Director

ES: When we first met at that MCPA meeting, my recollection is that you inquired about the various MCPA, early bird and student discounts, hoping to leverage the best deal. I mentioned the volunteer alternative, which is how you joined the event team at the Summit. Talk a bit about your first Summit experience.

CT: My first Summit went very well. As a graduate student, I do not have a lot of disposable income, so volunteering was really the best way for me to experience the Summit. Giving my time was the easy part. I find it difficult to start a conversation when networking because I’m more of an introvert. However, I knew that this event was a true goldmine for opportunities and wisdom from experienced professionals, so I forced myself to do it. There were so many amazing speakers that I learned quite a bit.

I also enjoyed connecting with various professional organizations and the vendors. Even though I’m a student, I found talking with different vendors beneficial too, so I could learn more about the services and technology that’s being used in the cybersecurity space currently. All the staff and volunteers were amazing to work with. We worked very well with each other, and if there was a specific session we wanted to see or an individual we wanted to network with, there was always someone willing to step in.

ES: You demonstrated great competence and customer service over those three days – we dubbed you MVP (Master Volunteer Professional) for the support you provided. Talk about some of the sessions you attended – including any that you caught from the recorded version after the Summit – and what you learned. Did you find the content and quality you wanted?

CT: With the theme of the Summit being on resilience, Evan Francen, CEO of FRSecure, delivered a fantastic talk on resilience and really made it timely by using a natural disaster as an example. Another great talk was the FBI Breakfast. I really liked how the topics spanned many aspects of the resilience theme. Again, there were just so many amazing presentations that it’s challenging trying to choose a favorite. Overall, I thought there was great content for everyone, whether they’re a student or CISO. The quality of each presentation I attended was excellent. The presenters were very knowledgeable on their respective topics also.

ES:  The need to recruit, engage and retain tech workers is ever-present. This year you joined the Summit Think Tank as a student and industry partner liaison. Talk a bit about continuing education, the value of an advanced degree, and how students might make some sense of the many certification options out there. There’s so much to consider!

CT: I have always been an advocate of lifelong learning. However, in today’s job market being a lifelong learner is absolutely essential to stay marketable. I personally am pursuing an advanced degree and hopefully another one after I graduate this year, so I think advanced degrees are great. However, the Cybersecurity and Information Technology space is very broad; it’s like saying you want to join the military, so I don’t think every position requires an advanced degree. I believe that everyone should pursue some sort of additional education or training after high school, whether it be obtaining a certificate, a PhD, or something in between. If I could offer a piece of advice to someone trying to decide on pursuing advanced study, I’d suggest aligning their interests to identify what they want to do in cybersecurity, and then search for those jobs on a job board like LinkedIn to see what employers are requiring. It’s easy to get overwhelmed with all the certifications, and it seems like most schools offer a cybersecurity degree of sorts.

10.18.23 > Paul Veeneman

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are two pivotal entities in the U.S. responsible for maintaining the nation’s security and resilience against cyber threats. The NSA is largely tasked with global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes. On the other hand, CISA defends the nation’s critical infrastructure from both physical and cyber threats, helping to ensure the security, integrity, and resilience of the nation’s critical infrastructure systems and networks. Both agencies collaborate to provide guidance and strategies to protect against evolving cyber threats.

From the perspective of both the NSA and CISA, cybersecurity is an expansive field that requires a proactive and comprehensive approach. It encompasses the protection of the nation’s critical infrastructure systems and networks against cyber threats and vulnerabilities. This includes areas such as identity and access management, vulnerability and patch management, systematic auditing, and monitoring of systems and networks. It also involves the implementation of multifactor authentication, single sign-on systems, and automated detection and response mechanisms. Essentially, cybersecurity is about implementing a layered defense strategy, which includes isolating and segmenting critical assets, and monitoring activity between applications, systems, and the associated network traffic. It’s about ensuring the confidentiality, integrity, and availability of data by fortifying the nation’s cyber infrastructure against both domestic and foreign threats.

The Role of NSA and CISA in Cybersecurity: Remember – It’s Guidance

NSA and CISA contribute significantly to cybersecurity through their guidance and strategies. They provide crucial intelligence, threat detection, and protection to the nation’s critical infrastructure. Both organizations advocate for a comprehensive approach to cybersecurity that includes identity and access management, vulnerability and patch management, and systematic auditing and monitoring of systems and networks.

However, it’s important to note that while NSA and CISA provide strong leadership and guidance in the cybersecurity realm, their influence and authority have limitations in certain industries. For instance, the private sector, which includes companies in various industries such as manufacturing, finance, and healthcare, often operates outside the direct regulatory control of NSA and CISA. While these agencies can provide recommendations and best practices, they cannot enforce compliance. Moreover, they rely on voluntary information sharing from these industries to gain a comprehensive view of the threat landscape. Therefore, the effectiveness of these agencies in improving the cybersecurity posture of these sectors depends on the extent of collaboration and cooperation from these industries.

Overview of Cybersecurity Misconfigurations

Cybersecurity misconfigurations represent a typical, albeit avoidable, risk that can have serious consequences. They occur when security settings are set up incorrectly, often leaving systems exposed or poorly protected. These misconfigurations might be as simple as leaving default passwords in place, failing to apply patches in a timely manner, or mismanaging user access permissions. The negative impacts of such oversights can be far-reaching. In the best-case scenario, a misconfiguration might result in a minor disruption to business operations. However, if exploited by a malicious actor, it could lead to data breaches, system downtime, reputation damage, regulatory penalties, or even financial loss. Furthermore, the process of resolving these issues can be costly and time-consuming, particularly if they’re identified late. Thus, proper configuration of security settings is a critical aspect of a robust cybersecurity strategy.

In the real world, we’ve seen a few notable examples of the consequences of security misconfigurations. In 2017, a misconfigured AWS S3 bucket exposed the personal information of nearly 198 million American voters. The data was publicly accessible for days before the error was identified and corrected. The incident highlights how a simple oversight can potentially lead to a massive data leak, compromising the privacy of millions.

Another example is the infamous Equifax data breach in 2017, where hackers exploited a known vulnerability in Apache Struts, a framework used for building Java applications. The company had failed to apply the necessary patch, resulting in a misconfiguration that left their systems exposed. The breach resulted in the theft of personal information of nearly 147 million people, leading to a hefty fine of $575 million and colossal reputation damage. These incidents underscore the importance of diligent vulnerability and patch management as part of a comprehensive cybersecurity strategy.

Top 10 Cybersecurity Misconfigurations According to NSA and CISA

  1. Uncontrolled Cloud Storage: Data stored in the cloud without proper access controls can be easily exploited.
  2. Inadequate Network Segmentation: When networks are not segmented properly, threats can spread more easily.
  3. Unrestricted Admin Privileges: Unnecessary admin privileges can lead to accidental or malicious changes.
  4. Lack of Regular Software Updates: Out-of-date software is an easy target for cyber-attacks.
  5. Weak Password Policies: Simple, common, or unchanged passwords increase vulnerability.
  6. Using Default Configurations: Default settings are well-known, making systems easier to breach.
  7. Unsecured Remote Desktop Protocol (RDP) Connections: If not secured correctly, RDP can provide an easy entry for threats.
  8. Absence of Multi-Factor Authentication (MFA): MFA dramatically improves account security by requiring multiple forms of proof of identity.
  9. Inadequate Log Management: Without proper logging, detecting and investigating attacks becomes difficult.
  10. Lack of Regular Backups: Regular backups are essential to recover from a cyber-attack.

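The first and third items above (uncontrolled cloud storage, as in the 2017 exposed S3 bucket, and unrestricted admin privileges) are both visible in the policy documents themselves, so they can be caught before deployment. The following checker is an added example written for this page, not code from NSA, CISA or the author; the bucket name, account id and role name in the sample policies are constructed placeholders.

```python
import json

# Constructed sample: a bucket policy of the kind that leaves objects readable by
# anyone on the internet (misconfiguration 1), and a corrected version that grants
# read access only to one application role and only over TLS.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-voter-data",
                     "arn:aws:s3:::example-voter-data/*"],
    }],
})

RESTRICTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-voter-data/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Constructed sample: an identity policy granting every action on every resource,
# the "unrestricted admin privileges" pattern (misconfiguration 3).
ADMIN_STAR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Policy elements may be a single string or a list; normalise to a list.
def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

# "*" or {"AWS": "*"} means any caller, including anonymous (unauthenticated) ones.
def _is_public_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False

# A wildcard principal can still be fenced in by a condition that ties the caller
# to a VPC, VPC endpoint, organisation or source IP; treat those as mitigating.
def _has_principal_limiting_condition(statement) -> bool:
    limiting = {"aws:sourcevpc", "aws:sourcevpce", "aws:principalorgid", "aws:sourceip"}
    for operator in statement.get("Condition", {}).values():
        if any(key.lower() in limiting for key in operator):
            return True
    return False

def find_policy_findings(policy_json: str) -> list[str]:
    """Return human-readable findings for public-read and admin-star grants."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = st.get("Sid", f"statement[{i}]")
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if _is_public_principal(st.get("Principal")) and \
                not _has_principal_limiting_condition(st):
            readers = sorted(a for a in actions
                             if a in ("s3:getobject", "s3:listbucket", "s3:*", "*"))
            if readers:
                findings.append(f"{sid}: public principal may read bucket contents "
                                f"via {', '.join(readers)}")
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            findings.append(f"{sid}: unrestricted admin grant (Action '*' on Resource '*')")
    return findings

if __name__ == "__main__":
    for name, doc in [("public bucket", PUBLIC_BUCKET_POLICY),
                      ("restricted bucket", RESTRICTED_BUCKET_POLICY),
                      ("admin identity policy", ADMIN_STAR_POLICY)]:
        print(name, "->", find_policy_findings(doc) or "no findings")
```

The same function can be pointed at policies pulled from an account inventory, which is where the data-inventory and asset-management advice elsewhere on this page pays off.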
Let’s Drill Down on Two Critical Aspects

Identity and Access Management

Identity and Access Management (IAM) is the cornerstone of cyber security, making sure the right people have the right access to the right resources at the right time. The recent guidance released by NSA and CISA emphasizes the importance of implementing robust IAM practices. These include multifactor authentication and single sign-on for enhancing security while maintaining user convenience. The guidance also outlines the significance of auditing and monitoring to track user activities, detect potential security threats, and respond swiftly. Furthermore, it calls for prudent management of privileged accounts due to their high-risk nature, advocating for behavioral monitoring of such accounts. Lastly, it stresses the importance of isolation and segmentation of critical assets and stringent monitoring of activity between applications, systems and the associated network traffic.

According to NSA and CISA guidance, identity and access management is crucial in mitigating cybersecurity misconfigurations. Two of the top 10 misconfigurations directly relate to identity and access management: Unrestricted Admin Privileges and Absence of Multi-Factor Authentication (MFA).

Unrestricted Admin Privileges: This aspect amplifies the potential for damage, as it can lead to accidental or malicious changes that could compromise the security of the entire system. The guidance emphasizes the need to grant admin privileges judiciously and monitor their use closely.

Absence of Multi-Factor Authentication (MFA): This is another significant misconfiguration. MFA greatly enhances account security by requiring multiple forms of proof of identity before granting access. Its absence weakens defenses by relying solely on passwords, which can be breached or guessed. Implementing MFA is a vital step in reducing vulnerability to cyberattacks.

Information Systems and Critical Asset Management

NSA and CISA have also provided insights on maintaining the integrity of critical assets and information systems. The agencies strongly advocate for rigorous asset management practices to enhance the security of vital information systems. They recommend a detailed inventory of all digital assets, including hardware and software components, to help identify potential vulnerabilities and ensure timely patch management.

Critical assets, due to their significant role in the functioning of a system or organization, require additional protective measures. The guidance highlights the necessity of isolation and segmentation of these assets to mitigate the risk of a broad system compromise in the event of a security breach. Moreover, it calls for the monitoring of all activity between applications, systems, and the associated network traffic to swiftly detect and react to any anomalies, reinforcing the security of critical assets and the entire information system as a whole.

The NSA and CISA guidance underscores the importance of effective Information Systems and Critical Asset Management in mitigating cybersecurity misconfigurations. It highlights that a lack of knowledge about the organization’s network and the absence of an accurate and complete software inventory are among the top 10 misconfigurations that increase vulnerability to cyber-attacks. Information Systems management includes having an accurate inventory of software, as well as ensuring all software is up-to-date with patches. Critical Asset Management, on the other hand, involves knowing and managing all network-connected devices, especially those housing sensitive information. In the absence of such management, it is impossible to fully secure assets, as unknown or unmanaged assets can easily become entry points for cyber threats.

The Gaps Between “Guidance” & Your Organization’s Specific Needs

The NSA and CISA guidance on Identity and Access Management, MFA, and SSO offers valuable insights and recommendations for organizations looking to strengthen their security practices and mitigate cyber risks and threats. In today’s ever-evolving digital landscape, the importance of cybersecurity standards and guidance from CISA and NSA, as well as guidance from other national and international entities such as ISO 27001, ISA/IEC 62443, SOC2 and NIST, cannot be overstated. However, it is crucial to recognize that these frameworks alone are not a panacea for ensuring resilience against cyber threats and risk.

International standards such as ISO 27001 and ISA/IEC 62443 play a crucial role in ensuring the security of information systems and operational technology for organizations, entities, and the larger scope of critical infrastructure. SOC2 attestation, on the other hand, is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA) that assesses the effectiveness of an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. Lastly, NIST cybersecurity guidance for government and nonfederal organizations provides a comprehensive framework for managing and mitigating cybersecurity risks, offering guidelines and best practices that can be adopted to enhance resilience and security posture.

Leaders, stakeholders, and decision-makers must take an active role in “filling in the gaps” specific to their organizations and the unique risks they face. While CISA and NSA directives and national and international standards provide a foundation, it is the responsibility of these individuals to adapt and implement the necessary measures to safeguard critical data and assets effectively. By combining the guidance offered by these agencies and standards bodies with a proactive and tailored approach, organizations can create a comprehensive security strategy that aligns with their specific needs, mitigates risks, and creates the resilience needed in today’s digital landscape.


PAUL VEENEMAN > Secretary of the Board, MN ISSA

With over 27 years of experience across various industries including Finance, Oil and Gas, Healthcare and Manufacturing, Paul has been actively working within the Nation’s critical infrastructure, addressing challenges, providing guidance, insight and innovation in Operations Technology, Industrial Controls, IoT, IIoT, SCADA cyber security knowledge, expertise, and education. Paul currently holds the CISSP, CISM, and CRISC certifications, and serves on several boards, including the local Minnesota chapters of InfraGard, the Information Systems Security Association (ISSA), and the International Society of Automation (ISA).


Connect with Paul on LinkedIn


9.19.23 > Brian Morgan
Security burnout. A topic not often discussed, but certainly often experienced.
Allow me to read off a few keywords for you here.
Ready?
EternalBlue. WannaCry. NotPetya. Heartbleed. Shellshock. Solarwinds. Log4J.
Is your heart racing? Are your palms sweating? Are you dizzy, perhaps?
If not, then chances are you either don’t work in information/IT security, or haven’t been paying enough attention over the past decade. These are the insidious incidents that kept IT and security staff late into the night. Sometimes all night, depending on the risk level. They were “significant emotional events” at most organizations. And while dramatic, and the subsequent remediation efforts herculean, we won! We beat the bad guys forever. When the patches are all installed we can just relax for a few years and take a breather.
Oh, wait… you work in security?
Yeah, there’s no relaxing here. On to the next major vulnerability, the next data breach, or the next ransomware event. The train never stops. If you aren’t responding to an incident, you’re shoring up defenses and preparing to respond. If you’ve been in the game long enough, chances are you know what I’m talking about. Either you, or someone you know, has hit that dark point where they just wonder if all the hard work, late nights, and life energy they are committing on behalf of the “good guys” to secure and defend is ultimately worth much. That rock-in-the-stomach feeling one gets when their internal monologue concludes that they are ultimately trying to hold back a tsunami with a basement sump pump. Information security can be like that sometimes. There are hundreds of difficult, expensive, and time-consuming things which need to be done, controls which need to be implemented, findings which need to be remediated, and tiresome, technical, and detailed work that needs to be accomplished, synchronized, and fine-tuned to be considered “secure”. But even that isn’t enough, is it?
Many, many breaches still occur through the timeless art of social engineering, when the keys to the kingdom are simply given away by unsuspecting users who are working, as expected, on your network. Multi-billion dollar enterprises get hacked. Government agencies get hacked. Even spy agencies doing nation-state level hacking get hacked. Criminals make tens of billions of dollars a year globally running illicit and illegal schemes using technology born only in the past few decades. Are we winning this fight, or losing it? It’s hard to say. But ultimately, the constant fight itself takes a toll. Security professionals are uniquely exposed to a wide variety of significant pressures. Pressure to constantly fight for adequate funding in order to do the things that need doing. The pressure of being seen as an “overhead” cost center just eating money, rather than being credited with silently keeping the stock price afloat by avoiding headlines. Pressure to constantly educate and promote security awareness to illustrate the importance of a security-conscious culture. Pressure to retain and inspire talent in an ultra-competitive marketplace. Pressure to get the technical things right 100% of the time, when operating within hyper-complex software systems with possible invisible vulnerabilities which could let an attacker bypass your defenses and get access to your chewy center (and you may not even know it). Pressure from only getting recognized when security systems fail, even if it’s not your fault. Good security is largely transparent, and no one is going out of their way to applaud an invisible security feature, no matter how brilliant it is. It can all feel overwhelming, to be sure, especially since the pressures don’t really seem to let up. They only get heavier, at all levels. Alas, don’t fret… there is hope.
There are a few ways to combat security burnout. First, recognize that nothing is perfect. And, nothing will ever be perfect. That’s important to remember. Many security and IT professionals can tend to be a bit… perfectionist. It has something to do with our brains. So when something isn’t perfect, or exquisitely tuned close to it, it can drive us crazy, leading to anxiety and frustration. This can be avoided by simply acknowledging the reality that there will always be problems. There will always be vulnerabilities to remediate and risk to mitigate, and there will always be more work to do. In an ever-evolving environment, the one constant is change, and we must become truly comfortable with that. You’ll always have gaps to fill.
Second, realize that we live in a unique time within our history. Many of us remember growing up without any internet at all. Now, nearly everything is interconnected, and nearly every person, relationship, and company relies on the internet in some way or another. If things sometimes feel out of control, or that the technology is moving too fast and it’s hard to keep up, that’s normal. I don’t think anyone feels completely and totally “on top” of 100% of the emergent technologies being implemented across the board. There’s an ocean of stuff to know. Chances are, you’re farther ahead than you realize. Don’t get frustrated. Give yourself credit for how far you’ve come. Congratulate yourself on the certs and experience you have acquired, and if you have a knowledge gap you’d like to close, sign up for a course and close it! Also, take a break! Go on vacation. Camp under the stars. Spend deliberate time recalling why you chose this profession and the reasons why you fight the good fight. This will help you stay motivated. It can certainly feel overwhelming to play the role of the perpetual white hat defender, when a literal world of black hats are probing you and your organization 24/7/365. Depending on your situation, you can do the right things 99% of the time, but that 1% error can be all it takes to wind up in the hot seat. Few professional domains have such a low margin for error, aside from military operations, doctors/surgeons, or free-climbers. To counter this, it helps to remind yourself that everything matters, no matter how trivial it may seem. Every firewall rule, every standard put in place, every security presentation, it all matters. Even if you aren’t a CISO making all the big calls, your work and energy truly matter.
So, keep fighting the fights and doing the right things. Even if there’s no winning this war, and the bad actors will keep coming back, we must do all we can each day to keep shoring our defenses and to stay on top. It all adds up to a job worth doing, and a life worth living. Don’t let your burn go out.
Brian Morgan, Director Cyber Coordination Cell (C3), Minnesota National Guard
Joint Force Headquarters Minnesota Cyber Plans Officer, and Network Development Manager at Amazon Web Services
Army Lieutenant Colonel Brian Morgan is currently a Signal and Cyber plans officer at the Joint Force Headquarters in St. Paul, Minnesota. LTC Morgan enlisted in the Wisconsin Army National Guard in 2003 as an infantryman, and was commissioned as a Military Intelligence second lieutenant in 2006. He transferred to the Minnesota National Guard in 2008 to work in the 34th Division G2 (Intelligence). He has served in both full-time, federal technician, and traditional M-Day roles within the Minnesota National Guard and has completed deployments to Iraq in 2009-2010, Kuwait in 2018-2019, and most recently to Maryland from 2020-2021 leading the first-ever deployment of the 177 Cyber Protection team. He has extensive experience in information security, technical security, networking, software, and cyber operations. He has commanded at the company level, and has served on battalion staff for the 2-135 IN RGT and on division staff in the 34th Infantry Division G2 (Intelligence) and G6 (Signal). His most significant awards include the Meritorious Service Medal with two bronze oak leaf clusters.
LTC Morgan has earned a Bachelor of Arts in Applied Mathematics & Computer Science from the University of Wisconsin-Stout and a Master of Business Administration from Saint Thomas Opus College of Business. He has held numerous professional certifications in information security and networking such as CISSP, CISM, CEH, CCNA, CCSP, CNDA, PCEP, and AWS-CCP. He is a graduate of the Army’s Functional Area 26A (Cyber and network engineering) school at Fort Gordon, and is one of only a handful of officers in the Minnesota Army National Guard to hold the full 17A (Cyber Operations Officer) MOS.
In his civilian occupation, he serves as a Network Development Manager for Amazon Web Services, ensuring the stability and security of the government cloud.
You can connect with Brian on LinkedIn

8.28.23 > Guest Blog Feature > Thomas Thomalla, Jr.

History and Conflicting Priorities

I’ve worked in situations where Information Technology (IT) teams and Operational Technology (OT) teams are different and don’t get along. The goal of this article is to demystify OT systems for IT teams, and help find common ground – Technology and Risk Management.

IT is the use of computers to handle data, rather than handling it with paper or manual processes. This should be centered around the needs of the business and therefore, the needs of the users.

OT is the use of computers to interface with things in the real world by sensing inputs and controlling outputs. This is typically centered around the needs of the business as well, but in this case, the business usually produces something physical like products, energy, or food. Users interact with these systems, but the main purpose of OT systems is to control or monitor something physical.

Early on, these were often separate groups for a few reasons. IT focused on data processing, efficiency, and business processes. It evolved from mainframes to PCs to the cloud, and now distributed architecture.

OT focused on control, safety, and uptime. It evolved from electro-mechanical controls like relays and timers, to Programmable Logic Controllers (PLCs). As time progressed, more IT-like systems were introduced like data historians and computer-based user interfaces. Now we see cloud and Machine Learning as part of OT environments similar to IT environments.

Yet these two teams often remain separate, and sometimes at odds with each other. The three pillars of Information Security are Confidentiality, Integrity, and Availability. IT would often put Confidentiality at the top of their list, while OT would put Availability at the top of their list. This is where conflicts begin. For example, IT wants to patch systems as soon as possible to minimize vulnerabilities, lock sessions after 15 minutes, and keep passwords long – thereby maximizing Confidentiality. OT wants to hold off on patches, and make sure operators can always access the system – maximizing Availability. The reality is that we can’t prioritize one pillar over another. They are ALL important to both IT and OT. The best way to make balanced decisions is to use risk as a deciding factor.

We are starting to see a combination of IT and OT in Industry 4.0. It is the fourth industrial revolution where we use information to make decisions, integrate that information from the top to the bottom of the organization, and also between its suppliers. Many industries have been collecting data for decades, but the barrier of entry for data analysis tools and skillsets has been high. These barriers have been coming down quickly as Machine Learning becomes commonplace. To accomplish Industry 4.0 ideals, IT/OT collaboration and teamwork is necessary. An air gap as a security measure is likely no longer an option, aside from a few very specific industries. Things will be connected, and both IT and OT need to understand each other for an optimal outcome.

Overview of Operational Technology

OT can take many forms. The majority of OT systems can be classified into two main categories: Building Automation Systems (BAS) and Industrial Control Systems (ICS). Then the lines get blurry with Internet of Things (IoT), and Industrial Internet of Things (IIoT). There are also specialty systems such as laboratory, medical device, and life safety systems that are beyond the scope of this conversation.

Building Automation Systems help maintain occupant comfort and safety. Heating, Ventilating and Air Conditioning (HVAC) controls, lighting controls, card access, and security systems would fall into this category. These systems are often optimized for a specific use, which drives down cost and makes scalability easier. BAS systems require proprietary software and tools to program and install them, and in larger systems there is often a user interface that maintenance and security staff can use to manage the system. In most cases, the manufacturer that provides the hardware also provides the user interface. When these systems need to communicate with each other, there is usually a common protocol such as BACnet that allows systems to send and receive data in real time.

Industrial Control Systems are used to control physical processes or systems that you would see in industries like manufacturing, energy, and transportation. Reliability is paramount, so these systems have many more components to make up a working system. The Purdue Model, also referred to as the Purdue Enterprise Reference Architecture, provides a good outline that will introduce many of the terms that might be encountered with industrial controls. It’s worth noting that not all ICS systems adhere to the Purdue model, and the efficacy of it in modern architectures is under debate. The Purdue model is comprised of five distinct levels. Level 5 references the Internet, and Level 4 represents the organization’s Business Systems. Levels 4 and 5 are typically the responsibility of the IT department. Level 3 would include things like the Human Machine Interface (HMI), databases, and historians (trend data or time series data). Level 2 may include the Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), or a local HMI. Level 1 is where field controllers are typically found such as Programmable Logic Controllers (PLC), Remote Terminal Units (RTUs), and Safety Controllers. Level 0 is where the real world connects – sensors, motor controllers, actuators, lights, etc. This reference is not exhaustive, nor accurate for every industry.
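As an added illustration of the segmentation and monitoring point behind the Purdue levels above (my example, not code from the original post or its author): a small Python checker that classifies flow records by Purdue level and flags traffic that skips a level boundary, so an IT/OT team can review it together. The subnet-to-level map, the adjacent-levels-only policy, the log line format and the sample flows are all assumptions constructed for this example; real site addressing and policy differ.

```python
"""Added example, not part of the original post: classify network flows by
Purdue level and flag flows that skip levels, the kind of cross-boundary
traffic that segmentation guidance says to isolate and monitor.

Assumptions (constructed for this example, not from the post): the subnet
map below, a policy that traffic may only move between adjacent Purdue
levels, the made-up log line format, and the sample flow log at the bottom.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnet-to-Purdue-level map. Real site addressing differs.
PURDUE_SUBNETS = {
    4: ["10.40.0.0/16"],  # business systems (IT-managed)
    3: ["10.30.0.0/16"],  # site operations: HMI, databases, historians
    2: ["10.20.0.0/16"],  # SCADA, DCS, local HMI
    1: ["10.10.0.0/16"],  # PLCs, RTUs, safety controllers
    0: ["10.0.0.0/16"],   # sensors, motor controllers, actuators
}
# Anything not listed above is treated as Level 5 (Internet / outside).
INTERNET_LEVEL = 5


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def purdue_level(ip: str) -> int:
    """Map an IP address to its Purdue level using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for level, nets in PURDUE_SUBNETS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return level
    return INTERNET_LEVEL


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form
    'src=<ip> dst=<ip> dport=<port>' (a made-up format for this example)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow crosses more than one Purdue level,
    otherwise None. Adjacent-level traffic (e.g. L3 <-> L2) is expected;
    L4 -> L1 or Internet -> L2 skips the intermediate boundaries."""
    s, d = purdue_level(flow.src), purdue_level(flow.dst)
    if abs(s - d) > 1:
        return (f"{flow.src} (L{s}) -> {flow.dst}:{flow.dport} (L{d}) "
                f"skips {abs(s - d) - 1} Purdue boundary(ies)")
    return None


def review_flows(lines) -> list:
    """Run every constructed log line through check_flow; return findings.
    Findings are for review, since not every ICS follows the Purdue model."""
    findings = []
    for line in lines:
        finding = check_flow(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample flows (not real traffic). 203.0.113.0/24 is a
# documentation range standing in for an Internet host.
SAMPLE_LOG = [
    "src=10.40.1.5 dst=10.30.0.9 dport=443",      # L4 -> L3: expected
    "src=10.30.0.9 dst=10.20.0.3 dport=5432",     # L3 -> L2: expected
    "src=10.20.0.3 dst=10.10.2.7 dport=502",      # L2 -> L1: expected
    "src=10.40.1.5 dst=10.10.2.7 dport=502",      # L4 -> L1: skips L3, L2
    "src=203.0.113.10 dst=10.20.0.3 dport=3389",  # Internet -> L2: skips
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_LOG):
        print(finding)
```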

With the basics out of the way, let’s compare the BAS and ICS.

                         ICS (Industrial)                                  BAS (Building)
Use Cases                Non-specific                                      Specific
Control Loop Times       Milliseconds                                      Seconds or Minutes
Controller Environment   Wide Temperature                                  Conditioned Spaces
Controller Redundancy    Mostly Available                                  Mostly not Available
Online Program Editing   Mostly Available                                  Mostly not Available
Protocols                Profinet, EtherNet/IP, Modbus, HART, Proprietary  BACnet, LonWorks, Modbus, Proprietary
Hardware Lifetime        20-30 Years                                       10-15 Years


The use cases for an ICS controller are non-specific. Many are freely programmable, so the same model of the controller can serve many purposes. It may need to make decisions in milliseconds to maintain the process. The controllers may reside outdoors or in harsh environments, and may be deployed in highly available architectures. Additionally, some enable the system engineer to change the program on the fly, without interrupting the process. Generally, the lifetime on these systems is very long.

The use cases for a BAS controller are usually specific. An HVAC controller generally controls HVAC equipment, and a lighting controller generally controls lights. The programming is sometimes locked to those specific cases although it varies by the manufacturer. While many controllers are capable of making decisions in milliseconds, the processes often don’t require that level of control. The controllers are often in conditioned spaces such as mechanical rooms or data closets – but not always. Highly available architecture is not typically a requirement, therefore, programming changes often require a controller restart (although that trend seems to be changing). These systems are expected to last a long time but controller failure is less of an issue and systems tend to get replaced as a building is remodeled or as energy efficiency requirements increase.

Now let’s tackle two other categories that may be classified as OT – IoT and IIoT. The reality is that the lines are often blurred, and what a manufacturer calls their device is irrelevant. Every organization needs to understand what is on their network and what it is communicating with.

IoT is the Internet of Things. These are devices that were born in the Internet era – and with Internet connectivity often being a requirement for them to be functional. They also tend to be paired with an app or service. Security and privacy may be an afterthought or loosely defined. Smart cameras, smart watches, smart doorbells, smart toasters, smart speakers – the list goes on and on. We run into complications when these cross out of the consumer environment and into a workplace network. Let’s explore a smart security camera. It’s cheap, easy to set up, and has an app that can provide remote viewing. For many small businesses without an IT department this is a natural choice to help improve physical security. It’s even tempting for medium businesses when a full-blown Network Video Recorder (NVR) and network camera system could easily cost ten times more. But what happens when the employee that set up the camera leaves? What happens when the manufacturer decides not to support the device anymore or the service goes defunct? I’m not saying an IoT device serves no place in business or that everyone must purchase business or industrial grade equipment. The business should assess the risks of IoT devices and their associated services and make an active risk decision, rather than a passive decision to accept that risk.

IIoT is the Industrial Internet of Things. These are also devices born in the Internet era, but usually focus on a business segment rather than the consumer market. In this category you might find things like vending machines, remote sensors, and cellular connectivity, as well as the associated platforms to manage the services they provide. Security and privacy are usually thought of early on and may be contractual. These devices also tend to have longevity in mind, whereas the consumer IoT market does not. Many vendors will provide security architecture details – ask for them, seek to understand the architecture, and ask questions. The business is accepting the risk, so make it an informed risk decision.

The Common Ground

It’s important to find common ground to set the stage for improved IT/OT collaboration.

First, Confidentiality, Integrity, and Availability are important to both IT and OT. We both want the right person to have access to the right data at the right time in order to make the best decisions. Second, both systems are Internet Protocol (IP) based. We’re often dealing with the same networking stack. Third, both systems are usually dealing with the same software stack (Microsoft Windows) at some level. Fourth, while the embedded microcontrollers used in OT systems are not general purpose computers, they are still computers. In some cases we are seeing general purpose single board computers (SBCs) make their way into OT systems. Most importantly, both IT and OT make risk decisions on behalf of the organization, whether this is formalized or not.

Benefits of this Collaboration

Let’s point out some benefits of Information Technology and Operational Technology having a good relationship.

  • Many of the skill sets required to operate modern OT systems are similar to those needed for IT systems. When things are down or your preferred vendor isn’t available it’s good to have another team to help work through problems.
  • If IT is going to be a hindrance OT may be resourceful and find their own way (Shadow IT). That isn’t always good from an overall risk perspective. Having IT and OT on the same page will result in better overall risk decisions.
  • If you are serious about Digital Transformation and Industry 4.0 you need consensus at all levels of the organization. IT and OT being on the same page is one piece of that puzzle.
  • With technology accelerating faster than ever we need all the technology players working together.
  • When you are evaluating new OT vendors, you must talk about security early on. Vendors won’t always include the most secure end result unless you ask for it. I think this is where there is the most opportunity for IT to assist. Once IT knows OT they can help with these evaluations.
  • In general, the more teams know each other, the better they can understand why things are done a certain way.

Where do we go from here?

IT and OT should have a good working relationship. IT and OT are more alike than they are different. Each absolutely has their own dialect and are specialized in their own ways. Here are some ideas to open the conversation. If you are an IT person who dabbles in electronics, home automation, programming, or just likes learning new things – talk to an OT person and find some common ground. If you are an IT person and have no idea where to start – grab your personal protective equipment (PPE) and head to the field with an OT person. Just get a tour, ask them what is new or where there are pain points. If you are an OT person who knows just enough about IP addressing and network information to get by – befriend the IT person and make that connection for when you need an extra set of eyes. If you are an OT person who really doesn’t understand why an IT policy is the way it is – ask.

The collaboration between IT and OT is essential for modern industries. While IT and OT may operate within distinct realms, a close partnership is essential to address the challenges of a rapidly evolving technological landscape. By recognizing common ground and understanding the unique strengths each brings to the table, IT and OT professionals, practitioners, engineers, and technicians can bridge the gaps that have historically separated them. This alone won’t prepare an organization for digital transformation, but it is a necessary step. The traditional boundaries of technology will continue to blur even beyond IT and OT, and a unified approach to technology becomes more crucial than ever.


Tom Thomalla, Jr., CISSP, GICSP, GCIH

Thomas is the Director of Information Systems for Ever-Green Energy. He has over 20 years of experience in IT, building automation, industrial automation, and information security. He holds a Bachelor of Applied Science in Information Technology Infrastructure from the University of Minnesota.

You can connect with Thomas on LinkedIn at https://www.linkedin.com/in/tthomallajr/

8.23.23 > Eric Roeske

Cyber Security Summit Think Tank representatives bring a fantastic mix of experience and expertise to ensure the Summit offers quality for a variety of audiences. Captain Eric Roeske of the Minnesota State Patrol is a Think Tank member who has more than 20 years of public service and additionally holds a Master of Science in Security Technologies from the University of Minnesota Technological Leadership Institute. “Serving all communities to build a safer Minnesota” is the mission of the State of Minnesota Department of Public Safety, under which the State Patrol is organized. This week’s blog highlights public sector efforts to enhance safety, protect data and focus on cyber security with an excerpt from the Minnesota Department of Public Safety strategic plan. It’s just a small part of the whole program. The Summit offers a full day Public Sector Seminar on Tuesday, October 24. Join us as we focus on the unique considerations for state, local, tribal, territorial and other government leaders and organizations.

The Minnesota Department of Public Safety Strategic Plan excerpt we highlight below can be found on page 11 within the full document https://dps.mn.gov/divisions/co/Documents/DPS-Strategic-Plan-2023-2027.pdf. Like the State Patrol, the Bureau of Criminal Apprehension (BCA) is a division of the DPS and holds primary responsibility for the security of criminal justice data. The other 18 pages include information about school safety, reducing violent crime, and enhancing crime analytics capabilities, among other topics, as well as a documented commitment to hiring and developing a more diverse workforce.

Minnesotans deserve to live in communities where they feel safe. DPS, through the efforts of many of its divisions, works to improve or maintain the safety of all Minnesotans. The strategies outlined in this priority area identify the current risks and ways the department intends to mitigate those risks to build a safer Minnesota for all.

Strategy — Protect sensitive criminal justice data from cybersecurity threats through increased IT security and compliance efforts.

The Minnesota Bureau of Criminal Apprehension (BCA) is responsible for the appropriate maintenance and dissemination of criminal justice information at the local, state and federal levels. The BCA provides authorized access to these data via more than 30 different systems to law enforcement, the judicial system, corrections, prosecution, public defense and other non-criminal justice agencies.

  • What we want to accomplish:

              o Manage access of authorized users to BCA data more effectively.

              o Maintain more comprehensive asset management of hardware and software.

              o Ensure hardware and software are updated to protect against vulnerabilities.

              o Improve scanning and monitoring to detect security vulnerabilities.

              o Meet FBI IT security compliance requirements.

  • What activities we will undertake to support this strategy:

              o Implement new identity and access management (IAM) system.

              o Implement new asset management tool and processes.

              o Implement new tool to automatically update hardware and software.

              o Implement real-time detection of security vulnerabilities.

              o Update BCA’s IT security policies and standards.

  • Metrics and milestones:

              o Identify new IAM solution by October 2023.

              o Implement new IAM system by June 2024.

              o Migrate BCA Priority 1 systems to new IAM system by June 2025.

              o Define and start tracking all IT assets by December 2023.

              o Implement new patch management tool to automate 90 percent of hardware and software updates by June 2024.

              o Implement real-time notifications for BCA’s intrusion prevention and intrusion detection systems by June 2024.

              o Ensure BCA has all IT security policies required by the FBI approved by June 2024.

 

ERIC ROESKE > Captain, Minnesota State Patrol

Captain Eric Roeske is the Director of the Capitol Security and Executive Protection division of the Minnesota State Patrol.

Captain Roeske has 26 years of law enforcement experience at the municipal, county and state level. In his 22 years with the Minnesota State Patrol, he has been a patrol trooper, SWAT team member, firearms and crowd management instructor and public information officer prior to his current role.

Captain Roeske holds a bachelor’s degree in sociology from the University of Wisconsin-River Falls and a master’s degree in security technologies from the University of Minnesota Technological Leadership Institute.

You can Connect with Eric here at the Cyber Security Summit

and on LinkedIn at https://www.linkedin.com/in/eric-roeske-46528420/

 

8.9.23 > Jeffrey Peal III

Artificial intelligence (AI) is rapidly changing the way we live and work, and the field of information security is no exception. AI can be used to automate many of the tasks involved in information security, such as threat detection, incident response, and compliance reporting. However, AI can also be used to improve information security awareness training.

Information security awareness training is essential for any organization that wants to protect its data and systems from attack. However, traditional information security awareness training can be boring and ineffective. AI can be used to make information security awareness training more engaging and effective.

For example, AI can be used to create personalized training modules that are tailored to the individual needs of each employee. AI can also be used to create interactive training exercises that help employees learn how to identify and respond to security threats.

In addition to making information security awareness training more engaging, AI can also be used to measure the effectiveness of the training. AI can track employee progress and identify areas where additional training is needed. This information can be used to improve the training program over time.

Overall, AI has the potential to revolutionize information security awareness training. AI can help organizations reduce the risk of data breaches and other security incidents by making training more engaging and effective.

Here are some specific examples of how AI is being used to improve information security awareness training:

  • PhishMe (now Cofense): uses AI to create realistic phishing simulations that help employees learn how to identify and avoid phishing attacks.
  • KnowBe4: uses AI to track employee progress and identify areas where additional training is needed.
  • SANS Institute: offers a variety of AI-powered security awareness training courses.

These are just a few examples of how AI is being used to improve information security awareness training. As AI continues to develop, we can expect to see even more innovative and effective ways to use AI to protect our data and systems from attack.

In addition to the benefits mentioned above, AI can also be used to improve information security awareness training in several other ways. For example, AI can be used to:

  1. Identify and target employees who are most at risk of falling for phishing attacks. AI can analyze employee behavior and identify those who are more likely to click on malicious links or open infected attachments. These employees can then be targeted with more specific training focusing on the threats they are most likely to encounter.
  2. Personalize training content to meet the individual needs of each employee. AI can be used to assess each employee’s knowledge and understanding of security risks. This information can then be used to create personalized training modules that are tailored to the individual’s needs.
  3. Make training more engaging and interactive. AI can be used to create interactive training exercises that help employees learn how to identify and respond to security threats. These exercises can be more engaging and effective than traditional training methods, such as lectures and presentations.

Overall, AI has the potential to revolutionize information security awareness training. AI can help organizations reduce the risk of data breaches and other security incidents by making training more engaging, effective, and personalized.

JEFFREY ALLEN PEAL, III, Information Security Officer, SullivanCotter

Through his 20 years of security and technology experience, Jeff Peal has lived on the front lines of cybersecurity operations, starting as an individual contributor and security practitioner and working his way up to leading the development of Information Security programs as the Information Security Officer at the Federal Reserve Bank of Minneapolis. Jeff is an instructor at Dunwoody Technical College and a Community Faculty member at Metro State University and holds board positions with the Cloud Security Alliance and MN Cyber.

You can Connect with Jeffrey here at the Cyber Security Summit 

Or on LinkedIn at https://www.linkedin.com/in/jeffery-allen-peal-iii-70b24120/

8.7.23 > Jeff Norem

“We have enough security budget to properly protect the organization and meet all of our risk and compliance obligations,” said almost no CISO ever, especially those at small- to mid-sized organizations. Most of us know budgets will always be tight, so how can we continue to improve without busting the budget? Below are three ideas you can use to get more out of your security budget.

 

  1. Define your operating model – craft and share your security story

How good is your security program documentation? Do your control descriptions and operating procedures follow a standard format and quality bar? Do you have a strategy, and was it written generically from industry analyst reports, or was it worked out with your peers and leadership around how security supports the business objectives? Your program documentation is all that explains your security story when you are not there to tell it, so spend time making sure it explains your intent and approach.

 

Make sure your standard operating procedures are clear, and then evaluate them. The next time you bring in a new SOC analyst, see if they can complete their duties simply by reviewing the runbooks and documentation. Remember to answer these questions: What are your cyber capabilities? What are the most relevant threats to your organization, and how do your capabilities address them? Not all controls and capabilities are created equal, so which are the most important, and why?

 

Go beyond awareness. Could you explain the security expectations to all stakeholders more clearly? It is common for teams to write a new security policy or requirement and assume that everybody (including their own teams) fully understands what it takes to comply with it. Do not assume that awareness and understanding are a given.

 

I often harp on controlling the narrative, or telling a better story. We all know that the small, not-earth-shattering improvements we can make do not “wow” our stakeholders and might not grab headlines. That does not mean they are not just as valuable. Focus on better explaining how hygiene and simple efficiencies or enhancements also move the needle. By using storytelling techniques such as framing the problem or citing real-world, relevant examples, much can be done at small cost to improve the security story.

 

  2. Get more out of your current tooling

If you are reading this and work in security, it is a coin flip that you already have a “tool rationalization” project going. Many of us would like to get the best-of-breed or shiny, innovative technology product; take a look at your email or LinkedIn, and you will find many partners happy to sell it to us. Odds are that you will not always have the budget to buy the best point solutions and ensure they are properly integrated across your security stack. Think about how you can work with your vendor partners. The good ones are not just selling you a tool; they are trying to help you improve your capabilities and find the right tools at the right cost for your organization’s needs.

 

There is no right answer to the point-solutions-versus-integrated-platform question; there is just what is right for your program and organization. If you have budget constraints, less tooling to manage, update, document, audit, and so on can result in cost and time savings. Take a deep look at the functionality of your tools to see whether you are getting all the value from them, or whether there are modules or integrations that are “good enough” that you can retire other point solutions. My approach has been to buy the best point solutions for the protections that matter most and to consolidate all of the others where I can.

 

If you cannot afford more outsourced penetration testing or commercial automated testing tools, ask an intern or junior analyst to learn Kali Linux or Burp Suite (with the same written scope and authorization you would give an outside tester). Not only can you do some cost-effective testing, it also engages your talent and lets them learn.

 

  3. The best way to stay on budget is to get the budget you need from the start!

Let us talk about cyber risk quantification. If you are not aware of this approach, which supports better security decisions by expressing cyber risk as the probability and size of financial loss, you are falling behind. Use it to justify your resource ask with a financially based return on investment: how does the request support the business, and how much expected loss does it remove for its cost? The best way not to go over budget is to justify, and get leadership to approve, a realistic budget that meets your organization’s cyber needs.
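The following is an added example, not code from the original post or from Jeff Norem, of what “risk as the probability of financial loss” looks like in practice. It is a small FAIR-style Monte Carlo: loss event frequency is modeled as a Poisson rate per year, per-event loss magnitude as a lognormal, and annualized loss exposure (ALE) is compared before and after a proposed control so the budget ask can be stated as ROI. The scenario, its numbers (0.5 ransomware events per year, a $400k median event, a $120k-per-year control that cuts the rate to 0.15) and the control itself are constructed assumptions for illustration only.

```python
"""Added example: FAIR-style cyber risk quantification for a budget ask.

Not from the original post. Models one loss scenario with assumed, constructed
numbers: loss event frequency (LEF) as a Poisson rate per year and per-event
loss magnitude (LM) as lognormal, then compares annualized loss exposure (ALE)
before and after a proposed control to express the ask as financial ROI.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: float        # expected loss events per year (Poisson rate)
    lm_median: float  # median loss per event, USD
    lm_sigma: float   # lognormal sigma: spread of per-event loss (1.0 is a heavy tail)

    def expected_annual_loss(self) -> float:
        """Closed-form ALE = LEF * E[LM] = lef * exp(mu + sigma^2 / 2)."""
        mu = math.log(self.lm_median)
        return self.lef * math.exp(mu + self.lm_sigma ** 2 / 2)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (the stdlib random module has none); fine for small rates."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 7) -> list:
    """One sample = total loss in one simulated year (sum of that year's events)."""
    rng = random.Random(seed)
    mu = math.log(s.lm_median)
    samples = []
    for _ in range(years):
        events = poisson(rng, s.lef)
        samples.append(sum(rng.lognormvariate(mu, s.lm_sigma) for _ in range(events)))
    return samples


def percentile(samples: list, q: float) -> float:
    """Empirical quantile of the simulated annual losses (q in [0, 1])."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def control_case(before: Scenario, after: Scenario, control_cost: float) -> dict:
    """Financial framing: expected loss the control removes per year versus its cost."""
    ale_before = before.expected_annual_loss()
    ale_after = after.expected_annual_loss()
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "net_benefit": reduction - control_cost,
        "roi": (reduction - control_cost) / control_cost,
    }


# Constructed inputs (assumptions, not data from the post): ransomware following a
# phished credential. The assumed control (phishing-resistant MFA plus EDR) cuts the
# event rate but not the damage of an event that still gets through.
BEFORE = Scenario("ransomware via phished credential", lef=0.5, lm_median=400_000, lm_sigma=1.0)
AFTER = Scenario("same scenario with MFA + EDR", lef=0.15, lm_median=400_000, lm_sigma=1.0)
CONTROL_COST = 120_000  # assumed annual cost of the control, USD


if __name__ == "__main__":
    sim = simulate_annual_losses(BEFORE)
    print(f"{BEFORE.name}: analytic ALE ${BEFORE.expected_annual_loss():,.0f}")
    print(f"  simulated mean ${sum(sim) / len(sim):,.0f}, "
          f"median ${percentile(sim, 0.5):,.0f}, 95th percentile ${percentile(sim, 0.95):,.0f}")
    case = control_case(BEFORE, AFTER, CONTROL_COST)
    for key, value in case.items():
        print(f"  {key:>15}: {value:.2f}" if key == "roi" else f"  {key:>15}: ${value:,.0f}")
```

Two things the numbers show that a single “expected loss” figure hides: with half an event per year, the median simulated year loses nothing at all while the 95th percentile is several times the mean, which is the tail a board actually worries about; and the ask is framed as net benefit and ROI (reduction in expected loss minus the control’s cost), which is the comparison leadership can weigh against any other spend.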

 

A tight budget does not mean a great cyber program is impossible. With a strong vision, some creativity, quantification of your cyber risk, and partnership with your leaders, you can live within your means and meet – or even exceed – your program goals.

 

This post reflects the author’s opinion and does not necessarily reflect the position or viewpoint of Freddie Mac.

 

JEFF NOREM, VICE PRESIDENT, FREDDIE MAC 

Co-chair of 2022 Cyber Security Summit; Deputy CISO, Freddie Mac

Jeff is a data protection and privacy leader, CISO, board member and cyber product adviser with 20+ years of experience in security, privacy, fraud and risk management across multiple industries.  He is a frequent speaker at global security and risk conferences, author and active member in the community.

Jeff holds an MBA from the University of St. Thomas with a focus in risk leadership and is a founding member of the UST Risk Leadership Advisory Board. Certifications include CISSP, CISA and OpenFAIR.

His focus is building security programs that allow organizations to meet their objectives through effective decision making and prioritized security investments by truly understanding their risk in terms of probability of financial loss.

Check out his LinkedIn

7.26.23 > Lee Ann Villella

Protecting people and defending data in the face of cyber threats is crucial based on trends and patterns that have emerged in the cybercriminal landscape. Several key factors include:

  1. Evolution of Cybercriminal Business Models: Cybercriminals have honed their strategies and now primarily focus on three profitable business models: ransomware, data extortion, and business email compromise (BEC). These models have proven to be highly lucrative, outcompeting other illicit activities.
  2. Prevalence of Ransomware and Data Extortion: Ransomware attacks have become increasingly common, where cybercriminals encrypt victims’ data and demand ransom payments to release it. Data extortion is closely related, involving threats to publish sensitive information unless a payment is made.
  3. Impact of BEC: Business Email Compromise (BEC) continues to be a major source of financial losses. This type of attack involves impersonating trusted individuals to deceive employees into transferring funds or sensitive data.
  4. Focus on People and Data: The underlying theme across various threat types is the exploitation of human vulnerabilities. Whether it’s through phishing, social engineering, or insider threats, cybercriminals target people as the weakest link in the security chain. Moreover, data remains a prime target for insiders and is crucial for extortion actors to inflict maximum damage.
  5. Worsening Trends: The overall threat landscape is showing alarming trends. Average ransom payments are on the rise, indicating that cybercriminals are successfully extorting more money from their victims. BEC losses are at record highs, causing significant financial damage. Additionally, data loss incidents are also increasing, posing severe risks to organizations and individuals.
  6. Global Impact: Cyber threats are not limited to specific regions or countries. Incidents of intellectual property (IP) theft are rising worldwide and causing more damage than ever before. Major national security and law enforcement agencies, such as the FBI in the U.S. and MI5 in the UK, are actively involved in combating these threats.

Given these emerging patterns, protecting individuals and organizations from cyber threats and securing valuable data has become a critical priority. Cybersecurity measures such as robust data protection, employee training, threat detection, and incident response plans are essential to mitigate the risks posed by cybercriminals and safeguard against potential financial and reputational damages.

Protecting people and the data that matters to their organization and personal life is part of building better cyber resilience. The philosophy is to break the links in the attack chain: attackers rely on standardized techniques for initial compromise, privilege escalation, and lateral movement, so disrupting any one of those links stops the chain.

Join Proofpoint at the Summit on Tuesday, October 24. Bar Maor, Security Research Team Lead, will lead a 50-minute tech session on “Unmasking AWS Deceptions: Unraveling Cloud Security’s Sneaky Side.”

Lee Ann Villella > Security Consultant, Proofpoint

Lee Ann has been a member of the Cybersecurity Summit Think Tank for 3.5 years. She volunteers with the Women in Cybersecurity MN Chapter (WiCyS MN) supporting membership and the annual golf tournament.

She is passionate about mentoring young people and those transitioning into cybersecurity careers. Lee Ann Villella serves customers via Proofpoint, a leading cybersecurity company protecting people, data, and brands against advanced threats and compliance risks.

Lee Ann brings over 20 years in sales and account management across a wide variety of industries. She holds a B.A. degree in English and Women’s Studies from St. Olaf College.

You can Connect with Lee Ann here at The Summit

And on LinkedIn at https://www.linkedin.com/in/leeannvillella/