@National Cybersecurity Center of Excellence

So good today to visit the NIST Cybersecurity Center of Excellence (NCCoE).
The cybersecurity solutions developed are aligned to the well-known Cybersecurity Framework (CSF). 


Got to see some of the laboratories, including demonstrations for securing the Healthcare and Energy Sectors. 


Interesting to hear about examples for securing hospitals records and even things like infusion pumps.  


The medical devices are tricky to secure, because they are built to potentially last decades and are expensive to replace, but the underlying technology changes every couple of years. 


Also, learned more about securing the energy sector and their industrial control systems.  


One scary notable item mentioned was about the “big red button” for shutdown in many of these facilities, but apparently there is malware that can even interfere in this critical function. 


It is imperative that as a nation we focus on critical infrastructure protection (CIP) and continuously enhancing our security.


Time is of the essence as our adversaries improve their game, we need to be urgently upping ours. 😉


(Source Photos: Andy Blumenthal)

Radio-Activity

So earlier in the week, I had a great opportunity to visit the NIST Center for Neutron Research (NCNR). 


It was fascinating to see the reactor, control room, and all the cool experiments–not things you see every day, right? 


For safety, we had to wear devices that measured radioactivity and also go through machines that checked us afterward. 


When one person in our group went through the scanner, it went off with a red alert, and the poor individual obviously got really scared–like OMG is there some contamination on me or something.


But they went through again and it turned out it was just a false positive, thank G-d. 


I guess these really can be dangerous substances to work around, but still so marvelous how the scientists harness these neutron beams and direct them to all sort of fascinating scientific experiments. 


Being around all this science makes me think whether if I could do it all again–wondering aloud–whether I would pursue an education in one of these amazing scientific disciplines and work in the lab like a “mad scientist”–exploring and discovering new things and figuring out the mysteries of the universe and how the world really works. 


What a fun, fun field to work in!  😉


(Source Photo: Andy Blumenthal and Art by 4th grader, Phillip Kenney)

Cybersecurity Vulnerabilities Database

Cybersecurity.jpeg

There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 


And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit it!


Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20-days!


Additionally, China’s database has thousands of vulnerabilities identified that don’t appear in the U.S. version. 


Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 


Why the lag and disparity in reporting between their systems and ours?


China uses a “wider variety of sources and methods” for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources–hence, it’s a “trade-off between speed and accuracy.”


For reference: 


The Department of Commerce’s National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).


And the NCD is built off of a “catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp.”


Unfortunately, when it comes to cybersecurity, speed is critical.


If we don’t do vastly better, we can be cyber “dead right” before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  😉


(Source Photo: Andy Blumenthal)

Never Ever More Vulnerable

Vulnerable.jpeg

So we have never been more technology advanced. And at the same time, we have never been more vulnerable


As we all know, our cybersecurity have not kept near pace with our ever growing reliance on everything technology.


There is virtually nothing we do now-a-days that does not involve networks, chips, and bits and bytes. 


Energy

Transportation

Agriculture

Banking

Commerce

Health

Defense

Manufacturing

Telecommunications


If ANYTHING serious happens to cripple our technology base, we are toast!


From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to a EMP blast that simply fries all our electronic circuitry–we are at the mercy of our technology underpinnings. 


Don’t think it cannot happen!


Whether it’s Wannacry ransonware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP–these are just a few of the recent cyber events of 2017!


Technology is both a blessing and a curse–we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!


This is not just a risk that life could become more difficult or inconvenient–it is literally an existential threat, but who wants to think of it that way?


People, property, and our very society is at risk when our cybersecurity is not what it must be.


It’s a race of defensive against offensive capability. 


And we can’t just play defense, we had better actually win at this! 😉


(Source Photo: Andy Blumenthal)

Turn, Press, Pull — Gonna Get Ya

Controls.jpeg

So as I go around town, I see more and more of these industrial-type control panels. 

The problem is that they are stupidly in the open and unprotected or otherwise easily defeated.  

While probably not a serious threat of any sort, this one apparently is a unit to control some fans in an underground garage open to the public. 

You see the knobs you can just turn.

And one with a yellow warning sticker above it.

As if that will keep someone with bad intentions from messing with it. 

You also see the red and yellow lights…hey. let’s see if we can make those flash on, off, on.

Panel 13, nicely numbered for us–let’s look for 1 to 12 and maybe 14+.

It just continues to amaze me that in the age of 9/11 and all the terrorism (and crime) out there that many people still seem so lackadaisical when it comes to basic security. 

Anyone in the habit of leaving doors and gates open, windows unlocked, grounds unmonitored, computers and smart phones without password protection, data unencrypted and not backed up, even borders relatively wide open, and so on. 

Of course, we love our freedom and conveniences.

We want to forget bad experiences.

Could we be too trusting at times?

Maybe we don’t even believe anymore that the threats out there are impactful or real.

But for our adversaries it could just be as simple as finding the right open “opportunity” and that’s our bad. 😉

(Source Photo: Andy Blumenthal)

Dire Warnings On Cybersecurity

Security Camera
This week Adm. Michael Rogers, the Director of the National Security Agency and head of U.S. Cyber Command issued a stark warning to the nation about the state of cybersecurity:



With our cybersecurity over the next decade, “It’s only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic.



The Wall Street Journal reports that he gave ” a candid acknowledgement that the U.S. ISN’T yet prepared to manage the threat!”



China and “one or two others” [i.e. Russia etc.] are infiltrating our SCADA networks that manage our industrial control systems, including our power turbines and transmission systems,.



The cyber spies from the nation states are “leaving behind computer code that could be used to disable the networks  in the future.”



Can you imagine…you must imagine, you must prepare–not if, but when. 



(Source Photo: Andy Blumenthal)

SCADA In Pictures

SCADA In Pictures

SCADA 3 SCADA 4 SCADA

So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more.

These are part of our nation’s critical infrastructure.

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to:

– Turn on and off lights

– Open/close perimeter gates

– Control water and gas pipelines

– And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world.

This is a major security vulnerability for our nation:

– SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

– SCADA systems should not be available without proper access controls–there must be credentials for user id and passwords, and even two-step authentication required.

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure–otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror.

We owe our nation and families better, much better.

(Source Photos from lab: Andy Blumenthal)