National Institute of Standards – РИСК-АКАДЕМИЯ – АНО ДПО ИСАР

The clock is ticking for compliance with IMO’s 2021 cyber regulations.

riskacademy — Sun, 15 Nov 2020 17:19:27 +0000

Maritime organisations have long focused on safety and the management of risks, however, bringing cyber threats into play can often be challenging as these are usually harder to quantify, understand and relate to the physical world. Some lessons can be brought across from other industries and frameworks, including that of the National Institute of Standards and Technology (NIST), which can be very helpful in aligning thinking and practice to cyber risks. But there are unique considerations that need to be factored in when applying a robust risk management process to cyber risks within marine and offshore organisations.

In 2017, the IMO issued MSC-FAL.1/Circ.3 ‘Guidelines on maritime cyber risk management’. These guidelines provide high-level recommendations to safeguard shipping from current and emerging cyber threats and vulnerabilities, including functional elements that support effective cyber risk management. The IMO’s Maritime Safety Committee then adopted these guidelines through Resolution MSC.428(98) ‘Maritime Cyber Risk Management in Safety Management Systems’. This resolution encourages administrations to ensure that cyber risks are appropriately…

US DOE and NIST Partner to Improve Cybersecurity in Energy, Maritime Transportation Industries

riskacademy — Fri, 23 Oct 2020 12:02:54 +0000

On October 5, the US Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) reached a $3 million partnership agreement with the National Institute of Standards and Technology (NIST) in order to “research and develop tools and practices that will strengthen the cybersecurity of the nation’s energy sector and maritime transportation system.”

According to CESER, 40% of all maritime traffic is comprised of energy products, which highlights the importance of addressing cybersecurity risks at seaports and in maritime transportation to safeguard US energy security. In the past several years, the incidence of cyber-intrusions, malware attacks and other dangerous lapses in cybersecurity impacting the maritime and energy sectors has increased tremendously across the globe.

As of September 2020, APM-Maersk, COSCO Shipping, CMA CGM, and Mediterranean Shipping Company have all fallen victim to multiple cyberattacks. These attacks include but are not limited to company data centers being breached/taken offline, disabling onboard vessel navigation systems and tampering with container booking systems. In 2018, one attack on Maersk’s global IT…

Want to Improve Bulk Electric System Cybersecurity? Focus on Specific NIST Controls

riskacademy — Tue, 29 Sep 2020 15:26:44 +0000

In late June 2020, the Federal Energy Regulatory Commission (FERC) released a Notice of Inquiry¹ (NOI) in which they asked detailed questions about the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the risk and impact of a coordinated cyberattack on the bulk electric system (BES). A recurring question throughout the NOI was whether low-impact cyber systems should be subject to the same North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards currently required of medium- and high-impact BES cyber systems.

The policy outcome that arises from this attention on the BES will need to balance the government interest in protecting the nation against a coordinated cyberattack and industry concerns about regulatory burden. This is especially important as low-impact systems are usually smaller and often have fewer resources than their larger, medium- and high-impact system counterparts. To balance these interests, one potential solution would be to implement certain NERC CIP controls and NIST concepts for low-impact cyber systems that will have the most impact:

NERC-CIP’s Asset inventory (CIP 002-5.1a)²…

Acquired Data Solutions, KDM Analytics Partner on Cyber Risk Analysis Offering for Federal Sector

riskacademy — Sat, 22 Aug 2020 23:52:04 +0000

cybersecurity

Acquired Data Solutions and KDM Analytics have partnered to market an automated cyber risk analysis and measurement platform to federal agencies and equipment providers.

The Blade RiskManager product is designed to help organizations monitor possible system and operational risks through artificial intelligence approaches, ADS said Wednesday.

The partnership aims to help customers reduce the time they will spend when pursuing evaluations with the National Institute of Standards and Technology’s risk management framework.

Steve Seiden, president of ADS, said online exposure of older operational technology devices has created new risks that could affect critical infrastructure assets.

“Urgent, proactive strategies are needed to ensure OT cybersecurity develops to the same maturity as IT cybersecurity,” Seiden added.

!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=’2.0′;
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,…

FERC Considers Enhancements to Cybersecurity in Notice of Inquiry and Staff White Paper | Davis Wright Tremaine LLP

riskacademy — Wed, 08 Jul 2020 04:34:36 +0000

The Federal Energy Regulatory Commission (FERC) issued a Notice of Inquiry (NOI) on June 18, 2020, requesting comments on potential enhancements to the current U.S. Critical Infrastructure Protection (CIP) Reliability Standards (CIP Standards). In the NOI, FERC also seeks input on the potential risk of a coordinated cyberattack on geographically distributed targets and the need for FERC to address such risk.

In a related development, that same day FERC Staff (Staff) issued a Cybersecurity Incentives Policy White Paper (the White Paper) that discusses a potential new framework for providing transmission incentives to utilities for cybersecurity investments. The Staff presents a framework for providing transmission incentives to utilities “for cybersecurity investments that produce significant benefits for actions that exceed” the CIP Standards.

The NOI

CIP Standards are mandatory and enforceable following their approval by FERC. They are intended to provide a risk-based, defense-in-depth approach to cybersecurity of the bulk electric system (BES).

An important source for improving the CIP Standards to address evolving cyber threats is the National Institute of Standards…

Top 25 Cyber Execs to Watch in 2020: Peraton’s Jim Schifalacqua

riskacademy — Mon, 25 May 2020 21:40:06 +0000

Jim Schifalacqua, Peraton

Joining Peraton in 2018, Jim Schifalacqua has worked to integrate an entirely new infrastructure and cybersecurity architecture using a cloud-first approach. This architecture proved critical during the COVID-19 crisis, when employees were able to quickly pivot to a remote working environment, having the same secure capabilities as they had in their offices.

The Peraton approach uses high-assurance cloud services, multiple software-as-a-service security components and integrated multifactor authentication to achieve a zero-trust architecture with private access, advanced information protection and advanced security threat detection. Peraton was able to rapidly comply with the National Institute of Standards and Technology’s 800-171 cybersecurity requirements.

Schifalacqua’s team of motivated cybersecurity experts transitioned Peraton’s SOC from a bloated proprietary managed security services provider solution with low-visibility into the environment to a high-performance, cost-effective hybrid model where in-house threat hunters easily work across the enterprise with advanced detection and response tools. Schifalacqua…