HOMELAND SECURITY PERSPECTIVES FOR BUILDING CYBER SECURITY CAPACITY, CAPABILITY AND RESILIENCE

PPA FALL ENERGY CONFERENCE & ANNUAL MEETING – 14 OCTOBER 2021

CISA Cybersecurity Advisor Program

Franco CAPPA, CISSP
Cybersecurity Advisor (CSA)
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY


October 12, 2021

CISA Mission and Vision


• Cybersecurity and Infrastructure Security Agency (CISA) mission:
  • Lead the collaborative national effort to strengthen the security and resilience of America’s critical infrastructure
• CISA vision:
  • A Nation with secure, resilient, and reliable critical infrastructure upon which the American way of life can thrive

“Defend Today, Secure Tomorrow”

Critical Infrastructure (CI) Sectors

“I don't know that much about cyber, but I do think that's the number one problem with mankind.”

CISA “Pillars” & Field Resources

• Cybersecurity—Cybersecurity Advisors (CSAs)
• Infrastructure Security—Protective Security Advisors (PSAs) and Chemical Security Inspectors (CSIs)
• Emergency Communications—Emergency Communication Coordinators (ECCs)
• National Risk Management—Risk analyst

Cyber-Physical Convergence

Today’s threats are targeting physical and cyber assets through sophisticated hybrid attacks with potentially devastating impacts to data, property and physical safety. CISA defines convergence as formal collaboration between previously disjoined security functions.

Source: https://www.cisa.gov/cybersecurity-and-physical-security-convergence

Cyber-Intrusion Campaigns—ICS

The cybersecurity threats posed to the industrial control systems (ICS) that control and operate critical infrastructure are among the most significant and growing issues confronting our Nation. To raise awareness of the risks to—and improve the cyber protection of—critical infrastructure, CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS.

Source: https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-historical-cyber-intrusion-campaigns-targeting-ics

Release date: 20 July 2021

• Joint Cybersecurity Advisory: [AA21-201A: 2011 Gas Pipeline Sector Intrusion Campaign by PRC Actors]
• ICS Joint Security Awareness Report: [JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)]
• ICS Advisory: [ICSA-14-178-01: ICS Focused Malware – Havex]
• ICS Alert: [ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS]
• ICS Alert: [IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure]
• Technical Alert: [TA17-163A: CrashOverride Malware]

Source: https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-historical-cyber-intrusion-campaigns-targeting-ics

Emerging Cyber Threat Trends

• Interconnected systems enabling threat actors.
• Targets of opportunity.
• Paths of least resistance.
• PII and data: high value, high-demand commodities.
• Hacking as a service (HaaS)
• Malicious tools readily available for purchase or download.

Source: DHS I&A

Threat Vectors

• Phishing / Spear-phishing
• Social Engineering
• Business Email Compromise (BEC)
• Exploiting unpatched vulnerabilities on web-facing systems
  • Especially remote-access (e.g., VPN, RDP)
• Exploiting third-parties (e.g., managed services)
• Compromising home networks of employees or family members via emails & telework applications
• Focus on remote / collaboration platforms and cloud services (O365, Webex, Google Drive credentials)

A Wide Range of Offerings for CI

Preparedness Activities

• Information / Threat Indicator Sharing
• Cybersecurity Training and Awareness
• Cyber Exercises and “Playbooks”
• National Cyber Awareness System
• Vulnerability Notes Database
• Information Products and Recommended Practices
• Cybersecurity Evaluations

Offerings for CI—continued

Response Assistance

• Remote / On-Site Assistance
• Malware Analysis
• Hunt and Incident Response Teams
• Incident Coordination

CISA Resources & Reporting

TLP:WHITE

Cybersecurity Assessments

• Cyber Resilience Review (CRR)
• External Dependencies Management (EDM)
• Cyber Infrastructure Survey (CIS)
• Cyber Security Evaluation Tool (CSET)
• Cyber Hygiene Services (Systems & Web)
• Phishing Campaign Assessment
• Validated Architecture Design Review (VADR)
• Remote Penetration Testing (RPT)
• Risk and Vulnerability Assessment (aka “Pen” Test)

STRATEGIC (HIGH-LEVEL): C-SUITE Level

TECHNICAL (LOW-LEVEL): NET/SYS Admin

Protective Security Advisors

Five mission areas that directly support the protection of critical infrastructure:

1. Plan, coordinate, and conduct security surveys and assessments (i.e., IST, SAFE)
2. Plan and conduct outreach activities
3. Support National Special Security Events (NSSEs) & Special Event Activity Rating (SEAR) events
4. Respond to incidents
5. Coordinate and support improvised explosive device awareness and risk mitigation training

Integrated CISA Watch

The mission of CISA Central is to serve as a national center for reporting of and mitigating communications and incidents.

• Provide alerts, warnings, common operating picture on cyber and communications incidents in real time to virtual and on-site partners
• Work 24X7 with partners to mitigate incidents (On-site partners include the DoD, FBI, Secret Service, Information Sharing and Analysis Centers (ISACs) and other DHS components and public partners)

Federal Cybersecurity Response

PPD 41 Highlights:

• Released in July 2016, sets forth the principles governing the Federal Government’s response to any cyber incident.
• Cybersecurity Act of 2018, landmark legislation that established CISA, elevating their mission and authority within the Federal Government.
• Establishes the National Cyber Incident Response Plan and defines cyber incident and significant cyber incident severity schema scoring.
• CISA National Cyber Incident Scoring System (reference below)

Reference CISA NCISS: https://us-cert.cisa.gov/CISA-National-Cyber-Incident-Scoring-System

Key Federal Points of Contact

Threat Response Asset Response

Federal Bureau of Investigation
855-292-3937 or [email protected]
Field Office Cyber Task Forces: http://www.fbi.gov/contact-us/field
Report cybercrime, including computer intrusions or attacks, fraud, intellectual property theft, identity theft, theft of trade secrets, criminal hacking, terrorist activity, espionage, sabotage, or other foreign intelligence activity to FBI Field Office Cyber Task Forces

CISA Watch
888-282-0870 or [email protected]
suspected or confirmed cyber incidents, including when the affected entity may be interested in government assistance in removing the adversary, restoring operations, and recommending ways to further improve security.

FBI Internet Crime Complaint Center: https://www.ic3.gov/

U.S. Secret Service: https://www.secretservice.gov/contact/field-offices

CISA Mailing Lists and Feeds

• Alerts — timely information about current security issues, vulnerabilities, and exploits

• Analysis Reports — in-depth analysis on new or evolving cyber threats

• Bulletins — weekly summaries of new vulnerabilities. Patch information is provided when available

• Tips — advice about common security issues for the general public

• Current Activity — up-to-date information about high-impact types of security activity affecting the community at large

Source: US-CERT.gov

Critical Manufacturing

Source: https://www.cisa.gov/publication/critical-manufacturing-sector-security-guide

Securing ICS

Source: https://www.cisa.gov/publication/securing-industrial-control-systems

CISA Cyber Essentials

Source: https://www.cisa.gov/publication/cyber-essentials-toolkits

Telework Essentials Toolkit

Source: https://www.cisa.gov/publication/telework-essentials-toolkit

STOP Ransomware Website

Source: https://stopransomware.gov/

Resources

• CISA Cybersecurity: https://www.cisa.gov/cybersecurity
• CISA Cyber Resource Hub (assessments): https://www.cisa.gov/cyber-resource-hub
• CSET + Ransomware Readiness Assessment (RRA): https://github.com/cisagov/cset/releases
• CISA Ransomware Resources: https://www.cisa.gov/stopransomware
• CISA Cyber Essentials Toolkit: https://www.cisa.gov/publication/cyber-essentials-toolkits
• CISA Telework Guidance & Resources: https://www.cisa.gov/telework
• Insider Threat Resources: https://www.cisa.gov/publication/insider-risk-self-assessment-tool
• CISA Incident Response: https://us-cert.cisa.gov/report
• CISA Critical Infrastructure Exercises: https://www.cisa.gov/critical-infrastructure-exercises
• Training: https://www.cisa.gov/publication/stop-think-connect-toolkit and https://fedvte.usalearning.gov


For more information: cisa.gov

Questions?

General: [email protected]

CSA: [email protected]: [email protected]
