At a glance.
- US plans for water utility cybersecurity.
- Update on the US Cyber Safety Review Board.
- Russian authorities shut down carder fora.
- ASIO warns about private sector cybersecurity.
White House plans for water utility cybersecurity.
Last month the Biden administration and the US Environmental Protection Agency (EPA) announced a new plan for protecting the industrial control systems (ICS) that run the country's water utilities from cyberthreats. The plan will begin with pilot programs in the nation's largest population centers, supporting efforts to detect, report, and remediate vulnerabilities.
The plan involves unfunded mandates, meaning the utility companies and their customers will bear the financial burden, but the hope is that guidance from the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) will help keep the cost of implementing these protections down. As Fitch Ratings explains, "Historically, the nation's water utility systems' cyber defenses have been neglected, as they were not developed with cyber resiliency in mind, and recent events have shown that the susceptibility of these systems to attack poses a threat to national security."
First steps for Cyber Safety Review Board.
As we noted last week, the US Department of Homeland Security (DHS) has finally named the members of the newly established Cyber Safety Review Board (CSRB), a cybersecurity advisory panel of government and industry leaders created in response to a May executive order from President Joe Biden. MSSP outlines the board's operating structure, under which the Cybersecurity and Infrastructure Security Agency (CISA) will manage, support, and fund the Board, while CISA Director Jen Easterly will appoint CSRB members and convene the group in response to major cyber events, in consultation with the CSRB chair, DHS Under Secretary for Policy Rob Silvers.
The CSRB has no regulatory or enforcement powers; it is an advisory body that will "thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors," according to Secretary of Homeland Security Alejandro Mayorkas. As its first action, the CSRB will investigate the Log4j vulnerability, and its report is expected to be released publicly "to the greatest extent possible," allowing for appropriate redactions to protect sensitive information.
Kremlin shuts down underground stolen credit card traders.
A Russian law enforcement operation has taken down four online marketplaces that facilitated the trade of stolen credit cards and together took in an estimated $263 million in digital currency. Hacker News details that the domains of the forums Ferum Shop, Sky-Fraud, Trump's Dumps, and UAS were seized by Department "K" of the Ministry of Internal Affairs of the Russian Federation, and that the seizure pages' HTML source carried an embedded message asking, "Which one of you is next?" In a possibly related move, Russian news outlet TASS reports that six Russian individuals are being charged with "the illegal circulation of means of payment." This is the Kremlin's third major operation against cybercrime this year, following the arrests of fourteen members of the REvil ransomware gang and the arrest of Andrey Sergeevich Novak, alleged leader of the now-defunct Infraud Organization, along with three other associates in an identity theft ring.
ASIO head issues strong warnings about corporate cybersecurity.
CRN Australia reports that Michael Burgess, Director-General of the Australian Security Intelligence Organization, delivered the agency's annual threat assessment address this week and signaled that ASIO will take a more proactive approach to business cybersecurity. "I find it infuriating when companies say they were done over by an adversary so powerful there was no way to defend against it," Burgess said. "Certainly, in the cyber field, the overwhelming majority of compromises are foreseeable and avoidable." A critical infrastructure bill passed last year strengthened the government's power to intervene in cyberattacks on private companies responsible for critical infrastructure, requiring those companies to notify authorities of cyberincidents within twelve hours of discovery and allowing the government to enforce external security audits and mandate the installation of security software.