Cyber Security Articles

What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.


Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is a double-edged sword. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles also look at compliance and government cybersecurity frameworks and regulations like the NIST CSF, GDPR, CCPA and more.

Is There a “Right to Repair” Device Data Functionality?

Last month, the US Federal Trade Commission (FTC) voted unanimously to enforce laws regarding consumers’ “Right to Repair” their electronic and automotive devices. The vote was seen as a validation of consumer rights and a rare bipartisan rebuke to manufacturers who have restricted repairs. An Executive Order from President Biden further advanced this right. These moves will make it harder for manufacturers to void warranties, restrict repair options or require consumers to return products only to them for costly repairs.

This is all great, but does it go far enough? The “Right to Repair” policy applies to hardware. For instance, you should now be allowed to replace your smartphone screen by yourself. But what about the data on your phone? Should that be included in “Right to Repair” as well? According to Jason Kent, Hacker In Residence at Cequence Security, the answer is an emphatic “yes.”

“The data handling capabilities of your phone are a product feature that you should be able to modify under right to repair,” Kent explained. “We don’t think of the issue that way, because repair is usually seen as a mechanical issue, but we should broaden the definition of repair to include data.”

“Right to repair creates an environment where I am allowed to fix things and not be penalized.” – Jason Kent, Hacker In Residence at Cequence Security

In particular, Kent thinks consumers should have the right to repair a device’s data transmission settings and API interactions. “Your phone is constantly sending your information out to entities that you probably don’t know about,” Kent added. Telemetry data, location data, personal contacts and more are routinely transmitted by devices to third parties. The data may flow to the manufacturer, or it could go to totally unknown businesses.

Jason Kent

The repair does not have to be done by the owner, either. For Kent, fixing an API, and the data a device exchanges through it, needs to be something the device owner can at least request to have fixed. He said, “Right to repair creates an environment where I am allowed to fix things and not be penalized. If I fix a cell in a Tesla battery the monitoring system knows and disables supercharging. If I roll my own OS on a new Samsung Phone, they disable the camera. These examples go against right to repair. If I disable location or photos in a messaging app, it shouldn’t disable the app entirely. I should be allowed to repair the overstep there.”

The recent scandal surrounding a Catholic priest whose publicly available phone data revealed that he had patronized gay establishments offers a good example of the potential for device data abuse. Consumers should have the right to fix their device’s API settings and restrict outbound data flow. According to Kent, “Manufacturers should not be able to hide behind IP protection as an excuse to limit this kind of user repair.”

The difficulty, however, is that the average consumer, or even a highly knowledgeable gadget repair person, probably doesn’t know how to repair a device’s data sharing settings. Specialized software tooling will probably be required. API monitoring solutions can help, but these are not geared to consumer usage at this point. This could change, though, if enough people want to fix how their phones handle their data.

How corporations should deal with the increasing cyber threat – Enterprise Podcast Network – EPN

Hugh Taylor, Executive Editor of The Journal of Cyber Policy, who has been working in the enterprise technology and cybersecurity fields for over 20 years, joins Enterprise Radio.

Industrial Cybersecurity: Be Ready Before the Troops Arrive

Last month, troops from various National Guard units conducted a large-scale simulation of a major cyber breach knocking out utilities across the U.S. This is a long-feared scenario, and one that appears to become more likely with every passing year. The relative ease with which a ransomware gang took down the Colonial Pipeline shows that a cyber disruption of critical infrastructure may be in our future.

It’s a positive sign that the National Guard is taking this risk seriously enough to practice for it. The fact that the exercise, known as “Cyber Yankee,” included rehearsing a collaboration with the FBI and private sector partners is further welcome evidence that the government is intent on not letting a major disaster unfold on their watch. If a serious incident occurs, the practice will pay off in a faster, more coherent response. And, the Guard may have countermeasures that are beyond the reach of some utilities and industrial concerns. However, it’s not enough.

The National Guard, along with other state and federal incident response mechanisms, is going to be slow to respond to a cyber incident. Even if they can get organized and execute their response plan within hours, and it would probably take at least a day until they can really mobilize, attackers can still do a lot of damage, some of it nearly impossible to predict.

This is what concerns Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon. Cappi and his team help manufacturers, energy companies, water plants, and other Operational Technology (OT) clients with security and incident response processes. In his view, there is a risk of what he calls a “cascading effect” of a successful cyber attack on critical infrastructure.

Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon

“One incident can be a catalyst for other, hard-to-imagine events,” Cappi said. “Look at what happened to toilet paper during COVID. Who could have predicted that? With critical infrastructure, taking down a power station could lead to an unforeseen sewage backup, which leads to a disease outbreak that can’t be treated because the hospital is blacked out, and on and on.”

In the case of certain industrial concerns, the impact of an attack can be immediate and catastrophic. Cappi noted, “An oil refinery can be made to explode in minutes if attackers understand its cyber-physical vulnerabilities well enough. There isn’t time for the National Guard to show up.”

Hexagon works with its clients on being proactive, avoiding catastrophic outcomes by staying a step ahead of cyber criminals. For instance, they recommend assuming that their security has already been compromised and developing a plan for what to do post-breach. This usually takes the form of an overall resiliency plan that brings together people, technology and processes. “We used to focus on uptime and reliability as our two key success metrics,” Cappi said. “Now, we’re shifting our focus to safely regaining productive operations.”

A resiliency plan might call for improving backup systems to minimize the impact of an attack. Putting the plan together also usually includes maintaining a detailed OT asset inventory. “You have to know what you have running in your infrastructure,” Cappi said. “You can’t secure what you can’t see, but you would be astonished at what a utility or industrial plant might find on its network. ‘I thought we disconnected that last year,’ is a typical comment we hear.”

Being prepared and staying resilient also usually requires some contemplation of realistic human behavior. It might be helpful, for example, to institute incentives and penalties to get people to comply with policies like patch deployment.

Cappi also expressed the sentiment that critical infrastructure security could benefit from more active government focus. As he sees it, industries by themselves are not good at developing and enforcing standards for security and resiliency. Instead, it might be better if the government mandated risk-based minimum standards for security and resiliency. The foundations of such standards already exist in the NIST frameworks and the like, but they need “teeth,” according to Cappi.

The state of security for critical infrastructure remains fragile. It’s a positive development that entities like the National Guard are preparing to address a likely but unknowable future crisis. At the same time, much more work needs to be done by private companies, ideally in partnership with a more engaged government.


CYBER.ORG Releases First National K-12 Cybersecurity Learning Standards

Last week, CYBER.ORG, formerly the National Integrated Cyber Education Research Center (NICERC), released the first national learning standards for cybersecurity for K-12 students. The standards are envisioned as a way to increase student cybersecurity literacy while simultaneously building a robust pipeline of future cybersecurity talent.

According to Kevin Nolten, Director of Academic Outreach, Cyber.org, “The national K-12 cybersecurity learning standards are critical to providing the next generation of students with the skills and knowledge to pursue cybersecurity careers, ultimately helping solve the cybersecurity workforce gap.”

He added, “For the first time, educators have a roadmap for uniformly teaching cybersecurity to students in each grade band across the country. We are thankful to all our partners who dedicated their time to making the standards an incredible success and look forward to helping states adopt the standards in the coming year.”

The K-12 cybersecurity learning standards center around three core themes – Computing Systems (CS), Digital Citizenship (DC) and Security (SEC) – all of which represent key fundamentals in cybersecurity education. Each core concept covers a range of pertinent cybersecurity topics, from the Internet of Things (IoT) to Threat Actors.

The first-ever K-12 cybersecurity learning standards will support CYBER.ORG’s mission to address the growing cybersecurity workforce crisis by increasing foundational cybersecurity awareness, access to cybersecurity education and interest in the cybersecurity profession.


Thinking Carefully about Abolishing the App Store

Apple is under siege. It’s their time in the barrel, the apple barrel. Sorry, I can’t help myself. While the odds are the company will shrug off its current problems, it is nonetheless clear that the company is having a rough couple of months. Their decision to reduce device tracking and browser cookies has earned praise from privacy advocates, but howls of protest from ecommerce merchants who dubbed the move “the cookie apocalypse.”

Privacy concerns are still very much an issue with Apple. The recent scandal about a priest accused of sexual impropriety after activists got location data from his iPhone, reveals how much more work remains for Apple and others with regard to user privacy. Then, the explosive allegations that governments around the world had used sophisticated spyware to surveil journalists’ iPhones further inflamed the contentious debate about the right to privacy versus the abuse of technology by the state.

Then, there’s the not so minor matter of anti-trust momentum against Apple. As part of the “break up big tech” talking point that’s been floating around the political scene for the last year or so, a rare bipartisan consensus is forming that Apple must be held accountable for its allegedly anti-competitive business practices. Last month, Democratic Senator Amy Klobuchar and Republican Senator Mike Lee jointly sent a letter scolding Apple for refusing to testify at a Senate anti-trust hearing on App Store competition.

Klobuchar, Lee and others in Congress may move to shut down the App Store through anti-trust measures. At issue is Apple’s requirement that developers pay a license fee to participate and then pay Apple a 30% commission for digital purchases made inside the apps. Apple also mandates use of their proprietary in-app payment service.

The anti-trust case may have merit, but security and privacy experts are warning, “not so fast.” For example, Aidan Fitzpatrick, Founder and CEO of Reincubate, has concerns about the unintended consequences of shutting down the App Store. Fitzpatrick has been immersed in the world of Apple security and privacy for over a decade, having founded Reincubate in 2008 after building the world’s first tool for iOS data recovery.

Aidan Fitzpatrick, Founder and CEO of Reincubate

For one thing, as Fitzpatrick sees it, the App Store is the closest thing the world has to a secure app resource. Business impacts aside, Apple’s requirements that app developers purchase a developer license from Apple, coupled with Apple’s review of apps before they are sold in the store, provide a measure of security for iPhone users. “The license fee and app review may not seem like much, but they’re quite an effective deterrent against hackers who may want to spread malware through apps,” Fitzpatrick explained. “Hackers don’t necessarily like paying license fees and submitting to code reviews.”

Fitzpatrick is not sure consumers—or government regulators—are quite prepared for what would happen if apps can be “side loaded” onto iPhones, without going through App Store screening processes. “It makes life a lot easier for developers,” he said. “That’s great, up to a point. You can develop an app, and anyone can just install it on their device. Then, what happens when hackers start distributing malicious apps in that same way? It could quickly become a security and privacy nightmare.”

Such a scenario would threaten all iOS users, but in particular, Fitzpatrick worries about vulnerable groups like the elderly. “You could have a massive increase in fraud targeting the elderly and other groups that lack sophistication about their devices,” he added.

This is just one unintended consequence from possible anti-trust measures against the company. One might hope that if the government wants to break up the store, it could work to ensure that security and privacy measures remain in place.

Preventing Fraud Without Inhibiting Good Customers’ Shopping Experience

Trust Swiftly has announced the launch of the first-ever identity verification platform, which features 15 different methods of authentication for safely approving real e-commerce customers while quickly stopping fraudsters. By combining multiple verifications, the solution provides legitimate customers the most efficient and enjoyable experience possible while quickly identifying fraudulent actors. The process serves to prevent fraud without getting in the way of a good shopping experience for real customers.

The Trust Swiftly platform is customizable, allowing users the ability to feature as many of the verification methods as they see fit. Users can treat each customer uniquely in a pay-as-you-go pricing package without lengthy contracts. In addition to offering extensive verification methods, the Trust Swiftly system lets clients store their data in over 22 regions worldwide. This creates a high level of privacy as Trust Swiftly is not collecting any unnecessary information from their customers’ database.

The timing of the launch is auspicious. According to Digital Commerce 360 analysis of U.S. Department of Commerce Data, 2021’s Q1 e-commerce shopping spiked to nearly 20 percent compared to 7.6 percent in 2012. The speed at which e-commerce shopping is growing shows not only the capability of companies to get products and services to customers efficiently, but the increasing trust customers have gained doing so online.

According to Patrick Scanlan, co-founder and CEO of Trust Swiftly, “As our capabilities increase in delivering goods and services online, so does the expertise of fraudulent actors looking to infiltrate businesses.” He added, “Not only have fraud actors become more sophisticated, but they continue to advance. Our machine learning system tracks hundreds of distinct attributes from each verification and can identify the fraudulent patterns automatically and in turn prevent declines and loss growth due to fraud.”

In fact, according to a Juniper Research report, e-commerce retailers are at risk of losing more than $20 billion in 2021 due to fraud. Trust Swiftly beta clients saw their fraud rates drop by 40 percent, with one client seeing a $15,000 per month return on investment by easily authenticating customers and stopping repeat fraud.

The 15 methods of verification include options like phone SMS ownership, credit card ownership, ID ownership, selfie liveness, document ownership and geolocation to name a few. Trust Swiftly’s technology accurately detects irregularities and provides a central and dynamic platform to verify users no matter the attacks faced.


CMMC and the Cyber Future of America’s Defense Industrial Base

Earlier this month, the American nuclear weapons contractor Sol Oriens revealed that it had suffered a cyberattack, allegedly at the hands of the REvil ransomware gang. REvil claims to be auctioning the firm’s stolen data. This attack prompted Chris Grove, technology evangelist with Nozomi Networks, to remark, “A small, veteran owned company, most likely bound by multiple NIST Standards, working on nuclear weapons secrets, is probably one of the more secure manufacturers out there. And yet, we see the same story repeat itself – when the ‘Big Game Hunter’ cybercriminals target an organization, they are likely to get in.”

“We see the same story repeat itself – when the ‘Big Game Hunter’ cybercriminals target an organization, they are likely to get in.” – Chris Grove, technology evangelist with Nozomi Networks

This is scary stuff. More than 300,000 companies comprise America’s Defense Industrial Base (DIB), which makes weapons and a huge range of supporting products for the Department of Defense (DoD). They all have their cyber vulnerabilities. And, as we know, attackers, often from America’s strategic adversaries, have perpetrated many highly successful penetrations of the DIB. As but one example, hackers stole 600 gigabytes of secret submarine codes and other classified data from a US Navy contractor in 2018.

In response, the DoD released the Cybersecurity Maturity Model Certification (CMMC) in 2020 with the goal of establishing high, uniform security standards for companies in the DIB. The National Institute of Standards and Technology (NIST) manages the framework for CMMC. The program focuses mostly on securing controlled unclassified information (CUI) handled by members of the DIB, mapping cybersecurity practices at defense contractors to best practices and processes according to five maturity levels.

CMMC is a smart, well-intentioned program, but like many efforts of its kind, it’s taking a long time to get started and the early reports on it are not encouraging. According to a report from BlueVoyant, 28% of the companies they analyzed would likely fail to meet the most basic, tier-1 CMMC requirement. Forty-eight percent showed severe vulnerabilities, including unsecured ports, unsecured data storage and unsupported software.

“As regulations call for higher levels of cybersecurity hygiene, the reality is that many businesses struggle to keep up: organizations often have limited IT resources and implementing new technologies to meet security requirements can seem like an overwhelming investment.” – Bassam Al-Khalidi, Founder and Co-CEO of Axiad

Bassam Al-Khalidi, Founder and Co-CEO of Axiad, commented on these findings, saying, “It’s alarming but not unsurprising that over a quarter of companies wouldn’t meet the most basic CMMC requirements. As regulations call for higher levels of cybersecurity hygiene, the reality is that many businesses struggle to keep up: organizations often have limited IT resources and implementing new technologies to meet security requirements can seem like an overwhelming investment.”

The industry is starting to rise to the occasion. For example, Redspin, a division of CynergisTek (CTEK), recently announced that it was the first organization to successfully pass the CMMC Level 3 certification as a Candidate CMMC Third-Party Assessor Organization (C3PAO). The CMMC Accreditation Body has credentialed Redspin as an Authorized C3PAO ready to conduct CMMC assessments.

“Soon, defense contractors will have to be certified at a given level of CMMC to qualify for contracts that specify the level,” explained Caleb Barlow, CEO of Redspin. “If you need to be at level 2, and you’re at level 1, well, you can’t bid on that contract. Our program can help contractors go up in the CMMC maturity, which we then certify.”

“The new rules have teeth. You have to show that you have the maturity. For instance, if you say your process involves creating log files for certain devices, we’re going to want to see that log.” – Caleb Barlow, CEO of Redspin

Redspin is able to work contractually with Organizations Seeking Certification (OSCs) in conducting assessments based on CMMC Levels 1-3. The process, according to Barlow, is similar to ISO 9000 and comparable standards initiatives. In preparation for certification, the OSC must undertake an intensive process of documentation. The goal is to demonstrate evidence of process maturity, along with appropriate resourcing of security controls and organization-wide training.

“This CMMC program is a great example of the government leveraging its massive purchasing power to effect change in cybersecurity,” Barlow added. “The new rules have teeth. You have to show that you have the maturity. For instance, if you say your process involves creating log files for certain devices, we’re going to want to see that log.”


US Government’s Ransomware Moves Likely to Affect Corporate Compliance

By Elisabeth Buscemi


In response to the surge in ransomware attacks targeting operational processes and industrial control systems, US Homeland Security’s Cybersecurity and Infrastructure Security Agency released guidance to critical infrastructure operators. The document urges manual controls to isolate critical processes from IT networks.

CISA’s recommendations follow the Colonial Pipeline ransomware incident that crippled gasoline supplies in the south-eastern United States for two weeks and led the pipeline to pay a nearly $5 million ransom to their cyber attackers. In a separate incident last month, JBS Foods, the world’s largest meat supplier, was targeted in a ransomware attack that prompted shutdowns at the company’s plants in the US and Australia.

The US is also increasing its attempts to get at the human root of the attacks: cyber criminals.

Deputy Attorney General Lisa Monaco issued guidance last week to federal prosecutors laying out “new requirements relating to ransomware or digital extortion attacks and investigations and cases with a nexus to ransomware and digital extortion.” The US Justice Department’s Computer Crime and Intellectual Property section, Money Laundering and Asset Recovery section, National Security Division, and Federal Bureau of Investigation will collaborate to “disrupt and dismantle the infrastructure and networks used to carry out these attacks,” the memo stated.

This week, the Justice Department announced that it had successfully tracked cryptocurrency transfers paid to the ransomware group DarkSide and seized $2.3 million.

Both the Justice Department and CISA efforts are part of a series of initiatives rolled out by the White House and federal agencies to tackle ransomware. This robust “whole-of-government response” to a global threat is similar to the government’s approach leading to the US Patriot Act, which spurred a frenzy of anti-money laundering and counterterrorist financing regulations.

On the heels of the Colonial Pipeline attack, the Biden administration released a $2 trillion infrastructure proposal, which included $2 billion for improving the energy sector’s cybersecurity and grid resilience. The proposal was followed by a directive issued by the Transportation Security Administration which required pipeline operators to report cyber incidents and attacks to TSA and CISA within 12 hours after the discovery of a cyber incident.

Following the JBS Foods ransomware incident, White House deputy national security adviser for cyber Anne Neuberger announced a “multi-pronged and whole-of-government response”. At the same briefing, White House Press Secretary Karine Jean-Pierre said the Biden administration is engaged with Russia to deliver a message “that responsible states do not harbor ransomware criminals.”

Additional reporting by Jeremy Seth Davis.


Parsing the NSA’s Recent OT Advisory

The US National Security Agency (NSA) issued a Cybersecurity Advisory on April 29 titled Stop Malicious Cyber Activity Against Connected Operational Technology. The Advisory dealt with vulnerabilities in Operational Technology (OT) across the U.S. Government (USG) and the Defense Industrial Base (DIB). In particular, the Advisory stated, “As OT components continue being connected to information technology (IT), IT exploitation increasingly can serve as a pivot to OT destructive effects.”

In other words, OT, comprising the systems that control industrial operations and critical infrastructure, is vulnerable to attack by malicious actors who take over connected IT systems. The NSA is concerned that, for example, a foreign hacker might shut down or damage a defense plant by hacking into its accounting system and then moving laterally over the network to “brick” the SCADA system that runs the factory itself. The Advisory lays out a number of recommendations for mitigating OT/IT risks.

“Industrial enterprises dealing with IT/OT security face a variety of interlocking constraints that make remediation a lot harder than it first looks.” – Mark Carrigan, Chief Operating Officer of PAS

It’s good that the NSA is taking these threats seriously, but this is not exactly a new issue. OT risk exposure has been the subject of serious discussion in cybersecurity circles for years. Surely, the NSA was aware of this. (And sorry, I can’t resist… they were probably aware of it, and stop calling me “Shirley.”) One gets the sense that there is some strategic a$$ covering going on: the NSA wants to go on record as being worried about this issue and to offer guidance on remediating IT/OT vulnerabilities before they lead to serious problems.

Certainly, the NSA’s timing seems either prescient or inauspicious, depending on your point of view. A week after the Advisory came out, a criminal gang most likely associated with the Russian government shut down the Colonial gas pipeline. Colonial has stated that its OT systems were not compromised by the ransomware attack, which crippled its business systems; it evidently shut down the pipeline as a precaution.

It’s hard to know exactly what this means, or if it’s even true. Was the pipeline’s operation endangered by the shutdown of the business systems, or was it simply a matter of not being able to invoice for gasoline and jet fuel they might have delivered? Indeed, Colonial itself may not know whether their OT systems were compromised by the ransomware attack. The actual answer might be that the company simply needed time to check the OT systems carefully to see if they, too, had been implanted with malware.

The NSA Advisory and the Colonial attack serve as helpful prompts for industrial companies to take a harder look at their risk exposure in these areas. Not that solving the problem will be easy, as industry experts well understand. “Industrial enterprises dealing with IT/OT security face a variety of interlocking constraints that make remediation a lot harder than it first looks,” explained Mark Carrigan, Chief Operating Officer of PAS, part of Hexagon, a company that delivers software solutions that prevent, detect and remediate cyber threats in OT environments.

As Carrigan revealed, “Most OT managers are now recognizing that ‘air gaps,’ which are recommended by the NSA, don’t work very well. There can be unknown Internet-connected devices on the OT network, for instance. At the same time, there simply isn’t time to shut down facilities long enough to fix the problem, even if you could.” According to Carrigan, some OT solutions are so old that they simply cannot be patched at all. Patches need to be tested carefully before deployment, in any event. With petroleum facilities, for example, the risks of a mishandled software update include costly outages and even life-threatening malfunctions.

“If you’re running a refinery that produces $50 million worth of gas a day, how are you going to explain to your CEO that you need to shut it down for a month to repair a few OT applications? They’re not going to let you do it—and, in all honesty, if you really wanted to address every OT security issue, you’d need to shut the facility down for at least a year. No one is doing that.”

So, what can be done? There are solutions. PAS advises its clients to build a demilitarized zone (DMZ) around OT assets. “You have to isolate OT,” Carrigan said. “Once you’ve segmented OT away from IT using a DMZ, you can filter and monitor data going between the IT and OT environments. This approach reduces risk significantly, without requiring a facility shutdown.”

Colonial Pipeline Cyberattack Disrupts Military Fuel Supply

The ransomware attack on Colonial Pipeline, reported over the weekend, is disrupting deliveries of jet fuel to military installations on the east coast of the United States. So far, the pipeline shutdown has not affected military operations, however. According to Peter Hughes, Spokesman for the Assistant to the Secretary of Defense for Public Affairs, “The Defense Logistics Agency is monitoring inventory levels and awaiting any updates from Colonial Pipeline. Sufficient stocks are on-hand for downstream customers and there is no immediate mission impact.” Hughes added that DLA has the ability to leverage alternate supply means to mitigate long-term impacts if delays continue.

“Hopefully, the DoD can learn a lesson from this episode,” said retired Air Force general Robert Spalding, author of Stealth War: How China Took Over While America’s Elite Slept. “While nothing bad has happened, yet, we can now see very clearly how the military’s dependence on civilian infrastructure creates vulnerability for the armed forces.” Air Force bases have long shared fuel pipelines with domestic air infrastructure. The same pipeline that supplies McCarran Airport in Las Vegas, for example, provides jet fuel to Edwards Air Force Base.

Colonial, which is one of the largest pipeline operators in the US, has indicated that the attack was only on its business systems. They evidently shut the pipeline down as a precaution. In such attacks, it is common for malicious actors to implant malware in systems other than those that have been directly targeted. At this time, it is impossible to know if the pipeline’s operational software has been affected. The company’s pipeline network provides fuel to over 50 million Americans. The disruption in supply sent gasoline prices higher this week.

Longtime observers of operational technology (OT) are expressing concern over vulnerabilities on display in the attack. As Kudelski Security CEO Andrew Howard put it, “Every day, more and more non-IT systems, such as pipelines and manufacturing floors, are connected to the internet for convenience, better performance and remote management. Cybersecurity is no longer just an IT issue, it impacts every electronic system. While IT environments are rarely perfectly secured, they get all of the attention. These non-IT systems are often the soft underbelly of many corporate networks. They are more difficult to secure and becoming more interconnected every day.”

Colonial hired Mandiant, a division of FireEye, to investigate. The FBI and Critical Infrastructure Security Agency (CISA) are also working with the company to determine the source of the attack and remediate the damage. The source of the attack has not been confirmed. However, according to government sources, the Eastern European cybercrime gang DarkSide is the leading suspect. It is not clear who, if anyone, is behind DarkSide. Sometimes, such criminal gangs operate with the consent of nation state actors or even at the direction of their security services. By having a criminal group carry out an attack on another country, intelligence services preserve deniability.

Cybersecurity industry experts are weighing in on what can be done to prevent the next attack of this kind. According to new analysis from Ric Longenecker, CISO at Open Systems, which provides a platform for the Secure Access Service Edge (SASE) featuring zero trust network access (ZTNA), “Cybersecurity investment and partnership today may reduce the impact of similar events in the future. Managed detection and response services in combination with technologies like Microsoft’s IoT Solution CyberX are within reach. Moving in this direction is the best course of action.”

Gary Kinghorn of Tempered Networks similarly spoke to the potential for Zero Trust in this kind of situation. He said, “Zero Trust can greatly mitigate the damage that can be done once a user or host is compromised. Lacking Zero Trust, the compromised host can likely navigate to critical infrastructure where it can do real damage. Zero Trust can reduce the lateral spread of attackers and malware by blocking access and communication that is not explicitly authorized.”
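The DMZ segmentation Carrigan recommends in the NSA piece above and the explicit-authorization principle Kinghorn describes here come down to the same control: a default-deny allow-list at the IT/OT boundary, with every other flow logged. This added Python example (not code from the article, PAS, Tempered Networks or any other vendor) models that policy over a constructed three-zone layout; the addresses, ports, hosts and rules are all assumptions.

```python
import ipaddress
# Constructed zone layout: an assumption for illustration, not Colonial's or PAS's real
# network. IT business systems, a DMZ that brokers data, and the OT/SCADA network.
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "DMZ": ipaddress.ip_network("10.20.0.0/24"),
         "OT": ipaddress.ip_network("10.30.0.0/16")}
HISTORIAN = "10.20.0.5"   # DMZ data historian replica (constructed address)
JUMP_HOST = "10.20.0.10"  # DMZ jump host for engineering access (constructed address)
# Explicit allow-list of brokered flows: (src_zone, src_host, dst_zone, dst_host, dst_port).
# None is a wildcard. Anything not listed is denied, so IT can never reach OT directly.
ALLOW_RULES = [
    ("OT", None, "DMZ", HISTORIAN, 5432),  # OT collectors push process data to the historian
    ("IT", None, "DMZ", HISTORIAN, 443),   # IT reads the historian replica over HTTPS
    ("IT", None, "DMZ", JUMP_HOST, 22),    # engineers SSH to the jump host
    ("DMZ", JUMP_HOST, "OT", None, 502),   # only the jump host may speak Modbus/TCP into OT
]

def zone_of(ip):
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(src, dst, port):
    """Default-deny policy check for one flow crossing the IT/OT boundary."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny"  # unknown devices (a rogue internet-connected box, say) get nothing
    for rz_src, rh_src, rz_dst, rh_dst, rport in ALLOW_RULES:
        if ((rz_src, rz_dst, rport) == (src_zone, dst_zone, port)
                and rh_src in (None, src) and rh_dst in (None, dst)):
            return "allow"
    return "deny"

def monitor(flows):
    """Monitor the boundary: return (kind, src, dst, port) for every denied flow,
    flagging IT-sourced attempts on OT as possible lateral-movement pivots."""
    alerts = []
    for src, dst, port in flows:
        if evaluate(src, dst, port) == "deny":
            kind = "pivot_attempt" if (zone_of(src), zone_of(dst)) == ("IT", "OT") else "denied"
            alerts.append((kind, src, dst, port))
    return alerts

# Constructed sample flows, as a DMZ firewall might log them.
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.20.0.5", 443),    # accounting host reading the historian: allowed
    ("10.10.4.20", "10.30.1.7", 502),    # accounting host talking Modbus to a PLC: pivot attempt
    ("10.20.0.10", "10.30.1.7", 502),    # jump host to the same PLC: allowed
    ("192.168.99.9", "10.30.1.7", 502),  # unknown device on the boundary: denied
]
```

Running `monitor(SAMPLE_FLOWS)` yields one pivot alert for the accounting host and one plain denial for the unknown device; the jump-host path, being explicitly authorized, passes silently.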

Guy Caspi, CEO and Co-Founder of Deep Instinct, offered this take: “The government should learn from countries that have built up cybersecurity programs that are stopping threats/tactics like those used against the U.S. For example, other nations execute protection in a multi-layer approach. In these cases, it’s not enough for malicious actors to break through one layer, because the next software is already waiting there. And underneath that, the next one. One product or solution is simply not enough. Implementing a layered approach to cybersecurity, including the use of groundbreaking technology like deep learning to prevent attacks, will make breaking through the U.S.’ protective shield like Mission Impossible.”