
ICIT Digital Library
Trusted Critical Infrastructure Technology Research and Resources from ICIT Community Experts. Arm yourself with insights on current trends, innovation and emerging technology for our nation's critical infrastructure.


The Rise of the Cyber Industrial Complex and Expense in Depth
In this essay, entitled “The Rise of the Cyber Industrial Complex and Expense in Depth,” ICIT Fellow Malcolm Harkins discusses how the lack of progress toward managing cyber risk, despite thousands of new security vendors and thousands of new capabilities sold that purport to control for these risks, is a result of a “cyber industrial complex” that lacks a proper economic incentive to solve the problem. Mr. Harkins explores the idea that it is the hidden hand of t
Jul 8, 2019 · 3 min read


An Insight into the Current Security Posture of Healthcare IT: A National Security Concern
This spring, The Institute for Critical Infrastructure Technology (ICIT) sponsored a Capstone Project for students at the Heinz College at Carnegie Mellon University. As part of this project, students were tasked with conducting an assessment of the cybersecurity posture of the healthcare sector which included an analysis of threats to healthcare IT, IoT, and OT, supply chain security, emerging cybersecurity solutions, and technical and non-technical security controls to imp
Jul 7, 2019 · 1 min read


800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
This draft publication and the abstract below were released by NIST in June 2019. ICIT strongly encourages you to visit the NIST Publication Library to search for additional information security resources which are freely available. Draft NIST Special Publication 800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of par
Jun 29, 2019 · 1 min read


Cyber Threat Hunting
ICIT CERTIFIED: In this paper from Federal News Network, an ICIT Fellow Circle Member, executives from Customs and Border Protection, NOAA, Veterans Affairs, Justice, Education, and Carbon Black discuss current best practices for threat hunting, compliance and cyber data analytics. It has been reviewed by ICIT researchers and is certified as an educational document. ICIT encourages stakeholders to read this paper and distribute it widely to share its contents. Threat hunting
Jun 28, 2019 · 2 min read


The Future of Cybercrime
ICIT CERTIFIED: In this essay, ICIT Contributor Luther Martin from Micro Focus Government Solutions (an ICIT Fellow Program Member) discusses how governments that do not enforce cybercrime laws may in effect be decriminalizing cybercrime; and offers a possible solution to incentivize governments to enforce cybercrime laws. It has been reviewed by ICIT researchers and is certified as an educational document. ICIT encourages stakeholders to read this paper and distribute it wid
Jun 16, 2019 · 2 min read


Last Call for SATCOM Security
ICIT CERTIFIED: In this paper, the researchers at IOActive, an ICIT Fellow Circle Member, offer three real-world scenarios involving serious vulnerabilities that affect the aviation, maritime, and military industries. It has been reviewed by ICIT researchers and is certified as an educational document. ICIT encourages stakeholders to read this paper and distribute it widely to share its contents. This research comprehensively details three real-world scenarios involving ser
Jun 12, 2019 · 2 min read


Hacking Our Nation's Airports
Most of the 8 million people estimated to fly every day directly or indirectly interact with the technologies running the “typical airport experience” – avionics software on planes, air traffic control systems, fuel pumps, baggage handling systems, ticketing systems, security systems, etc. – without considering the resiliency and security of the software or equipment they interact with. However, like most technology, the software and equipment used to run the operations of
May 14, 2019 · 1 min read


Software Security is National Security
Software development that does not incorporate comprehensive security throughout the lifecycle of the application jeopardizes national security by increasing the threat landscape surrounding high-value networks and sensitive data. Unfortunately, many of today’s technology manufacturers prioritize speed to market over security, have adopted a ‘deploy now, patch later’ culture, and shift the liability of their vulnerable technology onto consumers through EULAs and SLAs. It is v
Apr 20, 2019 · 2 min read


Cybersecurity in Building Automation Systems (BAS)
ICIT CERTIFIED: In this paper, the OT Research Team at Forescout, an ICIT Fellow Program Member, performed an exercise in vulnerability and malware research for devices commonly used in building automation systems (BAS). It has been reviewed by ICIT researchers and is certified as an educational document. ICIT encourages stakeholders to read this paper and distribute it widely to share its contents. Vulnerabilities in smart buildings are very dangerous because they open thes
Apr 14, 2019 · 2 min read


An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries
On February 21, 2019, Senator Mark Warner (D-VA), the vice chair of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, sent letters to twelve healthcare organizations and four federal agencies soliciting feedback via a series of questions on the security and resiliency of the healthcare sector. In the letter, he stated: “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybers
Apr 1, 2019 · 2 min read


GAO: Cybersecurity Workforce - Agencies Need to Categorize Positions to Identify Staffing Needs
This publication and the abstract below were published by GAO in March 2019. ICIT strongly encourages you to visit the GAO Reports and Testimonies Library to search for additional information security resources which are freely available. Why GAO Did This Study A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The act requires OPM and federal agencies to take several actions related to cybersecurity work
Mar 29, 2019 · 1 min read


Executive Briefing Series: CDM and Mobile Security
ICIT CERTIFIED: This brief from ICIT Fellow Circle Member Federal News Network offers viewpoints from USDA, Department of Energy, Booz Allen Hamilton and MobileIron executives discussing mobile security and how DHS Continuous Diagnostics & Mitigation (CDM) program capabilities can secure enterprise mobile environments. It has been reviewed by ICIT researchers and is a valuable educational document the Institute encourages you to read and share among your community. With mob
Mar 24, 2019 · 1 min read


Did China Just Legalize Espionage?: Recent Provisions to Chinese Law Increases Risk
Under new provisions to China’s 2017 National Cybersecurity Law (CSL), entitled “Regulations on Internet Security Supervision and Inspection by Public Security Organs,” Chinese authorities can remotely conduct penetration tests on the systems and networks of any Internet-related business with at least five internet-connected computers, operating in China [1]. International organizations in all sectors operating in China, including academia, healthcare, finance, energy, consul
Mar 3, 2019 · 1 min read


HIMSS: 2019 HIMSS CYBERSECURITY SURVEY
This publication and Executive Summary below were published by HIMSS in February 2019. ICIT strongly encourages you to visit the HIMSS Publication Library to search for additional information security resources which are freely available. Executive Summary The 2019 HIMSS Cybersecurity Survey provides insight into the information security experiences and practices of US healthcare organizations in light of increasing cyber-attacks and compromises. Reflecting the feedback from
Feb 28, 2019 · 1 min read


Executive Briefing Series: Digital Transformation
ICIT CERTIFIED: This brief from ICIT Fellow Circle Member Federal News Network offers viewpoints from U.S. Air Force, Office of the Director of National Intelligence, and GitLab executives discussing how DevOps can help overcome common obstacles in IT Modernization and Agile Development efforts including interoperability challenges and poor coding. It has been reviewed by ICIT researchers and is a valuable educational document the Institute encourages you to read and share
Feb 27, 2019 · 1 min read


