Securing Operational Technology with Cyber-Informed Engineering

Cyber-Informed Engineering (CIE) is an initiative by Idaho National Laboratory with funding from the Department of Energy (DOE). The goal of CIE is to secure physical operations through the combination of cybersecurity and engineering approaches. Today, engineering mitigations are used from time to time to address cyber risks but are used neither universally nor systematically. CIE recognizes the importance and necessity of using both engineering tools and conventional cybersecurity designs to secure operational technology (OT) networks.

Protecting Critical Infrastructure

Access to OT information in IT networks, very often through PI servers, is essential to many kinds of business automation, such as automatically ordering spare parts or scheduling maintenance crews. However, because all modern automation involves computers, as businesses continue to automate processes, more targets for cyberattacks are created. In addition, data in motion is the lifeblood of modern automation, but all cyber-sabotage attacks on OT systems are information, and every connection between systems and IT/OT networks is an opportunity for attacks to spread. Thus, the more automation is deployed, the more opportunities are created to attack the ever-increasing number of targets. Cybersecurity is an issue that becomes steadily more pressing as businesses automate.

The IT/OT boundary, where PI servers tend to be deployed, is very often a consequence boundary. Worst-case consequences on the OT network are very often dramatically different and more severe than consequences on IT networks. Worst-case business consequences often include expensive incident response costs, such as businesses having to buy identity fraud insurance for customers whose information was leaked into the Internet. On the other hand, worst-case consequences for OT networks in a power plant or a high-speed passenger rail switching system often include threats to worker and public safety, or to the availability of critical infrastructure services to the nation. When worst-case OT consequences are unacceptable, engineering-grade protections must be deployed at the IT/OT interface to prevent worst-case scenarios from being realized.

Conventional OT Security Programs

Using exclusively IT style mitigations to protect critical OT networks is often not enough—when public safety or critical infrastructures are at risk, it is not enough to hope that cyberattacks can be detected before they compromise critical infrastructure. It is not enough to hope that if detected in time, an incident response team can be assembled fast enough to prevent consequences. Engineering-grade designs are expected to reliably perform critical physical operations within a specified threat environment until the next scheduled opportunity to upgrade defenses, with a large margin for error.

The Threat Landscape

Remote-controlled attacks are the modern attack pattern used by hacktivists, ransomware criminals and nation-states. Modern remote-controlled attacks use social media research and clever phishing emails to trick potential victims into revealing passwords or opening malicious attachments. Once remote attackers gain a foothold in their target network, they control the compromised machine remotely, using it to attack other machines through layers of firewalls, including the IT/OT firewalls deployed to send OT data into PI servers to enable IT/OT integration. Attackers then repeat, spreading further until they reach essential OT systems or valuable information that a business would be willing to pay to recover.

‘Living off the land’ is another type of remote-controlled attack seen recently. After gaining a foothold in an IT network, attackers erase all hint of their presence, including any malware that was used to gain their foothold. Eventually compromising the IT domain controller, attackers create their own remote access and credentials. These new accounts look like a normal employee logging in; no alarms are raised as the attackers use normal operating system tools in their attacks, making them extremely difficult to detect.

Unbreachable Protection with Unidirectional Gateways

In the face of sophisticated remote-control attacks, safe integration of critical OT networks with PI servers and other business automations must involve network engineering. The most common approach to network engineering is to protect the IT/OT consequence boundary with a Unidirectional Gateway. The gateways are a combination of hardware and software; the software makes copies of PI and other OT servers from OT networks, while the hardware allows information to travel in only one direction, from the OT network out to the IT network. The gateways move OT data out to where the enterprise can use it while preventing any remote-control attacks or attack information from getting back through into the OT network. Even if a deceived insider carries a piece of malware into an OT network and inadvertently activates it, that malware cannot connect out to the Internet through the gateway, much less receive any attack commands from the Internet.

Increasingly, critical infrastructures are expected to have OT networks that operate reliably and independently of the IT network, even when the IT network is compromised. A Unidirectional Gateway provides OT data to PI servers and other business automation, with no ability for malware, remote-control commands or other attack information to penetrate the gateway into operations. By eliminating the risks associated with firewalls at the IT/OT consequence boundary, industrial enterprises can be confident of the integrity of their OT systems, even in the face of the most sophisticated of modern, network-based attacks.

As Cyber-Informed Engineering emerges as the most important change in OT security in a decade, Waterfall Security’s Unidirectional Security Gateways, certified to be truly unidirectional, are leading the world in safe IT/OT and OT/cloud integration, even in the face of the most sophisticated of cyber threats. Watch our webinar “Cyber-Informed Engineering for OT Security and AVEVA PI Users” to see how Waterfall’s solutions enable safe IT/OT integration and protect safe and reliable physical operations, especially for AVEVA PI installations.

The Evolution of Technology in the Defense Industry at DoDIIS

Innovation in Government benefits the changing and growing needs of the nation, and the Department of Defense (DoD) leads the way in both innovation and security. The Department of Defense Intelligence Information System (DoDIIS) is a conference for the nation’s top military and technology specialists to share insights revolving around the show’s theme – ‘Chaos to Clarity: Leveraging Emerging Technologies.’ Fed Gov Today joined Carahsoft on the show floor to discuss IT and OT updates, artificial intelligence (AI) and machine learning (ML) and priority technology updates with military thought leaders.

Departmental Shift to Information Technology

The DoD aims to refresh technology and standardize user experience across the department as a response to employee feedback. These standards are partially inspired by Zero Trust models and codifying existing standards. Through the implementation of office management and hiring defense digital service experts, agencies will update hardware and endpoints, refresh outdated technology and enhance overall IT capabilities. Executing these standards will require time and financial resources, and to properly utilize all acquired resources, a new generation of industry professionals will need to be onboarded. By building off effective processes from previous initiatives and hiring new talent that is optimally suited for these processes, the department can make strides in software such as cloud computing, generative AI and Zero Trust. The introduction of the Joint Operational Edge Cloud (JOEC) is also critical in accelerating cloud computing for combat tactical edge usage during the interim shifts in technology. At record speeds, the DoD must move from a hardware-defined enterprise towards modifying software.

AI Evolution

While AI is in its infancy, prototypes show a promising and interesting future where machines are trained to complete work. With more than 1,200 AI applications across civilian agencies, and various similarities and differences in the way AI is used by Government and commercial agencies, there is a lot the Federal sphere can learn from commercial agencies. In the private sector, companies tend to build back-end architecture for AI, providing fast access to all data. The Federal Government can optimize this plan by automating AI/ML to gain tactical advantage against machine adversaries. AI can also aid in predicting component failure. This helps agencies get hardware and software back on track as soon as possible, as well as help with mission planning. The private sector offers a myriad of ideas the Government can leverage for efficiency, such as AI in healthcare, sustainable energy and creative component and finance management.

DIA Initiatives

The Defense Intelligence Agency (DIA), a service provider on behalf of the defense industry, has a comprehensive IT strategy made up of five key priorities:

  1. Among both classified and unclassified networks, the DoD should implement top secret connection.
  2. With the transition to working from home, employers must enable workplace inclusivity through technology, especially for employees with disabilities.
  3. Enable workers to access data applications from one fully integrated place by consolidating network systems, such as desktop environments.
  4. As internally shared information becomes more complex, the DIA must update technology to strengthen intelligence sharing.
  5. Authorize worldwide connectivity for the Joint Worldwide Intelligence Communications System (JWICS), the DoD’s house for sensitive information. This means a reliable and secure connection regardless of environment and its proximity to data centers.

By maintaining pace with world class technology such as the cloud and AI, the DoD will lead the nation in secure communication and strategies.

Check out more resources, interviews and highlights from the event floor at DoDIIS at FedGovToday.com.

DevSecOps: Achieving Efficiency and Scale with Automation and Software Factories

In today’s rapidly evolving digital landscape, Government agencies face many challenges in delivering modern, secure software applications to the end-user. DevSecOps is a methodology that combines development, security and operations to create a more streamlined and secure software development process. This concept has emerged as a transformative approach that integrates security practices, automation and software factories into the software development lifecycles from its inception. At the Carahsoft DevSecOps Conference, industry experts and innovators shared their knowledge of emerging tools, effective strategies and methodologies in software engineering through several educational sessions.

Unlocking Efficiency: The Power of Automation and AI/ML

Automation helps developers improve the efficiency and quality of code, reduce risk and combat security vulnerabilities. As a key component of DevSecOps, automation allows developers to simplify many of the tasks involved in software development, such as testing, deployment and monitoring. Once automated, developers can focus on writing high-quality code and addressing security vulnerabilities, rather than spending time on redundant manual tasks.

The use of AI has transformed the way developers work, compared to 20 years ago when code was primarily written from scratch. Today, external libraries — software code written by a third-party source — are used frequently which introduces a new set of risks and benefits. The benefits include making software development faster and more efficient as developers use pre-existing code to build their applications. However, if a third-party library has a security vulnerability, it can be exploited by malicious actors to gain access to sensitive data. If not maintained properly, the third-party library can become outdated and incompatible with other software components.

Software Factories

Software development has become an essential part of today’s business operations, and Government agencies are constantly seeking ways to improve their processes. Recently, the concept of the software factory—a structured approach to software development that emphasizes standardization, automation and collaboration—has gained popularity. It establishes a set of tools, processes and best practices that enable teams to develop software more efficiently and effectively. The goal of a software factory is to create a repeatable and scalable process for software development that can be applied across different projects and teams. By implementing this strategy, agencies can improve the quality, speed and consistency of their software development efforts.

One of those best practices combines Continuous Integration and Continuous Deployment in a single process known as CI/CD. CI is the practice of frequently merging code changes from multiple developers into a shared repository, where automated tests are run to address integration issues early in the development cycle. This ensures the code is always in a releasable state and reduces the risk of conflicts and errors when changes are merged. CD, on the other hand, is the practice of automatically deploying code changes to production as soon as they pass the necessary tests and checks, enabling teams to release software changes quickly and frequently. By utilizing CI/CD, teams can achieve a continuous flow of code changes from development to production, which is imperative for modern software development.

Elevating DevSecOps: A Blueprint for Integrating Early Software Security Measures

Securing software in a containerized environment presents unique challenges due to the dynamic nature of containers and the distributed nature of container orchestration platforms like Kubernetes. Government agencies must ensure that containers are properly configured and secured, as misconfigurations can lead to vulnerabilities that can be exploited by attackers. Another difficulty is detecting and responding to security incidents in a timely manner, as containers can be spun up and down quickly and may be spread across multiple nodes in a cluster. Securing software early can help agencies reduce risk, lower costs, deliver software faster and improve collaboration between development and security teams.

Another crucial component of DevSecOps—continuous delivery—enables teams to deliver software changes quickly, safely and sustainably. This means that teams can release software changes frequently and with confidence, knowing that the changes have been thoroughly tested and are ready for production. Through a combination of automation, collaboration and feedback loops, continuous delivery helps reduce the time and effort required to release software changes.

Agencies can adopt a DevSecOps approach that integrates security into the software development lifecycle from the beginning. This involves using tools and processes to automate security testing and validation, as well as incorporating security requirements into the development process. For instance, agencies can use tools like vulnerability scanners and security-focused container images to detect and remediate vulnerabilities in containers. They can also use automation to validate security requirements and ensure that containers are properly configured and secured.

Securing software early in the development process can lead to several benefits including:

  • Reduced risk of security incidents: By identifying and addressing security vulnerabilities early in the development process, agencies can minimize the risk of security incidents and data breaches.
  • Lower costs: Fixing security issues later in the development process is much more expensive than addressing them early on. By integrating security into the development process from the beginning, agencies can reduce the cost of fixing security issues and avoid costly rework.
  • Faster time to market: Adopting a DevSecOps approach can help agencies deliver software faster by automating security testing and validation. This decreases the time for manual testing and enables faster release cycles.
  • Improved collaboration: Agencies can strengthen collaboration between development and security teams to ensure requirements are properly understood and incorporated into the development process. This proactive initiative can help foster a culture of security throughout the agency.

The adoption of DevSecOps, along with its fundamental principles, empowers Government agencies to establish a more efficient and secure software development process. This is achieved through the implementation of automation, the adoption of a software factory approach and the early integration of security measures.

 

To learn more about DevSecOps best practices and trending innovations, visit Carahsoft’s DevSecOps vertical solutions portfolio. 

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s annual DevSecOps Conference.*

Generative AI, DevSecOps and Cybersecurity Highlighted for the Air Force and Space Force at DAFITC 2023

Thousands of Space Force and Air Force personnel and industry experts convened to discuss the most current and significant threats confronting global networks and national defense at the 2023 Department of the Air Force Information Technology and Cyberpower Education & Training (DAFITC) Event. Throughout the many educational sessions, thought leaders presented a myriad of topics such as artificial intelligence (AI), DevSecOps solutions and cybersecurity strategies to collaborate on the advancement of public safety.

Leveraging Generative AI in the DoD

At the event, experts outlined three distinct use cases for simplified generative artificial intelligence in military training.

  • Text to Text: This type of generative AI takes inputted text and outputs written content in a different format. Text to Text is associated with tasks such as content creation, summarization, evaluation, prediction and coding.
  • Text to Audio: Text to Audio AI can enhance accessibility and inclusion by creating audio content from written materials to support elearning and education and facilitate language translation.
  • Text to Video: Text to Video AI is primarily geared towards generating video content from a script to aid the military with language learning and training initiatives.

Dr. Lynne Graves, representative of the Department of the Air Force Chief Data and Artificial Intelligence Office (CDAO), provided attendees with a brief timeline of how the USAF will fully adopt artificial intelligence. The overarching aim for AI integration is to make it an integral part of everyday training, exercises and operations within the Department of Defense (DoD).

  • In FY23, the DoD is focusing on pipeline assessment. Using red teaming where ethical hackers run simulations to identify weaknesses in the system, internal military personnel target improvement of their infrastructure and mitigation of the vulnerabilities in the different stages of the pipeline.
  • In FY24, the emphasis will be on the Red Force Migration policy, which involves developing, funding and scaling the necessary strategies.
  • In FY25, the goal is for the department to become AI-ready. This entails preparing for AI adoption at all agency levels, establishing a standard model card that explains context for the model’s intended use and other important information, creating a comprehensive repository of data and implementing tools for extensive testing, evaluation and verification.

USSF Supra Coders Utilize DevSecOps for Innovation

The current operations of United States Space Force (USSF) Supra Coders involve a range of activities that combine modeling, simulation and expertise in replicating threats. These operations are conducted globally, and currently include orbit-related activities, replication of DA ASAT (Direct Ascent Anti-Satellite) capabilities and the reproduction of adversarial Space Domain Awareness (SDA).

The USSF Supra Coders have encountered limitations with software solutions, including restrictions tied to standalone systems, licensing structures with associated costs and limited adaptability to meet the specific needs of aggressors and USSF requirements. DevSecOps presents a multifaceted strategy for mitigating the identified capability gaps noted by the USSF Supra Coders. It can help create more effective and efficient software solutions through seamless integration of security protocols, streamlining system integration processes, optimizing costs and enhancing customizability.

Cybersecurity Within the Space Force

Cybersecurity is a shared responsibility across the DoD but is especially relevant for the U.S. Space Force. As a relatively newly emerging branch of the military, the Space Force is still developing its cyber strategies. Due to its completely virtual link to its capabilities, the USSF must prioritize secure practices from the outset and make informed decisions to protect its networks and data.

Currently, the Space Force is engaged in the initial phases of pre-mission analysis for its cyber component which serves as a critical element for establishing and maintaining infrastructure through the integration of command and control (C2). These cyber capabilities encounter a series of complex challenges, which necessitate a multifaceted approach including the following solutions:

  • Enforcing Consistent Cybersecurity Compliance
  • Developing Secure Methods to Safely Retire Old Technology
  • Enhancing Cryptography Visibility
  • Understanding Security Certificate Complexity
  • Identifying Vulnerabilities and Mitigating Unknown Cyber Risks

While the Space Force faces a uniquely heightened imperative to bolster its cybersecurity capabilities with its inherent reliance on information technology and networks in the space domain, the entire community must collaborate effectively to achieve military leaders’ targeted cybersecurity capabilities by the goal in 2027.

The integration of generative AI in military training, innovations through DevSecOps by the USSF Supra Coders and cybersecurity initiatives of the Space Force collectively highlight the evolving landscape of advanced technologies within the Department of Defense. Technology providers can come alongside the military to support these efforts with new solutions that enhance the DoD’s capabilities and security.

 

Visit Carahsoft’s Department of Defense market and DevSecOps vertical solutions portfolios to learn more about DAFITC 2023 and how Carahsoft can support your organization in these critical areas. 

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at DAFITC 2023.*

Software, AI, Cloud and Zero Trust as Top Priorities for the Army and DoD at Large at TechNet Augusta 2023

Many of the major cybersecurity, data, DevSecOps and other trends from the past couple of years continue to grow and be top priorities for every segment of the Department of Defense (DoD). At TechNet Augusta 2023, Government and industry experts shared the specific needs of their organizations across those areas and solutions to help achieve their goals. The main theme of the event was “Enabling a Data-Centric Army” and expanding those principles and their mobilizing technologies to the entire DoD. For the Army in particular, the shift from hardware to software, the use of artificial intelligence (AI), cloud capabilities and Zero Trust were headlining topics at the conference.

Shifting from Hardware to Software

In an effort to increase agility and expand access to resources, the Army is transitioning its equipment from hardware to software. Amending its materiel release process to decouple software from hardware allows the Army to deploy software outside of the long hardware acquisition cycle. To mobilize this endeavor, the Army Futures Command (AFC) is modifying its software requirements to focus on high-level overviews that are then refined by operators. Alongside this shift, the Army and other departments requested that technology providers ensure that their software solutions integrate with each other. Going forward, the Army also asked industry to provide software that is not tied to specific hardware. This separation will be key to establishing data-centricity. Nearly every speaker echoed the importance of this shift for their departments.

Utilizing AI

With this major transition to a software-heavy environment, Army Chief Data and Analytics Officer David Markowitz believes it will be an ideal use case for generative AI in software development. Having a controlled environment in software development would make it easier to properly govern compared to the complexity of some of the other uses. As AI usage increases across the DoD, military leaders requested industry create AI platforms with layered complexity of features enabling users of any skill level to utilize the technology effectively. In regard to AI applications for data, Army CIO Leonel Garciga stated that additional guidance on “Data Use on Public/Commercial Platforms” would be released soon to clarify its policy. Overall, officials concurred that the DoD is not looking to become 100% reliant on AI aid but instead maximize AI’s strengths to augment human critical thinking and empower commanders to make data-driven decisions.

Enabling Cloud Capabilities

Over the past year, the Army has exponentially increased its cloud migration and virtualized capabilities. Housing information in the cloud optimizes data storage and simplifies ease of access particularly with the increase in data output, and the push for AI data analytics and data-driven decisions. Hybrid cloud solutions offer the readiness, adaptability and duplication of vital information necessary for military operations to continue smoothly in any situation. Currently, DoD leaders seek industry solutions for modernizing and moving applications to the cloud simultaneously. Acquiring technology with this ability would reduce both the security risk and the work required from the military to implement it.

Expanding Zero Trust

Overarching every aspect of the DoD is the critical need for cybersecurity. Garciga plans to emphasize Zero Trust implementation heavily in conjunction with improving user experience and cyber posture. While multi-factor authentication offers a great starting point, military leaders explained that it is not enough and that they look to partner with industry to close virtualization vulnerabilities through continuous monitoring and regular red teaming. At the conference, the Army Cyber Command (ARCYBER) outlined seven principles for IT providers to follow for all capabilities they deliver:

  • Rapidly Patch Software
  • Assess All Production Code for Security Flaws
  • Improve Security of Development Networks
  • Isolate Development Environments from the Internet and from the Vendor Business Network
  • Implement Development Network Security Monitoring
  • Implement Two-Factor Authentication (2FA) on Development Network and Testing Services
  • Implement Role-based Permissions on Development Network

Empowering DoD Success

A consistent thread woven throughout the event was the vital nature of open communication and partnership between the DoD and technology companies to achieve the established goals. Within each of these areas including the shift from hardware to software, use of AI, cloud capabilities and Zero Trust, the DoD looks to innovate and explore new methods and solutions to stay ahead on the world platform. Together through collaboration, industry can have a vital role in keeping American citizens safe one technology update at a time.

 

Explore our Federal Defense Technology Solutions Portfolio to learn how Carahsoft can support your organization through innovative, agile defense resources and IT capabilities.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Augusta 2023.*

Cybersecurity Initiatives from TechNet Cyber 2023

The global prominence of technology, cyber power and cybersecurity is vital to U.S. political and economic success. At TechNet Cyber 2023, a conference held in Baltimore, Maryland, Government, industry and academic partners discussed solving global security needs. This year’s conference, which took place May 2-4, focused on numerous topics including Zero Trust, multicloud and defense strategies against bad actors.

Thunderdome: The New Zero Trust Framework

Thunderdome is the new Zero Trust framework to improve cyber security and posture, created by the Defense Information Systems Agency (DISA), a combat support agency that provides information technology and communications support. Lieutenant General Robert Skinner, the director of DISA, attests that Thunderdome meets 131 of 153 key standards that were laid out by the Department of Defense (DoD) as a part of its strategy for Zero Trust. With that and further growth, Thunderdome is well on its way to being a vital part of Zero Trust cybersecurity.

However, Thunderdome is not a one-size-fits-all solution, as its scalability and modularity will require ongoing assessment. At the event, Lieutenant General Skinner highlighted three key components to understanding where Thunderdome fits into agencies. They are known as the “three Ps”: posture, position and partnerships. The first part, posture, evaluates where an agency stands with its technology and processes in relation to its cyber posture. The second element, position, is the utilization of these resources to achieve the best results. And lastly, partnerships form the cornerstone of maximizing business capabilities. In relationships with allies and partners, all participants can help each other and ensure that they are all on the same page.

Much of this manifests in Thunderdome’s process of improving agency posture with regards to the workforce. Through education, the right training, retention and hiring those with the right skillsets, agencies can improve their industry posture. Lieutenant General Skinner stressed that to support the current workforce, it is vital for agency leaders to “know and understand what their capabilities are to move them in the right place.”

The Pentagon’s MultiCloud Environment

The Pentagon’s multicloud environment is designed to give practitioners access to the best of technology. However, the complexity of the multicloud environment can lead to issues if not managed correctly. To combat this, Armon Dadgar, HashiCorp’s CTO and Co-founder, recommends forming a consistent way for practitioners to set up cybersecurity infrastructure on other platforms. As agencies seek to decomplexify systems, one way to achieve this in both the public and commercial sector is by establishing a consistent approach to the multicloud. Agencies should be intentional about instituting abstraction layers and begin by defining a central platform team to create a common blueprint across environments. This way, there is an organized standard for future processes.

Threats to Cybersecurity

Wanda Jones, a principal cyber advisor of the U.S. Air Force, discussed how to protect against hackers with evolving threats. Bad actors are aggressive, always moving and attacking industry’s weak spots. The best way to defend capabilities is to detect threats early on and respond in a timely manner. Agencies must always be monitoring and improving to stay on the offensive. A solid start to improving Zero Trust is improving security architecture and providing access to those with known identities within the agency.

With the continued focus on cybersecurity, the Federal Government maintains the public’s safety and security.

 

To learn more about the topics discussed at TechNet Cyber, view the full Fed Gov Today episode co-sponsored by Carahsoft.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Cyber 2023.*