The FBI Investigating HHS Cyberattack During Coronavirus Crisis
The AP reported that Attorney General William Barr has announced that the FBI is investigating the HHS Cyberattack that took place on March 16, 2020 for the involvement of foreign governments. The incident that was originally reported on Sunday March 16, 2020 by Bloomberg, involved a cyberattack on the Department of Health and Human Services (HHS). The attack attempted to launch disruptive information and impede the agency’s response. Fortunately, the attempt failed to penetrate the network. The HHS was continually monitoring the infrastructure and detected a significant increase in activity.
Government Cybersecurity Preparedness
Government agencies are attractive targets for cyberattacks. In 2018 President Trump signed into law the creation of the Cybersecurity and Infrastructure Security Agency to bolster the government’s capacity to defend against cyberattacks. The HHS along with other agencies have been slow to implement improvements to its IT infrastructure. The Government Accountability Office report issued in February of 2020 states that all but two federal agencies had failed to “effectively monitor the implementation of a voluntary cybersecurity framework”. The HHS was among those criticized. The agency did however replace its cybersecurity operation with the HHS-DHS Health Cybersecurity Coordination Center. It may well be because of this change that this crisis was averted.
Health Industry Preparedness
The HHS published Health Industry Cybersecurity Practices (HICP) to move health providers towards effective practices to protect important and sensitive data. This information is provided in two volumes, one for small health care organizations and another for medium to large providers. This effort is well designed but its implementation is difficult to assess. This is due to the fact that there is no mandate for companies to their information to the government. Based on a general survey of business cyber preparedness most U.S. companies are not ready to protect critically sensitive data.
CVG Strategy Cybersecurity
CVG Strategy cybersecurity experts are committed to helping businesses attain effective cybersecurity programs. We can help you implement ISO 27001 Information Security Management Systems to develop a scalable solution to protect your valuable data. Contact Us today to see how we can help
There are growing concerns for business cybersecurity to meet the challenges of today’s hostile environment. The international insurance underwriter Hiscox recently released its Hiscox Cyber Readiness Report 2019 and the news was not good. The report showed that the number of cyber attacks has increased and that businesses of all sizes are being targeted. While cybersecurity spending has increased fewer companies have attained appropriate levels of cyber strategy and execution. The report included findings from companies located in Belgium, France, Germany, The Netherlands, Spain, United Kingdom, and the United States.
Trends in Cyber Attacks
Increases in the number of organizations reporting incidents of cyber attacks have occurred over the past year. While larger businesses are more likely to experience these attacks, large increases in rates among medium and small size firms have occurred. Reported losses from these attacks have increased by over dramatically, but the true value of damage done from loss or compromise of sensitive data is impossible to truly assess. While cybersecurity spending has increased by as much as 24%, the number of firms rated as having adequate cyber strategy and execution has fallen.
Particular Concerns for Business Cybersecurity
Supply Chain Vulnerabilities
Large numbers of companies reported incidents involving their supply chain in the last year. A majority of these organizations now recognize these vulnerabilities and are including cyber Key Point Indicators (KPI) in their contracts with suppliers. Other efforts included increased audit and evaluation of their supply chain.
Cloud Vulnerabilities
There was a marked increase in cloud vulnerabilities in the last year with 22% of respondents reporting outages from third-party cloud providers. This is a 9% increase from the previous year. This increase is likely due to more firms using cloud based solutions for sensitive data.
Costs of Losses
The mean losses from cyber attacks to businesses has risen as much as 61% in the last year. These losses were seen in all businesses regardless of size or sector. The greatest increases were seen in large businesses with between 250 and 999 employees.
Cyber Maturity
Overall progress in attaining effective cybersecurity programs has stalled out even though increases in cybersecurity spending have occurred. Of those who participated in the survey, 74% fell in to the Novice classification. This assessment included strategy, oversight, resourcing, technology, and processes. Of special concern, the United States ranked among the lowest in this category.
Some Take Aways
Businesses are beginning to take notice and are becoming less complacent. Many are being prompted by increased regulation from governments and those companies they supply goods and services to. Cybersecurity is an interdependent undertaking. For an fully effective program an Information Security Management System (ISMS) should be employed. A good example is ISO/IEC 27001. It employs a comprehensive that includes processes, people, and IT systems to maintain data security. Because it uses a constant improvement model, it can remain adaptable to changing threats through a risk management approach.
CVG Strategy
CVG Strategy shares your concerns for business cybersecurity. We are committed to helping businesses secure their vital data. CVG Strategy can establish ISO 27001 and NIST 8001-171 programs that incorporate security architecture, detective controls, and preventative controls. We provide training so that a cooperative and coordinated effort can be made by all involved. We are also committed to helping those who provide serviced and goods the the U.S. Department of Defense in achieving requirements for Cybersecurity Maturity Model Certification (CMMC). Contact Us to see how we can help.
Effective Test Program Management Requires Planning
Effective Test Program Management can add value to product development when its true value has been identified. Too often product testing is left to the last moment, calls are made to test laboratories to ask what testing is required. Equipment and somebody from the engineering team is transported off to a test lab and money and time is spent. Hopefully testing is “passed” and requirements have been met to sell the product, but what has really been accomplished?
The Role of the Test Lab
Test Laboratories offer valuable services. As such, finding a lab that can fill your requirements, provide flexible scheduling, and help keep the project in budget is important. Maintaining good working relationships with those facilities is important.
The role of the lab, however, is by definition limited. As an accredited third party evaluator they cannot act as an advocate for your product. They can recommend a test matrix or provide a minimum criteria for product certification but ultimate responsibility for what testing is done lays with the test program manager. Recommendations for testing should be reviewed in detail however as in many instances unnecessary testing may be performed.
The Role of the Test Program Manager
Assessing Test Requirements
Developing a thorough understanding of relevant standards and compliance requirements is the responsibility of the test program manager. Understanding the procedures to be performed will allow for proper scheduling. It will also help in the development of appropriate fixtures, simulation equipment, and monitoring equipment.
Looking Beyond Compliance
Because product liability is becoming an increasing issue, product testing must consider testing beyond compliance requirements. Performing a Life Cycle Environmental Profile and/or Susceptibility Analysis can be valuable in identifying product vulnerabilities. A test matrix can then be created that includes appropriate evaluation methodologies to verify a design’s safety and ability to maintain customer satisfaction.
Test Program Documentation
Test Labs are beset with requests to perform testing without sufficient documentation. While many types of testing are not tailorable, most standards still require documentation that provides descriptions of operational modes, power requirements, emergency shutdown procedures, and definitions of normal operation. This documentation allows test lab personnel to make evaluations based on pass/fail criteria specific to the equipment being tested. For those test methodologies that do require tailoring such as MIL-STD-810 or EN 61326-1:2013 test plans must be developed that specify procedures, severities, and appropriate data collection.
Hardware for Testing
Time must be taken to design and construct the equipment needed for test. This equipment may include:
Vibration Fixtures
Extension Cables
Simulation Equipment
Stimulation Equipment
Monitoring Equipment
Dummy Loads
Care should be taken to consider test lab chamber and facility limitations when designing this equipment. Simulation, stimulation, and monitoring equipment are extremely important in capturing intermittent failures. This equipment is also required for pretest, during test, and post test functional and operational checks.
Many people will have the test lab provide a vibration fixture. Test lab fixtures are often in a constant state of modification as customers drill holes for their tests. This means that even if the same piece of hardware is available at subsequent tests it will not be the same as when used before. This may degrade the ability to accurately recreate previous testing. Therefore it is considered a best practice to have a custom fixture.
Test Witnessing
Effective test program management requires active test witnessing. Care must be taken to ensure that testing is performed as prescribed in the test plan. Proper set up and pre-test operational testing should confirm that the equipment under test is working and functional. Test witnesses can often assist lab personnel by monitoring equipment and confirming the status of the equipment. Test witnesses should also collect data over and beyond that required by the lab so that test can accurately be reproduced. Should any failure of test be encountered, the test witness should gather all data relevant for later analysis. The witness should also, when appropriate, troubleshoot and determine root causes for failures.
Documentation
Documentation of testing should be created from test witness gathered data and test lab reports into a summary document that provides an overview that can be used to show due diligence and act as a guide for future product development in term of “lessons learned. Any certifications or right to mark with regard to compliance testing should be noted as well.
CVG Strategy
CVG Strategy’s Test and Evaluation experts offer Test Program Management and Witnessing to assist you in getting real value from your testing program. Contact Us to see how we can put decades of experience in commercial and defense testing to work for you. Our experience includes climatic, dynamic, and EMI/EMC.
MIL STD 810H Humidity Method 507.6 is a test method for evaluating products that are likely to be stored and/or operated in a warm, humid environment. MIL-STD-810Environmental Engineering Considerations and Laboratory Tests is a Department of Defense (DoD) standard for military and commercial applications. It is a series of laboratory test method that replicate the effects of environments on products. These methods are meant to be tailored to the specific environmental effects expected during the life cycle of the product. This is an important consideration because there are few definable goal posts in this standard. Tailoring is required because the environmental effects likely to be encountered on equipment designed for aircraft, for example, will be quite different from those found on a vehicle.
Effects of Humidity
The effects of humidity are often overlooked when faced with more obvious environmental stressors such as temperature, shock, and vibration, but there are numerous physical and chemical effects that humidity can take place both within and on the exterior of equipment. For surface effects; oxidation, electrochemical breakdown of coatings, interaction with deposits of materials that produce corrosive films, and changes in friction coefficients. Other effects include; loss of physical strength of materials, degradation of insulative properties, changes in elasticity or plasticity, and degradation of lubricants.
Humidity Testing
Humidity is an extremely complex environmental phenomena that is intricately linked with temperature. There a limitations in what a laboratory method can reproduce and simulate. Method 507.6 is comprised of two procedures.
Induced (Storage and Transit) and Natural Cycles
Aggravated
For procedure I, induced cycles of temperature and humidity are used to simulate various storage and transit scenarios where equipment is packaged or stored in environmentally uncontrolled warehouses. The standard points out that multiple tests may be applicable for storage or transit based on the nature of those sequences and nature of packaging. Natural cycles are intended for the testing of equipment in its intended environmental conditions.
Procedure II exposes the test item to more extreme temperature and humidity levels than those found in nature, but for shorter durations. While this can be an advantage for early detection of design vulnerabilities, results may not accurately represent those found in nature.
Climatic Considerations
Conditions of humidity vary considerably across the globe. MIL-HDBK-310 defines three geographical categories that are used for generation of cyclic profiles.
B1 – Constant High Humidity
This profile is representative of conditions found in heavily forested areas with little solar radiation exposure. Geographical locations typical of this profile are Congo and Amazon Basins, the jungles of Central America, Southeast Asia (including the East Indies), the north and east coasts of Australia, the east coast of Madagascar, and the Caribbean Islands.
B2 – Cyclic High Humidity
B2 profile occurs in the same areas as B1 but is more representative of urban areas where solar radiation exposure is expected. Solar radiation when present in the diurnal cycle creates a wider variance in temperature and humidity.
B3 – Hot-Humid
This profile is found in areas near bodies of water with high surface temperatures, specifically the Persian Gulf and Red Sea. Testing for this extreme condition does not verify the unit under test’s ability to endure the rigors of B1 or B2.
Additional Categories
Additional categories are provided for induced environments where temperatures as high as 160 °F (66 °C) can be reached for enclosed environmental conditions where little or no cooling air is available. These induced categories are meant to replicate various transport and storage scenarios.
Test Duration
The effects of humidity require lengthy test durations to evaluate potential degradation. Often testing is not performed at adequate lengths to provide meaningful data. MIL STD 810H Humidity Method 507.6 durations are shown in the table below.
Hazardous Items
MIL-STD-810 states that hazardous test items will generally require longer tests than other items to achieve a desired confidence. The standard defines Hazardous test items as “those in which any unknown physical deterioration sustained during testing could ultimately result in damage to materiel or injury or death to personnel when the test item is used”. It calls for double the number of cycles for hazardous items.
Non-Hazardous Items
For Natural Cycles, generally intended for operational testing, Method 507.6 calls for 15 to 45 tewnty-four hour cycles of testing dependent on which geographical area the equipment may be used in.
Aggravated Cycles
For Aggravated testing per Procedure II, ten cycles are recommended in addition to a 24 hour conditioning period. Again the proviso for lengthening for hazardous items is called out but no exact measure is indicated.
MIL-STD-810 H Table 507.6 II Test Cycles (days)
The Conundrum
For humidity testing there is often more questions than answers. Today’s defense and commercial equipment is liable to be used anywhere in the world. Given that time and money are major concerns for most product developers, it is unlikely that resources are available for testing all climatic categories for transit, storage, and operational profiles. While Aggravated testing is tempting due to its shortened test length it may not provide realistic findings. Unless product specifications specify exact testing requirements difficult decisions must be made.
Huawei’s Legal Problems in the United States continue on multiple fronts. The Chinese tech giant has been the target of the U.S. Senate, The Department of Justice, and has had a case against U.S. Government contracts ban dismissed before going to court.
Department of Justice Actions
In an ongoing indictment the U.S alleges that Huawei participated in a fraudulent scheme to export banned U.S. goods and technologies for its business in Iran. Although Huawei has denied these allegations, Reuters has reported that recently released company records show that the company was directly involved in these actions. This could lead to Huawei’s chief financial officer, Meng Wanzhou’s extradition from Canada where she is being held on bank fraud and other allegations.
US Senate Actions
The U.S. Senate approved a bill that would replace Huawei Technology Co. telecom equipment in rural areas. The bill would provide $ 1 billion in funding for approximately 40 rural carriers to replace equipment that could be used by the Chinese government to spy on communications routed through their equipment. The bill will now move on to President Trump who will likely sign it into law. Telecommunications Industry Association chief executive David Stehlin commented that the legislation was “a critical step in securing our network and ensuring the integrity of the telecommunications supply chain as we usher in the 5G era.”
Case Dismissed
A lawsuit that challenged a U.S. law barring the government from using Huawei equipment, was dismissed in a federal court in Texas before going to trial. This ban further underlines the U.S. governments security concerns of using the company’s products. These concern has been very strong among lawmakers in both parties in light of continued cyberattacks and intellectual property theft by agents of the Chinese government.
What This Means for U.S. Businesses
Businesses will have to exercise increased vigilance regarding the security of intellectual properties and technologies. This will involve developing and improving processes involving export compliance and cyber security. CVG Strategy has the expertise to help businesses of all sizes meet these challenges. Contact Us today to see how we can help.
Electronic products have Electromagnetic Pulse Vulnerabilities that could cripple infrastructure systems across the planet. It is a serious concern that a number of agencies have reported on at length. The Critical National Infrastructure Commission report of 2008 is one such example that outlines some dire possibilities.
Electromagnetic Pulses (EMP) can be both natural and man made. Naturally occurring, these transient electromagnetic disturbances can be caused by lightning strikes, meteor explosion in earth’s atmosphere, or Coronal Mass Ejections (CME) caused by solar flares. Man made disturbances include High Altitude Electromagnetic Pulses (HEMP) created by a nuclear explosions as high as thirty km above sea level and a variety of smaller weapons designed to disable pinpoint targets.
EMP events have a wide frequency range from DC to 1 GHz that have a duration of several nanoseconds. This results in electric fields in thousands of Volts that can induce extremely high currents into electrical and electronic systems resulting in damage or complete destruction. For those events caused by nuclear explosion, a second low frequency current caused by the disruption of the Earths magnetic field can cause major damage to power distribution systems.
Designing for EMP
A number of steps can be taken at the design stage for equipment that is considered safety critical. These include screening, filtering of all power and I/O leads, and inclusion of voltage limiting components into a circuit. Once a design has been implemented a variety of test methodologies are available for design evaluation. While most of these involve military standard developers of products for commercial applications are often not restricted from their usage. For example MIL-STD-461 RS105 is a standard used for shipboard equipment above and below deck to verify equipment’s ability to withstand transient electromagnetic field events.
Consideration of inclusion of such testing into a test program should be taken for equipment that is critical to infrastructure requirements. These types of equipment could include:
Electric Power
Telecommunications
Financial Service Industry Information Systems
Petroleum and Natural Gas Infrastucture
Transportation Infrastructure
Water Infrastructure
Food Infrastructure
Emergency and Health Services
CVG Strategy
CVG Strategy EMI/EMC consultants can perform a Susceptibility Analysis to identify Electromagnetic Pulse Vulnerabilities and provide design modifications to create products that can endure EMPs. We can also recommend appropriate test and evaluation methodologies to verify these designs. Contact us today to see how we can help.
