Check out the new cloud security requirements for federal agencies. Plus, beware of North Korean government operatives posing as remote IT pros. Also, learn how water plants can protect their HMIs against cyberattacks. And get the latest on the U.S. cyber incident response framework; the CIS Benchmarks; and local and state governments’ cyber challenges.

Dive into six things that are top of mind for the week ending Dec. 20.

1 – CISA issues cloud security mandate for federal agencies

To boost its cloud security, the U.S. government this week released a set of cybersecurity actions that federal civilian agencies will be required to take during the first half of 2025 — mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01 — titled “Implementing Secure Practices for Cloud Services” — from the Cybersecurity and Infrastructure Security Agency (CISA).

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly said in a statement.

The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors, Easterly added. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services.

 
These are the directive’s cloud security requirements at a high level:

• Identify all cloud tenants by February 21, 2025, and update this inventory annually.
• Deploy all assessment tools from CISA’s SCuBA project by April 25, 2025, and report assessment results to CISA.
• Implement all mandatory SCuBA policies by June 20, 2025.
• Implement all future updates to mandatory SCuBA policies.
• Implement all mandatory SCuBA secure configuration baselines.

Agencies may deviate from mandatory SCuBA policies if needed, but they’ll have to identify these deviations and explain them to CISA.

To learn more about cloud security, check out these Tenable resources:

2 – Feds: North Korea plants IT workers to commit fraud in the U.S.

In a years-long fraud scheme, North Korean IT workers have gotten jobs in the U.S. using fake identities, and then have gone on to steal information, such as proprietary source code, and extort their employers.

That’s according to the U.S. Department of Justice, which recently indicted 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft.

The suspects worked as remote IT professionals for front companies controlled by the North Korean government. The six-year cyber conspiracy netted North Korea’s government at least $88 million, as it banked the IT workers’ hefty salaries and extortion payments. North Korea reportedly uses the money to fund its weapons-development efforts.

The North Korean IT workers got jobs with U.S. firms using fake identities crafted via the use of phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites; and by hiding their tracks with proxy computers and virtual private networks.

 
They also duped U.S. residents into unwittingly helping them by recruiting them to receive and set up laptops in their homes, which the fraudsters would then access remotely. That way, victimized employers would think the hired IT workers were based in the U.S.

The indictment “… should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime,” Deputy Attorney General Lisa Monaco said in a statement.

The DOJ is offering a reward of up to $5 million for more information about this fraud scheme and about those involved with the North Korean front companies Yanbian Silverstar and Volasys Silverstar, based in China and Russia, respectively.

The U.S. government issued its first alert about North Korea’s attempts to plant IT workers in the U.S. in 2022 and updated it in 2023 with more due diligence recommendations for employers to avoid falling for the scam. Employers in other countries have also fallen victim to this North Korean IT worker scam.

For more information:

VIDEO

North Korean nationals indicted in scheme using IT workers to funnel money for weapons programs (KSKD News)

3 – Water treatment plants get tips for securing HMIs

Identifying human-machine interfaces (HMIs) as a weak cyber link in many water treatment plants, the U.S. government has published recommendations for protecting these operational technology (OT) components.

The fact sheet “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems” is aimed at helping water and wastewater systems facilities harden remote access to HMIs.

Using HMIs, OT operators are able to read supervisory control and data acquisition (SCADA) systems connected to programmable logic controllers (PLCs). By tampering with HMIs, hackers could disrupt water and wastewater treatment, endangering people’s health.

 
Here are some of the recommendations in the fact sheet, which was jointly published by CISA and the Environmental Protection Agency:

• Inventory all internet-exposed devices.
• Identify HMIs that don’t need to be accessible from the internet and take them offline.
• Secure with a strong password the HMIs that must be connected to the internet.
• Track remote logins to HMIs, including failed and atypical attempts. 
• Protect with multifactor authentication and a strong password the HMI and OT network.
• Segment your network by adding a DMZ or bastion host at the OT network boundary; and by implementing geo-fencing.

For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:

4 – U.S. publishes national cyber incident response plan update

Curious about how the U.S. government would respond to a major cybersecurity crisis? Now you can find out — and give your opinion about it.

CISA has just released an update to the U.S. National Cyber Incident Response Plan (NCIRP), whose current version dates back to 2016, and is asking for the public to comment on it. The NCIRP update has been in the works since October 2023.

“CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision,” CISA said in a statement. 

The NCIRP aims to provide a flexible, agile, coherent and repeatable framework for how the U.S. federal, state and local governments, along with the private sector and international partners, will collaborate to respond to a major cybersecurity incident.

“This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector,” CISA Director Jen Easterly said in a statement.

 
The NCIRP addresses coordination mechanisms, decision points and priority activities; and it focuses on four aspects of the cyber response:

• Asset response to assist affected parties in protecting their assets
• Threat response, which would be led by federal law enforcement agencies like the Department of Justice and the FBI
• Intelligence support, which would be overseen by the Office of the Director of National Intelligence (ODNI)
• Affected entity response, led by the affected federal agencies in coordination with CISA (civilian agencies); the U.S. Cyber Command (Defense Department agencies); or the IC Security Coordination Center (intelligence agencies)

You can provide feedback on the new NCIRP in the Federal Register. The public comment period ends on January 15, 2025.

For more information about cyber incident response planning:

5 – CIS updates Benchmarks for Cisco, Google, Microsoft products

Cisco IOS XE, Google Kubernetes Engine and Microsoft 365 are among the products whose CIS Benchmarks got updated in November by the Center for Internet Security.

Specifically, these secure-configuration recommendations were updated:

In addition, CIS released a brand new Benchmark: CIS Microsoft Azure Storage Services Benchmark v1.0.0. 

The CIS Benchmarks’ secure-configuration guidelines are designed to help organizations harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families in categories including: 

• cloud platforms
• databases
• desktop and server software
• mobile devices
• operating systems

To get more details, read the CIS blog “CIS Benchmarks December 2024 Update.”

For more information about the CIS Benchmarks list, check out its home page, as well as:

6 – Local gov’t cybersecurity hurt by lack of funds, complex threats

Insufficient funding and more sophisticated threats top the list of cybersecurity concerns among U.S. state and local governments.

That’s according to the “2023 Nationwide Cybersecurity Review (NCSR),” a free cybersecurity assessment program from the Center for Internet Security (CIS).

The 4,210 state, local, tribal and territorial government organizations that participated also reported being concerned about: 

• emerging technologies
• lack of cyber incident-documentation processes
• difficulty finding qualified cybersecurity professionals

On the positive side, the number of program participants increased 14%, with K-12 school districts recording their highest participation ever.  

Returning participants saw their cyber maturity level increase by an average of 4%. Those that have participated at least two years scored 23% higher in cyber maturity, while those with nine years in the program scored 41% higher.

Overall, NCSR participants are doing a good job monitoring and protecting their IT environments. They also have incident response plans in place, as well as access-control policies.

Areas for improvement include:

• Risk management
• Disaster recovery plans
• Cyber team understaffing