Critical Infrastructure News

DHS Wants to Make Cyber Info Sharing Smarter, Secretary Says

The Homeland Security Department wants to upgrade its system for sharing cyber threat information with industry so companies receive information that’s more tailored to the threats they’re facing, Secretary Kirstjen Nielsen said Tuesday.

Homeland Security’s automated indicator sharing program has come under scrutiny from the department’s own inspector general, which said DHS frequently bombards companies with more indicators than they can act on and gives little indication of which ones are most important.

In the future, officials hope to tailor information streams for particular sectors and companies, Nielsen told lawmakers on the Senate Judiciary Committee.

The department also hopes to gain a better understanding of what U.S. infrastructure is most important to secure against cyberattacks, Nielsen said.

Currently, Homeland Security has defined 16 “critical infrastructure” sectors that are vital to national security and should be guarded against physical and cyberattacks. Those sectors include energy utilities, dams and transportation hubs such as airports and train stations.

In the future, the department plans to focus more on “essential functions that may cross sectors” and work with the private sector to ensure those functions are secure, Nielsen said.

Nielsen, who took office in December, joined her predecessors in urging Congress to reorganize the department’s cyber and infrastructure protection agency, including changing its name from the National Protection and Programs Directorate.

“Do you know what NPPD is? Nobody does. That's the point,” Nielsen said, in response to a question from Sen. Sheldon Whitehouse, D-R.I.

Homeland Security is not asking Congress for new cyber authorities beyond the NPPD reorganization, Nielsen told Whitehouse, saying the department’s cyber authorities in various areas are sufficient.


Trisis has the security world spooked, stumped and searching for answers

At first, technicians at multinational energy giant Schneider Electric thought they were looking at the everyday software used to manage equipment inside nuclear and petroleum plants around the world. They had no idea that the code carried the most dangerous industrial malware on the planet.

More than four months have passed since a novel, highly sophisticated piece of malware forced an important oil and gas facility in the Middle East to suddenly shut down, but cybersecurity analysts still don’t know who wrote the code.

Since last August, multiple teams of researchers in the public and private sectors have been examining what the perpetrators planted inside a nondescript Saudi computer network. It’s a rare case of malware specially engineered to sabotage industrial control systems (ICS), the gear that keeps factories and refineries running, including the safety systems that are supposed to shut a process down before it becomes dangerous. Manipulating these systems can have a destructive physical impact far beyond the network.

Today, the incident’s magnitude and implications are becoming increasingly clear to the victim, to several foreign governments and to the private sector teams that led incident response. What they all found has been described to CyberScoop as the “next generation of cyberweaponry” — a tool so dangerous that its mere existence significantly intensifies the global digital arms race.

Clues unearthed from September to December suggest that the mysterious shutdown was an unintended side effect of an intricate but flawed cyberattack: the malware’s payload tripped the plant’s safety controllers into a failed-safe state, which halted the process and brought the intrusion to light. The affected company and the teams investigating the incident still have not publicly revealed where it occurred.

One thing is clear about the code: Dubbed “Triton” or “Trisis,” the multi-stage malware framework is unlike anything the security research community has ever seen. It is considered to be just the fifth known variant of ICS-tailored malware. The most recent was “CrashOverride” in Ukraine in 2016, and perhaps the most famous was “Stuxnet” in Iran in 2010.

“Trisis’ impact is simple. It is the first piece of malware which can be used remotely to put civilian infrastructure into an unsafe state,” explained Sergio Caltagirone, director of threat intelligence with Maryland-based cybersecurity startup Dragos Inc. “When things like this happen, plants get shut down, people can get hurt.”

Not only has the case stumped some of the most talented people in cybersecurity forensics, but it also has highlighted the complications and conflicts inherent in investigations that are extremely important to governments but are ultimately controlled by private companies.