NIST Seeks Comments on Cybersecurity Reports

SEATTLE—The US National Institute of Standards and Technology (NIST) has recently issued two draft reports on cybersecurity issues of interest to industrial IoT users, and is seeking industry comment before making their final revisions. One report describes the proposed manufacturing profile for NIST’s Cybersecurity Framework. The other addresses cryptography standards and practices for resource-constrained processors.

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, NIST created in 2014 a voluntary Cybersecurity Framework, which is a compendium of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector, the Framework helps guide cybersecurity activities and encourages organizations to consider cybersecurity risks as part of their risk management processes. Profiles, a key element of the Framework, help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. A profile is intended both to help identify opportunities for improving cybersecurity as well as providing a touchstone to compare against in order to prioritize process improvement activities.

While organizations are encouraged to develop their own custom profiles, NIST-issued profiles can serve as a roadmap for that effort in specific industry sectors. The recently released draft Manufacturing Profile focuses on the desired cybersecurity outcomes for manufacturing systems and provides an approach for achieving those outcomes. It defines specific cybersecurity activities and outcomes for the protection of the manufacturing system, its components, facility, and environment.

The report, issued in early September, is not yet finalized. NIST seeks additional input from the manufacturing industry on the draft profile to help refine it further before publication. Control engineers, system administrators, line- and senior-level managers, and researchers are all encouraged to review the document and return comments to (Subject: “Draft CSF Manufacturing Profile”). The deadline for receiving comments is November 4, 2016.

The second cybersecurity report, DRAFT NISTIR 8114 — Report on Lightweight Cryptography, outlines NIST’s effort to develop a strategy for the standardization of lightweight cryptographic primitives such as block ciphers, hash functions, and message authentication codes. Such primitives can help developers achieve a better balance between security, performance, and resource requirements in specific resource-constrained environments than the more general-purpose conventional cryptographic standards.

The draft report first defines the kinds of target devices the lightweight cryptography standards aim to serve, and describes the performance metrics for evaluating alternatives. It then describes the types of primitives available, lists the NIST-approved implementations of these primitives, and summarizes the existing industry standards for lightweight cryptography. Following this overview of lightweight cryptography, the report discusses how NIST seeks to arrive at its standard.

Rather than using the kind of competitive proposal and evaluation method it employed in setting the AES block cipher and SHA-3 hash function standards, NIST has adopted an open call for proposals to standardize algorithms. In addition, NIST is seeking information to help it define application profiles. It will then use these profiles as the basis of its call for proposals, which will request proposals that offer good solutions for the specified profiles.

To help develop these profiles, NIST asks lightweight cryptography stakeholders a series of questions in the draft report. Questions include:

  • What is the application?
  • Are any cryptographic algorithms currently used by the application?
  • If so, which algorithms and what motivated the choice for them?

A total of 18 multi-part questions are listed in the draft report to support the identification and categorization of the profiles that NIST will develop. Stakeholders need to provide their answers before October 1, 2016 to ensure consideration. NIST will then hold a Lightweight Cryptography Workshop on October 17-18, 2016 to discuss the profiles as well as to compare tools and methods.


President Barack Obama on 19th Feb 2016 sought a surge in funding to counter cyber security threats, as his top intelligence official warned Congress that computer attacks were among the most imminent security challenges facing the United States.

In his fiscal 2017 budget proposal, Obama asked for $19 billion for cyber security across the U.S. government, an increase of $5 billion over this year.

Cyber threats are “among the most urgent dangers to America’s economic and national security,” Obama said in a Wall Street Journal

The request for a cash infusion is the latest signal that the White House intends to make cyber security a priority in the last year of Obama’s presidency.

It follows a series of high-profile hacks against the government and companies like Sony Pictures and Target that were largely met with legislative inaction and administrative uncertainty on how best to address evolving cyber threats.

Those difficulties played out publicly last year when the Office of Personnel Management announced it had fallen victim to a hack that lifted sensitive information on roughly 22 million individuals from its databases.

The White House issued an executive order setting up a presidential commission on cyber security, which would make recommendations for strengthening defenses over the next decade. A new position of federal chief information security officer also would be established.

A government watchdog report last month concluded the government’s cyber defense system, known as Einstein, is ineffective at combating hackers.

Obama also signed another executive order creating a permanent Federal Privacy Council, which aims to connect privacy officials across the government to develop comprehensive guidelines for how personal data is collected and stored.

The president’s budget proposal also called for $62 million to expand efforts to attract and retain qualified cyber professionals working for the government.


Telecommunications Sector Security Reforms: Raising the bar too high?

When it comes to cyber-crime and national security, the Government understandably needs to take a robust approach to dealing with threats. The Telecommunications Sector Security Reforms or the Telecommunications and Other Legislation Amendment Bill 2015 (the Bill) is the latest in a series of new and proposed legislation directed at cyber-crime and national security, including the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth),  the Copyright (Online Infringement) Amendment Act 2015 (Cth) and the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.

What does the Bill propose?

The Bill proposes to amend the Telecommunications Act 1997 (Cth), Telecommunications (Interception and Access) Act 1979(Cth), and other legislation to include:

  • new security obligations on carriers and carriage service providers to take ‘all reasonable steps’ to protect their networks and facilities from unauthorised access and interference, including demonstrating ‘competent supervision’ and ‘effective control’;
  • new obligations on nominated carriers and carriage service providers to notify the Government of proposed changes to their networks and services that could compromise these security obligations (e.g. new services, off-shoring network equipment and outsourcing arrangements);
  • new powers for the Government to request information from carriers and carriage service providers and issue directions to manage security risks; and
  • civil enforcement to address carrier and carriage service provider non-compliance, including Federal Court proceedings for pecuniary penalties, injunctions and enforceable undertakings.

Taken in the context of other existing and proposed cyber-crime and national security legislation, the Bill arguably means that, in order to avoid sanctions, carriers and carriage service providers now need to: implement network security measures under multiple legislative instruments and regimes; implement capabilities to record and retain metadata relating to network traffic; implement network emergency and intercept capabilities (extending to the content of communications); provide the Government with network information, access and control under multiple legislative instruments and regimes; notify the Government and the public of serious data breaches; and implement capabilities to identify offenders and disable access to online locations using their networks. All this while providing carriage services to the public that remain competitive in terms of technology, performance and price.

How has the Bill been received?

An exposure draft of the Bill was first introduced in June 2015 and then revised in November 2015 following initial industry consultation and feedback. In the context of an already highly regulated industry, it is no surprise that the Bill has been met with strong opposition. The key issues raised by industry stakeholders were that:

  • industry already has a collaborative working relationship with Government and there is no evidence to suggest the existing legislative regime is deficient;
  • it is unclear how the proposed reforms will deliver the stated aim of identifying and mitigating risks to national cyber-security arising from the build and operation of telecommunications networks;
  • outsourcing and off-shoring are integral parts of 21st century business operations and Government restrictions or control over these arrangements will significantly impact costs and innovation;
  • Government involvement in technology development and roll out will halt network innovation in Australia and result in Australia being left behind;
  • Government acknowledges implementing the reforms will be costly, however, there is no clear cost recovery or funding model; and
  • the costs of complying with these reforms will deter investment in new technology and result in increased consumer prices.

What is the rest of the world doing?

The USA, Canada and UK appear to have taken a different and more collaborative approach – working together with industry to combat cyber-crime and national security threats. In the USA the Cybersecurity Enhancement Act 2014 supports the development of voluntary, industry-led cyber-standards and best practices for critical infrastructure and only imposes regulations as a last resort. Similarly, in Canada the Canadian Security Telecommunications Advisory Committee developed the Canadian Telecommunications Service Providers’ (TSP) Security Best Practices, which are voluntary standards for self-evaluating existing network security policies. In the UK, the government committed to the National Cyber Security Strategy in 2011 which again focuses on facilitating information sharing between industry stakeholders to identify and deal with cyber-crime and national security threats. This industry-led approach not only leverages the front-line expertise of carriers and carriage service providers, but is arguably more flexible and adaptive to technological progress and market forces.

What’s next?

The Cyber and Information Security Policy Branch of the Attorney-General’s Department accepted submissions relating to the Bill until 18 January 2016. It remains to be seen whether the final Bill will accommodate industry feedback and follow the more collaborative approach taken by other key jurisdictions.

This article was originally published in

Algorithm & Analytics driving digital economy

Algorithm and Analytics – What you should know?

In today’s digital economy, many will have noticed that most of the billion-dollar companies have built platforms that allow the B2B and B2C segments to meet their needs using ‘algorithms’ and ‘analytics’. A variety of interconnected terms come with this, such as ‘IoT’, ‘Big Data’, ‘M2M’ and so on.

When I started exploring its importance in the digital economy, it was too late for me; having said that, it is worth sharing here for all of you (who are not aware of it). Here are a few insights on how the legacy business models of the respective industry segments have been disrupted by ‘Algorithm & Analytics’:

  • The Chinese government has contracted China Electronics Technology Group to develop technology, similar to the big data surveillance used in the sci-fi thriller “Minority Report,” that can predict acts of terrorism before they occur based on large amounts of surveillance data.
  • Amazon’s recommendation engine and Google’s PageRank are a couple of the many examples of the spectrum of transformative business models — and competitive differentiation — that algorithms have made possible. CIOs need to take note of a future where algorithmic business goes autonomous.
  • Scaling your business in an algorithmic economy – Traditional industries have been using algorithms for decades. The difference now is the huge quantity of unstructured data continuously generated by H2M and M2M interconnections, which calls for machine learning algorithms.
  • StreetScore is an algorithm that assigns a score to a street view based on how safe it looks to a human — but using a computer. Algorithms that quantify urban perception can help us study crime patterns, gentrification and other phenomena of interest to urban economists, urban planners and architects.
  • The power of advanced audit analytics – Leading academics in accounting, for example, have argued that audits should be a continuous rather than an annual process. Analytics, artificial intelligence, and direct linkages to transaction systems will allow audit processes to uncover anomalies in real time, all the time.
  • The banking industry is driving algorithms that analyze, model, and predict the stock market. These algorithms are based on Artificial Intelligence (AI) and Machine Learning (ML), and incorporate elements of Artificial Neural Networks and Genetic Algorithms. Ref 1, Ref 2
  • Programs that help Hollywood studios to identify, enhance and deliver on-screen success, and guide investors in the creation of winning film investments – with the selection and development of scripts by identifying likely successes and probable ‘turkeys’. Ref 3
  • Traditional solutions, which continue to fall short in detecting and stopping threats, can be enhanced with big data analytics.
  • ‘Big data analytics + security technologies = stronger cyber defense posture’. Ref 4, Ref 5
  • Telcos will need advanced data analytics to offer increased automation, predictive features, and creative use of AI and machine-learning techniques. They need to employ data analytics to create behavioral models to fully enable the services and provide customer control features. Ref 6, Ref 7, Ref 8
  • The truth about ‘Smart Cities’ is that there is only one way they can become truly ‘smart’: through data and analytics. Algorithms are also a fundamental tool for transforming big data, first into useful analytics and eventually into action. Smart cities will rely heavily on data and algorithms. Ref 9, Ref 10, Ref 11
  • Healthcare: chronic illness prediction and prevention, scoring the quality and efficiency of care, on-demand peer cost comparison, preventing adverse drug reactions, understanding the prescribing habits of physicians.
  • Manufacturing: improving manufacturing processes, custom product design, better quality assurance, managing supply chain risk.


[The End] Thanks for reading.

Should you think of leaving a comment below that helps to correct, improve and enhance my upcoming posts, please feel free to do so.


IoT security guidelines released by GSMA

The GSMA released a set of security guidelines for the Internet of Things (IoT) in a bid to ensure services are reliable and trustworthy.

They take the form of separate documents targeted at the major component parts of the IoT value chain, such as the service, network and terminal. The idea is that by following these guidelines, the industry will develop IoT services and devices with security baked in from the start.

“As billions of devices become connected in the Internet of Things, offering innovative and interconnected new services, the possibility of potential vulnerabilities increases,” said the GSMA’s chief technology officer Alex Sinclair, in a statement.

“These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed,” he said. “A proven and robust approach to security will create trusted, reliable services that scale as the market grows.”

The primary audience for the IoT Security Guidelines are:

  • IoT Service Providers – enterprises or organisations who are looking to develop new and innovative connected products and services.
  • IoT Device Manufacturers – who provide IoT devices to IoT service providers, in order to enable IoT services.
  • IoT Developers – who build IoT services on behalf of IoT service providers.
  • Network Operators – who provide services to IoT service providers.

In addition to outlining technologies and techniques to address potential threats, the guidelines also establish the need for risk assessment of an IoT service to ensure they are designed to securely collect, store and exchange data, and successfully mitigate cybersecurity attacks.

Reviewed by academics, analysts and industry experts, the guidelines have also been backed by a number of industry players, from operators like AT&T, Etisalat, NTT DoCoMo, and Orange, to vendors including Ericsson, Gemalto and Telit, among others.

“Security is paramount to something that touches and influences our lives as deeply as IoT. These guidelines are a vital initiative towards realising the vision of a robust and highly secure IoT ecosystem,” said Cameron Coursey, vice president of product development at AT&T’s IoT solutions unit.

The GSMA’s announcement follows a warning issued by Telefonica in late January that not enough is being done to address the security threat to IoT services.

The set of guideline documents promotes a methodology for developing secure IoT services to ensure security best practices are implemented throughout the life cycle of the service. The documents provide recommendations on how to mitigate common security threats and weaknesses within IoT services.

The scope of the document set is limited to recommendations pertaining to the design and implementation of IoT services and network elements. This document set is not intended to drive the creation of new IoT specifications or standards, but will refer to currently available solutions, standards and best practice.

Cyber Security – Major trend likely to impact business

According to the “2016 Deloitte Analytics Trends” report, organizations with a sophisticated approach to cybersecurity are no longer satisfied with locking the doors after the robbery has been committed. International Data Corporation (IDC) estimates that US federal government agencies alone would spend more than $14.5 billion on IT security in 2015, and that the worldwide financial services industry would spend $27.4 billion on information security and fraud prevention.

Companies adopting these types of offensive steps will no doubt find that they need new capabilities. Many cyber professionals don’t have the skills to do predictive threat intelligence or predictive analysis of past breaches. At the very least, extensive collaboration between analytics and cyber professionals may be required. And cybersecurity projects will need to rapidly move up the priority list for analytics groups.

The US president has announced a new Cybersecurity National Action Plan, backed by his proposal to increase federal cybersecurity funding by more than a third, to over $19 billion. The plan addresses both short-term and long-term threats, with the goal of providing every American a basic level of online security.

In his words: First, I’m proposing a $3 billion fund to kick-start an overhaul of federal computer systems. It is no secret that too often government IT is like an Atari game in an Xbox world. The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way. Going forward, we will require agencies to increase protections for their most valued information and make it easier for them to update their networks. And we’re creating a new federal position, Chief Information Security Officer—a position most major companies have already adopted—to drive these changes across government.

Second, we’re stepping up our efforts to build a corps of cyber professionals across government to push best practices at every level. We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office. I want this generation of innovators to know that if they really want to have an impact, they can help change how their government interacts with and serves the American people in the 21st century.

Third, we’re strengthening our partnerships with the private sector to deter, detect and disrupt threats, including to the nation’s critical infrastructure. Yesterday, we inaugurated a new cybersecurity Center of Excellence, which will bring together industry and government experts to research and develop new cutting-edge cyber technologies. We’re also establishing a national testing lab, where companies can test their systems’ security under simulated attacks. And because every enterprise is potentially vulnerable, the Small Business Administration is offering cybersecurity training to over 1.4 million small businesses and their workers.

Fourth, we’re doing more to help empower Americans to protect themselves online. In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone. At the same time, leading technology firms like Google, Facebook, Dropbox and Microsoft are making it easier for millions of users to secure their online accounts, while credit-card and payment companies such as Visa, MasterCard and PayPal are making transactions more secure.

Finally, because government doesn’t have all the answers to these complex challenges, we’re establishing a bipartisan Commission on Enhancing National Cybersecurity to focus on long-term solutions. Working together, my administration and congressional leaders will appoint top business, strategic and technology thinkers from outside government to provide specific recommendations for bolstering cybersecurity awareness and protections across the public and private sectors over the next decade.



Importance of ‘Cyber Security’ in the Middle East

The Middle East is not prepared for a major cyber attack. In a recent article published in , the author asks: What would happen to any GCC country if a cyber attack significantly degraded or disrupted the electric power grid, the water desalination and distribution system, the oil and gas pipeline network, air traffic control or airline operations, hospital networks, banking systems, stock markets or even motorway traffic controls? Imagine any GCC city deprived of its mobile telephone system or connectivity to the internet for just a day.

There is little such regulation in the Middle East. Less money is being spent on the defensive side of cyber security, and there are fewer experts dedicated to protecting networks in this region than in comparable countries elsewhere.

DarkReading has released a list of what it deems the “boldest” cybersecurity predictions for 2016. Among the threat predictions are that a cyberattack will impact the 2016 presidential race, that there will be a significant rise in extortion attacks, and that we’ll see the creation of borders within the Internet “that divide access to information along country lines.”

However, there is good news too.

The National Electronic Security Authority (NESA) is a UAE federal authority that operates under the Supreme Council for National Security. NESA is responsible for the advancement of the nation’s cybersecurity, expanding cyber awareness and creating a collaborative culture rooted in information technology and innovation. NESA has officially announced the publication of a range of key strategies, policies and standards to align and direct national cybersecurity efforts in the United Arab Emirates (UAE). The announcements were made during a briefing session in Abu Dhabi on June 25th, 2014 with senior officials representing federal and local entities from the entire spectrum of the UAE Government, as part of the ‘National Cyber Security Program’.

The growing security threat posed by cyber-attacks as Saudi Arabia becomes ever more reliant on IT has led to the development of a national information security strategy (NISS) and increasing investment in cybersecurity. Demand for cybersecurity products comes from both the government and private sectors. “Cybersecurity is big business in Saudi Arabia. All the major companies have dedicated significant budgets to ensuring they have the proper protection,” Jean Yves Tolot, CEO of the electronic security firm Thales, told OBG.

This has drawn a large number of multinational IT and security companies to the market, with some of them forming innovative partnerships with local IT and telecommunications firms. Meanwhile, one challenge for the Saudi cybersecurity industry will be training sufficient numbers of people to meet the growing demand for technical experts in the field.

In 2011 the Ministry of Communications and Information Technology began developing the NISS. Its objectives include increasing the security and integrity of online information; promoting greater use of IT; developing resilience in information systems; increasing awareness of security risks; and creating national guidelines for information security management based on international standards and best practices.

According to the NISS, “National and international interconnectivity create significant new vulnerabilities and present new types of threats to the Kingdom’s economic and cultural activities. These new threats could in some cases shutdown, corrupt or even destroy critical information and communication technologies (ICT) systems.” Such threats include the possibility that an adversary might “seize control and use an ICT system to directly harm or go against the Kingdom’s interests”.

Among the most serious cybersecurity incidents in recent years was the August 15, 2012 cyber-attack on Saudi Aramco, which damaged 30,000 of the firm’s computers. According to Saudi Aramco executives and the Ministry of Interior, the attack was designed to hurt the Saudi economy by shutting down Saudi Aramco’s exports and imports of oil and gas.

“The opportunities in cyber are enormous, both in the defence and commercial sectors,” Andy Carr, CEO of BAE Systems Saudi Arabia, told OBG. Indeed, Saudi Arabia’s cybersecurity market is predicted to expand by 30% between 2014 and 2016 to $37.5bn, according to a 2014 study by the George Mason University School of Public Policy.

Non-military branches of government investing in cybersecurity range from city administrations to the Capital Market Authority. For instance, government cybersecurity spending in 2013 included $20m at the Saudi Arabian Monetary Agency, $8.7m at the Ministry of Petroleum and Mineral Resources, over $10m at Saudi Airlines, and $12m at the King Abdulaziz City for Science and Technology, according to the conveners of the Digital Security Summit.

A 2014 study by the George Mason University School of Public Policy described the Saudi civilian cybersecurity market as centred around protection of energy systems and the e-commerce space, with the provision of data management and cyber-attack detection and prevention services critical to the former. According to the same study, the Kingdom’s e-government campaign to streamline and construct electronic databases also offers foreign firms opportunities to enter the Saudi cybersecurity market. Potential partners in this area include the Saudi Electronic Data Interchange, which manages government transactions; the eGovernment Service Bus Programme, which is centralising online government databases; and Tabadul, the Saudi Arabian Electronic Info Exchange Company, which manages public investment in IT infrastructure.

Among the most eyecatching cybersecurity partnerships between a foreign and Saudi firm in recent years is the global security operations centre (SOC) set up in Riyadh jointly by IBM and Saudi Arabian mobile operator Mobily in July 2013. The centre is located inside Mobily’s data centre, which has been granted tier IV design and construction certification by Uptime Institute, the data centre authority. According to IBM, the SOC is completely self-contained and its activity logs never leave Saudi Arabia. The centre uses IBM security services infrastructure to assist analysts with the aggregation, correlation, analysis and prioritisation of security logs and events.

The SOC will draw on IBM’s expertise in analysing over 15bn daily security events from devices located in more than 140 countries. Khalid Al Kaf, CEO of Mobily at the time of the SOC’s opening, said that the SOC had been conceived as a response to the “increasing security threats [arising] globally from the adoption of new and existing technologies”. He said that cybersecurity was increasingly important to the business sector in Saudi Arabia as companies viewed securing their data as critical to protecting their reputation and value.

In May 2014, the alliance between IBM and Mobily was selected by the Ministry of Education to help boost the ministry’s information security. Under the agreement, IBM and Mobily will provide services including real-time analysis and an early warning system for potential threats, development of security correlation and analytics capabilities, and protection against third parties gaining access to the ministry’s data from abroad.

Cisco’s whitepaper predicts that the Middle East and Africa will experience the highest CAGR, at 72 percent, increasing 15-fold over the forecast period.

Cyber activism in the Middle East has so far been politically or ideologically motivated. DDoS attacks or “cyber vandalism” against websites of governments are the most typical form of cyber warfare techniques in the MENA.

As some of the region’s governments are heading towards implementing e-government applications, as well as encouraging the private businesses to be more technology-friendly, the region will become more prone to money-driven cyber-attacks. The lack of sufficient cyber security precautions could make the damage bigger.

In December 2015, a hacker stole customer data from a UAE bank and requested a US$ 3 million “ransom” in bitcoins. This is nothing but the start of a trend to grow in 2016. Several more recent attacks have shown that professional cyber criminals have recently been taking advantage of the undeveloped cyber infrastructure in the region.

Qatar’s  has put efforts into addressing current and emerging threats and risks, in light of the strategic thrusts of Qatar’s National ICT Plan 2015 to protect the national critical information infrastructure and to provide a safe and secure online environment for the different sectors. The full text of the National Cyber Security Strategy is published by Qatar.

Oman, officially the Sultanate of Oman, faces the same security challenges as other nations: increasing cyber incidents and cybercrime. Recognizing the importance of a cyber-response team, Oman established OCERT (Oman Computer Emergency Response Team) in 2010.

The path to success lies in a comprehensive approach that enables stakeholders to collaborate in addressing shared, multidimensional cyber issues. All facets must be considered: technology, standards, policy, governance, leadership, strategy and execution. The dynamic expansion of digital life in the Gulf region is exciting, and the nations that mitigate these threats will emerge prosperous and powerful.

What do you think the future of Middle East cyber security holds? Leave your comments below.
