Securin Inc. will provide tech-enabled security solutions, vulnerability
intelligence and deep domain expertise.

**ALBUQUERQUE, N.M., March 7, 2023 /PRNewswire-PRWeb/ --** Cyber Security Works Inc., a leading security company, today announced that it is rebranding as  
Securin Inc. due to the evolution of its service capabilities and offerings.  
Under the new identity, it will provide tech-enabled security solutions to  
continuously improve customers' security posture and help them gain resilience  
against evolving threats.

CSW offers flagship services such as vulnerability management and penetration  
testing to customers around the globe. In 2020, CSW became a CVE Numbering  
Authority (CNA) to help the Department of Homeland Security (DHS) and MITRE  
validate newly discovered zero-day vulnerabilities.  

In 2022, CSW acquired Securin, an automated platform with solutions such as  
attack surface management (ASM) and vulnerability intelligence (VI). Since its  
launch, Securin ASM has been providing many leading tech companies with an  
outside-in view of their expanding attack surface from an adversary's  
perspective and helping them to prioritize and remediate their most dangerous  
exposures. Securin VI offers an entire spectrum of vulnerability intelligence  
powered by 700+ authentic intelligence feeds that continuously measure a  
vulnerability's risk. Through its artificial intelligence (AI) & machine  
learning (ML) models, Securin's VI platform warns its customers about  
vulnerabilities that will likely be exploited soon, enabling them to prioritize  
and patch proactively.  

After this rebrand, Securin will combine its offerings to provide customers with  
a comprehensive suite of security solutions such as ASM, VI, Vulnerability  
Management, and Penetration Testing to level up their security. Securin has  
grown to 250+ employees globally and will continue to operate from its offices  
in Albuquerque, New Mexico and Chennai, India.  

Ram Movva, Co-Founder and Chairman of Securin, said, "In the past few years, we  
have added many new capabilities to our offerings. With the shifting  
cybersecurity landscape and evolving threats, it is critical to implement tools  
and solutions that can provide actionable and timely intelligence to prevent  
cybersecurity breaches before they happen. As we forge ahead, we want to become a tech-enabled solution organization focused on increasing the security posture of our customers through our suite of offerings. We believe Securin, as our  
overall brand name, embodies our vision to secure organizations to build  
resilience against emerging threats."  

Expanding on Movva's comments, Aaron Sandeen, CEO of Securin, said, "We are very excited to rebrand as Securin. CSW has seen amazing growth in the past two years and evolved beyond recognition. We have been providing our customers with a full suite of capabilities, such as vulnerability management and penetration testing, bundled with ASM & VI. Rebranding into Securin is the next step in our business evolution, which will enable us to focus on our vision to improve security posture and reduce the attack surface of our customers."  

Sandeen added, "By combining our services - vulnerability management and  
penetration testing with products like Securin ASM and Securin VI, we will be  
offering customers a powerful suite of solutions that will manage and shrink  
their expanding attack surface and also keep them a step ahead of the bad guys."  
After the rebrand, Securin will continue to act as a CVE Numbering Authority  
(CNA) and help MITRE validate zero days and expedite their entry in the National  
Vulnerability Database (NVD).  
To learn more, visit http://www.securin.io.**About Securin**  
Securin is a leading provider of tech-enabled cybersecurity services, helping  
hundreds of customers worldwide gain resilience against emerging threats.  
Powered by accurate vulnerability intelligence, human expertise, and automation,  
its products and services have enabled enterprises to make critical security  
decisions to manage their expanding attack surface.

Cyber Security Works to Rebrand As Securin Inc.

The third iteration of the Exploit Prediction Scoring System (EPSS) performs 82% better than previous versions, giving companies a better tool for evaluating vulnerabilities and prioritizing patching.

A public effort to create a way of predicting the exploitation of vulnerabilities announced a new machine learning model that improves its prediction capabilities by 82%, a significant boost, according to the team of researchers behind the project. Organizations can access the model, which will go live on Mar. 7, via an API to identify the highest scoring software flaws at any moment in time.

The third version of the Exploit Prediction Scoring System (EPSS) uses more than 1,400 features — such as the age of the vulnerability, whether it is remotely exploitable, and whether a specific vendor is affected — to successfully predict which software issues will be exploited in the next 30 days. Security teams that prioritize vulnerability remediation based on the scoring system could reduce their remediation workload to an eighth of the effort by using the latest version of the Common Vulnerability Scoring System (CVSS), according to a paper on EPSS version 3 published to arXiv last week.

EPSS can be used as a tool to reduce workloads on security teams, while enabling companies to remediate the vulnerabilities that represent the most risk, says Jay Jacobs, chief data scientist at Cyentia Institute and first author on the paper.

"Companies can look at the top end of the list of scores and start to work their way down — factoring in ... asset importance, criticality, location, compensating controls — and remediate what they can," he says. "If it's really high, maybe they do want to bump it into critical — let's fix it in the next five days."

The EPSS is designed to address two problems that security teams face on a daily basis: keeping up with the increasing number of software vulnerabilities disclosed every year, and determining which vulnerabilities represent the most risk. In 2022, for example, more than 25,000 vulnerabilities were reported into the Common Vulnerabilities and Exposure (CVE) database maintained by MITRE, according to the National Vulnerability Database.

    

EPSS version 3 (red line) performs much better than previous versions. Source: Jacobs, Jay et al., "Enhancing Vulnerability Prioritization."

Work on EPSS started at Cyentia, but now a group of about 170 security practitioners has formed a Special Interest Group (SIG) as part of the Forum of Incident Response and Security Teams (FIRST) to continue to develop the model. Other research teams have developed alternative machine learning models, such as Expected Exploitability.

Previous measures of the risk represented by a particular vulnerability — typically, the Common Vulnerability Scoring System (CVSS) — do not work well, says Sasha Romanosky, a senior policy researcher at the RAND Corporation, a public-policy think tank and co-chair of the EPSS Special Interest Group.

"While CVSS is useful for capturing the impact \[or\] severity of a vuln, it's not a useful measure of threat — we've fundamentally lacked that capability as an industry, and this is the gap that EPSS seeks to fill," he says. "The good news is that as we integrate more exploit data from more vendors, our scores will get better and better."

**Connecting Disparate Data**

The Exploit Prediction Scoring System connects a variety of data from third parties, including information from software maintainers, code from exploit databases, and exploit events submitted by security firms. By connecting all of these events through a common identifier for each vulnerability — the CVE — a machine learning model can learn the factors that could indicate whether the flaw will be exploited. For example, whether the vulnerability allows code execution, whether instructions on how to exploit the vulnerability have been published to any of three major exploit databases, and how many references are mentioned in the CVE are all factors that can be used to predict whether a vulnerability will be exploited.

The model behind the EPSS has grown more complex over time. The first iteration only had 16 variables and reduced the effort by 44%, compared to 58%, if vulnerabilities were evaluated with the Common Vulnerability Scoring System (CVSS) and considered critical (7 or higher on the 10-point scale). EPSS version 2 greatly expanded the number of variables to more than 1,100. The latest version added about 300 more.

The prediction model carries tradeoffs — for example, between how many exploitable vulnerabilities it catches and the rate of false positives — but overall is pretty efficient, says Rand's Romanosky.

"While no solution is perfectly able to tell you which vulnerability will be exploited next, I’d like to think that EPSS is a step in the right direction," he says.

**Significant Improvement**

Overall, by adding features and improving the machine learning model, the researchers improved the performance of the scoring system by 82%, as measured by the area under curve (AUC) plotting precision versus recall — also known as coverage versus efficiency. The model currently accounts for a 0.779 AUC, which is 82% better than the second EPSS version, which had a 0.429 AUC. An AUC of 1.0 would be a perfect prediction model.

Using the latest version of the EPSS, a company that wanted to catch more than 82% of exploited vulnerabilities would only have to mitigate about 7.3% of all vulnerabilities assigned a Common Vulnerabilities and Exposures (CVE) identifier, much less than the 58% of the CVEs that would have to be remediated using the CVSS.

The model is available through an API on the FIRST site, allowing companies to get the score of a particular vulnerability or to retrieve the highest scoring software flaws at any moment in time. Yet companies will need more information to determine the best priority for their remediation efforts, says Cyentia's Jacobs.

"The data is free, so you can go get the EPSS scores, and you can go grab daily dumps of that, but the challenge is when you put it into practice," he says. "Exploitability is only one factor of everything that you need to consider, and the other things, we can't measure."

Machine Learning Improves Prediction of Exploited Vulnerabilities

The Android app unnecessarily accessed clipboard device contents, which often includes passwords and other sensitive data.

A version of the Shein shopping application in the Google Play store with more than 100 million downloads was unnecessarily accessing Android-device clipboard contents, creating a potential security threat, according to Microsoft.

The software giant said in a blog post from Microsoft Threat Intelligence that it asked Shein to remove the feature from its Android app that accessed user clipboards, and the company complied. However, users need to update their apps to be free from danger. 

From passwords to account numbers, and auto-fill information of all kinds, device clipboards can contain a treasure trove of sensitive data.

"Microsoft discovered that an old version of the Shein Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server," the Microsoft blog post said. "While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Shein Shopping App Glitch Copies Android Clipboard Contents

This is the latest in a line of law-enforcement actions busting up the ransomware scene.

On Feb. 28, multiple police forces carried out a coordinated action against two suspected members of the cybercrime gang behind the DoppelPaymer ransomware.

These latest raids, revealed on March 6 by Europol, follow a series of other law enforcement campaigns against prominent ransomware groups in recent years. "We've seen an increase in the velocity of law enforcement and government action against actors that are involved in ransomware or in the supporting ecosystem," Jeremy Kennelly, lead analyst in financial crime analysis for Mandiant, tells Dark Reading. "And that does, in aggregate, seem to be causing a bit of a chilling effect."

**Police Chip Away at DoppelPaymer**

DoppelPaymer is a 4-year-old ransomware derived from the BitPaymer ransomware and Dridex banking Trojan. Cybercriminals have used it to freeze corporations like Compal and Kia, sometimes demanding multimillion-dollar ransoms in the process. It has also been used in attacks against government agencies and critical infrastructure.

In September 2020, for example, DoppelPaymer cut off communications between emergency personnel and a Dusseldorf hospital. "At least one individual requiring emergency services was re-routed to a hospital 20 miles away," the FBI explained in a notice to the private sector. "This individual later died," though police "felt the individual’s health was poor and the patient likely would have died even if they had not been re-routed."

In a press release published March 6, Europol revealed that officers of the North Rhine-Westphalia Police raided the home of a German citizen "who is believed to have played a major role" in the group behind DoppelPaymer. At the same time, the agency noted that "despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia," Ukrainian National Police officers interrogated a second suspected core member of the group, and searched two associated locations — one in Kiev and the other in Kharkiv.

In both cases, officers seized electronic equipment, which is currently under forensic examination. These coordinated actions were aided by Europol, the Dutch National Police Corps, and the FBI.

**Is Law Enforcement Having an Impact?**

Some of the darkest days in cybercrime history occurred in 2020 when, capitalizing on the COVID-19 pandemic, financially motivated cybercriminals ramped up their ransomware activity to never-before-seen levels. It "was hugely lucrative," Kennelly explains. "They just kept pressing that button, and money kept coming out of it." Worst of all, though, "their actions weren't getting disrupted, and people weren't getting arrested."

Eventually, the rampant attacks against hospitals, in particular, put an unignorable spotlight on the scourge of ransomware. Law enforcement responded, cracking down on some of the world's most prominent ransomware groups. For example, Hive has been thoroughly disrupted by a months-long campaign by the US Department of Justice, and REvil — once the scariest name in the game — was almost completely dismantled following coordinated arrests in Russia.

"Any one action won't completely stem the tide," Kennelly says, but "it's the aggregate result of pressure from all sides" that has caused a noticeable effect on the underground cybercrime economy.

"A lot of cyber-threat activity is still being monetized via ransomware," Kennelly explains, "but based on our own observations, and data from other data from public sources, it appears as though there has been an overall decline in the amount of ransomware activity globally."

By taking down infrastructure, removing key members of these groups, and intimidating those that remain, law enforcement is beginning to make a real impact on ransomware. But even these many good news stories only address a small fraction of the ecosystem at large. "It's still very prevalent," Kennelly warns. "So to say that ransomware is going away or that the criminal ecosystem is shifting away from it isn't reasonable."

Police Raid Rounds Up Core Members of DoppelPaymer Ransomware Gang

A team has found that the Crystals-Kyber encryption algorithm is open to side-channel attacks, under certain implementations.

One of the four post-quantum computing encryption algorithm standards selected by the US National Institute of Standards and Technology (NIST) for public key encryption is open to side-channel attacks, researchers warn.

A new paper published by a team from the Royal Institute of Technology in Sweden reported that Crystal-Kyber implementations under certain masked implementation conditions could be vulnerable.

"Crystals-Kyber has been selected by the NIST as a public-key encryption and key encapsulation mechanism to be standardized," the paper's abstract explained. "It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it important to evaluate the resistance of Crystals-Kyber's implementations to side-channel attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST's Quantum-Proof Algorithm Has a Bug, Analysts Say

**Bethesda, MD -** SANS Institute, the global leader in cybersecurity training and certifications, is proud to announce the launch of the SANS Cloud Diversity Academy (SCDA), brought to you by SANS & Google. This academy provides unparalleled training and certifications to Black, Indigenous, and People of Color (BIPOC), women, and other underrepresented groups who are passionate about pursuing a technical career in cybersecurity. The SCDA aims to reduce the skills gap in the industry, with a particular focus on cloud security, while also creating a more diverse and inclusive workforce.

"Empowering communities that have been traditionally underrepresented to pursue a career in cybersecurity is of utmost importance to SANS and Google.," said Max Shuftan, Director of Mission Programs and Partnerships at SANS Institute. "The White House just released the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans. SCDA directly supports the Administration’s strategic objective of developing a national strategy to strengthen our cyber workforce and tackle the lack of diversity in the field head-on. We are committed to reducing the talent shortage and driving greater diversity, equity, and inclusion, ensuring careers in cybersecurity are well within reach for all Americans.”

"As more businesses adopt cloud technology, the need for skilled professionals in cloud security becomes increasingly vital,” said Frank Kim, SANS Institute Fellow, Cloud Curriculum lead, and CISO-in-Residence at YL Ventures. “SANS Cloud Diversity Academy equips professionals with essential skills to protect businesses and their data through SANS OnDemand training & hands-on labs with industry experts."

Applicants can currently be employed in an entry-level IT or STEM role, but priority may be given to those unemployed, underemployed, or interested in a career change. In addition, applicants must demonstrate their aptitude and passion for security, and also be currently living in the U.S. and have work authorization as a U.S. citizen or permanent legal resident.

“The SANS Cloud Diversity Academy is an exciting initiative that we're proud to support,” said M.K. Palmore, Director, Office of the CISO, for Google Cloud. “By partnering with SANS, we will reduce the critical shortage of skilled talent in cybersecurity by providing individuals from diverse backgrounds with the training they need to launch a career in cloud security. The program offers an exceptional opportunity for participants to develop hands-on, practical cloud security skills and gain industry-leading certifications. We're eager to see this initiative's impact on the cybersecurity workforce!”

The academy will provide scholarship-based training of up to three SANS courses and the associated GIAC certifications, the gold standard in the industry. This accelerated SANS training and GIAC certification will launch careers in months, not years, and provide valuable, validated skills and knowledge for graduates as they launch careers in cloud security.

The SANS Cloud Diversity Academy application window opens March 1, 2023, and ends April 14, 2023. To learn more and apply today, please visit https://www.sans.org/scholarship-academies/cloud-diversity-academy/.

**About SANS Institute**

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's and bachelor's degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their "human" cybersecurity risk easily and effectively. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community.

SANS Institute Partners With Google to Launch Cloud Diversity Academy

As digital identity verification challenges grow, organizations need to adopt a more advanced and forward-focused approach to preventing hacks.

Online authentication is a challenge for organizations of all shapes and sizes. Despite increasingly sophisticated cybersecurity tools, hackers and criminals continually find new and more nefarious ways to enter enterprise systems.

One method gaining attention for fighting account compromise attacks is verifiable credentials. The concept refers to using digital credentials that adhere to an open standard. These credentials typically include data and elements from vetted physical artifacts, like a driver's license, passport, or digital equivalent, such as a bank account.

Verifiable credentials are appealing because they use digital signatures, making them far more resistant to tampering and theft than physical identifiers. It's possible to carry these digital credentials in a digital wallet within a smartphone or on a PC, enabling trust to be established within and across organizations.

At a time when identity theft, fraud, and malware are rampant, verifiable credentials are rapidly gaining traction. Moreover, security protections multiply when these digital artifacts are combined with a verifiable data registry. Additionally, verifiable credentials allow for selective disclosure, which means individuals can choose to share only necessary information with a specific party rather than sharing all of their personal data. This helps to protect sensitive information and reduce the risk of identity theft.

**Truth or Consequences**

Verifying a person's identity is a simple task in the physical world. Birth certificates, utility bills, and government IDs demonstrate that a person is who they say they are. A trusted authority has authenticated the person and presented them with an artifact they can use to verify pieces of information. This makes it possible for a person to board a flight, apply for government benefits, or open a bank account.

Online, there's no central authority for identity. Every company, website, or account requires a specific username and password. While a few large companies like Google, Apple, and Facebook have attempted to consolidate identity using their login credentials for single sign-on (SSO), there's still no central authority to verify actual identity.

Enter verifiable credentials and verifiable data registries — an approach that transforms the security of the physical world into the digital realm.

**Resilience in Any Situation**

Verifiable credentials can improve system resilience in an identity provider outage or network interruption. For example, if a natural disaster like a hurricane occurs — and takes an identity provider offline — it's still possible to verify a user's identity. Since the user's device holds their signed credentials, it can be presented to an application that can verify the credential using a cached copy of the user's public key. For another example, consider cruise ships, which are notorious for their satellite Internet connections dropping or becoming slow. Using the previously discussed verifiable credentials flow, onboard applications could still verify a user's identity and allow users to make dinner or entertainment reservations, or book excursions.

**Making the Move**

Migrating to verified credentials with verifiable data registries involves a few challenges. Typically, it's necessary to rewrite applications to support them. One way to overcome this roadblock is by decoupling identity from applications through orchestration. This makes it possible to migrate from legacy and brittle services to distributed and resilient systems without touching the codebases of those legacy applications.

Orchestration delivers a highly flexible and secure framework. For example, a company may want to establish only essential criteria like the user's citizenship and employer, or impose any other requirements, each of which may need to be validated by different identity services or systems. All these criteria and conditions can be managed seamlessly and invisibly using orchestration.

Companies looking to adopt verifiable credentials should focus on two key areas. First, ensuring that the initial verification process is secure and that the entity issuing the credential is entirely trustworthy. Second, it's essential to establish a process to handle edge cases and issues, such as when a network outage occurs. 

As digital identity verification challenges grow, many organizations are recognizing the need to adopt a more advanced and forward-focused approach. Verifiable credentials and verifiable data registries offer a path to more robust and resilient security.

The Role of Verifiable Credentials In Preventing Account Compromise

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Why is this person lining up her gadgets as if they were dominoes? For the answer we need you! Come up with a witty cybersecurity-related caption to explain the above cartoon. Our favorite will win a $25 Amazon gift card.

The contest ends on March 29, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge March 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Chad F., a retired software developer for the Department of Defense, came up with the imaginative (and winning) caption for February's "For the Birds" contest, below. Congratulations, Chad!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Domino Effect

The Rapid7 Cyber Threat Intelligence Laboratory at the University of South Florida will provide data on real-world threats for faculty and students to use in their research.

At the most basic level, security research happens when curious people poke around data. What makes it good security research is when these people have access to good data and the right kind of skills.

That is what Rapid7 hopes to accomplish with its new partnership with the University of South Florida to create a cyber threat intelligence laboratory. The Boston company recently made a $1.5 million donation via the Rapid7 Cybersecurity Foundation to set up the Rapid7 Cyber Threat Intelligence Laboratory at the school.

Rapid7 will provide the laboratory with access to its massive data initiatives, including Metasploit, Velociraptor, and Sonar, says Corey Thomas, Rapid7's CEO. The laboratory will support interdisciplinary research efforts by faculty experts and students and help drive a deeper understanding of the challenges defenders are currently facing.

"We are already investing in the data, and we want more people to use the data," says Thomas, noting that people with varying experiences and backgrounds bring diverse perspectives and wind up using the data differently. "Start with the same data and get different insights," Thomas says.

**Improving Research Outcomes Through Data**

The students will have the opportunity for hands-on learning and cybersecurity skills development as well as real-world experience tracking global threat actors. Laboratory projects and research based on threat intelligence data will help students better understand the challenges security practitioners face as they protect users, Thomas says. The laboratory would play a role in helping to educate and develop the next generation of security professionals, he adds.

Through the laboratory, students and faculty will have access to real world data they can use for research and training, which is an "unprecedented opportunity," Robert Bishop, dean of the USF College of Engineering, says in an email to Dark Reading. "Most importantly, this partnership is going to bring the campus together on cybersecurity research."

The laboratory will launch by establishing an interdisciplinary faculty leadership foundation with a new directorship in the USF College of Engineering and endowed faculty positions created in four USF colleges: the College of Arts and Sciences, College of Behavioral and Community Sciences, College of Engineering, and the Muma College of Business. The laboratory will also work closely with the State of Florida's Cyber Florida initiative, a program based out of the university focused on expanding and enhancing the cybersecurity workforce in the Tampa Bay region.

Rapid7 already has a history of investing in the community, Thomas says. There are many areas of collaboration in threat intelligence, incident response, and information sharing. With this partnership with the University of South Florida, the company is "escalating our commitment to open data, open research, and open threat intelligence," Thomas says.

**Real-World Security Education**

Thomas says he is not going to try to predict what kind of research projects will come out of the laboratory. Rapid7 is providing the data, but the university faculty and students will be pushing forward their own ideas and perspectives. "We aren't controlling the outcome — the professors and students have their own plans," Thomas says.

Many universities have established cybersecurity laboratories to provide students with hands-on learning opportunities to gain cybersecurity skills and real-world experience in the field. A laboratory setting makes it possible to refine techniques, get access to different resources from outside partners, and collaborate across different fields to drive research in security technology and techniques. The results of the laboratory research will help improve the industry's understanding of attacker behavior, and those insights then flows back to practitioners to apply to their jobs.

Back in 2018, the Royal Bank of Canada (RBC) opened a cybersecurity laboratory at the University of Waterloo to help build advanced cybersecurity and privacy tools. The RBC investment supported researchers in the David R. Cheriton School of Computer Science and the Department of Combinatorics and Optimization at Waterloo's Faculty of Mathematics, according to the university. Research projects included data-driven software defined security, privacy-enhancing technologies, and post-quantum cryptography. Defense contractor Northrop Grumman partnered with California Polytechnic University back in 2014 to establish the Cal Poly–Northrop Grumman Cyber Lab as a cybersecurity teaching facility. The lab gave faculty and students the opportunity to engage with experts from other higher education institutions, private businesses, defense and government agencies, and research labs.

These private sector partnerships with educational institutions also focus on developing a cybersecurity workforce. For example, IBM partnered with Historically Black College & Universities to establish Cybersecurity Leadership Centers. As part of the partnership, IBM provides a customized security curriculum and learning platform to complement the university's cybersecurity education offerings. Faculty and students also have access to IBM Security's Command Center, an immersive training experience on how to respond to cyberattacks.

The Rapid7 Cyber Threat Intelligence Laboratory fits in with ongoing cybersecurity initiatives at the University of South Florida because of the focus on developing the skills needed to enter the cybersecurity workforce. The university recently received a $3.7 million grant from the National Science Foundation (NSF) to establish the Cybersecurity Research and Education for Service in Government (CREST) program. The NSF grant would provide scholarships for over two dozen graduate and undergraduate students to prepare them for in-demand and high-paying jobs with the federal government and other public institutions, according to a university press release. The funds will also be used to bolster educational and research resources at the Florida Center for Cybersecurity, or Cyber Florida, which is housed at USF and gives students access to classroom simulations and experiential learning opportunities. There is also a program to help professionals without a computer science background enter a master's program in the field, according to Dr. Sudeep Sarkar, distinguished university professor and department chair of computer science and engineering at the University of South Florida.

"By focusing on both continuing education for professionals and enhancing current cybersecurity education efforts, USF is working to fill the talent pipeline for one of the fastest growing and most lucrative fields in the United States," Sarkar tells Dark Reading in an email exchange.

Rapid7 Brings Threat Intel Data to USF Cybersecurity Lab

Attackers have already targeted electric vehicle (EV) charging stations, and experts are calling for cybersecurity standards to protect this necessary component of the electrified future.

As electric vehicle (EV) charging infrastructure rushes to keep pace with the dramatic rise in sales of electric vehicles in the United States, cyberattackers and security researchers alike have already started focusing on security weaknesses in the infrastructure.

In February, researchers with energy-network cybersecurity firm Saiflow discovered two vulnerabilities in the Open Charge Point Protocol (OCPP) that could be used in a distributed denial-of-service (DDoS) attack and to steal sensitive information. And the Idaho National Laboratory recently found that every charger it examined — more formally known as Electric Vehicle Supply Equipment (EVSE) — was running outdated versions of Linux, had unnecessary services, and allowed many services to run as root, according to a survey of EV charging vulnerability research in the journal Energies. Other potential attacks include adversary-in-the-middle (AitM) and services exposed to the public Internet, according to the paper.

The risks are not just theoretical: A year ago, after Russia invaded Ukraine, hacktivists compromised charging stations near Moscow to disable them and display their support for Ukraine and their contempt for Russian President Vladamir Putin.

The cybersecurity concerns come as electric vehicle sales have taken off in the United States, accounting for 5.8% of all vehicles sold 2022, up from 3.2% the previous year, according to JD Power. Currently, less than 51,000 Level 2 and DC Fast charging stations are available in the US, representing the capability to charge 130,000 vehicles simultaneously, according to the US Department of Energy. With more than 1.5 million electric vehicles registered as of June 2022, that means there are 11 vehicles for every public charging port.

To keep up with demand, the major players in the EV charging sector all have significant expansion plans, and the Biden administration aims to increase the number of vehicle chargers to 500,000 by 2030.

While cybersecurity experts worry that the rush to create a comprehensive charging infrastructure could come at the expense of cybersecurity, the question of its cybersecurity preparedness is especially piquant given the connectedness of the infrastructure and the ability to potentially cause damage using access to the high voltage available, says Phil Tonkin, senior director of strategy at Dragos, a provider of industrial cybersecurity.

"Most EV chargers can be considered an Internet of Things (IoT) technology, but they are one of the first that has control over such a significant amount of electrical load," he says. He adds, "The aggregated risk of so many devices, often connected to a small number of single systems, means that devices of this type need to be implemented with care."

**EV Chargers: IoT, OT & Critical Infrastructure**

In many ways, EV charging infrastructure represents a perfect storm of technologies. The devices are connected via mobile applications and carry the same risks as other IoT devices, but they're also set to become a critical part of transportation network in the United States, like other operational technology (OT). And because EV charging stations must be connected to public networks, ensuring that their communications are encrypted will be critical to maintaining the security of the devices, says Dragos' Tonkin.

"Hacktivists will always be looking for poorly secured devices on public networks, it's important that the owners of EV put in place controls to ensure they are not easy targets," he says. "The crown jewels of the operators of EV chargers have to be their central platforms, the chargers themselves intrinsically trust the instructions pushed down from the center."

Consumer devices are also a problem. About 80% of charging takes place in the home, according to ChargePoint session data. But unfortunately, those devices may be easier to disrupt because consumers are not focused, nor should they need to be focused, on cybersecurity, Tonkin says.

"It's not practical for the average domestic customer to have to put in place the right security, therefore making sure the device itself and the methods it uses to communicate with cloud-based services should always be on the vendor," he says.

**Government's Role in EV Cybersecurity**

The US government should make standards and best practices available to companies to prevent cybersecurity weaknesses, some say. Sandia National Laboratories, for instance, has recommended a number of initiatives to strengthen cybersecurity, including improving EV owner authentication and authorization, adding more security to the cloud component of the charging infrastructure, and hardening the actual charging units against physical tampering.

"The government can say 'produce secure electric vehicle chargers,' but budget-oriented companies don't always choose the most cyber-secure implementations," Brian Wright, a Sandia cybersecurity expert working on the vulnerability project, said in a statement. "Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices."

Source

DARKReading