12-11-17 – News This Past Week

Top-selling handgun safe can be remotely opened in seconds—no PIN needed
The Vaultek VT20i handgun safe, ranked fourth in Amazon’s gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how

Rockwell Automation Patches Serious Flaw in FactoryTalk Product
FTAE provides a consistent view of alarms and events via a View SE HMI system. The product is used worldwide in sectors such as critical infrastructure, entertainment, automotive, food and beverage, and water and wastewater

“Everything you interact with that you don’t typically think of as a computer has some kind of microcontroller in it, and over the next five to 10 years we believe that those devices will all be replaced by versions of the devices that will be interconnected,” says Galen Hunt, the managing director of Project Sopris. Think blenders, hair dryers, and other unlikely but inevitable connected accessories.

Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat

Serious Flaw Found in Many Siemens Industrial Products
According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, some SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters

Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers

Nearly 2/3 of Industrial Companies Lack Security Monitoring
While more than half of the 130 decision-makers from industrial organizations in the survey say they work in a facility that has suffered a breach, just 37% of the respondents say their organizations monitor networks for suspicious activity and traffic

Industrial Firms Slow to Adopt Cybersecurity Measures: Honeywell
A survey of 130 strategic decision makers from around the world revealed that more than half of industrial organizations have suffered a cybersecurity incident, including ones involving removable media, denial-of-service (DoS) attacks, malware, hackers breaking into plant IT systems, state-sponsored attacks, and direct attacks on control systems.

The Year to Come in ICS / Critical Infrastructure Security
Here, I wanted to address some of my thoughts about what the New Year will hold for Industrial Control Systems/Critical Infrastructure cybersecurity. It is “Security Prediction Season” after all and I’d be remiss not to offer my thoughts. Below I’ve outlined a few things I think that will definitely manifest – some are bad, some offer more promise for placing us on a path to combatting an adversarial scourge which is growing in this absolutely critical area

Critical Flaw in WAGO PLC Exposes Organizations to Attacks
The flaw, discovered by a researcher at security services and consulting company SEC Consult, impacts Linux-based WAGO PFC200 series PLCs, specifically a total of 17 750-820X models running firmware version 02.07.07 (10). The affected devices are advertised by the vendor as ultra-compact and secure automation systems that can be used for traditional machine control, process technology, and in the offshore sector

The Rising Dangers of Unsecured IoT Technology
While this is perhaps one of the most potentially life-threatening examples of unsecured Internet of Things (IoT) security, it drives home the point that manufacturers are not building these devices with security as a priority. As IoT devices grow in popularity, seemingly endless security- and privacy-related concerns are surfacing

Posted in Uncategorized.