3-25-19 – News This Past Week

New IoT Security Bill: Third Time’s the Charm?
The latest bill to set security standards for connected devices sold to the US government has fewer requirements, instead leaving recommendations to the National Institute of Standards and Technology.
https://www.darkreading.com/iot/new-iot-security-bill-third-times-the-charm/d/d-id/1334190

Hacked tornado sirens taken offline in two Texas cities ahead of major storm
A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area.
https://www.zdnet.com/article/hacked-tornado-sirens-taken-offline-in-two-texas-cities-ahead-of-major-storm/

Boeing downplayed 737 MAX software risks, self-certified much of plane’s safety
Additionally, the MCAS system was designed to work based on input from only one sensor—despite the fact that Boeing rated a failure of the system as “hazardous.” That level of risk—which in itself was understated, according to engineers—should have been enough to require redundant sensors.
https://arstechnica.com/information-technology/2019/03/boeing-downplayed-737-max-software-risks-self-certified-much-of-planes-safety/

They didn’t buy the DLC: feature that could’ve prevented 737 crashes was sold as an option
The MCAS includes a feature that determines when the aircraft is pointed upward relative to the flow of air across its surface at an angle that could lead to the loss of sufficient lift to keep the airplane flying—what’s known as a stall. To prevent a stall, MCAS (like other anti-stall systems on commercial aircraft) adjusts the aircraft’s tail stabilizers to push the nose of the aircraft down, boosting its airspeed.
https://arstechnica.com/information-technology/2019/03/boeing-sold-safety-feature-that-could-have-prevented-737-max-crashes-as-an-option/

Boeing to make safety feature standard on troubled Max jets
The equipment, which had been offered as an option, alerts pilots of faulty information from key sensors. It will now be included on every 737 Max as part of changes that Boeing is rushing to complete on the jets by early next week, according to two people familiar with the changes.
https://www.apnews.com/140576a8e9d4449eae646c8c479fdc3a

Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator
A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.
https://www.securityweek.com/schneider-electric-working-patch-flaw-triconex-tristation-emulator

Securing Industrial IoT in the Modern World
Manufacturing arguably offers the largest attack surface of almost any industry with regards to cybersecurity threats, and has long been a prime target for ‘everyday’ attacks like phishing, ransomware, data-theft – you name it, they’ve seen it.
https://www.securityweek.com/securing-industrial-iot-modern-world

8 ways to protect building management systems
Like any other computer system installed in buildings and factories, building management systems are vulnerable to attackers, such as disgruntled employees, industry competitors, industrial spies or a nation-state.
https://searchsecurity.techtarget.com/tip/8-ways-to-protect-building-management-systems

Triton and the new wave of IIoT security threats
Triton malware, which can shut down industrial safety systems, causing damage to facilities and threatening human life, targets the industrial internet of things.
https://www.networkworld.com/article/3375206/triton-and-the-new-wave-of-iiot-security-threats.html

Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft
Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people’s bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed.

DHS issues warning about Medtronic implantable defibrillator flaws
A warning issued by the department says over 20 Medtronic products are afflicted with vulnerabilities that could be exploited by attackers nearby. Sixteen of the products are implantable defibrillators — some still sold around the world today — while the others are the defibrillators’ bedside monitors and programmers.
https://www.engadget.com/2019/03/22/dhs-warning-medtronic-implantable-defibrillator-flaws/

Don’t have a heart attack but your implanted defibrillator can be hacked over the air
Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients’ chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect.
https://www.theregister.co.uk/AMP/2019/03/22/medtronic_implanted_defibrillator_hackable/

Schneider Electric partners with Vericlave to protect customers’ critical IT and OT systems
Under the terms of the agreement, Schneider Electric will provide Vericlave’s advanced encryption technology to further secure and protect its customers’ critical IT and OT systems from the risk of cyberattack.
