7-15-19 – News This Past Week

Cybersecurity should not be an afterthought within industrial environments
The basics of cyber security are still not being practiced regularly and new cyber security risks are emerging as more and more untested technologies are integrated within the critical infrastructures upon which society depends, according to Applied Risk

U.S. Coast Guard Issues Cybersecurity Warnings for Commercial Vessels
The U.S. Coast Guard on Monday issued a safety alert advising commercial vessel owners and operators to ensure that effective cybersecurity measures are in place to protect the network and important control systems on their ships
https://www.securityweek.com/us-coast-guard-issues-cybersecurity-warnings-commercial-vessels

GE Says Anesthesia Machine Vulnerability Poses No Risk to Patients
Researchers have discovered a vulnerability that can be used to hack some of GE Healthcare’s hospital anesthesia devices, but the vendor says it does not pose a direct risk to patients
https://www.securityweek.com/ge-says-anesthesia-machine-vulnerability-poses-no-risk-patients

Coast Guard Warns Shipping Firms of Maritime Cyberattacks
A commercial vessel suffered a significant malware attack in February, prompting the US Coast Guard to issue an advisory to all shipping companies: Here be malware.
https://www.darkreading.com/vulnerabilities---threats/coast-guard-warns-shipping-firms-of-maritime-cyberattacks/d/d-id/1335198

Several Siemens Devices Affected by Intel MDS Vulnerabilities
Siemens informed customers on Tuesday that several of its products are affected by the Microarchitectural Data Sampling (MDS) vulnerabilities impacting a majority of the Intel processors made in the last decade
https://www.securityweek.com/several-siemens-devices-affected-intel-mds-vulnerabilities

Anaesthetic devices ‘vulnerable to hackers’
A type of anaesthetic machine that has been used in NHS hospitals can be hacked and controlled from afar if left accessible on a hospital computer network, a cyber-security company says.
https://www.bbc.com/news/technology-48935111

‘World’s first Bluetooth hair straighteners’ can be easily hacked
Glamoriser, a U.K. firm that bills itself as the maker of the “world’s first Bluetooth hair straighteners,” allows users to link the device to an app, which lets the owner set certain heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range.

Hacked Hair Straighteners Can Threaten Homes
Researchers have found a way to successfully hack connected hair straighteners to turn them on and increase the heating element up to its maximum temperature—causing a serious fire hazard for unsuspecting owners

7-8-19 – News This Past Week

US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks
The US is very close to improving power grid security by mandating the use of “retro” (analog, manual) technologies on US power grids as a defensive measure against foreign cyber-attacks that could bring down power distribution as a result
https://www.zdnet.com/article/us-wants-to-isolate-power-grids-with-retro-technology-to-limit-cyber-attacks/

Cyberwarfare in space: Satellites at risk of hacker attacks
Old IT systems, supply-chain vulnerabilities and other technological issues leave military satellite communications open to disruption and tampering with potentially chaotic consequences, says research paper
https://www.zdnet.com/article/cyberwarfare-in-space-satellites-at-risk-of-hacker-attacks/

Intel and Auto Industry Leaders Publish New Automated Driving Safety Framework
Intel, in collaboration with 10 industry leaders in automotive and autonomous driving technology, today published “Safety First for Automated Driving,” a framework for the design, development, verification and validation of safe automated passenger vehicles

Autonomous vehicles fooled by drones that project too-quick-for-humans road-signs
Such an attack would leave no physical evidence behind and could be used to trick cars into making maneuvers that compromised the safety or integrity of their passengers and other users of the road — from unexpected swerves to sudden speed-changes to detours into unsafe territory

YouTube’s Policy on Hacking Tutorials is Problematic
Recently YouTube changed its policy on “hacking” tutorials to an essential blanket ban. In the past, such content was occasionally removed under YouTube’s broad “Harmful and Dangerous Content” clause, which prohibited videos “encouraging illegal activity”.

Many Phoenix Contact PLCs Still Vulnerable Months After Researcher Issues Warning
Several months after a researcher issued a warning about over 1,200 Phoenix Contact programmable logic controllers (PLCs) being exposed to remote attacks from the internet, many organizations still haven’t taken any measures to secure their systems
https://www.securityweek.com/many-phoenix-contact-plcs-still-vulnerable-months-after-researcher-issues-warning

Cybersecurity Experts Worry About Satellite & Space Systems
As nation-states and rogue actors increasingly probe critical infrastructure, policy and technology experts worry that satellite and space systems are on the front lines
https://www.darkreading.com/attacks-breaches/cybersecurity-experts-worry-about-satellite-and-space-systems/d/d-id/1335131

Intel and the auto industry pen first safety rules for self-driving cars
Aptiv, Audi, Baidu, BMW, Continental, Daimler, Fiat Chrysler Automobiles, Here Technologies, Infineon and Volkswagen were all involved in crafting the paper, which established 12 principles for autonomous vehicles
https://www.engadget.com/2019/07/02/intel-safety-first-automated-driving-principles-paper/

Building a Higher Standard: NVIDIA Selected to Lead Industry Safety Group
These organizations, which count major automakers, suppliers and startups as members, are critical in developing regulations and standards for autonomous vehicles
https://blogs.nvidia.com/blog/2019/07/01/higher-standard-lead-industry-safety-group/

Senate passes cybersecurity bill to decrease grid digitization, move toward manual control
A 2015 cyberattack in Ukraine that led to a blackout for 250,000 people “inspired in part” the legislation, according to King’s statement. Manual controls on Ukraine’s system prevented the attack from having a larger impact.
https://www.utilitydive.com/news/senate-passes-cybersecurity-bill-to-decrease-grid-digitization-move-toward/557959/

Hardcoded Credentials Expose SICK Controllers to Remote Attacks
The affected controllers, which according to the U.S. Department of Homeland Security (DHS) are used worldwide, particularly in the critical manufacturing sector, are affected by a critical vulnerability tracked as CVE-2019-10979
https://www.securityweek.com/hardcoded-credentials-expose-sick-controllers-remote-attacks

7-1-19 – News This Past Week

Mission Possible: ICS Attacks On Buildings Are a Reality
In the 1996 thriller, Mission Impossible I, Ethan Hunt hacks the HVAC system of a building to breach its security controls and carry out his mission. Well, the future has arrived
https://www.securityweek.com/mission-possible-ics-attacks-buildings-are-reality

What is Critical Infrastructure and How Should We Protect It?
We hear a lot these days about critical infrastructure, and the importance of protecting it. But what exactly is “critical infrastructure,” what are the greatest threats to it, and what are the best ways to protect it from those threats?
https://www.tenable.com/blog/what-is-critical-infrastructure-and-how-should-we-protect-it

NIST Issues IoT Risk Guidelines
A new report offers the first step toward understanding and managing IoT cybersecurity risks
https://www.darkreading.com/iot/nist-issues-iot-risk-guidelines/d/d-id/1335080

Interoperability and security remain critical factors in any smart city deployment
Over half of respondents expect to see widespread smart city deployments in 10 or more years, while a third predict 5-10 years. Just 15 per cent expect it in less than 5 years

Medtronic recalls vulnerable MiniMed insulin pumps
The potential risks are related to the wireless communication between Medtronic’s MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with these pumps

Scumbags can program vulnerable MedTronic insulin pumps over the air to murder diabetics – insecure kit recalled
Health implant maker MedTronic is recalling some of its insulin pumps following the discovery of security vulnerabilities in the equipment that can be exploited over the air to hijack them
https://www.theregister.co.uk/2019/06/28/medtronic_insulin_pump_recall/

Industry Reactions to Nation-State Hacking of Global Telcos
The immediate purpose was to steal mobile phone call data records (CDR), and Cybereason believes the primary targets may be foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement officers. The long-term potential would be to destroy the telcos’ networks in an attack against critical infrastructure
https://www.securityweek.com/industry-reactions-nation-state-hacking-global-telcos

6-24-19 – News This Past Week

Countering industrial cyberthreats with secure, standards-based, licensed wireless networks
This was the first documented digital attack known to have compromised electrical grid operations in the United States due to a moderately basic hack and showed us how the potential for far more significant disruption is a legitimate concern to industry professionals and consumers alike.

For the industrial Internet of Things, defense in depth is a requirement
What the “4.0” revision adds compared to Industries 1.0 through 3.0 is a complex set of linkages between information and operational technologies. (IT stores, transmits, and manipulates data, while “OT” detects and causes changes in physical processes, such as devices for manufacturing or climate control.)
https://arstechnica.com/information-technology/2019/06/more-sensors-more-problems-industrial-iot-platforms-need-safeguarding/

Hospitals are being suffocated by robocalls
But it’s reaching a feverish pitch at the organizations for which it’s far more than an annoyance – rather, as hospital cybersecurity chiefs tell it, it’s a question of life and death. Spearphishers are placing spam calls to patients – using numbers spoofed to look like they’re coming from legitimate healthcare organizations and pretending to be hospital representatives

Robocalls are overwhelming hospitals and patients, threatening a new kind of health crisis
But doctors, administrators and other hospital staff struggled to contain a much different kind of epidemic one April morning last year: a wave of thousands of robocalls that spread like a virus from one phone line to the next, disrupting communications for hours.
https://www.washingtonpost.com/technology/2019/06/17/robocalls-are-overwhelming-hospitals-patients-threatening-new-kind-health-crisis/?noredirect=on&utm_term=.0d8eb79835be

Power Outage Hits Millions in South America
The outage, which began in the interconnection system at the Yacyreta Dam, had a significant cybersecurity impact on one-third of the “CIA triad” — confidentiality, integrity, and availability of data
https://www.darkreading.com/iot/power-outage-hits-millions-in-south-america/d/d-id/1334983

Utilities, Nations Need Better Plan Against Critical Infrastructure Attackers
The attackers behind the Triton, or Xenotime, intrusions into critical infrastructure (CI) safety systems are testing their skills against electric power companies. Options for defense are still limited, however
https://www.darkreading.com/utilities-nations-need-better-plan-against-critical-infrastructure-attackers/d/d-id/1334977

Tiny TPM Promises to Secure IoT Devices
The Trusted Computing Group, founded by companies such as AMD, HP, IBM, Intel and Microsoft in 2003 to protect cryptographic keys on computers against tampering, recently announced its work to develop the specification for the “world’s tiniest Trusted Platform Module”
https://www.tomshardware.com/news/smallest-tpm-chip-iot-devices-cybersecurity,39669.html

Smart TV Malware Is Another Thing We Have To Worry About, According To Samsung
As if worrying about our phones and computers being infected with malware wasn’t bad enough, it seems that Samsung might have caused a bit of undue panic and stress with a recent warning/reminder that the company issued
https://www.ubergizmo.com/2019/06/smart-tv-malware-samsung-warning/

Bugs in a popular hospital pump may let attackers alter drug dosages
Healthcare security firm CyberMDX has discovered two bugs affecting a popular infusion pump, allowing hijackers to remotely access and control it. Homeland Security has disclosed the vulnerabilities in the Alaris Gateway Workstation, a hospital pump that delivers fluids into a patient’s body in a controlled manner
https://www.engadget.com/2019/06/14/alaris-hospital-pump-vulnerabilities/

6-17-19 – News This Past Week

Hackproofing smart meters and boosting smart grid security
Smart electricity meters are useful because they allow energy utilities to efficiently track energy use and allocate energy production. But because they’re connected to a grid, they can also serve as back doors for malicious hackers

Critical Vulnerability Exposes Oil Tank Monitoring Devices to Attacks
A critical vulnerability has been found in oil tank monitoring devices from Tecson/GOK, but the vendor has released a patch and points out that there are less than 1,000 devices that could be affected.
https://www.securityweek.com/critical-vulnerability-exposes-oil-tank-monitoring-devices-attacks

Organizations Investing More in ICS Cyber Security: SANS Study
Organizations have been investing more in the cybersecurity of industrial control systems (ICS) and operational technology (OT), and the results are showing, but many still perceive the risk as severe or high, according to the SANS 2019 State of OT/ICS Cybersecurity Report published on Wednesday
https://www.securityweek.com/organizations-investing-more-ics-cyber-security-sans-study

IoT Cybersecurity Improvement Act: An Important Step Forward
At Tenable, we look forward to working with our partners on Capitol Hill to move the IoT Cybersecurity Improvement Act forward and strengthen the security of federal networks
https://www.tenable.com/blog/iot-cybersecurity-improvement-act-an-important-step-forward

Tool Links Internet-Exposed ICS to Google Street View
An open source tool named Kamerka allows users to generate a map of Internet-exposed industrial control systems (ICS) in a specified country and link results to Google Street View.
https://www.securityweek.com/tool-links-internet-exposed-ics-google-street-view

THE HIGHLY DANGEROUS ‘TRITON’ HACKERS HAVE PROBED THE US GRID
Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks
https://www.wired.com/story/triton-hackers-scan-us-power-grid/

Hackers behind dangerous oil and gas intrusions are probing US power grids
The most alarming thing about this attack was its use of never-before-seen malware that targeted the facility’s safety processes. Such safety instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising
https://arstechnica.com/information-technology/2019/06/hackers-behind-dangerous-oil-and-gas-intrusions-are-probing-us-power-grids/

6-10-19 – News This Past Week

A backdoor in Optergy tech could remotely shut down a smart building ‘with one click’
An advisory said an attacker could gain “full system access” through an “undocumented backdoor script.” This, the advisory said, could allow the attacker to run commands on a vulnerable device with the highest privileges.

Industrial cybersecurity strategies need a radical rethink and should be built from the ground up
Steering away from traditional “air-gapped” models (having no external connections) and embracing the underlying premise of Industry 4.0 for ICS is not an easy task. The same security procedures, protocols, network/user/device protection, and ID management that make sense in corporate IT environments cannot be applied to industrial ones.

IoT Security Regulation is on the Horizon
Perhaps the most infamous of these incidents is Genesis Toys’ My Friend Cayla doll, which was banned in Germany in 2017 and labeled an “espionage device” due to vulnerabilities that allowed takeover by third parties

Several Vulnerabilities Found in Cisco Industrial Network Director
Cisco on Wednesday informed customers that several vulnerabilities, including a code execution flaw classified as “high severity,” have been found in the company’s Industrial Network Director product
https://www.securityweek.com/several-vulnerabilities-found-cisco-industrial-network-director

6-3-19 – News This Past Week

How likely are weaponized cars?
The modern vehicle can be described as electric, connected, software embedded, driverless, and even artificially intelligent. Left unmanaged and without security considerations, these properties render risks that manifest as software bugs and design flaws that may allow unauthorized remote access

Siemens LOGO!, a PLC for small automation projects, open to attack
LOGO!, a programmable logic controller (PLC) manufactured by Siemens, sports three vulnerabilities that could allow remote attackers to reconfigure the device, access project files, decrypt files, and access passwords

Industry is Not Prepared for the IIoT Attacks that Have Already Begun
Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more than 20 billion by 2025 — and does not include phones, tablets or laptops. It is a journey just beginning, and nobody yet knows the destination or route
https://www.securityweek.com/industry-not-prepared-iiot-attacks-have-already-begun

High-Risk Flaws Found in Process Control Systems From B&R Automation
According to the cybersecurity firm, the flaws impact 12 components of the APROL products, which are often used by oil and gas, energy, and mechanical engineering companies
https://www.securityweek.com/high-risk-flaws-found-process-control-systems-br-automation

IoT cyberattacks are the new normal, the security mindset isn’t
Eight in ten organizations have experienced a cyberattack on their IoT devices in the past 12 months, according to new research by Irdeto. Of those organizations, 90% experienced an impact as a result of the cyberattack, including operational downtime and compromised customer data or end-user safety.

5-28-19 – News This Past Week

‘Why do we need to wait for people to be hurt?’ Medical cyber attacks soar 1400%
Strapped to a stretcher, surrounded by medics, nurses and doctors, a middle-aged man was about to play patient zero in what America’s health care industry fears could be the next major pandemic: “cybergeddon.”
https://www.sfgate.com/healthredesign/article/medical-cyber-attacks-terrorism-hospital-health-13853912.php

General Motors designs a new “brain and nervous system” for its vehicles
A common criticism of the increasingly digital nature of new cars and trucks is that all these new features are being shoehorned into systems that were not designed with features like connectivity in mind.
https://arstechnica.com/cars/2019/05/general-motors-designs-a-new-brain-and-nervous-system-for-its-vehicles/

Hackers Are Holding Baltimore’s Government Computers Hostage, and It’s Not Even Close to Over
But the city has not paid. In the two weeks since, Baltimore citizens have not had access to many city services. The city payment services and email systems are still offline
https://gizmodo.com/hackers-are-holding-baltimores-government-computers-hos-1834948639

5-20-19 – News This Past Week

Wormable Windows RDS Vulnerability Poses Serious Risk to ICS
A critical remote code execution vulnerability patched recently by Microsoft in Windows Remote Desktop Services (RDS) poses a serious risk to industrial environments, experts have warned.
https://www.securityweek.com/wormable-windows-rds-vulnerability-poses-serious-risk-ics

We chat to boffins who’ve found a way to disrupt landings using off-the-shelf radio kit
In a research paper titled “Wireless Attacks on Aircraft Instrument Landing Systems,” scheduled to be presented at the 28th USENIX Security Symposium in August, computer scientists Harshad Sathaye, Domien Schepers, Aanjhan Ranganathan, and Guevara Noubir demonstrate that it’s possible to interfere with ILS data in real-time, potentially causing aircraft to discontinue a landing approach (“go around”) or miss the landing area entirely in a low-visibility situation
https://www.theregister.co.uk/2019/05/16/airplane_landing_security/

The Shortcomings of Network Monitoring in Fighting ICS Threats
The growing sophistication of industrial control system (ICS) networks, especially since the advent of the Industrial Internet of Things (IIoT), has improved numerous processes while also making them softer targets for attacks. Simply put, interconnectedness has broadened and weakened the attack surface
https://www.securityweek.com/shortcomings-network-monitoring-fighting-ics-threats

The six biggest cybersecurity risks facing the utilities industry
The utilities industry is rapidly modernizing its infrastructure, adding more digitized equipment and connectivity across devices, plants, and systems. This evolution to “smart infrastructure” represents a positive, paradigm shift for the industry

Siemens Addresses Vulnerabilities in LOGO, SINAMICS Products
According to the German industrial giant, SINAMICS Perfect Harmony GH180 medium voltage converters are impacted by two high-severity denial-of-service (DoS) vulnerabilities that can be exploited by an attacker who has access to the network housing the targeted device. The flaws can be exploited with no privileges and without any user interaction
https://www.securityweek.com/siemens-addresses-vulnerabilities-logo-sinamics-products

5-13-19 – News This Past Week

Over 100 Flaws Expose Buildings to Hacker Attacks
He said an attacker can conduct a wide range of activities after hijacking the vulnerable systems, including trigger alarms, lock or unlock doors and gates, control elevator access, intercept video surveillance streams, manipulate HVAC systems and lights, disrupt operations, and steal personal information
https://www.securityweek.com/over-100-flaws-expose-buildings-hacker-attacks

Extinguishing the IoT Insecurity Dumpster Fire
And then as you mentioned, there’s industrial IoT, which has those high type of risk if there is some sort of security issue there. So there really are all these different types of devices and along with those, different types of security implications.

NIST Working on Industrial IoT Security Guide for Energy Companies
The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems
https://www.securityweek.com/nist-working-industrial-iot-security-guide-energy-companies