5-13-19 – News This Past Week

Over 100 Flaws Expose Buildings to Hacker Attacks
He said an attacker can conduct a wide range of activities after hijacking the vulnerable systems, including trigger alarms, lock or unlock doors and gates, control elevator access, intercept video surveillance streams, manipulate HVAC systems and lights, disrupt operations, and steal personal information
https://www.securityweek.com/over-100-flaws-expose-buildings-hacker-attacks

Extinguishing the IoT Insecurity Dumpster Fire
And then as you mentioned, there’s industrial IoT, which has those high type of risk if there is some sort of security issue there. So there really are all these different types of devices and along with those, different types of security implications.

Extinguishing the IoT Insecurity Dumpster Fire

NIST Working on Industrial IoT Security Guide for Energy Companies
The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems
https://www.securityweek.com/nist-working-industrial-iot-security-guide-energy-companies

5-6-19 – News This Past Week

Hacking our way into cybersecurity for medical devices
Hospitals are filled with machines connected to the internet. With a combination of both wired and wireless connectivity, knowing and managing which devices are connected has become more complicated and, consequently, the institutions’ attack surface has expanded

Hacking our way into cybersecurity for medical devices

People Are Clamoring to Buy Old Insulin Pumps
How an obsolete medical device with a security flaw became a must-have for some patients with type 1 diabetes
https://www.theatlantic.com/science/archive/2019/04/looping-created-insulin-pump-underground-market/588091/

Plan to secure internet of things with new law
Security vulnerabilities that could be targeted by hackers have been found in everything from toy dolls to internet-connected ovens in recent years
https://www.bbc.com/news/technology-48106582

Two Vulnerabilities Expose Rockwell Controllers to DoS Attacks
Two vulnerabilities discovered by industrial cybersecurity companies CyberX and Nozomi Networks in some of Rockwell Automation’s controllers expose devices to denial-of-service (DoS) attacks
https://www.securityweek.com/two-vulnerabilities-expose-rockwell-controllers-dos-attacks

‘Denial of service condition’ disrupted US energy company operations
An energy company providing power in several western U.S. states experienced a “denial-of-service condition” serious enough to warrant reporting it to the government’s energy authority.

‘Denial of service condition’ disrupted US energy company operations

UK Publishes Proposed Regulation for IoT Device Security
The UK government has published a consultation document on the proposed regulation of consumer IoT devices. The consultation is not designed to see whether regulation is necessary, but to help the government “make a decision on which measures to take forward into legislation.”
https://www.securityweek.com/uk-publishes-proposed-regulation-iot-device-security

Security lapse exposed a Chinese smart city surveillance system
Security researcher John Wethington found a smart city database accessible from a web browser without a password. He passed details of the database to TechCrunch in an effort to get the data secured

Security lapse exposed a Chinese smart city surveillance system

4-29-19 – News These Past Two Weeks

TRITON Attacks Underscore Need for Better Defenses
After revealing last week that the same set of tools used by the TRITON attackers were also found in a second victim’s network, security services firm FireEye stressed that attackers are likely in the networks of some of the facilities that are home to the 18,000 Triconex safety systems installed in plants worldwide.
https://www.darkreading.com/vulnerabilities—threats/triton-attacks-underscore-need-for-better-defenses/d/d-id/1334418

A look at security threats to critical infrastructure
Threats to critical infrastructure, like Operation Sharpshooter, should motivate CI sectors to take cybersecurity seriously. Learn about the threats and how to defend against them
https://searchsecurity.techtarget.com/tip/A-look-at-security-threats-to-critical-infrastructure

Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems
Recently, the infamous Triton (also known as Trisis) malware framework made news again after researchers from FireEye found evidence of the same attacker lurking in other critical infrastructure. In 2017, Triton was behind an attack that shut down Schneider Electric’s Triconex safety instrumentation system (SIS) at a petrochemical plant in Saudi Arabia — the malware went undetected for nearly a year and has been linked to a group called XENOTIME
https://www.securityweek.com/examining-triton-attack-framework-lessons-learned-protecting-industrial-systems

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps
The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices
https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps

Serious Vulnerabilities Found in Fujifilm X-Ray Devices
The flaws, described in an advisory published this week by ICS-CERT, affect Fuji Computed Radiography (FCR) XC-2 and Capsula X medical imaging products (CR-IR 357) — Capsula products are marketed as Carbon in the United States. The impacted devices are used in the healthcare sector worldwide
https://www.securityweek.com/serious-vulnerabilities-found-fujifilm-x-ray-devices

Rockwell Controller Flaw Allows Hackers to Redirect Users to Malicious Sites
A serious vulnerability affecting some of Rockwell Automation’s MicroLogix and CompactLogix programmable logic controllers (PLCs) can be exploited by a remote attacker to redirect users to malicious websites.
https://www.securityweek.com/rockwell-controller-flaw-allows-hackers-redirect-users-malicious-sites

NIST Tool Finds Errors in Complex Safety-Critical Software
The U.S. National Institute of Standards and Technology (NIST) this week announced that updates to its Automated Combinatorial Testing for Software (ACTS) research toolkit should help developers of complex safety-critical applications find potentially dangerous errors and make their software safer
https://www.securityweek.com/nist-tool-finds-errors-complex-safety-critical-software

4-15-19 – News This Past Week

Someone is targeting “critical infrastructure” safety systems in networked attacks
The Triton malware was first identified 16 months ago by researchers from Fireeye: it targets Triconex control systems from Schneider Electric, and was linked by Fireeye to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow

Someone is targeting “critical infrastructure” safety systems in networked attacks

Triton ICS Malware Hits A Second Victim
According to researchers at FireEye, the cybercriminals behind Triton, also called Trisis, have once again targeted industrial control systems (ICS), this time at an undisclosed company in the Middle East. Further, FireEye has taken the additional step of linking Triton with high confidence to Russian state-sponsored hackers

SAS 2019: Triton ICS Malware Hits A Second Victim

The hacker group behind the Triton malware strikes again
The company was tight-lipped on the intrusion at the second facility, declining to describe the type of facility or its location — or even the year of the attack

The hacker group behind the Triton malware strikes again

Mysterious safety-tampering malware infects a second critical infrastructure site
Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents
https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/

Industry Reactions to New Triton Attacks on Critical Infrastructure
The existence of Triton came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye, which previously linked Triton to a research institute owned by the Russian government, recently analyzed the threat actor’s tools and techniques after identifying another target
http://www.securityweek.com/industry-reactions-new-triton-attacks-critical-infrastructure

Siemens Patches Serious DoS Flaws in Many Industrial Products
Siemens’ Patch Tuesday updates for April 2019 address several serious vulnerabilities, including some denial-of-service (DoS) flaws affecting many of the company’s industrial products
http://www.securityweek.com/siemens-patches-serious-dos-flaws-many-industrial-products

Critical Vulnerability in Siemens Spectrum Power (CVE-2019-6579) Patched in Monthly Advisory
On April 9, Siemens published its monthly Siemens Advisory Day release across a variety of Siemens products. This includes 11 CVEs newly addressed in Siemens products along with updates to previous advisories, including additional CVEs and product updates and mitigations. The most critical of these vulnerabilities could give an unauthenticated attacker administrative privileges
https://www.tenable.com/blog/critical-vulnerability-in-siemens-spectrum-power-cve-2019-6579-patched-in-monthly-advisory

Cars Exposed to Hacker Attacks by Hardcoded Credentials in MyCar Apps
A small aftermarket telematics unit from Montreal, Canada-based AutoMobility, MyCar provides users with a series of smartphone-controlled features for their cars, including geolocation, remote start/stop and lock/unlock capabilities.
http://www.securityweek.com/cars-exposed-hacker-attacks-hardcoded-credentials-mycar-apps

Medical Device Cybersecurity
Before long, just about everything in the medical world will be running on software – and even connected to the internet. That already applies to pacemakers and insulin pumps and a host of devices used in hospitals
http://www.byuradio.org/episode/e85c70f1-e81a-48d4-9c69-9c469fe23ce6/top-of-mind-with-julie-rose-israel-women-in-trucking-medical-device-cybersecurity?playhead=2219&autoplay=true

Hacking healthcare: A call for infosec researchers to probe biomedical devices
It is a brave new connected world out there and there is no shortage of cybersecurity risks associated with everything we do. We can’t even be sure that the technologies that keep as alive and healthy will work as intended if malicious actors set their sights on them

Hacking healthcare: A call for infosec researchers to probe biomedical devices

90% of OT organizations are cyberattack victims, yet visibility into OT systems is still limited
OT professionals have spoken — the people who manage critical systems such as manufacturing plants and transportation almost unanimously state that they are fighting-off cyberattacks on a regular basis

90% of OT organizations are cyberattack victims, yet visibility into OT systems is still limited

4-8-19 – News This Past Week

TXOne Networks Unveils First Industrial Cybersecurity Product
TXOne Networks, a joint venture between cybersecurity firm Trend Micro and industrial networking solutions provider Moxa, this week unveiled its first product, an industrial intrusion prevention system
https://www.securityweek.com/txone-networks-unveils-first-industrial-cybersecurity-product

Long Equipment Life Cycles Expose Manufacturing Industry to Attacks: Study
Using data from its Smart Protection Network infrastructure, Trend Micro has conducted a detailed analysis of the threats and risks impacting the manufacturing sector and drew comparisons to other industries
https://www.securityweek.com/long-equipment-life-cycles-expose-manufacturing-industry-attacks-study

Researchers trick radiologists with malware-created cancer nodes
Security researchers in Israel have developed malware that can add realistic-looking but entirely fake growths to CT and MRI scans or hide real cancerous nodules that would be detected by the medical imagining equipment
https://www.engadget.com/2019/04/03/malware-cancerous-nodes-ct-mri-scans/

Airports & Operational Technology: 4 Attack Scenarios
As OT systems increasingly fall into the crosshairs of cyberattackers, aviation-industry CISOs have become hyper-focused on securing them
https://www.darkreading.com/vulnerabilities—threats/airports-and-operational-technology-4-attack-scenarios-/a/d-id/1334282

Study maps ‘extensive Russian GPS spoofing’
The analysis showed Russia was “pioneering” the use of GPS spoofing techniques to “protect and promote its strategic interests”, the report said
https://www.bbc.com/news/technology-47786248

Researchers trick Tesla Autopilot into steering into oncoming traffic
Researchers have devised a simple attack that might cause a Tesla to automatically steer into oncoming traffic under certain conditions. The proof-of-concept exploit works not by hacking into the car’s onboard computing system, but by using small, inconspicuous stickers that trick the Enhanced Autopilot of a Model S 75 into detecting and then following a change in the current lane
https://arstechnica.com/information-technology/2019/04/researchers-trick-tesla-autopilot-into-steering-into-oncoming-traffic/

Boeing’s 737 Max update is still ‘weeks’ away from FAA approval
This long wait wasn’t entirely unexpected. Leaks hinting at tentative approval warned that Boeing might have to make last-minute changes, and even an ideal update schedule would have airlines waiting a while to deploy the update to their fleets
https://www.engadget.com/2019/04/01/faa-will-take-long-time-to-approve-737-max-fix/

Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
The vulnerability was identified in Rockwell Automation’s PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. The drive offers a wide range of motor and software controls from regulating volts per hertz and software used to manage EtherNet/IP networks

Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk

Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers
https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives

The Consumerization of Industrial Cyber Security
If we look back to the internet boom of the mid 1990s, the general public was also unaware of how a computer security breach could impact their lives. Little attention was given to computer viruses (now called malware), websites that were compromised by hackers or data breaches
https://www.securityweek.com/consumerization-industrial-cyber-security

4-1-19 – News This Past Week

Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.

Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk

Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers
https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives

The Consumerization of Industrial Cyber Security
Little attention was given to computer viruses (now called malware), websites that were compromised by hackers or data breaches. But that all changed, once attackers began stealing credit card information and identities online.
https://www.securityweek.com/consumerization-industrial-cyber-security

3-25-19 – News This Past Week

New IoT Security Bill: Third Time’s the Charm?
The latest bill to set security standards for connected devices sold to the US government has fewer requirements, instead leaving recommendations to the National Institute of Standards and Technology.
https://www.darkreading.com/iot/new-iot-security-bill-third-times-the-charm/d/d-id/1334190

Hacked tornado sirens taken offline in two Texas cities ahead of major storm
A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area.
https://www.zdnet.com/article/hacked-tornado-sirens-taken-offline-in-two-texas-cities-ahead-of-major-storm/

Boeing downplayed 737 MAX software risks, self-certified much of plane’s safety
Additionally, the MCAS system was designed to work based on input from only one sensor—despite the fact that Boeing rated a failure of the system as “hazardous.” That level of risk—which in itself was understated, according to engineers—should have been enough to require redundant sensors.
https://arstechnica.com/information-technology/2019/03/boeing-downplayed-737-max-software-risks-self-certified-much-of-planes-safety/

They didn’t buy the DLC: feature that could’ve prevented 737 crashes was sold as an option
The MCAS includes a feature that determines when the aircraft is pointed upward relative to the flow of air across its surface at an angle that could lead to the loss of sufficient lift to keep the airplane flying—what’s known as a stall. To prevent a stall, MCAS (like other anti-stall systems on commercial aircraft) adjusts the aircraft’s tail stabilizers to push the nose of the aircraft down, boosting its airspeed.
https://arstechnica.com/information-technology/2019/03/boeing-sold-safety-feature-that-could-have-prevented-737-max-crashes-as-an-option/

Boeing to make safety feature standard on troubled Max jets
The equipment, which had been offered as an option, alerts pilots of faulty information from key sensors. It will now be included on every 737 Max as part of changes that Boeing is rushing to complete on the jets by early next week, according to two people familiar with the changes
https://www.apnews.com/140576a8e9d4449eae646c8c479fdc3a

Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator
A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.
https://www.securityweek.com/schneider-electric-working-patch-flaw-triconex-tristation-emulator

Securing Industrial IoT in the Modern World
Manufacturing arguably offers the largest attack surface of almost any industry with regards to cybersecurity threats, and has long been a prime target for ‘everyday’ attacks like phishing, ransomware, data-theft – you name it, they’ve seen it.
https://www.securityweek.com/securing-industrial-iot-modern-world

8 ways to protect building management systems
Like any other computer system installed in buildings and factories, building management systems are vulnerable to attackers, such as disgruntled employees, industry competitors, industrial spies or a nation-state
https://searchsecurity.techtarget.com/tip/8-ways-to-protect-building-management-systems

Triton and the new wave of IIoT security threats
Triton malware, which can shut down industrial safety systems, causing damage to facilities and threatening human life, targets the industrial internet of things
https://www.networkworld.com/article/3375206/triton-and-the-new-wave-of-iiot-security-threats.html

Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft
Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people’s bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed

Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft

DHS issues warning about Medtronic implantable defibrillator flaws
A warning issued by the department says over 20 Medtronic products are afflicted with vulnerabilities that could be exploited by attackers nearby. Sixteen of the products are implantable defibrillators — some still sold around the world today — while the others are the defibrillators’ bedside monitors and programmers.
https://www.engadget.com/2019/03/22/dhs-warning-medtronic-implantable-defibrillator-flaws/

Don’t have a heart attack but your implanted defibrillator can be hacked over the air
Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients’ chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect
https://www.theregister.co.uk/AMP/2019/03/22/medtronic_implanted_defibrillator_hackable/

Schneider Electric partners with Vericlave to protect customers’ critical IT and OT systems
Under the terms of the agreement, Schneider Electric will provide Vericlave’s advanced encryption technology to further secure and protect its customers’ critical IT and OT systems from the risk of cyberattack.

Schneider Electric partners with Vericlave to protect customers’ critical IT and OT systems

3-18-19 – News This Past Week

Tripwire debuts pentesting and industrial cybersecurity assessment services
With Tripwire’s new services, organizations can establish and maintain a strong foundation of security. The Penetration Testing Assessment leverages highly skilled cybersecurity experts who discover and then exploit vulnerabilities to assess the security of an organization’s IT environment

Tripwire debuts pentesting and industrial cybersecurity assessment services

Quantum Physics Could Protect the Grid From Hackers—Maybe
Cybersecurity experts have sounded the alarm for years: Hackers are ogling the US power grid. The threat isn’t merely hypothetical—a group affiliated with the Russian government gained remote access to energy companies’ computers, the Department of Homeland Security published last March.
https://www.wired.com/story/quantum-physics-protect-grid/

Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software
Patches released by Rockwell Automation for its RSLinx Classic software address a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly for remote code execution
https://www.securityweek.com/rockwell-automation-patches-critical-dosrce-flaw-rslinx-software

IoT automation platforms open smart buildings to new threats
IoT automation platforms in smart buildings are presenting attackers with new opportunities for both physical and data compromise, Trend Micro researchers warn in a newly released report

IoT automation platforms open smart buildings to new threats

Triton is the world’s most murderous malware, and it’s spreading
The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

Firms Continue to Fail at IoT Security
He said, smart devices are still too easy a target with vectors such as man-in-the-middle attacks. Case and point, in February Checkmarx discovered a bevy of flaws in a consumer smart scale that could allow hackers to launch a variety of attacks, from man-in-the-middle to denial of service

RSA Conference 2019: Firms Continue to Fail at IoT Security

Pentagon reassures public that its autonomous robotic tank adheres to “legal and ethical standards” for AI-driven killbots
The Pentagon is seeking bids to improve its Advanced Targeting and Lethality Automated System (ATLAS) so that it can “acquire, identify, and engage targets at least 3X faster than the current manual process.”

Pentagon reassures public that its autonomous robotic tank adheres to “legal and ethical standards” for AI-driven killbots

DHS: No Investigation Planned for Electrical Grid Incursions
Despite concrete evidence of Russian infiltration of the US electrical grid and acknowledgment of the hacking by the US government, no formal investigation is planned, according to a Department of Homeland Security (DHS) official who spoke here at this week’s RSA Conference
https://www.darkreading.com/threat-intelligence/dhs-no-investigation-planned-for-electrical-grid-incursions/d/d-id/1334121

Flaws in Smart Alarms Exposed Millions of Cars to Dangerous Hacking
Serious vulnerabilities found in high-end car alarms could have been exploited to remotely hack millions of vehicles, including to track them, immobilise them and spy on their owners
https://www.securityweek.com/flaws-smart-alarms-exposed-millions-cars-dangerous-hacking

Venezuela’s Maduro Says Cyber Attack Prevented Power Restoration
Venezuela President Nicolas Maduro claimed on Saturday that a new cyber attack had prevented authorities from restoring power throughout the country following a blackout on Thursday that caused chaos
https://www.securityweek.com/venezuelas-maduro-says-cyber-attack-prevented-power-restoration

We’re still bad at securing industrial controllers
The bugs range in severity and impact, though Positive Tech noted that even something as simple as a denial of service issue could have a profound impact when it comes to industrial control systems (ICS).
https://www.theregister.co.uk/2019/03/11/industrial_controllers/

Many Vulnerabilities Discovered in Moxa Industrial Switches
Over a dozen vulnerabilities, including ones classified as critical, have been found by Positive Technologies researchers in EDS and IKS switches made by industrial networking solutions provider Moxa. The vendor has released patches and mitigations that should address the flaws
https://www.securityweek.com/many-vulnerabilities-discovered-moxa-industrial-switches

Hacking 10 percent of self-driving cars would cause gridlock in NYC
That question inspired scientists at the Georgia Institute of Technology to quantify the likely impact of such a large-scale hack on traffic flow in New York City. Skanda Vivek, a postdoctoral researcher at Georgia Tech, described the study’s findings at the American Physical Society’s 2019 March meeting, held last week in Boston
https://arstechnica.com/science/2019/03/study-hacking-10-percent-of-self-driving-cars-would-cause-gridlock-in-nyc/

Boeing will release software updates for 737 Max jets by April
Both investigations are still in the early stages, but experts are concerned about the similarities in the accidents. “It’s highly suspicious,” aviation analyst Mary Schiavo told CNN.
https://www.engadget.com/2019/03/12/boeing-software-update-737-max/

Don’t be too shocked, but it looks as though these politicians have actually got their act together on IoT security
The legislation has been introduced into both the House and the Senate with politicians from both sides supporting it. What’s more, the Internet of Things (IoT) Cybersecurity Improvement Act has the backing of industry and security experts and is well written
https://www.theregister.co.uk/AMP/2019/03/13/congress_iot_security/

IoT Security Meets Healthcare: What You Need to Know
Like in any environment, more connected devices means a larger attack surface. I’s been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional.
https://www.securityweek.com/iot-security-meets-healthcare-what-you-need-know

Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators
Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to “replay attacks” that allowed the researchers to bypass the encryption

Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators

IoT Security Bills for US Government Will Also Affect Business IT
Once the rules go into effect in 2020, the new requirements include making IoT devices patchable, certifying that they are free from known vulnerabilities and that the devices use standard protocols
https://www.eweek.com/security/iot-security-bills-for-us-government-will-also-affect-business-it

Dragos Acquires NexDefense, Releases Free ICS Assessment Tools
The second tool, developed by members of the Dragos team before the company was founded, is CyberLens, an assessment tool designed for quickly processing packet captures and visualizing ICS environments
https://www.securityweek.com/dragos-acquires-nexdefense-releases-free-ics-assessment-tools

3-4-19 – News Since February

How to Attack and Defend a Prosthetic Arm
The IoT world has long since grown beyond the now-ubiquitous smartwatches, smartphones, smart coffee machines, cars capable of sending tweets and Facebook posts and other stuff like fridges that send spam. Today’s IoT world now boasts state-of-the-art solutions that quite literally help people. Take, for example, the biomechanical prosthetic arm made by Motorica Inc. This device helps people who have lost their limb to restore movement.

How to Attack and Defend a Prosthetic Arm

USB attacks: Big threats to ICS from small devices
It’s amazing that a device as small as a USB drive could be a serious threat to critical infrastructure systems. Although a USB drive is simply a chip on a stick, when used maliciously, it can deliver malware, steal critical data and cause other malicious attacks
https://searchsecurity.techtarget.com/feature/USB-attacks-Big-threats-to-ICS-from-small-devices

Siemens Warns of Critical Remote-Code Execution ICS Flaw
SICAM 230 is used for a broad range of industrial control system (ICS) applications, including use as an integrated energy system for utility companies, and a monitoring system for smart-grid applications

Siemens Warns of Critical Remote-Code Execution ICS Flaw

Securing IoT: Whose responsibility is it?
Securing IoT has been a hot topic since day one — and for good reason. Adding internet connectivity to anything inevitably increases the number of threats it can face, and the sheer number of IoT devices an enterprise uses widens its potential attack surface. Add in the IoT devices your employees use on a daily basis and it can be a recipe for disaster.
https://internetofthingsagenda.techtarget.com/answer/Securing-IoT-Whose-responsibility-is-it

How hackers could wreck container vessels
This may all seem like some kind of fantasy based on the plot of the hit 1990s movie Hackers, in which heroes Acid Burn and Zero Cool and their cyber-pals race to stop malware sinking a bunch of oil tankers. However, UK-based Pen Test Partners (PTP) have dug up legit vulnerabilities before, so forgive us if we give them the benefit of the doubt here
https://www.theregister.co.uk/AMP/2019/02/21/boat_hacking_case/

Honeywell’s industrial cybersecurity solution guards against USB device attacks
USB devices include flash drives and charging cables, as well as many other USB-attached devices. They represent a primary attack vector into industrial control system (ICS) environments, and existing security controls typically focus on the detection of malware on these USBs.

Honeywell’s industrial cybersecurity solution guards against USB device attacks

Critical Flaws Allow Hackers to Take Control of Kunbus Industrial Gateway
Germany-based Kunbus offers connectivity solutions for industrial networks. The company’s gateway products, which are used by various types of organizations around the world, are designed to provide continuous and reliable communications between different networks and systems
https://www.securityweek.com/critical-flaws-allow-hackers-take-control-kunbus-industrial-gateway

IT security incidents affecting German critical infrastructure are on the rise
The BSI is the federal agency charged with managing computer and communication security for the German government, as well as monitoring the security of computer applications and the Internet, protecting critical infrastructure, certifying security products, and more.

IT security incidents affecting German critical infrastructure are on the rise

Rockwell Automation industrial energy meter vulnerable to public exploits
It measures voltage and current in an electrical circuit and communicates power and energy parameters to applications such as FactoryTalk EnergyMetrixTM, SCADA systems, and programmable controllers, over Ethernet or serial networks.

Rockwell Automation industrial energy meter vulnerable to public exploits

Got Critical Infrastructure? Then You Should Know How To Protect It
Industrial Control Systems (ICS) are key to keeping critical infrastructure such as electric grids, nuclear facilities, oil & gas refineries, wastewater treatment plants, manufacturing operations, and more running and safe. In fact, much of what underlies the goods and services being produced and offered across the globe rely on ICS in some form, whether it be in production, transport or operations.
https://www.securityweek.com/got-critical-infrastructure-then-you-should-know-how-protect-it

Researchers and businesses need to work together to expose IoT vulnerabilities
Two new vulnerabilities have been unocovered within connected devices that allow hackers access to the personal lives of consumers, according to McAfee researchers. A vulnerability within BoxLock smart padlock enables hackers to unlock the device within a few seconds, and a vulnerability within the Mr. Coffee brand coffee maker with Wemo grants hackers access to home networks.

Researchers and businesses need to work together to expose IoT vulnerabilities

Cyberbit launches SCADAShield Mobile for passive monitoring of ICS network traffic
Housed in a 27-pound, water resistant suitcase small enough to stow in the cabin of an airplane, SCADAShield Mobile enables on-demand audits and provides asset discovery, threat detection and vulnerability assessment for use cases ranging from on-site compliance audits to understanding the security posture of an ICS network during an emergency.

Cyberbit launches SCADAShield Mobile for passive monitoring of ICS network traffic

ICS/SCADA Attackers Up Their Game
The bad news: Attacks aimed at industrial sites have become more aggressive over the past year. The good news: Some industrial control systems (ICS) operators increasingly are taking more proactive defensive measures to thwart cyberattacks on their networks
https://www.darkreading.com/threat-intelligence/ics-scada-attackers-up-their-game/d/d-id/1333893

The Dark Sides of Modern Cars: Hacking and Data Collection
Going forward, connected cars will increasingly make life-or-death decisions about physical objects and other digital systems they can sense nearby, while at the same time collecting and storing troves of monetizable operational and personal data.

The Dark Sides of Modern Cars: Hacking and Data Collection

Securing the Future of Safe Autonomous Driving
For industries that have strong safety, reliability and security standards, like aerospace and automotive, these benefits can translate to nearly 40 percent cost and time savings from enhanced software verification, according to a study by consultancy VDC Research.
https://blogs.nvidia.com/blog/2019/02/05/adacore-secure-autonomous-driving/

IoT Security’s Coming of Age Is Overdue
The unique threat landscape requires a novel security approach based on the latest advances in network and AI security
https://www.darkreading.com/attacks-breaches/iot-securitys-coming-of-age-is-overdue/a/d-id/1333756

Radiflow releases new version of its industrial threat detection solution
The current practices for risk assessments and security remediations employed by industrial enterprises and critical infrastructure operators generally rely on manual evaluations and follow unstructured processes. These processes are often time consuming and are not sufficiently responsive to changes in the threat and vulnerability landscape.

Radiflow releases new version of its industrial threat detection solution

Attacks on Automotive Systems Feared Likely
Yet few engineers feel empowered to do anything about them, a survey shows
https://www.darkreading.com/vulnerabilities—threats/attacks-on-automotive-systems-feared-likely/d/d-id/1333808?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

You Can Add Sudden-Acceleration Attacks to the List of Electric Scooter Dangers
On Tuesday, security firm Zimperium published a report detailing what researchers say are security flaws of Xiaomi’s M365 scooter that make it susceptible to hackers. Specifically, Zimperium found that these scooters each have a Bluetooth password to access its features, but “the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password.”
https://gizmodo.com/you-can-add-sudden-acceleration-attacks-to-the-list-of-1832562198

02-04-19 – News Since January

Top 10 IoT vulnerabilities
Everyone knows security is a big issue for the Internet of Things, but what specifically should we be most afraid of? OWASP identifies the top 10 vulnerabilities
https://www.networkworld.com/article/3332032/internet-of-things/top-10-iot-vulnerabilities.html

Schneider Electric Teams With Nozomi on Critical Infrastructure Security
Schneider Electric has teamed up with industrial cybersecurity firm Nozomi Networks to offer anomaly detection, vulnerability assessment, and other services to customers in the critical infrastructure and other industrial sectors
https://www.securityweek.com/schneider-electric-teams-nozomi-critical-infrastructure-security

A new taxonomy for SCADA attacks
Attacks aimed at SCADA networks are still much rarer than those targeting IT networks, but the number is slowly rising.

A new taxonomy for SCADA attacks

Yes, you can remotely hack factory, building site cranes. Wait, what?
Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs, and other heavy machinery? Doesn’t matter: they’re alarmingly vulnerable to being hacked, according to Trend Micro.
https://www.theregister.co.uk/2019/01/15/even_cranes_are_hackable_trend_micro/

Radio frequency remote controller weaknesses have serious safety implications
Trend Micro released a new report detailing inherent flaws and new vulnerabilities in radio frequency (RF) remote controllers found and disclosed through the Zero Day Initiative (ZDI).

Radio frequency remote controller weaknesses have serious safety implications

Malware Built to Hack Building Automation Systems
Researchers dig into vulnerabilities in popular building automation systems, devices.
https://www.darkreading.com/vulnerabilities—threats/malware-built-to-hack-building-automation-systems/d/d-id/1333671

Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers
Hackers can abuse legitimate features present in industrial controllers to hijack these devices and leverage them to gain a foothold in a network, a researcher warns
https://www.securityweek.com/hackers-can-abuse-legitimate-features-hijack-industrial-controllers-expert

How to perform an ICS risk assessment in an industrial facility
An important step to secure an industrial facility is performing an ICS risk assessment. Expert Ernie Hayden outlines the process and why each step matters
https://searchsecurity.techtarget.com/tip/How-to-perform-an-ICS-risk-assessment-in-an-industrial-facility

Mitsubishi Electric develops cyber defense technology for connected cars
Mitsubishi Electric has developed a multi-layered defense technology that protects connected vehicles from cyber attacks by strengthening their head unit’s defense capabilities.

Mitsubishi Electric develops cyber defense technology for connected cars

RF Hacking Research Exposes Danger to Construction Sites
Trend Micro team unearthed 17 vulnerabilities among seven vendors’ remote controller devices
https://www.darkreading.com/attacks-breaches/rf-hacking-research-exposes-danger-to-construction-sites/d/d-id/1333717

Black Hat Asia Offers New IoT Security Tools & Tricks
Come to Black Hat Asia in March for an expert look at what’s happening in the world of Internet of Things, and what you can do to secure it.
https://www.darkreading.com/black-hat/black-hat-asia-offers-new-iot-security-tools-and-tricks/d/d-id/1333712

Flaws in Moxa IIoT Product Expose ICS to Remote Attacks
Serious vulnerabilities found in an industrial IoT (IIoT) platform from Moxa could enable malicious hackers to launch remote attacks on industrial networks. The vendor has released a patch that should address the flaws
https://www.securityweek.com/flaws-moxa-iiot-product-expose-ics-remote-attacks

SafeRide tackles connected vehicle security with machine learning
SafeRide’s vXRay technology aims to improve security for connected vehicles with unsupervised machine learning. Can it keep hackers out of the driver’s seat?
https://searchsecurity.techtarget.com/news/252456491/SafeRide-tackles-connected-vehicle-security-with-machine-learning

Flaws Expose Phoenix Contact Industrial Switches to Attacks
The latest firmware updates released by Phoenix Contact for its FL SWITCH industrial ethernet switches address a total of six vulnerabilities that can be exploited to obtain credentials for the web interface, conduct unauthorized activities, cause a denial-of-service (DoS) condition, and launch man-in-the-middle (MitM) attacks
https://www.securityweek.com/flaws-expose-phoenix-contact-industrial-switches-attacks

Build security into your IoT plan or risk attack
There’s huge potential with the IoT, but security must be built into a company’s plan and not tacked on at the end
https://www.networkworld.com/article/3336269/internet-of-things/build-security-into-your-iot-plan-or-risk-attack.html

Researchers Allege ‘Systemic’ Privacy, Security Flaws in Popular IoT Devices
Researchers are highlighting the insecure nature of Internet of Things devices in a report released Tuesday alleging a bevy of popular consumer connected devices sold at major retailers such as Walmart and Best Buy and are riddled with security holes and privacy issues

Researchers Allege ‘Systemic’ Privacy, Security Flaws in Popular IoT Devices

U.S. Intel Community: Russia, China Can Disrupt Critical Infrastructure
Russia and China are capable of disrupting critical infrastructure in the United States, and Iran is not far behind, according to the Worldwide Threat Assessment made public by the U.S. intelligence community on Tuesday
https://www.securityweek.com/us-intel-community-russia-china-can-disrupt-critical-infrastructure

U.S. Energy Firm Fined $10 Million for Security Failures
A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.
https://www.securityweek.com/us-energy-firm-fined-10-million-security-failures

The Industrial Internet Consortium and OpenFog Consortium unite
The Industrial Internet Consortium (IIC) and the OpenFog Consortium (OpenFog) today announced that they have finalized the details to combine the two largest and most influential international consortia in Industrial IoT, fog and edge computing.

The Industrial Internet Consortium and OpenFog Consortium unite