05-07-18 – News This Past Week

KRACK VULNERABILITY PUTS MEDICAL DEVICES AT RISK
A slew of devices from medical technology company Becton, Dickinson and Company (BD) are vulnerable to the infamous KRACK key-reinstallation attack, potentially enabling hackers to change and exfiltrate patient records.

Schneider Electric Development Tools Affected by Critical Flaw
Security firm Tenable has disclosed the details of a critical remote code execution vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition products
https://www.securityweek.com/schneider-electric-development-tools-affected-critical-flaw

Microsoft Unveils New Solution for Securing Critical Infrastructure
Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems
https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure

Medical devices vulnerable to KRACK Wi-Fi attacks
Medical devices from Becton, Dickinson and Company (BD) that rely on Wi-Fi networks encrypted by Wi-Fi Protected Access II (WPA2) encryption are vulnerable to the KRACK Wi-Fi attacks, the company said in a security advisory.

Industrial Networks Easy to Hack From Corporate Systems: Study
The study, based on data from nearly a dozen companies around the world in the oil and gas, metallurgy, and energy sectors, found that the corporate network perimeter can be penetrated in 73% of cases, often due to misconfigurations.
https://www.securityweek.com/industrial-networks-easy-hack-corporate-systems-study

SCHNEIDER ELECTRIC PATCHES CRITICAL RCE VULNERABILITY
Researchers discovered a critical remote code execution vulnerability in two Schneider Electric industrial control related products that could give attackers the ability to disrupt or shut down plant operations

Volkswagen Cars Vulnerable To Flaws The Company Won’t Patch
Daan Keuper and Thijs Alkemade, two researchers from a Dutch security firm Computest, discovered a flaw in Volkswagen and Audi cars that attackers could exploit remotely, over the internet. Volkswagen will not patch the flaw, as those car models lack the capability to be updated over-the-air
https://www.tomshardware.co.uk/volkswagen-cars-vulnerable-won-t-patch,news-58351.html

Half a million pacemakers need a security patch
Some 465,000 patients are affected. The FDA is recommending that all eligible patients get the firmware update “at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.”

Critical Flaw Puts US Industrial Systems At Risk
A critical security flaw in the InduSoft Web Studio and InTouch Machine Edition applications, both of which are made by Schneider Electric and are used in many industries that rely on automated systems, has been discovered by researchers at the Tenable security company. Tenable’s researchers said the popularity of Schneider Electric’s tools, combined with the severity of the vulnerability, could endanger many U.S. businesses.
https://www.tomshardware.co.uk/critical-flaw-us-industrial-systems,news-58359.html

ABBOTT ADDRESSES LIFE-THREATENING FLAW IN A HALF-MILLION PACEMAKERS
Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices – a.k.a., pacemakers

04-30-18 – News This Past Week

Hackers Behind Healthcare Espionage Infect X-Ray and MRI Machines
Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage
https://thehackernews.com/2018/04/healthcare-cyber-attacks.html

Cybersecurity task force addresses medical device safety
In an effort to harmonize the work being done in hospitals and by device manufacturers to address medical device vulnerabilities, Vizient has formed the Medical Device Cybersecurity Task Force

RANSOMWARE ATTACK HITS UKRAINIAN ENERGY MINISTRY, EXPLOITING DRUPALGEDDON2
The Ukrainian Energy Ministry has been hit by a ransomware attack – and for once it looks like this is the work of amateurs, not nation-state attackers bent on making a geopolitical point. However, the bad actors appear to have made use of the recently patched Drupal vulnerability

04-23-18 – News This Past Week

FDA plans to improve medical device cybersecurity
Fixing vulnerabilities in a timely manner and propagating the fixes to the customers and users is also important, and to that end the FDA aims to push firms to adopt policies and procedures for coordinated disclosure of vulnerabilities

Energy security pros worry about catastrophic failure due to cyberattacks
70 percent of energy security professionals are concerned that a successful cyberattack could cause a catastrophic failure, such as an explosion, a recent survey has shown.

IOT SECURITY CONCERNS PEAKING – WITH NO END IN SIGHT
With the massive influx of connected devices into our digital lives, it’s no surprise that IoT security was on the forefront of the 2018 RSA Conference this year. But despite numerous talks about IoT vulnerabilities this week, a clear resolution seems nowhere in sight.

70% of Energy Firms Worry About Physical Damage from Cyberattacks
High-profile ICS attacks Triton/Trisis, Industroyer/CrashOverride, and Stuxnet have driven energy firms to invest more in cybersecurity, survey shows
https://www.darkreading.com/attacks-breaches/70–of-energy-firms-worry-about-physical-damage-from-cyberattacks/d/d-id/1331589

Putting the S.M.A.R.T. in Smart Cities: How to Address the Expanding Attack Surface
The concept of a smart city came of age in conjunction with another now ubiquitous term: digital transformation. Cities and counties rely heavily on their taxing authority to provide critical services such as public safety, public works and infrastructure maintenance
https://www.tenable.com/blog/putting-the-s-m-a-r-t-in-smart-cities-how-to-address-the-expanding-attack-surface

AN ELABORATE HACK SHOWS HOW MUCH DAMAGE IOT BUGS CAN DO
Vulnerabilities in internet-connected devices are well-documented by this point, but the most common exploitations generally involve conscripting thousands of vulnerable IoT devices into botnets, or getting onto a network through a weak IoT device for ransomware attacks. These aren’t usually data-stealing missions.
https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/

Surge of Attacks Targeting Network Infrastructure Devices – What You Need to Know
Based on the recent surge of attacks on network devices by Russian state-sponsored cyber actors, the US-CERT has released Technical Alert (TA18-106A). As of now, targets are primarily government and private-sector organizations, critical infrastructure providers and the internet service providers (ISPs) that support U.S. infrastructure
https://www.tenable.com/blog/surge-of-attacks-targeting-network-infrastructure-devices-what-you-need-to-know

How to Protect Industrial Control Systems from State-Sponsored Hackers
US-CERT recently issued an alert about Russian threat activity against infrastructure sectors. Is there a way to fight back?
https://www.darkreading.com/attacks-breaches/how-to-protect-industrial-control-systems-from-state-sponsored-hackers/a/d-id/1331529

Surprise! Wireless brain implants are not secure, and can be hijacked to kill you or steal thoughts
And because this particular bit of kit resides amid sensitive gray matter – to treat conditions like Parkinson’s – the potential consequences of successful remote exploitation include voltage changes that could result in sensory denial, disability, and death
https://www.theregister.co.uk/2018/04/18/boffins_break_into_brain_implant/

04-16-18 – News This Past Week

The way we regulate self-driving cars is broken—here’s how to fix it
The key issue is this: the current system is built around an assumption that cars will be purchased and owned by customers. But the pioneers of the driverless world—including Waymo, Cruise, and Uber—are not planning to sell cars to the public. Instead, they’re planning to build driverless taxi services that customers will buy one ride at a time
https://arstechnica.com/cars/2018/04/the-way-we-regulate-self-driving-cars-is-broken-heres-how-to-fix-it/

Critical Infrastructure Threat Is Much Worse Than We Thought
Last October the United States Computer Emergency Readiness Team (US-CERT) published a technical alert on advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. Recently, it was updated with new information uncovered since the original report, and there are some interesting revelations this time around
https://www.securityweek.com/critical-infrastructure-threat-much-worse-we-thought

Schneider Electric Patches 16 Flaws in Building Automation Software
U.motion is a building automation solution used around the world in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.
https://www.securityweek.com/schneider-electric-patches-16-flaws-building-automation-software

6 Myths About IoT Security
Here are common misconceptions about securing these devices – and tips for locking them down.
https://www.darkreading.com/attacks-breaches/6-myths-about-iot-security/d/d-id/1331408

Splunk turns data processing chops to Industrial IoT
Splunk has always been known as a company that can sift through oodles of log or security data and help customers surface the important bits. Today, it announced it was going to try to apply that same skill set to Industrial Internet of Things data.

A LONG-AWAITED IOT CRISIS IS HERE, AND MANY DEVICES AREN’T READY
You know by now that Internet of Things devices like your router are often vulnerable to attack, the industry-wide lack of investment in security leaving the door open to a host of abuses. Worse still, known weaknesses and flaws can hang around for years after their initial discovery. Even decades. And Monday, the content and web services firm Akamai published new findings that it has observed attackers actively exploiting a flaw in devices like routers and video game consoles that was originally exposed in 2006
https://www.wired.com/story/upnp-router-game-console-vulnerabilities-exploited/

Flaw in Emergency Alert Systems Could Allow Hackers to Trigger False Alarms
The emergency alert sirens are used worldwide to alert citizens about natural disasters, man-made disasters, and emergency situations, such as dangerous weather conditions, severe storms, tornadoes and terrorist attacks
https://thehackernews.com/2018/04/hacking-emergency-alert-sirens.html

Industrial Internet Consortium Develops New IoT Security Maturity Model
The Industrial Internet Consortium (IIC) has developed a new IoT Security Maturity Model (SMM), building on its own security framework and reference architecture. This week it has published the first of two papers: IoT Security Maturity Model: Description and Intended Use. This is primarily a high-level overview aimed at the less technical of IoT stakeholders
https://www.securityweek.com/industrial-internet-consortium-develops-new-iot-security-maturity-model

Electrical Substations Exposed to Attacks by Flaws in Siemens Devices
On March 8, Siemens and ICS-CERT published advisories to warn organizations of the existence of three vulnerabilities in SIPROTEC 4, SIPROTEC Compact, and Reyrolle devices, which provide integrated protection, control, measurement, and automation functions for electrical substations and other applications. The vendor has released patches and mitigations for each of the flaws
https://www.securityweek.com/electrical-substations-exposed-attacks-flaws-siemens-devices

Why Mass Transit Could Be the Next Big Target for Cyber Attacks—and What to do About it
The constantly evolving tools and methods of cyber attackers have resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend begs the question, who’s next?
https://www.securityweek.com/why-mass-transit-could-be-next-big-target-cyber-attacks%E2%80%94and-what-do-about-it

Moxa plugs serious vulnerabilities in industrial secure router
A slew of serious vulnerabilities in the Moxa EDR-810 series of industrial secure routers could be exploited to inject OS commands, intercept weakly encrypted or extract clear text passwords, expose sensitive information, trigger a crash, and more.

Severe Flaws Expose Moxa Industrial Routers to Attacks
Cisco’s Talos intelligence and research group has reported identifying a total of 17 vulnerabilities in an industrial router from Moxa, including many high severity command injection and denial-of-service (DoS) flaws
https://www.securityweek.com/severe-flaws-expose-moxa-industrial-routers-attacks

04-09-18 – News This Past Week

Businesses Fear ‘Catastrophic Consequences’ of Unsecured IoT
Businesses’ concern about risk from the Internet of Things (IoT) is evolving faster than their security practices, according to a new survey about the danger of third-party devices. Risk management is still relatively immature, and it’s posing a threat to sensitive and confidential data, researchers report
https://www.darkreading.com/iot/businesses-fear-catastrophic-consequences-of-unsecured-iot-/d/d-id/1331476

Critical Flaws Expose Natus Medical Devices to Remote Attacks
According to Cisco, an attacker with access to the targeted network can remotely execute arbitrary code on the device or cause a service to crash by sending specially crafted packets. An attack does not require authentication
https://www.securityweek.com/critical-flaws-expose-natus-medical-devices-remote-attacks

“Open sesame”: Industrial network gear hackable with the right username
This week, two separate security alerts have revealed major holes in devices from Moxa, an industrial automation networking company. In one case, attackers could potentially send commands to a device’s operating system by using them as a username in a login attempt
https://arstechnica.com/information-technology/2018/04/open-sesame-industrial-network-gear-hackable-with-the-right-username/

Skilled Hackers Gaining Access to U.S. Energy Systems
iDefense hasn’t said who it believes may be behind the attacks. But U.S. federal agencies last month said hackers backed by the Russian government have targeted U.S. energy and other industries in a new wave of attacks since March 2016.
https://www.cio-today.com/article/index.php?story_id=107715

Four Gas Pipeline Firms Hit in Attack on Their EDI Service Provider
Several cybersecurity experts this week cautioned against underestimating the seriousness of a cyberattack on an EDI service provider that disrupted data communication services at four major US interstate gas pipeline companies in the last few days
https://www.darkreading.com/perimeter/four-gas-pipeline-firms-hit-in-attack-on-their-edi-service-provider/d/d-id/1331458

How critical infrastructure operators rate their security controls
Indegy revealed that nearly 60 percent of executives at critical infrastructure operators polled in a recent survey said they lack appropriate controls to protect their environments from security threats

INSECURE SCADA SYSTEMS BLAMED IN RASH OF PIPELINE DATA NETWORK ATTACKS
After a cyberattack shut down numerous pipeline communication networks this week, experts are stressing the importance of securing third-party systems in supervisory control and data acquisition (SCADA) environments

Internet of Battle Things: a militarized IoT where “cognitive bandwidth constraints” require “autonomous cyber agents”
Alexander Kott is chief of the Network Science Division at the Army Research Laboratory; in a new paper, he rounds up several years’ worth of papers that he wrote or co-authored, along with some essays and articles by others, on what an “Internet of Battle Things” will look like.

Several U.S. Gas Pipeline Firms Affected by Cyberattack
Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology
https://www.securityweek.com/several-us-gas-pipeline-firms-affected-cyberattack

Medical Device Security Startup Launches
Cynerio lands multi-million dollar funding round.
https://www.darkreading.com/risk/medical-device-security-startup-launches/d/d-id/1331444

Public Hearing on IoT Risks
The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products
https://www.schneier.com/blog/archives/2018/04/public_hearing_.html

Research Reports Reveal Concerns About IoT Risks and Microsoft Flaws
Multiple research reports released the week of March 26-30 reveal prevailing trends in the cyber-security attack landscape
http://www.eweek.com/security/research-reports-reveal-concerns-about-iot-risks-and-microsoft-flaws

Report Warns U.S. Industry About Need to Thwart Russian Cyber-Attacks
A report from the U.S. Computer Emergency Readiness Team provides a detailed look at how alleged Russian attackers planned and executed a long-term cyber-attack against unprepared energy installations
http://www.eweek.com/security/report-warns-u.s.-industry-about-need-to-thwart-russian-cyber-attacks

Nation-state hackers are attacking our trust in critical systems
In the last few years, the lines between cyber criminals and nation-states have become increasingly blurry and it has become obvious that the private sector is not capable of handling cyber threats on its own, Chris Inglis, former deputy director of the National Security Agency, told the crowd at World Cyber Security Congress this week

04-02-18 – News This Past Week

Third-party IoT risk management not a priority
With the proliferation of IoT devices used in organizations to support business, technology and operations innovation, respondents to a Ponemon Institute study were asked to evaluate their perception of IoT risks, the state of current third party risk management programs, and governance practices being employed to defend against IoT-related cyber attacks

Energy Sector Most Impacted by ICS Flaws, Attacks: Study
The security firm has analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and general-purpose software and protocols used by industrial organizations
https://www.securityweek.com/energy-sector-most-impacted-ics-flaws-attacks-study

Baltimore’s 911 dispatch system was hacked last weekend
Baltimore’s 911 dispatch system was hacked over the weekend and authorities temporarily shut it down. The mayor’s office confirmed to The Baltimore Sun that the system was digitally infiltrated early Saturday morning, but provided no other details while the investigation is ongoing
https://www.engadget.com/2018/03/28/baltimore-s-911-dispatch-system-was-hacked-last-weekend/

Hackers hit 911 system, emergency dispatch affected
James Bentley, a spokesman for Pugh, told the newspaper that the attack, which came around 8:30 am on Sunday morning, affected messaging functions within the computer-aided dispatch (CAD) system

Cyberattack disrupted Baltimore emergency responders
CAD is used to automatically divert calls to the closest emergency responders, in order to make assistance in emergencies as efficient and quick as possible. Manually taking phone calls and details is far slower
http://www.zdnet.com/article/cyberattack-disrupted-baltimore-emergency-responders/

People are really worried about IoT data privacy and security—and they should be
A new study from the Economist Intelligence Unit (EIU) shows that consumers around the world are deeply worried about how their personal information is collected and shared by the Internet of Things (IoT). But let’s be honest, the problem isn’t that unsophisticated consumers are panicking for no reason. In fact, consumers are merely picking up on the very real inherent risks and uncertainties surrounding IoT data.
https://www.networkworld.com/article/3267065/internet-of-things/people-are-really-worried-about-iot-data-privacy-and-securityand-they-should-be.html

Internet of insecure Things: Software still riddled with security holes
An audit of the security of IoT mobile applications available on official stores has found that tech to safeguard the world of connected things remains outstandingly mediocre
https://www.theregister.co.uk/2018/03/28/iot_software_still_insecure/

Critical Flaws Found in Siemens Telecontrol, Building Automation Products
Siemens informed customers this week that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw
https://www.securityweek.com/critical-flaws-found-siemens-telecontrol-building-automation-products

Nation-state hackers are attacking our trust in critical systems
In the last few years, the lines between cyber criminals and nation-states have become increasingly blurry and it has become obvious that the private sector is not capable of handling cyber threats on its own, Chris Inglis, former deputy director of the National Security Agency, told the crowd at World Cyber Security Congress this week

03-26-18 – News These Past Two Weeks

Threat Landscape for Industrial Automation Systems in H2 2017
For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users.

Penn State secures building automation, IoT traffic with microsegmentation
Penn State chose microsegmentation technology from Tempered Networks to isolate and cloak traffic from its smart-building systems, which rely on the BACnet communications protocol to share data
https://www.networkworld.com/article/3265065/lan-wan/penn-state-secures-building-automation-iot-traffic-with-microsegmentation.html

Puerto Rico’s Electric Utility Hacked in Weekend Attack
Service was disrupted but no customer records compromised, officials said.
https://www.darkreading.com/attacks-breaches/puerto-ricos-electric-utility-hacked-in-weekend-attack/d/d-id/1331328

Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps
Organizations using SIMATIC products were informed by both Siemens and ICS-CERT this week of a denial-of-service (DoS) vulnerability that can be exploited by sending specially crafted PROFINET DCP packets to affected systems
https://www.securityweek.com/siemens-patches-flaws-simatic-controllers-mobile-apps

Middle East oil and gas companies are unprepared to address OT cyber risk
Cyber security breaches in the Middle East are widespread and frequently undetected, with 30 percent of the region’s attacks targeting operational technology (OT), finds a new study by Siemens and Ponemon Institute

Critical Infrastructure: Stop Whistling Past the Cyber Graveyard
An open letter to former colleagues in Homeland Security, peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians
https://www.darkreading.com/critical-infrastructure-stop-whistling-past-the-cyber-graveyard/a/d-id/1331308

PROGRAMS CONTROLLING ICS ROBOTICS ARE ‘WIDE OPEN’ TO VULNERABILITIES
Most manufacturers have connected their operational technology – including industrial control systems and robotic equipment – to the internet, yet the lack of basic security protocols leaves these companies open to cyberattacks

Russia accused of burrowing into US energy networks
This week the Department of Homeland Security (DHS) added cyber-intrusion and surveillance of the US critical infrastructure sector to the growing list of accusations – in a move that might have been missed by commentators had it not come packaged with sanctions connected to alleged interference in elections

DHS and FBI warn Russia is behind cyberattacks on US infrastructure
The Department of Homeland Security and the FBI released a report today detailing Russian efforts to hack into US government entities and infrastructure sectors, including energy, nuclear, commercial, water, aviation and critical manufacturing sectors
https://www.engadget.com/2018/03/15/dhs-fbi-warn-russia-behind-infrastructure-cyberattacks/

China-linked Hackers Target Engineering and Maritime Industries
Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn’t changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States
https://www.securityweek.com/china-linked-hackers-target-engineering-and-maritime-industries

IoT security warning: Cyber-attacks on medical devices could put patients at risk
More collaboration is needed in order to ensure internet-connected medical devices can’t cause harm to patients, says research
http://www.zdnet.com/article/iot-security-warning-cyber-attacks-on-medical-devices-could-put-patients-at-risk/

Medical Apps Come Packaged with Hardcoded Credentials
Vulnerabilities in DocuTrac applications also include weak encryption, according to Rapid7.
https://www.darkreading.com/endpoint/medical-apps-come-packaged-with-hardcoded-credentials/d/d-id/1331268

Time of death? A therapeutic postmortem of connected medicine
At last year’s Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The numbers of medical data breaches and leaks are increasing. According to public data, this year is no exception.

IIC Publishes Best Practices for Securing Industrial Endpoints
The Industrial Internet Consortium (IIC) has published a new paper designed to provide a concise overview of the countermeasures necessary to secure industrial endpoints; that is, the industrial internet of things
https://www.securityweek.com/iic-publishes-best-practices-securing-industrial-endpoints

IIC addresses industrial IoT security on endpoints
In a new document, the Industrial Internet Consortium abridges IEC and NIST publications, offering clear, concise guidance to ensure IIoT security in connected plants
http://internetofthingsagenda.techtarget.com/news/252436665/IIC-addresses-industrial-IoT-security-on-endpoints

IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Proposed new connected-product repair laws will provide hackers with more tools to make our lives less secure
https://www.darkreading.com/endpoint/iot-product-safety-if-it-appears-too-good-to-be-true-it-probably-is-/a/d-id/1331227

Auto manufacturers are asleep at the wheel when it comes to security
That’s the conclusion of a series of speakers at the Kaspersky Security Analyst Summit. These security researchers have demonstrated how easy it is to introduce software into vehicles to steal data, take control of vital functions, get around alarm and electronic key systems and even crash the car
https://www.theregister.co.uk/2018/03/10/auto_manufacturers_are_asleep_at_the_wheel_when_it_comes_to_security/

Ransomware for robots is the next big security nightmare
Researchers found they were able to infect robots with ransomware; in the real world, such attacks could be highly damaging to businesses if robotic security isn’t addressed
http://www.zdnet.com/article/ransomware-for-robots-is-the-next-big-security-nightmare/

Researchers say quantum computing could improve self-driving cars’ cyber security
Quantum computers could transform the security of self-driving cars, claim researchers
https://www.v3.co.uk/v3-uk/news/3027885/researchers-say-quantum-computing-could-improve-self-driving-cars-cyber-security

03-13-18 – News This Past Week

Infrastructure security: Don’t just sit there, do something!
Confused by conflicting indications from the control panel, operators made a series of bad decisions which exacerbated the problems. The reactor core, starved of vital coolant, started to overheat. Radioactive material began to vent into the outer protective enclosure.

Smart traffic lights cause jams when fed spoofed data
But no, we can’t have nice things like smooth, smart, algorithmically timed sailing through intersections – at least, not with the current state of traffic technology. A team of five researchers from the University of Michigan have found that the DOT’s I-SIG (Intelligent Traffic Signal System) is way too easy to spoof with bad data.

BlackBerry’s post-phone future includes IoT security
BlackBerry hasn’t been shy about shifting its focus away from hardware and toward technologies you can find inside others’ devices, such as self-driving cars and secure comms. If you need any further proof, though, you just got it: BlackBerry has struck a deal with Swiss electronics maker Punkt to secure an upcoming range of Internet of Things devices.
https://www.engadget.com/2018/03/07/blackberry-punkt-deal-secures-iot-devices/

How can IoT stakeholders mitigate the risk of life-threatening cyberattacks?
With an estimated 20 billion Internet-connected devices set to appear in our homes and offices by the end of the decade, future cyberattacks will dwarf what we’ve seen to date. These connected devices will feed into fundamental infrastructure we rely on every day: transportation, power plants, medical devices, and supply chains, for example. As cyberattacks move from financial and reputation risks into the realm of ‘life and death’ consequences, which IoT stakeholders should we turn to to address this?

Connected Cars Pose New Security Challenges
Very few objects are as personal to their owners as their cars. But today’s cars have grown beyond a form of self-expression and turned into our personal concierges, navigating the best routes, making our dinner reservations, and potentially reserving parking spots ahead of our arrival. But with all the advantages connected vehicles can bring to our lives, they can also potentially expose us to security risks.
https://www.darkreading.com/endpoint/connected-cars-pose-new-security-challenges/a/d-id/1331166

IOT SECURITY DISCONNECT: AS ATTACKS SPIKE, DEVICE PATCHING STILL LAGS
According to a report by Trustwave released last week, 61 percent of companies surveyed who have deployed some level of connected technology have also had to deal with a security incident that they can trace back to an IoT device. On the flip side, only 49 percent of those same businesses surveyed said they have formal patching policies and procedures in place that would help prevent attacks.

What to understand about health care IoT and its security
As we have seen, the Internet of Things will disrupt and change every industry and how actors within it do business. Along with new paradigms in services and products that one can offer due to the proliferation of IoT, come business risks as well as heightened security concerns – both physical and cyber. In our prior column, we spoke about this topic in the context of the Smart Electric Grid. Today we’re taking a look at how IoT is disrupting the health care market and how we can take steps to secure it.
https://www.networkworld.com/article/3260788/internet-of-things/what-to-understand-about-health-care-iot-and-securing-it.html

Backdooring connected cars for covert remote control
We’ve all known for a while now that the security of connected cars leaves a lot to be desired. The latest proof of that sad state of affairs comes from Argentinian security researchers and hackers Sheila Ayelen Berta and Claudio Caracciolo. The pair is set to demonstrate a hardware backdoor for the CAN bus that can be controlled remotely at the upcoming Hack in the Box conference in Amsterdam.

03-05-18 – News This Past Week

Delta Patches Vulnerabilities in HMI, PLC Products
A researcher who uses the online moniker “Axt” informed Delta via Trend Micro’s Zero Day Initiative (ZDI) and ICS-CERT that its WPLSoft product, a programming software for programmable logic controllers (PLCs), is affected by several types of vulnerabilities.
https://www.securityweek.com/delta-patches-vulnerabilities-hmi-plc-products

Keeping on top of ICS-focused hacking groups, defenses
“While only one has demonstrated an apparent capability to impact ICS networks through ICS-specific malware directly, all have engaged in at least reconnaissance and intelligence gathering surrounding the ICS environment,” the company noted in a recently published report.

Philips clinical imaging solution plagued by vulnerabilities
Philips is developing a software update to mitigate 35 CVE-numbered vulnerabilities in the Philips IntelliSpace Portal (ISP), a clinical imaging visualization and analysis solution that is used by healthcare and public health organizations around the world

Philips Working on Patches for 35 Flaws in Healthcare Product
Philips has informed customers that it’s working on patches for dozens of vulnerabilities affecting the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations
https://www.securityweek.com/philips-working-patches-35-flaws-healthcare-product

What Enterprises Can Learn from Medical Device Security
In today’s cloud-native world, organizations need a highly distributed approach that ties security to the workload itself in order to prevent targeted attacks
https://www.darkreading.com/cloud/what-enterprises-can-learn-from-medical-device-security-/a/d-id/1331145

ICS Under Fire in 2017
New Dragos report finds rising number of public vulnerability advisories around ICS with not enough reasonable guidance around how to deal with these flaws
https://www.darkreading.com/vulnerabilities---threats/ics-under-fire-in-2017/d/d-id/1331163

Public Advisories Fail to Convey True Impact of ICS Flaws
Public advisories describing vulnerabilities in industrial control systems (ICS) often fail to convey the true impact of the flaws, according to a report published today by ICS cybersecurity firm Dragos
https://www.securityweek.com/public-advisories-fail-convey-true-impact-ics-flaws

Five Threat Groups Target Industrial Systems
There are at least five sophisticated threat groups whose activities focus on industrial control systems (ICS), according to a report published on Thursday by industrial cybersecurity firm Dragos
https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos

Emerson Patches Severe Flaw in ControlWave Controllers
Automation solutions provider Emerson has patched a potentially serious denial-of-service (DoS) vulnerability in its ControlWave Micro Process Automation Controller product
https://www.securityweek.com/emerson-patches-severe-flaw-controlwave-controllers

Siemens Releases BIOS Updates to Patch Intel Chip Flaws
Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology
https://www.securityweek.com/siemens-releases-bios-updates-patch-intel-chip-flaws

How to Shield Against IoT Security Threats
While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). They should, since there are already plenty of examples of successful IoT security attacks
https://www.securityweek.com/how-shield-against-iot-security-threats

02-26-18 – News This Past Week

Anatomy of an Attack on the Industrial IoT
We like to think that cyberattacks are focused primarily on stealing credit card numbers and that attackers don’t know much about the control systems that run critical infrastructure. Unfortunately, that’s just wishful thinking. In 2017, we saw an increasing number of threat actors bypass existing network perimeter security controls to perform sophisticated reconnaissance of industrial process control networks
https://www.darkreading.com/vulnerabilities---threats/anatomy-of-an-attack-on-the-industrial-iot-/a/d-id/1331097

Arm Reveals More Details About Its IoT Platform Security Architecture
When it announced its Platform Security Architecture for IoT devices last year, Arm said that “security can no longer be optional.” Now, shortly after it announced the iSim SoC that’s supposed to connect more devices to the IoT, the company revealed more about the PSA framework
http://www.tomshardware.com/news/arm-iot-platform-security-architecture,36564.html

The Rise of ICS Malware: How Industrial Security Threats Are Becoming More Surgical
Last December, a malware variant specifically designed to attack industrial safety systems was discovered. It was apparently used to cause an operational outage at a critical infrastructure facility in the Middle East
https://www.securityweek.com/rise-ics-malware-how-industrial-security-threats-are-becoming-more-surgical

MEDICAL CYBERSECURITY & DENSE VULNERABILITIES
During my onstage interview with Dan Geer at S4x18, we discussed what is the best course of action when vulnerabilities are dense (listen beginning at 28:15). I suggested that medical device and software were a great example of dense vulnerabilities, so is the current approach to find and fix vulnerabilities a good approach when a single exploitable bug can take out a hospital for a week?

Protecting safety instrumented systems from malware attacks
Trisis malware targets safety instrumented systems and puts industrial control systems at risk. Expert Ernie Hayden reviews what to know about SIS and its security measures
http://searchsecurity.techtarget.com/tip/Protecting-safety-instrumented-systems-from-malware-attacks

Is the IoT backlash finally here?
After years of worry, the long-anticipated backlash to the changes wrought by the Internet of Things may finally be arriving. That could be a good thing.
https://www.networkworld.com/article/3256215/internet-of-things/is-the-iot-backlash-finally-here.html

Getting Started with IoT Security in Healthcare
It’s estimated that by 2025, more than 30 percent of all Internet of Things (IoT) devices will be dedicated to the realm of healthcare – more than in retail, transportation and the personal security sectors combined. Already today, practitioners are using IoT tech to conduct portable monitoring, enact electronic record keeping initiatives, and to apply drug safeguards – all efforts that are streamlining operations and delivering safer, more comprehensive care to patients
https://www.darkreading.com/partner-perspectives/iboss/getting-started-with-iot-security-in-healthcare/a/d-id/1331090

NIST Working on Global IoT Cybersecurity Standards
The Internet of Things (IoT) is here and growing. It has the potential to facilitate or obstruct the further evolution of the Fourth Industrial Revolution; largely depending upon whether it is used or abused. Its abusers will be the same criminal and aggressor state actors that currently abuse information systems
https://www.securityweek.com/nist-working-global-iot-cybersecurity-standards

Expected changes in IT/OT convergence and industrial security
Ten years ago, I was brought into the industrial security arena by a top company executive who was convinced that we needed traditional endpoint protection on smart meters. I had spent fifteen years before that in enterprise security, so it took a while to shape my focus around the nature of the problem of IT/OT convergence and industrial security
