01-15-18 – News These Past Two Weeks

Smart cars need smart and secure IT/OT Infrastructures
IT can fail. It often does. We restart IT, and life goes on. Hackers can also compromise these same IT systems, creating disruptions and causing theft of credentials. All manner of serious consequences result from these compromises.

Secure your SDN controller
A software-defined network (SDN) can help by giving network engineers the flexibility to dynamically change the behavior of a network on a node-by-node basis — something not typically available in a traditional network. An SDN uses virtualization to simplify the management of network resources and offers a solution for increased capacity without significantly increasing costs.
https://www.networkworld.com/article/3245173/software-defined-networking/secure-your-sdn-controller.html

Devices Running GoAhead Web Server Prone to Remote Attacks
GoAhead, a small web server employed by numerous companies, including IBM, HP, Oracle, Boeing, D-link, and Motorola, is “deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices,” according to EmbedThis, its developer.
http://www.securityweek.com/devices-running-goahead-web-server-prone-remote-attacks

The Internet of (Secure) Things Checklist
In October 2016, as a botnet strung together by the Mirai malware launched the biggest distributed denial-of-service attack in history, I was, appropriately enough, giving a talk on Internet of Things (IoT) security and privacy at the Grace Hopper Conference
https://www.darkreading.com/endpoint/the-internet-of-(secure)-things-checklist/a/d-id/1330689

Industrial Firms Increasingly Hit With Targeted Attacks
As part of its 2017 IT Security Risks Survey, Kaspersky talked to more than 5,200 representatives of small, medium and large businesses in 29 countries about IT security and the incidents they deal with
http://www.securityweek.com/industrial-firms-increasingly-hit-targeted-attacks-survey

Samsung introduces autonomous driving platform called DRVLINE
The challenge is simply too big and too complex. Through the DRVLINE platform, we’re inviting the best and brightest from the automotive industry to join us, and help shape the future of the car of tomorrow, today
https://www.engadget.com/2018/01/08/samsung-autonomous-driving-platform-drvline-harman-digital-cockpit/

Rockwell Automation Patches Serious Flaw in MicroLogix 1400 PLC
Thiago Alves from the University of Alabama in Huntsville (UAH) discovered that these controllers are affected by a buffer overflow vulnerability. In 2016, Alves and two other UAH researchers published a paper on using virtual testbeds for industrial control systems (ICS).
http://www.securityweek.com/rockwell-automation-patches-serious-flaw-micrologix-1400-plc

Researchers uncover major security vulnerabilities in ICS mobile applications
According to the researchers, if the mobile application vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, or cause a SCADA operator to unintentionally perform a harmful action on the system. The 34 mobile applications tested were randomly selected from the Google Play Store.

Infosec expert viewpoint: Connected car security
A recent Irdeto Global Connected Car Survey found that of the consumers who plan on purchasing a vehicle in the future, 53% are likely to research the car’s ability to protect itself from a cyberattack. The desire to consider cybersecurity when purchasing a car was most prevalent with younger generations aged 25-34, with 62% stating they would conduct this research.

Strong security simplifies compliance for French operators of vital industry
In 2014, France’s National Agency for the Security of Information Systems, or ANSSI, issued two detailed cybersecurity guidance documents for Industrial Control Systems: Cybersecurity for Industrial Control Systems – Classification Method and Key Measures; and Cybersecurity for Industrial Control Systems – Detailed Measures.

ICS Vendors Assessing Impact of Meltdown, Spectre Flaws
Organizations that provide solutions for critical infrastructure sectors, including medical device and industrial control systems (ICS) manufacturers, have started assessing the impact of the recently disclosed Meltdown and Spectre exploits on their products
http://www.securityweek.com/ics-vendors-assessing-impact-meltdown-spectre-flaws

01-02-18 – News Since Last Year

Improved IoT Security Starts with Liability for Companies, Not Just Legislation
I believe that in theory, legislation could help with IoT security. However, laws regulating new technologies are often poorly crafted, and can significantly hamper innovation with little benefit. It is critical that any new laws be written with great deliberation and input from all stakeholders.
http://www.securityweek.com/improved-iot-security-starts-liability-companies-not-just-legislation

How can a vulnerability in Ruggedcom switches be mitigated?
Vulnerabilities in Ruggedcom switches could open the industrial switches and other communication devices up to attacks. Expert Judith Myerson explains how to mitigate the risks
http://searchsecurity.techtarget.com/answer/How-can-a-vulnerability-in-Ruggedcom-switches-be-mitigated

Triton framework used in industrial control attacks
Security researchers discovered new ICS attacks using the Triton framework that may have been nation-state-sponsored and intended to cause real-world damage
http://searchsecurity.techtarget.com/news/450431965/Triton-framework-used-in-industrial-control-attacks

The time to deal with IoT security is now
In most cases, I try to turn a skeptical eye on hyperbole. So when a cybersecurity expert tells me that IoT security is a “ticking time bomb,” my initial reaction is not to worry about an upcoming “security apocalypse.”
https://www.networkworld.com/article/3243685/internet-of-things/the-time-to-deal-with-iot-security-is-now.html

DOJ Arrests Hackers Who Took Over DC Surveillance Cameras
The United States Department of Justice (DOJ) announced that, in coordination with the Romanian National Police and other EU and U.S. law enforcement agencies, it arrested two Romanians who hacked into 123 surveillance cameras belonging to the Metropolitan Police Department (MPD) in Washington DC.
http://www.tomshardware.com/news/doj-hackers-washington-dc-cameras,36198.html

12-18-17 – News This Past Week

Our smart future and the threat of cyber-kinetic attacks
Cyber attacks occur daily around the world. Only when one achieves sufficient scope to grab the attention of the news media – such as the WannaCry ransomware attacks of early 2017 – does the public get a brief glimpse of how widespread vulnerabilities are. Those of us who are actively involved in strengthening cybersecurity see the full scope of the problem every day

TRITON Malware Targeting Critical Infrastructure Could Cause Physical Damage
Dubbed Triton, also known as Trisis, the ICS malware has been designed to target Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric—an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically, if a dangerous state is detected
https://thehackernews.com/2017/12/triton-ics-scada-malware.html

New “Triton” ICS Malware Used in Critical Infrastructure Attack
A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye reported on Thursday. Experts believe the attack was launched by a state-sponsored actor whose goal may have been to cause physical damage.
http://www.securityweek.com/new-ics-malware-triton-used-critical-infrastructure-attack

UNPRECEDENTED MALWARE TARGETS INDUSTRIAL SAFETY SYSTEMS IN THE MIDDLE EAST
Since Stuxnet first targeted and destroyed uranium enrichment centrifuges in Iran last decade, the cybersecurity world has waited for the next step in that digital arms race: Another piece of malicious software designed specifically to enable the damage or destruction of industrial equipment.
https://www.wired.com/story/triton-malware-targets-industrial-safety-systems-in-the-middle-east/

Game-changing attack on critical infrastructure site causes outage
Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems
https://arstechnica.com/information-technology/2017/12/game-changing-attack-on-critical-infrastructure-site-causes-outage/

Whitepaper: Top 20 cyber attacks on ICS
The techniques for evaluating the risk of cyber-sabotage of industrial processes are well understood by those skilled in the art. Essentially, such risk assessments evaluate a typically large inventory of possible cyber attacks against the cyber-physical system in question, and render a verdict

Xage emerges from stealth with a blockchain-based IoT security solution
The company also announced that Duncan Greatwood has joined the company as CEO. Greatwood is an experienced entrepreneur, who sold Topsy to Apple in 2013 and PostPath to Cisco in 2008. These exits have given him the freedom to pick and choose the projects he wants to work on, and he liked what he saw at Xage from a technology perspective

Hackers on the Hill – Shmoocon 2018

We’re doing a thing. We got a Congressional staffer to take a bunch of hackers on a tour of the U.S. Capitol building before Shmoocon 2018. Kicks off at 8:30am on Friday, January 19, 2018. The group is size limited, so we’re doing pre-reg…no F5 required this time. Join us. You know you want to.

12-11-17 – News This Past Week

Top-selling handgun safe can be remotely opened in seconds—no PIN needed
The Vaultek VT20i handgun safe, ranked fourth in Amazon’s gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how
https://arstechnica.com/information-technology/2017/12/top-selling-handgun-safe-can-be-remotely-opened-in-seconds-no-pin-needed/

Rockwell Automation Patches Serious Flaw in FactoryTalk Product
FTAE provides a consistent view of alarms and events via a View SE HMI system. The product is used worldwide in sectors such as critical infrastructure, entertainment, automotive, food and beverage, and water and wastewater
http://www.securityweek.com/rockwell-automation-patches-serious-flaw-factorytalk-product

A TINY NEW CHIP COULD SECURE THE NEXT GENERATION OF IOT
“Everything you interact with that you don’t typically think of as a computer has some kind of microcontroller in it, and over the next five to 10 years we believe that those devices will all be replaced by versions of the devices that will be interconnected,” says Galen Hunt, the managing director of Project Sopris. Think blenders, hair dryers, and other unlikely but inevitable connected accessories.
https://www.wired.com/story/project-sopris-iot-security/

IRANIAN HACKERS HAVE BEEN INFILTRATING CRITICAL INFRASTRUCTURE COMPANIES
Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat
https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/

Serious Flaw Found in Many Siemens Industrial Products
According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, some SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters
http://www.securityweek.com/serious-flaw-found-many-siemens-industrial-products

Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers
http://www.securityweek.com/hackers-can-steal-data-air-gapped-industrial-networks-plcs

Nearly 2/3 of Industrial Companies Lack Security Monitoring
While more than half of the 130 decision-makers from industrial organizations in the survey say they work in a facility that has suffered a breach, just 37% of the respondents say their organizations monitor networks for suspicious activity and traffic
https://www.darkreading.com/risk/nearly-2-3-of-industrial-companies-lack-security-monitoring/d/d-id/1330570

Industrial Firms Slow to Adopt Cybersecurity Measures: Honeywell
A survey of 130 strategic decision makers from around the world revealed that more than half of industrial organizations have suffered a cybersecurity incident, including ones involving removable media, denial-of-service (DoS) attacks, malware, hackers breaking into plant IT systems, state-sponsored attacks, and direct attacks on control systems.
http://www.securityweek.com/industrial-firms-slow-adopt-cybersecurity-measures-honeywell

The Year to Come in ICS / Critical Infrastructure Security
Here, I wanted to address some of my thoughts about what the New Year will hold for Industrial Control Systems/Critical Infrastructure cybersecurity. It is “Security Prediction Season” after all and I’d be remiss not to offer my thoughts. Below I’ve outlined a few things I think that will definitely manifest – some are bad, some offer more promise for placing us on a path to combatting an adversarial scourge which is growing in this absolutely critical area
http://www.securityweek.com/year-come-ics-critical-infrastructure-security

Critical Flaw in WAGO PLC Exposes Organizations to Attacks
The flaw, discovered by a researcher at security services and consulting company SEC Consult, impacts Linux-based WAGO PFC200 series PLCs, specifically a total of 17 750-820X models running firmware version 02.07.07 (10). The affected devices are advertised by the vendor as ultra-compact and secure automation systems that can be used for traditional machine control, process technology, and in the offshore sector
http://www.securityweek.com/critical-flaw-wago-plc-exposes-organizations-attacks

The Rising Dangers of Unsecured IoT Technology
While this is perhaps one of the most potentially life-threatening examples of unsecured Internet of Things (IoT) security, it drives home the point that manufacturers are not building these devices with security as a priority. As IoT devices grow in popularity, seemingly endless security- and privacy-related concerns are surfacing
https://www.darkreading.com/mobile/the-rising-dangers-of-unsecured-iot-technology–/a/d-id/1330518

12-04-17 – News This Past Week

Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches
An attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records, according to a Spirent SecurityLabs researcher.
https://www.darkreading.com/mobile/hacked-iv-pumps-and-digital-smart-pens-can-lead-to-data-breaches/d/d-id/1330536

Industrial Cybersecurity Startup SCADAfence Secures $10 Million
The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets
http://www.securityweek.com/industrial-cybersecurity-startup-scadafence-secures-10-million

Siemens Patches Several Flaws in Teleprotection Devices
According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware
http://www.securityweek.com/siemens-patches-several-flaws-teleprotection-devices

Robocars Should Be ‘Disconnected,’ Warns Former EFF Chief
Brad Templeton has been a software architect, a former Electronic Frontier Foundation (EFF) chair, an adviser to Google’s self-driving car project, and a Chair for Computing at the Singularity University. He has recently started warning about the cybersecurity issues self-driving cars, or “robocars,” may face if automotive companies don’t start to take security more seriously as they race to bring them to market
http://www.tomshardware.com/news/brad-templeton-robocars-security-plan,36015.html

AWS allows customers to manage and protect IoT devices
AWS IoT 1-Click, AWS IoT Device Management, AWS IoT Device Defender, AWS IoT Analytics, Amazon FreeRTOS, and AWS Greengrass ML Inference make getting started with IoT as easy as one click, enable customers to onboard and manage large fleets of devices, audit and enforce consistent security policies, and analyze IoT device data at scale

Tenable Delivers Industrial Security
Organizations are continuously leveraging new data and information capabilities to accelerate their business processes and deliver greater value to customers. As a result, industries such as energy, utilities, and manufacturing are becoming increasingly digital and connected
https://www.tenable.com/blog/tenable-delivers-industrial-security

Linux for the Industry 4.0 era: New distro for factory automation
NXP Semiconductors, a world leader in secure connectivity solutions, just announced a Linux distribution that is intended to support factory automation. It’s called Open Industrial Linux (OpenIL), and it’s promising true industrial-grade security based on trusted computing, hardened software, cryptographic operations and end-to-end security
https://www.networkworld.com/article/3238727/linux/linux-for-factory-automation.html

Recently Patched Dnsmasq Flaws Affect Siemens Industrial Devices
Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. It can be found in Linux distributions, smartphones, routers, and many Internet of Things (IoT) devices
http://www.securityweek.com/recently-patched-dnsmasq-flaws-affect-siemens-industrial-devices

11-13-17 – News These Past Two Weeks

Curing The Security Sickness in Medical Devices
Just as the rapid development of the Internet of Things (IoT) has transformed traditional industries and service sectors, it is also having a great impact in the world of healthcare. It’s easy to argue, in fact, that no area is being transformed by digital technologies as rapidly or with as many benefits for society as new medical technologies
http://www.securityweek.com/curing-security-sickness-medical-devices

More Industrial Products at Risk of KRACK Attacks
An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.
http://www.securityweek.com/more-industrial-products-risk-krack-attacks

Criminals leverage unsecured IoT devices, DDoS attacks surge
Organizations experienced an average of 237 DDoS attack attempts per month during Q3 2017 – equivalent to 8 DDoS attack attempts every day – as hackers strive to take their organisations offline or steal sensitive data, according to Corero Network Security.

Startup Uses 3D Modeling to Make Autonomous Driving Safer
It might come as a surprise that only 4 percent of new car buyers, according to a U.K. survey, place safety as a top priority when considering their purchase
https://blogs.nvidia.com/blog/2017/11/23/safer-autonomous-driving/

‘Treat infosec fails like plane crashes’ – but hopefully with less death and twisted metal
Brian Honan, founder and head of Ireland’s first CSIRT and special adviser on internet security to Europol, argued that failures in cybersecurity should be viewed as an opportunity to learn lessons and prevent them happening again.
https://www.theregister.co.uk/2017/11/24/infosec_disasters_learning_op/

IBM’s Schneier: It’s Time to Regulate IoT to Improve Cyber-Security
In a keynote address at the SecTor security conference, IBM Resilient Systems CTO Bruce Schneier makes a case for more regulatory oversight for software and the internet of things
http://www.eweek.com/security/ibm-s-schneier-it-s-time-to-regulate-iot-to-improve-cyber-security

Forrester predicts what’s next for IoT
As the Internet of Things moves from “experimentation to business scale,” research firm Forrester shares its predictions for 2018. Think specialization and cloud — and big security risks.
https://www.networkworld.com/article/3237268/internet-of-things/forrester-predicts-what-s-next-for-iot.html

Threat Predictions for Industrial Security in 2018
2017 was one of the most intense in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks
https://securelist.com/ksb-threat-predictions-for-industrial-security-in-2018/83186/

Enterprise Physical Security Drives IoT Adoption
The vast majority of respondents to a new survey are deploying IoT technologies for building safety in the form of security cameras
https://www.darkreading.com/mobile/enterprise-physical-security-drives-iot-adoption/d/d-id/1330425

Infosec expert viewpoint: IoT security initiatives
IoT went quickly from buzzword to mainstream, and connected devices have become common in households and enterprises around the globe. A worrying lack of regulation has fueled a plethora of security problems causing headaches to security teams and endangering end users

Flaw in Siemens RTU Allows Remote Code Execution
Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.
http://www.securityweek.com/flaw-siemens-rtu-allows-remote-code-execution

Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says
A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.
http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/

11-13-17 – News This Past Week

Schneider Electric Patches Critical Flaw in HMI Products
InduSoft Web Studio allows organizations to develop human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions. The Wonderware InTouch product, which is used in over one-third of the world’s industrial facilities, is an HMI visualization software. The products are used in various industries, including manufacturing, water and wastewater, automotive, oil and gas, building automation, and energy.
http://www.securityweek.com/schneider-electric-patches-critical-flaw-hmi-products

Automotive Cybersecurity Firm Argus Acquired by Continental
Cyber threats to automotive systems are not necessarily new, but are becoming more of an issue as cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.
http://www.securityweek.com/automotive-cybersecurity-firm-argus-acquired-continental

Stealthy New PLC Hack Jumps the Air Gap
Researchers have devised a sneaky reconnaissance attack that drops rogue ladder-logic code onto a Siemens programmable logic controller (PLC) to gather sensitive plant data from an industrial network with no Internet connection, and then siphons it remotely via Radio Frequency (RF) transmission. A nation-state or other hacker group could use the stolen information for a future attack that sabotages the plant’s physical operations.
https://www.darkreading.com/threat-intelligence/stealthy-new-plc-hack-jumps-the-air-gap-/d/d-id/1330381

The IoT Blindspot
According to a new Forrester study that queried 603 IT and business decision-makers across the globe with 2,500 or more employees, a key contributor to the IoT visibility problem may be confusion over who is responsible for IoT management and security.
https://www.darkreading.com/endpoint/the-iot-blindspot/d/d-id/1330354

IoT anxiety is consuming security professionals
A new survey conducted by Forrester Consulting unveiled that security and LoB leaders are experiencing high levels of anxiety due to IoT/OT security concerns, largely due to the negative business ramifications a security failure can have on critical business operations.

Siemens Teams Up with Tenable
ICS/SCADA vendor further extends its managed security services for critical infrastructure networks.
https://www.darkreading.com/cloud/siemens-teams-up-with-tenable-/d/d-id/1330370

Siemens and Tenable Partner to Protect Industrial Networks
Worsening geopolitical tensions and increasing awareness of the potential harm caused by cyber attacks against the operational technology (OT) networks of critical industries have made industrial control systems (ICS) a focus of cybersecurity attention. But protecting ICS remains problematic as it emerges from its pre-internet security-unaware origins into the modern internet-connected world: it now has to add remaining secure to remaining operational
http://www.securityweek.com/siemens-and-tenable-partner-protect-industrial-networks

Connected technologies will accelerate security threats to healthcare industry
Life sciences and healthcare companies will follow the lead of other industries and integrate connected technologies including Internet of Things (IoT) and intelligent scanners across their ecosystems as a means to improve operational efficiencies, enhance supply chain visibility and deliver better patient care – but the increasing use of such technologies will accelerate security risks, according to a new set of predictions from Unisys.

Protecting Critical Infrastructure When a Dragonfly Beats its Wings
News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.
http://www.securityweek.com/protecting-critical-infrastructure-when-dragonfly-beats-its-wings

Security, privacy issues we need to solve before non-medical implants become pervasive
The cybernetic revolution is happening, and it’s imperative that civil liberties and privacy issues are addressed by system designers, innovators, regulators, and legislators, says James Scott, a Senior Fellow at cybersecurity think tank ICIT

11-06-17 – News This Past Week

Russia-Linked Hackers Target Turkish Critical Infrastructure
Called Energetic Bear, but also known as Dragonfly and Crouching Yeti, the group has been active since at least 2010. First detailed in 2014, the threat group has been focused mainly on the energy sector in the United States and Europe.
http://www.securityweek.com/russia-linked-hackers-target-turkish-critical-infrastructure

SIEMENS UPDATE PATCHES SIMATIC PCS 7 BUG IN SOME VERSIONS
Siemens has made an update available for some of its SIMATIC PCS 7 distributed control systems that are impacted by a remotely exploitable input validation vulnerability

Security vs. convenience? IoT requires another level of thinking about risk
One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected-devices, which makes it difficult for users to have any sort of effective understanding of their risks. I pointed out the same in a recent CNN Tech article about Amazon Key
https://arstechnica.com/information-technology/2017/11/rethinking-our-approach-toward-personal-threat-models-in-an-iot-world/

Beyond Bitcoin: Oracle, IBM Prepare Blockchains for Industrial Use
There’s been a lot of talk recently about blockchains beyond their original use for supporting Bitcoin. Earlier this year, we covered a session in London where the takeaway from the panel was there are too many problems to be solved. But that was in February, and a lot has changed since then
https://thenewstack.io/beyond-bitcoin-blockchains-expand/

Practical Steps for Getting Started with IT/OT Security Convergence
Given the frequency and severity of cyberattacks in the news, cyber threats are top of mind for boards of directors and executive teams. In fact, according to Aon’s 2017 Global Risk Management Survey cybercrime ranked number five among the top 10 concerns for risk decision-makers globally and number one among respondents in North America – above concerns about economic slowdown, increasing competition, damage to reputation, and regulatory changes
http://www.securityweek.com/practical-steps-getting-started-itot-security-convergence

Is the U.S. finally about to take IoT security seriously?
Indeed, security issues plaguing IoT devices have long been a concern, and last week congressional Democrats introduced a bill designed to help mitigate what are seen as widespread vulnerabilities. But while the effort is noble and may help raise awareness of the issues, there are lots of reasons why the Cyber Shield Act of 2017 won’t end up doing much to actually solve the problem
https://www.networkworld.com/article/3235518/internet-of-things/is-the-u-s-finally-about-to-take-iot-security-seriously.html

Most organizations and consumers believe there is a need for IoT security regulation
90% of consumers lack confidence in the security of Internet of Things (IoT) devices. This comes as more than two-thirds of consumers and almost 80% of organizations support governments getting involved in setting IoT security, according to Gemalto.

The Future of Industrial Security – IT and OT Convergence
In industrial organizations, security is traditionally divided across three silos: physical security, IT security and operational security (plant security and system integrity). This divide makes it more difficult for facilities operators to identify and respond to incidents
http://www.securityweek.com/future-industrial-security-it-and-ot-convergence

Researchers Downplay Size of Reaper IoT Botnet
Called Reaper, the botnet was said a couple of weeks ago to have infected over one million organizations worldwide, but Arbor claims that the actual size of the botnet fluctuates between 10,000 and 20,000 bots in total
http://www.securityweek.com/researchers-downplay-size-reaper-iot-botnet

10-30-17 – News This Week

Industrial Products Also Vulnerable to KRACK Wi-Fi Attack
In the case of Cisco, many of the company’s products are affected, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points. The networking giant has yet to release patches for the vulnerable industrial products. However, workarounds are available for six of the flaws.
http://www.securityweek.com/industrial-products-also-vulnerable-krack-wi-fi-attack

A Checklist for Securing the Internet of Things
IoT devices promise endless benefits, but they also come with serious security issues. Use this checklist to make sure your company stays safe.
https://www.darkreading.com/iot/a-checklist-for-securing-the-internet-of-things/a/d-id/1330209

A Bug in a Popular Maritime Platform Left Ships Exposed
A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers.
https://www.wired.com/story/bug-in-popular-maritime-platform-isnt-getting-fixed/

A common satellite comms package for ships and oil rigs has a backdoor that won’t be patched
Apparently, internet communications packages are isolated from internal ship networks that control steering, navigation and propulsion. However, access to the ship’s internet would be a boon to pirates and state actors wishing to monitor ships’ communications and learn about cargoes, destinations, and locations

Security Flaw Could Have Let Hackers Turn on Smart Ovens
A security flaw in LG’s smart home devices gave hackers a way to control the household appliances of millions of customers, including the ability to turn on ovens, a computer security firm revealed on Thursday.
http://www.securityweek.com/security-flaw-could-have-let-hackers-turn-smart-ovens

Hackers can force airbags to deploy
Common Vulnerabilities and Exposures number 2017-14937: in unspecified post-2014 passenger car models, the explosive charge that deploys the airbag is controlled by an instruction that is secured by one of only 256 keypairs, and there is no rate-limit on authentication attempts over the CAN bus

US-CERT: hackers are targeting our critical infrastructure
US-CERT (US Computer Emergency Readiness Team), which operates under DHS, and the FBI, issued an “alert” titled, “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors” last Friday, focused on what it said were, “APT actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

US Critical Infrastructure Target of Russia-Linked Cyberattacks
Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned
https://www.darkreading.com/attacks-breaches/us-critical-infrastructure-target-of-russia-linked-cyberattacks/d/d-id/1330196

Feds warn energy, aviation companies of hacking threats
Hackers have been targeting the nuclear, energy, aviation, water and critical manufacturing industries since May, according to Reuters. It’s even serious enough for Homeland Security and the FBI to email firms most at risk of attacks, warning them that a group of cyberspies had already succeeded in infiltrating some of their peers’ networks, including at least one energy generator
https://www.engadget.com/2017/10/22/feds-warn-energy-hacking-threats/

DHS’ Dragonfly ICS campaign alert isn’t enough, experts say
The Department of Homeland Security released an alert confirming the Dragonfly ICS cyberattack campaign, but experts said more action is needed to protect critical infrastructure.
http://searchsecurity.techtarget.com/news/450428840/DHSs-Dragonfly-ICS-campaign-alert-isnt-enough-experts-say

One-Third of Industrial Networks Connected to Internet
Many industrial and critical infrastructure systems are connected to the Internet, and the operational technology (OT) networks of some organizations have already been compromised, according to a new study from industrial security firm CyberX
http://www.securityweek.com/one-third-industrial-networks-connected-internet-study

DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure
The Department of Homeland Security and Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are subject to an ongoing attack campaign from an advanced actor, most probably Dragonfly
http://www.securityweek.com/dhs-fbi-warn-ongoing-apt-attack-against-critical-infrastructure

Reaper: Calm Before the IoT Security Storm?
It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks
https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/