10-24-18 – News This Past Week

FireEye: Russian Research Lab Aided the Development of TRITON Industrial Malware
Cybersecurity firm FireEye claims to have discovered evidence that proves the involvement of a Russian-owned research institute in the development of the TRITON malware that caused some industrial systems to unexpectedly shut down last year, including a petrochemical plant in Saudi Arabia.
https://thehackernews.com/2018/10/russia-triton-ics-malware.html

Russia was likely behind dangerous critical infrastructure attack, report says
The malware, alternately dubbed Triton and Trisis, was most likely designed to cause physical damage inside critical infrastructure sites, such as gas refineries and chemical plants, FireEye researchers said in a report published in December.
https://arstechnica.com/information-technology/2018/10/russia-was-likely-behind-dangerous-critical-infrastructure-attack-report-says/

Plaintext Passwords Often Put Industrial Systems at Risk
Plaintext passwords crossing the network, outdated operating systems, direct connections to the Internet, and the lack of automated updates for security solutions often put industrial systems at risk of attacks, according to a new report published on Tuesday by industrial cybersecurity firm CyberX.
https://www.securityweek.com/plaintext-passwords-often-put-industrial-systems-risk-report

The Danger and Opportunity in 5G Connectivity and IoT
The IoT is already rife with security issues resulting from poor incentives to fix vulnerabilities. At the same time, we are spiraling closer towards a hyper-connected world with the increasing momentum around 5G infrastructure. As telecommunications organizations build more infrastructure for 5G networks, we can expect to see wider adoption of IoT devices and an increase in the impact of the threats they pose.
https://threatpost.com/the-danger-and-opportunity-in-5g-connectivity-and-iot/138493/

Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking
Commandeered equipment – think Internet-of-Things sensors and gizmos, and automotive and industrial systems – can then be used to, say, spy on owners, siphon data out of a network, launch other cyber-attacks, and so on.
https://www.theregister.co.uk/2018/10/22/freertos_iot_platform_security_flaws/

AWS FreeRTOS Bugs Allow Compromise of IoT Devices
The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over. And while patches have been issued, researchers warn that it still may take time for smaller vendors to update.
https://threatpost.com/aws-freertos-bugs-allow-compromise-of-iot-devices/138455/

New Security Woes for Popular IoT Protocols
They found that the widely used device-to-device communications protocols contained inherent security weaknesses, especially in the way they are implemented in IoT devices – exposing flaws that could allow attackers to execute denial-of-service (DoS) attacks on devices or gain remote control of industrial IoT or consumer IoT devices for cyber espionage or worse.
https://www.darkreading.com/vulnerabilities---threats/new-security-woes-for-popular-iot-protocols/d/d-id/1333069

FBI Investigates Attack on Critical Water Utility
According to a media release from Onslow Water and Sewer Authority (ONWASA) issued on October 15, 2018, a critical water utility in North Carolina was targeted in a cyber-attack. Federal and state officials are now working with the water utility as part of the investigation into the attack on some of its computer systems.
https://www.infosecurity-magazine.com/news/fbi-investigates-attack-on/

Vulnerable controllers could allow attackers to manipulate marine diesel engines
These security flaws could be exploited by attackers to change the firmware and configuration files, install malware, and perform actions that effectively allow them to take control of a vessel’s engines
https://www.helpnetsecurity.com/2018/10/18/manipulate-marine-diesel-engines/

Medical device maker Medtronic finally fixes its hackable pacemaker
The company said in a notice this week that it’s switching off the software distribution network after researchers found that a hacker could update the pacemaker’s software with malicious software that could manipulate the impulses that regulate a patient’s heartbeat. The researchers, Jonathan Butts and Billy Rios, revealed the vulnerability at the Black Hat conference in August, more than a year after first reporting the vulnerability to Medtronic
https://techcrunch.com/2018/10/16/medical-device-maker-medtronic-finally-fixes-its-hackable-pacemaker/

GreyEnergy group targeting critical infrastructure with espionage
BlackEnergy has been terrorizing Ukraine for years and rose to prominence in December 2015 when they caused a blackout that left 230,000 people without electricity – the first-ever blackout caused by a cyberattack. Around the time of that incident, ESET researchers began detecting another malware framework named GreyEnergy.
https://www.helpnetsecurity.com/2018/10/17/greyenergy-group/

In County Crippled by Hurricane, Water Utility Targeted in Ransomware Attack
The Onslow Water and Sewer Authority (ONWASA) said in a Monday release that a “sophisticated ransomware attack… has left the utility with limited computer capabilities.” While customer data was not compromised as part of the attack, the lack of computing ability will impact the timeliness of service from ONWASA “for several weeks to come.”
https://threatpost.com/in-county-crippled-by-hurricane-water-utility-targeted-in-ransomware-attack/138327/

Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers
A flaw in Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers, which are portable computer systems used to manage implanted cardiac devices in clinical settings, would have allowed remote code implantation over Medtronic’s dedicated Software Deployment Network (SDN).
https://threatpost.com/remote-code-implantation-flaw-found-in-medtronic-cardiac-programmers/138363/

FDA Warns of Flaws in Medtronic Programmers
A vulnerability in the software update process of certain Medtronic Programmer models has led the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) reports.
https://www.securityweek.com/fda-warns-flaws-medtronic-programmers

Feds Investigate After Hackers Attack Water Utility
The head of the Onslow Water and Sewer Authority said in a news release Monday that its internal computer system, including servers and personal computers, was subjected to what was characterized as “a sophisticated ransomware attack.”
https://www.securityweek.com/feds-investigate-after-hackers-attack-water-utility

NotPetya Linked to Industroyer Attack on Ukraine Energy Grid
The massive NotPetya ransomware outbreak that crippled organizations around the world last year turns out to have links to the Industroyer backdoor, which targets industrial control systems (ICS) and took down the Ukrainian power grid in Kiev in 2016
https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/

10-15-18 – News This Past Week

The future of OT security in modern industrial operations
Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations
https://www.helpnetsecurity.com/2018/10/15/future-ot-security/

It’s the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit
The watchdog’s alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can’t download and install new code from its servers
https://www.theregister.co.uk/2018/10/12/medtronic_pacemaker_programmer_security/

Internet Hacking Is About to Get Much Worse
The risks are about to get worse, because computers are being embedded into physical devices and will affect lives, not just our data. Security is not a problem the market will solve. The government needs to step in and regulate this increasingly dangerous space.
https://www.nytimes.com/2018/10/11/opinion/internet-hacking-cybersecurity-iot.html

The Better Way: Threat Analysis & IIoT Security
Threat analysis offers a more nuanced and multidimensional approach than go/no-go patching in the Industrial Internet of Things. But first, vendors must agree on how they report and address vulnerabilities.
https://www.darkreading.com/perimeter/the-better-way-threat-analysis-and-iiot-security-/a/d-id/1332983

New Pentagon Weapons Systems Easily Hacked: Report
The Government Accountability Office said the Pentagon was unaware of how easy it could be for an adversary to gain access to the computer brains and software of the weapons systems and operate inside them undetected
https://www.securityweek.com/new-pentagon-weapons-systems-easily-hacked-report

Many Siemens Products Affected by Foreshadow Vulnerabilities
The security holes could allow malicious applications to obtain potentially sensitive information from a device’s memory, including data associated with operating systems, apps and virtual machines
https://www.securityweek.com/many-siemens-products-affected-foreshadow-vulnerabilities

Constructing the Future of ICS Cybersecurity
As industrial control systems are connected to the cloud and the IoT, experts discuss security challenges
https://www.darkreading.com/perimeter/constructing-the-future-of-ics-cybersecurity/d/d-id/1332995

Security Vulnerabilities in US Weapons Systems
The US Government Accounting Office just published a new report: “Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities” (summary here). The upshot won’t be a surprise to any of my regular readers: they’re vulnerable
https://www.schneier.com/blog/archives/2018/10/security_vulner_17.html

Report: US weapons systems are highly vulnerable to cyber attacks
The Department of Defense will have to ramp up its cybersecurity efforts now that it’s planning to spend $1.66 trillion to develop major weapons systems. According to a new report (PDF) by the Government Accountability Office, nearly all of the Pentagon’s weapons systems are vulnerable to cyberattacks
https://www.engadget.com/2018/10/10/pentagon-weapons-systems-gao-report/

10-08-18 – News This Past Week

DHS Warns of Threats to Precision Agriculture
Relying on various embedded and connected technologies to improve agricultural and livestock management, precise agriculture is exposed to vulnerabilities and cyber-threats, a new report from the United States Department of Homeland Security (DHS) warns
https://www.securityweek.com/dhs-warns-threats-precision-agriculture

California bans default passwords on any internet-connected device
In less than two years, anything that can connect to the internet will come with a unique password — that is, if it’s produced or sold in California. The “Information Privacy: Connected Devices” bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate
https://www.engadget.com/2018/10/05/california-default-password-ban-information-privacy-connected-devices-bill/

New Splunk IoT Solution Helps Secure ICS
Splunk for Industrial IoT, expected to become available on October 30, combines the capabilities of Splunk Enterprise, Splunk Industrial Asset Intelligence, and the Splunk Machine Learning Toolkit.
https://www.securityweek.com/new-splunk-iot-solution-helps-secure-ics

How Shodan helps identify ICS cybersecurity vulnerabilities
Shodan can be a helpful tool for security pros to locate ICS cybersecurity vulnerabilities. Expert Ernie Hayden explains how Shodan works and how it can be used for security
https://searchsecurity.techtarget.com/tip/How-Shodan-helps-identify-ICS-cybersecurity-vulnerabilities

U.S. Energy Department Invests Another $28 Million in Cybersecurity
The U.S. Department of Energy on Monday announced that it’s investing up to $28 million in tools and technologies that will improve the resilience and cybersecurity of the power grid and oil and gas infrastructure
https://www.securityweek.com/us-energy-department-invests-another-28-million-cybersecurity

10-01-18 – News This Past Week

California’s new laws bolster security for connected devices
California just raised the baseline for security in the Internet of Things… to a degree. Governor Jerry Brown has signed very similar Assembly and Senate bills that require hardware makers to include “reasonable” security measures for connected devices
https://www.engadget.com/2018/09/30/california-connected-device-laws/

‘Torii’ Breaks New Ground For IoT Malware
Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.
https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do
https://csrc.nist.gov/publications/detail/nistir/8228/draft

Hackers are finding creative ways to target connected medical devices
Hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights, according to Zingbox. These insights are then used to refine the attacks, increasing the chance of a successful hack
https://www.helpnetsecurity.com/2018/09/28/target-connected-medical-devices/

Vulnerabilities and architectural considerations in industrial control systems
The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about SCADA vulnerabilities in ICS architectures
https://www.helpnetsecurity.com/2018/09/28/scada-vulnerabilities-ics/

No Patches for Critical Flaws in Fuji Electric Servo System, Drives
ICS-CERT and Trend Micro’s Zero Day Initiative (ZDI) this week disclosed the existence of several unpatched vulnerabilities affecting servo systems and drives from Japanese electrical equipment company Fuji Electric
https://www.securityweek.com/no-patches-critical-flaws-fuji-electric-servo-system-drives

Researchers See Improvements in Vehicle Cybersecurity
Since 2013, IOActive has spent thousands of hours every year analyzing vehicle cybersecurity, and the company has published several research papers on this topic. A report made available in 2016 showed that half of the flaws found at the time had an impact level of critical (25%) or high (25%).
https://www.securityweek.com/researchers-see-improvements-vehicle-cybersecurity

Owning Security in the Industrial Internet of Things
Why IIoT leaders from both information technology and line-of-business operations need to join forces to develop robust cybersecurity techniques that go beyond reflexive patching
https://www.darkreading.com/threat-intelligence/owning-security-in-the-industrial-internet-of-things/a/d-id/1332876

09-24-18 – News This Past Week

Legitimate RATs Pose Serious Risk to Industrial Systems
A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS).
https://www.securityweek.com/legitimate-rats-pose-serious-risk-industrial-systems

Rockwell Automation Patches Severe Flaws in Communications Software
RSLinx Classic is a widely used piece of software that allows organizations to connect Logix5000 programmable automation controllers to various Rockwell applications, including for data acquisition, programming, HMI interaction, and configuration apps. The product is used worldwide, mainly in the energy, critical manufacturing, and water and wastewater systems sectors
https://www.securityweek.com/rockwell-automation-patches-severe-flaws-communications-software

Threats posed by using RATs in ICS
Based on our analysis of KSN statistics, we were able to identify a number of attacks and malware infection attempts involving RATs installed on ICS computers. In most cases, attacks were based on the following scenarios (in the descending order of attack incidence)
https://securelist.com/threats-posed-by-using-rats-in-ics/88011/

Key weapon for closing IoT-era cybersecurity gaps? Artificial intelligence
As businesses struggle to combat increasingly sophisticated cybersecurity attacks, the severity of which is exacerbated by both the vanishing IT perimeters in today’s mobile and IoT era, and an acute shortage of skilled security professionals, IT security teams need both a new approach and powerful new tools.
https://www.helpnetsecurity.com/2018/09/19/iot-era-cybersecurity-gaps/

Malicious hacking activity increasingly targeting critical infrastructure
In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about how the traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value
https://www.helpnetsecurity.com/2018/09/19/maliciuos-hacking-activity-increasingly-targeting-critical-infrastructure/

The Top 5 Security Threats & Mitigations for Industrial Networks
While vastly different than their IT counterparts, operational technology environments share common risks and best practices
https://www.darkreading.com/endpoint/the-top-5-security-threats-and-mitigations-for-industrial-networks-/a/d-id/1332816

Malware Samples Targeting IoT More Than Double in 2018
It’s no secret that connected devices are posing a security threat in the commercial, consumer and industrial worlds. A fresh report on this expanding threat landscape shows that attacks are accelerating, with MikroTik routers, Telnet password-cracking and the Mirai botnet dominating the proceedings
https://threatpost.com/threatlist-malware-samples-targeting-iot-more-than-double-in-2018/137528/

New trends in the world of IoT threats
Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead
https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/

09-17-18 – News This Past Week

Global market for smart city platforms expected to reach $755 million by 2027
Driven by Internet of Things (IoT) deployments, as well as other smart technologies, smart city platforms provide the integrated capability to coordinate data, applications, and services at one or more levels across operational domains for multiple stakeholders
https://www.helpnetsecurity.com/2018/09/12/smart-city-platforms/

BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid
We demonstrate that an Internet of Things (IoT) botnet of high wattage devices–such as air conditioners and heaters–gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid
https://www.usenix.org/conference/usenixsecurity18/presentation/soltan

California bill regulates IoT for first time in US
The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices
https://nakedsecurity.sophos.com/2018/09/13/california-bill-regulates-iot-for-first-time-in-us/

Supermicro servers fixed after insecure firmware updating discovered
Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacentres depend on to manage servers.
https://nakedsecurity.sophos.com/2018/09/10/supermicro-servers-fixed-after-insecure-firmware-updating-discovered/

Google’s Android Team Finds Serious Flaw in Honeywell Devices
Members of Google’s Android team discovered that some of Honeywell’s Android-based handheld computers are affected by a high severity privilege escalation vulnerability. The vendor has released software updates that should address the flaw
https://www.securityweek.com/googles-android-team-finds-serious-flaw-honeywell-devices

Forcepoint Launches Critical Infrastructure Business Unit
The new unit will be led by David Hatchell, who has been named vice president of Critical Infrastructure. Hatchell, who previously led critical infrastructure units at Belden and Intel/McAfee, will report to Sean Berg, senior vice president and general manager for Forcepoint’s Global Governments and Critical Infrastructure business
https://www.securityweek.com/forcepoint-launches-critical-infrastructure-business-unit

Leveraging Segmentation to Secure IoT
The rapid deployment of IoT devices has had a significant and lasting impact on the security of today’s evolving network. BYOD, the first significant infusion of IoT devices begun over a decade ago, was focused mainly on user-owned devices such as mobile phones and laptops
https://www.securityweek.com/leveraging-segmentation-secure-iot

Flaws Found in Fuji Electric Tool That Links Corporate PCs to ICS
Several vulnerabilities rated “high severity” have been discovered by researchers in Fuji Electric V-Server. The vendor has released updates that should address the flaws
https://www.securityweek.com/flaws-found-fuji-electric-tool-links-corporate-pcs-ics

09-09-18 – News These Past Two Weeks

Malware Found on USB Drives Shipped With Schneider Solar Products
Schneider Electric recently informed customers that some of the USB flash drives shipped by the company with its Conext ComBox and Conext Battery Monitor products were infected with malware
https://www.securityweek.com/malware-found-usb-drives-shipped-schneider-solar-products

Finding the Middle Ground: Securing Smart Cities
High-profile cyberattacks and data breaches have become somewhat of a norm. You’ve likely heard this before: it’s no longer a question of if an attack will happen but when. We expect ‘always on’ connectivity with access to business data and this means that the clear boundaries of the traditional security perimeter are fading fast
https://www.securityweek.com/finding-middle-ground-securing-smart-cities

Take (Industrial) Control: A Look at the 2018 ICS Threat Landscape
Industrial control systems (ICS) are increasingly being targeted as attackers take advantage of the Internet to target machines on organizations’ industrial networks
https://www.darkreading.com/risk/take-(industrial)-control-a-look-at-the-2018-ics-threat-landscape/d/d-id/1332754

ThreatList: Attacks on Industrial Control Systems on the Rise
The main source of infection was the internet – with 27 percent of attacks received from web sources. Another 8.4 percent arrived through removable storage media, and a surprisingly small 3.8 percent came from email clients
https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/

Malware on ICS Increasingly Comes From Internet: Kaspersky
Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks
https://www.securityweek.com/malware-ics-increasingly-comes-internet-kaspersky

IT security teams are being locked out of IoT projects
Trend Micro revealed that organizations around the world are exposing themselves to unnecessary cyber risk by failing to give IT security teams a voice when planning IoT project deployments in enterprise environments
https://www.helpnetsecurity.com/2018/09/06/iot-projects-security/

Flaw in Schneider PLC Allows Significant Disruption to ICS
A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).
https://www.securityweek.com/flaw-schneider-plc-allows-significant-disruption-ics

Remotely exploitable flaw in Schneider Electric PLCs is a danger to OT networks
A vulnerability in the Schneider Electric Modicon M221, a programmable logic controller (PLC) deployed in commercial industrial facilities worldwide, can be exploited to remotely disconnect the device from communicating in the ICS network.
https://www.helpnetsecurity.com/2018/09/06/remotely-exploitable-flaw-schneider-electric-plc/

Threat Landscape for Industrial Automation Systems in H1 2018
In February, Kaspersky Lab ICS CERT published a report on an investigation into the initial infection tactics used by the notorious APT group Energetic Bear/Crouching Yeti, as well as the results of an analysis of several web servers compromised by the group in 2016 and early 2017, using information provided by the server owners
https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2018/87913/

Endpoints a Top Security Concern for Industrial Organizations: IIoT Survey
The SANS Institute recently published a research study of Industrial IoT (IIoT) security. The survey polled more than 200 security professionals from energy, utility, oil and gas, and manufacturing organizations. Among the key findings, the majority of respondents reported they are more concerned about endpoint device security than network security
https://www.securityweek.com/endpoints-top-security-concern-industrial-organizations-iiot-survey

Philips plugs security flaws in e-Alert tool
Dutch tech company Philips has fixed several serious security flaws in Philips e-Alert, a tool that helps magnetic resonance imaging (MRI) systems work as intended
https://www.helpnetsecurity.com/2018/09/04/philips-e-alert-vulnerabilities/

Critical Flaws in Syringe Pump, Device Gateways Threaten Patient Safety
Flaws in the Qualcomm Life Capsule Datacaptor Terminal Server and the Becton Dickinson (BD) Alaris TIVA Syringe Pump have been acknowledged by the vendors and publicly disclosed via ICS-CERT
https://threatpost.com/critical-flaws-in-syringe-pump-device-gateways-threaten-patient-safety/137067/

High-Severity Flaws Patched in Schneider Electric Products
The two flaws, which exist in Schneider Electric’s power management system, PowerLogic PM5560, and its programmable logic controller, Modicon M221, can be exploited remotely, according to dual advisories released by ICS-CERT on Tuesday
https://threatpost.com/high-severity-flaws-patched-in-schneider-electric-products/137034/

How hard-coded credentials threaten industrial control systems
Hard-coded credentials open industrial control systems up to unauthorized access by malicious actors. Expert Ernie Hayden explains the threat and what enterprises can do about it
https://searchsecurity.techtarget.com/tip/How-hard-coded-credentials-threaten-industrial-control-systems

Old “Misfortune Cookie” flaw opens medical gateway and devices to attack
A vulnerability in Qualcomm Life Capsule Datacaptor Terminal Server (DTS) can be easily exploited to allow attackers to execute unauthorized code to obtain administrator-level privileges on the device.
https://www.helpnetsecurity.com/2018/08/29/medical-gateway-device-vulnerability/

NIST’s New Advice on Medical IoT Devices
Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding threat surface being delivered by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if not properly secured could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion
https://www.securityweek.com/nists-new-advice-medical-iot-devices

Emerging consensus for an ICS security approach
An increasing body of experience with industrial control system (ICS) security, as well as the emerging Industrial Internet of Things (IIoT) are driving a new consensus as to the difference between information technology (IT) and operations technology (OT) / ICS security programs
https://www.helpnetsecurity.com/2018/08/27/ics-security-approach/

08-27-18 – News This Past Week

Trend Micro’s new program helps IoT device makers tackle risk at source
Trend Micro has reconfirmed its commitment to Internet of Things (IoT) security with a new program designed to leverage its Zero Day Initiative (ZDI) to minimize vulnerabilities as smart products are developed.

Security of smart utilities leaves a lot to be desired
The modernization of utility infrastructures is enabling increased efficiencies and reliability through digitization, connectivity, and IT-based approaches. Smart cyber assets are transforming both power and water grids, allowing operators to deploy and leverage a new generation of functionality and customer services.

IoT security: The work on raising the bar continues
One of the main goals of Chief Information Security Officers should be to help the organization succeed, and they are unlikely to do that by denying their organization the ability to take advantage of new technologies

7 Serious IoT Vulnerabilities
A growing number of employees have various IoT devices in their homes – where they’re also connecting to an enterprise network to do their work. And that means significant threats loom.
https://www.darkreading.com/iot/7-serious-iot-vulnerabilities/d/d-id/1332616

How to develop the right strategy to increase IoT security
As more and more devices become connected, many industries that were previously secure are experiencing new threats or attacks to their devices and services

Flaws in Emerson Workstations Allow Lateral Movement
Researchers working for two industrial cybersecurity firms have discovered several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations. The vendor has released patches that should resolve the flaws
https://www.securityweek.com/flaws-emerson-workstations-allow-lateral-movement

08-20-18 – News These Past Two Weeks

Hacking Police Bodycams
Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras
https://www.wired.com/story/police-body-camera-vulnerabilities/

Five key security tips to avoid an IoT hack
Recently, Russian PIR Bank lost $1,000,000 because of a compromised router that allowed hackers to gain entry into their local network. Why did it happen and how can companies protect themselves?

In-flight satellite comms vulnerable to remote attack, researcher finds
As well as finding that Telnet, FTP and web were available for certain IPs, it turned out that an interface page for a Hughes aircraft satellite communication (SATCOM) router could also be accessed without authentication

Smart Irrigation Systems Expose Water Utilities to Attacks
A team of experts has analyzed smart irrigation systems from several vendors and found vulnerabilities that can be exploited to cause potentially serious disruptions to urban water services.
https://www.securityweek.com/smart-irrigation-systems-expose-water-utilities-attacks

Critical Flaws Found in NetComm Industrial Routers
An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices
https://www.securityweek.com/critical-flaws-found-netcomm-industrial-routers

Ensuring Your Industrial Wireless Systems Are Safely Deployed
Finding a competitive edge in heavy industries and manufacturing today is as much about digitization and data analytics as it is about bringing new products and services to market. It has therefore become imperative for businesses in these sectors to invest in technologies that allow them to connect, control and monitor their industrial environments using sensors, gateways and other digital transformation tools
https://www.securityweek.com/ensuring-your-industrial-wireless-systems-are-safely-deployed

BlackIoT Botnet: Can Water Heaters, Washers Bring Down the Power Grid?
The researchers – Saleh Soltan, Prateek Mittal and H. Vincent Poor from Princeton University – have dubbed the theoretical offensive “BlackIoT”, and have coined the threat to be a “manipulation of demand via IoT” attack, or MadIoT.

Botnet of Smart Heaters, ACs Can Cause Power Disruptions
Wi-Fi enabled air conditioners, ovens, water heaters and space heaters that can be controlled remotely over the Internet are increasingly popular. The power usage of these devices ranges between 1,000 and 5,000 watts
https://www.securityweek.com/botnet-smart-heaters-acs-can-cause-power-disruptions-researchers

Election systems should be considered critical infrastructure
93 percent of security professionals are concerned about cyber-attacks targeting election infrastructure and data, and 81 percent believe cyber criminals will target election data as it is transmitted by machines, software and hardware applications, from local polling stations to central aggregation points, a recent study by Venafi has revealed

Dragos to integrate ICS-specific threat intelligence with cyber intelligence partners
Dragos announced that its industrial control system (ICS) threat intelligence product, WorldView, will integrate with partner companies, ThreatConnect, Recorded Future, ThreatQuotient, and EclecticIQ

ICS security fails the Black Hat test
Industrial control systems hit the mainstream at Black Hat this year, with over two dozen program sessions tackling different angles of the subject. The takeaway: Vendors still aren’t really trying
https://searchsecurity.techtarget.com/news/252447079/ICS-security-fails-the-Black-Hat-test

Philips Vulnerability Exposes Sensitive Cardiac Patient Information
A vulnerability in the Philips IntelliSpace Cardiovascular (ISCV) line of medical data management products would allow privilege escalation and arbitrary code execution – opening the door for an attacker to siphon out all kinds of confidential patient information, including medical images and full diagnostic details.

The future of OT security in critical infrastructure
To address these challenges, we discuss below three specific areas in the context of both improved enterprise operational effectiveness, and enhanced security for industrial control systems

IoT Malware Discovered Trying to Attack Satellite Systems of Airplanes, Ships
Researcher Ruben Santamarta shared the details of his successful hack of an in-flight airplane Wi-Fi network – and other findings – at Black Hat USA today
https://www.darkreading.com/vulnerabilities---threats/iot-malware-discovered-trying-to-attack-satellite-systems-of-airplanes-ships/d/d-id/1332529

With Healthcare Security Flaws, Safety’s Increasingly at Stake
A lax culture around cybersecurity from medical device manufacturers and healthcare professionals (and a lack of education around good security measures) is putting hospitals – and subsequently their patients – at risk, said researchers, speaking at Black Hat 2018.

Black Hat 2018: With Healthcare Security Flaws, Safety’s Increasingly at Stake

Flaws in Siemens Tool Put ICS Environments at Risk
Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments
https://www.securityweek.com/flaws-siemens-tool-put-ics-environments-risk

Hack causes pacemakers to deliver life-threatening shocks
Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday
https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/

In-vehicle wireless devices are endangering emergency first responders
One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate
https://arstechnica.com/information-technology/2018/08/in-vehicle-wireless-devices-are-endangering-emergency-first-responders/

Flaws in Smart City Systems Can Allow Hackers to Cause Panic
The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.
https://www.securityweek.com/flaws-smart-city-systems-can-allow-hackers-cause-panic

IoT security: Lessons we can learn from the evolution of road safety
I was recently chatting with my father about his life as a young boy growing up in rural Ireland in the middle of the last century, and the conversation moved onto cars and how when he was young cars were a relatively new technology.

A botnet of smart irrigation systems can deplete a city’s water supply
However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards

Smart cities are exposed to old-school threats
Spurred by the false alarm that made Hawaii residents fear for their lives earlier this year, IBM X-Force Red and Threatcare researchers have decided to test several smart city devices and ultimately found 17 zero-day vulnerabilities, some of which could be exploited to create potentially deadly chaos

Manufacturing Industry Experiencing Higher Incidence of Cyberattacks
According to a new report out today, manufacturing companies have started experiencing elevated rates of cyber reconnaissance and lateral movement from attackers taking advantage of the growing connectivity within the industry
https://www.darkreading.com/risk/manufacturing-industry-experiencing-higher-incidence-of-cyberattacks/d/d-id/1332515

IBM Opens New Labs for Cracking ATMs, IoT Devices
The new network of facilities provides all the toys required for testing the security of consumer and industrial Internet of Things (IoT) technologies, automotive equipment, and Automated Teller Machines (ATMs), both before and after they are deployed to customers
https://www.securityweek.com/ibm-opens-new-labs-cracking-atms-iot-devices

The Importance of Access Control for IoT Devices
Cybercriminals are actively increasing their focus on IoT devices, with the latest variant of the Hide ‘N Seek malware expanding its focus to include, for the first time, home automation devices. There are two reasons why these devices are so attractive to the criminal community. The first is that these devices are notoriously vulnerable to attack while at the same time being very difficult, if impossible to secure
https://www.securityweek.com/importance-access-control-iot-devices

Even ‘Regular Cybercriminals’ Are After ICS Networks
Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments
https://www.darkreading.com/vulnerabilities---threats/even-regular-cybercriminals-are-after-ics-networks/d/d-id/1332505

Governor Snyder announces new high school curriculum focused on automotive cybersecurity
Offering our high school students hands-on experience in dynamic fields like automotive cybersecurity will be critical to filling the growing demand for talent in key professional trades

Irdeto provides anti-hacking protection for Indentive’s home IoT platform
Irdeto is partnering with Indentive, a Swedish IoT technology provider, to secure its home IoT platform, Connective. Indentive will implement Irdeto Cloakware to ensure that security is built into the basis of the home network, including the latest generation of its consumer-facing IoT applications

08-06-18 – News This Past Week

US Department of Homeland Security says Russia hacked networks of major US energy firms
Citing officials at the Department of Homeland Security (DHS), the hacks were first detected in the spring of 2016 and continued throughout 2017, carried out by hackers who worked for a Russian state-sponsored group previously known as Dragonfly or Energetic Bear
https://www.v3.co.uk/v3-uk/news/3036469/us-department-of-homeland-security-says-russia-hacked-networks-of-major-us-energy-firms

Dept. of Energy to Test Electrical Grid Against Cyberattacks
The Department of Energy wants to find out, so it’s launching the first hands-on exercise to test the grid’s ability to recover from a blackout caused by cyberattacks, E&E News reports. Its weeklong experiment, dubbed “Liberty Eclipse,” will take place starting Nov. 1 on a restricted area off the New York coast called Plum Island
https://www.darkreading.com/vulnerabilities---threats/dept-of-energy-to-test-electrical-grid-against-cyberattacks/d/d-id/1332481

FBI Offers New IoT Security Tips
Following the FBI’s May request to router owners to reboot their devices, the bureau has released a “Security Tip” about risks associated with the Internet of Things (IoT). Included among suggestions to be alert to unusual increases in network traffic and reminders about the wisdom of firmware updates are statements regarding the importance of the IoT and the true nature of the risks involved
https://www.darkreading.com/iot/fbi-offers-new-iot-security-tips/d/d-id/1332482

Court sinks children’s hospital attacker found stranded on a boat
In 2014, Gottesfeld affiliated himself with the Anonymous brand of hacktivism and left multiple hospitals hamstrung by flooding their computer networks with distributed denial of service (DDoS) e-garbage and putting out the standard, monotone Guy Fawkes call for others to join in
Guilty! Court sinks children’s hospital attacker found stranded on a boat

Phishing Campaign Targets 400 Industrial Organizations
Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which include oil and gas to metallurgy, energy, construction and logistics
https://www.securityweek.com/phishing-campaign-targets-400-industrial-organizations

Power Grid Security: How Safe Are We?
Experiencing a power outage? It could have been caused by a hacker … or just a squirrel chewing through some equipment. And that’s a problem.
https://www.darkreading.com/endpoint/power-grid-security-how-safe-are-we/a/d-id/1332420

Addressing IoT Device Security Head-on
Securing IoT devices can be challenging. Product developers necessarily have deep expertise in project management, engineering, quality assurance and many other aspects of bringing a product to market. But they don’t typically have expertise in cybersecurity, such as security threat intelligence, regulatory compliance, and data breach avoidance or response requirements.
https://www.securityweek.com/addressing-iot-device-security-head

Why Bitcoin Miners Target Critical Infrastructure Networks
On this week’s Threatpost Podcast show, we sit down with Ronen Rabinovich from Cyberbit to discuss bitcoin mining on operational technology and critical infrastructure networks

Podcast: Why Bitcoin Miners Target Critical Infrastructure Networks

DHS Establishes Center For Defense of Critical Infrastructure
Center foundational to new government-led ‘collective defense’ strategy for sharing and responding to cyberthreats, DHS secretary says
https://www.darkreading.com/attacks-breaches/dhs-establishes-center-for-defense-of-critical-infrastructure-/d/d-id/1332442

Job One for Space Force: Space Asset Cybersecurity
Much of the United States’ critical infrastructure relies on space systems. I define space systems as assets that either exist in suborbital or outer space or ground control systems—including launch facilities for these assets. Space asset organizations are organizations that build, operate, maintain or own space systems
https://www.belfercenter.org/publication/job-one-space-force-space-asset-cybersecurity

MUD: The Solution to Our Messy Enterprise IoT Security Problems?
While Internet of Things (IoT) devices offer plenty of impressive capabilities that improve efficiency through industrial and workplace applications, they unequivocally continue to pose major security liabilities. Many IoT devices feature little or zero built-in security measures, making them enticing targets for hackers
https://www.darkreading.com/endpoint/mud-the-solution-to-our-messy-enterprise-iot-security-problems/a/d-id/1332384

Tripwire Data Collector uncovers blind spots in industrial cybersecurity
Tripwire announced the debut of Tripwire Data Collector, a new cybersecurity solution to provide visibility into vulnerabilities and changes within operational technology (OT) environments
