6-3-19 – News This Past Week

How likely are weaponized cars?
The modern vehicle can be described as electric, connected, software embedded, driverless, and even artificially intelligent. Left unmanaged and without security considerations, these properties render risks that manifest as software bugs and design flaws that may allow unauthorized remote access

Siemens LOGO!, a PLC for small automation projects, open to attack
LOGO!, a programmable logic controller (PLC) manufactured by Siemens, sports three vulnerabilities that could allow remote attackers to reconfigure the device, access project files, decrypt files, and access passwords

Industry is Not Prepared for the IIoT Attacks that Have Already Begun
Industrial Internet of Things (IIoT) is an essential part of business transformation and the Industry 4.0 revolution. Its use is burgeoning, with more than 7 billion devices in use worldwide. This is expected to grow to more than 20 billion by 2025 — and does not include phones, tablets or laptops. It is a journey just beginning, and nobody yet knows the destination or route
https://www.securityweek.com/industry-not-prepared-iiot-attacks-have-already-begun

High-Risk Flaws Found in Process Control Systems From B&R Automation
According to the cybersecurity firm, the flaws impact 12 components of the APROL products, which are often used by oil and gas, energy, and mechanical engineering companies
https://www.securityweek.com/high-risk-flaws-found-process-control-systems-br-automation

IoT cyberattacks are the new normal, the security mindset isn’t
Eight in ten organizations have experienced a cyberattack on their IoT devices in the past 12 months, according to new research by Irdeto. Of those organizations, 90% experienced an impact as a result of the cyberattack, including operational downtime and compromised customer data or end-user safety.

5-28-19 – News This Past Week

‘Why do we need to wait for people to be hurt?’ Medical cyber attacks soar 1400%
Strapped to a stretcher, surrounded by medics, nurses and doctors, a middle-aged man was about to play patient zero in what America’s health care industry fears could be the next major pandemic: “cybergeddon.”
https://www.sfgate.com/healthredesign/article/medical-cyber-attacks-terrorism-hospital-health-13853912.php

General Motors designs a new “brain and nervous system” for its vehicles
A common criticism of the increasingly digital nature of new cars and trucks is that all these new features are being shoehorned into systems that were not designed with features like connectivity in mind.
https://arstechnica.com/cars/2019/05/general-motors-designs-a-new-brain-and-nervous-system-for-its-vehicles/

Hackers Are Holding Baltimore’s Government Computers Hostage, and It’s Not Even Close to Over
But the city has not paid. In the two weeks since, Baltimore citizens have not had access to many city services. The city payment services and email systems are still offline
https://gizmodo.com/hackers-are-holding-baltimores-government-computers-hos-1834948639

5-20-19 – News This Past Week

Wormable Windows RDS Vulnerability Poses Serious Risk to ICS
A critical remote code execution vulnerability patched recently by Microsoft in Windows Remote Desktop Services (RDS) poses a serious risk to industrial environments, experts have warned.
https://www.securityweek.com/wormable-windows-rds-vulnerability-poses-serious-risk-ics

We chat to boffins who’ve found a way to disrupt landings using off-the-shelf radio kit
In a research paper titled “Wireless Attacks on Aircraft Instrument Landing Systems,” scheduled to be presented at the 28th USENIX Security Symposium in August, computer scientists Harshad Sathaye, Domien Schepers, Aanjhan Ranganathan, and Guevara Noubir demonstrate that it’s possible to interfere with ILS data in real-time, potentially causing aircraft to discontinue a landing approach (“go around”) or miss the landing area entirely in a low-visibility situation
https://www.theregister.co.uk/2019/05/16/airplane_landing_security/

The Shortcomings of Network Monitoring in Fighting ICS Threats
The growing sophistication of industrial control system (ICS) networks, especially since the advent of the Industrial Internet of Things (IIoT), has improved numerous processes while also making them softer targets for attacks. Simply put, interconnectedness has broadened and weakened the attack surface
https://www.securityweek.com/shortcomings-network-monitoring-fighting-ics-threats

The six biggest cybersecurity risks facing the utilities industry
The utilities industry is rapidly modernizing its infrastructure, adding more digitized equipment and connectivity across devices, plants, and systems. This evolution to “smart infrastructure” represents a positive, paradigm shift for the industry

Siemens Addresses Vulnerabilities in LOGO, SINAMICS Products
According to the German industrial giant, SINAMICS Perfect Harmony GH180 medium voltage converters are impacted by two high-severity denial-of-service (DoS) vulnerabilities that can be exploited by an attacker who has access to the network housing the targeted device. The flaws can be exploited with no privileges and without any user interaction
https://www.securityweek.com/siemens-addresses-vulnerabilities-logo-sinamics-products

5-13-19 – News This Past Week

Over 100 Flaws Expose Buildings to Hacker Attacks
He said an attacker can conduct a wide range of activities after hijacking the vulnerable systems, including trigger alarms, lock or unlock doors and gates, control elevator access, intercept video surveillance streams, manipulate HVAC systems and lights, disrupt operations, and steal personal information
https://www.securityweek.com/over-100-flaws-expose-buildings-hacker-attacks

Extinguishing the IoT Insecurity Dumpster Fire
And then as you mentioned, there’s industrial IoT, which has those high type of risk if there is some sort of security issue there. So there really are all these different types of devices and along with those, different types of security implications.

NIST Working on Industrial IoT Security Guide for Energy Companies
The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems
https://www.securityweek.com/nist-working-industrial-iot-security-guide-energy-companies

5-6-19 – News This Past Week

Hacking our way into cybersecurity for medical devices
Hospitals are filled with machines connected to the internet. With a combination of both wired and wireless connectivity, knowing and managing which devices are connected has become more complicated and, consequently, the institutions’ attack surface has expanded

People Are Clamoring to Buy Old Insulin Pumps
How an obsolete medical device with a security flaw became a must-have for some patients with type 1 diabetes
https://www.theatlantic.com/science/archive/2019/04/looping-created-insulin-pump-underground-market/588091/

Plan to secure internet of things with new law
Security vulnerabilities that could be targeted by hackers have been found in everything from toy dolls to internet-connected ovens in recent years
https://www.bbc.com/news/technology-48106582

Two Vulnerabilities Expose Rockwell Controllers to DoS Attacks
Two vulnerabilities discovered by industrial cybersecurity companies CyberX and Nozomi Networks in some of Rockwell Automation’s controllers expose devices to denial-of-service (DoS) attacks
https://www.securityweek.com/two-vulnerabilities-expose-rockwell-controllers-dos-attacks

‘Denial of service condition’ disrupted US energy company operations
An energy company providing power in several western U.S. states experienced a “denial-of-service condition” serious enough to warrant reporting it to the government’s energy authority.

UK Publishes Proposed Regulation for IoT Device Security
The UK government has published a consultation document on the proposed regulation of consumer IoT devices. The consultation is not designed to see whether regulation is necessary, but to help the government “make a decision on which measures to take forward into legislation.”
https://www.securityweek.com/uk-publishes-proposed-regulation-iot-device-security

Security lapse exposed a Chinese smart city surveillance system
Security researcher John Wethington found a smart city database accessible from a web browser without a password. He passed details of the database to TechCrunch in an effort to get the data secured

4-29-19 – News These Past Two Weeks

TRITON Attacks Underscore Need for Better Defenses
After revealing last week that the same set of tools used by the TRITON attackers were also found in a second victim’s network, security services firm FireEye stressed that attackers are likely in the networks of some of the facilities that are home to the 18,000 Triconex safety systems installed in plants worldwide.
https://www.darkreading.com/vulnerabilities---threats/triton-attacks-underscore-need-for-better-defenses/d/d-id/1334418

A look at security threats to critical infrastructure
Threats to critical infrastructure, like Operation Sharpshooter, should motivate CI sectors to take cybersecurity seriously. Learn about the threats and how to defend against them
https://searchsecurity.techtarget.com/tip/A-look-at-security-threats-to-critical-infrastructure

Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems
Recently, the infamous Triton (also known as Trisis) malware framework made news again after researchers from FireEye found evidence of the same attacker lurking in other critical infrastructure. In 2017, Triton was behind an attack that shut down Schneider Electric’s Triconex safety instrumentation system (SIS) at a petrochemical plant in Saudi Arabia — the malware went undetected for nearly a year and has been linked to a group called XENOTIME
https://www.securityweek.com/examining-triton-attack-framework-lessons-learned-protecting-industrial-systems

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps
The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices
https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps

Serious Vulnerabilities Found in Fujifilm X-Ray Devices
The flaws, described in an advisory published this week by ICS-CERT, affect Fuji Computed Radiography (FCR) XC-2 and Capsula X medical imaging products (CR-IR 357) — Capsula products are marketed as Carbon in the United States. The impacted devices are used in the healthcare sector worldwide
https://www.securityweek.com/serious-vulnerabilities-found-fujifilm-x-ray-devices

Rockwell Controller Flaw Allows Hackers to Redirect Users to Malicious Sites
A serious vulnerability affecting some of Rockwell Automation’s MicroLogix and CompactLogix programmable logic controllers (PLCs) can be exploited by a remote attacker to redirect users to malicious websites.
https://www.securityweek.com/rockwell-controller-flaw-allows-hackers-redirect-users-malicious-sites

NIST Tool Finds Errors in Complex Safety-Critical Software
The U.S. National Institute of Standards and Technology (NIST) this week announced that updates to its Automated Combinatorial Testing for Software (ACTS) research toolkit should help developers of complex safety-critical applications find potentially dangerous errors and make their software safer
https://www.securityweek.com/nist-tool-finds-errors-complex-safety-critical-software

4-15-19 – News This Past Week

Someone is targeting “critical infrastructure” safety systems in networked attacks
The Triton malware was first identified 16 months ago by researchers from FireEye: it targets Triconex control systems from Schneider Electric, and was linked by FireEye to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow

Triton ICS Malware Hits A Second Victim
According to researchers at FireEye, the cybercriminals behind Triton, also called Trisis, have once again targeted industrial control systems (ICS), this time at an undisclosed company in the Middle East. Further, FireEye has taken the additional step of linking Triton with high confidence to Russian state-sponsored hackers

SAS 2019: Triton ICS Malware Hits A Second Victim

The hacker group behind the Triton malware strikes again
The company was tight-lipped on the intrusion at the second facility, declining to describe the type of facility or its location — or even the year of the attack

Mysterious safety-tampering malware infects a second critical infrastructure site
Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents
https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/

Industry Reactions to New Triton Attacks on Critical Infrastructure
The existence of Triton came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye, which previously linked Triton to a research institute owned by the Russian government, recently analyzed the threat actor’s tools and techniques after identifying another target
http://www.securityweek.com/industry-reactions-new-triton-attacks-critical-infrastructure

Siemens Patches Serious DoS Flaws in Many Industrial Products
Siemens’ Patch Tuesday updates for April 2019 address several serious vulnerabilities, including some denial-of-service (DoS) flaws affecting many of the company’s industrial products
http://www.securityweek.com/siemens-patches-serious-dos-flaws-many-industrial-products

Critical Vulnerability in Siemens Spectrum Power (CVE-2019-6579) Patched in Monthly Advisory
On April 9, Siemens published its monthly Siemens Advisory Day release across a variety of Siemens products. This includes 11 CVEs newly addressed in Siemens products along with updates to previous advisories, including additional CVEs and product updates and mitigations. The most critical of these vulnerabilities could give an unauthenticated attacker administrative privileges
https://www.tenable.com/blog/critical-vulnerability-in-siemens-spectrum-power-cve-2019-6579-patched-in-monthly-advisory

Cars Exposed to Hacker Attacks by Hardcoded Credentials in MyCar Apps
A small aftermarket telematics unit from Montreal, Canada-based AutoMobility, MyCar provides users with a series of smartphone-controlled features for their cars, including geolocation, remote start/stop and lock/unlock capabilities.
http://www.securityweek.com/cars-exposed-hacker-attacks-hardcoded-credentials-mycar-apps

Medical Device Cybersecurity
Before long, just about everything in the medical world will be running on software – and even connected to the internet. That already applies to pacemakers and insulin pumps and a host of devices used in hospitals
http://www.byuradio.org/episode/e85c70f1-e81a-48d4-9c69-9c469fe23ce6/top-of-mind-with-julie-rose-israel-women-in-trucking-medical-device-cybersecurity?playhead=2219&autoplay=true

Hacking healthcare: A call for infosec researchers to probe biomedical devices
It is a brave new connected world out there and there is no shortage of cybersecurity risks associated with everything we do. We can’t even be sure that the technologies that keep us alive and healthy will work as intended if malicious actors set their sights on them

90% of OT organizations are cyberattack victims, yet visibility into OT systems is still limited
OT professionals have spoken — the people who manage critical systems such as manufacturing plants and transportation almost unanimously state that they are fighting-off cyberattacks on a regular basis

4-8-19 – News This Past Week

TXOne Networks Unveils First Industrial Cybersecurity Product
TXOne Networks, a joint venture between cybersecurity firm Trend Micro and industrial networking solutions provider Moxa, this week unveiled its first product, an industrial intrusion prevention system
https://www.securityweek.com/txone-networks-unveils-first-industrial-cybersecurity-product

Long Equipment Life Cycles Expose Manufacturing Industry to Attacks: Study
Using data from its Smart Protection Network infrastructure, Trend Micro has conducted a detailed analysis of the threats and risks impacting the manufacturing sector and drew comparisons to other industries
https://www.securityweek.com/long-equipment-life-cycles-expose-manufacturing-industry-attacks-study

Researchers trick radiologists with malware-created cancer nodes
Security researchers in Israel have developed malware that can add realistic-looking but entirely fake growths to CT and MRI scans or hide real cancerous nodules that would be detected by the medical imaging equipment
https://www.engadget.com/2019/04/03/malware-cancerous-nodes-ct-mri-scans/

Airports & Operational Technology: 4 Attack Scenarios
As OT systems increasingly fall into the crosshairs of cyberattackers, aviation-industry CISOs have become hyper-focused on securing them
https://www.darkreading.com/vulnerabilities---threats/airports-and-operational-technology-4-attack-scenarios-/a/d-id/1334282

Study maps ‘extensive Russian GPS spoofing’
The analysis showed Russia was “pioneering” the use of GPS spoofing techniques to “protect and promote its strategic interests”, the report said
https://www.bbc.com/news/technology-47786248

Researchers trick Tesla Autopilot into steering into oncoming traffic
Researchers have devised a simple attack that might cause a Tesla to automatically steer into oncoming traffic under certain conditions. The proof-of-concept exploit works not by hacking into the car’s onboard computing system, but by using small, inconspicuous stickers that trick the Enhanced Autopilot of a Model S 75 into detecting and then following a change in the current lane
https://arstechnica.com/information-technology/2019/04/researchers-trick-tesla-autopilot-into-steering-into-oncoming-traffic/

Boeing’s 737 Max update is still ‘weeks’ away from FAA approval
This long wait wasn’t entirely unexpected. Leaks hinting at tentative approval warned that Boeing might have to make last-minute changes, and even an ideal update schedule would have airlines waiting a while to deploy the update to their fleets
https://www.engadget.com/2019/04/01/faa-will-take-long-time-to-approve-737-max-fix/

Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
The vulnerability was identified in Rockwell Automation’s PowerFlex 525 drive component, which is used in applications such as conveyors, fans, pumps and mixers. The drive offers a wide range of motor and software controls from regulating volts per hertz and software used to manage EtherNet/IP networks

Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers
https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives

The Consumerization of Industrial Cyber Security
If we look back to the internet boom of the mid 1990s, the general public was also unaware of how a computer security breach could impact their lives. Little attention was given to computer viruses (now called malware), websites that were compromised by hackers or data breaches
https://www.securityweek.com/consumerization-industrial-cyber-security

4-1-19 – News This Past Week

Critical Rockwell Automation Bug in Drive Component Puts IIoT Plants at Risk
A critical denial-of-service (DoS) vulnerability has been found in a Rockwell Automation industrial drive, which is a logic-controlled mechanical component used in industrial systems to manage industrial motors.

Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives
PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers
https://www.securityweek.com/critical-flaw-allows-hackers-take-control-powerflex-ac-drives

The Consumerization of Industrial Cyber Security
Little attention was given to computer viruses (now called malware), websites that were compromised by hackers or data breaches. But that all changed, once attackers began stealing credit card information and identities online.
https://www.securityweek.com/consumerization-industrial-cyber-security

3-25-19 – News This Past Week

New IoT Security Bill: Third Time’s the Charm?
The latest bill to set security standards for connected devices sold to the US government has fewer requirements, instead leaving recommendations to the National Institute of Standards and Technology.
https://www.darkreading.com/iot/new-iot-security-bill-third-times-the-charm/d/d-id/1334190

Hacked tornado sirens taken offline in two Texas cities ahead of major storm
A hacker set off the tornado emergency sirens in the middle of the night last week across two North Texas towns. Following the unauthorized intrusion, city authorities had to shut down their emergency warning system a day before major storms and potential tornados were set to hit the area.
https://www.zdnet.com/article/hacked-tornado-sirens-taken-offline-in-two-texas-cities-ahead-of-major-storm/

Boeing downplayed 737 MAX software risks, self-certified much of plane’s safety
Additionally, the MCAS system was designed to work based on input from only one sensor—despite the fact that Boeing rated a failure of the system as “hazardous.” That level of risk—which in itself was understated, according to engineers—should have been enough to require redundant sensors.
https://arstechnica.com/information-technology/2019/03/boeing-downplayed-737-max-software-risks-self-certified-much-of-planes-safety/

They didn’t buy the DLC: feature that could’ve prevented 737 crashes was sold as an option
The MCAS includes a feature that determines when the aircraft is pointed upward relative to the flow of air across its surface at an angle that could lead to the loss of sufficient lift to keep the airplane flying—what’s known as a stall. To prevent a stall, MCAS (like other anti-stall systems on commercial aircraft) adjusts the aircraft’s tail stabilizers to push the nose of the aircraft down, boosting its airspeed.
https://arstechnica.com/information-technology/2019/03/boeing-sold-safety-feature-that-could-have-prevented-737-max-crashes-as-an-option/

Boeing to make safety feature standard on troubled Max jets
The equipment, which had been offered as an option, alerts pilots of faulty information from key sensors. It will now be included on every 737 Max as part of changes that Boeing is rushing to complete on the jets by early next week, according to two people familiar with the changes
https://www.apnews.com/140576a8e9d4449eae646c8c479fdc3a

Schneider Electric Working on Patch for Flaw in Triconex TriStation Emulator
A serious denial-of-service (DoS) vulnerability has been found in Schneider Electric’s Triconex TriStation Emulator software. The vendor has yet to release a patch, but assured customers that the flaw does not pose a risk to operating safety controllers.
https://www.securityweek.com/schneider-electric-working-patch-flaw-triconex-tristation-emulator

Securing Industrial IoT in the Modern World
Manufacturing arguably offers the largest attack surface of almost any industry with regards to cybersecurity threats, and has long been a prime target for ‘everyday’ attacks like phishing, ransomware, data-theft – you name it, they’ve seen it.
https://www.securityweek.com/securing-industrial-iot-modern-world

8 ways to protect building management systems
Like any other computer system installed in buildings and factories, building management systems are vulnerable to attackers, such as disgruntled employees, industry competitors, industrial spies or a nation-state
https://searchsecurity.techtarget.com/tip/8-ways-to-protect-building-management-systems

Triton and the new wave of IIoT security threats
Triton malware, which can shut down industrial safety systems, causing damage to facilities and threatening human life, targets the industrial internet of things
https://www.networkworld.com/article/3375206/triton-and-the-new-wave-of-iiot-security-threats.html

Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft
Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people’s bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed

DHS issues warning about Medtronic implantable defibrillator flaws
A warning issued by the department says over 20 Medtronic products are afflicted with vulnerabilities that could be exploited by attackers nearby. Sixteen of the products are implantable defibrillators — some still sold around the world today — while the others are the defibrillators’ bedside monitors and programmers.
https://www.engadget.com/2019/03/22/dhs-warning-medtronic-implantable-defibrillator-flaws/

Don’t have a heart attack but your implanted defibrillator can be hacked over the air
Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients’ chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect
https://www.theregister.co.uk/AMP/2019/03/22/medtronic_implanted_defibrillator_hackable/

Schneider Electric partners with Vericlave to protect customers’ critical IT and OT systems
Under the terms of the agreement, Schneider Electric will provide Vericlave’s advanced encryption technology to further secure and protect its customers’ critical IT and OT systems from the risk of cyberattack.
