07-30-18 – News This Past Week

Xage secures $12 million Series A for IoT security solution on blockchain
It’s an interesting approach, one that attracted Duncan Greatwood to the company. As he told me in December his previous successful exits — Topsy to Apple in 2013 and PostPath to Cisco in 2008 — gave him the freedom to choose a company that really excited him for his next challenge.

Security concerns around the rapidly growing use of the Industrial Internet of Things
These are the key findings of the 2018 SANS Industrial IoT Security Survey report, which examines the security concerns around the rapidly growing use of IIoT. IIoT is the subset of the Internet of Things that focuses specifically on the industrial application of connected physical devices within critical infrastructure such as electricity, manufacturing, oil and gas, transportation and healthcare

No big deal… Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities
Uncle Sam’s finest reckon Moscow’s agents managed to infiltrate computer networks within US electric utilities – to the point where the miscreants could have virtually pressed the off switch in control rooms, yanked the plug on the Yanks, and plunged America into darkness

Endpoint Concerns Blight IIoT Security
The 2018 SANS Industrial IoT Security Survey includes responses from over 200 security, IT and OT professionals in organizations ranging in size from less than 1000 to over 50,000 employees

DHS Officials: Hundreds of US Utility Victims Infiltrated by Russian Hackers
The US Department of Homeland Security, which earlier this year warned of Russian nation-state hacking teams targeting energy and other critical infrastructure organizations, in a briefing this week provided more details on the attack campaign

AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger
UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools

Unpacking the Impact of NIST 1.1 Updates on ICS
The National Institute of Standards and Technology (NIST) recently updated its cybersecurity framework (CSF), rolling out changes to all five pillars: Identify, Protect, Detect, Respond, and Recover. These changes present some challenges for industrial organizations that want or need to comply with this CSF

Jeff Wilbur of the Online Trust Alliance on why enterprise IoT security is a lot like BYOD
As consumer Internet of Things (IoT) devices inevitably find their way into the workplace, IT pros need to isolate them from the rest of the enterprise network, perhaps on a network of their own, so they don’t become backdoors exploitable by attackers, according to the head of the Online Trust Alliance

The Industrial World is Facing a Security Crisis
As more industrial systems become connected, so follows increased awareness of security issues surrounding industrial control systems, programmable logic controllers and SCADA. These once rare worlds of operational technology (OT) and IoT have now become part of the mainstream cybersecurity conversation

Podcast: The Industrial World is Facing a Security Crisis

SCADA vulnerabilities in ICS architectures
A major challenge in industrial control system architecture involves the dual nature of its underlying technologies. That is, a typical ICS component must have the capability to exchange information with both IT and OT systems across designated network or system interfaces.

Shipping company’s networks in the Americas crippled by ransomware attack
The statement—and posts on COSCO’s official Twitter and Facebook accounts—didn’t disclose the reason for the outage. The Press-Telegram of Long Beach, California, however, reported on Tuesday that the China state-owned shipping company was infected by ransomware. The report didn’t identify the name or strain of the ransomware, which generally encrypts computer hard drives and demands a payment by digital currency to decrypt it.

07-23-18 – News This Past Week

How hackers exploit critical infrastructure
The traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, that malicious hacking activity would be increasingly targeted in this direction

Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps
A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.

An introduction to ICS threats and the current landscape
ICS threats have become more prevalent, so the need for organizations to understand the risks has grown. Expert Ernie Hayden explains what enterprises need to know

SCADA/ICS Dangers & Cybersecurity Strategies
Nearly 60% of surveyed organizations using SCADA or ICS reported they experienced a breach in those systems in the last year. Here are four tips for making these systems safer

A $225 GPS spoofer can send sat-nav-guided vehicles into oncoming traffic
The attack starts with a $225 piece of hardware that’s planted in or underneath the targeted vehicle that spoofs the radio signals used by civilian GPS services. It then uses algorithms to plot a fake “ghost route” that mimics the turn-by-turn navigation directions contained in the original route. Depending on the hackers’ ultimate motivations, the attack can be used to divert an emergency vehicle or a specific passenger to an unintended location or to follow an unsafe route. The attack works best in urban areas the driver doesn’t know well, and it assumes hackers have a general idea of the vehicle’s intended destination

07-16-18 – News This Past Week

Flaws Expose Siemens Protection Relays to DoS Attacks
Siemens has informed customers that some of the company’s SIPROTEC protection relays are exposed to denial-of-service (DoS) attacks due to a couple of vulnerabilities present in the EN100 communication module

VPNFilter Malware Hits Critical Infrastructure in Ukraine
The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization

Ukraine Security Service Stops VPNFilter Attack at Chlorine Station
Ukraine’s SBU Security Service reportedly detected and shut down a cyberattack that used VPNFilter malware on network equipment in a chlorine station that supplies water treatment and sewage plants

ICS Security: ‘The Enemy Is in the Wire’
Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.

Thales and Device Authority healthcare IoT solution ensures device and data security for medical devices
Thales and Device Authority announce a jointly developed solution to ensure the authentication of IoT devices and the confidentiality and integrity of the data they rely on – giving both healthcare professionals and their patients the confidence to adopt these technologies

Power Grid Protection Firm SEL Patches Severe Software Flaws
Several vulnerabilities, including ones rated high severity, have been discovered in management and configuration tools from power grid protection company Schweitzer Engineering Laboratories (SEL). The vendor has released software updates to address the flaws

07-09-18 – News This Past Week

Flaws Expose Siemens Central Plant Clocks to Attacks
Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source

Strange and scary IoT hacks
The Internet of Things has provided a worldwide digital playground for hackers, pranksters and those who would thwart them and here are 9 of the most unnerving

Azure IoT Edge Exits Preview with Security Updates
Microsoft rolls out its cloud-based IoT service to the general public, while upping data protection with new categories including device management and security

For victims of smart home abuse, there’s no easy out
On the surface, this seems like a relatively straightforward problem to solve: Just change your password or unplug the devices, right? Except the issue here is two-fold. Not only are the devices sometimes solely controlled by the abuser, but oftentimes making these changes will result in even worse abuse, especially if the couple is still living together.

07-02-18 – News This Past Week

Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products

Industrial IoT: Protecting the Physical World from Cyber Attacks
The convergence of industrial IoT and intelligent automation has been a boon for many enterprises, allowing machines to take on tasks that previous generations of automation could not handle. This shift mirrors the way that connected devices have transformed home life for many consumers

Fairhair Alliance Building IoT Security Architecture
A group of companies in the building automation and IoT space is working for a coherent security architecture that incorporates multiple standards

House Passes Bill to Enhance Industrial Cybersecurity
The U.S. House of Representatives on Monday passed a bill aimed at protecting industrial control systems (ICS), particularly ones used in critical infrastructure, against cyberattacks

Simple Security Flaws Could Steer Ships Off Course
A proof-of-concept attack could cause ships to dangerously veer off course, and it all stems from simple security issues, including the failure to change default passwords or segment networks.

New WPA3 security protocol simplifies logins, secures IoT
Latest WPA3 security protocol update adds new features to the Wi-Fi access specification for simple and secure wireless access for individuals, as well as enterprises

US legislators put industrial control system security on the map
After a spate of attacks on industrial control systems (ICS), the US this week officially recognized the need to secure them with a new bill. On Monday, House representatives passed legislation to bring these systems under the protection of the Department of Homeland Security

CIS Adapts Critical Security Controls to Industrial Control Systems
The Center for Internet Security (CIS) recently updated their popular CIS Controls – formerly known as the SANS Top 20 – and just published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide, in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments

GlobalSign, Comodo launch competing IoT security platforms
GlobalSign Tuesday unveiled its IoT Identity Platform, which includes several products and services aimed at using public key infrastructure (PKI) to assign identities to IoT devices and authenticate them. The cloud-based platform includes IoT Edge Enroll, an enrollment client that provisions and manages PKI-based identities for an assortment of connected devices.

06-25-18 – News This Past Week

Pwned with ‘4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure
A presentation at last week’s BSides London conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.

China-based hackers burrow inside satellite, defense, and telecoms firms
An advanced hacking campaign originating in China has spent the past year infiltrating satellite operators, defense contractors, and telecoms companies in the US and Southeast Asia, researchers from Symantec said

SCADA Hacking – Industrial Systems Woefully Insecure
It was ok before everything started getting wired up to networks, but with SCADA systems pre-dating the kind of security controls we need to stay safe, it’s hard to retrofit them

NanoLock Launches Platform to Protect IoT Devices From Production Through End-of-Life
Cybersecurity start-up NanoLock Security today announced a new lightweight security platform designed to add security into the small connected devices better known as the internet of things, rather than to overlay security around those devices.

Four New Vulnerabilities in Phoenix Contact Industrial Switches
Phoenix Contact has disclosed four vulnerabilities in switches in the FL SWITCH industrial line. The affected devices are typically used in automated processes at digital substations, oil and gas, maritime, and other industrial applications

Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there

Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products

Hippocratic Oath in German

The country of Siemens, Braun, Dräger, Zeiss and many more renowned medical engineering companies is finally getting it too: I am the Cavalry has published the long and short versions of the Hippocratic Oath for Connected Devices in the German language. The Oath is a voluntary agreement to honour the principles of software engineering safety to protect patients’ health and lives and can be found under https://iamthecavalry.org/eid. Find the PDF here.

06-18-18 – News This Past Week

‘Shift Left’ & the Connected Car
How improving application security in the automotive industry can shorten product development time, reduce costs, and save lives.

ICS/SCADA Smart Scanning: Discover and Assess IT-Based Systems in Converged IT/OT Environments
Increasingly, operational technology (OT) environments are interconnecting with IT and adopting exploitable IT-based assets and protocols. This means OT systems are exposed to IT threats. Additionally, IT/OT convergence is expanding the cyberattack surface.

Security Vulnerabilities: A Threat to Automotive Innovation
The pace of innovation within the automotive industry has been breath-taking. Only ten years ago, the very concept of self-driving cars and heavy goods vehicles was still regarded as far-fetched science fiction. Today, they are already a common sight on many roads around the world.

Siemens Patches Vulnerabilities in SCALANCE, Other Devices
Siemens this week published five new security advisories describing several vulnerabilities discovered in its switches, routers, building automation products, and medical devices

Critical Flaws Patched in Schneider Building Automation Software
Schneider Electric recently patched four vulnerabilities in its U.motion Builder software, including two critical command execution flaws. Advisories have been published by both the vendor and ICS-CERT

06-11-18 – News This Past Week

Tens of Vulnerabilities Found in Quest Appliances
Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details

Interconnectivity Has Put ICS Environments in Cyber Risk Crosshairs
Tell any IT professional that the computer running the electrical grid has not been updated in 20 years, or that the machine that controls operations in the bottling plant was last tuned up when Y2K was still being planned, and they will look at you like you are crazy. They simply will not believe you.

What happens if IoT security doesn’t get solved?
A new Bain & Company report says security concerns are slowing IoT adoption. Is this problem fixable — and what if it isn’t?

Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
Mirai is the archetypal IoT botnet, first achieving infamy with a 665 Gbps DDoS attack against the KrebsOnSecurity website in September 2016. Within days, a second Mirai attack targeted the French hosting firm, OVH, with an attack that peaked at nearly 1 Tbps. These were, at the time, the largest DDoS attacks ever recorded

Researcher Successfully Hacked In-Flight Airplanes – From the Ground
It’s been four years since researcher Ruben Santamarta rocked the security world with his chilling discovery of major vulnerabilities in satellite equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities

US Government Probes Airplane Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’
According to DHS and other US government documents obtained by Motherboard, the DHS is continuing to investigate how insecure commercial aircraft are to cyber attacks, with one research lab saying hacking a plane may lead to a “catastrophic disaster.”

Vulnerable ship systems: Many left exposed to hacking
Pen Test Partners’ Ken Munro and his colleagues – some of whom are former ship crew members who really understand bridge and propulsion systems – have been probing the security of ships’ IT systems for a while now and the results are depressing: satcom terminals exposed on the Internet, admin interfaces accessible via insecure protocols, no firmware signing, easy-to-guess default credentials, and so on

Serious Flaws Found in Philips Patient Monitoring Devices
Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available

Triton ICS Malware Developed Using Legitimate Code
The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work

MIT researchers develop transmitter to prevent hackers from attacking IoT devices
One method that has been looked into to protect the data on these devices is “frequency hopping”, a technique which sends each data packet, containing thousands of individual bits, on a random, unique radio frequency (RF) channel, so hackers can’t pin down any given packet

05-21-18 – News This Past Week

Siemens Patches DoS Flaws in Medium Voltage Converters
According to advisories published by ICS-CERT and Siemens, the flaws impact SINAMICS GH150, GL150, GM150, SL150, SM120 and SM150 converters, which are used worldwide in the energy, chemical, critical manufacturing, water and wastewater, and food and agriculture sectors

Many Vulnerabilities Found in OPC UA Industrial Protocol
Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including for control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems

‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK
The group, tracked as “Allanite,” has been linked to campaigns conducted by Dragonfly (aka Energetic Bear and Crouching Yeti) and Dymalloy, which Dragos discovered while analyzing Dragonfly attacks

Internet of Things Security Policies Still Lagging, Report Finds
Internet of things (IoT) security has been a growing concern in recent years, with vulnerabilities continuing to be reported and hackers continuing to launch attacks.

A flaw in a connected alarm system exposed vehicles to remote hacking
A bug that allowed two researchers to gain access to the backend systems of a popular internet-connected vehicle management system could have given a malicious hacker everything they needed to track the vehicle’s location, steal user information, and even cut out the engine.

IT Pros Worried About IoT But Not Prepared to Secure It
Few organizations have a security policy in place for Internet of Things devices, new survey shows

Relying on legacy security technologies leaves you blind to IoT threats
IoT and IIoT (Industrial IoT) introduce new IoT networks autonomous from the enterprise network. Organizations are blind to these IoT networks and devices across a plethora of new protocols and frequencies.

‘Chrysene’ Group Targets ICS Networks in Middle East, UK
Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks

Critical Flaws Patched in Phoenix Contact Industrial Switches
Several vulnerabilities, including ones rated critical and high severity, have been patched in industrial ethernet switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions

Critical Code Execution Flaws Patched in Advantech WebAccess
Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.

Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
SIMATIC S7-400 is a family of programmable logic controllers (PLCs) designed for process control in industrial environments. The product is used worldwide in the automotive, mechanical equipment manufacturing, building engineering, steel, power generation and distribution, chemical, warehousing, food, and pharmaceutical sectors

Hacking train Wi-Fi may expose passenger data and control systems
Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers’ credit card information, according to infosec biz Pen Test Partners this week

2018: Scariest Year of Evil Things on the Internet
The report indicates that security professionals have a heightened concern for growing threats, with 85% of respondents believing their country will suffer a major critical infrastructure cyber-attack in the next five years

The Enterprise of Things’ troubling lack of security
Enterprise deployment of IoT devices brings a unique requirement to enterprise security that is distinct from normal end points and data centers. Here are three strategies to address it

Getting grounded in IoT networking and security
The internet of things already consists of nearly triple the number of devices as there are people in the world, and as more and more of these devices creep into enterprise networks it’s important to understand their requirements and how they differ from other IT gear.

Most Industrial Networks Vulnerable to Attack
Despite the fact that so many aspects of a modern society rely on the proper and uninterrupted operations of critical infrastructure, security flaws across many industrial control systems (ICSs) are largely vulnerable to cyber-attacks

The ABCs Driving the Growth of Industrial Cybersecurity
Nothing in industrial cybersecurity is as simple as ABC. Protecting complex, yet aging industrial networks against direct and indirect attacks, planned by increasingly sophisticated adversaries, is as big a challenge as you’ll find in operational technology. And, for decades, the exposure of industrial control systems was overlooked and fell far behind IT in terms of risk management