08-20-18 – News These Past Two Weeks

Hacking Police Bodycams
Mitchell even realized that because he can remotely access device storage on models like the Fire Cam OnCall, an attacker could potentially plant malware on some of the cameras
https://www.wired.com/story/police-body-camera-vulnerabilities/

Five key security tips to avoid an IoT hack
Recently, Russian PIR Bank lost $1,000,000 because of a compromised router that allowed hackers to gain entry into their local network. Why did it happen and how can companies protect themselves?

In-flight satellite comms vulnerable to remote attack, researcher finds
As well as finding that Telnet, FTP and web were available for certain IPs, it turned out that an interface page for a Hughes aircraft satellite communication (SATCOM) router could also be accessed without authentication

Smart Irrigation Systems Expose Water Utilities to Attacks
A team of experts has analyzed smart irrigation systems from several vendors and found vulnerabilities that can be exploited to cause potentially serious disruptions to urban water services.
https://www.securityweek.com/smart-irrigation-systems-expose-water-utilities-attacks

Critical Flaws Found in NetComm Industrial Routers
An industrial router made by Australian telecommunications equipment company NetComm Wireless is affected by several serious vulnerabilities that can be exploited remotely to take control of affected devices
https://www.securityweek.com/critical-flaws-found-netcomm-industrial-routers

Ensuring Your Industrial Wireless Systems Are Safely Deployed
Finding a competitive edge in heavy industries and manufacturing today is as much about digitization and data analytics as it is about bringing new products and services to market. It has therefore become imperative for businesses in these sectors to invest in technologies that allow them to connect, control and monitor their industrial environments using sensors, gateways and other digital transformation tools
https://www.securityweek.com/ensuring-your-industrial-wireless-systems-are-safely-deployed

BlackIoT Botnet: Can Water Heaters, Washers Bring Down the Power Grid?
The researchers – Saleh Soltan, Prateek Mittal and H. Vincent Poor from Princeton University – have dubbed the theoretical offensive “BlackIoT”, and have coined the threat to be a “manipulation of demand via IoT” attack, or MadIoT.

Botnet of Smart Heaters, ACs Can Cause Power Disruptions
Wi-Fi enabled air conditioners, ovens, water heaters and space heaters that can be controlled remotely over the Internet are increasingly popular. The power usage of these devices ranges between 1,000 and 5,000 watts
https://www.securityweek.com/botnet-smart-heaters-acs-can-cause-power-disruptions-researchers

Election systems should be considered critical infrastructure
93 percent of security professionals are concerned about cyber-attacks targeting election infrastructure and data, and 81 percent believe cyber criminals will target election data as it is transmitted by machines, software and hardware applications, from local polling stations to central aggregation points, a recent study by Venafi has revealed

Dragos to integrate ICS-specific threat intelligence with cyber intelligence partners
Dragos announced that its industrial control system (ICS) threat intelligence product, WorldView, will integrate with partner companies, ThreatConnect, Recorded Future, ThreatQuotient, and EclecticIQ

ICS security fails the Black Hat test
Industrial control systems hit the mainstream at Black Hat this year, with over two dozen program sessions tackling different angles of the subject. The takeaway: Vendors still aren’t really trying
https://searchsecurity.techtarget.com/news/252447079/ICS-security-fails-the-Black-Hat-test

Philips Vulnerability Exposes Sensitive Cardiac Patient Information
A vulnerability in the Philips IntelliSpace Cardiovascular (ISCV) line of medical data management products would allow privilege escalation and arbitrary code execution – opening the door for an attacker to siphon out all kinds of confidential patient information, including medical images and full diagnostic details.

The future of OT security in critical infrastructure
To address these challenges, we discuss below three specific areas in the context of both improved enterprise operational effectiveness, and enhanced security for industrial control systems

IoT Malware Discovered Trying to Attack Satellite Systems of Airplanes, Ships
Researcher Ruben Santamarta shared the details of his successful hack of an in-flight airplane Wi-Fi network – and other findings – at Black Hat USA today
https://www.darkreading.com/vulnerabilities---threats/iot-malware-discovered-trying-to-attack-satellite-systems-of-airplanes-ships/d/d-id/1332529

With Healthcare Security Flaws, Safety’s Increasingly at Stake
A lax culture around cybersecurity from medical device manufacturers and healthcare professionals (and a lack of education around good security measures) is putting hospitals – and subsequently their patients – at risk, said researchers, speaking at Black Hat 2018.

Black Hat 2018: With Healthcare Security Flaws, Safety’s Increasingly at Stake

Flaws in Siemens Tool Put ICS Environments at Risk
Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments
https://www.securityweek.com/flaws-siemens-tool-put-ics-environments-risk

Hack causes pacemakers to deliver life-threatening shocks
Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday
https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/

In-vehicle wireless devices are endangering emergency first responders
One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate
https://arstechnica.com/information-technology/2018/08/in-vehicle-wireless-devices-are-endangering-emergency-first-responders/

Flaws in Smart City Systems Can Allow Hackers to Cause Panic
The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.
https://www.securityweek.com/flaws-smart-city-systems-can-allow-hackers-cause-panic

IoT security: Lessons we can learn from the evolution of road safety
I was recently chatting with my father about his life as a young boy growing up in rural Ireland in the middle of the last century, and the conversation moved onto cars and how when he was young cars were a relatively new technology.

A botnet of smart irrigation systems can deplete a city’s water supply
However, municipalities and local government entities have adopted new green technology using IoT smart irrigation systems to replace traditional sprinkler systems, and they don’t have the same critical infrastructure security standards

Smart cities are exposed to old-school threats
Spurred by the false alarm that made Hawaii residents fear for their lives earlier this year, IBM X-Force Red and Threatcare researchers have decided to test several smart city devices and ultimately found 17 zero-day vulnerabilities, some of which could be exploited to create potentially deadly chaos

Manufacturing Industry Experiencing Higher Incidence of Cyberattacks
According to a new report out today, manufacturing companies have started experiencing elevated rates of cyber reconnaissance and lateral movement from attackers taking advantage of the growing connectivity within the industry
https://www.darkreading.com/risk/manufacturing-industry-experiencing-higher-incidence-of-cyberattacks/d/d-id/1332515

IBM Opens New Labs for Cracking ATMs, IoT Devices
The new network of facilities provides all the toys required for testing the security of consumer and industrial Internet of Things (IoT) technologies, automotive equipment, and Automated Teller Machines (ATMs), both before and after they are deployed to customers
https://www.securityweek.com/ibm-opens-new-labs-cracking-atms-iot-devices

The Importance of Access Control for IoT Devices
Cybercriminals are actively increasing their focus on IoT devices, with the latest variant of the Hide ‘N Seek malware expanding its focus to include, for the first time, home automation devices. There are two reasons why these devices are so attractive to the criminal community. The first is that these devices are notoriously vulnerable to attack while at the same time being very difficult, if impossible to secure
https://www.securityweek.com/importance-access-control-iot-devices

Even ‘Regular Cybercriminals’ Are After ICS Networks
Contrary to what some might perceive, state-backed groups and advanced persistent threat (APT) actors are not the only adversaries targeting industrial control system (ICS) environments
https://www.darkreading.com/vulnerabilities---threats/even-regular-cybercriminals-are-after-ics-networks/d/d-id/1332505

Governor Snyder announces new high school curriculum focused on automotive cybersecurity
Offering our high school students hands-on experience in dynamic fields like automotive cybersecurity will be critical to filling the growing demand for talent in key professional trades

Irdeto provides anti-hacking protection for Indentive’s home IoT platform
Irdeto is partnering with Indentive, a Swedish IoT technology provider, to secure its home IoT platform, Connective. Indentive will implement Irdeto Cloakware to ensure that security is built into the basis of the home network, including the latest generation of its consumer-facing IoT applications

08-06-18 – News This Past Week

US Department of Homeland Security says Russia hacked networks of major US energy firms
Citing officials at the Department of Homeland Security (DHS), the hacks were first detected in the spring of 2016 and continued throughout 2017, carried out by hackers who worked for a Russian state-sponsored group previously known as Dragonfly or Energetic Bear
https://www.v3.co.uk/v3-uk/news/3036469/us-department-of-homeland-security-says-russia-hacked-networks-of-major-us-energy-firms

Dept. of Energy to Test Electrical Grid Against Cyberattacks
The Department of Energy wants to find out, so it’s launching the first hands-on exercise to test the grid’s ability to recover from a blackout caused by cyberattacks, E&E News reports. Its weeklong experiment, dubbed “Liberty Eclipse,” will take place starting Nov. 1 on a restricted area off the New York coast called Plum Island
https://www.darkreading.com/vulnerabilities---threats/dept-of-energy-to-test-electrical-grid-against-cyberattacks/d/d-id/1332481

FBI Offers New IoT Security Tips
Following the FBI’s May request to router owners to reboot their devices, the bureau has released a “Security Tip” about risks associated with the Internet of Things (IoT). Included among suggestions to be alert to unusual increases in network traffic and reminders about the wisdom of firmware updates are statements regarding the importance of the IoT and the true nature of the risks involved
https://www.darkreading.com/iot/fbi-offers-new-iot-security-tips/d/d-id/1332482

Court sinks children’s hospital attacker found stranded on a boat
In 2014, Gottesfeld affiliated himself with the Anonymous brand of hacktivism and left multiple hospitals hamstrung by flooding their computer networks with distributed denial of service (DDoS) e-garbage and putting out the standard, monotone Guy Fawkes call for others to join in
Guilty! Court sinks children’s hospital attacker found stranded on a boat

Phishing Campaign Targets 400 Industrial Organizations
Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which include oil and gas to metallurgy, energy, construction and logistics
https://www.securityweek.com/phishing-campaign-targets-400-industrial-organizations

Power Grid Security: How Safe Are We?
Experiencing a power outage? It could have been caused by a hacker … or just a squirrel chewing through some equipment. And that’s a problem.
https://www.darkreading.com/endpoint/power-grid-security-how-safe-are-we/a/d-id/1332420

Addressing IoT Device Security Head-on
Securing IoT devices can be challenging. Product developers necessarily have deep expertise in project management, engineering, quality assurance and many other aspects of bringing a product to market. But they don’t typically have expertise in cybersecurity, such as security threat intelligence, regulatory compliance, and data breach avoidance or response requirements.
https://www.securityweek.com/addressing-iot-device-security-head

Why Bitcoin Miners Target Critical Infrastructure Networks
On this week’s Threatpost Podcast show, we sit down with Ronen Rabinovich from Cyberbit to discuss bitcoin mining on operational technology and critical infrastructure networks

Podcast: Why Bitcoin Miners Target Critical Infrastructure Networks

DHS Establishes Center For Defense of Critical Infrastructure
Center foundational to new government-led ‘collective defense’ strategy for sharing and responding to cyberthreats, DHS secretary says
https://www.darkreading.com/attacks-breaches/dhs-establishes-center-for-defense-of-critical-infrastructure-/d/d-id/1332442

Job One for Space Force: Space Asset Cybersecurity
Much of the United States’ critical infrastructure relies on space systems. I define space systems as assets that either exist in suborbital or outer space or ground control systems—including launch facilities for these assets. Space asset organizations are organizations that build, operate, maintain or own space systems
https://www.belfercenter.org/publication/job-one-space-force-space-asset-cybersecurity

MUD: The Solution to Our Messy Enterprise IoT Security Problems?
While Internet of Things (IoT) devices offer plenty of impressive capabilities that improve efficiency through industrial and workplace applications, they unequivocally continue to pose major security liabilities. Many IoT devices feature little or zero built-in security measures, making them enticing targets for hackers
https://www.darkreading.com/endpoint/mud-the-solution-to-our-messy-enterprise-iot-security-problems/a/d-id/1332384

Tripwire Data Collector uncovers blind spots in industrial cybersecurity
Tripwire announced the debut of Tripwire Data Collector, a new cybersecurity solution to provide visibility into vulnerabilities and changes within operational technology (OT) environments

07-30-18 – News This Past Week

Xage secures $12 million Series A for IoT security solution on blockchain
It’s an interesting approach, one that attracted Duncan Greatwood to the company. As he told me in December his previous successful exits — Topsy to Apple in 2013 and PostPath to Cisco in 2008 — gave him the freedom to choose a company that really excited him for his next challenge.

Security concerns around the rapidly growing use of the Industrial Internet of Things
These are the key findings of the 2018 SANS Industrial IoT Security Survey report, which examines the security concerns around the rapidly growing use of IIoT. IIoT is the subset of the Internet of Things that focuses specifically on the industrial application of connected physical devices within critical infrastructure such as electricity, manufacturing, oil and gas, transportation and healthcare

No big deal… Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities
Uncle Sam’s finest reckon Moscow’s agents managed to infiltrate computer networks within US electric utilities – to the point where the miscreants could have virtually pressed the off switch in control rooms, yanked the plug on the Yanks, and plunged America into darkness
https://www.theregister.co.uk/2018/07/24/russia_us_energy_grid_hackers/

Endpoint Concerns Blight IIoT Security
The 2018 SANS Industrial IoT Security Survey includes responses from over 200 security, IT and OT professionals in organizations ranging in size from less than 1000 to over 50,000 employees
https://www.infosecurity-magazine.com/news/endpoint-confusion-and-concerns/

DHS Officials: Hundreds of US Utility Victims Infiltrated by Russian Hackers
The US Department of Homeland Security, which earlier this year warned of Russian nation-state hacking teams targeting energy and other critical infrastructure organizations, in a briefing this week provided more details on the attack campaign
https://www.darkreading.com/attacks-breaches/dhs-officials-hundreds-of-us-utility-victims-infiltrated-by-russian-hackers/d/d-id/1332372

AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger
UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools
https://www.securityweek.com/aveva-patches-critical-flaws-hmiscada-tools-following-schneider-merger

Unpacking the Impact of NIST 1.1 Updates on ICS
The National Institute of Standards and Technology (NIST) recently updated its cybersecurity framework (CSF), rolling out changes to all five pillars: Identify, Protect, Detect, Respond, and Recover. These changes present some challenges for industrial organizations that want or need to comply with this CSF
https://www.securityweek.com/unpacking-impact-nist-11-updates-ics

Jeff Wilbur of the Online Trust Alliance on why enterprise IoT security is a lot like BYOD
As consumer Internet of Things (IoT) devices inevitably find their way into the workplace, IT pros need to isolate them from the rest of the enterprise network, perhaps on a network of their own, so they don’t become backdoors exploitable by attackers, according to the head of the Online Trust Alliance
https://www.networkworld.com/article/3292223/internet-of-things/qanda-jeff-wilbur-of-the-online-trust-alliance-on-why-enterprise-iot-security-is-a-lot-like-byod.html

The Industrial World is Facing a Security Crisis
As more industrial systems become connected, so follows increased awareness of security issues surrounding industrial control systems, programmable logic controllers and SCADA. These once rare worlds of operational technology (OT) and IoT have now become part of the mainstream cybersecurity conversation

Podcast: The Industrial World is Facing a Security Crisis

SCADA vulnerabilities in ICS architectures
A major challenge in industrial control system architecture involves the dual nature of its underlying technologies. That is, a typical ICS component must have the capability to exchange information with both IT and OT systems across designated network or system interfaces.

Shipping company’s networks in the Americas crippled by ransomware attack
The statement—and posts on COSCO’s official Twitter and Facebook accounts—didn’t disclose the reason for the outage. The Press-Telegram of Long Beach, California, however, reported on Tuesday that the China state-owned shipping company was infected by ransomware. The report didn’t identify the name or strain of the ransomware, which generally encrypts computer hard drives and demands a payment by digital currency to decrypt it.
https://arstechnica.com/information-technology/2018/07/shipping-companys-networks-in-the-americas-crippled-by-ransomware-attack/

07-23-18 – News This Past Week

How hackers exploit critical infrastructure
The traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, that malicious hacking activity would be increasingly targeted in this direction

Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps
A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.
https://www.tenable.com/blog/tenable-research-advisory-patches-issued-for-critical-vulnerabilities-in-2-aveva-scadaot-apps

An introduction to ICS threats and the current landscape
ICS threats have become more prevalent, so the need for organizations to understand the risks has grown. Expert Ernie Hayden explains what enterprises need to know
https://searchsecurity.techtarget.com/tip/An-introduction-to-ICS-threats-and-the-current-landscape

SCADA/ICS Dangers & Cybersecurity Strategies
Nearly 60% of surveyed organizations using SCADA or ICS reported they experienced a breach in those systems in the last year. Here are four tips for making these systems safer
https://www.darkreading.com/endpoint/scada-ics-dangers-and-cybersecurity-strategies/a/d-id/1332278

A $225 GPS spoofer can send sat-nav-guided vehicles into oncoming traffic *
The attack starts with a $225 piece of hardware that’s planted in or underneath the targeted vehicle that spoofs the radio signals used by civilian GPS services. It then uses algorithms to plot a fake “ghost route” that mimics the turn-by-turn navigation directions contained in the original route. Depending on the hackers’ ultimate motivations, the attack can be used to divert an emergency vehicle or a specific passenger to an unintended location or to follow an unsafe route. The attack works best in urban areas the driver doesn’t know well, and it assumes hackers have a general idea of the vehicle’s intended destination
https://arstechnica.com/information-technology/2018/07/a-225-gps-spoofer-can-send-autonomous-vehicles-into-oncoming-traffic/

07-16-18 – News This Past Week

Flaws Expose Siemens Protection Relays to DoS Attacks
Siemens has informed customers that some of the company’s SIPROTEC protection relays are exposed to denial-of-service (DoS) attacks due to a couple of vulnerabilities present in the EN100 communication module
https://www.securityweek.com/flaws-expose-siemens-protection-relays-dos-attacks

VPNFilter Malware Hits Critical Infrastructure in Ukraine
The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization
https://www.securityweek.com/vpnfilter-malware-hits-critical-infrastructure-ukraine

Ukraine Security Service Stops VPNFilter Attack at Chlorine Station
Ukraine’s SBU Security Service reportedly detected and shut down a cyberattack that used VPNFilter malware on network equipment in a chlorine station that supplies water treatment and sewage plants
https://www.darkreading.com/attacks-breaches/ukraine-security-service-stops-vpnfilter-attack-at-chlorine-station/d/d-id/1332282

ICS Security: ‘The Enemy Is in the Wire’
Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.
https://www.darkreading.com/attacks-breaches/ics-security-the-enemy-is-in-the-wire/a/d-id/1332247

Thales and Device Authority healthcare IoT solution ensures device and data security for medical devices
Thales and Device Authority announce a jointly developed solution to ensure the authentication of IoT devices and the confidentiality and integrity of the data they rely on – giving both healthcare professionals and their patients the confidence to adopt these technologies

Power Grid Protection Firm SEL Patches Severe Software Flaws
Several vulnerabilities, including ones rated high severity, have been discovered in management and configuration tools from power grid protection company Schweitzer Engineering Laboratories (SEL). The vendor has released software updates to address the flaws
https://www.securityweek.com/power-grid-protection-firm-sel-patches-severe-software-flaws

07-09-18 – News This Past Week

Flaws Expose Siemens Central Plant Clocks to Attacks
Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source
https://www.securityweek.com/flaws-expose-siemens-central-plant-clocks-attacks

Strange and scary IoT hacks
The Internet of Things has provided a worldwide digital playground for hackers, pranksters and those who would thwart them and here are 9 of the most unnerving
https://www.networkworld.com/article/3285968/internet-of-things/strange-and-scary-iot-hacks.html

Azure IoT Edge Exits Preview with Security Updates
Microsoft rolls out its cloud-based IoT service to the general public, while upping data protection with new categories including device management and security
https://www.darkreading.com/cloud/azure-iot-edge-exits-preview-with-security-updates/d/d-id/1332201

For victims of smart home abuse, there’s no easy out
On the surface, this seems like a relatively straightforward problem to solve: Just change your password or unplug the devices, right? Except the issue here is two-fold. Not only are the devices sometimes solely controlled by the abuser, but oftentimes making these changes will result in even worse abuse, especially if the couple is still living together.
https://www.engadget.com/2018/07/02/smart-home-abuse-no-easy-out/

07-02-18 – News This Past Week

Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products
https://www.securityweek.com/rockwell-patches-flaw-affecting-safety-controllers-several-vendors

Industrial IoT: Protecting the Physical World from Cyber Attacks
The convergence of industrial IoT and intelligent automation has been a boon for many enterprises, allowing machines to take on tasks that previous generations of automation could not handle. This shift mirrors the way that connected devices have transformed home life for many consumers
https://www.securityweek.com/industrial-iot-protecting-physical-world-cyber-attacks

Fairhair Alliance Building IoT Security Architecture
A group of companies in the building automation and IoT space is working for a coherent security architecture that incorporates multiple standards
https://www.darkreading.com/iot/fairhair-alliance-building-iot-security-architecture/d/d-id/1332147

House Passes Bill to Enhance Industrial Cybersecurity
The U.S. House of Representatives on Monday passed a bill aimed at protecting industrial control systems (ICS), particularly ones used in critical infrastructure, against cyberattacks
https://www.securityweek.com/house-passes-bill-enhance-industrial-cybersecurity

Simple Security Flaws Could Steer Ships Off Course
A proof-of-concept attack could cause ships to dangerously veer off course, and it all stems from simple security issues, including the failure to change default passwords or segment networks.

New WPA3 security protocol simplifies logins, secures IoT
Latest WPA3 security protocol update adds new features to the Wi-Fi access specification for simple and secure wireless access for individuals, as well as enterprises
https://searchsecurity.techtarget.com/news/252443752/New-WPA3-security-protocol-simplifies-logins-secures-IoT

US legislators put industrial control system security on the map
After a spate of attacks on industrial control systems (ICS), the US this week officially recognized the need to secure them with a new bill. On Monday, House representatives passed legislation to bring these systems under the protection of the Department of Homeland Security

CIS Adapts Critical Security Controls to Industrial Control Systems
The Center for Internet Security (CIS) recently updated their popular CIS Controls – formerly known as the SANS Top 20 – and just published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide, in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments
https://www.tenable.com/blog/cis-adapts-critical-security-controls-to-industrial-control-systems

GlobalSign, Comodo launch competing IoT security platforms
GlobalSign Tuesday unveiled its IoT Identity Platform, which includes several products and services aimed at using public key infrastructure (PKI) to assign identities to IoT devices and authenticate them. The cloud-based platform includes IoT Edge Enroll, an enrollment client that provisions and manages PKI-based identities for an assortment of connected devices.
https://searchsecurity.techtarget.com/news/252443994/GlobalSign-Comodo-launch-competing-IoT-security-platforms

06-25-18 – News This Past Week

Pwned with ‘4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure
A presentation at last week’s BSides London conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.
https://www.theregister.co.uk/2018/06/18/physically_hacking_scada_infosec/

China-based hackers burrow inside satellite, defense, and telecoms firms
An advanced hacking campaign originating in China has spent the past year infiltrating satellite operators, defense contractors, and telecoms companies in the US and Southeast Asia, researchers from Symantec said
https://arstechnica.com/information-technology/2018/06/china-based-hackers-burrow-inside-satellite-defense-and-telecoms-firms/

SCADA Hacking – Industrial Systems Woefully Insecure
It was ok before everything started getting wired up to networks, but with SCADA systems pre-dating the kind of security controls we need to stay safe, it’s hard to retrofit them

NanoLock Launches Platform to Protect IoT Devices From Production Through End-of-Life
Cybersecurity start-up NanoLock Security today announced a new lightweight security platform designed to add security into the small connected devices better known as the internet of things, rather than to overlay security around those devices.
https://www.securityweek.com/nanolock-launches-platform-protect-iot-devices-production-through-end-life

Four New Vulnerabilities in Phoenix Contact Industrial Switches
Phoenix Contact has disclosed four vulnerabilities in switches in the FL SWITCH industrial line. The affected devices are typically used in automated processes at digital substations, oil and gas, maritime, and other industrial applications
https://www.darkreading.com/iot/four-new-vulnerabilities-in-phoenix-contact-industrial-switches/d/d-id/1332121

Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there

Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products
https://www.securityweek.com/rockwell-patches-flaw-affecting-safety-controllers-several-vendors

Hippocratic Oath in German

The country of Siemens, Braun, Dräger, Zeiss and many more renowned medical engineering companies is finally getting it too: I am the Cavalry has published the long and short versions of the Hippocratic Oath for Connected Devices in German. The Oath is a voluntary agreement to honour the principles of software engineering safety to protect patients’ health and lives and can be found at https://iamthecavalry.org/eid.

06-18-18 – News This Past Week

‘Shift Left’ & the Connected Car
How improving application security in the automotive industry can shorten product development time, reduce costs, and save lives.
https://www.darkreading.com/application-security/shift-left-and-the-connected-car/a/d-id/1332018

ICS/SCADA Smart Scanning: Discover and Assess IT-Based Systems in Converged IT/OT Environments
Increasingly, operational technology (OT) environments are interconnecting with IT and adopting exploitable IT-based assets and protocols. This means OT systems are exposed to IT threats. Additionally, IT/OT convergence is expanding the cyberattack surface.
https://www.tenable.com/blog/icsscada-smart-scanning-discover-and-assess-it-based-systems-in-converged-itot-environments

Security Vulnerabilities: A Threat to Automotive Innovation
The pace of innovation within the automotive industry has been breath-taking. Only ten years ago, the very concept of self-driving cars and heavy goods vehicles was still regarded as far-fetched science fiction. Today, they are already a common sight on many roads around the world.
https://www.securityweek.com/security-vulnerabilities-threat-automotive-innovation

Siemens Patches Vulnerabilities in SCALANCE, Other Devices
Siemens this week published five new security advisories describing several vulnerabilities discovered in its switches, routers, building automation products, and medical devices
https://www.securityweek.com/siemens-patches-vulnerabilities-scalance-other-devices

Critical Flaws Patched in Schneider Building Automation Software
Schneider Electric recently patched four vulnerabilities in its U.motion Builder software, including two critical command execution flaws. Advisories have been published by both the vendor and ICS-CERT
https://www.securityweek.com/critical-flaws-patched-schneider-building-automation-software