11-13-17 – News This Past Week

Schneider Electric Patches Critical Flaw in HMI Products
InduSoft Web Studio allows organizations to develop human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions. The Wonderware InTouch product, which is used in over one-third of the world’s industrial facilities, is an HMI visualization software. The products are used in various industries, including manufacturing, water and wastewater, automotive, oil and gas, building automation, and energy.

Automotive Cybersecurity Firm Argus Acquired by Continental
Cyber threats to automotive systems are not necessarily new, but are becoming more of an issue as cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.

Stealthy New PLC Hack Jumps the Air Gap
Researchers have devised a sneaky reconnaissance attack that drops rogue ladder-logic code onto a Siemens programmable logic controller (PLC) to gather sensitive plant data from an industrial network with no Internet connection, and then siphons it remotely via Radio Frequency (RF) transmission. A nation-state or other hacker group could use the stolen information for a future attack that sabotages the plant’s physical operations.

The IoT Blindspot
According to a new Forrester study that queried 603 IT and business decision-makers across the globe with 2,500 or more employees, a key contributor to the IoT visibility problem may be confusion over who is responsible for IoT management and security.

IoT anxiety is consuming security professionals
A new survey conducted by Forrester Consulting unveiled that security and LoB leaders are experiencing high levels of anxiety due to IoT/OT security concerns, largely due to the negative business ramifications a security failure can have on critical business operations.

Siemens Teams Up with Tenable
ICS/SCADA vendor further extends its managed security services for critical infrastructure networks.

Siemens and Tenable Partner to Protect Industrial Networks
Worsening geopolitical tensions and increasing awareness of the potential harm caused by cyber attacks against the operational technology (OT) networks of critical industries have made industrial control systems (ICS) a focus of cybersecurity attention. But protecting ICS remains problematic as it emerges from its pre-internet security-unaware origins into the modern internet-connected world: it now has to add remaining secure to remaining operational.

Connected technologies will accelerate security threats to healthcare industry
Life sciences and healthcare companies will follow the lead of other industries and integrate connected technologies including Internet of Things (IoT) and intelligent scanners across their ecosystems as a means to improve operational efficiencies, enhance supply chain visibility and deliver better patient care – but the increasing use of such technologies will accelerate security risks, according to a new set of predictions from Unisys.

Protecting Critical Infrastructure When a Dragonfly Beats its Wings
News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.

Security, privacy issues we need to solve before non-medical implants become pervasive
The cybernetic revolution is happening, and it’s imperative that civil liberties and privacy issues are addressed by system designers, innovators, regulators, and legislators, says James Scott, a Senior Fellow at cybersecurity think tank ICIT

11-06-17 – News This Past Week

Russia-Linked Hackers Target Turkish Critical Infrastructure
Called Energetic Bear, but also known as Dragonfly and Crouching Yeti, the group has been active since at least 2010. First detailed in 2014, the threat group has been focused mainly on the energy sector in the United States and Europe.

Siemens has made an update available for some of its SIMATIC PCS 7 distributed control systems that are impacted by a remotely exploitable input validation vulnerability

Siemens Update Patches SIMATIC PCS 7 Bug in Some Versions

Security vs. convenience? IoT requires another level of thinking about risk
One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected-devices, which makes it difficult for users to have any sort of effective understanding of their risks. I pointed out the same in a recent CNN Tech article about Amazon Key

Beyond Bitcoin: Oracle, IBM Prepare Blockchains for Industrial Use
There’s been a lot of talk recently about blockchains beyond its original use for supporting Bitcoin. Earlier this year, we covered a session in London where the takeaway from the panel was there are too many problems to be solved. But that was in February, and a lot has changed since then

Practical Steps for Getting Started with IT/OT Security Convergence
Given the frequency and severity of cyberattacks in the news, cyber threats are top of mind for boards of directors and executive teams. In fact, according to Aon’s 2017 Global Risk Management Survey cybercrime ranked number five among the top 10 concerns for risk decision-makers globally and number one among respondents in North America – above concerns about economic slowdown, increasing competition, damage to reputation, and regulatory changes

Is the U.S. finally about to take IoT security seriously?
Indeed, security issues plaguing IoT devices have long been a concern, and last week congressional Democrats introduced a bill designed to help mitigate what are seen as widespread vulnerabilities. But while the effort is noble and may help raise awareness of the issues, there are lots of reasons why the Cyber Shield Act of 2017 won’t end up doing much to actually solve the problem

Most organizations and consumers believe there is a need for IoT security regulation
90% of consumers lack confidence in the security of Internet of Things (IoT) devices. This comes as more than two-thirds of consumers and almost 80% of organizations support governments getting involved in setting IoT security, according to Gemalto.

The Future of Industrial Security – IT and OT Convergence
In industrial organizations, security is traditionally divided across three silos: physical security, IT security and operational security (plant security and system integrity). This divide makes it more difficult for facilities operators to identify and respond to incidents

Researchers Downplay Size of Reaper IoT Botnet
Called Reaper, the botnet was said a couple of weeks ago to have infected over one million organizations worldwide, but Arbor claims that the actual size of the botnet fluctuates between 10,000 and 20,000 bots in total

10-30-17 – News This Week

Industrial Products Also Vulnerable to KRACK Wi-Fi Attack
In the case of Cisco, many of the company’s products are affected, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points. The networking giant has yet to release patches for the vulnerable industrial products. However, workarounds are available for six of the flaws.

A Checklist for Securing the Internet of Things
IoT devices promise endless benefits, but they also come with serious security issues. Use this checklist to make sure your company stays safe.

A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers.

A common satellite comms package for ships and oil rigs has a backdoor that won’t be patched
Apparently, internet communications packages are isolated from internal ship networks that control steering, navigation and propulsion. However, access to the ship’s internet would be a boon to pirates and state actors wishing to monitor ships’ communications and learn about cargoes, destinations, and locations

Security Flaw Could Have Let Hackers Turn on Smart Ovens
A security flaw in LG’s smart home devices gave hackers a way to control the household appliances of millions of customers, including the ability to turn on ovens, a computer security firm revealed on Thursday.

Hackers can force airbags to deploy
Common Vulnerabilities and Exposures number 2017-14937: in unspecified post-2014 passenger car models, the explosive charge that deploys the airbag is controlled by an instruction that is secured by one of only 256 keypairs, and there is no rate-limit on authentication attempts over the CAN bus

US-CERT: hackers are targeting our critical infrastructure
US-CERT (US Computer Emergency Readiness Team), which operates under DHS, and the FBI, issued an “alert” titled, “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors” last Friday, focused on what it said were, “APT actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

US Critical Infrastructure Target of Russia-Linked Cyberattacks
Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned

Feds warn energy, aviation companies of hacking threats
Hackers have been targeting the nuclear, energy, aviation, water and critical manufacturing industries since May, according to Reuters. It’s even serious enough for Homeland Security and the FBI to email firms most at risk of attacks, warning them that a group of cyberspies had already succeeded in infiltrating some of their peers’ networks, including at least one energy generator

DHS’ Dragonfly ICS campaign alert isn’t enough, experts say
The Department of Homeland Security released an alert confirming the Dragonfly ICS cyberattack campaign, but experts said more action is needed to protect critical infrastructure.

One-Third of Industrial Networks Connected to Internet
Many industrial and critical infrastructure systems are connected to the Internet, and the operational technology (OT) networks of some organizations have already been compromised, according to a new study from industrial security firm CyberX

DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure
The Department of Homeland Security and Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are subject to an ongoing attack campaign from an advanced actor, most probably Dragonfly

Reaper: Calm Before the IoT Security Storm?
It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks

10-23-17 – News This Past Week

Energy Regulator Acts to Improve Power Grid Security
With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.

U.S. warns public about attacks on energy, industrial firms
The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

US-CERT study predicts machine learning, transport systems to become security risks
The institute’s CERT Coordination Centre (CERT/CC) sees machine learning as a potential security quagmire, since it expects aggressive adoption in the medium term, but use-cases are legion, making it difficult to observe from a security point of view. In its survey, published this month, the team stated

Passengers Have a Lot to Say About Self-Driving Cars – We Should Listen
Society’s fear of driverless cars is somewhat baffling to me. Given that car crashes attributable to human error cause more than 1 million vehicle deaths every year, it’s those human-driven cars people should be afraid of. Yet all of us today get behind the wheel and simply trust that the cars coming toward them in the opposite lane will stay where they’re supposed to. From my point of view, unless those are self-driving cars, we should all be terrified.

IoT Cybersecurity: What’s Plan B?
But the situation is critical. The Internet is dangerous — and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.

“For the general sphere of IoT devices, like security cameras, we’re not just underwater,” says Kevin Fu, a computer scientist at the University of Michigan who focuses on medical device security. “We’re under quicksand under water.”

Steps to Improve Critical Infrastructure and ICS Network Security
Hopefully you’ve read those articles with an open mind and taken away from them what I’ve intended – a sense of urgency, a realization that these networks must be a top priority in your security strategy, and a motivation to convince your organization to act. If you haven’t read these articles, I invite you to do so today.

IoT Deployment Security Top Concern for Enterprises
A new survey shows that 63% of respondents are worried about the impact of the Internet of Things on corporate security technologies and processes.

10-16-17 – News This Past Week

How smart cities can protect against IoT security threats
As long as developers work in tandem with one another, the security problems presented by the development of IoT within smart cities won’t be insurmountable

North Korean Threat Actors Probe US Electric Companies
Known threat actors based in North Korea recently targeted several US electric companies in a spear-phishing campaign that appeared to be more of an early reconnaissance mission than an attempt to cause any immediate disruption

IoT: Insecurity of Things or Internet of Threats?
The Internet of Things is pushing billions of connected devices online, he noted. Last year’s Mirai malware attack, which mobilizes hundreds of thousands of devices as bots, highlighted the vulnerability of the Internet of Things and served as an example of what could go wrong

But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack.

Siemens Patches Flaws in Building Automation Controllers
Siemens has released a firmware update for its BACnet Field Panel building automation products to address two vulnerabilities, including one classified as high severity

10-02-17 – News This Past Week

Serious Flaw Exposes Siemens Industrial Switches to Attacks
The flaw, discovered by Siemens itself and tracked as CVE-2017-12736, affects SCALANCE X industrial ethernet switches, and Ruggedcom switches and serial-to-ethernet devices running the Rugged Operating System (ROS).

Industrial manufacturer Siemens is encouraging users running devices that use its Ruggedcom Discovery Protocol (RCDP) to apply firmware updates this week. The updates resolve a serious and remotely exploitable vulnerability that could let an attacker carry out administrative actions.

Siemens Patches Improper Access Vulnerability in Ruggedcom Protocol

Thousands of Malware Variants Found on Industrial Systems: Kaspersky
According to the company’s “Threat Landscape for Industrial Automation Systems” report for the first six months of the year, nearly 38 percent of the industrial systems protected globally by its products were targeted during this period. This is 1.6 percent less than in the second half of 2016

DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment

Caterpillar Eyes Competitive Edge with Connected Asset Security Program
Over the past five years, Caterpillar has provided “tactical” security for its remote-controlled equipment used in its three areas of business – construction, resources, and energy and transportation, says Joseph Zacharias, global head of information security engineering at Caterpillar

Threat Landscape for Industrial Automation Systems in H1 2017
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017

Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP :(
Speaking at DerbyCon in Kentucky, USA, on Saturday, three medics who have a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren’t good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed

9-11-17 – News This Past Week

Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses
Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory issued on Thursday.


Syringe infusion pumps can be fiddled with by remote attackers
The vulnerabilities, identified by independent researcher Scott Gayou, include buffer overflows, hard-coded credentials and passwords, improper certificate validation, passwords stored in the configuration field, and improper access control.


Symantec Researchers Reveal New Ramped-up Attacks on U.S. Power Grid
The malware is delivered using old phishing techniques, but with new payloads. Several power generation and control facilities, perhaps including one nuclear power plant, have already been penetrated.


Hackers lie in wait after penetrating US and Europe power grid networks
Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.


Symantec: ‘Dragonfly’ Attack Group Targets Energy Companies In US, Turkey, Switzerland
The company also said the attackers were careful to cover their tracks. Dragonfly is said to have relied on off-the-shelf malware anyone can use, to have avoided using zero-day exploits, and to have used both Russian and French in various code strings to avoid giving away the country of origin via the language used. All of these factors led Symantec to hold off on officially attributing Dragonfly’s actions to a specific country.


Serious Flaws Found in Westermo Industrial Routers
Qualys researcher Mandar Jadhav discovered that Westermo’s MRD-305-DIN, MRD-315, MRD-355 and MRD-455 industrial routers, which are used for remote access worldwide in the commercial facilities, critical manufacturing and energy sectors, are exposed to attacks by three vulnerabilities


Fixing, upgrading and patching IoT devices can be a real nightmare
Ensuring cybersecurity for computers and mobile phones is a huge, complex business. The ever-widening scope and unbelievable variety of threats makes keeping these devices safe from cyber criminals and malware a full-time challenge for companies, governments and individuals around the world.


News This Past Week

Siemens Patches Flaws in Automation, Power Distribution Products
Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking

30 ways to improve IoT privacy
To improve IoT security and privacy, we need to create a security culture. Here are 30 ways IoT device makers and developers can do their part.

This Linux tool could improve the security of IoT devices
Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications

UK infrastructure failing to meet the most basic cybersecurity standards
More than a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government, according to Freedom of Information requests by Corero Network Security

Need to Jumpstart IoT Security? Consider Segmentation
In the healthcare industry, medical devices connecting patients, care givers, and systems across facilities are being used to save lives and find cures. Manufacturers embarking on their digital transformation journey are connecting devices on the factory floor to increase uptime, productivity, and competitive advantage

FDA issues recall of 465,000 St. Jude pacemakers to patch security holes
Heart patients will have to visit their doctors to have their pacemakers patched for the “voluntary” recall — but there are risks

Advantech fixes serious vulns in WebAccess HMI/SCADA software
Advantech WebAccess is a web browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA).

IoT Device Hit by Credential Attack Every Two Minutes: Experiment
Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed

News This Past Week

Cisco IOS Flaws Expose Rockwell Industrial Switches to Remote Attacks
The Allen-Bradley Stratix and ArmorStratix switches, which ICS-CERT says are used worldwide in the critical manufacturing, energy and water sectors, rely on Cisco’s IOS software for secure integration with enterprise networks. That means Cisco IOS flaws can also affect Rockwell Automation products

IoT Thermostat Bug Allows Hackers to Turn Up the Heat
With the ever-increasing impact of smart and connected devices in our daily lives, Cybersecurity has a variety of security challenges to deal with. The field of traditional computer security deals with a myriad of issues like data theft or sabotage. However, when it comes to IoT security, the consequences of a successful attack can be even more diverse.

This Linux tool could improve the security of IoT devices
Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications

Germany publishes ethical guidelines for self-driving cars
The technological developments are forcing government and society to reflect on the emerging changes. The decision that has to be taken is whether the licensing of automated driving systems is ethically justifiable or possibly even imperative

Unfixable Automobile Computer Security Vulnerability
Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable

Unpatchable Flaw in Modern Cars Allows Hackers to Disable Safety Features
Today, many automobile companies are offering vehicles that run on the mostly drive-by-wire system, which means a majority of a car’s functions—from instrument cluster to steering, brakes, and accelerator—are electronically controlled

‘Smart’ solar power inverters raise risk of energy grid attacks
Given the dearth of research on this class of device, it’s an eye-catching if sensational claim that shouldn’t come as a total surprise in the light of recent technological developments

‘Gloomy times ahead’ for security on critical infrastructure, warn experts
It looks like pretty good timing. Less than a week after a couple of critical infrastructure experts bemoaned the ongoing lack of security in the industry, the US National Institute of Standards and Technology (NIST) is out with the latest (fifth) draft of its Security and Privacy Controls for Information Systems and Organizations

How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?
Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

Hacked robots can be a deadly insider threat
IOActive researchers have probed the security of a number of humanoid home and business robots as well as industrial collaborative robots, and have found it seriously wanting

Medical devices and the Internet of Things: Defending against cyber threats
More than one-third (35.6 percent) of surveyed professionals in the Internet of Things-connected medical device ecosystem say their organizations have experienced a cybersecurity incident in the past year, according to Deloitte

Insecure IoT Devices Pose Physical Threat to General Public
At the car wash, look out for attack robots. Billy Rios, CEO of Whitescope, visits the Dark Reading News Desk to discuss how IoT devices could be hacked to physically attack people in everyday public settings.

Report Suggests ‘Fleeting Window’ to Prevent Major Cyber Attack on Critical Infrastructure
The National Infrastructure Advisory Council (NIAC) published a draft report this week titled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF). The report warns there is a narrow and fleeting window to prepare for and prevent “a 9/11-level cyber-attack” against the U.S. critical infrastructure

Healthcare Providers Warned of Flaws in Philips Product
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and Philips have warned healthcare providers that one of the company’s radiation dose management tools is affected by potentially serious vulnerabilities

Overcoming the Lost Decade of Information Security in ICS Networks
Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses

Fourth US Navy Collision This Year Raises Suspicion of Cyber-Attacks
Early Monday morning a U.S. Navy Destroyer collided with a merchant vessel off the coast of Singapore. The U.S. Navy initially reported that 10 sailors were missing, and today found “some of the remains” in flooded compartments

Industrial hack can turn powerful machines into killer robots
In a post titled “Exploiting Industrial Collaborative Robots,” security researchers at IOActive detail how popular models of consumer and industrial robots have already been compromised in such a way that could cause humans bodily harm. The study examines a class of collaborative robots designed to work together with their human counterparts, often in industrial settings.

DJI Spark Gets Mandatory Firmware Update, Won’t Fly Unless Updated
Given that drones are basically robots with fast-spinning rotary blades that can fly high up in the sky, clearly there are safety issues to be considered since you don’t want these drones to fall out of the sky and land on someone’s head. This is why we can’t say we’re surprised to learn of one of the measures DJI is taking to ensure drone safety