12-11-17 – News This Past Week

Top-selling handgun safe can be remotely opened in seconds—no PIN needed
The Vaultek VT20i handgun safe, ranked fourth in Amazon’s gun safes and cabinets category, allows owners to electronically open the door using a Bluetooth-enabled smartphone app. The remote unlock feature is supposed to work only when someone knows the four- to eight-digit personal identification number used to lock the device. But it turns out that this PIN safeguard can be bypassed using a standard computer and a small amount of programming know-how

Rockwell Automation Patches Serious Flaw in FactoryTalk Product
FTAE provides a consistent view of alarms and events via a View SE HMI system. The product is used worldwide in sectors such as critical infrastructure, entertainment, automotive, food and beverage, and water and wastewater

“Everything you interact with that you don’t typically think of as a computer has some kind of microcontroller in it, and over the next five to 10 years we believe that those devices will all be replaced by versions of the devices that will be interconnected,” says Galen Hunt, the managing director of Project Sopris. Think blenders, hair dryers, and other unlikely but inevitable connected accessories.

Given how aggressively Iran has pursued infrastructure hacking, previously targeting the financial sector and even a dam in upstate New York, the new findings serve as a warning, and highlight the evolving nature of the threat

Serious Flaw Found in Many Siemens Industrial Products
According to Siemens, the list of affected products includes SIMATIC S7-200 Smart micro-PLCs for small automation applications, some SIMATIC S7 CPUs, SIMATIC WinAC RTX software controllers, SIMATIC ET 200 PROFINET interface modules, SIMATIC PN/PN couplers, SIMATIC Compact field units, development kits for PROFINET IO, SIMOTION motion control systems, SINAMICS converters, SINUMERIK CNC automation solutions, SIMOCODE motor management systems, and SIRIUS 3RW motor soft starters

Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers

Nearly 2/3 of Industrial Companies Lack Security Monitoring
While more than half of the 130 decision-makers from industrial organizations in the survey say they work in a facility that has suffered a breach, just 37% of the respondents say their organizations monitor networks for suspicious activity and traffic

Industrial Firms Slow to Adopt Cybersecurity Measures: Honeywell
A survey of 130 strategic decision makers from around the world revealed that more than half of industrial organizations have suffered a cybersecurity incident, including ones involving removable media, denial-of-service (DoS) attacks, malware, hackers breaking into plant IT systems, state-sponsored attacks, and direct attacks on control systems.

The Year to Come in ICS / Critical Infrastructure Security
Here, I wanted to address some of my thoughts about what the New Year will hold for Industrial Control Systems/Critical Infrastructure cybersecurity. It is “Security Prediction Season” after all and I’d be remiss not to offer my thoughts. Below I’ve outlined a few things I think that will definitely manifest – some are bad, some offer more promise for placing us on a path to combatting an adversarial scourge which is growing in this absolutely critical area

Critical Flaw in WAGO PLC Exposes Organizations to Attacks
The flaw, discovered by a researcher at security services and consulting company SEC Consult, impacts Linux-based WAGO PFC200 series PLCs, specifically a total of 17 750-820X models running firmware version 02.07.07 (10). The affected devices are advertised by the vendor as ultra-compact and secure automation systems that can be used for traditional machine control, process technology, and in the offshore sector

The Rising Dangers of Unsecured IoT Technology
While this is perhaps one of the most potentially life-threatening examples of unsecured Internet of Things (IoT) security, it drives home the point that manufacturers are not building these devices with security as a priority. As IoT devices grow in popularity, seemingly endless security- and privacy-related concerns are surfacing

12-04-17 – News This Past Week

Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches
An attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records, according to a Spirent SecurityLabs researcher.

Industrial Cybersecurity Startup SCADAfence Secures $10 Million
The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets

Siemens Patches Several Flaws in Teleprotection Devices
According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware

Robocars Should Be ‘Disconnected,’ Warns Former EFF Chief
Brad Templeton has been a software architect, a former Electronic Frontier Foundation (EFF) chair, an adviser to Google’s self-driving car project, and a Chair for Computing at the Singularity University. He has recently started warning about the cybersecurity issues self-driving cars, or “robocars,” may face if automotive companies don’t start to take security more seriously as they race to bring them to market

AWS allows customers to manage and protect IoT devices
AWS IoT 1-Click, AWS IoT Device Management, AWS IoT Device Defender, AWS IoT Analytics, Amazon FreeRTOS, and AWS Greengrass ML Inference make getting started with IoT as easy as one click, enable customers to onboard and manage large fleets of devices, audit and enforce consistent security policies, and analyze IoT device data at scale

Tenable Delivers Industrial Security
Organizations are continuously leveraging new data and information capabilities to accelerate their business processes and deliver greater value to customers. As a result, industries such as energy, utilities, and manufacturing are becoming increasingly digital and connected

Linux for the Industry 4.0 era: New distro for factory automation
NXP Semiconductors, a world leader in secure connectivity solutions, just announced a Linux distribution that is intended to support factory automation. It’s called Open Industrial Linux (OpenIL), and it’s promising true industrial-grade security based on trusted computing, hardened software, cryptographic operations and end-to-end security

Recently Patched Dnsmasq Flaws Affect Siemens Industrial Devices
Dnsmasq is a lightweight tool designed to provide DNS, DHCP, router advertisement and network boot services for small networks. It can be found in Linux distributions, smartphones, routers, and many Internet of Things (IoT) devices

11-13-17 – News These Past Two Weeks

Curing The Security Sickness in Medical Devices
Just as the rapid development of the Internet of Things (IoT) has transformed traditional industries and service sectors, it is also having a great impact in the world of healthcare. It’s easy to argue, in fact, that no area is being transformed by digital technologies as rapidly or with as many benefits for society as new medical technologies

More Industrial Products at Risk of KRACK Attacks
An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.

Criminals leverage unsecured IoT devices, DDoS attacks surge
Organizations experienced an average of 237 DDoS attack attempts per month during Q3 2017 – equivalent to 8 DDoS attack attempts every day – as hackers strive to take their organisations offline or steal sensitive data, according to Corero Network Security.

Startup Uses 3D Modeling to Make Autonomous Driving Safer
It might come as a surprise that only 4 percent of new car buyers, according to a U.K. survey, place safety as a top priority when considering their purchase

‘Treat infosec fails like plane crashes’ – but hopefully with less death and twisted metal
Brian Honan, founder and head of Ireland’s first CSIRT and special adviser on internet security to Europol, argued that failures in cybersecurity should be viewed as an opportunity to learn lessons and prevent them happening again.

IBM’s Schneier: It’s Time to Regulate IoT to Improve Cyber-Security
In a keynote address at the SecTor security conference, IBM Resilient Systems CTO Bruce Schneier makes a case for more regulatory oversight for software and the internet of things

Forrester predicts what’s next for IoT
As the Internet of Things moves from “experimentation to business scale,” research firm Forrester shares its predictions for 2018. Think specialization and cloud — and big security risks.

Threat Predictions for Industrial Security in 2018
2017 was one of the most intense in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks

Enterprise Physical Security Drives IoT Adoption
The vast majority of respondents to a new survey are deploying IoT technologies for building safety in the form of security cameras

Infosec expert viewpoint: IoT security initiatives
IoT went quickly from buzzword to mainstream, and connected devices have become common in households and enterprises around the globe. A worrying lack of regulation has fueled a plethora of security problems causing headaches to security teams and endangering end users

Flaw in Siemens RTU Allows Remote Code Execution
Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.

Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says
A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.

11-13-17 – News This Past Week

Schneider Electric Patches Critical Flaw in HMI Products
InduSoft Web Studio allows organizations to develop human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions. The Wonderware InTouch product, which is used in over one-third of the world’s industrial facilities, is an HMI visualization software. The products are used in various industries, including manufacturing, water and wastewater, automotive, oil and gas, building automation, and energy.

Automotive Cybersecurity Firm Argus Acquired by Continental
Cyber threats to automotive systems are not necessarily new, but are becoming more of an issue as cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.

Stealthy New PLC Hack Jumps the Air Gap
Researchers have devised a sneaky reconnaissance attack that drops rogue ladder-logic code onto a Siemens programmable logic controller (PLC) to gather sensitive plant data from an industrial network with no Internet connection, and then siphons it remotely via Radio Frequency (RF) transmission. A nation-state or other hacker group could use the stolen information for a future attack that sabotages the plant’s physical operations.

The IoT Blindspot
According to a new Forrester study that queried 603 IT and business decision-makers across the globe with 2,500 or more employees, a key contributor to the IoT visibility problem may be confusion over who is responsible for IoT management and security.

IoT anxiety is consuming security professionals
A new survey conducted by Forrester Consulting unveiled that security and LoB leaders are experiencing high levels of anxiety due to IoT/OT security concerns, largely due to the negative business ramifications a security failure can have on critical business operations.

Siemens Teams Up with Tenable
ICS/SCADA vendor further extends its managed security services for critical infrastructure networks.

Siemens and Tenable Partner to Protect Industrial Networks
Worsening geopolitical tensions and increasing awareness of the potential harm caused by cyber attacks against the operational technology (OT) networks of critical industries has made industrial control systems (ICS) a focus of cybersecurity attention. But protecting ICS remains problematic as it emerges from its pre-internet security-unaware origins into the modern internet-connected world: it now has to add remaining secure to remaining operational

Connected technologies will accelerate security threats to healthcare industry
Life sciences and healthcare companies will follow the lead of other industries and integrate connected technologies including Internet of Things (IoT) and intelligent scanners across their ecosystems as a means to improve operational efficiencies, enhance supply chain visibility and deliver better patient care – but the increasing use of such technologies will accelerate security risks, according to a new set of predictions from Unisys.

Protecting Critical Infrastructure When a Dragonfly Beats its Wings
News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.

Security, privacy issues we need to solve before non-medical implants become pervasive
The cybernetic revolution is happening, and it’s imperative that civil liberties and privacy issues are addressed by system designers, innovators, regulators, and legislators, says James Scott, a Senior Fellow at cybersecurity think tank ICIT

11-06-17 – News This Past Week

Russia-Linked Hackers Target Turkish Critical Infrastructure
Called Energetic Bear, but also known as Dragonfly and Crouching Yeti, the group has been active since at least 2010. First detailed in 2014, the threat group has been focused mainly on the energy sector in the United States and Europe.

Siemens Update Patches SIMATIC PCS 7 Bug in Some Versions
Siemens has made an update available for some of its SIMATIC PCS 7 distributed control systems that are impacted by a remotely exploitable input validation vulnerability.

Security vs. convenience? IoT requires another level of thinking about risk
One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected-devices, which makes it difficult for users to have any sort of effective understanding of their risks. I pointed out the same in a recent CNN Tech article about Amazon Key

Beyond Bitcoin: Oracle, IBM Prepare Blockchains for Industrial Use
There’s been a lot of talk recently about blockchains beyond its original use for supporting Bitcoin. Earlier this year, we covered a session in London where the takeaway from the panel was there are too many problems to be solved. But that was in February, and a lot has changed since then

Practical Steps for Getting Started with IT/OT Security Convergence
Given the frequency and severity of cyberattacks in the news, cyber threats are top of mind for boards of directors and executive teams. In fact, according to Aon’s 2017 Global Risk Management Survey cybercrime ranked number five among the top 10 concerns for risk decision-makers globally and number one among respondents in North America – above concerns about economic slowdown, increasing competition, damage to reputation, and regulatory changes

Is the U.S. finally about to take IoT security seriously?
Indeed, security issues plaguing IoT devices have long been a concern, and last week congressional Democrats introduced a bill designed to help mitigate what are seen as widespread vulnerabilities. But while the effort is noble and may help raise awareness of the issues, there are lots of reasons why the Cyber Shield Act of 2017 won’t end up doing much to actually solve the problem

Most organizations and consumers believe there is a need for IoT security regulation
90% of consumers lack confidence in the security of Internet of Things (IoT) devices. This comes as more than two-thirds of consumers and almost 80% of organizations support governments getting involved in setting IoT security, according to Gemalto.

The Future of Industrial Security – IT and OT Convergence
In industrial organizations, security is traditionally divided across three silos: physical security, IT security and operational security (plant security and system integrity). This divide makes it more difficult for facilities operators to identify and respond to incidents

Researchers Downplay Size of Reaper IoT Botnet
Called Reaper, the botnet was said a couple of weeks ago to have infected over one million organizations worldwide, but Arbor claims that the actual size of the botnet fluctuates between 10,000 and 20,000 bots in total

10-30-17 – News This Week

Industrial Products Also Vulnerable to KRACK Wi-Fi Attack
In the case of Cisco, many of the company’s products are affected, including Cisco 829 Industrial Integrated Services routers and Industrial Wireless 3700 series access points. The networking giant has yet to release patches for the vulnerable industrial products. However, workarounds are available for six of the flaws.

A Checklist for Securing the Internet of Things
IoT devices promise endless benefits, but they also come with serious security issues. Use this checklist to make sure your company stays safe.

A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers.

A common satellite comms package for ships and oil rigs has a backdoor that won’t be patched
Apparently, internet communications packages are isolated from internal ship networks that control steering, navigation and propulsion. However, access to the ship’s internet would be a boon to pirates and state actors wishing to monitor ships’ communications and learn about cargoes, destinations, and locations

Security Flaw Could Have Let Hackers Turn on Smart Ovens
A security flaw in LG’s smart home devices gave hackers a way to control the household appliances of millions of customers, including the ability to turn on ovens, a computer security firm revealed on Thursday.

Hackers can force airbags to deploy
Common Vulnerabilities and Exposures number 2017-14937: in unspecified post-2014 passenger car models, the explosive charge that deploys the airbag is controlled by an instruction that is secured by one of only 256 keypairs, and there is no rate-limit on authentication attempts over the CAN bus

US-CERT: hackers are targeting our critical infrastructure
US-CERT (US Computer Emergency Readiness Team), which operates under DHS, and the FBI, issued an “alert” titled, “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors” last Friday, focused on what it said were, “APT actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

US Critical Infrastructure Target of Russia-Linked Cyberattacks
Nation-state actors are trying to gain access to vital industrial control systems (ICS) at US energy companies and other critical infrastructure organizations via the networks of their suppliers and trusted third parties, the United States government has warned

Feds warn energy, aviation companies of hacking threats
Hackers have been targeting the nuclear, energy, aviation, water and critical manufacturing industries since May, according to Reuters. It’s even serious enough for Homeland Security and the FBI to email firms most at risk of attacks, warning them that a group of cyberspies had already succeeded in infiltrating some of their peers’ networks, including at least one energy generator

DHS’ Dragonfly ICS campaign alert isn’t enough, experts say
The Department of Homeland Security released an alert confirming the Dragonfly ICS cyberattack campaign, but experts said more action is needed to protect critical infrastructure.

One-Third of Industrial Networks Connected to Internet
Many industrial and critical infrastructure systems are connected to the Internet, and the operational technology (OT) networks of some organizations have already been compromised, according to a new study from industrial security firm CyberX

DHS, FBI Warn of Ongoing APT Attack Against Critical Infrastructure
The Department of Homeland Security and Federal Bureau of Investigation have issued a joint technical alert warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors are subject to an ongoing attack campaign from an advanced actor, most probably Dragonfly

Reaper: Calm Before the IoT Security Storm?
It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks

10-23-17 – News This Past Week

Energy Regulator Acts to Improve Power Grid Security
With growing concern over nation-state cyber attacks comes an increasing need to secure the critical infrastructure. In the Quadrennial Energy Review published in January 2017, the U.S. Energy Department wrote, “Cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency.” The reliability of the electric system underpins virtually every sector of the modern U.S. economy, it warned.

U.S. warns public about attacks on energy, industrial firms
The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

US-CERT study predicts machine learning, transport systems to become security risks
The institute’s CERT Coordination Centre (CERT/CC) sees machine learning as a potential security quagmire, since it expects aggressive adoption in the medium term, but use-cases are legion, making it difficult to observe from a security point of view. In its survey, published this month, the team stated

Passengers Have a Lot to Say About Self-Driving Cars – We Should Listen
Society’s fear of driverless cars is somewhat baffling to me. Given that car crashes attributable to human error cause more than 1 million vehicle deaths every year, it’s those human-driven cars people should be afraid of. Yet all of us today get behind the wheel and simply trust that the cars coming toward them in the opposite lane will stay where they’re supposed to. From my point of view, unless those are self-driving cars, we should all be terrified.

IoT Cybersecurity: What’s Plan B?
But the situation is critical. The Internet is dangerous — and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.

“For the general sphere of IoT devices, like security cameras, we’re not just underwater,” says Kevin Fu, a computer scientist at the University of Michigan who focuses on medical device security. “We’re under quicksand under water.”

Steps to Improve Critical Infrastructure and ICS Network Security
Hopefully you’ve read those articles with an open mind and taken away from them what I’ve intended – a sense of urgency, a realization that these networks must be a top priority in your security strategy, and a motivation to convince your organization to act. If you haven’t read these articles, I invite you to do so today.

IoT Deployment Security Top Concern for Enterprises
A new survey shows that 63% of respondents are worried about the impact of the Internet of Things on corporate security technologies and processes.

10-16-17 – News This Past Week

How smart cities can protect against IoT security threats
As long as developers work in tandem with one another, the security problems presented by the development of IoT within smart cities won’t be insurmountable

North Korean Threat Actors Probe US Electric Companies
Known threat actors based in North Korea recently targeted several US electric companies in a spear-phishing campaign that appeared to be more of an early reconnaissance mission than an attempt to cause any immediate disruption

IoT: Insecurity of Things or Internet of Threats?
The Internet of Things is pushing billions of connected devices online, he noted. Last year’s Mirai malware attack, which mobilizes hundreds of thousands of devices as bots, highlighted the vulnerability of the Internet of Things and served as an example of what could go wrong

But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack.

Siemens Patches Flaws in Building Automation Controllers
Siemens has released a firmware update for its BACnet Field Panel building automation products to address two vulnerabilities, including one classified as high severity

10-02-17 – News This Past Week

Serious Flaw Exposes Siemens Industrial Switches to Attacks
The flaw, discovered by Siemens itself and tracked as CVE-2017-12736, affects SCALANCE X industrial ethernet switches, and Ruggedcom switches and serial-to-ethernet devices running the Rugged Operating System (ROS).

Siemens Patches Improper Access Vulnerability in Ruggedcom Protocol
Industrial manufacturer Siemens is encouraging users running devices that use its Ruggedcom Discovery Protocol (RCDP) to apply firmware updates this week. The updates resolve a serious and remotely exploitable vulnerability that could let an attacker carry out administrative actions.

Thousands of Malware Variants Found on Industrial Systems: Kaspersky
According to the company’s “Threat Landscape for Industrial Automation Systems” report for the first six months of the year, nearly 38 percent of the industrial systems protected globally by its products were targeted during this period. This is 1.6 percent less than in the second half of 2016

DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment

Caterpillar Eyes Competitive Edge with Connected Asset Security Program
Over the past five years, Caterpillar has provided “tactical” security for its remote-controlled equipment used in its three areas of business – construction, resources, and energy and transportation, says Joseph Zacharias, global head of information security engineering at Caterpillar

Threat Landscape for Industrial Automation Systems in H1 2017
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017

Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP :(
Speaking at DerbyCon in Kentucky, USA, on Saturday, three medics with a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren’t good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed