https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,725 Comments
Tomi Engdahl says:
https://www.etteplan.com/stories/towards-less-vulnerable-embedded-electronics-new-regulation-cybersecurity
Tomi Engdahl says:
IoT/ICS Armageddon: hacking devices like there’s no tomorrow (part 1) https://www.redtimmy.com/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1/
The truth is that hacking OT devices wasn’t challenging enough. Today, like five years ago, the security in the area is running 10/15 years behind the traditional IT sector. In a few words:
Tomi Engdahl says:
Webinar: Embedded cyber security – regulatory news update
https://www.youtube.com/watch?v=NDTAHRyDdMY
Watch this session to get a concise overview of the most interesting regulatory news over the first half of 2021 and possible next steps, both from Operational Technology and Consumer IoT perspectives. Also highlights from ETSI Security Week 2021 will be summarized.
Tomi Engdahl says:
https://www.edn.com/how-shift-left-helps-secure-todays-connected-embedded-systems/
Tomi Engdahl says:
https://pentestmag.com/modbus-traffic-capture-analysis-free-course-content/
Tomi Engdahl says:
Lessons Learned From Examining More Than a Decade of Public ICS/OT Exploits https://www.dragos.com/blog/industry-news/lessons-learned-from-examining-decade-of-public-ics-ot-exploits-data/
report:
https://hub.dragos.com/hubfs/Whitepapers/Examining%20Public%20ICS%20OT%20Exploits%20-%20Dragos%202021.pdf?hsLang=en
Tomi Engdahl says:
Facebook bans academics who researched ad transparency and misinformation on Facebook https://www.theverge.com/2021/8/4/22609020/facebook-bans-academic-researchers-ad-transparency-misinformation-nyu-ad-observatory-plug-in
The researchers say their work is being silenced. Facebook has banned the personal accounts of academics who researched ad transparency and the spread of misinformation on the social network. Facebook says the group violated its terms of service by scraping user data without permission. But the academics say they are being silenced for exposing problems on Facebook’s platform.
How a fake network pushes pro-China propaganda
https://www.bbc.com/news/world-asia-china-58062630
A sprawling network of more than 350 fake social media profiles is pushing pro-China narratives and attempting to discredit those seen as opponents of China’s government, according to a new study. The aim is to delegitimise the West and boost China’s influence and image overseas, the report by the Centre for Information Resilience (CIR) suggests.
Tomi Engdahl says:
Black Hat: Security Bugs Allow Takeover of Capsule Hotel Rooms https://threatpost.com/security-bugs-takeover-capsule-hotel/168376/
A researcher was able to remotely control the lights, bed and ventilation in “smart” hotel rooms via Nasnos vulnerabilities.
Tomi Engdahl says:
Multiple vulnerabilities found in the NicheStack TCP/IP implementation
https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_22/2021
14 vulnerabilities were found in the NicheStack TCP/IP implementation, which is used especially in embedded systems. Two of the vulnerabilities published now are critical and allow remote command execution. Many manufacturers of embedded systems use this implementation in their own products.
Tomi Engdahl says:
Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitoring/
Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting. The key switch has become commonplace for automation engineers and technicians who maintain and support these systems and understand the importance of the little switch in overall device operation and how it affects the underlying process.
Tomi Engdahl says:
Trusted platform module security defeated in 30 minutes, no soldering required https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/
Sometimes, locking down a laptop with the latest defenses isn’t enough. Microsoft’s BitLocker, meanwhile, doesn’t use any of the encrypted communications features of the latest TPM standard. That meant if the researchers could tap into the connection between the TPM and the CPU, they might be able to extract the key.
Tomi Engdahl says:
- From stolen laptop to inside the company network https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network
To recap, we took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network. That is one way to go from stolen laptop to internal compromise.
Tomi Engdahl says:
2021 Global IoT Trends Report
https://www.newark.com/iot-trends-2021
We reached out to our global customer base with an IoT survey between September 2020 and December 2020. We got 2,095 completed questionnaires, primarily from engineers of IoT solutions, in 60 countries.
Tomi Engdahl says:
Scam-baiting YouTube channel Tech Support Scams taken offline by tech support scam https://www.theregister.com/2021/07/27/youtube_channel_tech_scam/
“So to prove that anyone can be scammed,” Browning announced via Twitter following the attack, “I was convinced to delete my YouTube channel because I was convinced I was talking [to YouTube] support. I never lost control of the channel, but the sneaky s**t managed to get me to delete the channel. Hope to recover soon.”
Tomi Engdahl says:
Top Routinely Exploited Vulnerabilities
https://us-cert.cisa.gov/ncas/alerts/aa21-209a
This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). This advisory provides details on the top 30 vulnerabilities, primarily Common Vulnerabilities and Exposures (CVEs), routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.
Tomi Engdahl says:
The 25 most dangerous software vulnerabilities to watch out for https://www.zdnet.com/article/the-25-most-dangerous-software-vulnerabilities-to-watch-out-for/
Top of the list with the highest score by some margin is CWE-787: Out-of-bounds Write, a vulnerability where software writes past the end, or before the beginning, of the intended buffer. Second in the list is CWE-79: Improper Neutralization of Input During Web Page Generation, a cross-site scripting vulnerability which doesn’t correctly neutralise inputs before being placed as outputs on a website. Third in the list is CWE-125: Out-of-bounds Read, a vulnerability which can allow attackers to read sensitive information from other memory locations or cause a crash.
It’s time for a Business Logic API Security Testing Approach https://thehackernews.com/2021/07/wake-up-identify-api-vulnerabilities.html
To do this, you must find ways to simplify and streamline your organization’s API security testing, integrating and enforcing API security testing standards within the development cycle. This way, along with runtime monitoring, the security team can gain visibility into all known vulnerabilities in one place. As a bonus, taking steps to shift-left API security testing will cut costs and accelerate time to remediation.
Tomi Engdahl says:
Zero trust architecture design principles 1.0 launched.
https://www.ncsc.gov.uk/blog-post/zero-trust-1-0
The eight principles outlined in our guidance will help you to implement your own zero trust network architecture in an enterprise environment. The principles are: Know your architecture, including users, devices, services and data. Know your User, Service and Device identities. Assess your user behaviour, device and service health. Use policies to authorise requests. Authenticate & Authorise everywhere. Focus your monitoring on users, devices and services. Don’t trust any network, including your own. Choose services designed for zero trust.
Tomi Engdahl says:
Top Organizations on GitHub Vulnerable to Dependency Confusion Attacks https://redhuntlabs.com/blog/top-organizations-on-github-vulnerable-to-dependency-confusion-attack.html
On analyzing these repositories, we found that 93 repositories out of the Top 1000 GitHub Organizations are using a package that doesn’t exist on a public package index, which can be claimed by an attacker to cause a supply chain attack. On similar lines, we observed that 169 repositories were found to be installing dependencies from a host that isn’t reachable over the internet and 126 repositories were installing packages owned by a GitHub/GitLab user that doesn’t exist.
Tomi Engdahl says:
Significant Historical Cyber-Intrusion Campaigns Targeting ICS https://us-cert.cisa.gov/ncas/current-activity/2021/07/20/significant-historical-cyber-intrusion-campaigns-targeting-ics
To raise awareness of the risks to, and improve the cyber protection of, critical infrastructure, CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory as well as updates to five alerts and advisories. These alerts and advisories contain information on historical cyber-intrusion campaigns that have targeted ICS.
Tomi Engdahl says:
Verifiable design in modern systems
https://security.googleblog.com/2021/07/verifiable-design-in-modern-systems.html
The way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software. One of the ways we can do that is by designing software so that you can get cryptographic certainty of what the software has done. In this post, we’ll introduce the concept of verifiable data structures that help us get this cryptographic certainty. We’ll describe some existing and new applications of verifiable data structures, and provide some additional resources we have created to help you use them in your own applications.
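The post above talks about verifiable data structures without showing one. The block below is an added example (not code from the Google post or from any Google project) of the basic building block behind verifiable logs: a Merkle tree over a constructed sample log, with an inclusion proof a client can check against the published root. Leaf and node hashes use the 0x00/0x01 domain-separation prefixes from the RFC 6962 convention; the pairwise tree shape with odd-node promotion is a simplification and not RFC 6962's exact layout.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample log: the records a verifiable log would commit to.
LOG = [
    b"2021-07-01 build 1.4.2 signed by ci-key-1",
    b"2021-07-02 build 1.4.3 signed by ci-key-1",
    b"2021-07-03 build 1.4.4 signed by ci-key-2",
    b"2021-07-04 build 1.5.0 signed by ci-key-2",
    b"2021-07-05 build 1.5.1 signed by ci-key-2",
]


def hash_leaf(data: bytes) -> bytes:
    # 0x00 prefix: a leaf hash can never collide with an interior node hash.
    return hashlib.sha256(b"\x00" + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes (second-preimage defence).
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels of the tree, leaves first and the root last.
    An unpaired node at the end of a level is promoted unchanged."""
    if not leaves:
        raise ValueError("empty tree")
    levels = [[hash_leaf(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(hash_node(cur[i], cur[i + 1]))
            else:
                nxt.append(cur[i])  # odd node carried up as-is
        levels.append(nxt)
    return levels


def root(leaves: List[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes from the leaf up to (not including) the root.
    Each entry says on which side ('L' or 'R') the sibling sits."""
    levels = build_levels(leaves)
    proof = []
    i = index
    for level in levels[:-1]:
        sibling = i ^ 1
        if sibling < len(level):  # no sibling when the node was promoted
            proof.append(("L" if sibling < i else "R", level[sibling]))
        i //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: List[Tuple[str, bytes]], expected_root: bytes) -> bool:
    """Recompute the path to the root; the verifier needs only the leaf,
    the proof and the root it already trusts, not the whole log."""
    h = hash_leaf(leaf)
    for side, sibling in proof:
        h = hash_node(sibling, h) if side == "L" else hash_node(h, sibling)
    return h == expected_root


def demo() -> Dict[str, bool]:
    r = root(LOG)
    proof = inclusion_proof(LOG, 2)
    return {
        "genuine_entry_verifies": verify_inclusion(LOG[2], proof, r),
        "forged_entry_rejected": not verify_inclusion(b"forged record", proof, r),
        "append_changes_root": root(LOG + [b"2021-07-06 build 1.5.2"]) != r,
    }


if __name__ == "__main__":
    print(demo())
```

The root is the only thing a client has to obtain out of band; once it has a root it trusts, any party can hand it a log entry plus a short proof and the client can check, without trusting that party, that the entry really is in the log.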
Tomi Engdahl says:
TSA Pipeline Security Guideline Update
https://www.dragos.com/blog/industry-news/tsa-pipeline-security-guideline-update/
In the United States, CISA identifies 16 critical infrastructure sectors considered vital to our economy and way of life. Energy is one of the critical sectors and is quite literally the lifeline that every other sector depends on. The energy sector is made up of the electric and oil and natural gas subsectors. While the electric subsector has for over a decade had minimum mandatory cybersecurity requirements, there have been understandable challenges in implementing similar standards for the oil and natural gas subsector.
Tomi Engdahl says:
Web shells: How can we get rid of them and why law enforcement is not really the answer https://www.gdatasoftware.com/blog/webshells
Microsoft recorded a total of 144,000 web shell attacks between August 2020 and January 2021. Web shells are very light programmes (scripts) that hackers install to either attack affected websites or web-facing services or prepare a future attack. A web shell allows hackers to execute standard commands on web servers that have been compromised.
Web shells use code such as PHP, JSP or ASP for this purpose. When the web shells are successfully installed, the hackers are able to execute the same commands as the administrators of the website can. They can also execute commands that steal data, install malicious code and provide system information that allows hackers to penetrate deeper into networks.
Tomi Engdahl says:
The Challenges of Vulnerability Management in OT Environments https://www.dragos.com/blog/the-challenges-of-vulnerability-management-in-ot-environments/
After careful analysis and field validation, Dragos has found that publicly announced vulnerability severity scores are often inaccurate, incomplete and lack both context and guidance. This means that industrial teams are struggling with how to interpret and apply them in their environments and spending too much time chasing the wrong issues. Whitepaper at https://hub.dragos.com/hubfs/Whitepapers/Understanding%20the%20Challenges%20of%20OT%20Vulnerability%20Management%20and%20How%20to%20Tackle%20Them%20-%20Dragos%202021.pdf
Tomi Engdahl says:
August 2021 ICS Patch Tuesday: Siemens, Schneider Address Over 50 Flaws
https://www.securityweek.com/august-2021-ics-patch-tuesday-siemens-schneider-address-over-50-flaws
Siemens and Schneider Electric on Tuesday released 18 security advisories addressing a total of more than 50 vulnerabilities affecting their products.
The vendors have provided patches, mitigations, and general security recommendations for reducing the risk of attacks.
Tomi Engdahl says:
Leading Threat to Industrial Security is Not What You Think
https://www.securityweek.com/leading-threat-industrial-security-not-what-you-think
As attackers become more sophisticated, so do their attacks. This in turn exposes threat vectors that once were thought to be well protected, or at least not interesting enough to attack. Nowhere is this truer than in industrial control systems (ICS) environments.
The growing practice of connecting ICS to enterprise networks and the internet, driven by technologies such as IoT, edge computing and analytics platforms, has put ICS on the radar of cybercriminals.
ICS attacks can cause severe problems, ranging from supply chain disruption to physical damage to components and subsystems. What’s more, ICS traffic often contains proprietary data or information that has intrinsic value to business processes or workflows.
Securing ICS is more challenging than protecting traditional IT environments since ICS is insecure by design. ICS was originally conceived to be siloed from other IT systems, shared IT infrastructure and the outside world. These closed systems were considered immune from external threats, simply because they were “air gapped”.
Advances in IoT technologies and other IT centric systems made it logical to connect ICS to IT to garner numerous benefits. However, very few considered the implications of that connectivity, which cybercriminals are able to exploit. Especially the native insecurities of ICS, such as limited policies, a lack of access control provisions, weak password enforcement and infrequent patching. Perhaps the biggest threat to ICS is the fact that utility companies are such large targets – they are well known, cover large geographic areas, and their critical locations are all very public.
Consider the following attack vectors that can impact ICS.
Brute force attacks against weak passwords are something IT pros have been dealing with for years and have developed countermeasures against. However, most ICS systems lack policies around passwords, meaning that attacks may go unnoticed or unrecorded. Here, ICS operators need to learn what constitutes a brute force attack, identify the signs of such an attack, and implement controls to prevent damage. Processes that require knowledge, action, and response. Those processes must be taught.
Another attack vector is false data injection, whose primary goal is to disrupt ICS processes. In the IT world, DDoS (Distributed Denial of Service) attacks are focused on disruption. However, with ICS false data injection may take on a different characteristic, one that not only disrupts processing, but potentially damages physical equipment, or cascades to other devices. ICS operators must learn how to monitor for those types of attacks, create policies that can stem them, and remediate vulnerabilities they exploit.
Other attack vectors ICS is susceptible to include buffer overflows, command injection, PLC programming modifications, and many more. Dealing with those attacks requires knowledge of both ICS and IT, meaning that ICS operators must achieve the same level of cyber competency as their IT counterparts, while also applying their knowledge of the intricacies of ICS.
Simply put, organizations must put in place plans and policies to adequately train those that manage ICS, build realistic scenarios, and also provide a layer of anonymity for those responding to those threats.
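The article says operators must learn to monitor for false data injection but does not show what that monitoring looks like. Below is an added example (not from the SecurityWeek article or any vendor product) of a plausibility monitor over a constructed telemetry stream: each tag has an absolute range and a maximum physical rate of change, and readings that violate either are flagged. The tag name, sample values and limits are assumptions chosen for the illustration.

```python
from typing import Dict, List, Tuple

# Constructed telemetry: (timestamp in seconds, tag, value). TANK1_LEVEL is a
# tank level in percent sampled every 10 s; two of the readings are injected.
SAMPLES: List[Tuple[int, str, float]] = [
    (0, "TANK1_LEVEL", 40.0),
    (10, "TANK1_LEVEL", 40.5),
    (20, "TANK1_LEVEL", 41.0),
    (30, "TANK1_LEVEL", 95.0),   # injected: +54 points in 10 s, far above the fill rate
    (40, "TANK1_LEVEL", 41.5),
    (50, "TANK1_LEVEL", 150.0),  # injected: outside the 0-100 % range
    (60, "TANK1_LEVEL", 42.0),
]

# Per-tag plausibility limits (assumed engineering values): the absolute range
# and the fastest rate of change the physical process can produce, in units/s.
LIMITS: Dict[str, Dict[str, float]] = {
    "TANK1_LEVEL": {"min": 0.0, "max": 100.0, "max_rate": 1.0},
}


def check_stream(samples: List[Tuple[int, str, float]],
                 limits: Dict[str, Dict[str, float]]) -> List[Dict]:
    """Return one alert per implausible reading.

    A reading is implausible if it is outside the configured range, or if the
    change from the last plausible reading exceeds the physical rate limit.
    """
    last_good: Dict[str, Tuple[int, float]] = {}
    alerts: List[Dict] = []
    for ts, tag, value in samples:
        lim = limits.get(tag)
        if lim is None:
            continue  # no limits configured for this tag
        reason = None
        if not (lim["min"] <= value <= lim["max"]):
            reason = "out_of_range"
        elif tag in last_good:
            prev_ts, prev_val = last_good[tag]
            dt = ts - prev_ts
            if dt > 0 and abs(value - prev_val) / dt > lim["max_rate"]:
                reason = "rate_of_change"
        if reason:
            alerts.append({"ts": ts, "tag": tag, "value": value, "reason": reason})
        else:
            # Only plausible readings become the baseline, so a rejected
            # injected value does not make the next genuine reading alert too.
            last_good[tag] = (ts, value)
    return alerts


if __name__ == "__main__":
    for alert in check_stream(SAMPLES, LIMITS):
        print(alert)
```

Keeping the baseline at the last plausible reading is the important design choice: if the injected 95 % value were accepted as the new baseline, the genuine 41.5 % reading that follows would itself look like an impossible jump and generate a second, misleading alert.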
Tomi Engdahl says:
Philips study finds hospitals struggling to manage thousands of IoT devices https://www.zdnet.com/article/philips-study-finds-hospitals-struggling-to-manage-thousands-of-devices/
Working with cybersecurity company CyberMDX, researchers with Philips surveyed 130 IT healthcare decision-makers to figure out how they were managing the thousands of medical devices that populate most hospitals today.
Tomi Engdahl says:
What Is Zero Trust and Why Does It Matter?
https://www.trendmicro.com/en_us/ciso/21/h/what-is-zero-trust-and-why-does-it-matter.html
As the remote workforce expanded, so did the attack surface for cybercriminals, forcing security teams to pivot their strategy to effectively protect company resources. During this time of change, the hype around Zero Trust increased, but with several different interpretations of what it was and how it helps. Eric Skinner from Trend Micro gets real about the true intent of Zero Trust and how you can use it to better protect your organization.
Tomi Engdahl says:
How ‘shift left’ helps secure today’s connected embedded systems – EDN
https://www.edn.com/how-shift-left-helps-secure-todays-connected-embedded-systems/
DevSecOps—which stands for development security operations—expands on DevOps principles with a “shift left” principle, designing and testing for security early and continuously in each software iteration.
Defense-in-depth and the process model
Traditionally, the practice for secure embedded code verification has been largely reactive. Code is developed in accordance with relatively loose guidelines and then subjected to performance, penetration, load, and functional testing to identify vulnerabilities.
A more proactive approach ensures code is secure by design. That implies a systematic development process, where the code is written in accordance with secure coding standards, is traceable to security requirements, and is tested to demonstrate compliance with those requirements as development progresses.
One interpretation of this proactive approach integrates security-related best practices into the V-model software development lifecycle that is familiar to developers in the functional safety domain. The resulting secure software development life cycle (SSDLC) represents a shift left for security-focused application developers, ensuring that vulnerabilities are designed out of the system (Figure 1).
Shift left: What it means
The concepts behind the “shift left” principle should be familiar to anyone developing safety-critical applications because for many years, functional safety standards have demanded a similar approach. Consequently, the following best practices proven in the functional safety domain apply to security-critical applications as well:
Establish requirements at the outset
Undocumented requirements lead to miscommunication on all sides and create rework, changes, bug fixes, and security vulnerabilities. To ensure smooth project development, all team members must understand in the same way all parts of the product and the process of its development. Clearly defined functional and security requirements help ensure they do.
Tomi Engdahl says:
An EPYC escape: Case-study of a KVM breakout
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html
Tomi Engdahl says:
Rolling out your RBAC Infrastructure to Electrical Substations
https://www.linkedin.com/pulse/rolling-out-your-rbac-infrastructure-electrical-chaitanya-bisale?articleId=6694158507568197632
Tomi Engdahl says:
“Kill switch” revealed: Samsung blacked out televisions by remote management
South Africa demonstrates in a rare way what kind of power a manufacturer can have over its own devices.
https://www.is.fi/digitoday/art-2000008213266.html
Tomi Engdahl says:
Vulnerabilities Allow Hackers to Tamper With Doses Delivered by Medical Infusion Pumps
https://www.securityweek.com/vulnerabilities-allow-hackers-tamper-doses-delivered-medical-infusion-pumps
McAfee security researchers, in partnership with Culinda, identified a series of severe vulnerabilities in B. Braun’s Infusomat Space large volume infusion pump and SpaceStation system that they claim could potentially lead to dispensing potentially lethal doses of medication.
A total of five vulnerabilities were identified, the most severe of which carries a CVSS score of 9.7 and is tracked as CVE-2021-33885. The issue exists because the device doesn’t verify who is sending the commands, thus allowing a remote, unauthenticated attacker to send input to the device, which will use it instead of the correct data.
Next in line is CVE-2021-33886 (CVSS score of 8.2), where proprietary networking commands aren’t properly authenticated, thus allowing an attacker to reconfigure the device remotely.
The remaining three issues include CVE-2021-33886 (CVSS score of 7.7), which allows an attacker to gain user level command line access, CVE-2021-33883 (CVSS score of 7.1), where sensitive information is transmitted in clear text, and CVE-2021-33884 (CVSS score of 5.8), where an attacker could upload files to a directory.
Tomi Engdahl says:
Engineering Workstations Are Concerning Initial Access Vector in OT Attacks
https://www.securityweek.com/engineering-workstations-are-concerning-initial-access-vector-ot-attacks
Organizations that use industrial control systems (ICS) and other operational technology (OT) are increasingly concerned about cyber threats, and while they have taken steps to address risks, many don’t know if they have suffered a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks.
The SANS 2021 OT/ICS Cybersecurity Report is based on information provided by 480 individuals from a wide range of industries.
The survey conducted by SANS showed that nearly 70% of respondents believe the risk to their OT environment is high or severe, which is a significant increase from the 51% in 2019, when SANS conducted a similar survey.
https://www.nozominetworks.com/downloads/SANS-Survey-2021-OT-ICS-Cybersecurity-Nozomi-Networks.pdf
Tomi Engdahl says:
Flaws in John Deere Systems Show Agriculture’s Cyber Risk
John Deere, Researchers Spar Over Impact of Vulnerabilities
https://www.bankinfosecurity.com/flaws-in-john-deere-systems-show-agricultures-cyber-risk-a-17240
Tomi Engdahl says:
Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack
https://hackaday.com/2021/08/30/hacker-claims-honda-and-acura-vehicles-vulnerable-to-simple-replay-attack/
Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware.
It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations are that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.
https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patty
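The claim above is that no rolling code is implemented, so a recorded transmission stays valid. The block below is an added example (not from the Hackaday article or the linked repository) that models both designs side by side: a fixed-code receiver, which accepts a captured message again, and a rolling-code receiver, which authenticates an incrementing counter and refuses anything at or below the last accepted value. The message layout (4-byte counter plus a truncated HMAC-SHA256 tag), the resync window and the key are assumptions; production fobs use their own block-cipher-based schemes.

```python
import hashlib
import hmac
from typing import Dict

# Constructed shared secret; a real fob has it provisioned at manufacture.
KEY = b"example-fob-secret-not-a-real-key"


class FixedCodeFob:
    """Fixed-code fob: every press transmits the same bytes."""

    def __init__(self, token: bytes):
        self.token = token

    def press(self) -> bytes:
        return self.token


class FixedCodeReceiver:
    def __init__(self, token: bytes):
        self.token = token

    def accept(self, msg: bytes) -> bool:
        # A captured transmission is indistinguishable from a fresh one.
        return hmac.compare_digest(msg, self.token)


class RollingCodeFob:
    """Rolling-code fob: 4-byte big-endian counter + 8-byte HMAC tag over it."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        return ctr + tag


class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window  # how far ahead the fob may be (presses out of range)
        self.last = 0         # highest counter accepted so far

    def accept(self, msg: bytes) -> bool:
        if len(msg) != 12:
            return False
        ctr, tag = msg[:4], msg[4:]
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last:
            return False  # replay or out-of-order: already used this counter
        if counter - self.last > self.window:
            return False  # too far ahead: outside the resync window
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # counter not authenticated with the shared key
        self.last = counter
        return True


def demo() -> Dict[str, bool]:
    """Replay the same captured message against both receiver designs."""
    fixed_fob = FixedCodeFob(b"\x12\x34\x56\x78")
    fixed_rx = FixedCodeReceiver(b"\x12\x34\x56\x78")
    captured = fixed_fob.press()
    results = {
        "fixed_first": fixed_rx.accept(captured),
        "fixed_replay": fixed_rx.accept(captured),  # still accepted
    }
    rolling_fob = RollingCodeFob(KEY)
    rolling_rx = RollingCodeReceiver(KEY)
    captured = rolling_fob.press()
    results["rolling_first"] = rolling_rx.accept(captured)
    results["rolling_replay"] = rolling_rx.accept(captured)  # rejected
    results["rolling_next_press"] = rolling_rx.accept(rolling_fob.press())
    return results


if __name__ == "__main__":
    print(demo())
```

The resync window is the usual trade-off: it lets the receiver tolerate presses made out of range, but a window that is too large widens what an attacker who can forge tags could try, which is why the tag is keyed and not merely a checksum.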
Tomi Engdahl says:
Grim prediction: cyber murders will become reality in 4 years https://www.is.fi/digitoday/tietoturva/art-2000008239757.html
Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans
https://www.gartner.com/en/newsroom/press-releases/2021-07-21-gartner-predicts-by-2025-cyber-attackers-will-have-we
Organizations Can Reduce Risk by Implementing a Security Control Framework
By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans, according to Gartner, Inc.
Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.
Tomi Engdahl says:
https://pentestmag.com/how-to-secure-chromecast/
Tomi Engdahl says:
Samsung Can Remotely Disable Any of Its TVs Worldwide
The technology is called TV Block, and it’s pre-loaded on every Samsung TV.
https://uk.pcmag.com/tvs/135256/samsung-can-remotely-disable-any-of-its-tvs-worldwide
On July 11, a distribution center located in KwaZulu-Natal, South Africa was looted and an unknown number of Samsung televisions were stolen. However, all of those TVs are now useless as Samsung has revealed they are fitted with remote blocking technology.
What you may be surprised to hear is that Samsung can do this to any of its TVs, regardless of where they are in the world. The company admitted as much in its latest Samsung Newsroom post detailing how the TVs in South Africa were stolen and then disabled.
The technology is called TV Block and it’s “pre-loaded on all Samsung TV products.” Whenever a TV is confirmed as being stolen, Samsung logs the serial number of the TV and then waits for it to be connected to the internet. At that point a Samsung server is connected to by default, the serial number is checked, and if it’s on the list, “the blocking system is implemented, disabling all the television functions.”
Tomi Engdahl says:
IoT Attacks Skyrocket, Doubling in 6 Months https://threatpost.com/iot-attacks-doubling/169224/
According to a Kaspersky analysis of its telemetry from honeypots shared with Threatpost, the firm detected more than 1.5 billion IoT attacks up from 639 million during the previous half year, which is more than twice the volume.
Tomi Engdahl says:
Threat landscape for industrial automation systems in H1 2021 https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2021/104017/
Full report at
https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Threat-landscape-for-industrial-automation-systems-statistics-for-H1-2021-En.pdf
Tomi Engdahl says:
New maritime cyber security guidance for shipping companies and vessels https://shipowners.fi/wp-content/uploads/2021/09/WWW_Parhaat_ka%CC%88yta%CC%88nno%CC%88t_aluksille_SU.pdf
The Finnish Shipowners’ Association (Suomen Varustamot ry) and the Water Transport Pool (Vesikuljetuspooli), which is part of the National Emergency Supply Organisation, have published best-practice cyber security guidance for shipping companies and vessels. The guidance is based on an extensive joint study of maritime cyber security.
Tomi Engdahl says:
The ISO/SAE 21434 standard is the start of a long and tenuous journey that will inevitably see many design challenges along the way.
Read the full article: http://arw.li/6189y2zaW
#EDN #Cybersecurity
ISO/SAE 21434 auto cybersecurity standard: Dawn of a new era?
https://www.edn.com/iso-sae-21434-auto-cybersecurity-standard-dawn-of-a-new-era/?utm_source=edn_facebook&utm_medium=social&utm_campaign=Articles
The news about NXP Semiconductors certified by TÜV SÜD to comply with the new automotive cybersecurity standard ISO/SAE 21434 is the harbinger of a new era that could be reminiscent of how the ISO 26262 functional safety standard reshaped the automotive industry during the past decade. NXP claims to be the first chipmaker to have complied with the ISO/SAE 21434 standard.
Vehicle manufacturers must comply with the R155 automotive cybersecurity regulation for new vehicle type launches in Europe, Japan, and Korea from July 2022 onward; the new automotive cybersecurity standard will be crucial in implementing the R155 requirements across the automotive supply chain. ISO/SAE 21434 provides a rigorous framework intended to enable organizations to design vehicles that are protected against a variety of cybersecurity threats.
Unlike the ISO 26262 functional safety standard published in 2011, a standard for automotive cybersecurity has lagged behind. That, in turn, has been terrifying automotive companies since vehicles either already have or will have over-the-air (OTA) software updates. More broadly, as hackers have demonstrated time and again, security vulnerabilities can be introduced both in hardware and software flows.
Connected vehicles linked with external entities—other vehicles, smart city infrastructure, and the cloud—will inevitably require robust security measures to protect the vehicle, its systems, and the back-end networks. The ISO/SAE 21434 standard sets out a framework for effectively managing cybersecurity risks in electrical and electronic (E/E) systems in road vehicles.
Tomi Engdahl says:
Fully secured sub-gigahertz IoT radio
https://etn.fi/index.php/13-news/12562-taeysin-suojattu-iot-radio-alle-gigahertsiin
IoT operators want devices with long range that run for a long time on battery power and are 100 percent secured, so that sensitive data stays in the right hands. Silicon Labs answers these wishes with its new Secure Vault series system-on-chips.
Until now, chip security has been something the customer adds to the chips and applications after they come off the supplier’s production line. Now SiLabs gives customers the option of bringing security into their chips already at the factory.
This means that the customer can change product numbers, add encryption keys and certificates, add or remove functions according to their own needs, and so on. With this, the company offers the first fully secured SoCs for sub-gigahertz IoT connectivity, whatever radio protocol is in use.
The first chips of the new generation are the ERF32 series FG23 and ZG23 chips.
Tomi Engdahl says:
Completely reliable PUF protection for IoT devices
https://etn.fi/index.php/13-news/12582-iot-laitteille-taeysin-varma-puf-suojaus
The only completely reliable technique for protecting, for example, the encryption keys of controllers is PUF (physically unclonable function). There is no digitally stored encryption key that could be copied. Maxim Integrated Products, now part of Analog Devices, has introduced the lowest-power PUF controller on the market.
The MAXQ1065 security processor offers turnkey cryptographic functions for, for example, mutual authentication of devices, secure boot, secure firmware update and secure communication. It includes standard algorithms for key exchange and bulk encryption, or complete transport-layer TLS protection. The chip has 8 kilobytes of secure storage for user data, keys, certificates and counters, with user-defined access control and life-cycle management functions for IoT devices.
MAXQ1065
Ultra Low-Power Cryptographic Controller with ChipDNA™ for Embedded Devices
https://www.maximintegrated.com/en/products/embedded-security/secure-authenticators/MAXQ1065.html?utm_source=PR-Newswire&utm_medium=press-rels&utm_content=MAXQ1065&utm_campaign=FY22_Q1_2021_SEP_MSS-SecAuth_WW_PRDFOL-MAXQ1065_EN
Tomi Engdahl says:
Many Hikvision Cameras Exposed to Attacks Due to Critical Vulnerability
https://www.securityweek.com/many-hikvision-cameras-exposed-attacks-due-critical-vulnerability
More than 70 Hikvision camera and NVR models are affected by a critical vulnerability that can allow hackers to remotely take control of devices without any user interaction.
The flaw, tracked as CVE-2021-36260, was discovered by a researcher who uses the online moniker “Watchful IP.” The researcher published a blog post over the weekend, but has not made public any technical details to prevent abuse.
The vulnerability can be exploited to gain root access and take full control of a device. An attacker could also use compromised devices to access internal networks.
“Given the deployment of these cameras at sensitive sites potentially even critical infrastructure is at risk,” the researcher warned.
“Only access to the http(s) server port (typically 80/443) is needed,” the researcher added. “No username or password needed nor any actions need to be initiated by the camera owner. It will not be detectable by any logging on the camera itself.”
Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)
https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
Tomi Engdahl says:
https://etn.fi/index.php/13-news/12541-autoille-tuli-kyberturvastandardi
The first cybersecurity standard for cars has been drawn up. NXP says it is the first semiconductor supplier that Germany's TÜV SÜD has certified as compliant with the new cybersecurity standard ISO/SAE 21434.
The goal of the cybersecurity standard is to provide connected vehicles with robust protection against malicious cyberattacks. The standard requires that OEMs and their supply chains apply a by-design approach to their components, servers and processes in order to reduce the risk of being exposed to attacks at any stage of the vehicle's service life, from the initial concept and design phase all the way to the end of its lifecycle.
Why this matters: From July 2022, car manufacturers must comply with the R155 vehicle cybersecurity regulation for launches of new vehicle types in Europe, Japan and Korea, which together represent more than a third of global vehicle production. Other regions are expected to follow.
Tomi Engdahl says:
Already one and a half billion attacks on smart devices
https://etn.fi/index.php/13-news/12551-aelylaitteisiin-jo-puolitoista-miljardia-hyoekkaeystae
In the first half of 2021, smart devices were the target of 1.5 billion attacks. According to security company Kaspersky, the number of attacks against IoT devices grew by more than one hundred percent during the first six months of 2021.
In the preceding half year, 639 million attacks were observed, so the number has more than doubled. According to Kaspersky, it should be noted that the problem does not concern private individuals alone. Because millions of people are still working from home, cybercriminals target corporate resources through home networks and the smart devices in homes.
Kaspersky observed that the outcome of real-world attacks on IoT devices is evolving. Infected devices are used to steal personal or corporate data and to mine cryptocurrencies, in addition to the traditional DDoS attacks in which a bot is installed on the devices.
Tomi Engdahl says:
How do you take down a destroyer with numbers?
https://www.vice.com/en/article/3dk58b/why-were-not-allowed-to-divide-by-zero?