https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,724 Comments
Tomi Engdahl says:
Criminals Can’t Wait to Add Your IoT Device to Their DDoS Networks
https://www.bitdefender.com/blog/hotforsecurity/criminals-cant-wait-to-add-your-iot-device-to-their-ddos-networks/
The idea that our IoT devices might present an attractive target may seem ridiculous. What could attackers achieve by compromising my vacuum cleaner or my smart TV? Well, it turns out that simple access to those devices is a coveted prize.
Whether we’re aware or not, our homes have become smart hubs filled with intelligent devices. We have smart TVs (some with really powerful hardware), vacuums, washing machines, speakers, personal assistants, streaming devices, surveillance cameras, network-attached devices (NAS), smartphones and PCs. And that only scratches the surface of what people have inside their homes.
Any of these devices might have vulnerabilities that would allow attackers to take control or at least compromise them. While we can’t compare a compromised PC with a compromised washing machine, it doesn’t mean that laundry appliance holds no interest.
Tomi Engdahl says:
The security of the world's lowest-power Wi-Fi chip has been certified
https://etn.fi/index.php/13-news/12782-maailman-vaehaevirtaisimman-wifi-piirin-tietoturva-sertifioitiin
In the summer, Wi-Fi-based IoT chips got their own test for measuring their power consumption. The DA16200 chip from Dialog Semiconductor, now part of Renesas, has so far achieved the lowest, i.e. best, figures. Now the chip has received PSA Certified status guaranteeing its security, but what does that mean?
The matter is not entirely simple. PSA Certified (Platform Security Architecture) is a program launched by Arm in 2017 in which the security of microchips is certified on a 3-level scale. Because Arm controllers are so widely used, the certification has largely become a de facto stamp of how secure chips are.
The PSA classification has three main categories. Level 1 means a review of the documentation and interviews of the manufacturers/designers by a certification laboratory. At level 2 the chip is tested at the source-code level, and at level 3 an attempt is made to physically penetrate the chip.
Dialog Semiconductor's DA16200 chip has received PSA Level 1 (v2.1) certification. From the manufacturer's point of view, PSA certification of the chip's security is of course a good thing, since it guarantees that certain security requirements are met.
Tomi Engdahl says:
Planning to buy an IoT device? Think again
https://etn.fi/index.php/13-news/12791-aiotko-ostaa-iot-laitteen-mieti-uudestaan
Internet-connected gadgets and toys are a popular item on many users' wish lists, as over 88 percent of people already use IoT devices at home. Cybersecurity experts, however, warn that these devices have a huge number of security holes, which criminals also exploit.
There is even a joke about it: "The S in IoT stands for security". – It is best to think before bringing a new IoT device home, since it can easily compromise the whole network, says Daniel Markuson, digital security expert at NordVPN.
Globally, 1.5 billion attacks were made against IoT devices during the first six months of 2021. The most significant of the recent attacks happened in March 2021, when a group of hackers gained access to 150,000 Verkada indoor smart security cameras.
The cameras were in hospitals, companies, police stations, prisons and schools. As a result, the criminals could see video from women's health clinics, psychiatric hospitals, Tesla factories and Verkada's own offices.
Tomi Engdahl says:
New Critical Vulnerabilities Found on Nucleus TCP/IP Stack https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/
Forescout Research Labs, with support from Medigate Labs, have discovered a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. The new vulnerabilities allow for remote code execution, denial of service, and information leak. Nucleus is used in safety-critical devices, such as anesthesia machines, patient monitors and others in healthcare.
Forescout Research Labs is committed to supporting vendors in identifying affected products (our open-source TCP/IP stack detector can be helpful in this respect) and to sharing our findings with the cybersecurity community.
Tomi Engdahl says:
Multiple BusyBox Security Bugs Threaten Embedded Linux Devices
https://threatpost.com/busybox-security-bugs-linux-devices/176098/
Researchers discovered 14 vulnerabilities in the ‘Swiss Army Knife’ of the embedded OS used in many OT and IoT environments. They allow RCE, denial of service and data leaks.
Tomi Engdahl says:
The future of OT security in an IT-OT converged world https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
Tomi Engdahl says:
Many Healthcare, OT Systems Exposed to Attacks by NUCLEUS:13 Vulnerabilities
https://www.securityweek.com/many-healthcare-ot-systems-exposed-attacks-nucleus13-vulnerabilities
A series of 13 vulnerabilities identified in the Nucleus TCP/IP stack could be exploited to execute code remotely, cause a denial of service condition, or to obtain sensitive information, enterprise device security firm Forescout warns.
Collectively referred to as NUCLEUS:13, the issues likely affect safety-critical devices, such as anesthesia machines, patient monitors and other types of devices used in healthcare. Other types of operational technology (OT) systems are also impacted.
The most important of the newly identified issues is CVE-2021-31886 (CVSS score of 9.8), a stack-based buffer overflow that exists because the FTP server fails to properly validate the length of the “USER” command. An attacker could exploit the vulnerability to cause a denial of service (DoS) condition or to achieve remote code execution.
Two other similar issues in the FTP server (related to the improper validation of the length of the “PWD/XPWD” and “MKD/XMKD” commands) were assessed with a severity rating of high.
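As an added illustration of the bug class described above (not Nucleus code and not from the article), the following C shows a fixed-buffer FTP command parser in the unsafe form beside a hardened one that validates the argument length before copying; FTP_ARG_MAX, the function names and the sample command lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size argument buffer, typical for an embedded FTP server. */
#define FTP_ARG_MAX 64

enum ftp_status { FTP_OK = 0, FTP_ERR_SYNTAX = 1, FTP_ERR_TOO_LONG = 2 };

/* Unsafe pattern (illustrative only): copies the USER argument into a fixed
 * stack buffer until end of line without checking that it fits, so an
 * over-long name overruns the buffer. Never feed it untrusted input. */
static void user_cmd_unsafe(const char *line, char out[FTP_ARG_MAX]) {
    const char *p = line + strlen("USER ");
    size_t i = 0;
    while (*p != '\r' && *p != '\n' && *p != '\0')
        out[i++] = *p++;            /* no bound on i: stack-based overflow */
    out[i] = '\0';
}

/* Hardened form: verify the command keyword, measure the argument up to the
 * line terminator, and refuse it before copying if it cannot fit. */
static enum ftp_status ftp_parse_arg(const char *line, const char *cmd,
                                     char *out, size_t out_len) {
    size_t clen = strlen(cmd);
    if (strncmp(line, cmd, clen) != 0 || line[clen] != ' ')
        return FTP_ERR_SYNTAX;
    const char *p = line + clen + 1;
    size_t n = strcspn(p, "\r\n");   /* argument length, excluding CR/LF */
    if (n == 0)
        return FTP_ERR_SYNTAX;
    if (n >= out_len)                 /* keep one byte for the terminator */
        return FTP_ERR_TOO_LONG;
    memcpy(out, p, n);
    out[n] = '\0';
    return FTP_OK;
}

/* Wrappers for commands named in the advisory; each parses into a local
 * FTP_ARG_MAX buffer and returns only the status. */
static enum ftp_status handle_user(const char *line) {
    char name[FTP_ARG_MAX];
    return ftp_parse_arg(line, "USER", name, sizeof name);
}
static enum ftp_status handle_mkd(const char *line) {
    char dir[FTP_ARG_MAX];
    enum ftp_status st = ftp_parse_arg(line, "MKD", dir, sizeof dir);
    if (st == FTP_ERR_SYNTAX)        /* XMKD is the RFC 775 alias of MKD */
        st = ftp_parse_arg(line, "XMKD", dir, sizeof dir);
    return st;
}

/* Constructed input: a USER line whose name (195 bytes) exceeds the buffer;
 * returns what the hardened parser does with it. */
static enum ftp_status demo_long_user(void) {
    char line[256];
    memset(line, 'A', sizeof line);
    memcpy(line, "USER ", 5);
    memcpy(line + 200, "\r\n", 3);   /* CRLF plus terminating NUL */
    return handle_user(line);
}

int main(void) {
    char buf[FTP_ARG_MAX];
    user_cmd_unsafe("USER alice\r\n", buf);   /* short input only */
    printf("unsafe parser got '%s'\n", buf);
    printf("USER alice -> %d, 195-byte USER -> %d, malformed line -> %d\n",
           handle_user("USER alice\r\n"), demo_long_user(),
           handle_user("USERalice\r\n"));
    return 0;
}
```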
Of the remaining bugs, nine are considered high severity and could be exploited to leak sensitive information or cause DoS conditions. The last issue in the set is a medium-severity bug in the ICMP that could be exploited to send ICMP echo reply messages to arbitrary network systems.
Some of these vulnerabilities, Forescout explains, were addressed in existing versions of the Nucleus TCP/IP stack, yet they were never issued CVE identifiers. Patches are available for all 13 security holes.
Developed by Accelerated Technology, Inc. (ATI) in 1993, Nucleus NET, the TCP/IP stack in the Nucleus real-time operating system (RTOS), is now owned by Siemens. Over its 28-year life, Nucleus has been deployed in devices across several verticals, including healthcare, automotive, and industrial systems.
Organizations are advised to identify within their environments all devices that are running Nucleus and apply the available patches or mitigations as soon as possible, as well as to ensure proper network segmentation is enforced. They should also monitor network traffic to identify any malicious packets and disable FTP/TFTP if not needed, or use switch-based DHCP control mechanisms.
https://www.forescout.com/resources/nucleus13-research-report-dissecting-the-nucleus-tcpip-stack/
Siemens has also published advisories describing the impact of the vulnerabilities on its own products.
https://www.securityweek.com/ics-patch-tuesday-siemens-and-schneider-electric-address-over-50-vulnerabilities-0
Tomi Engdahl says:
ICS, OT Cybersecurity Incidents Cost Some U.S. Firms Over $100 Million: Survey
https://www.securityweek.com/ics-ot-cybersecurity-incidents-cost-some-us-firms-over-100-million-survey
A report published on Wednesday by the Ponemon Institute and industrial cybersecurity firm Dragos shows that the average cost of a security incident impacting industrial control systems (ICS) or other operational technology (OT) systems is roughly $3 million, and some companies reported costs of over $100 million.
The report is based on data from a survey of 600 IT, IT security, and OT security practitioners conducted by the Ponemon Institute in the United States.
Twenty-nine percent of respondents admitted that their organization was hit by ransomware in the past two years, and more than half of them said they had paid an average ransom of more than $500,000. Some organizations reported paying more than $2 million.
Nearly two-thirds of respondents said they experienced an ICS/OT cybersecurity incident in the past two years. The most common causes were negligent insiders, a maintenance-related issue, or IT security incidents “overflowing” to the OT network due to poor segmentation between IT and OT.
On average, it took organizations 170 days to detect an incident, 66 days to investigate it, and 80 days to remediate the incident. A calculation based on the total number of hours it would take a team of six people to detect, investigate, and remediate an incident showed a total labor cost of nearly $1 million. Adding roughly $2 million for downtime, legal costs, regulatory fines, and equipment replacement results in an average total cost of approximately $3 million.
Of the companies that confirmed suffering an incident, 1% said the total cost of the ICS/OT incident exceeded $100 million, and 2% reported costs between $10 million and $100 million. Overall, 13% of respondents said the incident had cost them more than $1 million.
The report published by Dragos and Ponemon focuses on the “cultural divide” between IT and OT teams and its impact on their ability to secure both IT and OT environments.
2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide Between the IT & OT Teams
https://hub.dragos.com/hubfs/Reports/2021-Ponemon-Institute-State-of-Industrial-Cybersecurity-Report.pdf?hsLang=en
Tomi Engdahl says:
Over 90% of OT Organizations Experienced Cyber Incidents in Past Year: Report
https://www.securityweek.com/over-90-ot-organizations-experienced-cyber-incidents-past-year-report
A survey conducted recently by cybersecurity firm Fortinet showed that more than 90% of organizations that use operational technology (OT) systems have experienced some sort of cyber incident in the past year.
Fortinet’s 2021 State of Operational Technology and Cybersecurity Report is based on responses received in late February and early March from 100 people working for organizations with more than 2,500 employees in the manufacturing, energy and utilities, healthcare, and transportation sectors.
2021 The State of Operational Technology and Cybersecurity
https://www.fortinet.com/resources-campaign/operational-technology/2021-the-state-of-operational-technology-and-cybersecurity?utm_source=blog&utm_campaign=2021-the-state-of-operational-technology-and-cybersecurity
Tomi Engdahl says:
Several other issues were identified by the survey:
C-level executives and the board are not regularly informed about the efficiency, effectiveness, and security of their ICS/OT cybersecurity program;
Many senior managers lack awareness of the risks and threats to OT environments, which results in inadequate resource allocation;
Reporting relationships and accountability for OT security are not properly structured and become deterrents to investing in OT and ICS cybersecurity;
The level of cybersecurity maturity for ICS/OT is inadequate in many organizations.
https://www.securityweek.com/ics-ot-cybersecurity-incidents-cost-some-us-firms-over-100-million-survey
Tomi Engdahl says:
Intrusion Detection System Defends Vehicles Against Cyberattacks
Nov. 5, 2021
Researchers develop a method for building cyber resiliency into the CAN protocol.
https://www.machinedesign.com/automation-iiot/article/21180293/intrusion-detection-system-defends-vehicles-against-cyberattacks
https://www.electronicdesign.com/markets/automotive/article/21180522/machine-design-intrusion-detection-system-defends-vehicles-against-cyberattacks?utm_source=EG%20ED%20Auto%20Electronics&utm_medium=email&utm_campaign=CPS211028116&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
When a group of researchers issued early warning that they could remotely hack specific Ford and Toyota vehicles back in 2011, the automotive manufacturers responded with skepticism. There was no way hackers could launch remote attacks on their vehicles unless they had physical access to the vehicles, they clapped back.
It took a few more experiments, but the researchers responded with a paper in 2015 that outlined how a remote attack against an unaltered 2014 Jeep Cherokee resulted in physical control of some aspects of the vehicle’s communications systems. That paper demonstrated remote attacks can be staged against many Fiat-Chrysler vehicles, and subsequently led to a mass recall of 1.4 million vulnerable vehicles.
The rate of technological advancement in vehicles makes research into intrusion detection a burgeoning area of automotive cybersecurity research. It’s an area of focus for Southwest Research Institute, which has now developed an innovative technology that uses digital fingerprinting and algorithms to identify anomalies in communications across automotive systems and components.
The intrusion detection system (IDS) was designed to protect military ground vehicles against cyberthreats to embedded systems and connected vehicle networks, noted SwRI engineers, who are collaborating with the U.S. Army Ground Vehicle Systems Center (GVSC) Ground System Cyber Engineering (GSCE).
Military, passenger, and commercial vehicles use the standard Controller Area Network (CAN) bus protocol to enable communications across various nodes or electronic control units (ECUs).
Automakers have relied on the CAN protocol as a reliable platform for transmitting information since 1986. Its shortcoming, however, is that it was not designed with cybersecurity in mind.
There are many ways in which hackers may gain control of a vehicle. From cyber physical features (adaptive cruise control, lane departure warnings, park assist systems) to remote keyless entry, Bluetooth, Wi-Fi and radio data systems, connectivity with external networks has expanded exponentially.
“A cyberattack could potentially send erroneous information across the CAN protocol to alter or impede a vehicle’s operations,” said Jonathan Wolford, an SwRI engineer who co-authored a paper on the subject. “An attack on several connected vehicles could have disastrous effects.”
SwRI researchers report they’ve developed algorithms that can now digitally fingerprint messages on nodes that transmit information through the CAN bus protocol. Digital fingerprinting allows an intrusion detection system to identify when an unknown or invalid node or computer is connected to the vehicle network.
They explained that algorithms use the CAN transceiver’s message transmission to track low-level physical layer characteristics to create these digital fingerprints. Examples of such characteristics are minimum and maximum voltages and the voltage transition rates for each CAN frame.
Digital fingerprinting provides a method for accurately identifying messages sent from unauthorized nodes or when a valid node is sending spurious messages, indicative of a “masquerade attack,” they said. Once the system was trained, the engineers injected false data. The algorithms flagged the invasive data instantly. The system is capable of both identifying threats and defending against them, noted the researchers.
“These attacks are theoretically easier for bad actors who have physical access to a vehicle, but vehicles are also vulnerable from wireless attacks,” said Peter Moldenhauer, an SwRI engineer who co-authored the research. “Our system is designed to build cyber resiliency into the CAN protocol as we move to more connected and automated vehicle networks.”
The IDS system is applicable to military, passenger and commercial vehicles.
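An added sketch (not SwRI's system or code) of the fingerprinting idea in the comment above: per-ID statistics of the physical-layer features the article names are learned from benign frames, and a frame whose features fall outside the learned band for its ID is flagged as a masquerade. The feature values, the per-feature noise floor and the z-score threshold are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Per-frame physical-layer features (constructed units: volts, V/us). */
typedef struct { unsigned id; double vmin, vmax, slew; } can_feat;

#define MAX_IDS 8
#define NFEAT 3
#define NOISE_VAR 0.0004   /* assumed measurement noise floor: sd of 0.02 */

typedef struct { unsigned id; int n; double sum[NFEAT], sumsq[NFEAT]; } node_profile;
typedef struct { node_profile p[MAX_IDS]; int count; } fingerprint_db;

enum verdict { FRAME_OK = 0, FRAME_UNKNOWN_ID = 1, FRAME_MASQUERADE = 2 };

static void feat_vec(const can_feat *f, double v[NFEAT]) {
    v[0] = f->vmin; v[1] = f->vmax; v[2] = f->slew;
}

static node_profile *find_profile(fingerprint_db *db, unsigned id, int create) {
    for (int i = 0; i < db->count; i++)
        if (db->p[i].id == id) return &db->p[i];
    if (!create || db->count == MAX_IDS) return NULL;
    node_profile *np = &db->p[db->count++];
    memset(np, 0, sizeof *np);
    np->id = id;
    return np;
}

/* Training phase: accumulate the inputs for mean and variance per CAN ID. */
static void fp_train(fingerprint_db *db, const can_feat *f) {
    node_profile *np = find_profile(db, f->id, 1);
    if (!np) return;
    double v[NFEAT];
    feat_vec(f, v);
    np->n++;
    for (int k = 0; k < NFEAT; k++) {
        np->sum[k] += v[k];
        np->sumsq[k] += v[k] * v[k];
    }
}

/* Detection phase: z-score test of each feature against the ID's profile.
 * Squared comparison avoids sqrt; variance is floored at the noise level. */
static enum verdict fp_check(fingerprint_db *db, const can_feat *f, double zmax) {
    node_profile *np = find_profile(db, f->id, 0);
    if (!np || np->n < 2) return FRAME_UNKNOWN_ID;
    double v[NFEAT];
    feat_vec(f, v);
    for (int k = 0; k < NFEAT; k++) {
        double mean = np->sum[k] / np->n;
        double var = np->sumsq[k] / np->n - mean * mean;
        if (var < NOISE_VAR) var = NOISE_VAR;
        double d = v[k] - mean;
        if (d * d > zmax * zmax * var) return FRAME_MASQUERADE;
    }
    return FRAME_OK;
}

/* Constructed benign traffic: ECU A owns ID 0x100, ECU B owns ID 0x200. */
static void train_demo(fingerprint_db *db) {
    const can_feat benign[] = {
        {0x100, 1.48, 3.48, 0.98}, {0x100, 1.50, 3.50, 1.00}, {0x100, 1.52, 3.52, 1.02},
        {0x100, 1.49, 3.51, 0.99}, {0x100, 1.51, 3.49, 1.01},
        {0x200, 1.40, 3.60, 1.30}, {0x200, 1.42, 3.58, 1.28}, {0x200, 1.38, 3.62, 1.32},
    };
    memset(db, 0, sizeof *db);
    for (size_t i = 0; i < sizeof benign / sizeof benign[0]; i++)
        fp_train(db, &benign[i]);
}

/* Three probes: a genuine ECU A frame, a frame carrying ECU A's ID but ECU B's
 * electrical signature (masquerade), and an ID no trained node ever sent. */
static enum verdict demo_legit(void) {
    fingerprint_db db; train_demo(&db);
    can_feat f = {0x100, 1.51, 3.50, 1.00};
    return fp_check(&db, &f, 3.0);
}
static enum verdict demo_masquerade(void) {
    fingerprint_db db; train_demo(&db);
    can_feat f = {0x100, 1.40, 3.60, 1.30};
    return fp_check(&db, &f, 3.0);
}
static enum verdict demo_unknown(void) {
    fingerprint_db db; train_demo(&db);
    can_feat f = {0x300, 1.50, 3.50, 1.00};
    return fp_check(&db, &f, 3.0);
}

int main(void) {
    printf("legit=%d masquerade=%d unknown=%d\n",
           demo_legit(), demo_masquerade(), demo_unknown());
    return 0;
}
```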
Tomi Engdahl says:
Nearly 100 TCP/IP Stack Vulnerabilities Found During 18-Month Research Project
https://www.securityweek.com/nearly-100-tcpip-stack-vulnerabilities-found-during-18-month-research-project
An 18-month research project has resulted in the discovery of nearly 100 vulnerabilities across more than a dozen TCP/IP stacks.
The research, named Project Memoria, was conducted by enterprise device security firm Forescout in collaboration with others. It resulted in the discovery of the vulnerabilities tracked as Ripple20, AMNESIA:33, NUMBER:JACK, NAME:WRECK, INFRA:HALT, and NUCLEUS:13.
TCP/IP stacks are leveraged by a wide range of devices for communication, including medical products, industrial control systems (ICS), printers, and switches.
Researchers have identified a total of 97 vulnerabilities across 14 TCP/IP stacks, including ones that can be exploited for remote code execution, DoS attacks, or to obtain sensitive information. The flaws impact hundreds of products, with researchers estimating that there are roughly 3 billion vulnerable devices.
Project Memoria targeted a total of 15 TCP/IP stacks, including CycloneTCP, FNET, FreeBSD, IPnet, lwIP, MPLAB Net, NetX, NicheStack, NDKTCPIP, Nucleus NET, Nut/Net, picoTCP, Treck, uC/TCP-IP, and uIP. In only one of them, lwIP, researchers haven’t found any vulnerabilities.
Some of these TCP/IP stacks have been around for nearly 30 years, but they are still actively developed. While their developers continue to release patches for vulnerabilities, those patches often don’t make it to end user devices, in large part due to what researchers describe as “silent patching.” Silent patching refers to some developers fixing vulnerabilities without assigning CVE identifiers, which results in device vendors and their customers not knowing about the flaws.
“[Silently patched vulnerabilities] exist in very critical supply-chain software, so there are millions of devices out there that have been vulnerable for a long time without even their vendors knowing about it because other vendors chose to remain silent,” Forescout said in a report summarizing Project Memoria. “Silently patching a vulnerability does not mean that nobody will get to know about it: these issues tend to be rediscovered again and again.”
Concluding Project Memoria – Lessons Learned after 18 Months of Vulnerability Research
https://www.forescout.com/resources/project-memoria-lookback-report/
Tomi Engdahl says:
Millions of Routers, IoT Devices at Risk from New Open-Source Malware https://threatpost.com/routers-iot-open-source-malware/176270/
Discovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a blog post published Thursday. The malware, which is written in Golang, a language Google first published in 2007, works by creating a backdoor to the device. It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote.
BotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the ‘dlrs’ folder in which to load shell script files. If this folder is missing, BotenaGo stops the infection process.
In its last step before fully engaging, BotenaGo calls the function ‘scannerInitExploits’, “which initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,” Caspi wrote.
Tomi Engdahl says:
‘BotenaGo’ Malware Targets Routers, IoT Devices with Over 30 Exploits
https://www.securityweek.com/botenago-malware-targets-routers-iot-devices-over-30-exploits
A newly discovered Golang-based malware is using over 30 exploits in attacks, potentially putting millions of routers and Internet of Things (IoT) at risk of malware infection, according to a warning from AT&T Alien Labs.
Dubbed BotenaGo, the threat deploys a backdoor on the compromised device, and then waits for commands – either from a remote operator or a malicious module on the device – to initiate an attack.
As part of a typical BotenaGo attack, the malware first maps potential targets to attack functions, then queries the target with a GET request, after which it searches the returned data, and only then it attempts to exploit the vulnerable target.
On a compromised device, the malware creates two backdoor ports: 31412 and 19412, and starts listening on port 19412 to receive the victim’s IP. Next, it loops through mapped exploit functions to execute them with the supplied IP.
AT&T Alien Labs researchers have identified a total of 33 exploit functions that BotenaGo initiates.
One of the malware’s functions was designed to exploit CVE-2020-8958, a vulnerability that potentially affects over 2 million Guangzhou devices. Another one targets CVE-2020-10173, a vulnerability in the Comtrend VR-3033 routers that potentially impacts roughly 250,000 devices.
The threat also targets vulnerabilities in devices from DrayTek (CVE-2020-8515), D-Link (CVE-2015-2051, CVE-2020-9377, CVE-2016-11021, and CVE-2013-5223), Netgear (CVE-2016-1555, CVE-2016-6277, CVE-2017-6077, and CVE-2017-6334), GPON (CVE-2018-10561 and CVE-2018-10562), Linksys (CVE-2013-3307), XiongMai (CVE-2018-10088), TOTOLINK (CVE-2019-19824), Tenda (CVE-2020-10987), ZyXEL (CVE-2020-9054 and CVE-2017-18368) and ZTE (CVE-2014-2321).
“As payload, BotenaGo will execute remote shell commands on devices in which the vulnerability has been successfully exploited. Depending on the infected system, the malware uses different links, each with a different payload,” the researchers explain.
Tomi Engdahl says:
AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
AT&T Alien Labs has found new malware written in the open source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.
Tomi Engdahl says:
IoT Protocol Used by NASA, Siemens and Volkswagen Can Be Exploited by Hackers
https://www.securityweek.com/iot-protocol-used-nasa-siemens-and-volkswagen-can-be-exploited-hackers
Researchers Warn DDS Protocol Can Be Abused for Lateral Movement and Malware C&C
Researchers have shown that a widely used protocol named Data Distribution Service (DDS) is affected by vulnerabilities that could be exploited by threat actors for various purposes.
Maintained by the standards development organization Object Management Group (OMG), DDS is a middleware protocol and API standard for data connectivity that is advertised as ideal for business-critical IoT systems. DDS has been used in sectors such as public transportation, air traffic management, aerospace, autonomous driving, industrial robotics, medical devices, and missile and other military systems.
DDS has been used by organizations such as NASA, Siemens, and Volkswagen, as well as in the popular Robot Operating System (ROS).
There are both open source and closed source implementations of DDS, including by ADLINK Technology, Eclipse (CycloneDDS), eProsima (Fast DDS), OCI (OpenDDS), TwinOaks Computing (CoreDX DDS), Gurum Networks (GurumDDS), and RTI (Connext DDS).
The researchers disclosed some of their findings at the Black Hat Europe 2021 cybersecurity conference last week, with a research paper detailing their work being planned for early next year.
In the meantime, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an industrial control systems (ICS) advisory related to the research.
“CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks,” CISA said.
According to CISA, patches have been released for CycloneDDS, FastDDS, OpenDDS, Connext DDS, and CoreDX DDS. There do not appear to be any patches from Gurum, which the researchers said ignored several notification attempts.
ICS Advisory (ICSA-21-315-02)
Multiple Data Distribution Service (DDS) Implementations
https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02
1. EXECUTIVE SUMMARY
CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendors: Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), TwinOaks Computing
Equipment: CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, CoreDX DDS
Vulnerabilities: Write-what-where Condition, Improper Handling of Syntactically Invalid Structure, Network Amplification, Incorrect Calculation of Buffer Size, Heap-based Buffer Overflow, Improper Handling of Length Parameter Inconsistency, Amplification, Stack-based Buffer Overflow
CISA is aware of a public report detailing vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. This advisory addresses a vulnerability that originates within, and affects the implementation of, the DDS standard. In addition, this advisory addresses other vulnerabilities found within the DDS implementation. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
The following implementations of OMG DDS are affected:
Eclipse CycloneDDS: All versions prior to 0.8.0
eProsima Fast DDS: All versions prior to 2.4.0 (#2269)
GurumNetworks GurumDDS: All versions
Object Computing, Inc. (OCI) OpenDDS: All versions prior to 3.18.1
Real-Time Innovations (RTI) Connext DDS Professional and Connext DDS Secure: Versions 4.2x to 6.1.0
RTI Connext DDS Micro: Versions 3.0.0 and later
TwinOaks Computing CoreDX DDS: All versions prior to 5.9.1
Tomi Engdahl says:
Cloudflare Battles 2 Tbps DDoS Attack Launched by Mirai Botnet
https://www.securityweek.com/cloudflare-mitigates-2-tbps-ddos-attack-launched-mirai-botnet
Web security services provider Cloudflare says it mitigated a distributed denial-of-service (DDoS) attack that peaked at almost 2 terabytes per second (Tbps).
The multi-vector assault was launched by a botnet of approximately 15,000 machines infected with a variant of the original Mirai malware. The bots included Internet of Things (IoT) devices and GitLab instances, Cloudflare said in a new report.
GitLab instances ensnared into the botnet are affected by CVE-2021-22205, a critical (CVSS score of 10) vulnerability that was patched more than six months ago, but which continues to expose tens of thousands of systems.
The 2 Tbps DDoS attack only lasted one minute. The assault combined DNS amplification and UDP floods, the company said.
Cloudflare notes that it observed an overall increase in the number of terabit-strong DDoS attacks over the last quarter, and that network-layer incidents were up 44% quarter-over-quarter.
Tomi Engdahl says:
The self-driving smart suitcase that the person behind you can hijack!
https://nakedsecurity.sophos.com/2021/11/16/the-self-driving-smart-suitcase-that-the-person-behind-you-can-hijack/
The Internet of Things (IoT) has become infamous for providing us, in a worrying number of cases, with three outcomes:
Connected products that we didn’t know we needed.
Connected products that we purchased anyway.
Connected products that ended up disconnected in a cupboard.
To be fair, not all IoT products fall into all, some or even any of these categories, but there are many that have made it into at least one.
There was the home video camera with a “unique identifier” that wasn’t unique, leaving one couple from Australia who thought they both had access to view their own living room, but suddenly found that each of them was inadvertently spying on a different third party.
There was the surveillance system that showed an unwitting homeowner in England the outside of an unknown pub, which he eventually tracked down with the help of search engines and visited to enjoy a fortifying pint of ale.
At the pub, he took a selfie on his own phone of himself enjoying his drink… using the pub’s camera. (He showed the pic to the landlord, who shared both his amusement and his concern.)
And there was the $99 smart bike padlock – no more combinations to remember! no more fussing with keys in cold hands! – that allowed you to open your own lock with the official app (or with your fingerprint) in 0.8 seconds, or to open anyone’s lock with an unofficial app in just 2 seconds.
No hacksaw required
The padlock hackers (no literal hacking or hacksaws required) in the why-did-they-even-bother-to-call-it-a-lock story above were from well-known UK penetration testing outfit PTP, short for Pen Test Partners.
And when researchers at PTP come across a connected product that they didn’t know they needed…
…they immediately know they need it!
So when they spotted a digital suitcase called the Airwheel SR5, they simply had to get one, because who can resist a Bluetooth-enabled, self-driving robot suitcase? (We’re not making this up.)
Why drag your carry-on luggage behind you when you can simply strap on a Bluetooth wristband and let the luggage follow you through the airport, steering its way around obstacles (and, one hopes, other passengers, with or without their own self-driving luggage), thus saving you the hassle of dragging round all the extra weight that the suitcase needs, in the form of batteries and motors, to drag itself around for you?
Well, PTP quickly found out one reason why they might not trust the SR5 in a busy airport, namely that it wasn’t very accurate.
Once you’ve paired your SR5 with its supplied wristband so it will follow you around autonomously, you don’t really need (and might never bother) to use its other feature: letting you drive it around the airport concourse like an RC car, in a worryingly zippy fashion, using an app on your phone.
But if you don’t get around to installing the app and pairing it with your own suitcase…
…then anyone else can pair with it instead, even if you’ve instructed it to follow behind you.
By following your suitcase as it follows you, a suitcasejacker could pair their phone with your luggage and simply drive it off, without ever laying a hand on it, thanks to a hardwired pairing code.
See if you can guess the “secret” PIN.
Yes, that’s right, it’s: 11111111.
PTP also discovered that the suitcase firmware doesn’t seem to be digitally signed, which could allow rogue firmware updates (tracking beacons, anyone?), and that the company hasn’t yet managed to get its app into Google’s Play Store, forcing you to sideload it instead.
What to do?
If you can’t resist this self-driving suitcase, make sure you pair it with your own phone as well as with your wristband, so that fellow airport travellers can’t trivially hijack it.
If you’re a programmer, don’t use hardwired passwords. In fact, don’t enable remote pairing by default, either, to prevent unauthorised surprises. As PTP points out, picking a random password and putting a printout inside the suitcase before delivery would be a simple place to start. Home router vendors do this with their wireless access points these days, and it has largely eliminated the problem of default Wi-Fi credentials.
If you’re relying on an official Android app, do your best to get it into the Play Store first. Google Play is far from perfect at keeping malware out, but being unable to make the grade in the first place is not a good look for your product, and won’t encourage your customers to install it. Ironically, in this case (see what we did there?), you can’t secure your luggage against rogue pairing attempts without installing the unvetted app first.
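The fix the article and PTP describe (a random per-device pairing code printed inside the case, remote pairing off by default) and the ban on universal default passwords in the UK bill quoted further down the thread, shown as an added Python example; this is not code from Sophos, PTP or Airwheel, and the serials, blocklist and label format are constructed.

```python
"""Per-device pairing credentials instead of a universal default.

Added example (not code from Sophos, PTP or Airwheel): a random pairing
code is generated at manufacture, printed on a label for the case, and
stored on the device only as a salted hash; remote pairing stays
disabled until the owner enables it. Serials and blocklist are constructed.
"""
import hashlib
import hmac
import secrets
import string

# Constructed blocklist of universal defaults seen on consumer devices.
UNIVERSAL_DEFAULTS = {"11111111", "00000000", "12345678", "admin", "password", "1234"}

# Alphabet for printed codes: 0/O and 1/I dropped so labels are unambiguous.
LABEL_ALPHABET = "".join(
    c for c in string.ascii_uppercase + string.digits if c not in "01OI"
)

PBKDF2_ITERATIONS = 100_000


def is_weak_pairing_code(code: str) -> bool:
    """Reject codes a manufacturer must never ship: blocklisted,
    too short, a single repeated character, or a sequential digit run."""
    if code.lower() in UNIVERSAL_DEFAULTS or len(code) < 8:
        return True
    if len(set(code)) == 1:                      # e.g. 11111111
        return True
    if code.isdigit():
        steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
        if steps <= {1} or steps <= {-1}:        # e.g. 23456789 / 87654321
            return True
    return False


def generate_pairing_code(length: int = 12) -> str:
    """Cryptographically random code from the label alphabet; the loop
    guards against the (negligible) chance of drawing a weak code."""
    while True:
        code = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))
        if not is_weak_pairing_code(code):
            return code


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


def provision_device(serial: str) -> dict:
    """Factory step: one unique code per serial. The plaintext goes
    on the printed label only; the device stores salt + hash."""
    code = generate_pairing_code()
    salt = secrets.token_bytes(16)
    return {
        "serial": serial,
        "label": f"Serial {serial}  Pairing code: {code}",   # printout for the case
        "device_config": {
            "pairing_salt": salt.hex(),
            "pairing_hash": _hash_code(code, salt).hex(),
            "remote_pairing_enabled": False,   # owner must opt in via the app
        },
    }


def verify_pairing_code(device_config: dict, candidate: str) -> bool:
    """Device-side check: refuse while remote pairing is off, otherwise
    compare the candidate's hash in constant time."""
    if not device_config["remote_pairing_enabled"]:
        return False
    salt = bytes.fromhex(device_config["pairing_salt"])
    expected = bytes.fromhex(device_config["pairing_hash"])
    return hmac.compare_digest(_hash_code(candidate, salt), expected)


def code_from_label(label: str) -> str:
    """What the owner types from the printout."""
    return label.rsplit(": ", 1)[1]


if __name__ == "__main__":
    dev = provision_device("SR5-TEST-0001")       # constructed serial
    print(dev["label"])
    print("weak default 11111111 rejected:", is_weak_pairing_code("11111111"))
    dev["device_config"]["remote_pairing_enabled"] = True
    print("label code accepted:",
          verify_pairing_code(dev["device_config"], code_from_label(dev["label"])))
```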
Tomi Engdahl says:
Why is poor visibility a major problem for industries?
https://www.etteplan.com/stories/why-poor-visibility-major-problem-industries?utm_campaign=newsletter-6-2021&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D444350457342435846784742504471%7C29928913
Industrial companies around the world look for solutions to optimize business performance, increase productivity, and improve the user experience. But everywhere, there is a huge obstacle: heterogeneous equipment. Why is that a problem, and how can it be overcome?
Modernizing HMIs can have significant impact
In industrial automation, HMI monitors have been around for decades. HMIs installed in machines, production lines, and control rooms are important for visibility.
Human users can both monitor the situation and interact with equipment. But often, the user experience of HMIs is hopelessly outdated. End-users struggle with using and learning multiple different interfaces and with the lack of a comprehensive overview of the situation.
“Just integrating assets and combining it with HMI modernization is a very concrete way towards better visibility. Our customers have seen great results with doing this. End-users can see more actionable information of the production process, which improves their situational awareness and productivity,” Kari Jussila says.
Tomi Engdahl says:
https://threatpost.com/routers-iot-open-source-malware/176270/
Tomi Engdahl says:
NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures
https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-release-guidance-securing-5g-cloud-infrastructures
CISA has announced the joint National Security Agency (NSA) and CISA publication of the second of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual network, also known as Pods. The guidance provides several aspects of pod security including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection.
Tomi Engdahl says:
Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications
https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-designed-critical-industrial-applications
More than 20 vulnerabilities have been identified by Cisco’s Talos research and threat intelligence unit in a Lantronix Wi-Fi module designed for critical industrial and commercial applications.
The affected product, the PremierWave 2050 enterprise Wi-Fi module, delivers always-on 5G Wi-Fi connectivity, and is designed for mission-critical operations. According to the vendor’s website, it delivers enterprise-grade security.
However, Cisco Talos researchers discovered that the product is affected by a total of 21 vulnerabilities, a majority of which have been assigned critical or high severity ratings. Talos has published 18 separate advisories describing the vulnerabilities.
The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15.
Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion
https://blog.talosintelligence.com/2021/11/lantronix-premier-wave-vuln-spotlight.html
Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module.
There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2021/11/24/turvaluokitettu-ohjainsarja-iot-kehitykseen/
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/uk-cybersecurity-legislation-iot/
Tomi Engdahl says:
Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally
https://thehackernews.com/2021/11/eavesdropping-bugs-in-mediatek-chips.html
Tomi Engdahl says:
New cyber laws to protect people’s personal tech from hackers
https://www.gov.uk/government/news/new-cyber-laws-to-protect-peoples-personal-tech-from-hackers
Consumers will be better protected from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices thanks to a new world-leading law introduced today by the government.
Tomi Engdahl says:
https://www.enertec.fi/natiivi/2962/verkkohyokkaykset-uhkaavat-energia-alaa?fbclid=IwAR0utEr8tLodQlAXo7y9424TWbNLFGqG5J6rkN8kpKYA3NlidwlV9XIR9XE
Tomi Engdahl says:
Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
https://isc.sans.edu/diary/rss/28072
Over the past 7 days, my honeypot captured a few hundred POST requests for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware. If successfully exploited, it could allow unauthenticated remote actors to bypass authentication and add the router to the Mirai botnet.
Tomi Engdahl says:
UK Introduces New Cybersecurity Legislation for IoT Devices – Infosecurity Magazine
https://www.infosecurity-magazine.com/news/uk-cybersecurity-legislation-iot/
The UK government has today introduced new legislation to Parliament that aims to better protect consumers’ IoT devices from hackers.
The Product Security and Telecommunications Infrastructure (PSTI) Bill places new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The legislation will also apply to products that can connect to multiple other devices but not directly to the internet, like smart light bulbs and smart thermostats.
These requirements include banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered. In addition, these companies will have a duty to investigate compliance failures, produce statements of compliance and maintain appropriate records of this.
Failure to comply could result in heavy fines issued by a new regulator – up to £10m or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
Tomi Engdahl says:
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will deliver higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools. SolarWinds was more than a wakeup call for those realities.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Tomi Engdahl says:
Huge fines and a ban on default passwords in new UK law
https://www.bbc.com/news/technology-59400762
The government has introduced new legislation to protect smart devices in people’s homes from being hacked. Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines.
Tomi Engdahl says:
Quantum-Driven Hardware Security Solution Addresses End-to-End IoT Protection
Nov. 28, 2021
Crypto Quantique created a secure end-to-end IoT Cybersecurity platform using quantum-driven semiconductor hardware IP.
https://www.mwrf.com/techxchange/talks/video/21182245/quantumdriven-hardware-security-solution-addresses-endtoend-iot-protection
Tomi Engdahl says:
Cybersecurity Takes the Wheel as Auto Industry’s Top Priority
https://www.darkreading.com/vulnerabilities-threats/cybersecurity-takes-the-wheel-as-auto-industry-s-top-priority
Vehicle safety, which has long been a top concern for automotive companies, today equates to cybersecurity. That’s because now more than ever, vehicles run on software. They are fast-moving, highly connected data centers, part mainframe, and part mobile device, loaded with Internet of Things (IoT) devices. They are effectively mobile nodes operating at the edge of massive cloud infrastructure. And they will increasingly become targets for cyberattackers.
Tomi Engdahl says:
Volume of Attacks on IoT/OT Devices Increasing: Microsoft Study
https://www.securityweek.com/volume-attacks-iotot-devices-increasing-microsoft-study
The volume of attacks on IoT and OT devices is increasing and in many cases these systems were specifically targeted by threat actors, according to a new study commissioned by Microsoft.
Forty-four percent of the more than 600 respondents who took part in a survey said their organization experienced a cyber incident that involved an IoT or OT device in the past two years. Thirty-nine percent said such a device was the target of the attack and 35% said the device was leveraged to conduct a broader attack — this includes lateral movement, detection evasion and persistence.
IoT and OT devices may be specifically targeted by attackers with the intent to cause disruption. One example provided by Microsoft involves human-operated ransomware attacks that disrupt production in an organization.
Half of respondents said the volume of attacks against IoT/OT devices in their organization “increased” or “significantly increased” in the past 12 to 24 months. Moreover, fewer than 20% of respondents believe the volume of attacks will decrease in the upcoming period.
Microsoft’s study also confirms that industrial systems are in many cases not isolated from the internet or the IT network. Roughly half of respondents said their OT network is connected to the corporate IT network, and 56% admitted that their OT network is directly connected to the internet.
While 55% of respondents believe IoT and OT products are not secure by design, 47% are relying on the manufacturer to secure these devices.
The State of IoT and OT Cybersecurity in the Enterprise
https://www.microsoft.com/en-us/download/details.aspx?id=103698
Tomi Engdahl says:
‘Moobot’ Botnet Targets Hikvision Devices via Recent Vulnerability
https://www.securityweek.com/moobot-botnet-targets-hikvision-devices-recent-vulnerability
A Mirai-based botnet dubbed ‘Moobot’ is attempting to exploit a recently addressed vulnerability that affects many Hikvision products, according to Fortinet’s FortiGuard Labs.
Tracked as CVE-2021-36260 and affecting over 70 cameras and NVRs from Hikvision, the critical-severity bug can be exploited to gain root access and completely take over vulnerable devices, without any form of user interaction.
Tomi Engdahl says:
How the 3G Shutdown in 2022 Could Screw Your Car
Smartphones are getting faster, but some older connected cars may lose service forever.
https://www.thedrive.com/tech/43187/how-the-3g-shutdown-in-2022-could-screw-your-car
Tomi Engdahl says:
Edge Security in an Insecure World
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
Edge Computing in a Nutshell
Edge computing is a paradigm of shifting centralized compute resources closer to the source of data. This produces a number of benefits including:
Disconnected operation
Faster response time
Improved balance of compute needs across the spectrum
Tomi Engdahl says:
Limes Security – KNXlock
https://limessecurity.com/en/knxlock/
In October 2021 we received an interesting request for help from a German engineering company. The company, providing electrical and automation engineering services for various industrial cases, was having an issue with one of their customers: They had been contracted at some point to engineer the building automation system of a mid-sized site. They built the system based on the so-called KNX technology, which is a building automation standard that is very common throughout Europe. KNX is a very powerful standard, as it allows one to engineer and manage everything from small to very large building sites. Control system devices which are publicly accessible on the internet have been a known problem that security experts have been pointing out for a decade already. What made this attack campaign interesting was that it was executed using unique, control system-technology specific aspects.
Tomi Engdahl says:
5 Ways to Reduce the Risk of Ransomware to Your OT Network
https://www.securityweek.com/5-ways-reduce-risk-ransomware-your-ot-network
In the last year and a half, we’ve seen an unprecedented increase in ransomware attacks on Operational Technology (OT) networks. While this surge is generating a lot of press coverage, it was something that experts within our industry have been anticipating for a while. In fact, I presented on the topic of ransomware and destructive attacks at RSAC 2018, together with a host of security leaders from the public and private sector.
Evidence of nation-state actors targeting OT networks had been building. But in 2017, NotPetya showed the world that the accidental spill-over of ransomware into OT networks could have disastrous consequences. Operations came to a standstill at multinational corporations across a wide swath of sectors including healthcare, energy, and transportation, resulting in an estimated $10 billion in damages. It was only a matter of time for cybercriminals to realize that OT networks are critical to operations, and therefore extremely valuable.
Revenue is generated and customers’ lives are improved when OT networks are up and running. If ransomware attacks specifically targeted industrial environments, the outcome could be loss of availability of those systems, thus impacting the core business of the company. Even a partial loss of view for human operators into network activity would necessitate a shutdown of the process due to product quality or safety concerns. Ultimately, any risk of disruption to physical processes can lead to loss in productivity and revenue and, in some cases, could lead to loss of life as well.
Most recently, U.S. government agencies acknowledged that BlackMatter is a possible rebrand of DarkSide, the group that attacked Colonial Pipeline and has since targeted multiple U.S. critical infrastructure entities, including two in the food and agriculture sector. Whether a rebrand, or an offshoot as some security experts argue, the group demonstrates the resolve of nation-state actors to continue to disrupt consumer access to critical infrastructure services and thus the economy and daily life for millions of people.
What can defenders do in this new reality to strengthen the security posture of their OT environments? Here are five recommendations every CISO should consider:
1. Extend the scope of your risk governance to include anything that is a cyber-physical asset. This includes all Industrial IoT, industrial control system (ICS), and Enterprise IoT components. Of course, this is a challenging step for many organizations since it’s not an easy task to even identify those assets.
2. Make sure that you have proper segmentation between IT and OT networks. There are many business processes and applications that need to communicate across the IT/OT boundary, so we need to ensure this is done in a secure way. This simple step usually gets taken for granted, but it shouldn’t. In addition to the IT/OT segmentation, deploy virtual segmentation to zones within the OT environment – this will help detect lateral movement within the OT networks.
3. Practice good cyber hygiene. Ensure that your hygiene extends to OT and IoT devices. This includes the use of strong passwords (and not sharing passwords amongst different users, a practice that is common in industrial operations), a password vault, and multi-factor authentication. Some processes, like patching legacy systems, might be more challenging or not possible. If that is the case, identify and implement compensating controls such as firewall rules and access control lists.
4. Implement a robust system monitoring program. This means monitoring for threats in both IT and OT networks and anything that is traversing that boundary. Agentless solutions that are purpose-built for continuous threat monitoring across the OT network can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information, these teams take specific steps to manage and mitigate risk from both known and unknown, emerging threats.
5. Run exercises on your incident response plan. Running tabletop exercises of ransomware attacks can help you understand your organizational and technical preparedness. This affords you an opportunity to create an improved incident response plan and will build confidence in your preparedness and resilience to such attacks.
Ransomware attacks are disrupting pipelines, processing plants, and food distribution. And although none of these attacks appear to have impacted the OT environment directly – it is only a matter of time.
Tomi Engdahl says:
Smart Meter Hacking – Introduction
https://m.youtube.com/watch?v=gYowTR3Dfdk
Tomi Engdahl says:
IoT under attack: Security is still not good enough on these edge devices
Most enterprises don’t have visibility into the IoT devices that are being attacked by hackers who want to breach corporate IT networks.
https://www.zdnet.com/article/iot-under-attack-security-is-still-good-not-enough-on-these-edge-devices/
Tomi Engdahl says:
Honeypot experiment reveals what hackers want from IoT devices
https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-what-hackers-want-from-iot-devices/
A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. More specifically, the honeypot was meant to create a sufficiently diverse ecosystem and cluster the generated data in a way that determines the goals of adversaries. Research paper: https://arxiv.org/pdf/2112.10974.pdf
Tomi Engdahl says:
Convergence or overlap? Understanding the IT/OT relationship
With the increasing number of industrial systems connected to the internet, operational technology (OT) is vulnerable to cyberattacks and stands to benefit from information technology (IT) experience.
https://www.controleng.com/articles/convergence-or-overlap-understanding-the-it-ot-relationship/?oly_enc_id=0462E3054934E2U
Tomi Engdahl says:
New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking
https://www.securityweek.com/new-flaws-expose-evlink-electric-vehicle-charging-stations-remote-hacking
Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.
Schneider announced the availability of patches on December 14, when it urged customers to immediately apply patches or mitigations. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life.
The vendor has credited researcher Tony Nasr for finding a total of seven vulnerabilities in these charging stations, including one critical and five high-severity issues.
The security holes include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs that can be exploited to carry out actions on behalf of a legitimate user, and a weakness that can be leveraged to gain access to a charging station’s web interface via brute-force attacks. The most serious issue — based on its CVSS score of 9.3 — is a server-side request forgery (SSRF) vulnerability.
Tomi Engdahl says:
5 Ways to Reduce the Risk of Ransomware to Your OT Network
https://www.securityweek.com/5-ways-reduce-risk-ransomware-your-ot-network
In the last year and a half, we’ve seen an unprecedented increase in ransomware attacks on Operational Technology (OT) networks. While this surge is generating a lot of press coverage, it was something that experts within our industry have been anticipating for a while. In fact, I presented on the topic of ransomware and destructive attacks at RSAC 2018, together with a host of security leaders from the public and private sector.
What can defenders do in this new reality to strengthen the security posture of their OT environments? Here are five recommendations every CISO should consider:
1. Extend the scope of your risk governance to include anything that is a cyber-physical asset. This includes all Industrial IoT, industrial control system (ICS), and Enterprise IoT components. Of course, this is a challenging step for many organizations since it’s not an easy task to even identify those assets. It’s a process that might take iterations. Thankfully, in the last few years our industry has made tremendous progress in technology that helps us easily discover such assets and profile their exposure, risk, and vulnerabilities.
2. Make sure that you have proper segmentation between IT and OT networks. There are many business processes and applications that need to communicate across the IT/OT boundary, so we need to ensure this is done in a secure way. This simple step usually gets taken for granted, but it shouldn’t. In addition to the IT/OT segmentation, deploy virtual segmentation to zones within the OT environment – this will help detect lateral movement within the OT networks. And if remote operations need access directly into the OT networks, make sure this is done through a secure remote access connection with strict controls over users, devices, and sessions.
3. Practice good cyber hygiene. Ensure that your hygiene extends to OT and IoT devices. This includes the use of strong passwords (and not sharing passwords amongst different users, a practice that is common in industrial operations), a password vault, and multi-factor authentication. Some processes, like patching legacy systems, might be more challenging or not possible. If that is the case, identify and implement compensating controls such as firewall rules and access control lists. The Cybersecurity and Infrastructure Security Agency (CISA), has a number of no-cost hygiene tools, including scanning and testing to help reduce exposure to threats.
4. Implement a robust system monitoring program. This means monitoring for threats in both IT and OT networks and anything that is traversing that boundary. Agentless solutions that are purpose-built for continuous threat monitoring across the OT network can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information, these teams take specific steps to manage and mitigate risk from both known and unknown, emerging threats.
5. Run exercises on your incident response plan. Running tabletop exercises of ransomware attacks can help you understand your organizational and technical preparedness. This affords you an opportunity to create an improved incident response plan and will build confidence in your preparedness and resilience to such attacks.
Tomi Engdahl says:
Why It’s So Difficult — And Costly — To Secure Chips
https://semiengineering.com/why-its-so-difficult-and-costly-to-secure-chips/
Threats are growing and widening, but what is considered sufficient can vary greatly by application or by user. Even then, it may not be enough.
Rising concerns about the security of chips used in everything from cars to data centers are driving up the cost and complexity of electronic systems in a variety of ways, some obvious and others less so.
Until very recently, semiconductor security was viewed more as a theoretical threat than a real one. Governments certainly worried about adversaries taking control of secure systems through back doors in hardware, either through third-party IP or unknowns in the global supply chain, but the rest of the chip industry generally paid little heed apart from the ability to boot securely and to authenticate firmware. But as advanced electronics are deployed in cars, robots, drones, medical devices, as well as in a variety of server applications, robust hardware security is becoming a requirement. It no longer can be brushed aside as a ‘nice-to-have’ feature because IC breaches can affect safety, jeopardize critical data, and sideline businesses until the damage is assessed and the threat resolved.
The big question many companies are now asking is how much security is enough. The answer is not always clear, and it’s often incomplete. Adequate security is based on an end-to-end risk assessment, and when it comes to semiconductors the formula is both complex and highly variable. It includes factors that can fluctuate from one vendor to the next in the same market, and frequently from one chip to the next for the same vendor.
Tomi Engdahl says:
Creating IoT Devices That Will Remain Secure
https://semiengineering.com/creating-iot-devices-that-will-remain-secure/
What’s secure today may not be secure in the future, and even if you include an IoT device with state-of-the-art security, it may be surrounded by less secure devices. Steve Hanna, distinguished engineer at Infineon, examines the impact of security on IoT adoption, why resilience across a system is the new target for secure designs, and how to minimize the impact of less secure devices.