https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,703 Comments
Tomi Engdahl says:
End-To-End Traceability
https://semiengineering.com/end-to-end-traceability/
Despite standards such as ISO 26262 and IEC 61508, there are still disconnects and gaps in the supply chain and design-through-manufacturing flows. Kurt Shuler, vice president of marketing at Arteris IP, digs into what’s missing, why changes made in one area are not reflected in other areas and throughout the product lifecycle, and why various different phases of the flow don’t always match up with the initial requirements.
Tomi Engdahl says:
Special Reports
https://semiengineering.com/newsletter/aspc-12-02-2021/?cmid=99842cb6-ea42-404b-ba99-92622ec1d0da
Tomi Engdahl says:
First Hacks: The Brand New Nokia 5G Gateway Router
https://hackaday.com/2021/12/27/first-hacks-the-brand-new-nokia-5g-gateway-router/
Aside from being the focus of a series of bizarre conspiracy theories, 5G cellular networks offer the promise of ultra-fast Internet access anywhere within their range. To that end there are a new breed of devices designed to provide home broadband using 5G as a backhaul. It’s one of these, a Nokia Fastmile, that [Eddie Zhang] received, and he’s found it to be an interesting teardown and investigation. Spoiler: it runs Android and has exploitable bugs.
WIP: Hacking the Nokia Fastmile
https://eddiez.me/hacking-the-nokia-fastmile/
As a part of my 5G home internet offering, Optus bundles a 5G gateway called the Nokia Fastmile. The same device seems to be shipped by T-Mobile for their 5G offering and is passionately known as the ‘trashcan’ in r/tmobileisp.
Tomi Engdahl says:
Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations
https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html
Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis.
“[Electromagnetic] emanation that is measured from the device is practically undetectable by the malware,” the researchers said in a paper. “Therefore, malware evasion techniques cannot be straightforwardly applied unlike for dynamic software monitoring. Also, since a malware does not have control on outside hardware-level, a protection system relying on hard]ware features cannot be taken down, even if the malware owns the maximum privilege on the machine.”
The goal is to take advantage of the side channel information to detect anomalies in emanations when they deviate from previously observed patterns and raise an alert when suspicious behavior emulating the malware is recorded in comparison to the system’s normal state.
Tomi Engdahl says:
Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html
Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things
(IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. With the rapid adoption of IoT appliances presenting an attractive attack surface for threat actors, in part due to them being equipped with higher processing power and capable of running fully functional operating systems, the latest research aims to improve malware analysis to mitigate potential security risks. The findings were presented by a group of academics from the Research Institute of Computer Science and Random Systems (IRISA) at the Annual Computer Security Applications Conference (ACSAC) held last month.
Tomi Engdahl says:
Multiple Vulnerabilities Impact Netgear Nighthawk R6700 Routers
https://www.securityweek.com/multiple-vulnerabilities-impact-netgear-nighthawk-r6700-routers
Netgear Nighthawk R6700v3 routers running the latest firmware are affected by multiple vulnerabilities. Details of the flaws were disclosed last week by Tenable after the vendor failed to release patches.
The most important of these security defects results in an authenticated attacker being able to inject commands that would be executed when the device checks for updates.
Tracked as CVE-2021-20173, the issue exists because unsanitized input is being sent to system() calls in the upnpd binary. The attacker can send requests from the SOAP interface to force update checks and trigger the execution of commands.
Furthermore, Tenable’s researchers discovered that communication to and from the device’s web and SOAP interfaces is not encrypted, meaning that sensitive information – such as usernames and passwords – is transmitted in cleartext.
The issues were assigned CVE identifiers CVE-2021-20174 and CVE-2021-20175, respectively.
Tenable also noticed that the device stores usernames and passwords in plaintext, including the admin password. The issue is tracked as CVE-2021-45077.
Another identified vulnerability (CVE-2021-23147) could allow an attacker with physical access to the device to connect to the UART port via a serial connection and run commands as root without authentication.
“We recommend disabling this UART console for production runs, or at least enforcing the same password mechanisms used for other functionality in the device (such as the web UI),” Tenable says.
Tomi Engdahl says:
IoT’s Importance is Growing Rapidly, But Its Security Is Still Weak
https://www.securityweek.com/iots-importance-growing-rapidly-its-security-still-weak
The explosive growth of IoT devices opens an extensive attack surface that needs to be addressed
The weakest link in most digital networks is the person sitting in front of the screen – the defining feature of the Internet of People (IoP). Because that’s where, through cunning and manipulative tactics, unsuspecting recipients can be tricked into opening toxic links. Little do they know, however, they’ve unwittingly opened the gates to digital catastrophe.
Today, more digital devices than ever are connecting to corporate networks. In fact, McKinsey estimates that 127 new IoT devices go online every single second – a pace enabled by the rapid spread of 5G networks. But, because IoT devices are unsentimental about emotional appeals, the opportunity for a bad actor to hack into an internet-connected network has been narrowed. And the attractions of IoT technology remain truly authentic. As far back as 2015, a Samsung white paper put it this way:
“Much more than just a trendy term, the IoT delivers real, measurable benefits by helping companies of all sizes to use their assets more efficiently; react to market trends in real time; better understand their customer’s needs; increase environmental efficiency and reduce their carbon footprint; ensure that best practices are always in place; drive employee and partner productivity; and transform the customer experience.”
That’s impressive. At the same time, however, there are risks uniquely associated with unmanaged IoT sensors and their related technologies including gateways, hubs, cloud servers, mobile apps, and control devices, all of which need to be taken seriously. A recent Forrester report pointed out that as the proportion of unmanaged devices within enterprises grows, so does the organization’s attack surface. And that surface is expanding at a breakneck pace, with survey respondents estimating that unmanaged devices now outnumber managed ones on their networks by three to one.
In the same Forrester study, however, two-thirds of those surveyed claimed they had personally experienced a security incident related to their unmanaged IoT devices. And there are plenty such devices to go around. They include office equipment and peripherals, automation sensors for buildings, personal consumer devices, VoIP phones, smart TV screens and monitors, Bluetooth keyboards, headsets, HVAC systems, security systems, lighting systems, cameras, vending machines, smartphones, gaming consoles, smart speakers, medical devices, routers, switches, firewalls, and many more. And that doesn’t even count the proliferation of specialized IoT devices used in manufacturing, transportation, and agriculture.
Tomi Engdahl says:
Making PUFs Even More Secure
https://semiengineering.com/making-pufs-even-more-secure/?cmid=88131501-5ef0-4b55-a87d-70e86c1d8d0a
New sources of entropy could significantly improve robustness of physically unclonable functions.
As security has become a must-have in most systems, hardware roots of trust (HRoTs) have started appearing in many chips. Critical to an HRoT is the ability to authenticate and to create keys – ideally from a reliable source that is unviewable and immutable.
“We see hardware roots of trust deployed in two use models — providing a foundation to securely start a system, and enabling a secure enclave for the end user of the SoC,” said Jason Oberg, co-founder and CTO at Tortuga Logic. “Use cases include storing biometric data, customer-programmed encryption/authentication keys, and unique IDs.”
Those keys and IDs are where physically unclonable functions (PUFs) excel. But today, there’s only one PUF technology broadly deployed. New ones are being readied for commercial use, and they leverage new sources of entropy. Even more are in the research stage.
Tomi Engdahl says:
Security Starts With A Threat Assessment
https://semiengineering.com/security-starts-with-a-threat-assessment/?cmid=88131501-5ef0-4b55-a87d-70e86c1d8d0a
The different types of attacks a device might face.
Developing the security architecture for an electronic device begins with building a threat model wherein we ask these questions:
What is the operational environment in which the device needs to function?
What type of attacks can be identified?
What level of access does a potential attacker have to the device?
What possible attack paths can an attacker exploit?
What resources (money, time), expertise and specialized equipment would a potential attacker be willing to expend given the value of assets at risk?
What would be the damage incurred if an attacker successfully obtained control over a device or its data?
Based on the threat assessment, security architects can define the right level of security for their device and how it is to be implemented and maintained. In this blog, let’s take that second question and consider the kinds of attacks that we could expect.
First, let’s consider remote attacks. These are attacks that do not require ‘physical proximity’ of the attacker and the device being attacked. Attacks through a network interface that target rogue software execution on the device processor (e.g., buffer overflow attacks) could enable an attacker to:
Exploit by execution of non-trusted or 3rd-party code
Steal data being sent to or from a device
Attempt to corrupt or replay data in transit
Remote attacks tend to be cheap to perform and scale very well, allowing attacks on other identical devices.
If an attacker can gain physical access to the device, this opens new avenues for exploitation. These “local access” attacks are often categorized into three rough groups, with increasing attack complexity and cost:
Board-level attacks. These attacks can be mounted using simple tools like a screwdriver, a soldering iron, or a JTAG-based debugging tool, replacing components or connecting to the board or chip debug infrastructure. Examples: Flash chip replacement; debug interface access; scan chain/test logic access; inter-chip bus monitoring.
Chip-level non-invasive attacks. This type of attack targets the chip itself while it is in operation without damaging the chip. Attacks of this type typically require the chip to be connected to an oscilloscope and/or dedicated hardware for measuring, capturing, and analyzing electrical behavior of the chip. Side channel attacks such as differential power analysis are well known non-invasive attacks that can successfully reveal used key materials in unprotected implementations.
Chip-level invasive attacks. This class of attacks actually “open up” the chip by removing its packaging, exposing the die to allow direct access to the wiring and memory structures within the chip. To perform an attack like this requires the use of specialized or bespoke equipment that is expensive and complex to operate. Such equipment can sometimes be rented from universities or companies specialized in reverse engineering of chips, but nevertheless, will require a larger investment from the attacker to get to the information sought.
Tomi Engdahl says:
ICS Vendors Respond to Log4j Vulnerabilities
https://www.securityweek.com/ics-vendors-respond-log4j-vulnerabilities
SecurityWeek has compiled a list of the advisories published by industrial control system (ICS) and other industrial-related vendors in response to the recent Log4j vulnerabilities.
Several vulnerabilities have been discovered in the Log4j logging utility since early December, but the most important of them is CVE-2021-44228, which has been dubbed Log4Shell. Log4Shell has been exploited in many attacks by cybercriminals and state-sponsored threat actors, including against industrial organizations.
Tomi Engdahl says:
BLOG: INTERNET OF THINGS
Screwdriving. Locating and exploiting smart adult toys
https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/
Hacking My Vagina
https://scanlime.org/2012/11/hacking-my-vagina/
Tomi Engdahl says:
The Internet Of Dongs Project
Hacking Sex Toys For Security And Privacy
https://internetofdon.gs/
Tomi Engdahl says:
Edge Security in an Insecure World
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
Securing a Device
To look at a device and understand how it can be exploited, we look at what’s called the attack surface. The attack surface for a device represents all of the points where an attacker can attempt to exploit or extract data from a device. This attack surface could include:
The network ports that interface to the device
The serial port
The firmware update process used to upgrade the device
The physical device itself
Attack Vectors
The attack surface defines the device’s exposure to the world and becomes the focus of defense for security. Securing a device is then a process of understanding the possible attack vectors for a device and protecting them to reduce the surface.
Common attack vectors typically include:
Interfaces
Protocols
Services
https://www.mouser.com/blog?Category=security
Tomi Engdahl says:
Scanning for malicious code with a raspberry pi and an H-field probe…
Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification
https://dl.acm.org/doi/abs/10.1145/3485832.3485894
We will present a novel approach of using side channel information to identify the kinds of threats that are targeting the device. Using our approach, a malware analyst is able to obtain precise knowledge about malware type and identity, even in the presence of obfuscation techniques which may prevent static or symbolic binary analysis. We recorded 100,000 measurement traces from an IoT device infected by various in-the-wild malware samples and realistic benign activity.
Our method does not require any modification on the target device.
In our experiments, we were able to predict three generic malware types (and one benign class) with an accuracy of 99.82%.
Tomi Engdahl says:
Honeywell Launches New OT Cybersecurity Solution for Commercial Buildings
https://www.securityweek.com/honeywell-launches-new-ot-cybersecurity-solution-commercial-buildings
Honeywell on Tuesday announced the launch of a new cybersecurity solution for operational technology (OT) in commercial buildings.
The new solution, the Honeywell Threat Defense Platform (HTDP), is the result of a collaboration between Honeywell Building Technologies and Acalvio Technologies, a Silicon Valley-based cybersecurity firm backed by Honeywell Ventures.
HTDP leverages autonomous deception technology from Acalvio to detect known and unknown threats. The product is designed to lead attackers to decoy assets that mimic valuable IT and OT devices, while making it more difficult for them to identify real systems.
Honeywell says the approach results in high detection and low false alert rates.
Tomi Engdahl says:
Hacker took control of men’s electronic chastity cages and held their penises to ransom
https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.pinknews.co.uk%2F2021%2F01%2F12%2Fcellmate-chastity-cage-hacker-bluetooth-security-penis-ransom-bitcoin-bdsm%2F&h=AT26g2Lqn2WHI04MZrvyz3UKLBArhH_4JvNTag1coZoujSZU2CteRvKnABsGQzkXQ_vCFXoCX-jQ2xnXAsBASYNBWsYqYQtM6S17v6sX4Dm2cFzAcIII3Z_8mRQrSCSI3w
Tomi Engdahl says:
Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/
Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, have increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021. XorDDoS, Mirai and Mozi are the most prevalent Linux-based malware families observed in 2021, with Mozi registering a significant tenfold increase in the number of in-the-wild samples in 2021 compared to 2020.
Tomi Engdahl says:
Auton kyberturva ei voi olla omistajan vastuulla
https://etn.fi/index.php/13-news/13034-auton-kyberturva-ei-voi-olla-omistajan-vastuulla
Kyberturvan maailmassa on nyt kohuttu saksalaisesta David Colombosta, joka sanoo onnistuneensa hakkeroimaan yli 20 Teslaa 13 eri maassa. Nuorukainen ei päässyt kiinni auton kriittisiin järjestelmiin, mutta tapaus on silti muistutus siitä, mihin autot ovat menossa ohjelmistojen määrän kasvaessa.
Esimerkiksi tietoturvayhtiö Check Point Softwaren tutkimusjohtaja Loten Finkelsteen sanoo, että kyse on merkittävästä uhasta. – Voimmeko todella odottaa käyttäjien tuntevan monimutkaisen ja teknisesti erittäin edistyneen tuotteen, kuten nykyaikaisen auton, ohjelmistokokoonpanon? Autojen tulee olla turvallisia korkeimpien standardien mukaisesti. Kuljettajan ei pitäisi olla mahdollista sallia etäpääsyä ajoneuvoonsa millään toiminnalla tai muutenkaan.
Kuinka paljon koodia nykyautossa sitten on? Valmistajat eivät näitä tietoja julkaise, mutta esimerkiksi Teslan Linux-pohjainen näyttöpaneeli toimii arvioiden mukaan noin 30 miljoonalla koodirivillä. Jos autossa on kymmeniä – jopa toistasataa – ECU-yksikköä, ohjelmiston määrä voi nousta yli sadan miljoonan koodirivin. On aivan selvää, ettei käyttäjän pidä edes nähdä tuota koodia.
Tomi Engdahl says:
https://www.hackster.io/news/jarrett-ranier-turns-to-555-timers-to-dump-protected-stm8-firmware-through-voltage-glitching-be0152cf7d13
Tomi Engdahl says:
Ransomware cyberattack forces New Mexico jail to lock down https://blog.malwarebytes.com/ransomware/2022/01/ransomware-cyberattack-forces-new-mexico-jail-to-lock-down/
Five days after the new year, the Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico suddenly went on lockdown. The reason? A ransomware cyberattack has knocked the jails internet connection offline, rendering most of their data systems, security cameras, and automatic doors unusable. Prisoners were confined in their cells while MDC technicians struggled to get everything back up and running again.
Tomi Engdahl says:
Researcher discloses alleged zero-day vulnerabilities in NUUO NVRmini2 recording device https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device
A critical zero-day vulnerability in network video recording equipment made by NUUO has been made public, as a researcher claims unpatched issues could lead to remote code execution (RCE). Discovered by Agile Information Security founder Pedro Ribeiro, the issues have allegedly been present in the NUUO NVRmini2 device since 2016. NVRmini2 is a network video recorder (NVR) from Taiwanese vendor NUU that is able to record and store security footage in a digital format.
Tomi Engdahl says:
Cybersecurity for Industrial Control Systems: Part 1 https://www.trendmicro.com/en_us/research/22/a/cybersecurity-industrial-control-systems-ics-part-1.html
The ever-changing technological landscape has made it possible for the business process on the IT side of an enterprise to be interconnected with the physical process on the OT side. While this advancement has improved visibility, speed, and efficiency, it has exposed industrial control systems (ICSs) to threats affecting IT networks for years. Our expert team extensively looked into reported specific malware families in ICS endpoints to validate ICS security and establish a global baseline for examining threats that put these systems at risk.
Tomi Engdahl says:
Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors
https://www.securityweek.com/vulnerability-idemia-biometric-readers-allows-hackers-unlock-doors
A critical vulnerability impacting multiple IDEMIA biometric identification devices can be exploited to unlock doors and turnstiles.
Because of this security defect, if the TLS protocol is not activated, an attacker in the network can send specific commands without authentication to open doors or turnstiles directly operated by a vulnerable device.
The attacker could also exploit the bug to cause a denial of service (DoS) condition by sending a reboot command to the vulnerable device, according to an advisory published by IDEMIA, a France-based tech company that specializes in identity-related physical security services.
Identified by researchers at Russian cybersecurity firm Positive Technologies – which was sanctioned by the United States last year for alleged ties with Russian intelligence – the flaw has a CVSS score of 9.1, yet no CVE identification number has been issued for it until now.
Affected products include MorphoWave Compact MD/MDPI/MDPI-M, VisionPass MD/MDPI/MDPI-M, all variants of SIGMA Lite/Lite+/Wide, SIGMA Extreme, and MA VP MD.
Tomi Engdahl says:
Xiaomi julkisti oppaan IoT-laitteiden suojaamisesta
https://etn.fi/index.php/13-news/13046-xiaomi-julkisti-oppaan-iot-laitteiden-suojaamisesta
Kiinalainen kulutuselektroniikkajätti Xiaomi on esitellyt ehdotuksensa kulutuselektroniikan IoT-aitteiden tietoturvastandardiksi. Opas on toisen polven esitys ja nimeltään Cyber Security Baseline for Consumer Internet of Things Device Version 2.0. Se pyrkii turvaamaan käyttäjien yksityisyyden ja turvallisuuden kattavalla vaatimusluettelolla, joka perustuu laitteen laitteisto- ja ohjelmisto-ohjeisiin.
Cyber-Security-Baseline-for-Consumer-Internet-of-Things/resources/pdf/Cyber Security Baseline for Consumer Internet of Things Device.pdf
https://github.com/MiSecurity/Cyber-Security-Baseline-for-Consumer-Internet-of-Things/blob/main/resources/pdf/Cyber%20Security%20Baseline%20for%20Consumer%20Internet%20of%20Things%20Device.pdf
Tomi Engdahl says:
https://www.nozominetworks.com/downloads/SANS-Survey-2021-OT-ICS-Cybersecurity-Nozomi-Networks.pdf
Tomi Engdahl says:
Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks https://ics-cert.kaspersky.com/publications/reports/2022/1/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks/
In 2021, Kaspersky ICS CERT experts noticed a growing number of anomalous spyware attacks infecting ICS computers across the globe.
Although the malware used in these attacks belongs to well-known commodity spyware families, these attacks stand out from the mainstream due to a very limited number of targets in each attack and a very short lifetime of each malicious sample. By the time the anomaly was detected, this had become a trend: around 21.2% of all spyware samples blocked on ICS computers worldwide in H1 2021 were part of this new limited-scope short-lifetime attack series and, at the same time, and, depending on the region, up to one-sixth of all computers attacked with spyware were hit using this tactic.
Tomi Engdahl says:
Living Off the “Edge” of the Land
https://www.securityweek.com/living-edge-land
Edge-Access Trojans (EATs) allow attackers to collect data and even disrupt crucial decisions as the edge of the network
Edge computing is eminently practical in that it solves several important problems, many of which are related to the latency created when data must travel long distances. The edge offers significant functional and economic benefits, such as the emergence of a new breed of real-time applications. And the need for more edges has increased due to the proliferation of IoT and operational technology (OT) devices, as well as smart devices powered by 5G and AI that enable real-time transactions.
At the same time, though, such a profusion of devices expands the attack surface, creating new entry doors into corporate networks. New edge-based threats are emerging as cybercriminals target the entire extended network as an entry point for an attack. Malicious actors will work to maximize any potential security gaps created by intelligent edges and advances in computing power to create advanced and more destructive threats – and at unprecedented scale.
As edge devices become more powerful, with more native capabilities, criminals will design new attacks to “live off the edge.” An increase in attacks targeting OT, particularly at the edge, is likely as the convergence of IT and OT networks continues. It’s important to understand the nature of attacks headed for the edge in order to properly prepare for them.
New edge threats emerge
FortiGuard Labs predicted last year the advent of Edge-Access Trojans (EATs), designed to target edge environments. This approach has the advantage of allowing bad actors to collect data and even disrupt crucial decisions as the edge of the network, where time sensitivity is paramount. This would create an entirely new level of urgency to ransomware attacks, particularly when it comes critical infrastructure systems.
Attackers can also use EATs to corrupt data, which may significantly impact downstream systems that rely on data collected by edge devices. Such edge footholds can also be used to tunnel back to the corporate network.
Another edge challenge: Living off the land
Living-off-the-land attacks allow malware to use existing toolsets and capabilities within compromised environments. It’s a particularly tricky situation because attacks and data exfiltration look like normal system activity and go unnoticed. The March 2021 Hafnium Exchange attacks used this technique to live and persist in domain controllers.
Living off the land at the edge
We believe EATs and living-off-the-land will converge in 2022. Criminals will design new attacks to live off the edge “land” as edge devices become more powerful and, of course, more privileged. Edge malware will monitor edge activities and data and then steal, hijack or even ransom critical systems, applications and information while avoiding detection.
Endpoint security becomes increasingly important
Every point of connection represents a possible attack surface. IoT edge devices and the IoT devices they connect with present new vulnerabilities for a network. Some edge devices come with default passwords, such as “admin,” that customers may neglect to change. Other devices are personal ones that a user may log in to and then leave open, allowing an attacker to access the network. Examples include smartphones or smart cars, both of which can be stolen while the user is still logged in to the network.
Protecting your organization from these new edge-based threats will require you to upgrade end-user devices with advanced Endpoint Detection and Response (EDR) technologies along with enhanced network access controls (NAC) – including zero trust network access (ZTNA).
Securing the edge
Cybercriminals are tireless in their efforts to attack everything they can, and that includes the edge. The convergence of the “living off the land” and EATs trends is particularly dangerous, as it enables attackers to go unnoticed while they carry out their schemes for as long as they want. With every endpoint a potential entry point, you need EDR and other advanced defense solutions working together to thwart edge attacks.
Tomi Engdahl says:
More than half of medical devices found to have critical vulnerabilities
A new report reveals what kind of medical devices are at most risk of security threats
https://www.zdnet.com/article/more-than-half-of-medical-devices-have-critical-vulnerabilities/
More than half of the connected medical devices in hospitals pose security threats due to critical vulnerabilities that could potentially compromise patient care.
According to the 2022 State of Healthcare IoT Device Security Report from Cynerio, 53% of internet-connected medical devices analyzed were found to have a known vulnerability, while one-third of bedside devices were identified to have a critical risk. Cynerio analyzed over 10 million medical devices at more than 300 global hospitals and medical facilities.
The report warns that if these medical devices were to be accessed by hackers, it would impact service availability, data confidentiality, and even patient safety.
“Healthcare is a top target for cyberattacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care,”
Cynerio Research Finds Critical Medical Device Risks
https://www.cynerio.com/blog/cynerio-research-finds-critical-medical-device-risks-continue-to-threaten-hospital-security-and-patient-safety
Continue to Threaten Hospital Security and Patient Safety
Following surge in cyber attacks on the healthcare sector, new report finds over half of medical devices contain critical vulnerabilities despite increased investments in security
Tomi Engdahl says:
John Phipps: Is a Possible Cyberwarfare Attack Looming for Your Farm? Why Tractors May Be Next
https://www.agweb.com/news/business/technology/john-phipps-possible-cyberwarfare-attack-looming-your-farm-why-tractors
Regardless of their decisions, the losses from hacks are set to spiral and somebody will pay them. Any product or process that is dependent on secure data transmission could be a target. In fact, rather than spend resources attacking giant manufacturers or institutions that already have beefed up crypto security, why not look further down the food chain – targets that can’t afford better defenses? Hacking lots of those for modest ransoms might be a more lucrative strategy than swinging for the fences.
The Iowa coop hack last year could prove a precursor of this non-glamorous industry targeting.
My uninformed guess is tractors being hacked to override factory engine controllers or emission controls are ripe for self-inflicted hacks. Buying chips from unknown sources may be like putting small time bombs in your machinery. My predictions are far from expert, but the big reason I see increased danger from stealth cyberwar is because we still think of our industry as a simple chain largely outside the global economy, when it is really part of a vast web.
Agriculture cannot escape risk simply because we’re a relatively small part of the economy. We could be unexpected collateral damage when other industries are attacked. In fact, I think that’s how we’ll find out just how connected we are to the rest of the world.
Tomi Engdahl says:
Mirai splinter botnets dominate IoT attack scene
One of the most well-known botnets ever to exist continues to plague PCs and connected devices.
https://www.zdnet.com/article/mirai-splinter-botnets-dominate-iot-attack-scene/
Botnets built from the Mirai codebase continue to wreak havoc in the technology arena, with cyberattackers taking advantage of lax Internet of Things (IoT) security in widespread attacks.
Computers and other connected devices, including IoT and NAS storage, are compromised through weak credentials, vulnerabilities, exploit kits, and other security weaknesses.
These systems join a network of slave devices that can be commanded to perform malicious activities.
Attack types commonly associated with botnets are the launch of Distributed Denial-of-Service (DDoS) attacks, brute-force attacks leading to information theft and ransomware deployment, and the covert installation of cryptocurrency mining software on vulnerable, Internet-facing servers.
The most well-known, perhaps, is Mirai, which made its debut with catastrophic DDoS attacks in 2016 against DNS provider Dyn and the website of cybersecurity expert & reporter Brian Krebs.
Mirai’s source code was then released online, opening up an avenue for variants to be created including Okiru, Satori, and Masuta.
Despite the age of the original botnet, the code underpinning the network and the use of its code in mutated versions means that Mirai is still a risk to organizations today.
As IoT device numbers are expected to reach approximately 30.9 billion by 2025, the team expects the threat – and overall power – of botnets to only continue to expand.
At present, Gafgyt and Mirai, alongside multiple botnets based on Mirai code such as BotenaGo, Echobot, Loli, Moonet, and Mozi, are being used to target devices primarily based in Europe and North America.
Tomi Engdahl says:
New Open Source Tool Helps Identify EtherNet/IP Stacks for ICS Research, Analysis
https://www.securityweek.com/new-open-source-tool-helps-identify-ethernetip-stacks-ics-research-analysis
Industrial cybersecurity firm Claroty on Wednesday announced a new open source tool designed for identifying EtherNet/IP stacks.
According to the company, the new “EtherNet/IP & CIP Stack Detector” tool can be useful to security researchers, operational technology (OT) engineers, and asset owners.
EtherNet/IP (ENIP) is an industrial network protocol that implements the Common Industrial Protocol (CIP). ENIP is often used for process control and industrial automation applications.
In the past years, Claroty researchers have conducted projects focusing on the security of ENIP stacks and found vulnerabilities that could pose serious risks to industrial control systems (ICS).
Claroty says this open source tool can be used to identify and classify the use of third-party ENIP stack code, helping organizations understand their exposure to vulnerabilities found in these stacks.
Team82 ENIP & CIP Stack Detector Simplifies Protocol Identification
https://www.claroty.com/2022/01/26/blog-research-team82-enip-cip-stack-detector-simplifies-protocol-identification/
Team82 is releasing today a custom, generic EtherNet/IP stack detection tool that will be free and publicly available via our GitHub repository.
The tool fulfills a number of use cases for cybersecurity researchers, OT engineers, and asset owners by helping them to identify and classify commercial and homegrown products using the same third-party ENIP stack code. By identifying the ENIP stack, users inside the enterprise as well as vendors will be able to better understand their exposure to newly disclosed vulnerabilities, and subsequently prioritize updates.
https://github.com/claroty/enip-stack-detector
Tomi Engdahl says:
Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadian-critical-infrastructure-operators-raise
The Canadian Centre for Cyber Security encourages the Canadian cybersecurity communityespecially critical infrastructure network defendersto bolster their awareness of and protection against Russian state-sponsored cyber threats. The Cyber Centre joins our partners in the US and the UK in recommending proactive network monitoring and mitigations. Myös:
https://www.reuters.com/world/americas/canada-agency-says-russian-backed-actors-targeting-infrastructure-2022-01-20/
Tomi Engdahl says:
Mirai splinter botnets dominate IoT attack scene | ZDNet
https://www.zdnet.com/article/mirai-splinter-botnets-dominate-iot-attack-scene/
One of the most well-known botnets ever to exist continues to plague PCs and connected devices.
Botnets built from the Mirai codebase continue to wreak havoc in the technology arena, with cyberattackers taking advantage of lax Internet of Things (IoT) security in widespread attacks.
On Tuesday, Intel 471 published a new report on Mirai’s fracturing into new forms and a reported surge in attacks during 2020 and 2021 against IoT devices using these botnet variations.
“Threat actors seized the opportunity to not only create large botnets, but also steal confidential data from IoT devices linked to compromised organizations, and potentially sell it on underground marketplaces,” the researchers say.
As IoT device numbers are expected to reach approximately 30.9 billion by 2025, the team expects the threat – and overall power – of botnets to only continue to expand.
https://intel471.com/blog/iot-cybersecurity-threats-mirai-botnet
Tomi Engdahl says:
Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/
Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, have increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021.
Tomi Engdahl says:
Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
“BotenaGo” contains exploits for more than 30 vulnerabilities in multiple vendor products and is being used to spread Mirai botnet malware, security vendor says.
https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-uploaded-to-github
BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year when it first spotted the malware showed BotenaGo using two different methods to receive commands for targeting victims. One of them involved two backdoor ports for listening to and receiving the IP addresses of target devices, and the other involved setting a listener to system I/O user input and receiving target information through it.
AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
Tomi Engdahl says:
Defending the Supply Chain: Why the DDS Protocol is Critical in Industrial and Software Systems https://www.trendmicro.com/en_us/research/22/a/defending-the-supply-chain-why-dds-is-critical-in-industrial-and-software-systems.html
DDS drives railways, autonomous cars, airports, spacecrafts, diagnostic imaging machines, luggage handling, industrial robots, military tanks, and frigates for about a decade, with its adoption increasing steadily. [...] Given this technology’s ubiquity, we decided to investigate further and discovered multiple security vulnerabilities, resulting in 13 new CVE IDs for the six most common DDS . implementations.
Tomi Engdahl says:
Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-uploaded-to-github
The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns.
Tomi Engdahl says:
US Says National Water Supply ‘Absolutely’ Vulnerable to Hackers
https://www.securityweek.com/us-says-national-water-supply-absolutely-vulnerable-hackers
Cyber defenses for US drinking water supplies are “absolutely inadequate” and vulnerable to large-scale disruption by hackers, a senior official said Thursday.
“There’s inadequate resilience to even a criminal sector,” the official said. “The threshold of resilience is not what it needs to be.”
President Joe Biden has attempted to address infrastructure cybersecurity but is limited by the fact that the vast majority of services are provided by private, not government, companies.
The scale of the challenge became clear in May last year when a ransomware attack temporarily crippled the Colonial Pipeline, a major oil pipeline network. A similar attack was carried out on JBS, one of the world’s biggest meat-processing companies.
These systems are increasingly automated, with computers managing treatment, storage and distribution. “These processes — I want to underscore this point — could all be vulnerable to cyberattacks, which could disable or manipulate monitoring control systems,” the official said.
“We’re particularly concerned that a cyberattack could be carried out, for example, to manipulate treatment processes to produce unsafe water. Also to damage water infrastructure or even to stop the flow of water,” the official said.
Tomi Engdahl says:
White House Publishes Federal Zero Trust Strategy
https://www.securityweek.com/white-house-publishes-federal-zero-trust-strategy
The White House on Wednesday released its federal zero trust strategy, requiring agencies to meet certain cybersecurity standards and objectives by the end of fiscal year 2024.
The strategy builds upon the executive order signed by President Joe Biden in May 2021 to improve the United States’ cyber defenses. The executive order was signed in response to the SolarWinds, Colonial Pipeline and other significant attacks carried out by foreign threat actors.
When a zero trust model is implemented, no user, system, network or service operating inside or outside the security perimeter is trusted, and every access attempt is verified.
The latest memorandum from the Office of Management and Budget (OMB) requires agencies to achieve certain goals by the end of 2024. These goals focus on identity, devices, networks, applications and workloads, and data — these are the five pillars described by the zero trust model of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
Tomi Engdahl says:
Carly Page / TechCrunch:
Censys, an IoT search engine aimed at helping organizations find poorly protected assets, raises a $35M Series B, hires former OneLogin CEO to be its new CEO — Censys, a search engine for Internet of Things devices, has secured $35 million in Series B funding and a new CEO.
IoT search engine Censys secures $35M — and a new CEO
https://techcrunch.com/2022/01/27/censys-iot-search-engine-new-ceo/
Censys, a search engine for Internet of Things devices and internet assets, has secured $35 million in Series B funding and a new CEO.
The internet security startup, based in Michigan tech hub Ann Arbor, which started as an open source research project at the University of Michigan seven years ago, claims to provide a “complete database” of all devices hooked up to the internet in a bid to help organizations locate poorly protected assets. Censys’ attack surface management platform continuously discovers businesses’ internet assets and monitors them, identifying security issues and preventing oversights from becoming vulnerabilities by ensuring that assets are protected by integrating with existing security solutions.
Tomi Engdahl says:
Over 20,000 data center management systems exposed to hackers https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/
Researchers have found over 20,000 instances of publicly exposed data center infrastructure management (DCIM) software that monitor devices, HVAC control systems, and power distribution units, which could be used for a range of catastrophic attacks.
Tomi Engdahl says:
Samantha Hissong / Rolling Stone:
Profile of artist Seneca, who says she is the lead designer behind the original Bored Ape Yacht Club NFT collection and has seen relatively little compensation — The Bored Ape Yacht Club lit up the internet — but its lead designer, Seneca, has been watching from the shadows
The NFT Art World Wouldn’t Be the Same Without This Woman’s ‘Wide-Awake Hallucinations’
The Bored Ape Yacht Club lit up the internet — but its lead designer, Seneca, has been watching from the shadows
https://www.rollingstone.com/culture/culture-features/seneca-bored-ape-yacht-club-digital-art-nfts-1280341/
Her creativity helped fuel a technological revolution she knew almost nothing about. Although the Bored Ape Yacht Club — now, arguably, the world’s biggest NFT project — first appeared online in May and quickly started selling for millions, the woman who drew its primary characters had no idea that the collection was a hit until she Googled the name months later.
These cartoonish primates have since generated more than a billion dollars and lassoed mainstreamers into the crypto scene. Yet Seneca — the 27-year-old Asian-American artist who played an integral role in bringing their ideas to life — gets little credit.
Watching NFT enthusiasts graffiti every corner of the Internet with variations of her work has been bittersweet. Imagine casually walking into a museum only to stumble upon your own art hanging on the wall behind velvet ropes; when Seneca logged onto Twitter, where she’s known as All Seeing Seneca, and saw that Steph Curry was using an avatar she birthed as his profile picture, her eyes bulged. “It really took me some time to wrap my head around all this,” she tells Rolling Stone over Zoom.
Yuga Labs co-founder Gargamel says he was struck by the “expressiveness” of her characters. “There’s a whole mood that gets conveyed,” he tells Rolling Stone via email. “For the apes, we arrived at exactly the mood we were after: existential boredom.” Muniz agrees: “She’s particularly skilled at expression and bringing characters to life.”
Though Seneca wasn’t familiar with NFTs at the time, Yuga Labs gave her a lot of room to play in the collaboration. “They said, ‘We want punk apes. What do you think that would look like? What kind of style would you like? What do you think will look good?’” She imagined herself as an ape’s neighbor in a grungy city where the primates roam free as citizens. She saw “an ape that’s kind of jaded and tired of life but has all the money and time in the world, and hangs out at a metal bar” and ran through fictitious interactions with the creature. “That’s where that idea came from.”
Creating the apes’ aesthetic poured out of her naturally: A self-declared metalhead, Seneca plays a Gibson SG — which Muniz says she “slays” — and listens to bands like Megadeth, Behemoth, and Bullet for My Valentine. But she’s also a lover of Nineties gross-out animation, from which she drew inspiration. “I just love the grit of it all,” she says.
To be clear, Seneca was not the project’s sole illustrator. “I am the lead artist behind the original collection,” she says. The ape body itself, she adds, is “exactly line-for-line” her drawing. Other production artists — “Thomas Dagley, Migwashere, and a couple who chose to remain anonymous,” according to Gargamel — handled the traits and environment. However, she points out, she did develop some of the major traits, like the grinning mouth, the popping eyes, and the beanie.
“Not of ton of people know that I did these drawings, which is terrible for an artist,” she says. Word of mouth has been growing, though, and she hopes that will help her find more collaborations. In the meantime, she’s focusing on her solo work.
Tomi Engdahl says:
1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information https://www.mandiant.com/resources/ransomware-extortion-ot-docs
Based on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation. Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks. On top of this, other data also included in the leaks about . employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations.
Tomi Engdahl says:
OT Data Stolen by Ransomware Gangs Can Facilitate Cyber-Physical Attacks
https://www.securityweek.com/ot-data-stolen-ransomware-gangs-can-facilitate-cyber-physical-attacks
Many of the ransomware attacks on industrial and critical infrastructure organizations result in the exposure of operational technology (OT) data that could be useful to threat actors, including to conduct cyber-physical attacks, according to Mandiant.
The company’s researchers have analyzed the roughly 2,600 data leaks that resulted from ransomware attacks in 2021 and determined that approximately 1,300 of them impacted critical infrastructure and industrial organizations.
An investigation of 70 of these leaks showed that ten of them contained technically sensitive OT information. Mandiant’s analysis included manually browsing through file listings and files, and forensic analysis using public and custom tools.
Exposed data, which at one point had been available — or still is available — to anyone with the knowledge to access websites on the Tor anonymity network, included IT and OT admin credentials, PLC project files, process documentation, engineering documentation for customer projects, and source code and other information for a proprietary platform.
Impacted organizations included renewable and hydroelectric energy producers, a train manufacturer, oil and gas organizations, control systems integrators, and a satellite vehicle tracking service.
Tomi Engdahl says:
Outdated IoT healthcare devices pose major security threats https://www.csoonline.com/article/3648592/outdated-iot-healthcare-devices-pose-major-security-threats.html
More than half (53%) of the IoT (internet of things) and internet of medical things (IoMT) devices used in healthcare contain critical cybersecurity risks, according to The State of IoMT Device Security report by Cynerio, which analyzed devices from more than 300 hospitals in the US.
Tomi Engdahl says:
Forescout Acquires Healthcare Cybersecurity Firm CyberMDX
https://www.securityweek.com/forescout-acquires-healthcare-cybersecurity-firm-cybermdx
Device security firm Forescout Technologies announced on Tuesday that is has acquired healthcare cybersecurity firm CyberMDX, which provides solutions to protect medical devices and clinical networks.
CyberMDX offers a solution that helps healthcare organizations continuously discover connected medical devices, visualize network flow, manage assets, and obtain risk assessment and security reports. It also delivers defense capabilities, as well as operational analytics and insights.
Forescout says the acquisition will strengthen its out-of-the-box support for connected device types across IT, IoT, operational technology (OT) and Internet of Medical Things (IoMT) devices.
Tomi Engdahl says:
Telehealth: A New Frontier in Medicineand Security https://securelist.com/telehealth-report-2020-2021/105642/
Phishing and malware attacks that exploit the medical theme will continue, and, with the development of telemedicine, the number of services that fraudsters use as bait will only increase. Moreover, its likely that cybercriminals will try to hack telehealth services.
Tomi Engdahl says:
CPX 360: IoT-laitteet voi suojata automaattisesti
https://etn.fi/index.php/13-news/13125-cpx-360-iot-laitteet-voi-suojata-automaattisesti
CPX 360 on tietoturvayhtiö Check Point Softwaren teknologiakonferenssi, joka tänäkin vuonna järjestetään virtuaalisesti. Yksi uusista esillä olleista tuotteista on Quantum IoT Protect, joka pyrkii automaattisesti estämään IoT-laitteiden kautta yrityksen verkkoon tulevat hyökkäykset.
Tuotepäällikkö Eyal Manorin mukaan ongelma on iso. 5000 työntekijän organisaatiolla on tyypillisesti yli 20 tuhatta IoT-laitetta. Yleensä niitä ei hallita mitenkään, niitä ajetaan jollain vanhalla, turvattomalla käyttöjärjestelmällä, eikä niihin ole valmiiksi sisäänrakennettu mitään tietoturvaa. Jos salsana on, se on yleensä heikko.
- Yksi ainoa suojaamaton IoT-laite, vaikkapa valvontakamera voi olla reitti, jota pitkin yrityksen verkkoon hyökätään. Pelkästään vuoden 2021 havaittiin yli 1,5 miljardia murtautumista IoT-laitteisiin, Manor muistutti.
Kun nykyiset IoT-suojausratkaisut eivät riitä, Check Pointilla on tietysti tarjota omaa, parempaa ratkaisua. Se on Quantum IoT Protect, joka asettuu yrityksen tuotepaletissa verkon Quantum-suojaustuotteiden joukkoon.
Työkalu skannaa kaikki organisaation verkkoon liitetyt IoT-laitteet ja arvioi niiden riskitason. Tämä vie aikaa enintään 5 minuuttia. Tämän jälkeen ohjelmisto luokittelee IoT-laitteet ryhmiin. Laitteille voidaan määritellä omat oikeudet eli policy. Siinä voidaan esimerkiksi asettaa laitteen vaatimien toimintojen minimiyhteydet vaikkapa firmware-päivityksiä varten.
Työkalun monitorointiosio näyttää, jos IoT-laite (vaikkapa tulostin) on yrittänyt ottaa yhteyttä ei-sallittuihin palveluihin tai osoitteisiin.
Tomi Engdahl says:
Critical Vulnerabilities Found in Sealevel Device Used in ICS Environments
https://www.securityweek.com/critical-vulnerabilities-found-sealevel-device-used-ics-environments
Cisco’s Talos security researchers have published details on a series of critical vulnerabilities that Sealevel has addressed in the SeaConnect 370W WiFi-connected edge device.
The internet of things (IoT) device is used in industrial control system (ICS) environments for the monitoring of real-world I/O processes. The identified bugs could be exploited to execute arbitrary code on a vulnerable device, or to perform man-in-the-middle attacks.
The most severe of the newly disclosed bugs are three buffer overflow issues rated “critical severity,” which could be exploited to achieve remote code execution on vulnerable devices.
With a CVSS score of 10, two of the flaws were identified in the LLMNR and NBNS name resolution services that SeaConnect 370W exposes. The bugs are tracked as CVE-2021-21960 and CVE-2021-21961.
“The vulnerability occurs when attempting to copy the queried name to a local buffer of fixed size (identified above as name_buffer). The implementation does not conduct any bounds checking prior to copying the data, simply trusting the supplied length field will be accurate and no larger than 32 bytes,” Talos explains.
https://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.html
Tomi Engdahl says:
Ransomware Often Hits Industrial Systems, With Significant Impact: Survey
https://www.securityweek.com/ransomware-often-hits-industrial-systems-significant-impact-survey
Ransomware attacks in many cases hit industrial control systems (ICS) or operational technology (OT) environments, and impact is often significant, according to a report published on Thursday by IoT and industrial cybersecurity company Claroty.
Claroty’s “Global State of Industrial Cybersecurity” report is based on a Pollfish survey of 1,100 IT and OT security professionals in the United States, Europe and the APAC region. More than half of respondents work for enterprises that have an annual revenue exceeding $1 billion. The survey was conducted in September 2021.
Roughly 80% of respondents admitted that their organization had experienced a ransomware attack within the past year, and nearly half said the incident had impacted their ICS/OT environment.
Only 15% of respondents said there was no impact or minimal impact on operations, and nearly 50% said there was significant impact. Seven percent said the incident resulted in a full operations shutdown that lasted for more than a week.
The cyberattack was disclosed to both authorities and shareholders in most cases, but some companies apparently did not inform anyone.
There has been a lot of debate over the past years on ransomware payments. The U.S. government has taken action against payment facilitators and issued a warning regarding potential legal implications. A recently introduced bill would require organizations to report ransomware payments.
Of the individuals who took part in the Claroty survey, 28% believe ransomware payments should be legal and there should be no requirement to inform authorities. More than 41%, on the other hand, believe these types of payments should be legal only as long as regulators or authorities are informed. Approximately 20% believe ransomware payments should be illegal.
Nearly two-thirds of respondents said reporting incidents involving IT or OT systems to government regulators should be mandatory.
When asked about the hourly cost of downtime on their company’s revenue, 8% said it was more than $5 million and 14% said it was $1 to $5 million.
As for the workforce, a vast majority of respondents believe IT security professionals in their organization are capable of managing the cybersecurity of OT/ICS environments. However, 40% said they are urgently looking to hire more industrial cybersecurity experts.
More than 80% of respondents said their ICS/OT security budget had increased moderately or significantly since the start of the pandemic. Moreover, many admitted that ransomware attacks such as the ones that hit Colonial Pipeline led to cybersecurity becoming a bigger priority and increased investment.
THE GLOBAL STATE
OF INDUSTRIAL
CYBERSECURITY 2021:
RESILIENCE AMID
DISRUPTION
https://claroty.com/wp-content/uploads/2022/02/Claroty_Report_State_of_Industrial_Cybersecurity_2021.pdf