https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,703 Comments
Tomi Engdahl says:
Uusi tekniikka salaa avaimen täysin
https://etn.fi/index.php/13-news/13145-uusi-tekniikka-salaa-avaimen-taeysin
Järjestelmäpiireillä voidaan jo nyt generoida piirin salausavain valmistuksessa syntyvien fyysisten ominaisuuksien perusteella. Tyypillisesti tämä uniikki avain tallennetaan piirille sulakkeeseen, mikä ei riitä sataprosenttiseen salaukseen. PUFsecurityn kehittämä tekniikka ratkaisee ongelman.
Salauksessa puhutaan nyt luottamuksen juuresta (Root of Trust) eli laitetason salaukseen. PUF (Physical Unclonable Function) tarkoittaa piirin valmistuksessa syntyviä uniikkeja eroja, joiden avulla sirulla voidaan luoda uniikki avain. PUFsecurity ja eMemory ovat nyt kehittäneet salausratkaisun, jossa nämä molemmat toiminnot yhdistetään.
Käytännössä PUFrt-ratkaisussa on kyse kvanttitunnelointiin perustuvan PUF:n ja eMemoryn antisulakepohjaisen kertaohjemoitavan muistin yhdistelmästä. PUFsecurity muistuttaa, että salaus on vain niin pitävä kuin sen heikoin lenkki. Uniikki avain ei riitä, jos sitä ei ole tallennettu tavalla, jota ei voi murtaa.
Sulake- eli eFuse-ratkaisussa PUF-toiminnon tuottama avain ohjelmoidaan OTP-muistiin metallilla tai polykalvolla, mikä jättää näkyvän jäljen. Tämän avaimen ohjelmointi antisulakemuistiin tapahtuu polttamalla piirin oksidia. Tämä jättää piirille johtavan polun ilman ulkoisesti näkyvää vihjettä.
Antisulakemuistin solut näyttävät ulospäin samanlaisilta riippumatta siitä, millainen avain niihin on tallennettu. PUFsecurity on jo esitellyt ratkaisua yhdessä Arm:n CC312-solun (Crypto Cell-312) kanssa, joka on suosituin tapa toteuttaa salausavaimen tallennus järjestelmäpiireillä.
PUFrt: Solving Chip Security’s Weakest Link
https://blog.pufsecurity.com/2021/12/20/pufrt-solving-chip-securitys-weakest-link/
Tomi Engdahl says:
NFC-piiri varmistaa käyttäjän
https://etn.fi/index.php/13-news/13148-nfc-piiri-varmistaa-kaeyttaejaen
NFC-yhteyksiä käytetään laajasti mobiilimaksamiseen ja tavaroiden seurantaan. Molemmissa on tärkeä varmistua siitä, että käyttäjä tai tagattu tavara on juuri se, joka väittää olevansa. Jatkossa tämä on helpompaa NXP:n uudella NTAG 22x -piirillä.
NXP:n uudet yksisiruiset NFC-ratkaisut tarjoavat suojauksen, kaksimuotoisen piirin peukaloinnin havaitsemisen ja paristottoman tunnistuksen IoT-sovelluksiin. NTAG 22x DNA -piirien tunnistusjärjestelmään, joka mittaa ympäristön olosuhteiden, kuten kosteuden, nesteen täyttötason tai paineen, muutoksia. Tämän ansiosta tuotekehittäjät voivat nopeasti, helposti ja kestävästi yhdistää suojatun todennuksen tuotteiden kunnonvalvontaan.
NTAG 22x -piirien avulla fyysiset tuotteet voidaan todentaa helposti hyödyntämällä IC:n turvallista ainutlaatuista NFC (SUN) -todennusviestiominaisuutta, jonka avulla valmistajat voivat torjua kustannustehokkaasti väärennöksiä ja toimitusketjupetoksia. Piirien elektronisen peukaloinnin tilantunnistuksen avulla valmistajat tai tuotteen käyttäjät voivat varmistaa tuotteen luvattoman avaamisen.
NTAG® 223 / 224 DNA StatusDetect – Certified NFC Security and Sensing Solutions to Enable Trusted IoT Applications at Scale
https://www.nxp.com/products/rfid-nfc/nfc-hf/ntag-for-tags-labels/ntag-223-224-dna-statusdetect-certified-nfc-security-and-sensing-solutions-to-enable-trusted-iot-applications-at-scale:NTAG_223_224_DNA_STATUSDETECT
Tomi Engdahl says:
How I hacked a hardware crypto wallet and recovered $2 million
https://www.youtube.com/watch?v=dT9y-KQbqi4
I was contacted to hack a Trezor One hardware wallet and recover $2 million worth of cryptocurrency (in the form of THETA). Knowing that existing research was already out there for this device, it seemed like it would be a slam dunk. Little did I realize the project would turn into a roller coaster ride with over three months of experimentation, failures, successes, and heart-stopping moments. It reminded me that hacking is always unpredictable, exciting, and educational, no matter how long you’ve been doing it. In this case, the stakes were higher than normal: I only had one chance to get it right.
Read about it on The Verge
https://www.theverge.com/2022/1/24/22898712/crypto-hardware-wallet-hacking-lost-bitcoin-ethereum-nft
Tomi Engdahl says:
Dragos ICS/OT Ransomware Analysis: Q4 2021 https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/
A common misconception suggests ransomware is solely a threat to information technology (IT); however, data from 2021 indicates ransomware is having an increasing impact on operational technology
(OT) as well. Dragos analyzed data from 37 ransomware strains on Dark Web resources leveraged to post victims, leak files, and conduct negotiations. Appearance on a Dark Web resource does not confirm that ransomware actors successfully compromised a firm, the extent of access achieved by the ransomware actors, or whether a firm made the ransomware payment.
Tomi Engdahl says:
IoT/connected Device Discovery and Security Auditing in Corporate Networks
https://thehackernews.com/2022/02/iotconnected-device-discovery-and.html
Tomi Engdahl says:
https://www.ciena.com/insights/articles/Dont-be-Fooled-Utility-Fiber-Outside-the-Substation-Isnt-as-Safe-as-You-Think.html
Tomi Engdahl says:
Yhtenäiset tietoturvavaatimukset langattomille laitteille
https://www.uusiteknologia.fi/2022/02/11/yhtenaiset-tietoturvavaatimukset-langattomille-laitteille/
Runsaan kahden vuoden päästä EU-alueella markkinoille saatettavien langattomien laitteiden tulee täyttää EU:n yhtenäiset tietoturvavaatimukset. Tämä merkitsee muutosta laitevalmistajille, joiden tulee huomioida uudet vaatimukset laitteiden suunnittelussa. Mukana tietopaketti uusista vaatimuksista.
Lisää: EU:n radiolaitedirektiivi RED 2014/53/EU (LINKKI), Euroopan komission asetus kyberturvallisuusvaatimuksista 2022/30 (LINKKI) ja Euroopan komission asetus lisävaatimuksista älypuhelimille 2019/320 (LINKKI) sekä lisätietoja radiolaitteiden vaatimustenmukaisuudesta (LINKKI)
Tomi Engdahl says:
What your smart TV knows about you – and how to stop it harvesting data
Modern TVs gather data that can be monetised. How much of this surveillance can you avoid without turning your smart TV dumb?
https://www.theguardian.com/technology/2022/jan/29/what-your-smart-tv-knows-about-you-and-how-to-stop-it-harvesting-data
Tomi Engdahl says:
SHIELDS UP
https://www.cisa.gov/shields-up
Notably, the Russian government has used cyber as a key component of their force projection over the last decade, including previously in Ukraine in the 2015 timeframe. The Russian government understands that disabling or destroying critical infrastructure – including power and communications – can augment pressure on a country’s government, military and population and accelerate their acceding to Russian objectives. While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine. Based on this situation, CISA has been working closely with our critical infrastructure partners over the past several months to ensure awareness of potential threat – part of a paradigm shift from being reactive to being proactive. CISA recommends all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.
Tomi Engdahl says:
Apple plans AirTag updates to curb unwanted tracking https://edition.cnn.com/2022/02/10/tech/airtag-safety-updates/index.html
Apple (AAPL) said Thursday it plans to add more safeguards to AirTags to cut down on unwanted tracking following reports that the devices have been used to stalk people and steal cars. In a blog post, Apple said it has worked with safety groups and law enforcement agencies to identify more ways to update its AirTag safety warnings, including alerting people sooner if the small Bluetooth tracker is suspected to be tracking someone. (Right now, it can take hours for an AirTag to chirp if it has been separated from its owner.). Alkup.
https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/
Tomi Engdahl says:
FBI: BlackByte ransomware breached US critical infrastructure https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/
The US Federal Bureau of Investigation (FBI) revealed that the BlackByte ransomware group has breached the networks of at least three organizations from US critical infrastructure sectors in the last three months. This was disclosed in a TLP:WHITE joint cybersecurity advisory released Friday in coordination with the US Secret Service.
Alkup. https://www.ic3.gov/Media/News/2022/220211.pdf
Tomi Engdahl says:
Documents reveal depth of anxiety over possible Russian cyberattacks on U.S. grid https://readme.security/documents-reveal-depth-of-anxiety-over-possible-russian-cyberattacks-on-u-s-grid-7f718d6b3e8b
A trove of emails from top Homeland Security officials expose how the U.S. government scrambled to ensure the defenses of American utilities after Russia brought down parts of Ukraine’s power grid in 2015.
Tomi Engdahl says:
COVID’s Silver Lining: The Acceleration of the Extended IoT
https://www.securityweek.com/covid%E2%80%99s-silver-lining-acceleration-extended-iot
Acceleration of XIoT unlocked business opportunities and ignited security innovation
Most experts agree that over the past two years, COVID has accelerated digital transformation significantly – by five to 10 years – as has the convergence of physical and digital assets. Ransomware attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure brought into sharp focus the high criticality of cyber-physical systems (CPS) and their exposure to attacks. With more time, the security industry would have been better prepared to address the cyber risks of converged CPS. However, I’d like to argue that this acceleration and the functions it forced are the silver lining of the COVID pandemic. Here’s why.
Let’s start with defining what we mean by CPS. NIST defines CPS as “comprising interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.” Other phrases include IoT, Industrial Internet, Smart Cities, Smart Grid and “Smart” Anything (e.g., cars, buildings, homes, manufacturing, hospitals, appliances).
For simplicity, these categories can be referred to holistically as the Extended IoT (XIoT), with three main components:
1. Industrial IoT (IIoT) and operational technology (OT) are all the cyber-physical processes and equipment such as programmable logic controllers (PLCs) that support critical processes in industrial environments. These systems are connected internally to workstations that can typically be accessed remotely for maintenance; other cyber components include IIoT devices such as smart sensors. The 16 critical infrastructure sectors as defined by CISA – from manufacturing to energy to transportation – rely on these interconnected processes and systems.
2. Healthcare IoT includes medical imaging equipment such as MRI machines and CT scanners, as well as internet of medical things (IoMT) devices such as smart vitals monitors and infusion pumps that support critical care delivery in healthcare environments. These systems are usually connected to organizations’ IT networks.
3. All other IoT devices used in smart cities, smart grids, Enterprise IoT, and smart “anything.”
Acceleration of the XIoT was net positive for a few reasons, as it:
• Unlocked business opportunities.
• Ignited security innovation.
• Prioritized cybersecurity at the board level.
• Raised executive awareness of XIoT.
In this landscape, security technologies that can deliver optimized, cross-platform solutions that cover full connectivity between the cyber and physical worlds are preferred by security teams. Given the range and complexity of XIoT, it’s understandable that CISOs want to consolidate their risk governance processes and have a comprehensive view across all aspects and elements of their networks, spanning industrial, healthcare, and enterprise environments. Efficiency and ease of use are also key considerations and we’ve seen a great deal of progress in those areas as organizations have had to move at warp speed to survive and thrive.
For the last two years we’ve operated under the cloud of COVID. But its silver lining has been the acceleration of the XIoT, the value it delivers to organizations, and the people they serve. With proof we can move forward faster, securely, there is no turning back. The opportunities to think and do differently are limitless, and exciting!
https://www.capgemini.com/service/digital-services/digital-engineering-and-manufacturing-services/iot-and-connected-products/internet-of-things-xiot-platform/
Tomi Engdahl says:
https://cybersecuritymate.com/security-flaws-in-software/
Tomi Engdahl says:
Internet of Things (IoT) Security: Challenges and Best PracticesIt was originally published on https://www.apriorit.com/
https://cybersecuritymate.com/security-flaws-in-software/
Tomi Engdahl says:
https://www.apple.com/newsroom/2022/02/an-update-on-airtag-and-unwanted-tracking/
Tomi Engdahl says:
https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/
Tomi Engdahl says:
Internet of Things (IoT) Security: Challenges and Best PracticesIt was originally published on https://www.apriorit.com/
https://www.apriorit.com/dev-blog/513-iot-security
Tomi Engdahl says:
https://www.darkreading.com/vulnerabilities-threats/3-critical-software-development-security-trends-and-best-practices
Tomi Engdahl says:
https://www.forbes.com/sites/chuckbrooks/2021/02/07/cybersecurity-threats-the-daunting-challenge-of-securing-the-internet-of-things/?sh=7fe018045d50
Below is an example list for the C-Suite, CISOs, CTOS and CIOs to heuristically use to help meet their IoT security challenges:
Use an established IoT Cybersecurity framework that draws on industry experience and best practices, such as those provided by NIST.
Do a vulnerability assessment of all devices connected to your network (on Premises and remote)
Create an IoT/Cybersecurity incident response plan
Compartmentalize IoT devices to minimize attack surfaces
Add security software, containers, and devices to “digitally fence” network and devices
Monitor and share threat intelligence
Scan all software for vulnerabilities in networks and applications
Update and patch vulnerabilities to both networks and devices
Do not integrate devices into your network with default passwords and other known vulnerabilities
Establish privileged access for device controls and applications
Use strong authentication and perhaps biometrics for access control
Use machine authentication when connecting to a network
Encrypt IoT communications, especially for data in transit
Use strong firewalls
Use secure routers and WIFI
Use multi-layered cybersecurity protections, including antivirus software
Back up all data
Consider Managed Security and outside subject matter experts
Consider Cloud security as a service
Integrate emerging technologies for protections including machine learning/artificial intelligence
Continually audit and use real time analytics (including predictive analytics)
Implement security awareness training for all employees
Be Vigilant
Tomi Engdahl says:
The 3G shutdown is coming: https://ifls.online/3s62GjX
Tomi Engdahl says:
LockBit, Conti most active ransomware targeting industrial sector https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ransomware-targeting-industrial-sector/
Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector.
Tomi Engdahl says:
Shadowserver Starts Conducting Daily Scans to Help Secure ICS https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-help-secure-ics
The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.
Tomi Engdahl says:
Dragos 2021 Industrial Cybersecurity Year In Review Summary https://www.dragos.com/blog/dragos-2021-industrial-cybersecurity-year-in-review-summary/
Ransomware became the number one attack vector in the industrial sector. Dragos assessed that manufacturing accounted for 65% of all ransomware attacks. Two ransomware groups, Conti and Lockbit 2.0, caused 51 percent of attackswith 70% of their malicious activity targeting manufacturing.
Report at https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf?hsLang=en
Tomi Engdahl says:
Hardware & Embedded Systems: A little early effort in security can return a huge payoff https://research.nccgroup.com/2022/02/22/hardware-embedded-systems-a-little-early-effort-in-security-can-return-a-huge-payoff/
Theres no shortage of companies that need help configuring devices securely, or vendors seeking to remediate vulnerabilities. But from our vantage point at NCC Group, we mostly see devices when working directly with OEMs confronting security issues in their products and by this point, its usually too late to do much. We root out as many vulnerabilities as we can in the time allotted, but many security problems are already baked in. Thats why we advocate so strongly for security early in the development process.
Mitigating kernel risks on 32-bit ARM
https://security.googleblog.com/2022/02/mitigating-kernel-risks-on-32-bit-arm.html
Linux kernel support for the 32-bit ARM architecture was contributed in the late 90s, when there was little corporate involvement in Linux development, and most contributors were students or hobbyists, tinkering with development boards, often without much in the way of documentation. Now 20+ years later, 32-bit ARM’s maintainer has downgraded its support level to ‘odd fixes,’ while remaining active as a kernel contributor. This is a common pattern for aging and obsolete
architectures: corporate funding for Linux kernel development has tremendously increased the pace of development, but only for architectures with a high return on investment.
Tomi Engdahl says:
Tackling Security Challenges in 5G Networks https://www.enisa.europa.eu/news/enisa-news/tackling-security-challenges-in-5g-networks
The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.. Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.
Tomi Engdahl says:
The Urgency To Cyber-Secure Space Assets https://www.forbes.com/sites/chuckbrooks/2022/02/27/the-urgency-to-cyber-secure-space-assets/
Our reliance on space, and especially satellites, for communications, security, intelligence, and commerce has exponentially grown with digital transformation. Unfortunately, so have the risks, as a result, the need to prioritize cybersecurity around space assets is urgent.
Last May, the Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a Space Systems Critical Infrastructure Working Group. The group is composed of government and industry members that operates under the Critical Infrastructure Partnership Advisory Council (CIPAC) framework, bringing together space system critical infrastructure stakeholders.
Tomi Engdahl says:
Increasing Number of Threat Groups Targeting OT Systems in North America
https://www.securityweek.com/increasing-number-threat-groups-targeting-ot-systems-north-america
An increasing number of threat groups have been targeting organizations with industrial control system (ICS) or other operational technology (OT) environments, according to a new report from industrial cybersecurity company Dragos.
Dragos last year identified three new groups that appear to be interested in ICS/OT, which brings the total number of such groups tracked by the company to 18. The new groups discovered in 2021 are tracked as KOSTOVITE, ERYTHRITE and PETROVITE, and the first two actually managed to gain direct access into ICS/OT networks.
PETROVITE, which has targeted mining and energy operations in Kazakhstan, has shown an interest in collecting data on ICS/OT systems and networks, but, based on what Dragos has seen, it has yet to actually gain access to these types of systems. The company is aware of PETROVITE attacks conducted since the third quarter of 2019.
There appear to be some overlaps between PETROVITE activity and KAMACITE and Fancy Bear, which have been linked to Russia. KAMACITE has targeted energy companies in the United States.
Tomi Engdahl says:
GE SCADA Product Vulnerabilities Show Importance of Secure Configurations
https://www.securityweek.com/ge-scada-product-vulnerabilities-show-importance-secure-configurations
GE Digital has released patches and mitigations for two high-severity vulnerabilities affecting its Proficy CIMPLICITY HMI/SCADA software, which is used by plants around the world to monitor and control operations.
The flaws were found by industrial cybersecurity firm OTORIO, which this week published a brief blog post describing the issues. GE and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released separate advisories for each of the vulnerabilities.
One of the security holes, tracked as CVE-2022-23921, can be exploited for privilege escalation and remote code execution. However, successful exploitation requires access to the device running Proficy CIMPLICITY and the targeted server must not be running a project and it must be licensed for multiple projects. GE has released an update that should patch this vulnerability.
“CVE-2022-23921 may allow an attacker with a limited access to the CIMPLICITY server to escalate privileges by dropping a malicious file within the CIMPLICITY runtime project,” Matan Dobrushin, VP of research at OTORIO, told SecurityWeek.
The second issue, identified as CVE-2022-21798, is related to the transmission of credentials in clear text. An attacker who can capture the credentials through a man-in-the-middle (MitM) attack can use them to authenticate to the HMI and obtain information about alerts and other parts of the system. GE said an attacker — in some cases — may also be able to change values in the system.
“Given CIMPLICITY’s central role in OT environments, the two vulnerabilities introduce a huge disruptive impact potential on this operational server. We can assume that if and when attackers establish a foothold in the network, CIMPLICITY will be on top of their list,” OTORIO warned in its blog post.
GE said users can prevent exploitation of CVE-2022-21798 by enabling encrypted communications. In fact, OTORIO noted that both vulnerabilities can be mitigated if the server has a secure configuration. The company noted, however, that this is often not the case.
2 New Vulnerabilities Discovered in GE’s CIMPLICITY Servers
https://www.otorio.com/blog/2-new-vulnerabilities-discovered-in-ge-s-cimplicity-servers/
Yesterday, GE Digital published 2 advisories of vulnerabilities in GE’s SCADA/HMI product – Proficy CIMPLICITY that were discovered by OTORIO’s research team.
The two vulnerabilities are –
CVE-2022-23921- Privilege Execution Vulnerability (CVSS – 7.5)
CVE-2022-21798 – Credentials Vulnerability (CVSS – 7.5)
GE Digital is a leading provider of industrial software solutions and IIoT services. As such, their systems can be found in almost every industry. The GE CIMPLICITY is a well known HMI/SCADA system with a well-established track record. Where installed, CIMPLICITY is typically the key component that controls and monitors the operations in the manufacturing environment.
Given CIMPLICITY’s central role in OT environments, the two vulnerabilities introduce a huge disruptive impact potential on this operational server. We can assume that if and when attackers establish a foothold in the network, CIMPLICITY will be on top of their list.
The OTORIO Research team addressed the issues in the past. If we look at CVE-2022-21798 for example, the default configuration of the affected CIMPLICITY servers is vulnerable and exposes sensitive information to the network. However, If configured correctly with the existing security features of the system, the risk is immediately mitigated. Our recommendations, along with an open-source hardening tool we designed can be found below or by using this link: https://github.com/otoriocyber/CIMPLICITY-Hardening-Tool
Tomi Engdahl says:
COVID’s Silver Lining: The Acceleration of the Extended IoT
https://www.securityweek.com/covid%E2%80%99s-silver-lining-acceleration-extended-iot
Acceleration of XIoT unlocked business opportunities and ignited security innovation
Most experts agree that over the past two years, COVID has accelerated digital transformation significantly – by five to 10 years – as has the convergence of physical and digital assets. Ransomware attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure brought into sharp focus the high criticality of cyber-physical systems (CPS) and their exposure to attacks. With more time, the security industry would have been better prepared to address the cyber risks of converged CPS. However, I’d like to argue that this acceleration and the functions it forced are the silver lining of the COVID pandemic. Here’s why.
Let’s start with defining what we mean by CPS. NIST defines CPS as “comprising interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.” Other phrases include IoT, Industrial Internet, Smart Cities, Smart Grid and “Smart” Anything (e.g., cars, buildings, homes, manufacturing, hospitals, appliances).
For simplicity, these categories can be referred to holistically as the Extended IoT (XIoT), with three main components:
1. Industrial IoT (IIoT) and operational technology (OT) are all the cyber-physical processes and equipment such as programmable logic controllers (PLCs) that support critical processes in industrial environments. These systems are connected internally to workstations that can typically be accessed remotely for maintenance; other cyber components include IIoT devices such as smart sensors. The 16 critical infrastructure sectors as defined by CISA – from manufacturing to energy to transportation – rely on these interconnected processes and systems.
2. Healthcare IoT includes medical imaging equipment such as MRI machines and CT scanners, as well as internet of medical things (IoMT) devices such as smart vitals monitors and infusion pumps that support critical care delivery in healthcare environments. These systems are usually connected to organizations’ IT networks.
3. All other IoT devices used in smart cities, smart grids, Enterprise IoT, and smart “anything.”
Tomi Engdahl says:
The report released today is designed to give guidance on building cybersecurity zones and conduits for a railway system https://www.enisa.europa.eu/news/building-cyber-secure-railway-infrastructure
The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with a guidance to help railway operators with the practical implementation of the zoning process.. The work gathers the experience of the European Rail ISAC and of their members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.
Tomi Engdahl says:
Ukraina sai apua kybersodankäyntiin: Hakkerit häiritsivät Venäjän sotakalustoa
https://www.kauppalehti.fi/uutiset/ukraina-sai-apua-kybersodankayntiin-hakkerit-hairitsivat-venajan-sotakalustoa/78dfa9f8-03de-4440-8655-3bf0deae92f9
Kyberpartisaaneiksi itseään kutsuva valkovenäläinen hakkeriryhmä kertoi sunnuntaina tunkeutuneensa tietokoneille, jotka ohjaavat Valko-Venäjän junaliikennettä, uutisoi Bloomberg. Ryhmän mukaan se sai joitain junia pysähtymään Minskiin ja Orshaan sekä Osipovichin kaupungin liepeille. Ryhmä kertoo muuttaneensa järjestelmän reitityksiä sekä salanneensa niissä ollutta dataa.
Tomi Engdahl says:
The Value of Penetration Testing ICS/OT Environments https://www.dragos.com/blog/the-value-of-penetration-testing-ics-ot-environments/
When establishing and testing a brand-new cybersecurity program, it can be difficult to know exactly what steps are reasonable to take, and when to take them. In this blog, we will talk about when to begin thinking about a penetration test, and considerations to make when youve decided its time to order one for your industrial control systems (ICS) and operational technology (OT) environments. Building a cybersecurity program is a marathon, not a race. It can be exciting finally getting to the point of ordering a penetration test, but testing should be considered a late-stage maturity activity. In other words, system owners should make sure that they have the basic building blocks of a cybersecurity program in place before considering a penetration test.
Tomi Engdahl says:
Schneider Relay Flaws Can Allow Hackers to Disable Electrical Network Protections
https://www.securityweek.com/schneider-relay-flaws-can-allow-hackers-disable-electrical-network-protections
Vulnerabilities discovered by researchers in some of Schneider Electric’s Easergy relays can allow hackers to disable protections for electrical networks. The vendor has released patches that should address the security flaws.
Three high-severity vulnerabilities have been found in Easergy medium-voltage protection relays — two impact Easergy P5 devices and one affects Easergy P3 devices. Schneider Electric informed customers about these vulnerabilities in January and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week.
Vulnerabilities found in Schneider Easergy protection relaysAccording to the advisories from Schneider and CISA, P3 relays are affected by a buffer overflow (CVE-2022-22725) that can lead to arbitrary code execution or a denial-of-service (DoS) condition if specially crafted packets are sent to the targeted device over the network.
Tomi Engdahl says:
Shadowserver Starts Conducting Daily Scans to Help Secure ICS
https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-help-secure-ics
Tomi Engdahl says:
The nonprofit cybersecurity organization is scanning the web for exposed services that use the Modbus industrial communications protocol on TCP port 502, but Shadowserver’s Piotr Kijewski told SecurityWeek that they plan on introducing many other ICS and operational technology (OT) protocol scans in the near future.
https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-help-secure-ics
Tomi Engdahl says:
More than 100,000 infusion pumps were found susceptible to severe vulnerabilities that were disclosed roughly three years ago, according to researchers at Palo Alto Networks’ Unit 42.
Scans of over 200,000 infusion pumps found on the networks of healthcare providers and hospitals show that 75% of these network-connected devices are impacted by known vulnerabilities that expose them to potential cyberattacks.
What’s more alarming, Palo Alto Networks researchers say, is the fact that more than 52% of the scanned devices are susceptible to two severe security flaws identified in 2019 — CVE-2019-12255 (CVSS score of 9.8) and CVE-2019-12264 (CVSS score of 7.1).
Over 100,000 of the infusion pumps were found vulnerable to older, medium-severity bugs (CVE-2016-9355 and CVE-2016-8375), the company said in a research report.
Tomi Engdahl says:
Slight Increase in Attacks on ICS Computers in 2021: Report
https://www.securityweek.com/slight-increase-attacks-ics-computers-2021-report
Kaspersky said it saw only a small increase in the percentage of industrial control system (ICS) computers targeted in 2021 compared to the previous year, but there was a more significant rise for certain types of threats.
Overall, Kaspersky blocked “malicious objects” on 39.6% of the ICS computers protected by its products, up from 38.6% in 2020. On the other hand, in the second half of 2021, the company observed attacks only against 31.4% of devices, the smallest of any six-month period since the start of 2020.
However, there were certain types of threats where the number of detections has been on an upwards trend in the past two years. This includes spyware (blocked on over 8.1% of devices compared to 5.6% in H1 2020), malicious scripts and phishing pages (9.3% up from 6.5%), and cryptocurrency miners (2.1% up from 0.9%).
In North America, nearly 20% of systems were targeted, roughly the same as in Western Europe, Kaspersky’s report shows. In comparison, the percentage of targeted systems exceeded 40% in many parts of Asia and even 50% in Africa and Southeast Asia.
The cybersecurity firm’s solutions blocked roughly 5,000 malware families and 20,000 malware variants on industrial systems in both the first and the second half of 2021. In terms of variants, this is roughly the same as in the previous two years. However, in terms of malware families, while there was no significant change in 2021 compared to 2020, the numbers are roughly double compared to 2019.
Tomi Engdahl says:
Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged
https://www.securityweek.com/millions-apc-smart-ups-devices-can-be-remotely-hacked-damaged
Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.
Armis researchers have identified three vulnerabilities in APC Smart-UPS devices, which they collectively named TLStorm.
APC says it has sold more than 20 million UPS devices worldwide and data from Armis shows that nearly 80% of companies are exposed to TLStorm attacks. UPS devices are used in data centers, hospitals and industrial facilities, and attacks targeting these systems can have serious consequences.
APC UPS vulnerabilitiesArmis researchers have analyzed the communications between the APC Smart-UPS devices and their remote management services, and discovered vulnerabilities in the TLS implementation and a design flaw related to firmware upgrades.
One security hole, tracked as CVE-2022-22806, has been described as a TLS authentication bypass issue that can lead to remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow related to packet reassembly and it can also lead to remote code execution.
These vulnerabilities can be exploited remotely — including from the internet — by an unauthenticated attacker to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.
The third vulnerability, CVE-2022-0715, is related to unsigned firmware updates. Due to the fact that firmware updates are not cryptographically signed, an attacker could create a malicious piece of firmware and install it from a USB drive, the network and even from the internet.
“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” Armis explained.
In a security advisory released on Tuesday, Schneider Electric said the vulnerabilities, which have been classified as “critical” and “high severity,” impact SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started releasing firmware updates that contain patches for these vulnerabilities. In the case of products for which firmware patches are not available, Schneider has provided a series of mitigations for reducing the risk of exploitation.
TLStorm
https://www.armis.com/research/tlstorm/
Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.
Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets and can be found in data centers, industrial facilities, hospitals and more.
APC is a subsidiary of Schneider Electric, and is one of the leading vendors of UPS devices with over 20 million devices sold worldwide. If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote take-over of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities. This blog post provides a high-level overview of this research and its implications.
Attackers can remotely take over devices via the Internet.
The latest APC Smart-UPS models are controlled through a Cloud connection. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote-code execution (RCE) attack on a device, which in turn could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it.
Schneider Electric Security Notification
08-Mar-22 Document Reference Number – SEVD-2022-067-02 Page 1 of 5
APC Smart-UPS SMT, SMC, SMX, SCL, SMTL and SRT Series
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02
Tomi Engdahl says:
Edge Security in an Insecure World
By M. Tim Jones for Mouser Electronics
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
Tomi Engdahl says:
Alexa Versus Alexa Tricks Voice Assistants Into Running Malicious Commands From Their Own Speakers
https://www.hackster.io/news/alexa-versus-alexa-tricks-voice-assistants-into-running-malicious-commands-from-their-own-speakers-bc8b856d972f
A failure to ignore audio coming from its own speaker leaves Amazon’s Echo devices, and potentially other voice assistants, vulnerable.
Researchers from the University of London and the Università degli Studi di Catania have published a paper showcasing a new class of attacks against voice-activated assistant systems, dubbed Alexa versus Alexa and triggered by having the device self-issue voice commands.
“Alexa versus Alexa [is] a novel attack that leverages audio files containing voice commands and audio reproduction methods in an offensive fashion, to gain control of Amazon Echo devices for a prolonged amount of time,” the team explains of its work. “AvA leverages the fact that Alexa running on an Echo device correctly interprets voice commands originated from audio files even when they are played by the device itself – i.e., it leverages a command self-issue vulnerability.”
Tomi Engdahl says:
UPS flaws allow for remote code execution and remote fire-based interruptions
Hooking up uninterruptible power supplies with TLS implementation errors automatically to a cloud service could potentially lead to a burning sensation
https://www.zdnet.com/article/ups-flaws-allow-for-remote-code-execution-and-remote-fire-based-interruptions/
Tomi Engdahl says:
Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE https://www.microsoft.com/security/blog/2022/03/14/secure-your-healthcare-devices-with-microsoft-defender-for-iot-and-hcls-care/
Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL’s Connected Assets in Regulated Environment (CARE), Microsoft Defender for IoT, and Azure IoT. By freeing medical device manufacturers from the need to build security solutions and cloud services, this new platform will enable them to focus on their own core mission and strengths, which are healthcare-related innovation and patient care, even as they build new, better, and more secure medical devices.
Tomi Engdahl says:
New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html
A newly disclosed security flaw in the Linux kernel could be leveraged by a local adversary to gain elevated privileges on vulnerable systems to execute arbitrary code, escape containers, or induce a kernel panic. also:
https://nickgregory.me/linux/security/2022/03/12/cve-2022-25636/
Tomi Engdahl says:
Talking About Cybersecurity and Cell Phones
Feb. 28, 2022
Alex Leadbeater, ETSI TC CYBER Chair, discusses the organization’s new standard focusing on cybersecurity and cell phones.
https://www.electronicdesign.com/technologies/iot/video/21215825/electronic-design-talking-about-cybersecurity-and-cell-phones?utm_source=EG%20ED%20Connected%20Solutions&utm_medium=email&utm_campaign=CPS220225025&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R
Tomi Engdahl says:
Edge Security in an Insecure World
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
Tomi Engdahl says:
Model contract language for medical technology cybersecurity published https://www.helpnetsecurity.com/2022/03/14/medical-technology-cybersecurity/
Medical technology companies and health delivery organizations have a new template for agreeing on cybersecurity contractual terms and conditions to reduce cost, complexity and time in the contracting process and improve patient safety.
Tomi Engdahl says:
The Rising Importance of Research Communities for Industrial Cybersecurity
https://www.securityweek.com/rising-importance-research-communities-industrial-cybersecurity
IT security research communities have been around for decades, sharing their findings with community members and the vendors of the affected product with the aim of accelerating some type of corrective action to safeguard users. As appreciation for the value of this service continued to grow, vendors began to offer bug bounty programs to provide researchers financial motivation to work with them to identify vulnerabilities. Today, bug bounty programs are prevalent, and researchers are being well compensated.
But what about research communities focused on the vulnerability landscape relevant to critical infrastructure?
On the heels of a historic period for critical infrastructure organizations, including the acceleration of digital transformation, targeted ransomware attacks, and crafty supply chain attacks, the need for research communities focused on operational technology (OT) and industrial controls systems (ICS) is urgent. While these communities are emerging and having a positive impact, it is still early days. What will it take for them to proliferate and grow?
Let’s look at the unique challenges for researchers analyzing these assets, the current state of these communities, and four ways to accelerate their growth moving forward.
Tomi Engdahl says:
Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/
The Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik devices are used in Trickbot’s
C2 infrastructure. In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks.
Tomi Engdahl says:
Cybersecurity Testing for Industrial Control Systems (W42)
https://pentestmag.com/course/cybersecurity-testing-for-industrial-control-systems-w42/