Evolution of factory security for Industry 4.0

Stuart Traynor @sttrayno @CiscoUKI will be talking about the Evolution of factory security for Industry 4.0  at the Secure IoT conference. The digitisation of manufacturing, or Industry 4.0 as it is commonly known, is driving manufacturing organisations to rapidly adopt new technologies including, Robotics, Industrial IoT, Mobility, Collaboration and Analytics to help drive efficiency within their processes. Unfortunately, more devices and connections also open the door to new cyber-security risks, and previous generations of industrial control systems were not conceived with security or the IP connectivity needed in mind.

Traditional guidance to create air gapped and siloed networks is no longer relevant in today’s world which needs to make use of the data generated on the factory floor. This session looks to explore how cyber-security is evolving in order to allow organisations to effectively adopt Industry 4.0 whilst maintaining the required level of security. It will dicuss two case studies (large enterprise and SMB) to explore the different challenges and approaches required to evolve security in the manufacturing environment.

Stuart is a Solutions Architect within Cisco UKI Technology Office with a focus on working with  manufacturing customers as they look move towards Industry 4.0.

California Poised to Enact Internet of Things Information Security Law

Internet of Things Information Security Law. California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

See full article from The National Law Review here

Ransomware attack blacks out screens at Bristol Airport

Flight information screens were blacked out over the weekend at the Bristol Airport in the UK. Airport officials blamed the incident on a ransomware infection that affected the computers running the airport’s in-house TV screens displaying arrival and departure flight information.

Airport officials decline to pay ransom demand and manually restore all affected systems. Functionality has been restored to all screens after two days.

See ZDNET post here:

 

Threat Modelling & Security Analysis For IoT

Among the most critical tasks in developing secure device is designing platforms with robust countermeasures for identified threats. Dr Andrew Jones from @Arm will be talking Threat Modelling & Security Analysis For IoT at the Secure IoT conference. Andrew will give an overview of Arm’s Platform Security architecture and how threat modelling can be performed to identify and mitigate attacks.

Dr Andrew Jones is the Arm architect focused on future systems design of IoT and embedded automotive systems. Andrew is a veteran system architect having previously worked at the University of Bristol, and several microelectronics companies in the UK and US. He has managed the specification of dozens of successful chips and is the holder of over 50 patents. Andrew Jones is the author of a book on network design and of a number of publications focused on system on chip architectures.

Bitfi the unhackable crypto currency wallet. Did anything go right?

At the Secure IoT conference – with live hacks and previously unpublished comments and insights Ken Munro @TheKenMunroShow from @PenTestPartners will explain and demonstrate the fiasco that is the Bitfi hardware crypto currency wallet. From poor design, even poorer security, and abysmal PR, you’ll get the whole story in one entertaining and enlightening instalment.

Ken is Partner and Founder of Pen Test Partners, a firm of ethical hackers. He regularly blogs on everything from maritime security to hacking cars and the Internet of Things. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. He’s also an Executive Member of the Internet of Things Security Foundation and spoke out on IoT security design flaws at the forum’s inaugural event.

He also writes for various newspapers and industry magazines in an effort to get beyond the unhelpful scaremongering put about by many security vendors. Ken has become a voice for reform and legislative change in the largely unregulated IoT, briefing UK and US government departments as well as being involved with various EU consumer councils.

Keeping Patients Alive: A Secure Internet of Medical Things

Rob Dobson, Director, @DeviceAuthority will be talking about how to secure Internet of Medical Things devices at the Secure IoT conference.

Experts predicted that like the Internet, the Internet of Things (IoT) too is going to be a part of our everyday life. With an increasing number of medical devices connecting to the Internet, the idea of a connected healthcare sphere becomes more interesting. Several software, service, and product companies are showing interest in connecting devices with a view to make their primary product or service more achievable.

IoT medical devices provide many benefits for different stakeholders, most notably improved healthcare for patients, efficiency and cost savings for the manufacturer and real time monitoring for healthcare professionals. However, there are risks associated with connecting medical devices to the Internet. The good news is there are ways to mitigate them, which will be addressed in this session.

The session will include:

  • Introduction to IoT medical devices: benefits, concerns and risks
  • Common security challenges
  • How to secure a connected / IoT medical device

Rob has over 25 years of experience in industry, with a wide range of expertise across cybersecurity, IoT, SaaS, Semiconductors and Software engineering. He has been involved in several successful start-ups. Rob helps customers architect and deploy successful IoT solutions with the security they need and is also well known for speaking at various events around the world on IoT Security across many markets, most prominently Industrial & Medical/Healthcare.

IoT Malware Discovered Trying to Attack Satellite Systems of Airplanes

Researcher Ruben Santamarta shared the details of his successful hack of an in-flight airplane Wi-Fi network – and other findings – at Black Hat USA conference in August. 

Ruben Santamarta was flying from Madrid to Copenhagen in November 2017 on a Norwegian Airlines flight when he decided to inspect the plane’s Wi-Fi network security. So he launched Wireshark from his laptop and began monitoring the network.

Santamarta noted “some weird things” happening. First off, his internal IP address was assigned a public, routable IP address, and then, more disconcerting, he suddenly noticed random network scans on his computer. It turned out the plane’s satellite modem data unit, or MDU, was exposed and rigged with the Swordfish backdoor, and a router from a Gafgyt IoT botnet was reaching out to the satcom modem on the in-flight airplane, scanning for new bot recruits.

The Internet of Things (IoT) botnet code didn’t appear to have infected any of the satcom terminals on that plane or others, according to Santamarta, but it demonstrated how exposed the equipment was to potential malware infections. “This botnet was not prepared to infect VxWorks. So, fortunately, it was no risk for the aircraft,” he said.

See Dark Reading Article:

IoT Malware Discovered Trying to Attack Satellite Systems of Airplanes, Ships

Hackable implanted medical devices could cause deaths

A range of implanted medical devices with nine newly discovered security vulnerabilities won’t be fixed by the manufacturer, Medtronic, despite the possibility that, if abused, the weaknesses could lead to injury or death.

In new research presented at the Black Hat information security conference, a pair of security researchers remotely disabled an implantable insulin pump, preventing it from delivering the lifesaving medication, and then took total control of a pacemaker system, allowing them to deliver malware directly to the computers implanted in a patient’s body.

Jonathan Butts of QED Secure Solutions and Billy Kim Rios of Whitescope demonstrated the hacks in a live session, warning anyone with an implanted medical device to leave the room before issuing the disabling command to the insulin pump.

See Guardian Article:

Hackable implanted medical devices could cause deaths

New Cybersecurity Certification Program for IoT Devices 

CTIA, the US wireless industry association, have announced  a Cybersecurity Certification Program for cellular-connected Internet of Things (IoT) devices.

By offering certification for IoT devices built from the ground up with cybersecurity in mind, the program aims to protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications.

The program builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).

The CTIA IoT Cybersecurity Certification Program will begin accepting devices for certification testing starting in October 2018.

 

Smart plug flaw gives hackers access to user’s network

Research by McAfee into the Wemo Insight Smart Plug led to the discovery of an unreported buffer overflow in the libUPnPHndlr.so library. This vulnerability, CVE-2018-6692, allows an attacker to execute remote code. McAfee  were able to demonstrate creating a backdoor channel for an attacker to connect remotely, unnoticed on the network. They used a remote shell to control a TCL smart TV connected to the network.

“Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content. Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect.”