Cybersecurity Zero Day Threats and Executive Survey

Cybersecurity Zero Day Threats and Executive Survey

Cybersecurity is in the news more often than violence or politics, its seems. Last week I received two important pieces of news—both reported below. The first details vulnerabilities found in VxWorks—the most widely used Real-Time Operating System forming the foundation for process control. The other news concerns a survey of executives that shows continued cyber attacks on industrial systems.

Zero Day Vulnerabilities

Enterprise IoT security company, Armis, announced the discovery of 11 zero-day vulnerabilities, 6 critical, that affect Wind River® VxWorks versions since version 6.5, that include the IPnet stack, collectively known as “URGENT/11.” Updated releases have been provided. URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition.

VxWorks, the leading real-time operating system (RTOS), is used in more than two billion devices across industrial, medical and enterprise environments such as mission-critical systems including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, satellite modems, VOIP phones and printers. If exploited, URGENT/11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.

“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”

URGENT/11 includes six Remote Code Execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.

“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”

VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting these specific VxWorks versions released in the last 13 years, from versions 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.

The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.

Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.

Organizations deploying devices with VxWorks should patch impacted devices immediately. More information can be found in the Wind River Security Alert posted on the company’s Security Center.

Operational Downtime is the Most Common Impact of IoT-Focused Cyberattacks

As connectivity in the Industrial Internet of Things (IIoT) promises to transform the manufacturing and production industry, new research by Irdeto underlines the importance of cybersecurity, revealing that 79% of manufacturing and production organizations surveyed have experienced an IoT-focused cyberattack in the past year. This finding demonstrates the importance of cybersecurity as IoT devices proliferate across the critical infrastructure of these organizations, to ensure that the potential business benefits of IoT can be realized safely.

The Irdeto Global Connected Industries Cybersecurity Survey of 220 security decision makers in organizations in this sector (700 respondents in total) found that of the organizations that were hit by an attack, operational downtime (47%), compromised customer data (35%) and compromised end-user safety (33%) were the most common impacts. These findings clearly point to a direct bearing on revenue as well as health safety challenges presented by unsecured IoT devices.

The research also suggests that these organizations are aware of where the key cybersecurity vulnerabilities exist with their infrastructure, but do not necessarily have everything they need to address them. The most prominent vulnerabilities within manufacturing and production organizations were in mobile devices and apps (46%). This was followed by the IT network (41%) and the software used by the organization (40%) – which if referring to the OT equipment software which runs of the factory floor, could be hugely problematic.

However, despite this awareness, 92% of respondents feel their organization does not have everything it needs to address cybersecurity challenges. 44% state that their organization needs to implement a more robust security strategy. This is followed by a need for additional expertise/skills within the organization to address all aspects of cybersecurity (42%) and a need for more effective cybersecurity tools (37%).

This is compounded by the finding that, in the manufacturing sector, a total of 91% of manufacturers and 96% of users of IoT devices state that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent. Failure to address these challenges could prove costly with the average financial impact as a result of an IoT-focused cyberattack in the manufacturing space identified as more than $280,000 USD, according to the survey.

“While the benefits of IoT may be in abundance in manufacturing and industrial environments, this connectivity also increases the attack surface and these findings demonstrate that there is an awareness of the cybersecurity challenges and impacts within the industry, but potentially a need to rethink strategies to mitigate the impact of potential cyberattacks,” said Mark Hearn, Director of IoT Security and Business Development, Irdeto. “Whatever the nature of the threat, industrial and manufacturing organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors, and work with trusted advisors to safely embrace connectivity in their manufacturing process.”

As organizations fight to keep pace with the cybersecurity challenges in the manufacturing sector, they do have several security measures in place, but have often not implemented enough layers into their security strategy. 21% of organizations surveyed do not currently have software protection technologies implemented, while 39% do not have mobile app protection implemented, despite identifying mobile devices and apps as the greatest source of vulnerabilities. In addition, only 50% make security part of the product design lifecycle process.

However, the majority of organizations that don’t already have these measures in place, state that they plan to implement them in the next year. In addition, 99% of the manufacturing organizations surveyed agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that attitudes towards IoT security are changing for the better.

“As the manufacturing industry embraces IoT technology it’s clear that there are many cybersecurity challenges that must be addressed, but the industry attitude towards cybersecurity is on the right track,” added Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto. “As the scope of connected manufacturing grows, the opportunities and the risks are magnified and it is imperative that organizations upskill and implement robust cybersecurity strategies to ensure they mitigate the threat and safely take advantage of the benefits that IoT can bring.”

Gaining Trust In Your Data Systems

Gaining Trust In Your Data Systems

Digitalization breeds the need for data and connected devices. Trusted connections and data are required for success. Siemens invited a diverse group of press, analysts, podcasters, and bloggers to Munich this week (November 26-28) to discuss cybersecurity and the Charter of Trust.

I will use the words of Siemens below to discuss the rationale for the Charter of Trust. However the idea is that if users cannot trust their data and connections, they will never go further into digitalization and therefore not realize the anticipated benefits.

Some of the analysts and others in the conference had trouble understanding how something seemingly vague and not specifically standards-based would work. I think they missed the point. First, standards are good, but they take a long time to develop. What was needed was not another new standard. What is needed is for many companies to agree to a set of principles and then commonly work toward them for the mutual benefit of the industry, users, and society.

Eva Schulz-Kamm, Global Head of Government Affairs at Siemens AG, and Rainer Zahner, Global Head of Cybersecurity Governance at Siemens told us the digital world is changing everything. Billions of devices are connected by the Internet of things. That holds great potential for everyone, but also great risk. The risk of exposure to cyber-attacks. The risk of losing control over the systems that run our infrastructures. Cybersecurity is therefore crucial to the success of our digital economy – because only if the security of data and networked systems is guaranteed will people actively support the digital transformation. Then explained why Siemens has initiated the Charter of Trust.

Siemens’ 171 years of experience have also shown that the best way to make a lasting difference isn’t as one company, but as an industry – not only as one nation, but as part of a global community. In modern history, competitor businesses have forged standards together that have carried the world from one industrial revolution to the next – including the unfolding digital transformation of industry. Countries without clear-cut geopolitical alliances have come together to forge cross-border agreements that grow trade and advance peace.

It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the at the Munich Security Conference, a longstanding forum for business and government leaders to discuss geopolitical issues. Since then, several more global companies saw the value of the Charter of Trust, and signed on. These companies committed to create the first-of-its-kind global alliance focused on answering a very important question: How do we secure critical infrastructure – from our factories to our power grids – in the digital age?

We also are carrying an important message together: that when we talk about security today, it isn’t just about diplomacy and resolving military conflicts – it is increasingly about cyber attacks that seek to undermine our democratic and economic values.

The Charter of Trust then begins with these three goals:

  • protecting the data and assets of individuals and businesses;
  • preventing damage to people, businesses, and infrastructures;
  • building a reliable basis for trust in a connected and digital world.

“We know at the outset that a one-size fits all approach won’t work. We have instead agreed to 10 principles – from ensuring the highest levels of responsibility for cybersecurity within every company, to securing supply chains, products, and working with governments. Together, we will develop and continuously improve coordinated strategies and shared standards to protect critical infrastructures, public facilities and private companies.”

Charter of Trust members: The AES Corporation, Airbus, Allianz, Atos, Cisco, Dell Technologies, Enel, IBM, Munich Security Conference, NXP Semiconductors, SGS,. Deutsche Telekom, Total and TÜV SÜD.

Cybersecurity Zero Day Threats and Executive Survey

National Cybersecurity Wars Require IoT Supplier Response

Critical infrastructure control systems have been under cyber attack for years. Need we mention Stuxnet, the attack that brought the issue to the public eye? Pressure has been mounting on controls, automation, and IoT suppliers to protect a nation’s assets.

Siemens and eight partners signed a joint charter for greater cybersecurity at a recent Munich conference.

Highlights include:

  • Ten action areas for greater cybersecurity
  • Call for dedicated government ministries and chief information security officers
  • Independent certification for critical infrastructures and solutions in the Internet of Things

The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. In addition to Siemens and the Munich Security Conference (MSC), the companies Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom are signing the Charter. The initiative is further welcomed by Canadian foreign minister and G7 representative Chrystia Freeland as well as witnessed by Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small and Medium-sized Enterprises.

“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens President and CEO Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”

The Charter delineates 10 action areas in cybersecurity where governments and businesses must both become active. It calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer at companies. It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – above all, where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, security and data protection functions are to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The Charter’s signatories also call for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives.

“Secure digital networks are the critical infrastructure underpinning our interconnected world,” said Canadian foreign minister Chrystia Freeland. “Canada welcomes the efforts of these key industry players to help create a safer cyberspace. Cybersecurity will certainly be a focus of Canada’s G7 presidency year.‎”‎ The matter is also a top priority for the Munich Security Conference. “Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, Chairman of the Munich Security Conference. “But the companies that are in the forefront of envisioning and designing the future of cyberspace must develop and implement the standards. That’s why the Charter is so important. Together with our partners, we want to advance the topic and help define its content,” he added.

According to the ENISA Threat Landscape Report, cybersecurity attacks caused damage totaling more than €560 billion worldwide in 2016 alone. For some European countries, the damage was equivalent to 1.6 percent of the gross domestic product. And in a digitalized world, the threats to cybersecurity are steadily growing: According to Gartner, 8.4 billion networked devices were in use in 2017 – a 31-percent increase over 2016. By 2020, the figure is expected to reach 20.4 billion.