Two cryptocurrencies have recently become victims of the dreaded ‘51 percent attacks’ on their blockchains. Electroneum suffered a 51 percent attack which was discovered when it was noticed that a massive amount of empty blocks were being constantly mined on the currency’s blockchain one after another, preceded by a sudden drop in hashrate. Following the Electroneum attack it was reported that Verge’s blockchain had also been compromised by a 51 percent attack. Around 250,000 XVG were stolen by the attacker, as the attacker was able to mine multiple blocks one second apart using the same (scrypt) algorithm. This feat would…
In recent weeks, the U.S. Patent and Trademark Office has published Apple patent applications for several fascinating virtual reality concepts, but the latest one takes the cake: Apple has applied to patent a VR system for autonomous cars that radically transforms the car’s interior and exterior environments, making the ride more fun for pass…Read More Apple – VentureBeat
Almost every organisation polled by the Ponemon Institute and Shared Assessments say they fear a ‘catastrophic’ security event related to an unsecured IoT device – yet only a third actively monitor for IoT-related third-party risks.
The study, which surveyed 605 individuals in corporate governance, found the average number of IoT devices in the workplace is set to increase by 55% over the coming year. 81% of those polled said a data breach caused by unsecured IoT devices was ‘likely’ to occur in the next 24 months.
The challenge is more of an issue than may be let on, the report adds. Less than half (45%) of respondents believe they can keep a full inventory of IoT devices in the organisation – and of that number, only 19% actually have an inventory of at least half of their devices. 15% of survey respondents have an inventory of the majority of their applications.
46% of those polled say they have a policy to disable a risky IoT device within their own organisation, while 60% opt for a third-party risk management program.
“The rapid adoption of IoT devices and applications is not slowing down and organisations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks,” said Charlie Miller, SVP at the Shared Assessments Program. “While there’s an increasing awareness about third-party IoT risks, much more work needs to be done to ensure controls minimise the risks these devices pose.
“With the increasing number of major data breaches, ransomware, and distributed denial of service attacks in the news daily, and senior executives losing their jobs as a result, it’s critical that organisations assign accountability and ownership of IoT-related oversight across their organisation, ensure that IoT security is taken seriously, and educate management at all levels,” added Miller.
The health, energy, and transport sectors are among IoT-enabled systems at increasing risk of a cyber attack. But why is this, and what can these sectors do to protect themselves? Kate O’Flaherty reports.
From power stations through to medical devices, internet-connected critical national infrastructure is at increasing risk from cyber attack.
Last year, the UK’s National Cyber Security Centre (NCSC) warned that assaults on critical infrastructure are “highly likely”. Increased tensions between Europe and Russia, and between the US and China, raise the stakes even higher.
Indeed, the NCSC said the Kremlin had already ordered attacks on energy companies with the aim of disrupting international order. Meanwhile, the US also recently accused Russia of attempted assaults on its utility sector, and blocked the largest deal in technology history, Broadcom’s hostile takeover of Qualcomm, on national security grounds.
But governments are starting to act. Under the EU’s network and information systems (NIS) Directive, organisations – including those in health, transport, energy, and finance – could be fined up to £17 million if they fail to implement robust cyber security measures.
The global energy sector has already fallen victim to several successful cyber attacks. In 2010, one of the first known large-scale incidents, Stuxnet, targeted an Iranian nuclear facility. Then in 2016, malware known as Industroyer was apparently deployed by the Kremlin to strike Ukraine’s national grid.
So why is this sector more vulnerable than others?
Unintended uses of equipment
The risk is elevated because utilities are often running old supervisory control and data acquisition (SCADA) systems, which were never intended to be connected to the internet in the first place. Adding to the security challenge, Internet of Things (IoT) programmes are being layered on top in a bid to increase efficiency.
The same challenge applies in healthcare, where the tightly regulated world of medical equipment – where machines are often extremely expensive and are used for many years before being replaced – has often seen old systems added to local hospital networks. Such devices can’t be redesigned, patched, or upgraded overnight.
Speaking at a Dell IoT launch in New York last year, IoT security company Zingbox claimed that hackers had entered US hospital networks via insecure medical devices, including MRI scanners and X-Ray machines, accessed patients’ medical records, and changed drug doses remotely.
Healthcare providers should consider whether all such devices need to be connected to the internet, and actively explore what the impact would be of the device being compromised, or used to access other critical systems.
They should then work with the manufacturer to take preemptive action.
The rapid growth of the IoT in these sectors is emerging as a further security challenge. According to recent research from the Wi-SUN Alliance, the IoT utilities sector alone could be worth as much as $ 15 billion by 2024.
Oil and gas firms, which have a long track record of using SCADA and industrial control systems (ICS) to drive efficiency, are the most eager to add the IoT to this mix, with 88 percent considering it a priority. Utilities are not far behind, with three-quarters of all firms investing in the IoT, according to Wi-SUN’s research.
“One reason for the growing interest in IoT is the fact that it plays into several other key areas, such as IT automation, big data analytics, and organisational connectivity,” says Phil Beecher, Wi-SUN Alliance president.
Adding to this, today’s connected energy systems differ to those of the past, which were historically on separate networks: “You had to physically be there to hack it,” says Ken Munro, partner and founder at penetration security company, Pen Test Partners.
When IoT solutions and processes are layered on top of legacy systems, it creates an inviting prospect for hackers and hostile ‘actors’, says Karl Lankford, senior solutions engineer at remote access specialist, Bomgar.
Lankford points to “lots of new products” being fast-tracked into use by manufacturers, which are keen to exploit the cost-saving efficiencies that the Industrial Internet of Things (IIoT) can deliver.
He warns: “In the rush to make everything internet enabled, security can sometimes be overlooked, and businesses have to ensure that someone isn’t creating or opening a backdoor into the network.”
• In a recent Internet of Business report, IBM laid out the ground rules for securing the IIoT.
In healthcare, the WannaCry cryptoworm last Spring demonstrated the potential impact of a successful cyber attack, when it brought more than one-third of the UK’s NHS Trusts to a standstill, causing cancelled appointments and halting life-saving treatments.
As is often the case with health technology, the ransomeware’s impact was significant because of the high numbers of computers running an outdated and unsupported operating system – Windows 7 – which had not been patched.
Earlier NHS security review recommendations had not been implemented, partly for cost reasons. Had they been, WannaCry’s impact on the NHS would have been minimal. This tells us that ignoring security recommendations for cost reasons is a false economy.
Keeping operating systems and applications continuously patched and upgraded is essential. Particularly in an environment where hardware upgrades to run more recent OSs may not be possible for budgetary reasons.
There are numerous examples of vulnerable systems and devices in healthcare. For example, last year in the US it was discovered that 465,000 pacemakers needed a firmware update to close security holes. (Former US vice president Dick Cheney was reportedly so paranoid that his heart defibrillator could be hacked that he demanded doctors fit a new device without a Wi-Fi connection.)
Healthcare systems pose a particular challenge to security specialists, because replacing old technology is not always possible.
Greg Day, VP and CSO EMEA at enterprise security provider Palo Alto Networks, cites the example of an MRI scanner. “It’s very expensive, and embedded within it is a lightweight operating system. But you can’t just upgrade it; the company that made the hardware, such as Siemens, needs to test it to see if it’s compatible. There’s often a complicated supply chain involved.”
Meanwhile, Dan Lyon, principal security consultant at Synopsys, explains that is not always easy to recover healthcare systems after a breach. This is because medical devices need to be serviced by the manufacturer, and lack the data backup and restore functions that are usually performed when recovering from malware attacks. “This could mean an extended period of downtime while the manufacturer either repairs or replaces the medical device,” he says.
As the IoT becomes an integral part of critical industries, the transport sector is also vulnerable. According to Alex Cowan, CEO of specialist security vendor RazorSecure, the risks to transport organisations include: “Many connected devices are being put in security zones that they were never designed for, with connectivity back out to the internet and weak segregation of systems such as virtual LANs.”
Close to the edge
So, what can be done to mitigate these risks to critical industries? In the future, Edge security will be integral, as well as systems that look for unusual behaviour.
The edge environment is where much real-time AI and IoT processing will take place, because with an estimated 30 billion connected devices online by 2020, a mass of-in-memory processing will be essential, with other data-crunching carried out near the source.
Cowan points out that the NCSC’s guidance for NIS encourages a shift towards active security monitoring and anomaly detection, rather than attempting to secure each and every IoT device.
AI, machine learning, monitoring, and detection, together with automatic discovery and identification, may be the only realistic approaches to IoT security in the long run: systems that detect unusual profiles and/or infer unusual behaviour as it emerges.
In the energy sector, Munro advises segregation, access control, and updating kit. He says: “Security isn’t perfect: all it takes is one high-grade attack and we are stuffed again, but with industrial control systems, issues tend to be systemic. A vulnerability in one can lead to a breach of them all, which is why it’s so important to have good defences.”
Policy is also important. Doug Wylie, director infrastructure and industrials practice at information security centre SANS Institute, says organisations need to accept the risks and apply counter measures, including response and recovery. “It’s understanding what the risk profile looks like, and the threat landscape. This is often addressed by ensuring that people are continuously trained.”
Overall, visibility is key, says Palo Alto’s Day. “What do we have out there; what technology is it using, and who is responsible for it?”
But in the end, a very simple solution could help those tasked with protecting these vulnerable connected environments. Munro says: “People have got to be proactive. In most cases it’s about not missing patches and not using default, common, or reused passwords: the basics just aren’t being followed.”
Additional reporting: Chris Middleton.
Internet of Business says
A raft of recent reports have identified IoT security as a blind spot for many organisations. And as IoT systems are layered on top of legacy networks and critical systems, this introduces a much broader attack surface, where responsibility for security becomes less and less clear.
This is why organisations need to take responsibility themselves, stress test systems, and consider the possible impacts of a cyber attack in advance. The NHS did this, but key security recommendations were ignored. Budgets are often the real killers, it seems.
However, several Internet of Business reports reveal that many organisations simply aren’t taking responsibility, and are doing little to secure the IoT, despite strong awareness of risk.
And as Kate O’Flaherty points out, the unique challenge in healthcare, and in some industrial deployments, is that many types of device or machinery were never designed to be connected to the internet in the first place. Taking MRI or X-Ray machines offline inevitably impacts on hospitals’ ability to treat sick patients.
Instead of living on the edge, organisations should look to the edge for new solutions.
KateO’Flaherty is a freelance journalist with over a decade’s experience reporting on business and IT. She has held editor and news reporter positions on titles including: The Inquirer, Marketing Week, and Mobile Magazine, and has written articles for The Guardian, the Times, the Economist, SC UK Magazine, Mobile Europe, and Wired UK. She is also a contributing analyst at Current Analysis, covering wholesale telecoms.
Security researchers at Kaspersky Lab have discovered what's likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik… Engadget RSS Feed
Remember those 'sonic attacks' against the American and Canadian embassies last summer, making staff queasy and raising all kinds of questions as to what happened? There might have an answer. University of Michigan researchers have theorized that t… Engadget RSS Feed
Cyber attacks are increasingly becoming a fact of life. North Korea attacked aerospace and telecom networks last year. Olympics officials confirmed a recent attack that took place during the opening ceremonies. While Russia denied its involvement in… Engadget RSS Feed
The White House has officially joined the UK government in blaming Russia for last year's NotPetya attacks. Shortly after the UK publicly accused Kremlin of unleashing the wiper worm on various organizations around the globe, particularly in Ukraine,… Engadget RSS Feed