Tag Archives: Cybersecurity

Why Are Embedded Industrial Control Devices Now Vulnerable To TCP/IP Attacks?

Critical flaws found in embedded TCP/IP stacks may widely affect industrial control devices.
By John Blyler – Cybersecurity experts have found numerous vulnerabilities affecting a commonly used TCP/IP protocol network stack used in millions of Operational Technology (OT) devices. In contrast to IT systems – which manage data – OT devices control the physical world, especially in the industrial and manufacturing spaces.

Further, the affected OT devices are manufactured by hundreds of vendors and deployed in manufacturing plants, power generation, water treatment, and infrastructure sectors. For the most part, the OT devices are part of the industrial IoT marketplaces, all of which are highly susceptible to attacks and flaws that result from issues within the TCP/IP network communications architecture.

Since their inception, TCP/IP network protocol stacks have formed the backbone of the Internet. Smaller, tailored versions of the full Internet stack were created decades ago for embedded systems and were later used in connected IIoT devices. These embedded TCP/IP stacks – NicheStack is one of them – combine application, transport, network, and physical components.

NicheStack is a closed source IPv4 network layer and application implementation for operating systems. It is one of three available from InterNiche Technologies, Inc., designed for use in embedded systems.

Researchers have identified more than a dozen vulnerabilities in the NicheStack TCP/IP stack used by many OT vendors. The vulnerabilities are collectively tracked as INFRA:HALT. They affect NicheStack and could potentially enable an attacker to achieve remote code execution, denial of service (DoS), information leaks, TCP spoofing, and even DNS cache poisoning.

Updates from ITU

The basis for safer digital finance
By Bilel Jamoussi – The transformations we are seeing in numerous fields – from energy and mobility to health care, agriculture, and financial services – all hinge on digital technologies, along with an array of associated business ecosystems. All these technologies and systems must be reliable, secure and deserving of our trust.

The Financial Inclusion Global Initiative (FIGI) is an open framework for collaboration led by the International Telecommunication Union (ITU), the World Bank Group, and the Committee on Payments and Market Infrastructures (CPMI).

Our partnership brings together the expertise to accelerate digital financial inclusion. With the support of the Bill & Melinda Gates Foundation, we have brought together the full range of stakeholders set to benefit from this expertise.

The World Bank Group and CPMI have helped to build a strong understanding of the policy considerations surrounding digital identity and incentivizing the use of electronic payments.

ITU’s work has focused on security, infrastructure and trust – secure financial applications and services, reliable digital infrastructure, and the resulting consumer trust that our money and digital identities are safe.


Updates from ITU

Countries ramp up cybersecurity strategies
ITU – The latest Global Cybersecurity Index (GCI) from the International Telecommunication Union (ITU) shows a growing commitment around the world to tackle and reduce cybersecurity threats.

Countries are working to improve their cyber safety despite the challenges of COVID-19 and the rapid shift of everyday activities and socio-economic services into the digital sphere, the newly released 2020 index confirms.

According to GCI 2020, around half of countries globally say they have formed a national computer incident response team (CIRT), indicating an 11 per cent increase since 2018. Rapid uptake of information and communication technologies (ICTs) during the COVID-19 pandemic has put cybersecurity at the forefront.


EU cybersecurity agency says hackers target supplier’s code

Europe Online/KG – Mapping emerging supply chain attacks, the European Union Agency for Cybersecurity warned on July 29 that 66% of attacks focus on the supplier’s code.

Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.

According to the new ENISA report – Threat Landscape for Supply Chain Attacks, which analyzed 24 recent attacks, strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.

This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.

“Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once,” EU Agency for Cybersecurity Executive Director Juhan Lepassaar said. “With good practices and coordinated actions at (the) EU level, (the) Member States will be able to reach a similar level of capabilities raising the common level of cybersecurity in the EU,” he added.

Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year. This new trend stresses the need for policymakers and the cybersecurity community to act now. This is why novel protective measures to prevent and respond to potential supply chain attacks, and to mitigate their impact, need to be introduced urgently.

EU to counter cyber threats

By Kostis Geropoulos – Europe needs to be the driving force in securing infrastructure of core services against hybrid attacks, including ransomware, and work with NATO to build a resilient cyber defense, European Parliament Vice President Marcel Kolaja, a Czech software engineer, told New Europe in an exclusive interview.

“The cyber strategy of the European Commission also underlines the importance of international cooperation and the Commission plans to work with partners around the world. But, of course, we need to focus on those who share our values of democracy and rule of law and human rights because even though this is a global issue, of course, cooperation with corrupt regimes does not really bring you much,” Kolaja said in an interview, following the Prague European Summit. “So, I think in that sense our natural partner of the European Union is basically NATO where there is already a cooperation ongoing through a technical arrangement on cyber defense,” the Czech MEP added.

Kolaja, who sits on the Committee on the Internal Market and Consumer Protection (IMCO) of the European Parliament, noted that the Network and Information Security Directive is currently being updated. “I’m a shadow rapporteur of an opinion in the IMCO committee for that and this Directive basically lays down rules for member states to adopt national cybersecurity strategies, to designate competent national authorities so that the critical infrastructure can be resilient against all sorts of attacks. Of course, ransomware is one of them. It foresees cybersecurity risk management and reporting obligations for critical infrastructure and for critical entities,” Kolaja told New Europe, adding that the legislative proposal strengthens security requirements for companies by imposing a risk management approach and providing a minimum list of basic security elements that have to be applied.

Reinventing the Internet for a society of change

By Francisco Jaime Quesado – The COVID-19 pandemic has led the world to an unexpected opportunity to redesign the context and concept of the Internet for society.

The world is facing new and unprecedented strategic challenges as a result of the coronavirus outbreak, and the reinvention of the Internet is one strategic tool that could facilitate a new agenda for the future. This strategic process demands an effective push towards a more cooperative agenda, one that focuses on a prosperous and competitive economy, sustainable environment, and a more democratic, open, healthy society.

This reinvention process should be seen as a key and positive element that empowers both citizens and growing businesses to help build an innovative, secure and sustainable post-pandemic world.

More than ever, the society of change that we need demands a clear and balanced repositioning of the Internet, one that is fundamentally based on a full understanding of policy issues and the context to which they belong. Furthermore, a pragmatic strategy is needed for sustainable growth and prosperity so that the majority of society can respond to the following challenges that the world is now facing:

  • Transforming society into a high skill/high employment economy for a globalized environment;
  • Tackling the effects of an ageing population, while improving major public services;
  • Doing both in a way that takes into account foreseeable expenditures and environmental constraints.

It is absolutely critical that the world’s different social actors come to understand the extreme importance of these issues when it comes to promoting a real and effective process of reinventing the Internet, particularly the private citizens and various institutions who are decisive enablers of change.

3 Reasons Embedded Security Is Being Ignored

By Jacob Beningo – The IoT has grown to the point that everyone and their brother is in the process of connecting their products to the Internet. This is great because it opens new revenue generating opportunities for businesses and in some cases completely new business models that can generate rapid growth. The problem that I am seeing though is that in several cases there seems to be little to no interest in securing these devices.

(I draw this conclusion from the fact that security, at embedded conferences, webinars, in articles and even in social media conversations, seems to draw far less interest than nearly any other topic.)

I’m going to explore the primary reasons why I believe development teams are neglecting security in their embedded products and explain why security doesn’t have to be a necessary evil.

Reason #1 – The Perception That Adding Security Is Expensive

I believe that there is still a perception in the embedded space that security is expensive. If you were to survey the availability of security experts right now, you would find that there is a severe shortage.

Reason #2 – We Will “Add It Later”

Nobody wants to be on the front page due to a security breach. I believe that in many cases companies want to include security, but in the early stages of product development, when funds are short, security is often the lowest priority. With many good intentions, teams often think they’ll add it later, after they get through this sprint or this development cycle. The problem they then encounter is that you can’t bolt security on at the end of the development cycle.

Reason #3 – Teams Are In Too Big A Hurry

Nearly every development team that I encounter is behind schedule and in a hurry. New start-ups, seasoned successful teams, there is always way too much to do and never enough time (or budget). In many cases, teams may be developing a new product and need to get to market fast in order to start generating revenue so that they can pay the bills.

Security is a foundational element of any connected device. Security cannot be added on at the end of a product and must be carefully thought through from the very beginning. Without thinking about it up front, the development team can’t ensure they have the right hardware components in place to properly isolate their software components, or expect to have the right software frameworks in their application to properly manage and secure their product.

Cybersecurity and digital trade: What role for international trade rules?

By Joshua P. Meltzer – Trade and cybersecurity are increasingly intertwined. The global expansion of the internet and increased use of data flows by businesses and consumers—for communication, e-commerce, and as a source of information and innovation—are transforming international trade. The spread of artificial intelligence, the “internet of things,” (IoT) and cloud computing will accelerate the global connectivity of businesses, governments, and supply chains.

As this connectivity grows, however, so does our exposure to the risks and costs of cyberattacks. As the President’s National Security Telecommunications Advisory Council observed, the U.S. is “faced with a progressively worsening cybersecurity threat environment and an ever-increasing dependence on internet technologies fundamental to public safety, economic prosperity, and overall way of life. Our national security is now inexorably linked to cybersecurity.”

Not only are traditional defense and other national security targets at risk of cyberattack, so too is the broader economy. This includes critical infrastructure—such as telecommunications, transport, and health care—which relies on software to network services. There is also cybertheft of intellectual property (IP) and manipulation of online information. More broadly, these risks undermine business and consumer trust in the internet as a basis for commerce and trade.

Many countries are adopting policy measures to respond to the threat. According to one estimate, at least 50 percent of countries have adopted cybersecurity policies and regulations.

Introducing Cybersecurity Insights: Director’s Corner

By Matthew Scholl – The Director’s Corner will highlight how NIST’s cybersecurity, privacy, and information security-related projects are making a difference in the field and leading the charge to make positive changes.

I believe the greatest accomplishment for the division, and what I am most proud of, is how we work globally, in an open, transparent, and inclusive process. This is especially true in the development and standardization of cryptography. This process, coupled with NIST’s technical excellence in crypto, results in NIST encryption being used by commercial IT products across the world. This underlying encryption enables billions of dollars of electronic commerce to function, from swiping credit cards at the grocery store, to online purchases, to major financial exchanges.

As we look at 2020 and beyond, NIST will update our encryption standards and ensure that encryption will continue to enable the economy and protect our livelihood. The biggest thing coming in the future (that you will hear more and more about) is in the area of quantum-resistant cryptography. NIST is building open, transparent, and inclusive encryption methods with our global partners for the new sets of encryption that will be needed when quantum computing becomes a reality.

Quantum computing is a completely new method and architecture for conducting computation (or for generating information). When a quantum computer finally becomes strong enough, some of our current encryption will become vulnerable. Therefore, NIST is proactively working to create new encryption standards.

Updates from ITU

Meet your virtual avatar: the future of personalized healthcare
ITU News – Tingly? Sharp? Electric? Dull? Pulsing?

Trying to describe a pain you feel to your doctor can be a difficult task. But soon, you won’t have to: a computer avatar is expected to tell your doctor everything they need to know.

The CompBioMed Centre of Excellence, an international consortium of universities and industries, is developing a program that creates a hyper-personalized avatar or ‘virtual human’ using a supercomputer-generated simulation of an individual’s physical and biomedical information for clinical diagnostics.

There is a rapid and growing need for this kind of technology-enabled healthcare. 12 million people who seek outpatient medical care in the U.S. experience some form of diagnostic error. Additionally, the World Health Organization estimates that there will be a global shortage of 12.9 million healthcare workers by 2035.

Greater access to technology-enabled healthcare will allow doctors to make better and faster diagnoses – and provide the tools to collect the necessary data.

The Virtual Human project combines different kinds of patient data that are routinely generated as part of the current healthcare system, such as x-rays, CAT scans or MRIs, to create a personalized virtual avatar.
