The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,618 Comments

  1. Tomi Engdahl says:

    Yet another report: Vectra released its 2019 Spotlight Report on Healthcare, which can be downloaded here. The report notes that many unsecured legacy systems still exist, while downtime for patching is a challenge for environments that run 24/7, health-care networks have a 3:1 ratio of devices to people, and any device with an IP address can connect to the network.

    Hospitals can leverage AI to combat cyberattacks, report finds
    https://www.beckershospitalreview.com/cybersecurity/hospitals-can-leverage-ai-to-combat-cyberattacks-report-finds.html

    Reply
  2. Tomi Engdahl says:

    Critical Flaws Found in Eight Wireless Presentation Systems
    https://threatpost.com/bugs-wireless-presentation-systems/144318/

    Crestron, Barco wePresent, Extron ShareLink and more wireless presentation systems have an array of critical flaws.

    Reply
  3. Tomi Engdahl says:

    D-Link Cloud Camera Flaw Gives Hackers Access to Video Stream
    https://threatpost.com/d-link-cloud-camera-flaw/144304/

    Researchers warn customers to reconsider the use of the camera’s remote access feature if the device is monitoring highly sensitive areas of their household or company.

    Reply
  4. Tomi Engdahl says:

    Hacker takes over 29 IoT botnets
    https://www.zdnet.com/article/hacker-takes-over-29-iot-botnets/

    Hacker “Subby” brute-forces the backends of 29 IoT botnets that were using weak or default credentials.

    Reply
  5. Tomi Engdahl says:

    UK Publishes Proposed Regulation for IoT Device Security
    https://www.securityweek.com/uk-publishes-proposed-regulation-iot-device-security

    The UK government has published a consultation document on the proposed regulation of consumer IoT devices. The consultation is not designed to see whether regulation is necessary, but to help the government “make a decision on which measures to take forward into legislation.”

    The UK’s first preference is always for self-regulation, which rarely, if ever, works — no business welcomes limiting its own activities when its competitors might not. The failure of self-regulation is normally followed by legislative compulsion. In October 2018, the UK published a Code of Practice for IoT Security, but says now (PDF), “Despite providing industry with these tools to help address these issues, we continue to see significant shortcomings in many products on the market.”

    Consultation on the Government’s regulatory proposals regarding consumer Internet of Things (IoT) security
    https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/798721/Consultation_on_the_Government_s_regulatory_proposals_regarding_consumer_Internet_of_Things_security.pdf

    Reply
  6. Tomi Engdahl says:

    The proposal and intent is to make three security requirements mandatory. These are, unique passwords at sale; a published point of contact as part of a vulnerability disclosure process; and a public statement on the minimum length of time during which the device will receive security updates.
    https://www.securityweek.com/uk-publishes-proposed-regulation-iot-device-security

    Reply
  7. Tomi Engdahl says:

    [817] The “Smart” Bike Lock That Got EVERYTHING Wrong (TurboLock TL-400KBL Opened With Screwdriver)!
    https://www.youtube.com/watch?v=mGpMaShltbc

    Comments:

    Its name is TURBOLOCK because you can unlock it quickly without using the key.

    Technically correct, “Security Made Effortless” (to open)

    Anything with “smart” in its name invariably isn’t, in my experience. It’s a bit like countries with “democratic” in their name.

    Safe to say all smart locks or electronic locks are essentially good ideas just not enough time goes into actual security and design

    Reply
  8. Tomi Engdahl says:

    Ripping Up A Rothult
    https://hackaday.com/2019/05/05/ripping-up-a-rothult/

    NFC locks are reaching a tipping point where the technology is so inexpensive that it makes sense to use it in projects where it would have been impractical months ago. Not that practicality has any place among these pages. IKEA carries a cabinet lock for $20USD and does not need any programming but who has a jewelry box or desk drawer that could not benefit from a little extra security? Only a bit though, we’re not talking about a deadbolt here as this teardown shows.

    Rothult has all the stuff you would expect to find in an NFC scanner with a moving part. We find a microcontroller, RFID decoder, supporting passives, metal shaft, and a geartrain.

    https://blognamn.wordpress.com/2018/11/01/teardown-of-the-ikea-rothult-rfid-lock/

    Reply
  9. Tomi Engdahl says:

    MISRA–AUTOSAR: Securing the Connected Car
    https://blogs.synopsys.com/from-silicon-to-software/2019/04/25/misra-autosar-securing-the-connected-car/

    The Motor Industry Software Reliability Association recently announced it is merging its C++ guidelines with AUTOSAR. Will this unified standard for safety-related code development be enough to safeguard the future of the connected car?

    Reply
  10. Tomi Engdahl says:

    Diverse threat factors seen driving cities’ physical, ICT security resilience spending to $335 billion by 2024
    https://www.cablinginstall.com/articles/2019/04/abi-cities-resilience-spending-ict.html?cmpid=&utm_source=enl&utm_medium=email&utm_campaign=cim_data_center_newsletter&utm_content=2019-05-06&eid=289644432&bid=2435950

    City governments worldwide are becoming increasingly aware of the importance of making their cities able to withstand or recover quickly from a range of predictable and unpredictable disasters and catastrophes, driving global public spending on urban resilience projects from US$97 billion in 2019 to US$335 billion in 2024, according to a new report from ABI Research.

    Reply
  11. Tomi Engdahl says:

    Companies Team to Secure IoT Deployments
    https://www.eeweb.com/profile/eeweb/news/companies-team-to-secure-iot-deployments

    Adesto Technologies, IBM, and NXP Semiconductors demonstrated a joint solution that delivers a higher level of security for smart-building and industrial Internet of Things (IoT) applications at the IBM IoT Exchange conference last month. Adesto’s SmartServer IoT edge server and the IBM Watson IoT Platform, along with NXP’s A71CH secure element for IoT devices, provide an added layer of security for businesses connecting their systems to the IBM Cloud.

    Reply
  12. Tomi Engdahl says:

    NIST Working on Industrial IoT Security Guide for Energy Companies
    https://www.securityweek.com/nist-working-industrial-iot-security-guide-energy-companies

    The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems.

    Reply
  13. Tomi Engdahl says:

    Cybersecurity can be turned into a competitive advantage
    http://www.etn.fi/index.php/13-news/9449-kyberturvallisuuden-voi-kaantaa-kilpailueduksi

    http://www.etn.fi/index.php/13-news/9450-f-securelle-kaksi-merkittavaa-tietoturvasertifikaattia

    Security company F-Secure has obtained two certificates from the IEC (International Electrotechnical Commission) that demonstrate the company’s ability to develop secure components for industrial control systems. The IEC-62243-4-1 and IEC-62243-4-2 certificates define the security requirements for products used in industrial control and automation systems and for their development work.

    Reply
  14. Tomi Engdahl says:

    NIST Working on Industrial IoT Security Guide for Energy Companies
    https://www.securityweek.com/nist-working-industrial-iot-security-guide-energy-companies

    SECURING THE INDUSTRIAL INTERNET OF THINGS
    Scenario-Based Cybersecurity for the Energy Sector
    https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/es-iiot-project-description-draft.pdf

    Reply
  15. Tomi Engdahl says:

    New Samsung Exynos Chip Secures IoT Devices With Short-Range Comms
    https://www.securityweek.com/new-samsung-exynos-chip-secures-iot-devices-short-range-comms

    Samsung this week unveiled Exynos i T100, a new mobile system-on-chip (SoC) designed to enhance the security and reliability of Internet-of-Things (IoT) devices that use short-range communication protocols.

    Samsung says the new chip, which uses power-efficient 28nm technology, supports the Bluetooth Low Energy (BLE) 5.0 and Zigbee 3.0 protocols, and it integrates the processor with memory in an effort to provide flexibility to device manufacturers.

    According to Samsung, the security features integrated into the new chip are designed to protect IoT devices against hacking attempts and other threats.

    “The Exynos i T100 comes with a separate Security Sub-System (SSS) hardware block for data encryption and a Physical Unclonable Function (PUF) that creates a unique identity for each chipset,” the tech giant said.

    Reply
  16. Tomi Engdahl says:

    Blockchain IoT solutions
    https://openledger.info/solutions/blockchain-iot/?gclid=EAIaIQobChMIzpqFo5WR4gIVjsqyCh03NwtPEAAYAiAAEgLJi_D_BwE

    Blockchain makes the Internet of Things tamperproof, transparent and secure. Enhance business operations with real-time data about customers, assets, locations and environments, supported by accelerated digital transactions and end-to-end process traceability.

    Reply
  17. Tomi Engdahl says:

    The U.K. just last week announced a proposed new cybersecurity law that would require connected devices to be sold with a unique password, and not a default.

    https://techcrunch.com/2019/05/01/uk-connected-devices-security/

    Reply
  18. Tomi Engdahl says:

    New chip stops hacks before they start
    https://news.engin.umich.edu/2019/04/new-chip-stops-hacks-before-they-start/

    MORPHEUS can encrypt and reshuffle code thousands of times faster than human and electronic hackers.

    A new computer processor architecture developed at the University of Michigan could usher in a future where computers proactively defend against threats, rendering the current electronic security model of bugs and patches obsolete.

    “People are constantly writing code, and as long as there is new code, there will be new bugs and security vulnerabilities. With MORPHEUS, even if a hacker finds a bug, the information needed to exploit it vanishes 50 milliseconds later. It’s perhaps the closest thing to a future-proof secure system.”

    The technology could be used in a variety of applications, from laptops and PCs to Internet of Things devices, where simple and reliable security will be increasingly critical.

    MORPHEUS bakes security into its hardware. It makes vulnerabilities virtually impossible to pin down and exploit by constantly randomizing critical program assets in a process called “churn.”

    Yet MORPHEUS is transparent to software developers and end users. This is because it focuses on randomizing bits of data known as “undefined semantics.”

    The demonstration chip is a RISC-V processor—a common, open-source chip design often used for research. Austin is working to commercialize the technology through Agita Labs.

    Reply
  19. Tomi Engdahl says:

    Cryptography That Can’t Be Hacked
    By KEVIN HARTNETT, April 2, 2019
    https://www.quantamagazine.org/how-the-evercrypt-library-creates-hacker-proof-cryptography-20190402/

    Researchers have just released hacker-proof cryptographic code — programs with the same level of invincibility as a mathematical proof.

    Reply
  20. Tomi Engdahl says:

    DIGITALIZATION BROUGHT SECURITY RISKS TO FACTORIES – WHAT IS YOUR FACTORY’S PLAN?
    https://www2.nixu.com/planX?utm_source=facebook&utm_medium=cpc&utm_campaign=plan_x&utm_content=fb_a

    Traditionally, industry has kept the operational side and monitoring separate from each other. Then came digitalization.

    Reply
  21. Tomi Engdahl says:

    Securing satellites: The new space race
    https://www.helpnetsecurity.com/2019/05/09/securing-satellites/

    A decade ago, it would have cost you a billion dollars to deploy a satellite into space. Fast forward ten years and you can now have your own personal satellite floating in orbit for around $50,000. 3D printed Rocket Labs, SpaceX and others have revolutionized and industrialized the Space Race.

    To date more than 1000 CubeSats have been successfully deployed in orbit by universities, private companies and others for a variety of tasks including Earth observation, weather monitoring, radio transponder communications, biological experiments, and interplanetary missions, among others.

    But for all the benefits of CubeSat and the various successes of the individual satellite missions, there are also reasons for concern.

    Satellites are vulnerable

    Satellites are basically very expensive IoT devices. Unfortunately, like IoT devices here on the ground, they suffer from a lack of security and are vulnerable to being hacked and compromised. Typically, satellite engineers aren’t thinking about security, resulting in glaring vulnerabilities. There are no mandated security standards that must be met before a satellite is launched.

    Many satellites run on Linux and communicate over commonly hacked channels including VHF, UHF and S Band. Some satellite communication transmissions are not encrypted. This lack of security is leaving the door wide open for a potential satellite attack.

    Securing satellites

    So how do we better secure our satellites? That question is currently up for debate. It obviously begins when the satellite is being built. Security can no longer be an afterthought.

    Modernizing communication between the ground and satellites must be addressed. The use of encryption is gaining traction and some have even called for a “No Encryption, No Fly” rule to be adopted.

    One thing is for certain: the escalating risks surrounding satellite vulnerabilities are simply too great to ignore any longer.

    Reply
  22. Tomi Engdahl says:

    How 5G could impact cybersecurity strategy
    https://blog.malwarebytes.com/101/2019/05/how-5g-could-impact-cybersecurity-strategy/

    With the recent news that South Korea has rolled out the world’s first 5G network, it’s clear that we’re on the precipice of the wireless technology’s widespread launch.

    Offering speeds anywhere from 20 to 100 times faster than 4G long-term evolution (LTE), the next generation of wireless networks will also support higher capacities of wireless devices. That’s a huge deal considering the rise of IoT and similar technologies, all of which require a high-speed, active connection.

    But along with the network upgrade—which will surely bring with it a boost in users relying on wireless frequencies—there are security concerns, some new.

    However, the reality is that 5G introduces a variety of new cybersecurity concerns, particularly when it comes to intensified attacks.

    As more and more devices are powered on and synced up, each one becomes a potential security vulnerability for the wider network. More specifically, many organizations will have to change or restructure their cybersecurity strategies to deal with the new platform.

    Here are four ways that the rise of 5G can and will impact a company’s cybersecurity.

    1. New risks will surface
    2. More devices will necessitate smarter security solutions
    3. Increased bandwidth will raise capability concerns
    4. Integration and automation will be a must

    5G is coming

    Advanced 5G and wireless networks are coming, and they will bring a huge selection of benefits, including higher traffic capacities, lower latency, and increased reliability. Naturally, that means more people and more organizations will rely on the new system for their devices.

    Unfortunately, it also introduces a slew of cybersecurity concerns and problems, particularly as it relates to current security solutions.

    Organizations will need to be prepared and should already have plans in place to upgrade and augment their existing security solutions. Failing to do so could have serious implications, not just for the organization itself but for the world at large.

    Reply
  23. Tomi Engdahl says:

    Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco
    Simple hack turns them into super secret spying tool
    https://www.theregister.co.uk/2019/05/11/panic_alarms_hackable/

    Reply
  24. Tomi Engdahl says:

    Sectigo Acquires IoT Security Firm Icon Labs
    https://www.securityweek.com/sectigo-acquires-iot-security-firm-icon-labs

    Certificate Authority (CA) Sectigo, formerly Comodo CA, has acquired Icon Labs, a provider of cross-platform security solutions for embedded OEMs and Internet of Things (IoT) device manufacturers.

    With this acquisition, Sectigo says its expanded IoT Security Platform will provide device manufacturers, systems integrators, and enterprises using IoT with purpose-built IoT certificate issuance from a third-party CA.

    Reply
  25. Tomi Engdahl says:

    Feds seek to up their cybersecurity game
    https://www.synopsys.com/blogs/software-security/government-cybersecurity/

    Recent government cybersecurity initiatives assume that the federal government has a role to play in securing the IoT and critical infrastructure. Does it?

    Reply
  26. Tomi Engdahl says:

    Will Blockchain handcuff the hackers and cut corruption?
    https://www.electropages.com/blog/2019/05/will-blockchain-handcuff-hackers-and-cut-corruption?utm_campaign=2019-05-13-Electropages-Email-Newsletters&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=Will+Blockchain+handcuff+the+hackers+and+cut+corruption%3F

    The shady environment that sometimes surrounds cryptocurrencies may have impacted upon the public’s perception of Blockchain, but in reality it has real value when it comes to transforming the management of assets, either tangible or intangible, and smart cities will have a lot of both.

    Because Blockchain is immutable, it can create secure, fast, trustworthy and transparent solutions that can be public or private. What this means to smart city/facility/home developers is that any asset-oriented aspects of a municipality can be digitised and made more secure and functional. Each developing smart city will comprise a multitude of different machines – from grid-level infrastructure (such as that involved in metering and energy management) all the way to the individual IoT-enabled devices in the hands of the citizens.

    An intelligent management framework will be required. This will mandate secure asset tracking, user accountability and real-time management – and Blockchain can clearly contribute to all of these.

    Reply
  27. Tomi Engdahl says:

    Blockchain IoT solutions
    https://openledger.info/solutions/blockchain-iot/?gclid=EAIaIQobChMInbiKoJCg4gIVw4ayCh3FigWzEAAYASAAEgLlGfD_BwE

    On blockchain and its integration with IoT. Challenges and opportunities
    https://www.sciencedirect.com/science/article/pii/S0167739X17329205

    Building trust in distributed environments without the need for authorities is a technological advance that has the potential to change many industries, the IoT among them. Disruptive technologies such as big data and cloud computing have been leveraged by IoT to overcome its limitations since its conception, and we think blockchain will be one of the next ones. This paper focuses on this relationship, investigates challenges in blockchain IoT applications, and surveys the most relevant work in order to analyze how blockchain could potentially improve the IoT.

    Reply
  28. Tomi Engdahl says:

    Blockchains and the IoT (Internet of Things)
    Search and discover innovative Internet of Things (IoT) targeted Blockchain Dapps, products and development projects.
    https://www.postscapes.com/blockchains-and-the-internet-of-things/

    https://www.iota.org

    Reply
  29. Tomi Engdahl says:

    Blockchain of Things — cool things happen when IoT & Distributed Ledger Tech collide
    https://medium.com/trivial-co/blockchain-of-things-cool-things-happen-when-iot-distributed-ledger-tech-collide-3784dc62cc7b

    Blockchain and Internet of Things (IoT) are both poised to be world-changing technologies, just at the beginning of their adoption curve.

    Reply
  30. Tomi Engdahl says:

    Using Blockchain Technology and Smart Contracts for Access Management in IoT devices
    https://helda.helsinki.fi/bitstream/handle/10138/228832/blockchain_thesis_RupshaBagchi.pdf

    Reply
  31. Tomi Engdahl says:

    Security Research Labs:
    Many Ethereum nodes running popular clients like Parity and Geth take months to apply security patches, which may leave the network vulnerable to 51% attacks

    The blockchain ecosystem has a patch problem
    https://srlabs.de/bites/blockchain_patch_gap/

    SRLabs research suggests that security vulnerabilities remain unpatched for many Ethereum blockchain participants for extended periods of time, putting the blockchain ecosystem at risk.

    Crypto currencies provide a popular alternative to centralized payment systems, and promise transactions between mutually anonymous parties, often called “trustless” transactions.

    However, the required rational actions seem to extend beyond what many blockchain users are willing to do. In particular, we found early evidence that blockchain participants do not sufficiently patch and hence carry known vulnerabilities.

    Ethereum relies on high availability to prevent double spending. A hacker who controls more than 51% of the computational power in the network can double spend coins, enriching the hacker and undermining the trust in the ecosystem. If a hacker can crash a large number of nodes, controlling 51% of the network becomes easier. Hence, software crashes are a serious security concern for blockchain nodes (unlike in other pieces of software where the hacker does not usually benefit from a crash).

    For that reason, denial of service vulnerabilities have a particularly high severity in cryptocurrency networks; they can be used to massively reduce the amount of computational power needed to perform a 51% attack and double-spend.

    Unpatched Parity Ethereum nodes can be remotely crashed. In February 2019, we reported a vulnerability in the Parity Ethereum client that could be used to remotely crash any Parity Ethereum node prior to version 2.2.10.

    According to our collected data, only two thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes.

    Breaking the backbone of the Ethereum network requires crashing only a handful of nodes. Unfortunately, the data from ethernodes.org does not include whether a node is a miner. However, we know that currently the vast amount of hashing power is concentrated in a few mining pools. Mining pools often share one node to communicate with the Ethereum network, and we can safely assume that those mining pools are very security aware and keep their nodes up-to-date.

    To resolve this situation, more reliable update mechanisms are needed. It is therefore desirable (and in line with Ethereum core beliefs) to decentralize the hashing power – this decentralization however would only increase security if the new mining nodes would still be security aware.

    Even if the miner nodes are secure for now, failure to close known vulnerabilities may lead to a collapse of the blockchain ecosystem if and when the hashing power becomes more decentralized. This failure to update could leave the blockchain ecosystem in a more vulnerable state by lowering the barrier for performing a 51% attack.

    Reply
  32. Tomi Engdahl says:

    BLUETOOTH’S COMPLEXITY HAS BECOME A SECURITY RISK
    https://www.wired.com/story/bluetooth-complex-security-risk/

    BLUETOOTH IS THE invisible glue that binds devices together. Which means that when it has bugs, it affects everything from iPhones and Android devices, to scooters, and even physical authentication keys used to secure other accounts. The order of magnitude can be stunning: The BlueBorne flaw, first disclosed in September 2017, impacted five billion PCs, phones, and IoT units.

    As with any computing standard, there’s always the possibility of vulnerabilities in the actual code of the Bluetooth protocol itself, or in its lighter-weight sibling Bluetooth Low Energy. But security researchers say that the big reason Bluetooth bugs come up has more to do with sheer scale of the written standard, development of which is facilitated by the consortium known as the Bluetooth Special Interest Group. Bluetooth offers so many options for deployment that developers don’t necessarily have full mastery of the available choices—which can result in faulty implementations.

    Reply
  33. Tomi Engdahl says:

    Where Does PLM Fit in Digital Transformation?
    https://www.designnews.com/automation-motion-control/where-does-plm-fit-digital-transformation/205286041760797?ADTRK=InformaMarkets&elq_mid=8707&elq_cid=876648

    Product lifecycle management (PLM) is a critical component of the digital transformation that is taking companies into the world of advanced automation and connected systems.

    Where does PLM fit in digital transformation? You might think that’s a strange question in view of all the talk about digital transformation. You may think that surely everybody knows the answer. I’m not so sure.

    Another reason that people may not be sure where PLM fits in digital transformation is that there doesn’t seem to be an agreed definition of digital transformation.

    With so much information, and so many definitions, it’s not surprising that many people wonder where PLM fits in digital transformation.

    Four Levels of Digital Transformation

    Part of the problem with the information about digital transformation is that it seems to be at four levels. The first two aren’t particularly interesting for PLM. Level 1 is about rebranding and relabelling, taking something that exists and calling it digital transformation. Level 2 is the addition of new features and functions to an existing IT product and calling it digital transformation.

    At the other extreme, level 4 digital transformation is the creation of a new business area or company that wouldn’t have been possible without the use of IT components such as the internet, the World Wide Web, database technology, GPS, or telecommunications. This is the digital transformation that led to the creation of companies such as Amazon, Google, Uber, Facebook, and LinkedIn.

    The Scope of Product Lifecycle Management

    To see how PLM is related to digital transformation, it’s good to start with its definition and scope. PLM emerged around 2001. It was defined in Product Lifecycle Management: Paradigm for 21st Century Product Realisation (2004) in the following way:

    Product lifecycle management is the business activity of managing, in the most effective way, a company’s products all the way across their lifecycles, from the very first idea for a product all the way through until it is retired and disposed of. PLM is the management system for a company’s products. It organizes a company’s product-related resources, including business processes, product data, people, parts, and software applications.

    The scope of PLM can be described by reference to the PLM grid, a 5 * 10 matrix. On the horizontal axis of the grid, the x-axis, are the five phases of the product lifecycle: ideation, definition, realization, support, and recycling. On the vertical axis of the grid are the components to be addressed when managing a product across the lifecycle: products, business processes, product data, the PDM system, PLM applications, equipment, methods, people, organization, and objectives. Each of these components is managed in each of the five phases of the lifecycle.

    Just as digital transformation is about augmenting, transforming, and changing the paradigm, so is PLM. Before the PLM paradigm emerged in 2001, the previous paradigm for the management of a company’s products was the departmental paradigm.

    The PLM Paradigm

    The PLM paradigm for the management of a company’s products differs significantly from the departmental paradigm. The PLM paradigm is business-oriented, joined-up, lifecycle, holistic, formally-defined, digital, and product-focused. Whereas the departmental paradigm was technically-oriented. It wasn’t joined up. It wasn’t lifecycle. It was atomistic and piecemeal. It wasn’t formally defined. It was paper-based. It wasn’t product-focused.

    PLM can be seen as digital transformation applied to the product-related activities of a manufacturing company.

    Reply
  34. Tomi Engdahl says:

    The Decline of Hacktivism: Attacks Drop 95 Percent Since 2015
    https://securityintelligence.com/posts/the-decline-of-hacktivism-attacks-drop-95-percent-since-2015/

    Looking at IBM X-Force data in the period between 2015 and 2019, our team noted a sharp decrease in publicly disclosed hacktivist attacks.

    Reply
  35. Tomi Engdahl says:

    How Decoding Network Traffic Can Save Your Data Bacon
    https://threatpost.com/how-decoding-network-traffic-can-save-your-data-bacon/144845/

    Here are four things the network sees that could indicate an attack:

    1. Network users attempting to access systems they have never historically accessed before
    2. Suspiciously small amounts of traffic going to the same location regularly over a long period of time (this is how the Sony Entertainment breach happened)
    3. Irregular DNS queries in large quantities indicate a Domain Generation Algorithm may be in use by malware or ransomware
    4. Communication to business-critical servers by IoT devices connected on the corporate network

    The Network as The Source of Knowledge

    With the network leveraged as the most in-depth source of data, it has the perfect capacity to monitor and collect the data taking place across the network. When user behaviors change, the network sees it. The network can also detect when large amounts of data are being taken in large-scale data exfiltration attacks. But attackers don’t steal terabytes of data all at once; instead, they steal small pieces at a time, and these low-and-slow types of attacks often don’t show up on the radar for most intrusion prevention and detection systems. These systems aren’t looking for small amounts of data leaving the network, and as weeks and months go by, more and more data is slowly smuggled out.

    Network traffic analytics lets organizations see these types of attacks from inception and alerts businesses to compromise. Additionally, it allows companies and threat hunters alike to leverage the network not only as the heart of the corporate environment, but also as a defensive mechanism as well.

    Reply
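
The four network indicators listed in the comment above, written as checks over flow and DNS records. This is an added example, not code from the quoted article; the host names, thresholds, baseline and sample records are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Everything below (hosts, thresholds, records) is constructed for illustration.
IOT_DEVICES = {"cam-01", "hvac-02"}
CRITICAL_SERVERS = {"erp-db", "payroll"}
# Historical view: which destinations each user host has talked to before.
BASELINE = {"alice-pc": {"mail", "wiki"}, "bob-pc": {"mail", "erp-db"}}


def first_time_access(flows, baseline):
    """Indicator 1: a known source reaches a destination absent from its history."""
    return sorted({(src, dst) for _, src, dst, _ in flows
                   if src in baseline and dst not in baseline[src]})


def low_and_slow(flows, max_bytes=2048, min_events=6, min_span=86400, max_jitter=0.1):
    """Indicator 2: small transfers to one destination at regular intervals
    over a long period. Jitter is stdev/mean of the gaps between transfers."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))
    hits = []
    for pair, events in by_pair.items():
        events.sort()
        times = [t for t, _ in events]
        if len(events) < min_events or times[-1] - times[0] < min_span:
            continue  # too few samples or too short a window to call it regular
        if max(size for _, size in events) > max_bytes:
            continue  # a bulk transfer; volume-based alerting covers that case
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return sorted(hits)


def entropy(label):
    """Shannon entropy in bits per character of a DNS label."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def dga_suspects(dns_queries, min_names=5, min_entropy=3.0):
    """Indicator 3: one source queries many distinct, random-looking names.
    A single high-entropy name is common in benign traffic, so count them."""
    names = defaultdict(set)
    for src, qname in dns_queries:
        label = qname.split(".")[0]
        if len(label) >= 8 and entropy(label) >= min_entropy:
            names[src].add(qname)
    return sorted(src for src, seen in names.items() if len(seen) >= min_names)


def iot_to_critical(flows):
    """Indicator 4: an IoT device talks to a business-critical server."""
    return sorted({(s, d) for _, s, d, _ in flows
                   if s in IOT_DEVICES and d in CRITICAL_SERVERS})


HOUR = 3600
# Constructed flow records: (unix_seconds, source, destination, bytes).
FLOWS = (
    # 900 bytes roughly every four hours for ~44 hours to one external address
    [(i * 4 * HOUR + (i % 2) * 30, "bob-pc", "203.0.113.7", 900) for i in range(12)]
    + [(1000, "alice-pc", "mail", 50_000), (5000, "alice-pc", "payroll", 1200)]
    + [(7000, "cam-01", "erp-db", 400), (9000, "bob-pc", "erp-db", 80_000)]
    + [(t, "alice-pc", "wiki", 3000) for t in (100, 9000, 200_000)]
)
# Constructed DNS queries: (source, queried name).
DNS = (
    [("hvac-02", n + ".example.net") for n in (
        "qz7xk2vw9pfj", "b4nt8yqr1mzx", "w9dk3pfh6vqa",
        "m2xr7cjz5gty", "h8vq4lws1nkb", "t6pz3gxd9rmc")]
    + [("alice-pc", "mail.example.com"), ("alice-pc", "intranet.example.com"),
       ("alice-pc", "documentation.example.com")]
)

if __name__ == "__main__":
    print("first-time access :", first_time_access(FLOWS, BASELINE))
    print("low-and-slow      :", low_and_slow(FLOWS))
    print("DGA suspects      :", dga_suspects(DNS))
    print("IoT -> critical   :", iot_to_critical(FLOWS))
```

The low-and-slow check is the one volume-based alerting misses: each transfer is under the byte threshold, so only the regularity and the long time span make it stand out.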
  36. Tomi Engdahl says:

    How to Securely Blend Your IoT Data with Business Data
    https://www.securityweek.com/how-securely-blend-your-iot-data-business-data

    Opportunities Created by the Integration of IoT Data With the Rest of Your Business Environment Are Vast

    It’s not much of a stretch to see that IoT data will likely converge with the rest of an organization’s business data. For manufacturing organizations, the enhanced visibility from this integration represents a tremendous opportunity to accelerate time to insight, giving plant managers and production managers a way to use business information to contextualize data.

    Integrating IoT sensor data into the rest of the business environment won’t work if organizations aren’t prioritizing security. Blending various data points — like PLC, SCADA, and work order data — creates challenges for securing industrial environments. To effectively protect this complex attack surface, organizations need new ways to correlate cyber incidents with physical consequences while taking into account all the various data types and sources. When a suspicious incident occurs, connecting the dots between the event, the physical results, and the potential data sources helps security teams get to the root of the problem faster.

    The Problem with Integration

    The vast majority of manufacturers have dragged their feet around integrating their organization’s data despite its enormous potential — and with good reason. Organizations that have rapidly accumulated billions of data sets from machines, sensors and internal business applications are now overwhelmed by the sheer volume. They now face increasingly time-consuming and labor-intensive integrations of sensor and machine data with internal business applications.

    Cybersecurity also continues to present new and evolving challenges. If security policies and network segmentations aren’t strong and enforced, sophisticated threats that gain access to the corporate network have the potential to cross over into the OT environment — and vice versa — to steal sensitive information, disrupt productivity and wreak havoc on systems. Integrated networks will be a benefit to organizations but only when deployed thoughtfully and securely.

    Ensuring a Secure Environment

    Which systems should you pay attention to and why? For IT professionals deploying IoT projects, security continues to be a major concern, with the majority — 55% — ranking it as their top priority, according to 451 Research. Hardly surprising, considering that integrating IoT data makes security significantly more complicated.

    To ensure the security of the entire environment, it’s no longer enough to solely focus on authentication and the network perimeter — you need to monitor the right combination of systems. Because a typical converged IT/OT network includes SCADA and MES systems that are often integrated with ERP and other IT systems, security teams need to scrutinize engineering workstations, historians, Human Machine Interfaces (HMI) and programmable logic controllers (PLCs) for malware and suspicious behavior.

    Reply
  37. Tomi Engdahl says:

    A Firmware Update Architecture for Internet of Things Devices
    draft-moran-suit-architecture-01
    https://tools.ietf.org/id/draft-moran-suit-architecture-01.html

    Vulnerabilities with Internet of Things (IoT) devices have raised the need for a solid and secure firmware update mechanism that is also suitable for constrained devices. Incorporating such update mechanism to fix vulnerabilities, to update configuration settings as well as adding new functionality is recommended by security experts.

    Reply
  38. Tomi Engdahl says:

    Unclonable digital fingerprints developed for IoT devices
    https://www.controleng.com/articles/unclonable-digital-fingerprints-developed-for-iot-devices/

    Rice University integrated circuit (IC) designers have developed unclonable digital fingerprints for Internet of Things (IoT) devices that allows their PUF to be more energy efficient than previously published versions.

    Rice University integrated circuit (IC) designers have developed technology that is 10 times more reliable than current methods of producing unclonable digital fingerprints for Internet of Things (IoT) devices.

    Rice’s Kaiyuan Yang and Dai Li physically unclonable function (PUF) technology generates two unique fingerprints for each PUF. This zero-overhead method uses the same PUF components to make both keys and does not require extra area and latency because of an innovative design feature that also allows their PUF to be about 15 times more energy efficient than previously published versions.

    Reply
  39. Tomi Engdahl says:

    Utility sector strengthens security posture with rise of IIoT
    https://www.controleng.com/articles/utility-sector-strengthens-security-posture-with-rise-of-iiot/

    Cybersecurity: Improving evaluation and certification methods, security audits, and testing provide a foundation for evaluating Industrial Internet of Things (IIoT) devices.

    Reply
  40. Tomi Engdahl says:

    Five ways location intelligence improves IIoT operations
    Digital representations of factories and industrial spaces lead to opportunities.
    https://www.controleng.com/articles/five-ways-location-intelligence-improves-iiot-operations/

    From optimizing the supply chain to minimizing waste and managing plant materials and resources effectively, rich and intelligent location data is at the heart of improving efficiency, safety and security of Industrial Internet of Things (IIoT) operations.

    Highly detailed real-time location information allows location and tracking of any connected object, indoor or outdoor, at an unprecedented level of accuracy, improving the factory-floor production process and providing clear and complete visibility across supply chains worldwide.

    Accurate and precise digital representations of factories, industrial spaces and indoor maps, for example, open all kinds of opportunities that enable the safe, autonomous operation of equipment such as forklifts. Location intelligence improves safety levels and boosts efficiency for IIoT operations.

    Intelligent IIoT supply chains

    Intelligent and accurate tracking of connected parts and products at every stage across a supplier network and production process enables truly “just in time” manufacturing, which means huge cost savings.

    Accurate, real-time location data and the latest connected and always-on tracking technologies are powering this latest revolution in supply chain visibility, allowing operators to understand exactly where parts and materials are in the supply chain and to better predict their arrival times.

    High frequency access to and visibility of this information enables optimization of all material flows across the supply chain as autonomous movement systems are introduced.

    Asset and resource optimization

    Understanding the location patterns of humans and equipment also helps operators to determine whether they are over- or under-resourced.

    With stronger asset optimization, industrial plant owners can make smarter business decisions about how much equipment to rent or buy, for example, based on actual use data that is given in equipment location and status updates, ultimately reducing CAPEX and OPEX expenditures.

    Enhanced cyber and physical security

    In the IIoT, cyber and physical security are constant concerns, wherever valuable business data or connected infrastructure are in use.

    That’s why location intelligence can be invaluable when it comes to adding an additional layer of validation to an industrial plant’s security model. As an example, any change initiated to the configuration of the plant floor can be double-checked against the geofenced location of the actor initiating the change, enhancing standard cybersecurity.

    Also, with geofencing and alert systems, it is always valuable to know if personnel are in approved or restricted areas. Reducing unauthorized access to equipment and areas improves physical security and significantly reduces the risk of cyberattacks.

    Reply
  41. Tomi Engdahl says:

    This advice pretty much applies to IoT as well:

    Security Tip (ST19-002)
    Best Practices for Securing Election Systems
    https://www.us-cert.gov/ncas/tips/ST19-002

    Software and Patch Management

    Implementing an enterprise-wide software and patch management program reduces the likelihood of an organization experiencing significant cybersecurity incidents.

    Log Management

    Retaining and adequately securing logs from both network devices and local hosts supports triage and remediation of cybersecurity events. An organization can analyze the logs to determine the impact of cybersecurity events and ascertain whether an incident has occurred.

    Centralized Log Management

    Organizations should set up centralized log management:

    Forward logs from local hosts to a centralized log management server—often referred to as a security information and event management (SIEM) tool. CISA has observed threat actors attempting to delete local logs to remove on-site evidence of their activities. By sending logs to a SIEM tool, an organization can reduce the likelihood of malicious log deletion.
    Correlate logs from both network and host security devices. By reviewing logs from multiple sources, an organization can better triage an individual event and determine its impact to the organization as a whole.
    Review both centralized and local log management policies to maximize efficiency and retain historical data. CISA recommends that organizations retain critical logs for a minimum of one year, if possible.

    Network Segmentation

    Organizations can limit the impact of a cybersecurity incident by enforcing network segmentation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network.

    Block Suspicious Activity

    Many organizations set their security devices to alert on suspicious activity instead of blocking it. When an organization does not block suspicious activity by default, it increases the likelihood of adverse events that allow an adversary to compromise IT resources.

    Credential Management

    Managing passwords and using strong passwords are important steps in preventing unauthorized access to databases, applications, and other election infrastructure assets. Multi-factor authentication (MFA), in particular, can help prevent adversaries from gaining access to an organization’s assets even if passwords are compromised through phishing attacks or other means.

    Establish a Baseline for Host and Network Activity

    An organization’s IT personnel are critical in determining what is and is not normal and expected host or network activity. With the appropriate tools, IT personnel are well positioned to determine whether observed anomalous activity warrants further investigation.

    Network Baseline

    Specific metrics should include expected bandwidth usage for
    The organization,
    Each user (if possible),
    Remote access,
    Ports,
    Protocols, and
    File types.
    Organizations should consider variables such as the time of day traffic occurs, i.e., remote access is more suspicious occurring at 1 a.m. than during standard business hours.
    Including additional metrics—such as the destination of network traffic and the destination Internet Protocol (IP) address’s geographic location—establishes a more detailed baseline.
    Once a baseline is established, an organization should review the results to determine if they align with industry best practices. (See Handbook for Elections Infrastructure Security.)
    Organizations should compare their baseline traffic with the rules from their boundary firewalls to ensure that the rules are acting as intended and align with industry best practices.

    Notice and Consent Banners for Computer Systems

    This section identifies recommended elements in computing system notice and consent banners and provides an example banner.

    Reply
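The network baseline described in the comment above (expected bandwidth per protocol, time of day, destination geography) can be sketched as follows. This is an added example, not code from the comment or the CISA tip; the hourly record layout, the 08:00-18:00 business window, the z-score limit and the placeholder country code "ZZ" are assumptions, and the history is constructed.

```python
import statistics
from collections import defaultdict

def bucket(hour):
    """Split the day into the two periods the baseline is kept for (assumed window)."""
    return "business" if 8 <= hour < 18 else "off-hours"

def sample_history():
    """Constructed: 20 days of hourly totals as (hour, service, dst_country, bytes)."""
    rows = []
    for day in range(20):
        for hour in range(24):
            busy = bucket(hour) == "business"
            https = (200 if busy else 20) * 10**6 + (day * 5 + hour * 3) % 9 * 10**7
            rows.append((hour, "https", "US", https))
            if busy:   # remote access is only ever seen during business hours
                vpn = 40 * 10**6 + (day * 13 + hour * 7) % 11 * 10**6
                rows.append((hour, "vpn", "US", vpn))
    return rows

def build_baseline(history):
    """Per (service, period): mean and std-dev of bytes; per service: seen countries."""
    vols, countries = defaultdict(list), defaultdict(set)
    for hour, service, country, nbytes in history:
        vols[(service, bucket(hour))].append(nbytes)
        countries[service].add(country)
    stats = {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in vols.items()}
    return stats, countries

def review(obs, baseline, z_max=3.0):
    """Return the reasons one hourly observation departs from the baseline."""
    stats, countries = baseline
    hour, service, country, nbytes = obs
    key = (service, bucket(hour))
    findings = []
    if key not in stats:
        # The service has never been seen in this period, e.g. remote access at 1 a.m.
        findings.append("no-baseline:%s/%s" % key)
    else:
        mean, sd = stats[key]
        z = (nbytes - mean) / sd if sd else (0.0 if nbytes == mean else float("inf"))
        if z > z_max:   # one-sided: only unusually high volume is reported here
            findings.append("volume")
    if country not in countries.get(service, set()):
        findings.append("new-country")
    return findings

if __name__ == "__main__":
    base = build_baseline(sample_history())
    for obs in [(1, "vpn", "US", 45 * 10**6), (10, "vpn", "US", 45 * 10**6),
                (14, "https", "US", 900 * 10**6), (11, "vpn", "ZZ", 45 * 10**6)]:
        print(obs, "->", review(obs, base) or "within baseline")
```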
  42. Tomi Engdahl says:

    From https://semiengineering.com/week-in-review-iot-security-auto-46/

    IoT devices for consumer applications are showing up in enterprise networks, potentially compromising those systems, Zscaler ThreatLabz reports. Security researchers say 91.5% of IoT transactions happen over a plaintext channel, and only 18% running that use SSL exclusively to communicate in enterprise settings.

    Consumer IoT Devices Are Compromising Enterprise Networks
    https://www.darkreading.com/iot/consumer-iot-devices-are-compromising-enterprise-networks/d/d-id/1334777

    While IoT devices continue to multiply, the latest studies show a dangerous lack of visibility into those connected to enterprise networks.

    With data pulled from more than 1,000 enterprise organizations running one or more IoT devices in its network, the “2019 IoT Threats Report” study was conducted by researchers at Zscaler ThreatLabZ. Their goal was to survey the IoT attack surface within typical enterprises by looking at IoT device footprints over the course of a one-month period. It found that the organizations under study were running 270 different IoT device profiles from 153 different IoT manufacturers. All told, these devices pumped out 56 million device transactions over the course of a single month.

    For the most part, all of that IoT data is flying around in the clear. Researchers found that 91.5% of IoT transactions are conducted over a plaintext channel, and a scant 18% of IoT devices running that use SSL exclusively to communicate in enterprise settings.

    That low level of encryption should come as no surprise, considering how many consumer-class devices were represented in the mix of IoT devices found in these business environments.

    “Many of the devices are employee-owned, and this is just one of the reasons they are a security concern,” the report explained.

    “Often, the IoT malware payloads contain a list of known default username/password names, which, among other things, enables one infected IoT device to infect another,” the report noted. It explained that Mirai, in particular, also favored leveraging vulnerabilities in IoT management frameworks that could help attackers achieve remote code execution.

    Similar to those heady early days of smartphone proliferation, enterprises are reporting extremely low visibility into IoT device prevalence and activity within their networks. A study released by Ponemon Institute earlier this month showed that only 5% of organizations say they keep an inventory of all managed IoT devices.

    Reply
  43. Tomi Engdahl says:

    Expanding IoT Results in Increased Security Breaches
    https://www.designnews.com/automation-motion-control/expanding-iot-results-increased-security-breaches/34350510360784?ADTRK=InformaMarkets&elq_mid=8829&elq_cid=876648

    A new study shows that cyber attacks against companies with IoT deployment have grown to 26% per year, up from 15% per year two years ago.

    With the proliferation of IoT devices and networks that extend connectivity beyond the plant walls, it’s not surprising that companies are experiencing data breaches. What is surprising is that reported data breaches have grown from 15% of companies using IoT in 2017 to 26% today. And that doesn’t count the companies that don’t know they’ve been breached.

    A Wide Range of New Attacks

    The attacks on IoT connectivity are varied in nature, from old-style hacking to sophisticated organizational breaches. “Certainly, we’re seeing more ransomware related attacks, but we’re also seeing an increase in nation-state – or quasi-nation state – attacks,” Charlie Miller, senior advisor at The Santa Fe Group, told Design News. “Other studies also show an increase in the number of data breaches. I’m not certain if the increase is due to greater regulatory scrutiny, heightened internal privacy awareness, or if it’s simply an increased number of attackers using IoT as the least secure way in.”

    The study also tracked how companies are responding to security issues. Miller noted a difference in the response to attacks by companies that deployed their own IoT system versus companies that used a vendor to deploy IoT. “We are seeing contradictory evidence from two recent studies,” said Miller. “A recent study on IoT systems that were not deployed by third-party vendors suggests a more positive picture, while the Third Party Risk Benchmarking Survey showed some slippage in terms of the percentage of companies with incident response and recovery plans in place.”

    Who’s in Charge of Cybersecurity?

    The IoT study reveals that 67% of companies have incident response plans that cover security breaches, but only 33% include contingencies for security breaches that specially result from an IoT security incident. “We know from other research that risk related internal communications and education are not where we want them to be broadly,” said Miller. “Since IoT is an emerging area of risk, organizations have largely not integrated IoT risks into existing risk education programs.”

    Reply
  44. Tomi Engdahl says:

    Must Reads: Enhanced Cybersecurity for the IIoT
    http://www.electronics-know-how.com/article/2776/must-reads-enhanced-cybersecurity-for-the-iiot

    The urgency of IIoT security is becoming ever more apparent, and embedding the highest levels of trust is now essential. The editors at AspenCore have compiled a series that will help you understand how to design in IIoT security, the benefits of hardware-based security, use cases involving the latest security solutions, and more.

    Reply
  45. Tomi Engdahl says:

    SECURING THE INDUSTRIAL INTERNET OF THINGS
    Scenario-Based Cybersecurity for the Energy Sector
    https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/es-iiot-project-description-draft.pdf

    Reply
