https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.

Tomi Engdahl says:
https://lanars.com/blog/embedded-systems-trends
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16609-tpm-turvamoduulien-suojaus-kovenee
The US federal government requires that devices holding sensitive data be protected with a separate TPM security module. STMicroelectronics has now introduced the first TPM module that supports the FIPS 140-3 certification, which becomes mandatory in September 2026.
FIPS 140-3 brings several improvements over its predecessor, FIPS 140-2, especially from a security standpoint. First, FIPS 140-3 is aligned with the international ISO/IEC 19790 standard, which makes it compatible in international markets and improves module security worldwide. In addition, the physical security requirements have been tightened, especially at levels 3 and 4, which demand better protection against, among other things, environmental damage and unauthorized physical attacks.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16614-auto-on-tietokone-se-pitaeae-suojata-kyberhyoekkaeyksiltae
Tomi Engdahl says:
The US bans Chinese and Russian software from its roads
https://etn.fi/index.php/13-news/16635-usa-kieltaeae-kiinalaiset-ja-venaelaeiset-ohjelmistot-maanteiltaeaen
The Bureau of Industry and Security (BIS) of the US Department of Commerce has published a proposal for a new rule that, if adopted, would prohibit the sale or import of vehicles containing certain hardware and software. The restriction covers code and components with a connection to China or Russia.
The proposal focuses on hardware and software integrated into the vehicle connectivity system (VCS) and on software integrated into the automated driving system (ADS). These are critical systems that, through specific hardware and software, enable external connectivity and autonomous driving capability in connected vehicles.
Unauthorized access to these systems could give adversaries the ability to reach and collect the most sensitive data. It is possible to manipulate vehicle software and behaviour over a remote connection. The rule would cover all wheeled on-road vehicles, such as cars, trucks and buses, but would exclude vehicles not used on public roads, such as agricultural or mining vehicles.
Tomi Engdahl says:
AI is becoming a key factor in fighting cyber threats
https://etn.fi/index.php/13-news/16647-tekoaelystae-tulee-avaintekijae-kyberuhkien-torjunnassa
Protection of critical infrastructure is entering a new era as artificial intelligence (AI) becomes a key factor in fighting cyber threats. According to Check Point Research, between January and August 2024 energy and water utilities faced an average of 1,514 cyberattacks per week, as much as 37% more than the year before.
This growth underlines the importance of AI-based solutions in infrastructure defence. AI's ability to process huge data streams in real time makes it possible to detect anomalies and threats faster and more accurately than ever before.
Machine learning lets systems evolve continuously and stay ahead of cybercriminals. For operators of power grids, water supply and transport networks, AI offers effective protection that can prevent serious disruptions. In addition, AI frees human experts from routine tasks and gives them more time to focus on analysing and resolving complex threats. Although AI also carries risks, such as AI-driven attacks, the benefits it offers for infrastructure protection are significant.
AI not only improves threat detection but also boosts automation in critical systems. AI can independently analyse alerts, correlate information from different sources and initiate the necessary countermeasures. This speeds up the response to cyberattacks and frees human teams for strategic planning. Such automation increases the resilience of critical infrastructure and ensures that systems remain operational even during cyberattacks.
The energy sector is one example of how AI can make infrastructure more efficient. In smart grids, AI predicts fluctuations in energy demand and optimises energy distribution, which improves energy efficiency and ensures stable supply. AI also helps with predictive maintenance by forecasting equipment failures, thereby reducing downtime and maintenance costs.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16635-usa-kieltaeae-kiinalaiset-ja-venaelaeiset-ohjelmistot-maanteiltaeaen
Tomi Engdahl says:
ICS/OT
US, Allies Release Guidance on Securing OT Environments
New guidance provides information on how to create and maintain a secure operational technology (OT) environment.
https://www.securityweek.com/us-allies-release-guidance-on-securing-ot-environments/
New guidance from government agencies in the US and allied countries provides organizations with details on how to design, implement, and manage safe and secure operational technology (OT) environments.
OT is deeply integrated into critical infrastructure organizations’ complex environments, and business decisions such as adding new processes, services, or systems, selecting vendors for support, or developing business continuity and security-related plans may affect the cybersecurity of OT.
The new guidance (PDF) from government agencies in Australia, Canada, Germany, Japan, Korea, New Zealand, the US, and the UK, details six principles for secure OT: paramount safety, knowledge of the business, OT data value and protection, OT segmentation, secure supply chain, and the importance of people for OT cybersecurity.
“The authoring agencies recommend an OT decision maker apply the six principles presented in this document to help determine if the decision being made is likely to adversely impact the cyber security of the OT environment,” the guidance reads.
Principles of operational technology cyber security
https://www.cyber.gov.au/sites/default/files/2024-10/principles_of_operational_technology_cyber_security.pdf
Tomi Engdahl says:
ICS/OT
Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
Report finds most organizations have suffered financial impact of $500,000 or more from cyberattacks on cyber-physical systems over past year.
https://www.securityweek.com/ransomware-hits-critical-infrastructure-hard-costs-adding-up/
The financial impact of a cyberattack targeting a cyber-physical system (CPS) can reach up to $1 million, as affected organizations struggle with revenue loss, recovery costs, and employee overtime.
According to a new Claroty survey of 1,100 security professionals involved in OT, IoT, BMS, and IoMT (connected medical devices), about 45% of organizations suffered losses of $500,000 or more over the past year, while 27% disclosed losses of $1 million or more.
More than half of the respondents in the chemical manufacturing, power and energy, and mining and materials sectors have reported losses greater than $500,000 caused by cyber incidents over the past 12 months, Claroty’s latest Global State of CPS Security report (PDF) shows.
https://web-assets.claroty.com/resource-downloads/cps-survey-business-disruptions.pdf
Tomi Engdahl says:
A method for measuring the security of an IoT device was developed in Oulu
https://etn.fi/index.php/13-news/16684-oulussa-kehitettiin-tapa-mitata-iot-laitteen-tietoturvaa
Rauli Kaksonen, Licentiate of Technology, has developed at the University of Oulu a method for measuring the cybersecurity of IoT devices. A security statement is drawn up for the IoT device; it can be verified with tools, and it lets the different parties establish the actual level of security.
The method Kaksonen presents in his doctoral dissertation can reduce the cybersecurity risks of the Internet of Things (IoT). The new method reveals cybersecurity problems earlier. This can significantly improve the security of IoT devices and reduce the risks the devices pose to society.
- The industry's practices and standards are confusing. Even professionals in the field find it hard to assess the security of IoT products. This in turn gives manufacturers the opportunity to avoid investing in security. The smart society is completely dependent on the Internet of Things. Cybersecurity has not kept pace with this development, and problems come to light too often, Kaksonen sums up.
Kaksonen believes that the transparent and automated method he has developed will encourage the development of more secure IoT systems. - It is high time to make cybersecurity testing more effective and to demand products that are verifiably secure, Kaksonen says.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2024/10/08/iot-kyberturvaa-paremmaksi-uudella-menetelmalla/
Tomi Engdahl says:
Transparent and tool-driven security assessment for sustainable IoT cybersecurity
https://oulurepo.oulu.fi/handle/10024/52122
The first part of this dissertation examines IoT security from selected perspectives. The findings confirm a diverse and fragmented scene. All components of IoT systems are susceptible to vulnerabilities. Though security requirements share some universal categories, many requirements are present only in one or a few standards. Prominent tools are available for security testing, but their use is not systemically endorsed.
The second part of this dissertation presents the novel tool-driven security assessment method. In the method, a tool-verifiable security statement describes the security posture of an IoT product. The method provides transparent and automated security assessment of different versions and configurations covering the product's lifetime. All stakeholders can inspect and verify the security statement. A proof-of-concept implementation and real-world IoT case studies validate the approach. In the first study, common security tools automate 80% of the security requirement tests, while the second study uses the ETSI TS 103 701 specification, covering 45% of the security perimeter tests. Requirement and testing improvements would increase the automation coverage.
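To make the idea of a tool-verifiable security statement concrete, here is an added example in Python. It is not Kaksonen's tool or his statement format: a product's security claims (which services listen, and whether each is encrypted and authenticated) are written down as data, and a port-scan result, constructed inline here, is checked against them so that any party holding the statement and a scanner can reproduce the verdict. The product name, ports, service names and the observation fields are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    port: int
    proto: str           # "tcp" or "udp"
    name: str
    encrypted: bool      # claim: the service is TLS/DTLS protected
    authenticated: bool  # claim: the service refuses unauthenticated requests


@dataclass
class SecurityStatement:
    """Machine-readable security claims for one product version (illustrative format, an assumption)."""
    product: str
    version: str
    services: dict = field(default_factory=dict)  # (port, proto) -> Service

    def declare(self, svc: Service) -> "SecurityStatement":
        self.services[(svc.port, svc.proto)] = svc
        return self


def verify(statement: SecurityStatement, observations: list) -> list:
    """Check scanner observations against the statement.

    Each observation is a dict in the shape a probing tool would report:
    {"port", "proto", "tls" (a TLS handshake succeeded), "auth_required"
    (an unauthenticated request was refused)}. Returns a list of findings;
    an empty list means every claim in the statement was confirmed.
    """
    findings = []
    seen = set()
    for obs in observations:
        key = (obs["port"], obs["proto"])
        seen.add(key)
        svc = statement.services.get(key)
        if svc is None:
            # Anything listening that the statement does not mention is a finding by itself
            findings.append(f"UNDECLARED: open {obs['proto']}/{obs['port']} not in statement")
            continue
        if svc.encrypted and not obs.get("tls", False):
            findings.append(f"CLAIM VIOLATED: {svc.name} on {obs['proto']}/{obs['port']} is not encrypted")
        if svc.authenticated and not obs.get("auth_required", False):
            findings.append(f"CLAIM VIOLATED: {svc.name} on {obs['proto']}/{obs['port']} answers without authentication")
    # A declared service that is no longer present means the statement is stale for this version
    for (port, proto), svc in statement.services.items():
        if (port, proto) not in seen:
            findings.append(f"STALE: declared {svc.name} on {proto}/{port} not observed")
    return findings


# Constructed statement and scan result for a fictitious device
SAMPLE_STATEMENT = (
    SecurityStatement(product="ExampleCam", version="2.1.0")
    .declare(Service(443, "tcp", "https-ui", encrypted=True, authenticated=True))
    .declare(Service(8883, "tcp", "mqtt-tls", encrypted=True, authenticated=True))
)
SAMPLE_OBSERVATIONS = [
    {"port": 443, "proto": "tcp", "tls": True, "auth_required": True},
    {"port": 8883, "proto": "tcp", "tls": False, "auth_required": True},  # encryption claim fails
    {"port": 23, "proto": "tcp", "tls": False, "auth_required": True},    # telnet nobody declared
]


def demo() -> list:
    return verify(SAMPLE_STATEMENT, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because the statement is data rather than prose, the same check can be rerun against every firmware version, and the "stale" finding is what catches a statement that was never updated after a service was removed.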
Tomi Engdahl says:
CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements
https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf
Tomi Engdahl says:
https://hackaday.com/2024/10/07/the-piezoelectric-glitching-attack/
Tomi Engdahl says:
Chris Miller / Financial Times:
Israel compromising Hezbollah pagers shows the West should take hardware security more seriously, especially as most electronics manufacturing shifted to Asia — Unreliable suppliers can modify devices, yet companies devote few resources to verifying the origin of components
https://www.ft.com/content/5c8f5c51-e205-4213-a85a-e6c52963c72c
Tomi Engdahl says:
Guardians of the grid – protecting Europe’s electricity supply from cyber-attacks
EU-funded researchers are fortifying Europe’s electricity sector against increasingly sophisticated attacks by cybercriminals.
https://projects.research-and-innovation.ec.europa.eu/en/horizon-magazine/guardians-grid-protecting-europes-electricity-supply-cyber-attacks
In the past decade, cyber-attacks on Europe’s power infrastructure have intensified so much that energy companies, experts and politicians called for help. Researchers came together to boost the resilience of European energy networks.
The International Energy Agency warned in a November 2023 report that the average number of cyber-attacks against utilities worldwide more than doubled between 2020 and 2022. It singled out electricity grids, which are increasingly switching to digital technology.
“The technologies now deployed along electric grids make them vulnerable to issues with communication and information technology,” said Jesús Torres, an expert in smart grids at the Spanish technology centre CIRCE.
Tomi Engdahl says:
https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-same-group-infect-air-gapped-devices/
Tomi Engdahl says:
OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks
https://www.securityweek.com/openai-says-iranian-hackers-used-chatgpt-to-plan-ics-attacks/
OpenAI has disrupted 20 cyber and influence operations this year, including the activities of Iranian and Chinese state-sponsored hackers.
A report published this week by OpenAI reveals that the artificial intelligence company has disrupted more than 20 cyber and covert influence operations since the beginning of the year, including the activities of Iranian and Chinese state-sponsored hackers.
The report highlights the activities of three threat groups that have abused ChatGPT to conduct cyberattacks.
One of these threat actors is CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has made headlines this year for its attacks on the water sector.
The group has targeted industrial control systems (ICS) at a water utility in Ireland (the attack left people without water for two days), a water utility in Pennsylvania, and other water facilities in the United States.
These attacks did not involve sophisticated hacking and instead relied on the fact that many organizations leave ICS exposed to the internet and protected with easy to obtain default credentials.
According to OpenAI, accounts associated with CyberAv3ngers used ChatGPT to conduct reconnaissance, but also to help them with vulnerability exploitation, detection evasion, and post-compromise activity.
Many of the reconnaissance activities are related to conducting attacks on programmable logic controllers (PLCs) and other ICS.
Specifically, the hackers asked ChatGPT for industrial ports and protocols that can connect to the internet; industrial routers and PLCs commonly used in Jordan, as well as electricity companies and contractors in this country; and default passwords for Tridium Niagara devices and Hirschmann RS industrial routers.
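Why "not sophisticated hacking" is enough against exposed ICS: most fieldbus protocols carry no authentication at all, so anyone who can reach the port can query the device. The following is an added example in Python, not code from the article or from OpenAI's report. It builds a Modbus/TCP Read Device Identification request (function code 0x2B, MEI type 0x0E) and parses a response that is constructed here inline; this is the same exchange an internet-wide scanner uses to fingerprint a PLC before trying default credentials on its management interface. The vendor, product and revision strings in the sample are made up.

```python
import struct

FC_ENCAP_TRANSPORT = 0x2B   # Modbus "Encapsulated Interface Transport" function code
MEI_READ_DEVICE_ID = 0x0E   # MEI type: Read Device Identification
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


class ModbusError(Exception):
    pass


def build_read_device_id(transaction_id: int, unit_id: int = 1,
                         read_code: int = 0x01, object_id: int = 0x00) -> bytes:
    """Request frame; read_code 0x01 asks for the basic objects 0x00..0x02.
    Note the complete absence of any credential in the request."""
    pdu = bytes([FC_ENCAP_TRANSPORT, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP header: transaction id, protocol id (0 = Modbus), byte count of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_device_id_response(transaction_id: int, unit_id: int, objects: dict) -> bytes:
    """Constructed response frame, standing in for a real PLC on the wire."""
    body = bytes([FC_ENCAP_TRANSPORT, MEI_READ_DEVICE_ID,
                  0x01,        # read device id code echoed back
                  0x01,        # conformity level: basic identification, stream access
                  0x00, 0x00,  # more follows = no, next object id
                  len(objects)])
    for obj_id, value in objects.items():
        data = value.encode("ascii")
        body += bytes([obj_id, len(data)]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(body) + 1, unit_id)
    return mbap + body


def parse_device_id_response(frame: bytes) -> dict:
    """Validate the MBAP header and decode the identification objects."""
    if len(frame) < 8:
        raise ModbusError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ModbusError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ModbusError("MBAP length field does not match frame size")
    pdu = frame[7:]
    if pdu[0] & 0x80:  # exception response: function code with high bit set, then exception code
        raise ModbusError(f"device returned exception code 0x{pdu[1]:02x}")
    if pdu[0] != FC_ENCAP_TRANSPORT or pdu[1] != MEI_READ_DEVICE_ID:
        raise ModbusError("not a Read Device Identification response")
    if len(pdu) < 7:
        raise ModbusError("PDU too short")
    count = pdu[6]
    objects = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ModbusError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ModbusError("truncated object value")
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": uid, "more_follows": pdu[4] == 0xFF, **objects}


# Constructed sample traffic (fictitious device)
SAMPLE_REQUEST = build_read_device_id(transaction_id=1)
SAMPLE_RESPONSE = build_device_id_response(1, 1, {0x00: "ExampleCo", 0x01: "PLC-1000", 0x02: "v2.3"})
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([FC_ENCAP_TRANSPORT | 0x80, 0x01])

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(parse_device_id_response(SAMPLE_RESPONSE))
```

The request is eleven bytes and contains nothing a device could use to decide whether the sender is entitled to ask; that is why the only effective controls are keeping port 502 off the internet and segmenting the control network, not "hardening" the protocol itself.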
Tomi Engdahl says:
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
Tomi Engdahl says:
https://www.edn.com/understand-the-hardware-dependencies-of-iot-security/
Tomi Engdahl says:
I use my NAS to secure my home network – here’s how
https://www.xda-developers.com/secure-network-using-nas/
Contrary to what you may believe, your NAS is quite a versatile device. While its main purpose is obviously to store data and facilitate file-sharing between all your systems, a Network-Attached Storage enclosure can come in handy for several projects. Home lab enthusiasts can use it to self-host their favorite services, while gaming aficionados turn it into a makeshift server for private multiplayer lobbies.
Tomi Engdahl says:
3 reasons you don’t need to build your own firewall with pfSense or OPNsense
https://www.xda-developers.com/reasons-you-dont-need-to-build-your-own-firewall-with-pfsense-or-opnsense/
I love my pfSense firewall and couldn’t see myself returning to a router supplied by an internet service provider (ISP), but it’s not for everyone. While I would recommend building a custom firewall and router to those who’d be able to set it up and manage their LAN, I can understand why some may find it daunting or not worth the effort. Here are some reasons you may not need to build one for your home.
Routers provided by your ISP aren’t terrible, but they’re not particularly great either. Modern devices are considerably better than ones sent by ISPs in the early 2000s, but they still fall short of what’s available through a custom solution. An average internet user with no idea about port forwarding, NAT, QoS, and reverse proxies, likely won’t take advantage of all the features offered by pfSense or OPNsense.
Tomi Engdahl says:
How I made a home VPN with dynamic DNS for secure remote access
https://www.xda-developers.com/how-i-made-a-home-vpn-with-dynamic-dns-for-secure-remote-access/
Tomi Engdahl says:
ICS/OT
Siemens and Rockwell Tackle Industrial Cybersecurity, but Face Customer Hesitation
Siemens and Rockwell Automation are taking steps to improve cybersecurity in industrial organizations, but getting customers to install security systems and upgrade ICS can still be challenging.
https://www.securityweek.com/siemens-and-rockwell-tackle-industrial-cybersecurity-but-face-customer-hesitation/
As the industrial sector increasingly relies on connected technologies to manage complex systems, cybersecurity has become a critical priority. Cyberattacks targeting industrial control systems (ICS) and operational technology (OT) are rising in frequency and severity, posing significant risks to manufacturing operations, supply chains, and public safety.
Tomi Engdahl says:
Application Security
API Security Matters: The Risks of Turning a Blind Eye
Willfully ignoring important security issues to make our lives easier is, unfortunately, something that does happen in the security field.
https://www.securityweek.com/api-security-matters-the-risks-of-turning-a-blind-eye/
Tomi Engdahl says:
PLCHound Aims to Improve Detection of Internet-Exposed ICS
Georgia Tech researchers have developed PLCHound, an algorithm that uses AI to improve the identification of internet-exposed ICS.
https://www.securityweek.com/plchound-aims-to-improve-detection-of-internet-exposed-ics/
Tomi Engdahl says:
Top 12 Tips For API Security
https://www.youtube.com/watch?v=6WZ6S-qmtqY
1. Https
2. OAuth2
3. WebAuthn
4. Implement Authorization
5. Leveled API Keys
6.Rate Limiting
7. API Versioning
8.Allow Listing
9. OWASP Security Risks
10.API Gateway
11. Error Handling
12. Input Validation
Tomi Engdahl says:
https://hackaday.com/2024/11/15/this-week-in-security-hardware-attacks-iot-security-and-more/
Tomi Engdahl says:
The user interface takes on a new role at the network edge
https://etn.fi/index.php/tekniset-artikkelit/16878-kaeyttoeliittymaelle-tulee-uusi-rooli-verkon-reunalla
As the implementation of gateways between networks increasingly moves towards the combined use of edge computing and artificial intelligence, one system component tends to get too little attention: the device that implements the interface between human and machine. This can happen, for example, when equipment racks or computer enclosures are used as the location for the AI functions of the edge nodes in the system architecture, Advantech writes in its article.
Similarly, geographically distributed architectures use intelligent cellular routers to implement edge computing. These routers can host application software such as protocol translators or AI inference engines. In many of these implementations the architecture also includes visualisation requirements, either locally at machine level or for monitoring the operation of the production line or the whole system.
The HMI devices that implement the human-machine interface are often seen as local endpoints for data held in or generated by other devices. This, however, forfeits the opportunity to simplify the design of the whole system compared with using the HMI device as an intelligent edge gateway in its own right.
HMI software for automation
Essential components in automation architectures are HMI software packages, delivered either integrated into the display device or as a separate application to be installed on a display device or an industrial PC, whose task is to present information to engineers and operators and to let them interact with the running process and equipment.
Even in today's increasingly networked world, there are still cases where a process plant's operating staff either cannot or do not want to be connected to external systems and devices. A typical example would be the use of an older or traditional PLC-style device on a machine or production line. Yet engineers and operators still need to interact with the system even if the PLCs in use do not support a cloud connection over the local network.
Graphical endpoint
In this use case the HMI panel acts as a visualisation tool for an industrial PC or similar that provides combined edge computing and AI for machines, production lines or processes.
HMI as a gateway
The concept of using the HMI device as the system gateway makes sense. Architecturally, a gateway acts as the point where data is converged into a form suitable for lower-level devices, and this is what happens at any point of an HMI implementation.
Tomi Engdahl says:
Why IIoT Projects Fail
3 Secrets to Solving the Chokepoints
https://www.telit.com/resources/whitepapers/why-iiot-projects-fail/
Tomi Engdahl says:
Sol-Ark manufacturer reportedly disables all Deye inverters in the US
https://solarboi.com/2024/11/17/sol-ark-oem-disables-all-deye-inverters-in-the-us/
Ethics-wise you are literally shutting down equipment homeowners paid for and depend on to fit some twisted business strategy.
literally seeing dozens of people call me all morning, and I never even sold Deye
Seemingly at the drop of a hat the morning of Friday, Nov 15th, Deye-branded inverters across the US were reportedly intentionally bricked with the message:
This inverter is not allowed use at Pakistan/USA/UK
Deye is the contract manufacturer of the Sol-Ark hybrid inverters, and Sol-Ark have the exclusive right to sell the inverters in the US since 2018, as shown in several lawsuits over the years. Deye-branded inverters have been sold for installation by several companies (seemingly in breach of Sol-Ark's exclusivity agreement with Deye), and Sol-Ark has exercised its right to exclusivity through the court system.
It’s unclear what the impetus is for this reported shutdown, why it’s happening now, and why it didn’t happen sooner. As many people in the DIY Solar Power Forum have noted, it seems unfair to bring innocent consumers into the fight, who probably have no idea what their inverter brand even is.
Deye has not given a public statement on this issue yet, but Sol-Ark gave me this statement:
Sol-Ark has learned of the situation caused by the unauthorized sales of Deye-branded inverters within Puerto Rico and the USA. Though Sol-Ark has no control over Deye’s actions, we recognize that the messaging conveyed through the Deye-branded inverter’s screen suggests Sol-Ark can provide warranty or service for these cases, which we cannot. Though we are not responsible for Deye-branded inverters or any inverters that are not branded and sold by Sol-Ark or through an authorized Sol-Ark distributor or reseller, Sol-Ark has determined to offer a possible solution to those consumer households that have purchased Deye-branded inverters.
Because of this mission and the direct effect that Deye’s actions may have on individual families, for the period from November 15, 2024 through December 31, 2024, Sol-Ark will permit each consumer household that has installed a Deye-branded inverter and has had that inverter’s functions disabled by Deye, to purchase a new Sol-Ark inverter of equivalent performance at a substantially discounted price. If you purchase a Sol-Ark inverter under this limited program, Sol-Ark will pay to have the Sol-Ark unit shipped to your address in Puerto Rico. Sol-Ark will not make this offer available to any person after December 31, 2024. The offer is limited to consumer households
Sol-Ark are not party to the reason for the shutdown, and that the shutdown was done solely at Deye’s discretion.
To address potential concerns about internet-connected Sol-Ark inverters, Simon McLean, Vice President of Marketing for Sol-Ark, commented this:
Sol-Ark inverters are managed, updated and serviced through Sol-Ark’s proprietary “MySolArk” platform, which has been designed and implemented to ensure the security and privacy of Sol-Ark customers. Data obtained through the platform is processed and maintained by Sol-Ark in the U.S. and used solely in accordance with Sol-Ark privacy policies.
This situation is not only concerning because people may be without their solar production and backup power right now, but also because it seemed incredibly easy for a company in China to flip this switch on their inverters that brought power production to a halt. It brings to mind the mind-boggling amount of solar installed in the US that’s producing power using Chinese-manufactured inverters. As tensions and trade wars escalate with China, it’s an uncomfortable level of leverage that China may hold over our country.
Plus, country-level politics aside, the internet-connectedness of all solar installed over the last 5-10 years is a huge potential problem, illustrated by this exact situation. By default, most inverter manufacturers have ways to remotely configure inverters, and those internal systems pose large targets for cyber attackers. If any of the big manufacturer’s systems are breached, that’s gonna be a real bad time.
It’s unknown what the resolution for this will be for the affected customers. It truly is shitty that Deye didn’t run this geographical check at the initial installation of these inverters. This will likely penalize the wrong people as a result.
Tomi Engdahl says:
Zero Trust is a security framework designed to protect cloud-based networks by eliminating the assumption that anything inside the network perimeter is trustworthy. Here are the key principles and components of Zero Trust protocol design:
Key Principles of Zero Trust
Never Trust, Always Verify: Every access request is treated as if it originates from an open network. Verification is required for every user and device attempting to access resources.
Least Privilege Access: Users and devices are granted the minimum level of access necessary to perform their tasks, reducing the risk of unauthorized access.
Micro-Segmentation: The network is divided into smaller segments, each with its own security controls, to limit the spread of potential breaches.
Continuous Monitoring and Validation: Continuous monitoring of user activity and device health ensures that any anomalies are detected and addressed promptly.
Components of Zero Trust Architecture
User and Device Authentication: Strong authentication mechanisms, such as multi-factor authentication (MFA), ensure that only authorized users and devices can access the network.
Access Control: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are used to enforce least privilege access.
Network Segmentation: Implementing micro-segmentation to isolate different parts of the network and control traffic between them.
Endpoint Security: Ensuring that all endpoints (devices) are secure and compliant with security policies before they can access the network.
Data Encryption: Encrypting data both at rest and in transit to protect it from unauthorized access.
Security Analytics: Using advanced analytics and machine learning to detect and respond to threats in real-time.
Implementing Zero Trust in Cloud-Based Networks
Identity and Access Management (IAM): Centralized IAM systems manage user identities and enforce access policies across cloud services.
Secure Access Service Edge (SASE): Integrates networking and security functions, providing secure access to cloud applications and services.
Cloud Security Posture Management (CSPM): Continuously monitors cloud environments to ensure compliance with security policies and best practices.
By adopting a Zero Trust approach, organizations can significantly enhance their security posture, especially in complex cloud environments where traditional perimeter-based security models are insufficient.
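The principles above are easiest to understand as a policy decision point that evaluates every request on the same checks regardless of where it comes from. The following added example in Python is not from the comment above, from NIST, or from any product; it combines strong identity (MFA), device posture, least-privilege role authorization and micro-segmentation into one decision, and records why a request was refused. The resource names, roles and network segments are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool   # endpoint posture check (patch level, disk encryption, EDR) passed
    source_segment: str      # e.g. "corp-lan", "vpn", "internet", "ot-engineering"
    resource: str
    action: str              # "read" | "write" | "admin"


# Least privilege: which roles may perform which action on which resource (hypothetical names)
POLICY = {
    "payroll-db":    {"read": {"hr", "finance"}, "write": {"finance"}, "admin": {"dba"}},
    "plc-historian": {"read": {"ot-engineer", "analyst"}, "write": {"ot-engineer"}, "admin": {"ot-admin"}},
}
# Micro-segmentation: the zone each resource lives in, and which source segments may reach that zone
RESOURCE_ZONE = {"payroll-db": "hr-zone", "plc-historian": "ot-zone"}
ZONE_POLICY = {
    "hr-zone": {"corp-lan", "vpn"},
    "ot-zone": {"ot-engineering", "jump-host"},
}


def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reasons). Every check runs for every request; being on the
    corporate LAN never skips a step, which is the "never trust, always verify" rule."""
    reasons = []
    # 1. Identity: MFA is mandatory regardless of source network
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    # 2. Device posture: unmanaged or non-compliant endpoints are refused
    if not req.device_managed:
        reasons.append("unmanaged device")
    elif not req.device_compliant:
        reasons.append("device failed compliance check")
    # 3. Least privilege: at least one of the user's roles must grant the action on the resource
    allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.roles & allowed_roles):
        reasons.append(f"no role grants '{req.action}' on {req.resource}")
    # 4. Micro-segmentation: the source segment must be permitted to reach the resource's zone
    zone = RESOURCE_ZONE.get(req.resource)
    if zone is None or req.source_segment not in ZONE_POLICY.get(zone, set()):
        reasons.append(f"segment '{req.source_segment}' may not reach {zone or 'unknown zone'}")
    # The reasons list is what a monitoring pipeline would ingest for continuous validation
    return (not reasons, reasons)


# Constructed sample requests
REQ_HR_READ = AccessRequest("alice", frozenset({"hr"}), True, True, True, "corp-lan", "payroll-db", "read")
REQ_HR_WRITE = AccessRequest("alice", frozenset({"hr"}), True, True, True, "corp-lan", "payroll-db", "write")
# Inside the corporate network, yet the OT zone is not reachable from there
REQ_OT_FROM_CORP = AccessRequest("bob", frozenset({"ot-engineer"}), True, True, True, "corp-lan", "plc-historian", "read")
# Right role and right segment, but the laptop failed its posture check
REQ_OT_BAD_DEVICE = AccessRequest("bob", frozenset({"ot-engineer"}), True, True, False, "ot-engineering", "plc-historian", "write")

if __name__ == "__main__":
    for name, req in [("hr read", REQ_HR_READ), ("hr write", REQ_HR_WRITE),
                      ("ot from corp", REQ_OT_FROM_CORP), ("ot bad device", REQ_OT_BAD_DEVICE)]:
        print(name, decide(req))
```

The third sample is the one that separates Zero Trust from perimeter thinking: the user is authenticated, on a managed device and holds the right role, and the request is still refused because "inside the LAN" is not a segment the OT zone trusts.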
Tomi Engdahl says:
This is a Guide to a Secure Enterprise Network by NIST: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-215.pdf And this is a Zero Trust Architecture Guide, also by NIST: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf Both are really useful resources.
Tomi Engdahl says:
Zero Trust is a concept where no one, whether an internal or external user, is considered trusted by default. Instead, all access to network resources must be verified and authenticated, regardless of the user’s location.
Zero trust is not a protocol, it is a concept that requires tool sets, policies, and controls to achieve.
Trust nobody or nothing by default and restrict allowed user to only what they need with security enforcement.
Never trust always verify
Tomi Engdahl says:
Androxgh0st strikes IoT devices and critical infrastructure
https://www.uusiteknologia.fi/2024/12/11/androxgh0st-iskee-iot-laitteisiin-ja-kriittiseen-infrastruktuuriin/
11.12.2024
Security company Check Point Software's malware review highlights the rise of Androxgh0st, together with the continuing threats and increasingly sophisticated tactics of Joker and Anubis. The malware continues its attacks on, among other targets, critical infrastructure. Androxgh0st was the most common malware both in Finland and worldwide.
Check Point's researchers particularly emphasise the rapid rise of Androxgh0st. It exploits vulnerabilities on various platforms, such as IoT devices and web servers, which are key parts of critical infrastructure. "The rise of Androxgh0st and its merger with Mozi show how cybercriminals are constantly evolving their tactics," says Maya Horowitz, VP of Research at Check Point Software.
Imitating Mozi's tactics, Androxgh0st uses remote code execution and credential theft to maintain persistent access to systems. This enables, among other things, denial-of-service attacks (DDoS) and data theft. The botnet infiltrates critical infrastructure through unpatched vulnerabilities, and the addition of Mozi's capabilities has significantly expanded Androxgh0st's operational reach.
According to Check Point, Androxgh0st is able to infect more IoT devices and control a larger set of targets through botnets. These attacks have wide-ranging effects on different industries, which underlines their seriousness for governments, businesses and individuals alike who depend on critical infrastructure.
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
“This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures,” CloudSEK said in a new report.
AndroxGh0st is the name given to a Python-based cloud attack tool that’s known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.
Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.
Nov 08, 2024, Ravie Lakshmanan, IoT Security / Vulnerability
Earlier this January, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for “victim identification and exploitation in target networks.”
The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -
CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass vulnerability
CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection vulnerability
CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass vulnerability
CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection vulnerability
CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection vulnerability
CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability
“The botnet cycles through common administrative usernames and uses a consistent password pattern,” the company said. “The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings.”
The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241[.]140" and "117.215.206[.]216").
Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.
While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn’t observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It’s suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.
AndroxGh0st's integration of Mozi has raised the possibility of an operational alliance, thereby allowing it to propagate to more devices than ever before.
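The two behaviours the report describes above, a single source cycling through common admin usernames at /wp-login.php (with a 302 to /wp-admin/ marking a successful login) and payload fetches of "Mozi.m" from the two servers named, can be turned into a small detection. The following is an added example and is not code from the article, from CloudSEK or from Check Point. The event format is an assumption: JSON lines with src, path, user, status, location and egress fields, standing in for a login-audit hook plus an egress proxy log. The sample events are constructed; the two IP addresses and the payload name are the ones quoted in the report.

```python
"""Detection over constructed login-audit and egress events (hypothetical
JSON-lines format) for AndroxGh0st-style WordPress credential cycling and
Mozi.m payload retrieval."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# IOCs quoted in the CloudSEK report (shown defanged in the text, plain here).
MOZI_PAYLOAD = "Mozi.m"
MOZI_HOSTS = {"200.124.241.140", "117.215.206.216"}

# Constructed sample events (not real traffic). One JSON object per line.
SAMPLE_EVENTS = """
{"ts":"2024-11-08T10:00:01Z","src":"198.51.100.23","path":"/wp-login.php","user":"admin","status":200}
{"ts":"2024-11-08T10:00:02Z","src":"198.51.100.23","path":"/wp-login.php","user":"administrator","status":200}
{"ts":"2024-11-08T10:00:03Z","src":"198.51.100.23","path":"/wp-login.php","user":"wpadmin","status":200}
{"ts":"2024-11-08T10:00:04Z","src":"198.51.100.23","path":"/wp-login.php","user":"webmaster","status":200}
{"ts":"2024-11-08T10:00:05Z","src":"198.51.100.23","path":"/wp-login.php","user":"root","status":200}
{"ts":"2024-11-08T10:00:06Z","src":"198.51.100.23","path":"/wp-login.php","user":"manager","status":302,"location":"/wp-admin/"}
{"ts":"2024-11-08T10:05:00Z","src":"203.0.113.9","path":"/wp-login.php","user":"alice","status":200}
{"ts":"2024-11-08T10:05:30Z","src":"203.0.113.9","path":"/wp-login.php","user":"alice","status":302,"location":"/wp-admin/"}
{"ts":"2024-11-08T10:07:12Z","src":"192.0.2.44","egress":"http://200.124.241.140/Mozi.m","status":200}
{"ts":"2024-11-08T10:09:40Z","src":"192.0.2.45","egress":"http://203.0.113.50/update.bin","status":200}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting the ISO-8601 UTC timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_cycling(events, min_users=5, window=timedelta(minutes=10)):
    """Flag a source that tries at least `min_users` distinct usernames at
    /wp-login.php inside `window`. A failed WordPress login re-renders the form
    with 200; a success is a 302 to /wp-admin/, so a 302 from a cycling source
    is reported as a takeover. One alert per source, on the first window hit."""
    attempts = defaultdict(list)
    for ev in events:
        if ev.get("path") == "/wp-login.php" and "user" in ev:
            attempts[ev["src"]].append(ev)
    alerts = []
    for src, evs in attempts.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                takeover = any(
                    e["status"] == 302 and e.get("location", "").startswith("/wp-admin/")
                    for e in in_window
                )
                alerts.append({"src": src, "distinct_users": len(users),
                               "first": start["ts"], "takeover": takeover})
                break
    return alerts


def match_mozi_iocs(events):
    """Return egress events that fetch Mozi.m or contact one of the listed hosts."""
    hits = []
    for ev in events:
        url = ev.get("egress")
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.hostname in MOZI_HOSTS or parsed.path.endswith("/" + MOZI_PAYLOAD):
            hits.append({"src": ev["src"], "url": url, "ts": ev["ts"]})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_credential_cycling(evs):
        print("credential cycling:", a)
    for h in match_mozi_iocs(evs):
        print("Mozi IOC hit:", h)
```

The username threshold and window are tuning knobs: a legitimate user retrying one account (203.0.113.9 above) never accumulates distinct usernames, so it is not flagged even though it eventually logs in. IOC matching on the two addresses is brittle by nature; the payload-name match on the path is what survives the attackers rotating download servers.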
Tomi Engdahl says:
Watch Now: Navigating Your OT Cybersecurity Journey: From Assessment to Implementation
Learn how to develop a holistic solution that provides you and your team the power to mitigate cyber threats effectively within your OT environment.
https://www.securityweek.com/webinar-tomorrow-navigating-your-ot-cybersecurity-journey-from-assessment-to-implementation/
Tomi Engdahl says:
Ransomware
Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents
Temple University’s Critical Infrastructure Ransomware Attacks (CIRA) database now contains over 2,000 entries.
https://www.securityweek.com/universitys-critical-infrastructure-ransomware-attack-tracker-reaches-2000-incidents/
Roughly 2,000 ransomware attacks were launched over the past decade against critical infrastructure organizations in the United States and other countries, according to data collected as part of a project maintained at Temple University in Philadelphia.
SecurityWeek first wrote about the project in 2020, when it covered more than 680 ransomware attacks targeting critical infrastructure. By February 2022, the number of entries exceeded 1,100, and it has now reached just over 2,000.
The project is maintained by Aunshul Rege, professor in the Department of Criminal Justice at Temple University, and Rachel Bleiman, PhD candidate and graduate research assistant.
The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013, and includes nearly 300 entries for incidents that came to light in 2024.
https://sites.temple.edu/care/cira/
Tomi Engdahl says:
Androxgh0st strikes IoT devices and critical infrastructure
https://www.uusiteknologia.fi/2024/12/11/androxgh0st-iskee-iot-laitteisiin-ja-kriittiseen-infrastruktuuriin/
Security company Check Point Software's malware review highlights the rise of Androxgh0st as well as the continuing threats and increasingly sophisticated methods of Joker and Anubis. The malware continues its attacks on targets such as critical infrastructure. Androxgh0st was also the most common malware in both Finland and the world.
Tomi Engdahl says:
ICS/OT
Researcher Says ABB Building Control Products Affected by 1,000 Vulnerabilities
ABB has patched building control product vulnerabilities that can expose many facilities to remote attacks.
https://www.securityweek.com/researcher-says-abb-building-control-products-affected-by-1000-vulnerabilities/
A researcher claims to have found over 1,000 vulnerabilities in products made by electrification and automation solutions provider ABB, including flaws that can expose facilities to remote hacking. The vendor has released patches.
The vulnerabilities were discovered by Gjoko Krstic, who is known for security research aimed at building management and access control systems, in ABB Cylon FLXeon and ABB Cylon Aspect building energy management and control solutions.
Krstic told SecurityWeek that he uncovered just over 1,000 vulnerabilities in the Aspect product (including many with ‘critical’ and ‘high’ severity ratings), and 35 security holes in the FLXeon product.
A wide range of flaws have been found, including unauthorized file access and manipulation, XSS, CSRF, SSRF, IDOR, security bypass, DoS, SQL injection, and password-related issues that can be exploited for remote code execution, to obtain sensitive information, or to cause disruption.
The researcher said some of the vulnerabilities can be exploited by a remote, unauthenticated attacker to take complete control of the targeted system.
Tomi Engdahl says:
https://www.edn.com/the-future-of-cybersecurity-and-the-living-label/
Tomi Engdahl says:
ICS/OT
Organizations Still Not Patching OT Due to Disruption Concerns: Survey
https://www.securityweek.com/organizations-still-not-patching-ot-due-to-disruption-concerns-survey/
Cyber-physical systems security company TXOne Networks has published its 2024 Annual OT/ICS Cybersecurity Report.
Many organizations are still concerned that patching operational technology (OT) systems can lead to equipment downtime and operational disruptions, and consequently they do not conduct regular patching, according to cyber-physical security firm TXOne Networks.
The data comes from TXOne’s 2024 Annual OT/ICS Cybersecurity Report, which is based on a survey of 150 C-level executives in North America, Europe, the Middle East and Asia.
The survey found that 85% of organizations don’t conduct regular patching. A majority install patches quarterly or less often, which leaves them exposed to attacks for extended periods of time.
This is despite a vast majority experiencing cybersecurity incidents affecting their OT environments in the past year, and 37% of OT security incidents involving exploitation of software vulnerabilities.
When asked about the main challenges to regular OT patching, the most commonly cited reason was the lack of personnel or expertise (48%), followed by concerns about operational disruptions or downtime (47%), and the lack of vendor support or patch testing (43%). In fact, 41% of organizations delay patching until vendor support is available.
Tomi Engdahl says:
ICS/OT
China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
Dragos case study reveals that Volt Typhoon hacked the US electric grid and stole information on OT systems.
https://www.securityweek.com/chinas-volt-typhoon-hackers-dwelled-in-us-electric-grid-for-300-days/
Tomi Engdahl says:
Up to 25% of Internet-Exposed ICS Are Honeypots: Researchers
Many of the industrial control system (ICS) instances seen in internet scanning are likely or possibly honeypots, not real devices.
https://www.securityweek.com/up-to-25-of-internet-exposed-ics-are-honeypots-researchers/
An analysis conducted by researchers at the Norwegian University of Science and Technology Gjøvik and the Delft University of Technology in the Netherlands showed that a significant percentage of the industrial control system (ICS) instances detected by internet scans are actually honeypots.
The researchers used the Censys search engine to identify internet-exposed ICS. They targeted 17 widely used industrial control protocols and discovered roughly 150,000 devices across 175 countries.
The researchers then applied various criteria to determine how many of those ICS instances were real and how many were likely or possibly honeypots, decoy systems designed to attract threat actors in an effort to obtain valuable information on attacker tactics, techniques, and procedures (TTPs).
While Censys was used to collect the data on internet-exposed systems, the researchers noted that their methods can be applied to any source data, including Shodan and independent scanning.
Their analysis was conducted over a period of one year, between January 2024 and January 2025. In April 2024, they determined that roughly 15% of the ICS devices they were seeing online appeared to be honeypots, and the percentage increased to 25% in January 2025.
Tomi Engdahl says:
https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/
Tomi Engdahl says:
Exposure assessment of US energy sector
SixMap has released a comprehensive cybersecurity assessment of 21 US energy providers. The research identified 39,986 hosts with 58,862 services exposed to the internet across these organizations. Roughly 7% of all exposed services are running on non-standard ports, creating dangerous blind spots for security teams. The research also found that, on average, each organization had 9% of its hosts in the IPv6 space, another area of potential risk, as most security teams have no way of monitoring these assets.
https://www.sixmap.io/wp-content/uploads/SixMap-Research_Energy-Sector-Exposure-Assessment.pdf