cybersecurity Archives - IoT Business News
https://iotbusinessnews.com/tag/cybersecurity/
The business side of the Internet of Things

FCC Creates Voluntary Cybersecurity Labeling Program for Smart Products
https://iotbusinessnews.com/2024/03/18/02621-fcc-creates-voluntary-cybersecurity-labeling-program-for-smart-products/
Mon, 18 Mar 2024 14:06:10 +0000


‘U.S. Cyber Trust Mark’ Program Will Help Consumers Make Informed Purchasing Decisions and Encourage Manufacturers to Meet Higher Cybersecurity Standards

The Federal Communications Commission today voted to create a voluntary cybersecurity labeling program for wireless consumer Internet of Things (“IoT”) products.

Under the program, qualifying consumer smart products that meet robust cybersecurity standards will bear a label—including a new “U.S. Cyber Trust Mark”—that will help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.

With today’s action, the Commission has adopted the rules and framework for the program to move forward. Among program highlights:

  • The U.S. Cyber Trust Mark logo will initially appear on wireless consumer IoT products that meet the program’s cybersecurity standards.
  • The logo will be accompanied by a QR code that consumers can scan for easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
  • The voluntary program will rely on public-private collaboration, with the FCC providing oversight and approved third-party label administrators managing activities such as evaluating product applications, authorizing use of the label, and consumer education.
  • Compliance testing will be handled by accredited labs.
  • Examples of eligible products may include home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.

The Commission is also seeking public comment on additional potential disclosure requirements, including whether software or firmware for a product is developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.

There is a wide range of consumer IoT products on the market that communicate over wireless networks. These products are made up of various devices and are based on many technologies, each of which presents its own set of security challenges. Last August, the Commission proposed and sought comment on developing the voluntary cybersecurity labeling program for IoT. The rules adopted today are based on that record.

According to one third-party estimate, there were more than 1.5 billion attacks against IoT devices in the first six months of 2021 alone. Others estimate that there will be more than 25 billion connected IoT devices in operation by 2030. The cybersecurity labeling program builds on the significant public and private sector work already underway on IoT cybersecurity and labeling, emphasizing the importance of continued partnership so that consumers can enjoy the benefits of this technology with greater confidence and trust.

Quectel IoT Modules Significantly More Secure Than Industry Average According to Finite State
https://iotbusinessnews.com/2024/03/18/80708-quectel-iot-modules-significantly-more-secure-than-industry-average-according-to-finite-state/
Mon, 18 Mar 2024 13:55:41 +0000


Quectel Wireless Solutions, a global IoT solutions provider, today announces that, according to a recent milestone report by Finite State, an independent third-party cybersecurity firm, nearly 95% of all Quectel modules shipped to the United States since the beginning of 2022 have industry-leading security scores based on penetration testing and binary analysis by Finite State.

The report highlights a notable enhancement in Quectel’s security position, expanding the number of modules tested and with scores across the tested modules improving from an average of 33 to 18, up from an average of 62 to 24 in previous testing. This represents a substantial improvement, as both the initial and revised scores significantly surpass the industry average of 98 with the lowest (best) score of 10. Further, the number and severity of vulnerabilities Finite State did identify in Quectel products or modules are significantly lower than the industry standard and revealed a very limited attack surface. Those issues Finite State did discover have been quickly remedied by Quectel.

This advanced phase of testing leverages Finite State’s security technologies and expertise to conduct an exhaustive third-party evaluation of Quectel’s modules. The advanced testing encompasses an array of sophisticated security assessments designed to fortify Quectel’s modules against the evolving landscape of cyber threats, including binary analysis of numerous Quectel products and both penetration testing and binary analysis of several Quectel cellular modules.

“Entering this next phase of security testing with Finite State underscores our relentless pursuit of the highest security standards for our products,” stated Norbert Muhrer, President and CSO, Quectel Wireless Solutions.

“Our continued collaboration is a reflection of our commitment to exceed industry security expectations, ensuring our customers benefit from the most secure and reliable communication modules available – tested and verified by one of the most trusted US cyber security firms. We’re thrilled that the latest report from Finite State demonstrates our commitment and progress.”

The continued integration of Finite State into Quectel’s transparency and security program reaffirms Quectel’s commitment to pioneering unparalleled security practices in the IoT and telecommunications sectors. Quectel has made a measurable improvement in key areas such as the security health of the code, the sophistication of the vulnerability management process, and the transparency of its software supply chain.

The program is strategically designed with three key goals to address the pressing issues in cybersecurity today:

  • Implementing the Finite State Platform into Quectel’s DevSecOps procedures, which enhances firmware binary analysis, manages vulnerabilities efficiently, and offers specific recommendations for remediation.
  • Developing and sharing Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX) documents for each of Quectel’s products, which promotes a transparent environment and provides critical insights into the software components of Quectel’s devices along with any vulnerabilities they may contain.
  • Conducting comprehensive manual penetration tests by Finite State’s expert Red Team, which augments automated testing methods and delivers detailed security evaluations for Quectel’s product line.

Matt Wyckhouse, CEO of Finite State, commented, “Progressing to this next phase of security testing demonstrates Quectel’s commitment to leading the industry with transparent, rigorous cybersecurity practices. Quectel’s willingness to subject their products to such rigorous scrutiny is commendable and sets a new industry standard to further safeguard the IoT ecosystem.”

The outcome of this continued engagement is anticipated to enhance the security framework of Quectel’s modules and inspire a shift towards more rigorous security standards across the telecommunications industry. Quectel is dedicated to sharing insights and best practices gleaned from this process, contributing to a safer, more secure digital future.

In addition to the activity with Finite State, Quectel is actively pursuing collaboration with multiple standards-setting organizations to enhance and commit to a more rigorous set of security requirements. This initiative aims to achieve key security certifications from both industry and governmental bodies, underlining Quectel’s dedication to advancing security standards within the sector.

New Report on IoT Security Underscores the Current Risk of Unsecured Devices and Equipment
https://iotbusinessnews.com/2024/02/15/01088-new-report-on-iot-security-underscores-the-current-risk-of-unsecured-devices-and-equipment/
Thu, 15 Feb 2024 12:02:11 +0000


Asimily’s “IoT Device Security in 2024: The High Cost of Doing Nothing” report identifies today’s IoT threat landscape as enterprises across industries implement and scale connected devices

Asimily, a leading Internet of Things (IoT) risk management platform, today announced the availability of a new report: IoT Device Security in 2024: The High Cost of Doing Nothing.

The comprehensive report—available for free download here—highlights emerging IoT device security trends and challenges.

Enterprises continue to embrace IoT strategies to streamline operations, boost efficiency, and improve customer experiences. From hospitals to manufacturers to public sector agencies, IoT device fleets are critical for meeting these modernization goals. However, the acceleration in connected device deployment opens new windows for cybercriminals and exposes networks to potential breaches. This report addresses the growing challenge of securing IoT devices and explores the consequences for businesses neglecting sufficient cyber resilience. It also provides valuable guidance for implementing a comprehensive approach to mitigating IoT-related cyberattack risks.

Among the key findings and analysis included in the new report:

  • Breach tactics continue evolving: Cybercriminals seeking confidential proprietary data to sell for financial gain look for and infiltrate vulnerable and often-unsecured IoT devices to establish initial access to an enterprise’s network. That tactic supports ransomware attacks as well, with criminals gaining access via IoT endpoints, encrypting data, and extorting ransoms. In other cases, nation-state-sponsored groups are motivated to shut down or disrupt the services of their targets. A common tactic is harvesting vast fleets of vulnerable IoT devices to create botnets and utilize them to conduct DDoS attacks. Attackers also know they can rely on unresolved legacy vulnerabilities, as 34 of the 39 most-used IoT exploits have been present in devices for at least three years.
  • Routers are the most targeted IoT devices, accounting for 75% of all IoT infections. Hackers exploit routers as a stepping stone to access other connected devices within a network. Security cameras and IP cameras are the second most targeted devices, making up 15% of all attacks. Other commonly targeted devices include digital signage, media players, digital video recorders, printers, and smart lighting. The report also highlights the especially consequential risks associated with specialized industry equipment—including devices critical to patient care in healthcare (including blood glucose monitors and pacemakers), real-time monitoring devices in manufacturing, and water quality sensors in municipalities.
  • Cyber insurers are capping payouts. Cybersecurity insurance is becoming more expensive and difficult to obtain as cyberattacks become more common. More insurers are now requiring businesses to have strong IoT security and risk management in place to qualify for coverage—and increasingly denying or capping coverage for those that do not meet certain thresholds. Among the reasons why cyber insurers deny coverage, a lack of security protocols is the most common, at 43%. Not following compliance procedures accounts for 33% of coverage denials. Even if insured, though, reputational damage remains a risk: 80% of a business’s customers will defect if they do not believe their data is secure.
  • Manufacturing is now the top target: Cybercriminals are increasingly focusing their attention on the manufacturing, finance, and energy industries. Retail, education, healthcare, and government organizations remain popular targets, while media and transportation have been de-emphasized over the past couple of years.

“Vulnerable IoT devices continue to be a glaring cybersecurity weak spot for many, many enterprises,” said Kenan Frager, VP of Marketing, Asimily. “In the rush to absorb all of the business benefits these devices deliver, sufficient security—and the impact that security has on the broader network—is too often left unchecked.”

“Regardless of industry, an attack on IoT infrastructure can and will result in operational downtime, loss of IP, loss of revenue, and reputational harm. Regulatory compliance adds another layer of pressure, with steep fines and sanctions looming for breaches that affect HIPAA, PCI DSS, NIST, SOC 2, and other increasingly stringent mandates.”

“There’s a clear and urgent need for more businesses to prioritize a more thorough risk management strategy capable of handling the unique challenges of the IoT,” said Shankar Somasundaram, CEO, Asimily.

“While organizations often struggle with the sheer volume of vulnerabilities in their IoT device fleets, crafting effective risk KPIs and deploying tools to gain visibility into device behavior empowers them to prioritize and apply targeted fixes. This approach, coupled with a deeper understanding of attacker behavior, enables teams to distinguish between immediate threats, manageable risks, and non-existent dangers. The right strategy equips organizations to focus efforts where they matter most, maximizing their resources while ensuring the security of their IoT ecosystem at scale.”

Top 7 trends for the security industry in 2024
https://iotbusinessnews.com/2024/01/17/43442-top-7-trends-for-the-security-industry-in-2024/
Wed, 17 Jan 2024 20:54:35 +0000


The security industry in 2024 is an exciting landscape that Hikvision is actively navigating. As it embraces technological innovation and adapts to evolving societal needs, it is witnessing the convergence of advanced technologies like Artificial Intelligence (AI), the Internet of Things (IoT), and big data. These innovations are paving the way for smarter, more proactive, and predictive security solutions that are not only robust, but also meet the easy-to-use demands of users.

In this article, Hikvision wants to share the top seven trends that it anticipates will have a significant impact on the security industry this year.

1. AI is accelerating the augmentation of perception in machines

AI is accelerating the transformation of the security industry by enhancing machines’ perceptual capabilities. This is possible thanks to integration with visible light, audio, X-ray, infrared light, radar, and other technologies.

One example of this is Artificial Intelligence Image Signal Processing (AI-ISP) technology, which revolutionizes video imaging and provides high-quality visuals through intelligent noise reduction. This enables clearer images with wide dynamic range and sharp detail even in low-light environments, reducing reliance on additional lighting and leading to more efficient situational responses.

2. AI-driven applications are set to revolutionize diverse industries

In the past year, advancements in large-scale AI models have improved the ability to interpret complex situations using diverse data. Hikvision believes this progress creates possibilities for more tailored AI solutions across various sectors including manufacturing, energy, healthcare, and education.

Based on open platforms and advanced algorithms, more streamlined architectures facilitate seamless AI adoption in a range of different verticals. This fosters collaboration and creates an innovative ecosystem for technological advancement.

3. Cloud and edge computing convergence is accelerating

The convergence of cloud and edge computing is driving the emergence of faster and more efficient services. This leads to real-time, intelligent solutions, like smarter perimeter control and more convenient cloud-based security system management, empowering us with immediate analytics and better decision-making at the edge. Cloud-based platforms also minimize hardware investments and offer scalable options for businesses of all sizes and budgets, reducing upfront and ongoing costs.

4. Digital twin technology has the potential to revolutionize business management

Digital twins are virtual models that simulate real-world scenarios in real time. By integrating with AIoT, cloud computing, and other technologies, they provide us with dynamic insights on performance metrics like security, traffic, and energy usage. This enables an immersive experience with synchronized visuals, improving process efficiency, enabling proactive maintenance, and leading to cost savings and better business management.

5. Display technology, particularly LED, is advancing rapidly

The rapid adoption of COB (Chip-on-Board) technology is driving demand for small-pitch LEDs. Innovative LED solutions are also emerging that balance lower energy consumption with high resolution, promoting carbon neutrality, and supporting broader applications. Integrated video walls in command centers, for example, help us make smart decisions with intuitive views. Interactive displays and digital signage are acting as catalysts for digital transformation in education, business, and the hospitality sectors.

6. Digital identity authentication security is increasingly crucial in safeguarding cybersecurity

Digital identity authentication involves verifying and authorizing identities, which is a pivotal cybersecurity measure. Threat actors use techniques like phishing, malware, and social engineering to steal personal information and identities. To safeguard digital identities, users and organizations should employ strong passwords, use multi-factor authentication, avoid public networks, update software in a timely manner, and guard against social engineering attacks.

7. Innovative technologies drive environmental sustainability and climate change resilience

Industry stakeholders are increasingly adopting green practices to reduce carbon emissions and resource usage. This includes efficient product transportation, sustainable packaging, and standardized component utilization. Hikvision also expects to see innovative technologies being used to increase climate change resilience. By integrating environmental sensors into security systems, for instance, it can better respond to natural disasters like floods, wildfires, landslides, and avalanches.

Nurturing IoT’s Safety Net: Can the ‘Cyber Trust Mark’ Weather the Fragmented Storm?
https://iotbusinessnews.com/2023/11/16/75645-nurturing-iots-safety-net-can-the-cyber-trust-mark-weather-the-fragmented-storm/
Thu, 16 Nov 2023 16:39:37 +0000


By Shiri Butnaru, Head of Marketing, SAM Seamless Networks.

Since the founding of our company, SAM has welcomed efforts by government agencies and regulators worldwide to raise consumer awareness about cybersecurity in the IoT space. These efforts benefit both consumers and the network operators connecting them to the digital world. Consumers benefit by being better informed about an IoT product’s security attributes at the “point of sale” and operators benefit as this increased awareness amongst consumers will make it easier to develop and sell new network-based security services.

The latest development comes from the United States, where the White House has introduced the “Cyber Trust Mark” program. This program aims to certify IoT devices bearing the label, ensuring they meet essential security attributes safeguarding consumers’ networks and device data. While voluntary, this initiative, led by the Federal Communications Commission, is set to begin implementation in 2024. This is part of an initiative that includes a collaboration between the White House and the National Institute of Standards and Technology (NIST) to establish cybersecurity standards tailored to routers.

These moves will have a positive impact on the IoT ecosystem on a variety of levels. Yet, while product labels will increase consumer awareness and education, they cannot address the ongoing evolution and fragmentation of IoT devices. Thousands seemingly hit the market each year, making “constant” security unattainable. Even a seemingly secure device could falter over time without proper software updates, which in reality, the average consumer does not do.

This fact is part of a trend that has led to a situation where most home and small business devices and networks lack adequate protection. This vulnerability arises due to various reasons, including the widespread use of consumer electronics devices that have become connected IoT devices through home routers. While some vulnerabilities may only be an inconvenience for some users, others can open the door to malicious activities. One of the most pressing challenges in the realm of IoT is the sluggish discovery-to-patching process by firmware vendors, leaving users exposed indefinitely. This issue highlights a critical gap in home security, where the timely resolution of IoT vulnerabilities should be a requirement, not a “luxury.”

However, for consumer electronics in general, it takes time to create a fix, to test it in the field and then to distribute it. And for IoT devices, it’s a different matter altogether, as numerous devices have minimal security and no ongoing security patch program. Or the devices are no longer on the market at all. This condition creates a significant window of opportunity for hackers who are well aware of these vulnerabilities and often have ample time to exploit them before the vendors issue a remedy, leaving end users vulnerable to attacks. Even when the patch is ready for deployment, there is still the question of how it will be deployed onto the users’ devices. Some devices can be updated via the corresponding app on the smartphone. Others, however, need to be updated manually – a lengthy and quite complicated process for even those who are tech savvy.

Katherine Gronberg, Head of Government Services at NightDragon, who works frequently with NIST and the White House on matters relating to IoT security, has commented: “With the explosion of IoT devices available from a wide variety of sources, consumers have until now not had any help in deciding what to buy or even to be mindful of security. The Cyber Trust Mark will allow consumers to identify products that have been designed and manufactured according to secure development guidelines and that offer some basic security features, most of which will likely not require any actions by the device user. While this program doesn’t apply to IoT devices that are already in use today, it will create a more informed customer and may make other parties in the ecosystem such as retailers or ISPs more conscious of the problem and might motivate them to take action.”

One action that the industry has seen recently is a renewed focus on routers, as seen in a recent security advisory issued by the US NSA, in which one of its recommendations was for consumers to exchange ISP-issued routers for ones they would purchase themselves. And there is another router-focused technique that more and more ISPs are using to help their customers with IoT network security, namely the “hot patching” measure, which uses a router-based software agent to provide protection for the router itself and every device connected to it.

Hot patching is designed as a “one stop” protection program in which an ISP would download an agent to a router to provide constant real-time monitoring and alerts. Hot patching is based on what is known as “deep packet inspection,” or DPI, which is a well-known and long-standing technique wherein the payload of packets traversing a data network is inspected and analyzed. The result empowers consumers with comprehensive router and device security, eliminating vulnerability monitoring and patching complexities.

While security labeling undoubtedly enhances consumer awareness and overall IoT security, the quest for constant security calls for a gateway-based solution. Such a solution can act as the ultimate backstop to industry and government initiatives, securing IoT devices and the connecting network.

Therefore, we believe the “Cyber Trust Mark” program will certainly be a great benefit for the consumer or “end user” and the increased awareness about IoT security it will raise gives ISPs an excellent opportunity to play a more proactive role that will be welcomed by their customers and which will increase IoT network security in meaningful ways.

Fortifying the Internet of Things: Navigating the Landscape of IoT Security Protocols
https://iotbusinessnews.com/2023/11/07/69553-fortifying-the-internet-of-things-navigating-the-landscape-of-iot-security-protocols/
Tue, 07 Nov 2023 14:26:47 +0000


In the ever-expanding universe of the Internet of Things (IoT), security is not just a feature but a foundational necessity. With billions of devices connected and communicating, the potential for data breaches, unauthorized access, and other cyber threats grows exponentially. In this context, IoT security protocols are essential to ensure that the communication between devices, and from devices to servers, remains confidential and tamper-proof. Here, we explore the current landscape of IoT security protocols, the challenges they face, and the future direction of securing IoT networks.

The Current State of IoT Security Protocols

IoT devices, ranging from consumer products like smart thermostats to industrial sensors monitoring critical infrastructure, are often built with convenience and cost-effectiveness in mind. However, this focus can sometimes come at the expense of robust security measures. The protocols governing the security of these devices are as varied as their applications.

1. Transport Layer Security (TLS) and Secure Sockets Layer (SSL): TLS and its predecessor, SSL, are cryptographic protocols designed to provide secure communication over a computer network. In the IoT space, TLS/SSL is commonly used to secure the connection between a device and a cloud server, ensuring that data remains private and integral.

2. Datagram Transport Layer Security (DTLS): For IoT devices that rely on UDP, which is common in real-time applications, DTLS offers a way to secure these communications. It is similar to TLS but adapted for datagram protocols.

3. Extensible Messaging and Presence Protocol (XMPP): XMPP is an open standard for message-oriented middleware based on XML. It offers a set of protocols for message-oriented communication with mechanisms for security.

4. Constrained Application Protocol (CoAP): CoAP is a specialized web transfer protocol for use with constrained nodes and networks in IoT. It can be used with DTLS to provide a secure communication channel.

5. Z-Wave and Zigbee: These are communication protocols for low-energy radio waves often used in home automation, with built-in security layers to encrypt messages between devices.

6. Message Queuing Telemetry Transport (MQTT): MQTT is a popular IoT publish-subscribe network protocol that can be secured with TLS.

Challenges Facing IoT Security Protocols

The challenges in IoT security are manifold, stemming from both the variety of devices and the complexity of the network architectures. Here are the key challenges:

1. Resource Constraints: Many IoT devices have limited computational resources and cannot support traditional web-grade encryption methods.

2. Diversity of Devices: The IoT ecosystem is vast, with a wide range of devices that have different capabilities and security needs.

3. Scalability: Security protocols must be able to scale effectively as billions of new devices come online.

4. Lifecycle Management: IoT devices often have long lifecycles, and security protocols must be updatable to respond to new threats over time.

5. Interoperability: With so many different protocols and manufacturers, ensuring that security measures are interoperable across devices and systems is a challenge.

Advanced Security Protocols for IoT

As the IoT industry evolves, so do the strategies to secure it. Here are some advanced protocols and techniques being developed and implemented:

1. Lightweight Cryptography: NIST is working on standards for lightweight cryptography intended for constrained devices, which will be more suitable for the IoT environment.

2. Public Key Infrastructure (PKI): PKI provides a scalable method for secure device authentication and encryption key distribution.

3. Elliptic Curve Cryptography (ECC): ECC provides a level of security comparable to RSA but uses much smaller keys, which makes it more suitable for IoT devices.

4. Quantum-resistant algorithms: With the potential threat of quantum computing, there’s a growing focus on developing security algorithms that would be resistant to quantum attacks.

5. Secure Software Updates: Ensuring that devices can be securely updated is crucial for responding to vulnerabilities as they are discovered.

Implementing IoT Security Protocols

The implementation of robust security measures is as critical as the development of the protocols themselves. Here are key considerations for implementation:

1. Default Security: Devices should come with security features enabled by default, requiring little to no configuration from the user.

2. Regular Updates: Manufacturers must provide regular firmware updates to address security vulnerabilities and ensure devices stay secure over their lifespan.

3. User Education: Users should be informed about the importance of security and how to manage their devices securely.

4. Multi-layered Security: Security should be implemented in layers, including secure boot, transport layer security, secure storage, and intrusion detection systems.

The Future of IoT Security

Looking forward, the IoT industry must continue to prioritize security to protect against evolving cyber threats. Here are potential future developments:

1. AI and Machine Learning: These technologies can be used to detect anomalies in network behavior, potentially identifying and neutralizing threats in real-time.

2. Blockchain for IoT Security: Blockchain technology could enable secure, tamper-proof systems for IoT device authentication and firmware updates.

3. Integration of Security in IoT Standards: As new IoT standards are developed, integrating security as a core component will be crucial.

4. Government Regulation and Compliance: We may see more government regulation aimed at improving IoT security, similar to the GDPR for data protection.

5. Universal Security Standards: Efforts may be put toward creating universal security standards that can be applied across devices and industries.

Conclusion

The complexity of IoT security is significant, and the stakes are high. As the IoT continues to grow, effective security protocols must be developed and implemented to protect privacy and ensure the safe and reliable operation of connected devices. The future of IoT depends not just on innovation in connectivity and functionality but equally on the strength and adaptability of its security protocols. The journey toward a secure IoT ecosystem is ongoing, and it requires the concerted effort of manufacturers, software developers, security experts, and regulatory bodies.

Quectel IoT modules get high security scores from cybersecurity expert Finite State; pioneering cybersecurity transparency program begins https://iotbusinessnews.com/2023/10/01/34540-quectel-iot-modules-get-high-security-scores-from-cybersecurity-expert-finite-state-pioneering-cybersecurity-transparency-program-begins/ Sun, 01 Oct 2023 15:44:01 +0000 https://iotbusinessnews.com/?p=40473

Quectel Wireless Solutions, a global IoT solutions provider, announced today that extensive testing by Finite State, a major cybersecurity consultancy, shows that Quectel’s products substantially exceed industry standards and best practices in multiple security measures.

Quectel engaged Finite State, a third-party expert security firm focused on managing software supply chain risk for the enterprise, to rigorously test Quectel’s IoT modules to demonstrate Quectel’s commitment to transparent, verifiable product security.

The first progress report released to Quectel concludes that its modules’ security score, as reflected in Finite State’s risk profiling, started strong when testing began earlier this year and got stronger rapidly as Quectel implemented Finite State’s recommendations. The score improved across the modules tested from an average of 62 to 24 with the highest possible score being 10. The report underlines that this is a significant improvement in Quectel’s security posture with both the initial and current scores far exceeding the industry average score of 98.

“Quectel has embraced security and transparency holistically, in a way that we rarely see from other organizations. Their commitment to make SBOMs and VEX reports available to their customers will make the IoT industry more secure and transparent,” said Matt Wyckhouse, CEO of Finite State. “They have built upon their existing security testing processes by integrating even deeper testing into their first- and third-party code, and they’ve responded to findings in their development process faster than others in their industry, resulting in risk metrics that place them in the top 10% of all connected products we’ve analyzed,” Matt Wyckhouse continued.

Finite State focused its initial penetration testing and analysis on the most critical Quectel cellular modules sold in the U.S. The platforms verified by Finite State represent approximately 70 percent of all North American IoT modules shipped within the last 18 months.

“Quectel plans to continue this third-party penetration testing and security verification for all of its most critical modules and to make it an ongoing and life-cycle process. We also encourage and assist our device original equipment manufacturer (OEM) customers to do their own third-party testing,” said Norbert Muhrer, president and CSO of Quectel. “These results will guide Quectel as we continue to enhance our cybersecurity implementation on our products. We encourage our competitors to follow us on their own in such an approach to make the IoT industry the safe and trusted place our customers expect it to be.”

In addition to penetration testing of its key modules, Quectel announced the release of Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX) documents for its IoT modules. As an industry-first among IoT module manufacturers, these resources will be made available through the Quectel website. The SBOM and VEX documents will assist customers in this crucial task by providing machine-readable, comprehensive data. The SBOM documents will detail the software components and dependencies within each IoT module, along with licensing and provenance information. The VEX files will provide updated data on the vulnerabilities identified and their status.

Providing SBOM and VEX documents has a cascading effect on the entire IoT ecosystem. As a module provider, Quectel is integral to the architecture of numerous IoT devices. The transparency and commitment to security will benefit all IoT products built on Quectel’s platforms.

“Our commitment to being both secure and transparent sets us apart,” Muhrer said. “By making this information readily accessible, we aim to empower our customers to make better-informed decisions about security risk assessment and patching prioritization and provide full transparency around our security posture. We are offering a full tool-box of security related measures and consulting to our customers to implement secure devices. Quectel is also collaborating with standards-setting bodies to help develop and then commit to achieving a stringent set of security requirements, including attainment of several key industry and government security certifications,” Mr. Muhrer added.

Separately, Quectel reiterated that its modules maintain the highest standards of data protection and security. “Quectel customers own and control all of the data collected by its modules. Quectel has no access to any of the device data,” said Peter Fowler, senior vice president, North America, Quectel.

“Quectel is committed to delivering high-quality, best-in-class, secure IoT modules and goes above and beyond industry standard practices by conducting independent third-party cyber security audits.”

Quectel retained Finite State in May 2023 to audit and penetration-test the security of its modules. Its ongoing work includes rigorous security testing, improved software supply chain visibility, and comprehensive software risk management.

October: Cybersecurity Awareness Month and the Imperative of IoT Security https://iotbusinessnews.com/2023/09/28/75464-october-cybersecurity-awareness-month-and-the-imperative-of-iot-security/ Thu, 28 Sep 2023 11:48:39 +0000 https://iotbusinessnews.com/?p=40392

October, recognized globally as Cybersecurity Awareness Month, is a timely reminder of the ever-present threats in the digital realm.

It underscores the importance of fortifying our digital defenses, especially in the corporate environment where the stakes are high. As businesses increasingly integrate Internet of Things (IoT) devices into their networks, this month’s spotlight is on the significance of a detailed cybersecurity strategy for these devices.

The Growing Threat Landscape

The allure of IoT devices lies in their ability to enhance operational efficiency, offer real-time data, and improve overall business processes. However, this interconnectedness also presents a double-edged sword. If left unsecured, each device can be a potential entry point for cybercriminals.

Hackers are becoming more sophisticated, leveraging advanced techniques to exploit vulnerabilities in IoT devices. From Distributed Denial of Service (DDoS) attacks using botnets of compromised IoT devices to data breaches that siphon off sensitive information, the threats are multifaceted and evolving. A single breach can result in significant financial losses, reputational damage, and operational disruptions.

The Perils of Unapproved IoT Devices

One of the growing concerns for businesses is the proliferation of unapproved IoT devices within their networks. In their quest for convenience or enhanced functionality, employees might plug in devices that still need rigorous security vetting. These devices, often with weak default passwords or outdated firmware, can become easy targets for hackers. It’s not just about the immediate threat of a breach. These devices can be co-opted into larger botnets, used in more extensive attacks, or even as silent listeners, collecting data over time and sending it to malicious actors.

This is why businesses need stringent policies in place. Employees should be educated about the risks of using unapproved devices and the potential consequences for the entire organization. A clear policy, combined with regular audits and checks, can significantly reduce the risk these rogue devices pose.

The Need for a Comprehensive IoT Security Strategy

Given the expanding threat landscape, it’s clear that more than a piecemeal approach to IoT security will be required. Businesses need a comprehensive strategy that encompasses:

  • Device Authentication and Authorization: Every device connecting to the network should be authenticated. This ensures that only approved devices can connect and interact with the network.
  • Regular Updates: IoT devices should be regularly updated with the latest firmware and security patches. This can address known vulnerabilities and protect against known attack vectors.
  • Network Segmentation: IoT devices should be on a separate network segment. This ensures that even if a device is compromised, the attacker can’t easily move laterally across the corporate network.
  • Real-time Monitoring: With advanced threat detection systems, any unusual activity can be detected in real-time, allowing for swift remedial action.
  • Employee Training: Employees should be trained to recognize potential threats, understand the importance of using approved devices, and know the latest best practices in IoT security.

Industry Leaders Weigh In on IoT Security

As businesses grapple with IoT security challenges, industry leaders’ insights provide valuable perspectives on the path forward.

Ashu Bhoot of Orion Networks remarks, “The adoption of IoT has accelerated the digital transformation journey for many businesses. However, this rapid integration has also exposed many to vulnerabilities they weren’t prepared for. At Orion Networks, we believe that a proactive approach and continuous education are the keys to staying ahead of potential threats.”

Aaron Kane of CTI Technology offers a forward-looking perspective: “The future of business is undeniably intertwined with IoT. But as we embrace this future, we must also be cognizant of the security implications. At CTI Technology, we focus not only on providing solutions but also on empowering our clients with the knowledge and tools they need to secure their digital ecosystems.”

Jorge Rojas of Tektonic Managed Services emphasizes the collaborative approach, noting, “IoT security is not a challenge that businesses should face alone. It requires collaboration between service providers, device manufacturers, and businesses. At Tektonic Managed Services, we’re committed to fostering this collaborative spirit, ensuring our clients access the best security solutions and practices in the industry.”

These insights from industry leaders underscore the collective responsibility and collaborative approach required to address the challenges of IoT security. As businesses continue integrating IoT devices into their operations, partnering with knowledgeable and proactive IT service providers will be crucial in navigating the complex landscape of IoT security.

Conclusion

As we observe Cybersecurity Awareness Month, the focus on IoT security has never been more critical. Integrating IoT devices brings immense benefits but also introduces vulnerabilities that cybercriminals can exploit. By understanding the threats, implementing robust policies, and adopting a comprehensive security strategy, businesses can harness the power of IoT while ensuring that their networks remain secure.

IoT Security Report Sheds Light on Hospitals’ Device Risks https://iotbusinessnews.com/2023/08/23/09897-iot-security-report-sheds-light-on-hospitals-device-risks/ Wed, 23 Aug 2023 16:50:03 +0000 https://iotbusinessnews.com/?p=40232

“Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk” details the challenges that hospital systems now face, and the increasingly urgent need for modernized risk mitigation.

Asimily, an Internet of Things (IoT) and Internet of Medical Things (IoMT) risk management platform, today announced the availability of a new report: Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk.

The full report highlights the unique cybersecurity challenges that healthcare delivery organizations (HDOs) face and the true costs of their IoT and IoMT security risks. HDOs have a low tolerance for service interruptions to network-connected devices and equipment because of their crucial role in patient outcomes and quality of care. Resource-constrained HDO security and IT teams continue to face operational difficulties in sufficiently securing critical systems from increasingly sophisticated attacks, as their vast and heterogeneous IoMT device fleets complicate management and, left unchecked, offer a broad attack surface. The report concludes that adopting a holistic risk-based approach is the most cost-efficient and long-term-effective path for HDOs to secure their critical systems and IoMT devices.

Among the key findings and analysis included in the new report:

  • Emerging cybersecurity trends and challenges: The report reveals the top cyberattack strategies impacting HDO medical devices right now: ransomware attacks that spread to devices and disrupt services, third-party-introduced malware that impacts device performance, and devices communicating with unknown IP addresses to enable remote breaches. Cyberattacks on healthcare providers have become remarkably common: the average HDO experienced 43 attacks in the last 12 months. Unfortunately, many of those attacks are successful, with 44% of HDOs suffering a data breach caused by a third party within the last year alone.
  • The high cost of doing nothing: For HDOs, today’s high-failure status quo can be catastrophic. Cyberattacks cost HDOs an average of $10,100,000 per incident. Worse, cyber incidents are directly responsible for a 20% increase in patient mortality. 64% of HDOs also reported suffering from operational delays, and 59% had longer patient stays due to cybersecurity incidents. Those financial and operational burdens are pushing many HDOs to the brink: the average hospital operating margin sits at 1.4% in 2023. Currently, more than 600 rural U.S. hospitals risk closure, in an environment where a single cyberattack can put a smaller HDO out of business.
  • Poor device health leads to poor outcomes: HDO security and IT teams face a high-risk environment where the average medical device has 6.2 vulnerabilities. Adding to this challenge, more than 40% of medical devices are near end-of-life and poorly supported (or unsupported) by manufacturers.
  • Cybersecurity resources and staffing are limited: Even when device vulnerabilities are recognized, HDO security teams are able to fix only 5-20% of known vulnerabilities each month.
  • Cyber insurance is no longer enough: As ransomware attacks and breaches have skyrocketed in recent years, cyber liability insurers are introducing coverage limits and capped payouts, making it a less and less effective recourse for HDOs. At the same time, cyber insurance also fails to address the costly reputational damage an HDO suffers following a breach.

“This report details the very current and very significant challenges that HDOs face in defending themselves from cybersecurity risk, and the profound need for holistic and optimized risk reduction strategies as they implement and scale a cybersecurity risk management program for their connected devices,” said Stephen Grimes, Managing Partner & Principal Consultant at Strategic Healthcare Technology Associates, LLC. “Asimily’s risk prioritization capabilities and clear device vulnerability scoring enable HDO security teams to overcome limited resources and accurately focus on remediating the greatest risks to their organizations, achieving a ten-fold increase in cybersecurity productivity. We invite HDO leaders and their cybersecurity risk managers to read and absorb the lessons of this report, and to take the steps necessary to mitigate IoMT device risks with the strategic efficiency and effectiveness these risks demand.”

“As a growing healthcare organization acquiring clinics and offering new services like ambulatory clinics, you have to stay in front of the risk,” said Kevin Torres, the VP of IT and CISO at MemorialCare, an Asimily customer and leading nonprofit health system in Orange County and Los Angeles County that includes four hospitals along with other specialized clinics. “You need to make sure that you’re effectively onboarding these environments and matching their security posture to yours. Using Asimily, we gained full visibility into connected IoT and IoMT devices and their associated vulnerabilities. Our security program achieved 98% NIST compliance while the average of 60 similar HDOs is 71%.”

Read the Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk here.

IoT Vulnerability Disclosures Grew 57% from 2H 2021 to 1H 2022 https://iotbusinessnews.com/2022/08/24/92043-iot-vulnerability-disclosures-grew-57-from-2h-2021-to-1h-2022/ Wed, 24 Aug 2022 14:19:17 +0000 https://iotbusinessnews.com/?p=38245

State of XIoT Security Report: 1H 2022 from Claroty’s Team82 reveals rise in IoT vulnerabilities, vendor self-disclosures, and fully or partially remediated firmware vulnerabilities.

Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to new research released today by Claroty, the cyber-physical systems protection company.

The State of XIoT Security Report: 1H 2022 also found that over the same time period, vendor self-disclosures increased by 69%, with vendors becoming more prolific reporters than independent research outfits for the first time, and fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus software vulnerabilities.

Compiled by Team82, Claroty’s award-winning research team, the report is a deep examination and analysis of vulnerabilities impacting the Extended Internet of Things (XIoT), a vast network of cyber-physical systems including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities discovered by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

“After decades of connecting things to the internet, cyber-physical systems are having a direct impact on our experiences in the real world, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” said Amir Preminger, vice president of research at Claroty.

“We conducted this research to give decision makers within these critical sectors a complete snapshot of the XIoT vulnerability landscape, empowering them to properly assess, prioritize, and address risks to the mission-critical systems underpinning public safety, patient health, smart grids and utilities, and more.”

Key Findings

  • IoT Devices: 15% of vulnerabilities were found in IoT devices, a significant increase from 9% in Team82’s last report covering the second half (2H) of 2021. Additionally, for the first time, the combination of IoT and IoMT vulnerabilities (18.2%) exceeded IT vulnerabilities (16.5%). This indicates enhanced understanding on the part of vendors and researchers of the need to secure these connected devices, as they can be a gateway to deeper network penetration.
  • Vendor Self-Disclosures: For the first time, vendor self-disclosures (29%) have surpassed independent research outfits (19%) as the second most prolific vulnerability reporters, after third-party security companies (45%). The 214 published CVEs almost double the total in Team82’s 2H 2021 report of 127. This indicates that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programs and dedicating more resources to examining the security and safety of their products than ever before.
  • Firmware: Published firmware vulnerabilities were nearly on par with software vulnerabilities (46% and 48% respectively), a huge jump from the 2H 2021 report when there was almost a 2:1 disparity between software (62%) and firmware (37%). The report also revealed a significant increase in fully or partially remediated firmware vulnerabilities (40% in 1H 2022, up from 21% in 2H 2021), which is notable given the relative challenges in patching firmware due to longer update cycles and infrequent maintenance windows. This indicates researchers’ growing interest in safeguarding devices at lower levels of the Purdue Model, which are more directly connected to the process itself and thus a more attractive target for attackers.
  • Volume and Criticality: On average, XIoT vulnerabilities are being published and addressed at a rate of 125 per month, reaching a total of 747 in 1H 2022. The vast majority have CVSS scores of either critical (19%) or high severity (46%).
  • Impacts: Nearly three-quarters (71%) have a high impact on system and device availability, the impact metric most applicable to XIoT devices. The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
  • Mitigations: The top mitigation step is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%) and ransomware, phishing, and spam protection (15%).
  • Team82 Contributions: Team82 continues to lead the way in OT vulnerability research, having disclosed 44 vulnerabilities in 1H 2022 and a total of 335 vulnerabilities to date.

Keysight Delivers New IoT Security Assessment Test Software https://iotbusinessnews.com/2021/10/14/06099-keysight-delivers-new-iot-security-assessment-test-software/ Thu, 14 Oct 2021 13:39:40 +0000 https://iotbusinessnews.com/?p=34291

Offers comprehensive and automated cybersecurity validation of IoT devices.

Keysight Technologies, Inc., a leading technology company that delivers advanced design and validation solutions to help accelerate innovation to connect and secure the world, has delivered a new Internet of Things (IoT) Security Assessment software solution that enables IoT chip and device manufacturers, as well as organizations deploying IoT devices, to perform comprehensive, automated cybersecurity assessments.

Increasing numbers of connected IoT devices enable hackers to leverage cybersecurity vulnerabilities for a range of attacks including malware, ransomware and exfiltration of data. According to Statista, the total installed base of IoT connected devices worldwide is projected to grow to 30.9 billion units by 2025 from 13.8 billion units expected in 2021.

“IoT device vulnerabilities are especially dangerous as they can facilitate sensitive data breaches and lead to physical danger, such as industrial equipment malfunction, medical device defects, or a home security system breach,” wrote Merritt Maxim, vice president, research director, and Elsa Pikulik, researcher, Forrester, in the State of IoT Security Report 2021.¹

“In 2020, IoT devices were the second most common vector for an external breach and technology leaders rank security issues as a top concern plaguing or hindering IoT deployments.”

IoT Security Vulnerabilities – BrakTooth Discovery

Recently, researchers at Singapore University of Technology and Design (SUTD) discovered a group of vulnerabilities, which they named BrakTooth, in commercial Bluetooth chipsets that impact billions of end-user devices. The SUTD research was funded with a grant from Keysight. SUTD’s published results were used to improve Keysight’s IoT Security Assessment software.

BrakTooth captures fundamental attack vectors against devices using Bluetooth Classic Basic Rate/Enhanced Data Rate (BR/EDR) and is likely to affect Bluetooth chipsets beyond those tested by the SUTD team.

“It is hard to accurately gauge the scope of BrakTooth affected chipsets,” commented Sudipta Chattopadhyay, assistant professor, SUTD. “We advise all Bluetooth product manufacturers to conduct appropriate risk assessments, especially if their product may include a vulnerable chipset. We are thankful to Keysight for generously supporting our research and the opportunity to collaborate with the experienced Keysight security team.”

The vulnerabilities, which include 20 common vulnerabilities and exposures (CVEs), as well as four awaiting CVE assignments, are found in Bluetooth communication chipsets used in System-on-Chip (SoC) boards. These pose risks that include remote code execution, crashes and deadlocks. The SUTD team responsibly disclosed the findings to the affected vendors, providing a means to reproduce the findings and time to remediate vulnerabilities.

“Research activities like these at SUTD are critical to improving cybersecurity in the connected world. If the good guys don’t improve it, the cyber criminals will take advantage of vulnerabilities for nefarious purposes,” said Steve McGregory, senior director of Keysight’s security research and development team. “While investment into research is needed and helpful, software and chipset manufacturers are responsible for delivering secure products using rigorous security testing.”

Keysight’s IoT Security Assessment Software

Keysight’s IoT Security Assessment software leverages more than 20 years of experience in network security testing to reveal security vulnerabilities across any network technology. The software offers comprehensive, automated testing to rapidly cover a large matrix of known and unknown vulnerabilities. IoT security assessments include novel cybersecurity attack tools and techniques for wireless interfaces such as Wi-Fi, Bluetooth, and Bluetooth Low Energy (BLE) to test known vulnerabilities, as well as to discover new vulnerabilities.

Development organizations can easily integrate Keysight’s API-driven solution into their development pipeline with a single API for control and reporting. Organizations deploying IoT devices can leverage the software to validate IoT devices before they are delivered to end users and as new vulnerabilities become a concern. Ongoing research from Keysight’s Application and Threat Intelligence Research Center provides updates to the latest protocol fuzzing and attack techniques.

¹ Forrester, The State of IoT Security, 2021, by Merritt Maxim, Elsa Pikulik with Stephanie Balaouras, Chris Sherman, Benjamin Corey, Peggy Dostie

McAfee Sees Ransomware-as-a-Service, Cryptocurrency and Internet of Things Threats Surge in Q1 2021 https://iotbusinessnews.com/2021/06/24/62014-mcafee-sees-ransomware-as-a-service-cryptocurrency-and-internet-of-things-threats-surge-in-q1-2021/ Thu, 24 Jun 2021 12:25:43 +0000

Key Findings:

  • McAfee sees attackers shift from mass-spread campaigns to fewer, more lucrative targets
  • Cryptocurrency coin miner malware increases 117% due to growth in 64-bit CoinMiner applications
  • New Mirai malware variants drove increases in Internet of Things and Linux threats
  • Overall newly detected malware threats averaged 688 per minute

McAfee Corp., the device-to-cloud cybersecurity company, today released its McAfee Threats Report: June 2021, examining cybercriminal activity related to malware and the evolution of cyber threats in the first quarter of 2021.

The quarter saw cyber adversaries shift from low-return, mass-spread ransomware campaigns toward fewer, customized Ransomware-as-a-Service (RaaS) campaigns targeting larger, more lucrative organizations. A proliferation in 64-bit CoinMiner applications drove the growth of cryptocurrency-generating coin mining malware by 117%. Additionally, a surge in the growth of new Mirai-based malware variants drove increases in malware targeting Internet of Things (55%) and Linux (38%) systems.

“Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk,” said Raj Samani, McAfee fellow and chief scientist. “We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see Ransomware as a Service supporting many players in these illicit schemes holding organizations hostage and extorting massive sums for the criminals.”

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

Ransomware

Ransomware declined by 50% in Q1 due in part to a shift by attackers from broad campaigns attacking many targets with the same samples to campaigns attacking fewer, larger targets with unique samples. Campaigns using one type of ransomware to infect and extort payments from many victims are notoriously “noisy” in that hundreds of thousands of systems will, in time, begin to recognize and block these attacks. By allowing attackers to launch unique attacks, RaaS affiliate networks are allowing adversaries to minimize the risk of detection by large organizations’ cyber defenses and then paralyze and extort them for large ransomware payments. This shift is reflected by the decline in prominent ransomware family types from 19 in January 2021 to 9 in March 2021.

Despite the high-profile attacks from the DarkSide RaaS group exposed in Q2 2021, REvil was the most detected in Q1, followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains.

Coin Miner Malware

While prominent ransomware attacks have focused attention on how criminals use ransomware to monetize their crimes with payments in cryptocurrency, a first quarter 117% surge in the spread of cryptocurrency-generating coin mining malware can be attributed to a sharp spike in 64-bit CoinMiner applications.

Rather than locking up victims’ systems and holding them hostage until cryptocurrency payments are made, Coin Miner malware infects compromised systems and silently produces cryptocurrency using those systems’ computing capacity for the criminals that designed and launched such campaigns. The advantage to cybercriminals is that there is zero interaction required of either the perpetrator or the victim. While the victim’s computers may operate slower than usual due to the coin miner’s workload, victims may never become aware that their system is creating monetary value for criminals.

“The takeaway from the ransomware and coin miner trends shouldn’t be that we need to restrict or even outlaw the use of cryptocurrencies,” Samani continued. “If we have learned anything from the history of cybercrime, criminals counter defenders’ efforts by simply improving their tools and techniques, sidestepping government restrictions, and always being steps ahead of defenders in doing so. If there are efforts to restrict cryptocurrencies, perpetrators will develop new methods to monetize their crimes, and they only need to be a couple steps ahead of governments to continue to profit.”

Threats & Victims

Overall Malware Threats. The first quarter of 2021 saw the volume of new malware threats average 688 threats per minute, an increase of 40 threats per minute over Q4 2020.

IoT & Linux Devices. A variety of new Mirai malware variants drove increases in the Internet of Things (IoT) and Linux malware categories in Q1. The Moobot family (a Mirai variant) was observed to be mass-spread and accounted for multiple Mirai variants. These variants all exploit vulnerabilities in IoT devices like DVRs, webcams and internet routers. Once exploited, the malware is hidden on the system, downloads later stages of the malware and connects with the command-and-control server (C2). When the compromised IoT devices are connected to their botnet, they can be commandeered to participate in DDoS attacks.

Industry Sectors. McAfee tracked a 54% increase in publicly reported cyber incidents targeting the technology sector during the first quarter of 2021. The Education and Financial/Insurance sectors followed with 46% and 41% increases respectively, whereas reported incidents in Wholesale/Retail and Public Sector declined by 76% and 39% respectively.

Regions. These incidents surged 54% in Asia and 43% in Europe, but declined 13% in North America. While reported incidents actually declined 14% in the United States, these incidents grew 84% in France and 19% in the United Kingdom.

Sierra Wireless Announces Ransomware Attack https://iotbusinessnews.com/2021/03/25/04100-sierra-wireless-announces-ransomware-attack/ Thu, 25 Mar 2021 09:24:44 +0000

Sierra Wireless, the world’s leading IoT solutions provider, today announced that it discovered it was the subject of a ransomware attack on its internal IT systems on March 20, 2021.

Once the company learned of the attack, its IT and operations teams immediately implemented measures to counter the attack in accordance with established cybersecurity procedures and policies that were developed in collaboration with third-party advisors. These teams, with the assistance of these and additional third-party advisors, believe they have addressed the attack, and are currently working to bring Sierra Wireless’ internal IT systems back online.

At this time, Sierra Wireless believes the impact of the attack was limited to Sierra Wireless systems, as the company maintains a clear separation between its internal IT systems and customer facing products and services.

As a result of the ransomware attack, Sierra Wireless halted production at its manufacturing sites. The company’s website and other internal operations have also been disrupted by the attack. The company believes it will restart production at these facilities and resume normal operations soon. In the meantime, Sierra Wireless asks its customers and partners for their patience as it seeks to remediate the situation.

Due to these disruptions, Sierra Wireless is at this time withdrawing the First Quarter 2021 guidance it provided on February 23, 2021.

Security Bill Will Create New Security Standards For IoT Devices in the USA https://iotbusinessnews.com/2021/01/22/39144-security-bill-will-create-new-security-standards-for-iot-devices-in-the-usa/ Fri, 22 Jan 2021 07:00:08 +0000

By Ludovic F. Rembert, Head of Research at Privacy Canada.

From home alarms like Google Nest to robot personal assistants like Alexa, the increasing dependence on WiFi connectivity in everyday appliances opens up many opportunities for hackers. Industries and governments have grappled with how to increase cyber security in a way that can keep up with this burgeoning trend.

The bipartisan IoT Cybersecurity Improvement Act was signed early last December, and is a step in the right direction for IoT cybersecurity. The act establishes minimum cyber security standards for all IoT devices that are controlled by the US government. The use of these devices, the way they are managed and serviced as well as a streamlined reporting system regarding vulnerabilities are all aspects that are addressed in the new cybersecurity bill.

The National Institute of Standards and Technology (NIST) played an important part in this new legislation, providing the standards on which the legislation is based. The bill only applies to devices purchased or managed by the U.S. government. However, the large purchasing power of the American government will provide a huge incentive for manufacturers to adopt similar standards for all IoT devices across the board.

Why the IoT is more at risk

This new piece of legislation came at the end of a year that saw a huge surge in cyber crime, mostly due to the coronavirus pandemic. Over 80% of organizations reported an increase in hacking incidents last year, with financial damage due to cyber crime set to hit an estimated $6 trillion in 2021.

This last year in particular, health care organizations, pharmaceutical companies and patients alike were targeted by sophisticated cybercriminals from around the world. Medical professions especially have been disproportionately affected by the vulnerabilities in the IoT sphere, since many medical devices now rely on internet connectivity for a variety of purposes.

The very recent attack on software company SolarWinds exposes the cyber security risk within government agencies, with over 18,000 users affected by the malware installed in the software. This attack demonstrates how a hacking incident can lead to a supply chain disruption that can have the capacity to affect large segments of the population.

Everyday users of the internet have been lulled into a sense of safety while browsing online, with many users having no problem shopping and banking online. For most users, simply knowing that any website they shop on is PCI-DSS certified to ensure a secure transaction of their credit card is enough to indicate that the site is safe for entering their financial information.

It is true that PCI certification can make the transfer of online data more secure: among other measures, it requires the end-to-end encryption of cardholder data and firewalls that block any unknown entities from attempting to access that data in the first place. Businesses and vendors that likewise rely on PCI-DSS certification for their IoT devices can greatly reduce the likelihood of having customer or business data compromised, but ensuring complete security just isn’t that simple.

The IoT Cybersecurity Improvement Act of 2020

The IoT Cybersecurity Improvement Act of 2020 contains many provisions that will encourage a more uniform and secure way of deploying IoT devices in the future. The act covers the development, management, configuring, and patching of IoT devices, ensuring that cybersecurity remains a focus throughout the entire life cycle of a new IoT device.

The rapidly growing popularity of IoT devices means that sometimes devices are rushed into production with the goal of selling as many as possible as soon as possible, and often at the price of overlooked security. In this scenario, vulnerabilities may not be discovered until the device is in widespread circulation. At this point, many companies may choose to ignore addressing the weak areas in their device to avoid affecting sales or alerting would-be hackers to potential opportunities.

One way companies and organizations can avoid this is to release their devices and applications using Dynamic Application Security Testing (DAST) applications, which constantly scan and test your IoT device applications for vulnerabilities while they are running. As Cloud Defense notes, this is effective because it utilizes the exact same methods that a cybercriminal would normally use to identify vulnerabilities.

Similar in approach, the IoT Cybersecurity Improvement Act mandates all contractors and subcontractors involved in government projects to report new vulnerabilities and resolve them as they arise. This level of transparency will ensure that the government is fully informed regarding risks and can hone this legislation to better fit the future digitalized world. The NIST, for example, is required to update its guidelines every five years to keep pace with the rapid developments in this industry.

IoT and the cloud

During the coronavirus lockdowns of 2020, organizations began to rely more heavily on remote work. Companies that never had work from home policies previously had to quickly make sure remote workers had all the tools they needed to complete their professional tasks at home.

The advantages of cloud computing quickly became apparent, especially for those organizations with remote workers that did not have a home office set up previously. The ability to store and share documents and tools online and access them from any computer or phone connected to WiFi became indispensable to the remote work culture.

According to Toronto-based IT expert and software developer Gary Stevens of Hosting Canada, the word “cloud” might not generate images of ironclad security, but in reality it’s actually a fairly secure method of transferring data – provided you’re using a laptop or smartphone.

As Stevens points out: “Cloud storage is the primary means of storing our data online, so it’s imperative that your storage provider be safe from hackers and malicious software, but still easy-to-use and accessible from any device. Thankfully, this issue has been addressed by several cloud hosting companies who’ve made security their utmost priority, and thus became the preferred choice for businesses which also value data security and privacy.”

Unfortunately, cloud-based smart home appliances are quite the opposite. The IoT gadgets found in many homes are very vulnerable to hacks, some of which have been the subject of fascinating headlines in the past year, including hackers gaining the ability to turn the lights on or off, or in some instances even hear what is going on in a home via vulnerable smart home devices as well.

These are just a few of the more shocking examples of vulnerabilities seen in IoT devices in the past few years that have illustrated the need for stronger security protocols like what the Cybersecurity Improvement Act provides.

Too little, too late?

The IoT Cybersecurity Improvement Act will certainly improve cybersecurity among IoT devices, but this is just a small step towards a more secure digital future. It does not address security breaches that occurred in the past or new vulnerabilities that may be exploited in the future, as it is focused only on government devices. It is, however, an important movement in the right direction as society continues to grapple with the dangers and risks of digital life.

Nokia Threat Intelligence Report warns of rising cyberattacks on internet-connected devices https://iotbusinessnews.com/2020/10/23/99985-nokia-threat-intelligence-report-warns-of-rising-cyberattacks-on-internet-connected-devices/ Fri, 23 Oct 2020 14:03:23 +0000

  • Nokia Threat Intelligence Report warns of rising cyberattacks on internet-connected devices
  • Report also highlights role of numerous COVID-19-themed cybercriminal campaigns aimed at exploiting user data

Cyberattacks on internet-connected devices continue to rise at an alarming rate due to poor security protections and cybercriminals’ use of automated tools to exploit these vulnerabilities, according to the latest Nokia Threat Intelligence Report.

The report found that Internet-connected, or IoT, devices now make up roughly 33% of infected devices, up from about 16% in 2019. The report’s findings are based on data aggregated from monitoring network traffic on more than 150 million devices globally where Nokia’s NetGuard Endpoint Security product is deployed.

Adoption of IoT devices, from smart home security monitoring systems to drones and medical devices, is expected to continue growing as consumers and enterprises move to take advantage of the high bandwidth, ultra-low latency, and fundamentally new networking capabilities that 5G mobile networks enable, according to the report.

The rate of success in infecting IoT devices depends on the visibility of the devices to the internet, according to the report. In networks where devices are routinely assigned public facing internet IP addresses, a high infection rate is seen. In networks where carrier-grade Network Address Translation is used, the infection rate is considerably reduced because the vulnerable devices are not visible to network scanning.

The Threat Intelligence Report also reveals there is no let up in cybercriminals using the COVID-19 pandemic to try to steal personal data through a variety of types of malware. One in particular is disguised as a “Coronavirus Map” application – mimicking the legitimate and authoritative Coronavirus Map issued by Johns Hopkins University – to take advantage of the public’s demand for accurate information about COVID-19 infections, deaths and transmissions.

But the bogus application is used to plant malware on victims’ computers to exploit personal data. “Cybercriminals are playing on people’s fears and are seeing this situation as an opportunity to promote their agendas,” the report says. The report urges the public to install applications only from trusted app stores, like Google and Apple.

Bhaskar Gorti, Nokia Software President and Chief Digital Officer, said:

“The sweeping changes that are taking place in the 5G ecosystem, with even more 5G networks being deployed around the world as we move to 2021, open ample opportunities for malicious actors to take advantage of vulnerabilities in IoT devices. This report reinforces not only the critical need for consumers and enterprises to step up their own cyber protection practices, but for IoT device producers to do the same.”

New HEH Botnet Launches Brutal Attacks on IoT Devices and Systems https://iotbusinessnews.com/2020/10/21/62026-new-heh-botnet-launches-brutal-attacks-on-iot-devices-and-systems/ Wed, 21 Oct 2020 07:55:27 +0000

By Ludovic F. Rembert, Head of Research at Privacy Canada.

While ransomware has been grabbing all the headlines, botnets have continued to grow with much less publicity.

That may be about to change as cyberattackers are now using botnets to wipe all data from internet-connected devices. This includes routers, servers, and IoT devices.

Businesses and individuals need to be aware that any internet-linked device is potentially vulnerable to cyberattacks. As IoT devices often have proprietary firmware, they may be more of a challenge to attack than computers and standard mobile devices. Their security can, however, be compromised by default/weak passwords.

Here are the different ways that the new HEH botnet can launch attacks on IoT devices and systems:

Attacks depend on exposed ports and default/weak passwords

The newly-discovered HEH botnets look for devices that have ports 23/2323 (the Telnet ports) exposed online. If they get access to these ports, they can perform a low-level brute-force attack on the password. If this succeeds, they proceed to install the HEH malware and this is what wipes out data from the system.

In some ways, HEH is more notable for what it doesn’t do than what it does. It doesn’t mine for cryptocurrency, or spy on users or encrypt data for ransom. It simply wipes devices clean of data. This might not be technically impressive, but when you consider that 89% of business professionals agree that the protection of data is vital to their company’s survival, you can see how knowing how to shield against HEH is so important.

Wiping all data also removes a device’s firmware

HEH has the potential to bring a whole new meaning to the phrase “delivering disruption with IoT”. Wiping the data from an IoT device also wipes its firmware, leaving it “bricked”. Given that 87% of businesses describe the IoT as “vital” to their future success, it’s easy to see how this could deliver major disruption.

At present, it seems likely that SMBs and private individuals will be the worst affected. Firstly, larger businesses are probably more likely to understand how to undertake robust security checks on their applications and APIs. This means that they are less likely to get infected. Secondly, they are more likely to know how to reactivate “bricked” devices.

At present, it’s easy to defend against HEH

At present, little is known about the background of HEH. In fact, it’s not even clear if the data-wiping functionality is intentional or if it was actually meant to be a self-destruct mechanism.

It may be that HEH was just intended as basic cyber-mischief or as an experiment that went wrong. It may, however, be that HEH is still in the process of being developed. If it’s the latter, then there is the potential for it to become much more dangerous.

HEH requires two security vulnerabilities to be present, namely exposed ports and default/weak passwords. Ideally, both would be addressed. If, however, you need to keep telnet ports open, you can still protect yourself against HEH by using a strong password.

Governmental efforts are already being made to ensure that IoT devices have robust security protection straight out of the box. For example, both California and Oregon have implemented IoT security laws and the UK has a government-backed code of practice for IoT-device manufacturers, albeit a voluntary one.

At present, however, in most situations, the onus is still very much on the purchaser to make sure that their password is appropriately robust. One strategy you can use to protect your IoT devices from HEH is to rely on dynamic application security testing (or DAST). It is a security approach in which a DAST tool attempts to hack into your application while it is running in order to detect any vulnerabilities.

This means that both businesses and individuals need to inform themselves of effective password management. Businesses must also ensure that they have processes in place to reduce the likelihood of human error.

Strong passwords are only a starting point

Strong passwords may help protect the IoT devices of companies and individuals against primitive threats such as HEH. They are, however, nowhere near enough to ensure the sort of robust protection modern companies need. In particular, there are three key areas all companies must address.

These days, it is no longer enough just to rely on automated defenses such as anti-malware software and firewalls (although these are still essential). You have to use 24/7 threat monitoring for constant vigilance. If you don’t have the capability to do this yourself, then you need to work with a vendor that does.

You also need to ensure that all software, operating system, and firmware updates are applied promptly. By this point, companies should already have a robust process for updating computers and mobile devices. IoT devices may, however, be overlooked and this can create an opportunity for hackers.

Remote and mobile security

Security isn’t just about protecting your website from hackers. It’s about preventing your website from being used as a way to gain backdoor access to your internal network. Keeping your website safe requires a very similar approach to keeping your internal company network safe.

The good news is there are a number of measures you can take. For instance, it’s very important for your business website to be secured with SSL, which permits data sent over your website to be authenticated and encrypted so that it can only be accessed by an intended recipient. But despite SSL being so important and simple to set up, less than one third of all domains even use an SSL certificate. Don’t make the same mistake.

There are also anti-malware programs and firewalls for websites. Similarly, you need to keep your web-related software updated and carefully manage access both to the admin controls and any back-end databases.

Users who are regularly out of the office will need particularly robust training to identify social engineering attacks. Sophisticated cybercriminals may see them as soft targets as they lack the protection of having colleagues (and IT) nearby. They cannot, therefore, just call someone over for help in the same way as location-based workers.

Finally, businesses should ensure that employees only connect to the company network over a reliable virtual private network, or VPN. A VPN can encrypt all data sent over your network and hide your employees’ IP address for an added level of security.

VPNs are also a rather inexpensive investment, as there are a number of quality options available for under $6 a month that also offer proven encryption measures in the form of IKEv2 and L2TP. With this in mind, there’s really no reason for your company not to invest in one.

Conclusion

Paying attention to basic security will go a long way to protecting against even sophisticated cyberattacks. Basic security measures you can take include combining anti-malware software, firewalls/WAFs, VPNs, and threat-monitoring software with regular software updates and password-/account-management.

It is, however, important to remember that users (and especially remote and mobile workers) are generally the weakest link in your security chain. It is therefore vital to ensure that they are suitably educated and monitored.

Why Cybersecurity Is Crucial in Smart Cities

https://iotbusinessnews.com/2020/08/24/49898-why-cybersecurity-is-crucial-in-smart-cities/ (Mon, 24 Aug 2020 16:05:30 +0000)

By Ludovic F. Rembert, Head of Research at Privacy Canada.

Smart cities are the future. Today more than ever, nations around the globe are starting to adopt new developments to enhance their cities’ smart capabilities.

One such nation is Macau, which joined hands with the Chinese technology giant Alibaba group in 2017. The goal was to develop a public-private partnership project that aims to turn the special administrative region into a leading smart city in the Asia Pacific region.

The Macau-Alibaba partnership

Banking on the technologies of the Alibaba group’s cloud computing arm, Alibaba Cloud, the partnership’s main goal was to improve the IT infrastructure in Macau to pave the way for major digital developments, particularly in healthcare, governance, tourism, transportation, and talent development.

In order to help Macau transform into a smart city, these plans include developing an integrated system for enhancing public and tourism services, and building a smart transportation network, among many other things. This system is called a city brain, which is designed to use fast-evolving artificial intelligence technologies to gather and process large amounts of data in supercomputers and then feed that information back around the city.

The partnership is specifically divided into two phases. The first phase (already concluded in August of 2019) has seen the transportation, tourism, travel, healthcare, and public governance sectors adopt smart capabilities. The second phase, however, still requires various government departments to obtain cybersecurity certifications first before they can proceed. The phase is set to conclude in 2021 and will include projects related to environmental protection, customs, and finance.

Why City Brains Rely Upon Cloud Computing

City brains make use of real-time comprehensive aggregation and convergence of network, government, imaging devices, and IoT sensor data to instantly correct defects in urban operations. This allows for a more intelligent deployment of natural, police, hydropower, medical, administrative, and road resources.

For example, one of the most common defects in urban operations is traffic congestion. This is further worsened by natural phenomena such as monsoon rains and flooding. At times, massive development projects can also lead to this problem, resulting in millions of dollars’ worth of losses each year.

City brains also lead to smart healthcare, as they streamline operations by improving medical records. With the help of intelligent algorithms, city brains can find anomalies in medical institutions and schedule operations by predicting medical requirements accurately and optimizing the distribution of medical resources.

Solutions to the elaborate drawbacks of rapid haphazard urbanization such as these require analysis of huge amounts of data from multiple complicated networks. With the cloud computing that city brains rely on, this is made easier, faster, and more convenient. The intangible nature of this technology is also best for the sustainability of such breakthroughs and developments.

Additionally, since city brains rely upon the cloud for storage of data, they tend to be more secure than traditional storage options such as physical drives, which come with more security vulnerabilities, scalability issues, and more recoverability problems.

City Brains in Smart Cities

During the first phase of the partnership in 2018, over 30 million tourists arrived in Macau. Alibaba helped the Macau Government Tourism Office (MGTO) analyze real-time tourist flows in peak hours to divert visitors to alternative scenic spots. The group had to adjust the algorithm to fit Macau, helping it balance the number of tourists and the many heritage buildings that the city houses.

Even though Macau is Alibaba’s first smart city venture outside the mainland, the group already has a proven track record in smart city development. In Suzhou, Alibaba Cloud has already helped the city efficiently manage its bus networks, increasing the passenger volume on pilot bus routes by 17%.

Alibaba’s Hangzhou City Brain, an artificial intelligence-enabled transportation management system, is also now slowly reaping the benefits of the original City Brain project. With automatic traffic signal control in Hangzhou’s Xiaoshan district, traffic speed has increased by 15%, reducing the average travel time by 3 minutes. Meanwhile, emergency vehicle response shortened by 50%, allowing rescue vehicles to arrive 7 minutes faster.

As in the examples mentioned above, the city brain allows for efficient management of mass transit systems, as well as the improvement of traffic congestion and signal control. It also helps in accident and disaster management, expediting response from the police, fire protection, and medical rescue with its real-time alarm data.

Basically, smart cities leverage connectivity, along with all the available data insights, security, and compliance of city brains, to optimize convenience and efficiency in the way the city’s citizens live and work.

Preparing For Modernization

With practices already in use in the Asian mainland, such as using artificial intelligence to optimize road, air, and water transportation management, Alibaba Cloud has been helping local governments in China effectively make management decisions through building ‘city brains’ with its big data and deep learning technologies.

Alibaba accomplishes this since its city brain system is specifically dependent on the SaaS cloud model, which means that all data resides with the service provider and that software can be sent to an end user from within the cloud environment. In this context, Alibaba’s SaaS system can connect smart systems across a city and then map the massive amount of data that it collects.

These kinds of functions are meant to make it easier for cities to provide insights from complex data sets in real-time, which can hopefully create a safer environment along with higher quality service to everyday citizens.

In Macau, Alibaba has already launched the Macau Talent Program, which provides local students with training programs and fosters a local technology ecosystem so that the city can create its own group of talented cloud computing and e-commerce professionals. It has also established the Hong Kong and Macau Eco Alliance, which provides enterprises in different industries with access to Alibaba’s immense range of solutions and its extensive suite of international partners.

Modernization is inevitable, especially now that the use of technology is an integral part of life. It’s really that big of a step now as it would have been before there were smartphones with AI capabilities like speech and face recognition, text identification, and natural language processing (NLP). Nowadays, these technologies are used for all the little things like unlocking phones, smart typing, and voice directing.

Ensuring Security in Smart Cities

As smart cities get even smarter, ensuring their security becomes more important. After all, they rely heavily on networks of information and on connections between systems, sensors, and devices.

With this vastness, cyber-attackers can take advantage of “bolted on” security to infiltrate the systems, exfiltrate sensitive information, and even potentially disrupt critical operations.

What used to be the norm could become dangerous in smart cities. For instance, ransomware attacks typically bank on people who only use traditional methods to store their data. Providers are now starting to ramp up their security against ransomware attacks, and many support automatically versioned backups in order to prevent loss of data.

If security is not effectively designed into a system as basic as this, hackers can look for unsecured ports, get access to residents’ home computer networks, and steal personal data like banking or insurance records.

In a smart city environment, humans are often the weak links in the cybersecurity chain due to poor security hygiene. People accessing cloud services should be educated about simple things like good authentication policies, frequent and regular password changing, and multi-factor authentication.

On the government level, there is a clear lack of governance regarding issues such as data handling, privacy policies, and access privileges. There is no need for an army of security engineers, but a team familiar with the cybersecurity discipline should be good enough for a start.

Lastly, there are unintended chains of consequences to these digital connections accessed via the internet and massive cloud computing architectures. This is why security by design, good security hygiene, and a team of cyber-specialists are absolutely critical when ensuring safety and privacy in smart cities.

Welcoming Smart Cities of the Future

Smart cities are complex technological ecosystems of public services, public and private organizations, network systems, sensors and devices, and cloud computing architecture.

The constant interaction and convergence of physical and digital infrastructures, immense data exchanges even between the old and new systems, and the dynamically changing processes require all data to be always secure, as well as the systems and related processes to be safe from prying hands.

It is therefore necessary, as in the case of Macau (where there is an emphasis on obtaining cybersecurity certificates before proceeding), to make sure that smart cities are cyber-secure. Only when the possibilities of cyber risks are managed more effectively will the full potential of smart cities be realized.

With a more secure and resilient operating environment, there’s less need to worry about glitches and more time to constantly achieve breakthroughs in the continuous development of smart cities around the world.

World's First IoT Cyber Security Warranty from NXM Wins TWICE VIP Award

https://iotbusinessnews.com/2020/08/19/20887-worlds-first-iot-cyber-security-warranty-from-nxm-wins-twice-vip-award/ (Wed, 19 Aug 2020 08:57:19 +0000)

NXM Labs Inc. today announced NXM CyberSafe®, the world’s first insurance-backed cyber security warranty program for connected consumer devices, was named the winner of the 2020 TWICE VIP Award in the Warranty Services category.

NXM CyberSafe, which enhances a manufacturer’s existing parts and labor warranty to include anti-hacking protection, was voted on by the audience of TWICE magazine, the leading voice in the Consumer Electronics industry. The annual VIP awards celebrate the best features, design and value that new products bring to consumers.

The NXM Guaranteed CyberSafe seal makes it easy for consumers to recognize brands whose products have been independently certified to be safe from hacking. NXM CyberSafe warranties run concurrently with existing OEM warranties and are fully transferable.

Products displaying the NXM CyberSafe seal are protected by NXM Autonomous Security™, the first Internet of Things (IoT) security software solution to receive Platform Security Architecture (PSA) certification from Underwriters Laboratories (UL), the world’s leading safety science company.

“Consumers believe that it is up to brand manufacturers to ensure the products they sell are secure, not them,” says Scott Rankine, NXM’s CEO.

“Winning this prestigious Award reinforces the importance of security as a key selling feature. When given a choice, many consumers will opt for peace of mind, providing those manufacturers who display the NXM CyberSafe seal with a significant competitive advantage.”

For more information visit www.nxmlabs.com

The Critical Need for IoT Cybersecurity Will Drive Device Authentication Services to US$8.4 Billion Revenues by 2026

https://iotbusinessnews.com/2020/07/02/64515-the-critical-need-for-iot-cybersecurity-will-drive-device-authentication-services-to-us8-4-billion-revenues-by-2026/ (Thu, 02 Jul 2020 14:39:26 +0000)

The increasing threat landscape is forcing IoT implementors and vendors to embrace and prioritize new hardware-focused digital security options.

By 2026, IoT connections will exceed 23 billion across all major IoT markets. Almost all those connections will be faced with incessant and constantly evolving cyber-threats, forcing implementers and IoT vendors to embrace new digital security options to protect managed fleets and connected assets. Secure device authentication currently stands among the top-tier investment priorities for key IoT markets. Global tech market advisory firm ABI Research expects that hardware-focused IoT authentication services will reach US$8.4 billion in revenues by 2026.

“There are several key technologies revolving around authentication security that currently transform the IoT device value chain. Chief elements among them revolve around IoT identity issuance, provisioning, authentication, encryption key lifecycle management, access management and attestation,” explains Dimitrios Pavlakis, Industry Analyst at ABI Research. These are the prime focus of IoT vendors who capitalize on the emerging threat horizon to better position their services and explore new IoT monetization models.

“As it currently stands, the IoT is not a secure place for future deployments and both IoT players and digital security vendors are aware of that,” comments Pavlakis.

“The good news is that the recent change in thinking has caused a noticeable mentality shift and investment surge for secure authentication technologies across the IoT ecosystem; the bad news is that this also gives rise to many IoT management offerings with questionable levels of security and intelligence.”

IoT authentication services need to consider a plethora of variables, sharing both operational and connectivity as well as security characteristics. “Just because cybersecurity investments need to enter deeper into the IoT deployment equation does not mean that operational variables will be left unaccounted,” explains Pavlakis. “Bandwidth capacity, connectivity requirements, operational specifications and device heterogeneity, digital footprint and processing power, edge-cloud dependencies, telemetry and intelligence are all key factors that need to be addressed to obtain a sustainable growth for the IoT going forward.”

Many IoT security vendors are taking advantage of the recent IoT investment surge to increase their market footprint and deliver security-first authentication and management services for the IoT supported by a multitude of flexible pricing models. Market leaders and innovative companies offering IoT security services operating in different areas of the IoT value chain include Intel, Microsoft Azure, Amazon Web Services, Entrust Datacard, Rambus, Data I/O, and Globalsign.

These findings are from ABI Research’s Device Authentication in IoT technology analysis report.

ETSI Releases World-Leading Consumer IoT Security Standard

https://iotbusinessnews.com/2020/07/02/30621-etsi-releases-world-leading-consumer-iot-security-standard/ (Thu, 02 Jul 2020 10:12:15 +0000)

The ETSI Technical Committee on Cybersecurity (TC CYBER) today unveils ETSI EN 303 645, a standard for cybersecurity in the Internet of Things that establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes.

Based on the ETSI specification TS 103 645, EN 303 645 went through National Standards Organization comments and voting, engaging even more stakeholders in its development and ultimately strengthening the resulting standard. The EN is a result of collaboration and expertise from industry, academics and government.

As more devices in the home connect to the internet, the cybersecurity of the Internet of Things (IoT) has become a growing concern. The EN is designed to prevent large-scale, prevalent attacks against smart devices that cybersecurity experts see every day. Compliance with the standard will restrict the ability of attackers to control devices across the globe – known as botnets – to launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. By preventing these attacks, the EN represents a huge uplift in baseline security and privacy.

ETSI EN 303 645 specifies 13 provisions for the security of Internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) and smart home assistants. The EN also includes 5 specific data protection provisions for consumer IoT.

“We launched the Finnish IoT label in November 2019; it was a world first and it attracted a lot of global interest,” says Juhani Eronen from Traficom.

“Our labels are awarded to networking smart devices that meet certification criteria based on EN 303 645; this helps consumers identify IoT devices that are sufficiently secure. To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs.”

“Being involved in the development of the ETSI standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far”, he adds.

“Legrand is pleased to have contributed to the ETSI EN 303 645 standard. It focuses on the product baseline controls addressing the most common security weaknesses in the IoT ecosystem. Ensuring a better level of security in the IoT Ecosystem can only be achieved if Governments, Industry and Consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard”, says Mahmoud Ghaddar, CISO Standardization.

ETSI EN 303 645 is a cohesive standard that presents an achievable, single target for manufacturers and IoT stakeholders to attain. Many organizations have already based their products and certification schemes around the EN and its predecessor TS. It demonstrates how one standard can underpin many assurance schemes and provide flexibility in certification – whilst maintaining world-leading security.

The ETSI Technical Committee CYBER (TC CYBER) continues its work on IoT security, with the development of a test specification and an implementation guide to complement EN 303 645.

5G and AI Expected to Bring Heightened Cybersecurity Risks, Study Finds

https://iotbusinessnews.com/2019/10/24/01900-5g-and-ai-expected-to-bring-heightened-cybersecurity-risks-study-finds/ (Thu, 24 Oct 2019 12:49:41 +0000)

More than 80% of cybersecurity and risk leaders in a new global survey say the technologies could make enterprises more vulnerable to attack.

An overwhelming majority of cybersecurity and risk management leaders believe that developments in 5G wireless technology will create cybersecurity challenges for their organizations.

Their top three 5G-related concerns are greater risk of attacks on Internet of Things (IoT) networks, a wider attack surface and a lack of security by design in 5G hardware and firmware.

These are among the findings of a new report released today by Information Risk Management (IRM), a UK-based cybersecurity company of Altran.

The report, titled Risky Business, is based on a survey of senior cybersecurity and risk management decision makers at 50 global companies across seven major industry sectors: automotive, communications, energy, finance/public sector, software/internet, transport and pharmaceuticals. The study was conducted between July and September of this year.

Eighty-three percent of survey respondents said 5G developments will create cybersecurity challenges for their organizations, suggesting that the new technology will bring heightened risks. “The acceleration to market of 5G and lack of security considerations are causing concern,” the report states.

“The vulnerabilities in 5G appear to go beyond wireless, introducing risks around virtualised and cloud native infrastructure.”

The study also found that 86% of respondents expect artificial intelligence (AI) to have an impact on their cybersecurity strategy over the next five years, as AI systems are integrated into core enterprise security functions. The top three AI applications that respondents said they would consider implementing as part of their cybersecurity strategy are network intrusion detection and prevention, fraud detection and secure user authentication.

“AI in cybersecurity is a double-edged sword,” the report explains. “It can provide many companies with the tools to detect fraudulent activity on bank accounts, for example, but it is inevitably a tool being used by cybercriminals to carry out even more sophisticated attacks.”

In late August, for example, The Wall Street Journal reported that criminals using AI-based software had successfully mimicked a German CEO’s voice and had duped the head of a UK subsidiary into sending €220,000 ($243,000) to a fraudulent account. It is being dubbed one of the world’s first publicly known cyberattacks using AI. “We are likely to see more of this as the technology develops,” the report warns.

Commenting on the potential impact of 5G and AI on cybersecurity, Charles White, CEO of IRM, cautioned:
“A lack of awareness of these technologies’ security implications can have far reaching consequences. At best an embarrassing fine and at worst a fatal blow to the bottom line. Now is the time for enterprises to work closely with their cybersecurity teams to design and develop 5G and AI products that place cybersecurity front and center.”

The study also found:

  • A growing number of C-level executives recognize the challenges facing enterprise security teams. Ninety-one percent of respondents said that increased cybersecurity awareness at the C-level has translated into their decision-making. But most cybersecurity decisions are still based on cost – and not on the safest solutions to put in place, according to respondents, indicating a lack of understanding of the financial and reputational impact of cyberattacks.
  • There is a worrisome lack of awareness of the Networks & Information Systems Directive/ Network & Information Systems Regulations, which is a piece of legislation setting a range of network and information security requirements for Operators of Essential Services (OES) and Digital Service Providers (DSPs). The survey found that 30% of respondents are unaware of the NIS Directive/Regulations, and of the 70% who are aware of the legislation, over a third (about 25% overall) have failed to implement the necessary changes.

IRM is at the heart of Altran’s recently formed World Class Center for Cybersecurity, which offers an extended portfolio of global solutions to protect next-generation networks and systems. With sites in North America, France, the UK and Portugal, the WCC for cybersecurity specializes in working with some of the world’s largest organizations to combat cyber challenges introduced by Industry 4.0.

Summary – Key findings of the report:

  • 80% of enterprises expect 5G to adversely impact them
  • 9% of organisations are unaware of how many third parties they share data with
  • 86% of enterprises will be impacted by AI in the next 5 years
  • 30% of organisations are unaware of the NIS Directive/NIS Regulations

The EU Cybersecurity Act: what is it and what does it mean for Europe?

https://iotbusinessnews.com/2019/07/11/40411-the-eu-cybersecurity-act-what-is-it-and-what-does-it-mean-for-europe/ (Thu, 11 Jul 2019 10:52:36 +0000)

The European Union’s Cybersecurity Act is a key step in establishing the regulatory frameworks and certification schemes necessary for developing cyber-resilience.

In addition, the Cybersecurity Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA.

In his 2017 State of the Union Address, President Jean-Claude Juncker said:
“In the past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyber-attacks. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks.”

In an increasingly connected world, however, it can be difficult for device manufacturers and service providers to identify the necessary levels of protection required for their products, and for consumers to verify the security of the devices and services they are using. This creates trust issues that limit widespread IoT adoption and innovation, as well as putting consumers and businesses at risk of security breaches.

So, what is the European Cybersecurity Act?

Fast forward to June 2019, the Act has come into force and aims to better support Member States with tackling cybersecurity threats and attacks.

As part of this support, the Act establishes an EU framework for cybersecurity certification. This allows for the certification of products, processes and services that will be valid throughout the bloc, boosting the security of online services and consumer devices.

The European Commission supported the Act saying:

“This is a ground-breaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates.”

The importance of certification

The world is becoming increasingly ‘digitally dependent’, with connectivity spanning from our edge devices, through the ‘fog’ and into the cloud, helping us to manage every aspect of our personal, business and industrial lives.

Ensuring the security of connected devices and services therefore is a critical priority for all stakeholders, not least device manufacturers, who must ensure that the devices they build are secure enough to protect from immediate threats and consider how risks may change throughout the device’s lifecycle.

That is why an impartial and standardized certification platform, supported by accredited laboratories, is necessary to enable device manufacturers and service providers to verify the security of devices, as well as categorize and select the most appropriate type of protection for their product.

The security benefits of certification and standardization are particularly notable, but there are benefits for businesses as well. By establishing one set of rules, device manufacturers around the world will find it easier to demonstrate to the European market that their products are secure, and prove the trustworthy nature of their merchandise.

In addition, the Act gives service providers the peace of mind that data, intellectual property and other valuable information are safely secured within a certified device.

Enter GlobalPlatform

To respond to new international security risks, GlobalPlatform has standardized secure technologies and services that, today, are adopted and deployed globally, to provide privacy protection and lay the foundation for cyber-resilience. It is doing this by developing new evaluation methodologies to accelerate product creation and achieve a faster route to market, while ensuring security and data privacy are maintained.

New 2019 Global Survey: IoT-Focused Cyberattacks are the New Normal https://iotbusinessnews.com/2019/05/29/94747-new-2019-global-survey-iot-focused-cyberattacks-are-the-new-normal/ Wed, 29 May 2019 10:38:29 +0000


New 2019 Global Survey: IoT-Focused Cyberattacks are the New Normal

Irdeto finds that in sectors such as transport, manufacturing and healthcare, while a majority of organizations have suffered an IoT attack, the mindset of security as a cost is changing.

Eight in ten organizations have experienced a cyberattack on their IoT devices in the past 12 months, according to new research by Irdeto.

Of those organizations, 90% experienced an impact as a result of the cyberattack, including operational downtime and compromised customer data or end-user safety. This demonstrates the security limitations of many IoT devices and the need for organizations to think carefully about a cybersecurity strategy amidst an IoT deployment.

The Irdeto Global Connected Industries Cybersecurity Survey of 700 enterprises in five countries (China, Germany, Japan, UK and US) also found that organizations in transport, manufacturing and healthcare have suffered substantial losses due to IoT-related vulnerabilities, with the average financial impact as a result of an IoT-focused cyberattack identified as more than $330,000 USD.

With IoT in its relative infancy across these sectors, this substantial financial burden is only going to increase if action is not taken. However, it’s not all gloom and doom for these sectors. Of those surveyed, 99% agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that the previous mindset of IoT security as an afterthought is changing.

“One of the most promising results of the study found that today’s organizations in technology, transport, manufacturing and healthcare are thinking even more strategically about security,” said Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto.

“This is a clear indication that today’s businesses realize the value add that security can bring to their organization. From enabling new rental or subscription models in connected vehicles, to Digital Twins revolutionizing the manufacturing processes, to providing patients with even better healthcare, security is the enabler to successfully implementing new and future business models in today’s connected world.”

While the security mindset may be changing, the research also suggests a distinct lack of optimism about the future security of IoT devices within these organizations. Only 7% of respondents stated that their organization has everything it needs to tackle cybersecurity challenges. 46% stated they need additional expertise/skills within the organization to address all aspects of cybersecurity. This was followed closely by more effective cybersecurity tools and the implementation of a more robust cybersecurity strategy at 43% each.

Perhaps even more alarming, 82% of organizations that manufacture IoT devices are concerned that the devices they develop are not adequately secured from a cyberattack. Further, a total of 93% of manufacturers and 96% of users of IoT devices stated that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent. In the UK, Germany and China, 100% of IoT device users believe that the cybersecurity of the devices they use could be improved either to a great extent or to some extent – an alarming finding, considering that these devices are proliferating rapidly throughout these organizations.

“The benefits brought to a wide range of industries by connectivity and the Internet of Things are not in doubt. However, greater connectivity opens organizations and their customers up to a myriad of additional vulnerabilities that must be considered from the outset,” said Jaco Du Plooy, Vice President of IoT Security, Irdeto. “If you want to take advantage of the benefits of connected devices or software, you need to choose wisely where to spend your time and budget.”

“Organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors and work with trusted advisors to safely embrace connectivity in their manufacturing process. Then organizations must incorporate multiple layers of security into their defenses.”

With IoT-focused cyberattacks becoming more and more common, organizations rightly have several security measures in place. However, the study found that more than one-in-four organizations (26%) do not have software protection technologies implemented into their business. In addition, fewer organizations have mobile app protection (52%) implemented and even fewer still make security a part of the product design lifecycle process (49%). The study also found that only just over half of the organizations surveyed (53%) conduct continuous security and/or code reviews.

However, while it’s clear that many organizations may not have the most robust cybersecurity strategy in place, most are planning on adding to their cybersecurity portfolio in the next year. Of the businesses surveyed, 18% plan on adding software protection in the next year, while 29% plan on adding mobile app protection, 30% plan on making security part of the product design lifecycle and 29% plan on implementing continuous security and/or code reviews in the next year.

Methodology: The Irdeto Global Connected Industries Cybersecurity Survey polled 700 security decision makers across healthcare, transport and manufacturing, plus IT and technology* (who manufacture IoT devices) industries. The research was fielded online by Vanson Bourne from March – April 2019 in five countries, including China, Germany, Japan, UK and US.
* IT and technology respondents are not shown in any sector tables due to low base size

Trend Micro Research Uncovers Major Flaws in Leading IoT Protocols https://iotbusinessnews.com/2018/12/06/30898-trend-micro-research-uncovers-major-flaws-in-leading-iot-protocols/ Thu, 06 Dec 2018 12:57:54 +0000


Trend Micro Research Uncovers Major Flaws in Leading IoT Protocols

Trend Micro Incorporated today warned organizations to revisit their operational technology (OT) security after finding major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

Trend Micro’s new report, co-branded with Politecnico di Milano, The Fragility of Industrial IoT’s Data Backbone, highlights the growing threat of industrial espionage, denial-of-service and targeted attacks that abuse these protocols.

Over just a four-month period, Trend Micro researchers identified more than 200 million MQTT messages and more than 19 million CoAP messages being leaked by exposed brokers and servers. Using simple keyword searches, malicious attackers could locate this leaked production data, identifying lucrative information on assets, personnel and technology that can be abused for targeted attacks.

Greg Young, vice president of cybersecurity for Trend Micro, said:

“The issues we’ve uncovered in two of the most pervasive messaging protocols used by IoT devices today should be cause for organizations to take a serious, holistic look at the security of their OT environments.”

“These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases. This represents a major cybersecurity risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks.”

The research shows how attackers could remotely control IoT endpoints or deny service by leveraging security issues in the design, implementation and deployment of devices using these protocols. Furthermore, by abusing specific functionality in the protocols, hackers could maintain persistent access to a target to move laterally across a network.

A few vulnerabilities were also identified through this research, which were disclosed through Trend Micro’s Zero Day Initiative (ZDI): CVE-2017-7653, CVE-2018-11615, and CVE-2018-17614.

As an example of the impact these vulnerabilities could have, CVE-2018-17614 is an out-of-bounds write that could allow an attacker to execute arbitrary code on vulnerable devices that implement an MQTT client. While no new CoAP vulnerabilities were found, the report reinforces that CoAP is User Datagram Protocol (UDP)-based and follows a request-response scheme, making it a good fit for amplification attacks.

To mitigate the risks highlighted in the research, Trend Micro encourages organizations to:

  • Implement proper policies to remove unnecessary M2M services
  • Run periodic checks using internet-wide scanning services to ensure sensitive data is not leaking through public IoT services
  • Implement a vulnerability management workflow or other means to secure the supply chain
  • Stay up to date with industry standards as this technology is evolving rapidly

Nokia’s report warns on the threat of malicious software targeting IoT devices https://iotbusinessnews.com/2018/12/04/37007-nokia-report-warns-on-the-threat-of-malicious-software-targeting-iot-devices/ Tue, 04 Dec 2018 17:03:03 +0000


Nokia's report warns on the threat of malicious software targeting IoT devices

  • IoT botnet activity represented 78% of malware detection events in communication service provider networks in 2018, more than double the rate seen in 2016, when IoT bot activity was first seen in meaningful numbers.
  • IoT bots now make up 16% of infected devices in CSP networks, up significantly from 3.5% a year ago.
  • Malware threats against IoT devices could get worse as consumer adoption of such devices accelerates in the years ahead and as 5G capabilities – including extreme broadband, ultra-low latency connectivity, and massive networking – advance.

According to Nokia’s Threat Intelligence Report 2019, the use of malicious software to attack IoT devices like smart home security monitoring systems is rising substantially and growing more sophisticated as cyber criminals take advantage of lax security.

Driven by financial and other nefarious purposes, IoT botnet activity accounted for 78% of malware detection events in communication service provider (CSP) networks in 2018, according to the report, which is based on data aggregated from monitoring network traffic this year on more than 150 million devices globally where Nokia’s NetGuard Endpoint Security product is deployed.

chart: IoT infected devices 2014-2018

That is up sharply from 33% in 2016, when IoT botnets were first seen in meaningful numbers. A botnet is a system of computers that can be infected with malicious software and controlled by a single computer for doing things like stealing bank account information and shuttering web sites.

Kevin McNamee, director of Nokia’s Threat Intelligence Lab and lead author of the report, said:

“Cyber criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed. You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought.”

In 2018, IoT bots made up 16% of infected devices in CSP networks, up significantly from the 3.5% observed in 2017.

As an indicator of the rising threat, the report found that malware-infected crypto-coin mining is expanding from high-end servers with specialized processors to IoT devices as well as smartphones and web browsers. Crypto-coin mining is generally the process by which cryptocurrency transactions are verified and added to blockchain technology systems.

Industry analysts widely expect IoT device adoption to accelerate with 5G. The high bandwidth, large-scale and ultra-low latency capabilities of 5G greatly facilitate connecting billions of things to the internet, including smart home security monitoring systems, vehicles, drones and medical devices.

But, as the Threat Intelligence report’s findings underscore, lagging security protection of many current IoT devices and increasing technical sophistication are giving cyber criminals broader scope for successfully launching IoT device attacks.

“Cyber criminals have increasingly smart tools to scan for and to quickly exploit vulnerable devices, and they have new tools for spreading their malware and bypassing firewalls. If a vulnerable device is deployed on the internet, it will be exploited in a matter of minutes,” McNamee said.

Also explaining some of the rise in IoT device malware infection rates is the fact that attacks on mobile and fixed networks in 2018 decreased from previous years. This is a result not only of cyber criminals looking further afield for softer targets, like IoT devices, but of better-protected networks, platforms and mobile devices that are designed and built with security in mind.

The Nokia NetGuard security suite provides protection against a wide variety of bots and malware. The suite aggregates, analyses and correlates security data from a variety of sources, including endpoint detection software, to help security teams control risks and costs and to improve decision making.

The NetGuard Endpoint Security software includes an IoT behavioral anomaly detection component that is capable of constantly tracking devices against security threats. The individual traffic profiles of any device, including an IoT device, are machine-learned automatically by the Endpoint system; any anomaly detected triggers immediate troubleshooting against threats.
