
HACKING #NUCLEAR SYSTEMS IS THE #ULTIMATE #CYBER THREAT. ARE WE #PREPARED?

Source: National Cyber Security – Produced By Gregory Evans

The nuclear plant employees stood in rain boots in a pool of water, sizing up the damage. Mopping up the floor would be straightforward, but cleaning up the digital mess would be far from it.

A hacker in an adjacent room had hijacked a simulated power plant, using the industrial controls against themselves to flood the cooling system.

It took officials from three different Swedish nuclear plants, who were brought in to defend against an array of cyberattacks, a couple of hours to disconnect the industrial computer (known as a programmable logic controller) running the system and coordinate its repair.

Though the exercise was conducted in a simulated coal plant, not a nuclear one, the tactile nature of the demonstration — the act of donning rubber boots to fix the flooding — drove home the potential physical consequence of a cyberattack on critical infrastructure. “The next step for them is to go back home and train in their real environment,” Erik Biverot, a former lieutenant colonel in the Swedish army who planned the event, told The Verge.

The drill, which took place this past October at a research facility 110 miles southwest of Stockholm, was the most technically sophisticated cyber exercise in which the UN’s nuclear watchdog — the International Atomic Energy Agency (IAEA) — has participated.

Security experts say more of these hands-on demonstrations are needed to get an industry traditionally focused on physical protection to think more creatively about growing cyber threats. The extent to which their advice is heeded will determine how prepared nuclear facilities are for the next attack.

“Unless we start to think more creatively, more inclusively, and have cross-functional thinking going into this, we’re going to stay with a very old-fashioned [security] model which I think is potentially vulnerable,” said Roger Howsley, executive director of the World Institute for Nuclear Security (WINS).

The stakes are high for this multibillion-dollar sector: a cyberattack combined with a physical one could, in theory, lead to the release of radiation or the theft of fissile material. However remote the possibility, the nuclear industry doesn’t have the luxury of banking on probabilities. And even a minor attack on a plant’s IT systems could further erode public confidence in nuclear power. It is this cruelly small room for error that motivates some in the industry to imagine what, until fairly recently, was unimaginable.

The Nuclear Threat Initiative, a Washington-based nonprofit co-founded by Ted Turner, has tallied about two-dozen cyber incidents since 1990, at least 11 of which were malicious. Those include a December 2014 attack in which suspected North Korean hackers stole blueprints for South Korean nuclear reactors and estimates of radiation exposure to local residents. The affected power company, which provides 30 percent of the country’s electricity, responded by carrying out cyber drills at plants around the country.

In another attack, hackers posing as a Japanese university student sent malicious emails to researchers at the University of Toyama Hydrogen Isotope Research Center, one of the world’s top research sites on the radioactive isotope that makes a hydrogen bomb. From November 2015 to June 2016, the hackers stole over 59,000 files, according to media reports, including research on the ill-fated Fukushima nuclear plant.

Any list of cyber incidents in the nuclear sector, however, is very likely incomplete. The US Nuclear Regulatory Commission, for example, only requires operators to report to the commission cyber incidents that affect the safety, security functions, or emergency preparedness of the plant, excluding potentially significant attacks on IT systems. It is, in general, extremely difficult for a hacker to breach a plant’s inner control systems implicated in the former category, but not nearly as challenging to penetrate the non-critical IT networks included in the latter.

“We are absolutely undercounting [the number of non-safety-related incidents] and we’re not looking so we can’t pretend that our count is accurate,” said Robert M. Lee, a former Air Force cyber officer and founder of Dragos, a firm specializing in industrial control systems (ICS) cybersecurity. By probing their networks for more of these lower-level threats, nuclear operators can bolster their security, he added.

Regulatory requirements have strengthened US nuclear plants’ cybersecurity, and most plants were built decades ago on analog systems that are shielded from direct internet-based attacks. But the growing digitization of the industry is opening up new potential vectors for hackers.

One of the first known cyber incidents at a nuclear plant took place in 1992 when rogue programmer Oleg Savchuk deliberately infected the computer system of a plant in Lithuania with a virus. Savchuk was arrested and became a precautionary footnote in the history of nuclear security. It would take a set of much more seismic events to illuminate the danger of cyber threats to nuclear operators.

In March 2007, with US energy regulators looking on, engineers at the Idaho National Lab showed how 21 lines of computer code could cripple a huge generator, as journalist Kim Zetter writes in her book. It was only through this jaw-dropping experiment, known as Aurora, that some energy industry officials came to accept that digital tools are capable of physical destruction.

Before Aurora, “there were many people who simply denied the concept that any kind of physical damage could be caused or triggered by a cyber event,” Marty Edwards, an ICS expert who helped design the experiment, told The Verge. Two years later, the destructive potential shown in Aurora became a reality. The famed Stuxnet attack injected a formidable computer worm into Iran’s Natanz enrichment facility in 2009, destroying about 1,000 centrifuges. The United States and Israel are suspected of being behind the attack, which used a USB drive to deliver malware to “air gapped” systems, or those with no direct or indirect connections to the internet. In doing so, the attackers refuted the notion that such a system was immune to hacking.

Stuxnet’s creators used four “zero-days,” or previously unknown software exploits, whereas most big cyberattacks use one at most. The attackers managed the improbable feat of breaching and manipulating a nuclear facility’s heavily protected industrial controls. In doing so, they changed the cybersecurity conversation in the nuclear industry, prompting new regulations and more investments in defenses.

As instructive as Stuxnet was, nuclear officials can only learn so much from one attack and, because successful attacks are rare, there is a small pool of data from which to learn. For some, the answer is to create your own attacks in a controlled environment.

The exercise conducted this past October took advantage of the high-tech environment provided by Sweden’s Defense Research Agency. Officials from the IAEA and at least 20 of its member countries, including the US and China, watched on TV screens as offensive and defensive cyber teams did battle. The defenders grappled with everything from straightforward denial-of-service attacks to the more insidious scenario of a contractor’s laptop exposing a facility to malware.

In one instance, they used an actual Siemens programmable logic controller. In another, they modeled one of the exercise’s attacks on the 2015 hack of the Ukrainian power grid, one of the biggest energy-sector attacks since Stuxnet.

The Swedes meticulously documented what amounted to a scientific experiment. Audio and video captured participants’ every move and may be later analyzed by a research team. The biggest early takeaway from the experiment, however, was decidedly low-tech: participants had to trust each other to navigate a stressful environment.

The IT specialists who participated normally work individually rather than as a team to handle cyber incidents, according to Biverot. For each participant, knowing that “I can give this guy a call if I’m in trouble” would be invaluable during a security incident, he told The Verge.

Security experts say there is no substitute for putting an organization’s cyber teams under the gun in an intense, credible scenario. “It’s very important to understand the link between what’s happening in cyberspace and what’s happening in real life,” said Dennis Granåsen, a senior scientist at the Defense Research Agency. “If you don’t do that, it’s very easy to just think of these exercises as a game where you need to perform and get a good score and that’s it.”

The less that exercises seem like a game to participants, the better prepared they’ll be for the real thing. The challenge, however, is that exercises as technically rigorous as the Swedish one have not been the norm across the global nuclear sector. They can be expensive, take many months to plan, and may require bringing in outside cyber expertise to drill plant personnel. Exercise programs are growing in maturity and are including more red-teaming, but experts say more work is needed.

Without outside help, many operators will struggle to keep pace with cyber threats, according to Roger Brunt, a former top official at the UK’s Office for Nuclear Regulation. For that reason, Britain’s larger nuclear operators have recently begun hiring security firms to probe their computer networks for vulnerabilities, he said.

While safety and security are paramount at nuclear plants, business considerations also come into play as many plants, including the vast majority of the 61 in the US, are privately owned. The financial and reputational damage that a successful cyberattack could wreak has led some executives to walk through them in advance.

Two weeks before the Swedish exercise, a group of lawyers, insurers, and nuclear executives huddled in central London to consider an alarming scenario: malware had hit a workstation at a nuclear plant, triggering a shutdown of the reactor and a power cut for nearby residents during a dangerous heatwave.

Whereas the Swedish drill was geeks and computer code, the London one was lawyers and the lofty words of judges and defendants.

A fictional power company was on mock trial for decisions its executives had taken leading up to the made-up incident. They had failed to ensure that software on the plant had been updated and that employees were trained in security. Despite an eloquent defense from executives, the judges found the company criminally and civilly liable for the $1.7 billion in economic and other damages incurred by the power cut, and for the 10 people who died in the heat wave.

Howsley said he was surprised at the criminal verdict, thinking the bar for damning security practices would be higher. But that may be where legal norms are headed, given that companies like Uber and Anthem have been sued for allegedly shoddy cybersecurity regimes.

Among nuclear executives, “accountability is going to drive better behavior” on cybersecurity, said Kathryn Rauhut, a lawyer and nonresident fellow at the Stimson Center, which hosted the exercise.

Rauhut said that when drawing up the exercise, she considered several scenarios that might spur strong interest from nuclear executives. Nothing resonates like the threat of a civil or criminal lawsuit for bad security practices. “The CEOs said, ‘Whoa, this is huge. I didn’t know I was liable,’” she told The Verge.

Howsley, a 35-year veteran of the nuclear industry, has seen the industry adapt its safety standards after the 1986 Chernobyl disaster, its security standards after the September 11th attacks, and its cybersecurity standards after Stuxnet. The guessing game of where the next threat might come from can be maddening.

“Someone once said to me, ‘The future is actuarial, history is forensic,’” said Howsley, a cerebral Englishman with a PhD in botany. “If something awful happens at 3 o’clock this afternoon, people will look back and say, ‘How did we allow this to happen?’ But we forget all the things that we worried about and didn’t happen.”

As training in the lab and boardroom continues, hackers in the real world are sharpening their skills. The years since Stuxnet have seen an uptick in advanced hacking operations targeting energy infrastructure. The Ukrainian power grid has been a playground for hackers, some of whom analysts have traced to Russia.

A year after the December 2015 attack, which cut power for 225,000 people, the Ukrainian grid was hit again in what Dragos says was an even more sophisticated operation. “Adversaries are getting smarter, they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt,” states the firm’s analysis of the attack.

Just last week, energy software giant Schneider Electric acknowledged that hackers had exploited a flaw in its safety system software, known as Triconex, at an industrial plant, causing the plant to shut down. The company has declined to identify the plant. Triconex systems are used at a variety of plants, including oil, gas, and nuclear.

This changing digital landscape is prompting governments and energy companies to get more ambitious in how they drill for attacks. The goal is tighter communication and unalloyed trust between the government and operators of critical infrastructure, the vast majority of which is privately owned in the US.

In the event of a serious cyberattack, nuclear operators would need to have agencies on speed dial to mitigate the damage. In the waning days of the Obama administration, US and British officials tested these lines of communication in an unprecedented exercise they called Ionic Shield.

On a conference call in November 2016, officials at the White House and Downing Street watched as a piece of malware hit the administrative networks of hypothetical nuclear plants in the US and Britain. Participants tested how well they could pass the word of a spreading attack through the chain of command and take corrective action. Communication between the two governments and between government and industry went well, according to Caitlin Durkovich, a former official for the Department of Homeland Security (DHS).

However, Durkovich told The Verge, “I think we walked away with the sense we need to improve how the industry here [in the US] is communicating with the industry there [in Britain], especially as it relates to sharing threat information.”

In June 2017, DHS officials warned the energy industry that hackers had targeted the computer network of the Wolf Creek nuclear facility in Kansas. The threat was limited and did not involve safety or other critical systems, security experts told The Verge, but it served as a reminder that nuclear facilities are still very much in hackers’ crosshairs.

“The threat is not going to go away,” Howsley said. “It will get more subtle.”

Some hackers play the long game, lingering on peripheral networks for months in the hope of gaining a foothold into more critical systems. For network defenders, maintaining urgency in the absence of regular, successful attacks can be difficult. The shock value of events like Aurora and Stuxnet can only last so long as those who study them fall back into their routines. Rigorous exercises based on unnerving scenarios are critical to keeping engineers and cyber specialists on their toes.

The post HACKING #NUCLEAR SYSTEMS IS THE #ULTIMATE #CYBER THREAT. ARE WE #PREPARED? appeared first on National Cyber Security.

International Workshop on Future Information, Security, Privacy and Forensic for Complex Systems (FISP)

General Cybersecurity Conference

 August 13 – 15, 2018 | Gran Canaria, Spain

Cybersecurity Conference Description

Availability, integrity and secrecy of complex information systems are increasingly important requirements for modern society and for nations, as computers control and administer more and more aspects of human life with every passing day. We entrust much of our lives to information and computer technologies (ICTs). However, it is a difficult and challenging task to understand security risk and to provide effective security solutions, as attackers only need to find a single vulnerability while developers or system administrators need to find and fix all vulnerabilities. In addition, cyberspace is considered the fifth battlefield after land, air, water and space.

The aim of FISP-2018 is to provide a premier international platform for a wide range of professionals, including scholars, researchers, academicians and industry people, to discuss and present the most recent challenges and developments in “Information Security, Privacy and Forensics for Complex Systems” from the perspective of providing security awareness and best practices for the real world. After the high success of the previous edition (FISP’2017), held in conjunction with the 12th International Conference on Future Networks and Communications 2017 (FNC-2017) in Belgium, the fourth International Workshop on Future Information Security, Privacy and Forensics for Complex Systems (FISP-2018) will continue to welcome submissions of novel and high-quality research contributions as well as state-of-the-art reviews in the field of information security and privacy. We anticipate that this workshop will open new avenues for further research and technology improvements in this important area.


The post International Workshop on Future Information, Security, Privacy and Forensic for Complex Systems (FISP) appeared first on National Cyber Security Ventures.


International Conference on Dependable Systems and Networks

General Cybersecurity Conference

 June 25 – 28, 2018 | Luxembourg City, Luxembourg

Cybersecurity Conference Description 

The IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) has a distinctive approach to accidental and malicious faults under a common body of knowledge. Today, it is the most prestigious international forum for presenting advanced and innovative research results, problem solutions, practices, and insights on new challenges in the field of dependable and secure computing.

DSN is the flagship conference for research furthering robustness and resilience of today’s wide spectrum of computing systems. Indeed, dependability and security concerns can no longer be tackled in isolation, from general IT to the internet-of-things, cyber-physical systems and application areas.


20th International Conference on Cybersecurity and Resilience of Cyber Physical Systems (ICCRCPS)

General Cybersecurity Conference

 June 21 – 22, 2018 | Vienna, Austria

Cybersecurity Conference Description

The ICCRCPS 2018: 20th International Conference on Cybersecurity and Resilience of Cyber Physical Systems aims to bring together leading academic scientists, researchers and research scholars to exchange and share their experiences and research results on all aspects of Cybersecurity and Resilience of Cyber Physical Systems. It also provides a premier interdisciplinary platform for researchers, practitioners and educators to present and discuss the most recent innovations, trends, and concerns as well as practical challenges encountered and solutions adopted in the fields of Cybersecurity and Resilience of Cyber Physical Systems.


13th Annual Conference of the Midwest Association for Information Systems (MWAIS)

General Cybersecurity Conference

 May 24 – 25, 2018 | St. Louis, Missouri, United States

Cybersecurity Conference Description

MWAIS 2018 will provide an intimate environment to facilitate the sharing of ideas, and close interaction among participants. About 100 participants are expected from throughout the Midwest US, the neighboring states and Canadian provinces, and beyond.


Healthcare Information and Management Systems Society (HIMSS) 2018

Healthcare Event

 March 5 – 9, 2018 | Las Vegas, Nevada, United States

Cybersecurity Conference Description

The 2018 HIMSS Annual Conference & Exhibition brings together 40,000+ health IT professionals, clinicians, executives and vendors from around the world. Exceptional education, world-class speakers, cutting-edge health IT products and powerful networking are hallmarks of this industry-leading conference.


Network Systems Engineer


This position, located in Orem, Utah, is very outward facing – interacting directly with executives, managers, and business users to keep everything flying along smoothly, even though we might be changing out the wing on the plane while it’s still in the air.

Responsibilities:
Source, provision and deploy Windows and Mac laptops and workstations — globally.
Manage our Cisco Network, Call Center, and Meraki infrastructure. Aided by a managed services team.
Maintain and evolve our local office network and desktop infrastructures – multiple US locations plus Europe and Asia
Work with the business to source and maintain our network of approximately 60 local country phone numbers and toll free connections
Identify process improvement opportunities and work with key stakeholders to develop and implement effective solutions
Develop optimal data management and reporting practices to ensure best practices are put in place

Minimum Qualifications:
Knowledge, Skills and Abilities:
5+ years as a Systems or Network Engineer
Windows and Apple OS skills
Cisco Meraki Network and Device Management skills
Cisco Call Center management skills
New Relic/Google Analytics
Strong understanding of IT governance and security policies and processes
Ability to read and understand complex requirements documents, identify gaps and capture one-off use cases, etc.
Deliver customer requests on time and deliver high quality solutions.
Ability to think and operate in a logical manner, break down processes and investigate issues by asking the right questions to determine potential solutions.

Education, Training and Experience:
Appropriate degree in IT, Computer Science or other Technical degree


Two #Women #Charged With #Hacking Bucks #Computer #Systems

A Bucks student and her cohort were arrested and charged with hacking the college’s computer system to alter her grades and the grades of other students in a microbiology course.
The two women arrested were Aleisha Morosco, a 30-year-old part-time student, and Kelly Margaret Marryott, a 37-year-old employed at a medical office.

Bucks officials have suspected since July that someone had been meddling with students’ grades, and once it was reported to the police, the suspicion was confirmed.

Police said Marryott used the personal information of a Bucks faculty member she gained from her employment at a medical office. From there Morosco allegedly hacked the school’s computer network to change her own grade and the grades of other students.

Stephanie H. Shanblatt, president of Bucks County Community College, released the following statement about the incident:
“Dear Colleagues: Last week, the Newtown Township Police arrested two women in connection with an attempt to change grades at the college last summer. I wanted to assure you that this was an isolated incident. When the college discovered the problem, we reported it to Newtown Township Police and worked cooperatively with law enforcement to resolve the case. Bucks takes the integrity of our data systems very seriously. All of the grades altered in the breach were restored to their correct level. I would like to thank the Newtown Township Police Department for their professionalism in bringing this investigation to its appropriate conclusion. In addition, our gratitude goes out to the Office of Security and Safety, Information Technology, and Online Learning for their prompt attention to this matter.”

Both women have been charged with unlawful use of computer, computer crimes, computer trespass, identity theft, and criminal conspiracy.

Computer trespassing is a very serious crime. PhiladelphiaCriminal-Attorney.com states that “If you are indicted on federal computer crime charges, you can face being sent to a federal prison for years.” The two women were arraigned before District Judge Mick Petrucci and released on $40,000 unsecured bail.

Information Technology Specialist (Systems Analysis)

Department of the Treasury – New Carrollton, MD
$119,285 – $161,900 a year – Full-time, Part-time

The U.S. Department of the Treasury has a distinguished history dating back to the founding of our nation. As the steward of U.S. economic and financial systems, Treasury is a […]

Pizza Hut #app and 41 #Hyatt POS systems #breached by #hackers


On October 14, 2017, Pizza Hut notified approximately 60,000 customers, via email, that hackers compromised their personal information. The breach occurred on October 1 and 2, but the company waited two weeks to inform customers. The breach lasted about 28 hours, so any person who ordered from Pizza Hut through the mobile app during that time may have been affected.

Cyber criminals stole names, delivery addresses, billing zip codes, credit card numbers, CVN numbers, and email addresses. Although Pizza Hut issued a statement saying it quickly detected the breach and immediately remedied the situation, several customers tweeted comments about how long it took to disclose data breach details. A number of people had their bank accounts drained of funds.

Pizza Hut is considered the sixth largest fast-food chain in the world based on the number of locations globally. It is offering all of the 60,000 individuals potentially impacted by the cyber theft a free credit monitoring service for a year through Kroll Information Assurance LLC.

This is not the first time a large-scale restaurant chain has been targeted by cyber criminals this year. Other restaurants include Arby’s, Chipotle Mexican Grill, and Shoney’s. The recent Sonic breach compromised the private data of approximately five million customers.

Hyatt Hotels Corporation suffers second data breach in two years

On October 17, Brian Krebs reported that Chicago-based Hyatt Hotels Corporation publicly announced a data breach involving 41 of its hotels in 11 countries. China was impacted most, with 18 locations hit. Between March 18 and July 2, 2017, cyber criminals gained unauthorized access to customer payment card information.

Hackers breached POS terminals where information was manually entered or swiped. The cyber criminals stole cardholder names, card numbers, expiration dates, and internal verification codes. Hyatt launched an investigation involving third-party experts, law enforcement authorities and credit card companies.

In 2015, Hyatt was a victim of another data breach, which compromised credit card information at 250 locations within 50 different countries.

Hotels an increasing target of cybercrime

An article by data security firm Netsurion reports that cyber criminals are increasingly targeting hospitality chains, mainly due to the type of POS system used. Legacy (i.e., outdated) systems with integrated POS environments that run unsecured applications are unable to compete with modern, more stable POS solutions. Adding extra back-office data processors to the mix also makes personal data more vulnerable.

John Christly, global CISO for Netsurion, pinpointed five threats that hotel brands and franchisees need to be aware of:

Ransomware
Remote hacking through third-party vendors
Phishing scams targeting customers and hotels
Distributed denial-of-service (DDoS) attacks on the hotel network
Theft of personal information over public Wi-Fi

The increase in hotel breaches affirms the need for Congress to take a closer look at the information security needs of retailers and hospitality chains when formulating its national cybersecurity regulations.

Protect your retail, restaurant or hospitality chain from cybercrime

As cybercriminals find new ways to infiltrate POS systems and mobile apps, it’s becoming more and more necessary to implement an effective information security management system (ISMS). An ISMS is a centrally managed framework for keeping an organization’s private information safe. The policies, procedures, and technical and physical controls you put in place will help to protect the confidentiality, availability and integrity of the information you process.

ISO 27001 is the international standard describing an appropriate ISMS implementation to protect your organization. To learn more, you can download ISO 27001: The facts. This free guide explains how the Standard works, how to navigate your compliance program, and the benefits of obtaining certification from an ISO 27001-accredited firm.
