In 2016, 89% of all attacks involved financial or espionage motivations. 30% of phishing messages were opened in 2016 – up from 23% in the 2015 report. 95% of breaches and 86% of security incidents fall into nine patterns. 70% of cyber attacks use a combination of phishing and hacking.
Do you really know how good your employees are at detecting phishing and social engineering attacks? Know Before is an excellent service to give you that data before it happens.
Upstream Security’s 2020 Automotive Cybersecurity Report shares in-depth insights and statistics gleaned from analyzing 367 publicly reported automotive cyber incidents spanning the past decade, highlighting vulnerabilities and insights identified during 2019.
Automotive-related cybersecurity incidents surge
“With the rapid rise of attacks on the automotive industry, OEMs and smart mobility providers need extensive visibility and clarity into the threat landscape, helping them design the proper security architecture spanning their vehicles and cloud environments,” said Oded Yarkoni, Upstream Security’s VP of Marketing. “Our annual automotive cybersecurity report shows that the threats faced by the entire industry are real and increasingly more prevalent.”
Upstream’s 2020 Automotive Cybersecurity Report introduces some of the key findings of the AutoThreat Intelligence research team for 2019 as well as solutions used by the industry going forward:
Connected vehicles are already taking over: 330 million vehicles are already connected, and top car brands in the US market have stated that only connected vehicles will be sold by 2020. This fact alone exponentially increases the potential damage of each attack. A wide-scale attack could potentially disrupt an entire city and even lead to catastrophic loss of lives.
The number of automotive cybersecurity incidents has increased dramatically: Since 2016, the number of annual incidents has increased by 605%, with incidents more than doubling in the last year alone.
Most incidents are carried out by criminals: 57% of incidents in 2019 were carried out by cybercriminals to disrupt businesses, steal property, and demand ransom. Only 38% were the result of researchers with the goal of warning companies and consumers of discovered vulnerabilities.
A third of all incidents involved keyless entry attacks: The top three attack vectors over the past ten years were keyless entry systems (30%), backend servers (27%), and mobile apps (13%).
Everyone is affected, from automotive companies to consumers: over the past ten years, every type of company in the smart mobility system was affected. This includes OEMs, fleets, telematics and after-market service providers, and ride-sharing services, along with consumers who have had their property and private information stolen.
A third of incidents resulted in car theft and break-ins: The top three impacts of incidents over the past ten years were car thefts/break-ins (31%), control over car systems (27%), and data/privacy breaches (23%).
The vast majority of incidents in 2019 involved remote attacks: 82% of incidents in 2019 involved short and long-range remote attacks, which do not require physical access to the vehicle and can be carried out from anywhere in the world.
Awareness is increasing: More automotive vulnerabilities are being listed, with 66 CVEs listed to date. The use of bug bounty programs, which has been popular in enterprise infosec, is on the rise as more automotive companies adopt it as a way to discover vulnerabilities. These programs offer compensation to researchers (white hat hackers) who discover and report vulnerabilities to the owner company. Additionally, government officials and consumers are demanding regulations and laws to protect them against cybercrime in the automotive space.
The industry is adopting a multilayered security approach: This involves new regulations and standards, security by design, in-vehicle and cloud-based automotive cybersecurity solutions, and expanding SOCs to VSOCs (Vehicle Security Operations Centers) for early detection and rapid remediation.
Excellent article by J.M. Porup
Full article available here: https://www.csoonline.com/article/3505816/are-we-running-out-of-time-to-fix-aviation-cybersecurity.html
Shipping giant Maersk suffered close to half a billion dollars in losses in 2017 when it was infected by the NotPetya sabotageware. Maersk was not even a target of that attack. Could the same thing happen in aviation?
The realization is beginning to dawn on the aviation sector that, yes, it could. In the Maersk attack, the business was hit, not the vessels. But as security researcher Chris Kubecka reported last month, cybersecurity risks in aviation extend to planes in the air.
Modern aircraft are “flying data centers” that “travel around the globe,” but the aviation industry poorly understands how to protect passengers from cybersecurity risk, according to a new report from the Atlantic Council on aviation cybersecurity.
Now, without fully understanding the risk, without the technical expertise to mitigate that risk, and without sufficient financial or regulatory incentives to do so, the industry is stumbling into the future, and hoping nothing bad happens while they figure things out.
If the aviation industry seems unprepared to meet this challenge, the new report offers insight into what’s holding it back.
Risks and rewards of going digital
The aviation industry has leapfrogged ahead of security to reap the efficiency gains to be had from rapid digitization, and is now looking over its shoulder realizing security issues can come back to bite it at any moment, with consequences ranging from disruption of land-based systems, to malware infections of aircraft, or even — at the extremely unlikely end of the spectrum — a class break that affects hundreds or thousands of aircraft all at once.
A Luddite might say leaving analog behind was a mistake. But the efficiency gains from the shift to digital should not be underestimated, Pete Cooper, an aviation cybersecurity expert at the Atlantic Council, tells CSO, pointing out that aircraft safety has improved with more granular data collection. “For example, if data from a system means that you service it based off its actual operating life and not arbitrary dates/times, it can drastically reduce engineering downtime,” he says. “Additionally, if that system data suddenly shows a high rate of wear (for example), then it means that it can be brought in early for checking based on condition.”
Increased data collection also leads to more efficient flight paths, reduced flight times, lower fuel usage and CO2 emissions, and so forth, he points out.
The flip side of that coin, however, is the risk of a catastrophic cybersecurity incident. Unlike analog safety issues, such as a part wearing out or a flawed procedure that leads to pilot error, security issues, like the software they corrupt, scale. It only takes a single vulnerability for another Petya or NotPetya to happen.
Safety vs. security
Flying remains one of the safest ways to travel, and that’s due in large part to continuous efforts to improve air safety. Cultural norms in aviation have rewarded and incentivized a whistleblowing culture, where the lowliest mechanic can throw a red flag and stop a jet from taking off if he notices a potential safety issue.
Contrast that with the often-fraught issue of reporting security vulnerabilities, where shame and finger-pointing and buck passing are the norm. The report highlights the problem, writing, “Across much of the cybersecurity landscape, there arguably remains a stigma about discussing cybersecurity vulnerabilities and challenges that go beyond managing sensitive vulnerabilities.”
A wormable exploit or a backdoored software update — like the backdoored MeDoc software update that started the Petya worm — could cause safety issues at scale. It’s unclear that the aviation industry’s traditional safety thinking is sufficient to meet this challenge.
For instance, the report calls out the need for greater information sharing on aviation cybersecurity threats, acknowledging the risk of a Maersk-like scenario and observing rather drily that “other sectors have seen the scale and costs from a single vulnerability and ‘wormable’ exploit. Given the criticality of the sector, combined with disruptions that could scale rapidly, there remains much to do to understand the aviation-cybersecurity landscape.”
The report also calls out the growing awareness that good-faith security researchers are needed, but figuring out how to deal with them is causing some consternation in the industry. “There was strong agreement that good-faith researchers were a positive thing for the aviation industry, but perspectives on guidance, legal clarity, and ease of vulnerability disclosure all remain unclear or difficult to navigate,” the report notes.
In the meantime, fasten your seatbelt and stow your tray table. We may be in for some turbulence before we get where we all want to go.