The New Deal for Buildings is hosting a Cybersecurity Summit at the AHR Expo 19 in Atlanta GWCC (Room B310) on Tuesday, January 15, 2019. The Summit will bring together industry thought leaders to review the current status of cybersecurity in the BAS industry, discuss the impending release of BACnet/SC [Read more…]
A LIVE WEBINAR
Prevent Security Risks of 3rd-Parties Vendor Remote Access Across Building Operations
When: Tuesday, November 20, 2018, 9 am PT/ Noon ET
Practically every commercial facility relies on vendors for critical IT tasks, giving them privileged access to building systems, and making networks increasingly vulnerable to a security breach.
Attend this webcast and learn [Read more…]
In an effort to keep the ControlTrends Community in the loop during Cybersecurity Month, here is an interesting update on how IoT devices including microwaves, toys, thermostats, and security cameras are to be secured. Of particular interest was the My Friend Cayla Smart Doll — a prime target for cyber hackers, who can use the toy’s technology to spy on families and collect private information — because the doll is designed to collect and transmit everything it hears to a voice recognition company. Yikes!
In short, the bills basically direct IoT device manufacturers to equip their devices with reasonable security features, requiring companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.
AUTHOR: THEO DOUGLAS OCT 8, 2018. SOURCE: GOVERNMENT TECHNOLOGY (TRIBUNE NEWS SERVICE).
Gov. Jerry Brown has signed two bills that could make manufacturers of Internet-connected devices more responsible for ensuring the privacy and security of California residents.
The governor’s office announced on September 28 that Brown had signed the legislation, Assembly Bill 1906 and Senate Bill 327. He had until the end of the day on Sept. 30 to do so. Both bills will become law in about 15 months, on Jan. 1, 2020. That delayed effect, one of the lawmakers behind the legislation said, is designed to hold industry accountable but not stifle innovation or unduly burden it with regulation. Senate Bill 327 is the older of the two and was introduced in Feb. 2017 by state Sen. Hannah-Beth Jackson, D-Santa Barbara, but as currently amended, the senator told Government Technology, is “pretty much a mirror” of AB 1906, introduced in January by Assemblywoman Jacqui Irwin, D-Thousand Oaks.
Both require manufacturers of connected devices to equip them with a “reasonable security feature or features” that are appropriate to their nature and function, and the information they may collect, contain or transmit — and are designed to protect the device and its information from “unauthorized access, destruction, use, modification or disclosure.”
The bills also specify that if such a device has a “means for authentication outside a local area network,” that will be considered a reasonable security feature if either the preprogrammed password is unique to each device made; or the device requires a user to create a new “means of authentication” before initial access is granted.
They define “connected device” as a device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet.
Jackson said she’s had “concerns about privacy issues for many, many years,” and was prompted to act last year after hearing from constituents and learning that the My Friend Cayla smart doll, which had been banned in Germany due to concerns about the safety of children, had not been banned in the U.S. She questioned how IoT devices including microwaves, thermostats and security cameras were secured and was shocked by the lack of security she found.
“This bill basically directs those manufacturers to equip their devices with reasonable security features,” Jackson said, adding she thinks the legislation is “the first of its kind” calling on companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.
However, the question of what defines a “reasonable security feature or features” is one of several that industry groups — among them, the Security Industry Association, the National Electrical Manufacturers Association (NEMA) and the California Manufacturers and Technology Association (CMTA) — cited in their opposition to AB 1906.
In a statement provided to GT, the CMTA said the bills are an attempt to “create a cybersecurity framework by imposing undefined rules on California manufacturers,” but instead create a loophole allowing imported devices to “avoid implementing any security features.” This, it said, makes the state less attractive to manufacturers, less competitive and increases the risk of cyberattacks.
“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers, but will drive away California manufacturing investment,” the CMTA said.
The Entertainment Software Association, one of three industry groups including NEMA that are opposed to SB 327, said existing law already requires manufacturers to set up “reasonable privacy protections appropriate to the nature of the information they collect.”
Jackson said the bills still leave it to industry to use “their best judgment” to determine reasonable security and disagreed with the idea that the bills might create a loophole for imported devices.
“The concern, I think, is misplaced, because when the products are sold in this country, they will have to meet those standards even if they’re manufactured elsewhere,” she said.
State law would have allowed the bills to become law if they were neither signed by Brown nor vetoed — but both pieces of legislation specified they must be signed by the governor and can only become law if the other bill is also signed. A member of Jackson’s staff characterized this as a provision aimed at ensuring both houses remain on the same footing.
Editor’s Note: This story has been updated to indicate that the Governor signed both pieces of legislation. An earlier version was published before this was reported.
Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor’s degree in Newspaper Journalism and a Master’s in History, both from California State University, Long Beach.
©2018 Government Technology
Visit Government Technology at www.govtech.com
Distributed by Tribune Content Agency, LLC.
October is National Cybersecurity Awareness Month (NCSAM). NCSAM is a collaborative effort between DHS and its public and private partners—including the National Cyber Security Alliance (NCSA)—to raise awareness about the vital role cybersecurity plays in the lives of U.S. citizens. NCCIC will be participating in NCSAM through weekly posts in the Current Activity section of the NCCIC website. Over the course of the month, these will touch on
NCCIC encourages users and administrators to review the Stay Safe Online NCSAM page and the Stay Safe Online NCSAM Events page for additional information and details on NCSA events.
Controlco’s Chip Cummings tells the ControlTrends Community about KODARO’s packaged analytics for contractors, which is coupled with the TOSIBOX for an encrypted secure network, OPTIGO for speed-of-light data processing and integrity, and the Dell Edge Gateway with ported Niagara 4. Visit KODARO for more information.
Introducing Cyber Power Systems Power Management Solutions from the Edge to the data center. REGISTER NOW!
• Introduction of CyberPower
• BAS34U24V Product Launch / market relevance/IT vs OT networks
• Learn about the importance of powering and protecting equipment and controls at the edge
• Partner Benefits / Product training
• Question & Answer
Dan Niewirowicz, Special Projects Group
Scott Koller, Vice President of Channel Sales
Who Should Attend? CGNA Customer Contractors are welcome!
Cyber Power Systems (USA), Inc., Shakopee, Minn. – Cyber Power Systems (USA), Inc., a leader in power protection and management products, today introduced an uninterruptible power supply (UPS) system designed to protect building and industrial controls and devices from power failure, interruptions, over-voltages and surges. The CyberPower BAS34U24V protects controller and server platforms, networking devices, data loggers, remote facility monitors, and other equipment from power disruptions to avoid loss of vital data and service failures. The UPS system is the first in a series of automation power-protection products to safeguard equipment within building automation systems (BAS), energy management systems (EMS) and other production-related systems which run smart buildings and factories.
CyberPower is launching the product at the 2018 ASHRAE Winter Conference and AHR Expo for the HVAC and controls industries, January 22-24, at McCormick Place in Chicago. During the AHR Expo, CyberPower will feature product briefings at booth #4058 in the Building Automation and Control Showcase at McCormick Place. The product is compliant with the Construction Specification Institute (CSI) Division 25 standard for integrated building automation regarding facility controller backup.
The CyberPower BAS34U24V serves the growing shift from siloed building systems to an interconnected system of Internet of Things (IoT) devices and sensors that collect and share data within and across portfolios. According to research by IHS Markit, there are more than 4.3 million IoT devices in use in the commercial and industrial electronics sector which includes smart buildings and factories, contributing to more than 27 billion connected IoT devices worldwide in 2017.
A UPS system engineered for control panels and edge networks
Designed for IoT technologies, the BAS34U24V is a UPS system featuring line-interactive topology to regulate voltage without having to switch to the battery.
“Today’s smart buildings and industrial systems rely on computing and analytics placed close to the network edge. The CyberPower BAS34U24V protects connected edge devices on the plant or building floor, such as controllers and sensors, from damaging power events like surges, spikes and black-outs. The unit provides a continuous flow of clean power to ensure efficient building and equipment operation that, in turn, will flow clean data and analytics to maintain accurate building management,” said Tim Derochie, director of product management at CyberPower.
The UPS system provides DC power supply, surge protection and an internal, space-saving backup battery for long-lasting protection. Features of the CyberPower BAS34U24V include:
Compact form factor and DIN rail mount allows for secure installations inside controller cabinets.
A high-density lithium-ion battery and an innovative electronic design with DC output yield an extended battery runtime of up to four hours at 80 percent rated capacity. SNMP, an internet-standard management protocol, provides critical information and alerts, such as remaining battery runtime and power conditions. Regulatory and safety certifications for the UPS system include UL 60950-1 and FCC Class B.
About Cyber Power Systems (USA), Inc.
CyberPower designs and manufactures uninterruptible power supply systems, power distribution units, surge protectors, remote management hardware, power management software, mobile chargers and connectivity products. The company serves customers in enterprise, corporate, industrial, government, education, healthcare and small office/home office environments. CyberPower products are available through authorized distributors and sold by value-added resellers, system integrators, managed service providers, select retailers and online resellers.
For more information, visit: www.cyberpowersystems.com.
Cyber Power Systems (USA), Inc.
Tim Madsen, 952-403-9500
It’s not just smart buildings: any commercial building built or renovated in the past 30 years is what you should worry about.
Long before the smart buildings concept, digital, Internet-connected control systems such as HVAC, lighting, and elevators were being installed and managed by non-IT people: architects, engineers, contractors and property managers. Without IT best practices, much less cybersecurity requirements, there is significant exposure to:
* Life Safety Risks
* Equipment Failure
* Productivity Loss
* Network Hopping
* Brand Damage
This webinar will address the cybersecurity condition that afflicts nearly all commercial building stock, what you can do about it and how to get started. We will cover:
* Legacy Building Controls Technology and Connectivity
* Risk Areas and Consequences
* Stakeholders Roles and Responsibilities
* Case Study Examples
* Step by Step Plan to Remediate
Episode 255: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Feb 18, 2018 features our interview and cyber security discussion with two of our industry’s most venerated experts from Intelligent Buildings, Darryl Benson and Fred Gordy. Darryl and Fred offer the ControlTrends Community some astute advice and pose an interesting question to system integrators: Do you want to maintain the cyber security risks [Read more…]
Mitigating Meltdown and Spectre Vulnerabilities
Dear valued partner,
On January 3, 2018, a group of researchers from Google Project Zero, Cyberus Technology and several universities revealed two major flaws in computer chips that could leave a huge number of computers and smartphones vulnerable to security concerns. Called “Meltdown” and “Spectre,” the flaws exist in processor families and could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer. Researchers indicate almost every computing system – desktops, laptops, smartphones, and cloud servers – is affected by these flaws.
Tridium takes the security of our customers and products seriously. Upon learning about this CPU issue, we began a company-wide product review to determine which of our devices are affected, and what corrective actions are necessary. Our findings to date are summarized below.
IMPACTED TRIDIUM PRODUCTS:
Niagara Supervisor running on Windows or Linux
If you have a Niagara Supervisor that runs on Windows or Linux, your machine may be affected.
Recommended Customer Actions:
* Update your operating systems with the latest patches, making sure that your organization has a patch management plan that is always executed.
* For Windows, please follow the instructions from Microsoft for patching your systems. You may access this information via this link.
* For Linux, please follow the instructions for Red Hat for patching your systems. You may access this information via this link.
* Ensure anti-virus software is up-to-date.
* Ensure that your Supervisor machine, which is a mission-critical system, is not being used for email access or general web browsing. The Spectre/Meltdown threats require malware be executed on a target machine. Malware attacks typically come from malicious web links, malware-based email attachments and infected USB disks.
* Control physical access to your mission critical systems to prevent attackers from using infected USB disks to infect your machines. Physical security is critical, and your systems must be protected.
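As an added example (not part of Tridium’s bulletin), here is a quick way to confirm, on a Linux Supervisor host, whether the kernel you patched actually reports mitigations for the three flaws. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15 and later, plus distribution kernels that backported the interface); the SAMPLE dictionary is constructed so the script also runs offline, and reflects a host where the Meltdown fix landed but the Spectre v2 mitigation did not.

```python
"""Report kernel-advertised Spectre/Meltdown mitigation status on a Linux host.

Added example, not Tridium code. Assumes the sysfs 'vulnerabilities' interface
(kernel 4.15+ or a backport). SAMPLE is constructed for offline use.
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample of what a partially patched Supervisor might report.
SAMPLE: Dict[str, str] = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def classify(status: str) -> str:
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"   # empty or unrecognised text: treat as not proven safe


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read each flaw's status file; a missing file (old kernel) yields an empty string."""
    out: Dict[str, str] = {}
    for flaw in FLAWS:
        try:
            with open(os.path.join(directory, flaw)) as fh:
                out[flaw] = fh.read()
        except OSError:
            out[flaw] = ""
    return out


def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify every flaw; flaws absent from the input count as unknown."""
    return {flaw: classify(statuses.get(flaw, "")) for flaw in FLAWS}


def needs_patching(statuses: Dict[str, str]) -> bool:
    """True when any flaw is reported vulnerable or the kernel cannot report at all."""
    return any(v in ("vulnerable", "unknown") for v in assess(statuses).values())


if __name__ == "__main__":
    live = read_sysfs() if os.path.isdir(SYSFS_DIR) else SAMPLE
    for flaw, verdict in assess(live).items():
        print(f"{flaw:12s} {verdict:12s} {live.get(flaw, '').strip()}")
    print("ACTION: apply kernel/microcode updates" if needs_patching(live) else "OK")
```

A kernel that lacks the interface altogether is reported as unknown rather than safe, because on a mission-critical Supervisor the absence of evidence should trigger a patch review, not a pass.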
We are continuing to work with our vendors in our investigation, but at this point, we know the following:
* The JACE 2/3/6/7 families use a much older PPC architecture, and the processor vendor has determined that they are not susceptible to Spectre and Meltdown.
The JACE-8000 is not affected by Meltdown.
The JACE-8000 uses an ARM chip that is reportedly vulnerable to a Spectre attack. The vendor of the operating system of the JACE is doing further investigation into what patches could possibly apply. Tridium will be working closely with them to determine what OS changes, if any, should be made to mitigate any threat. In the meantime, Tridium has employed significant security measures that mitigate the threat of malware executing on a device.
A Spectre attack requires malware execution. The security controls that are employed by the JACE-8000 include (but are not limited to) the following:
* Niagara’s JACE-8000 employs a “secure boot” process, providing integrity validation of the image at boot time, providing non-repudiated assurance that the root image wasn’t tampered with.
* Niagara 4 employs integrity validation of the core framework at run-time, validating the digital signatures of all Niagara run-time components, ensuring that core Tridium Software has not been tampered with.
* Niagara 4’s Security Manager provides malware prevention by “sandboxing” third party modules, restricting installed software to a limited set of permissions, and terminating execution of any installed software that attempts unauthorized privileges.
* Niagara limits administrative controls and access to sensitive areas of Niagara to authenticated administrators with platform access.
It is important to understand that the security of your Niagara system also revolves around how your system is configured on your network. Please refer to the following documents to ensure that your systems are up-to-date with best practices:
* Niagara AX Hardening Guide (Step-by-Step Guidance for securing your AX systems)
* Niagara 4 Hardening Guide (Step-by-Step Guidance for securing your Niagara 4+ systems)
* TridiumTalk on Cybersecurity – “Defending Your Business Against Cyber Threats” (One hour webinar on Cybersecurity best practices in your organization)
* Q&A from TridiumTalk on Cybersecurity
* Tridium Cybersecurity White Paper
If you have any questions, please contact your Tridium account manager or contact Customer Support via firstname.lastname@example.org.
Homeland Security Advisory TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer. Original release date: November 14, 2017. Systems Affected: Network systems
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
MAR IOCs (.stix)
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.
The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
India (772 IPs) 25.4 percent
Iran (373 IPs) 12.3 percent
Pakistan (343 IPs) 11.3 percent
Saudi Arabia (182 IPs) 6 percent
Taiwan (169 IPs) 5.6 percent
Thailand (140 IPs) 4.6 percent
Sri Lanka (121 IPs) 4 percent
China (82 IPs, including Hong Kong (12)) 2.7 percent
Vietnam (80 IPs) 2.6 percent
Indonesia (68 IPs) 2.2 percent
Russia (68 IPs) 2.2 percent
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
Malicious actors commonly maintain persistence on a victim’s system by installing the malware as a Windows service. Volgmer queries the system and randomly selects an existing service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service’s registry key, so that the legitimate service host loads the malicious DLL. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.
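The persistence mechanism above suggests a straightforward hunt: compare every service’s ServiceDll value against a known-good baseline and flag entries that changed, that appeared in a service you have never seen, or that point outside System32. The script below is an added example and is not part of the TA. It parses the text that Windows prints for `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll`; the baseline, the “current” output and all service names and paths in them are constructed placeholders, not Volgmer indicators.

```python
"""Diff current ServiceDll registry values against a known-good baseline.

Added example, not from TA17-318B. Input format is the output of:
    reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
All data below is constructed; the names and paths are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline taken from the same host while it was known-good.
BASELINE: Dict[str, str] = {
    "Dhcp": r"%SystemRoot%\system32\dhcpcore.dll",
    "lmhosts": r"%SystemRoot%\System32\lmhsvc.dll",
    "Schedule": r"%systemroot%\system32\schedsvc.dll",
}

# Constructed 'current' reg query output: one existing service has had its DLL
# swapped, and a new service with an odd name has appeared.
CURRENT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\Temp\lmhsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpNetSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\winhelpnet.dll
"""

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\s*$", re.I)
VAL_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)


def parse_reg_query(text: str) -> Dict[str, str]:
    """Return {service_name: ServiceDll value} from reg query output."""
    services: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and current:
            services[current] = m.group(1)
    return services


def normalise(path: str) -> str:
    """Fold case and the %SystemRoot% variable so equivalent paths compare equal."""
    return path.lower().replace("%systemroot%", r"c:\windows")


def in_system32(path: str) -> bool:
    return normalise(path).startswith(r"c:\windows\system32\\"[:-1])


def hunt(current_text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (service, finding, dll) for every suspicious ServiceDll entry."""
    findings: List[Tuple[str, str, str]] = []
    for svc, dll in parse_reg_query(current_text).items():
        if svc not in baseline:
            findings.append((svc, "new service with ServiceDll", dll))
        elif normalise(baseline[svc]) != normalise(dll):
            findings.append((svc, "ServiceDll changed from baseline", dll))
        if not in_system32(dll):
            findings.append((svc, "ServiceDll outside System32", dll))
    return findings


if __name__ == "__main__":
    for svc, what, dll in hunt(CURRENT, BASELINE):
        print(f"{svc:16s} {what:34s} {dll}")
```

The baseline diff is the check that matters: a DLL dropped next to the real one inside System32 would pass the path heuristic, so in practice pair this with hashing the referenced DLLs, and re-capture the baseline after every legitimate patch cycle.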
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
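The review described above is mechanical enough to script. The added example below (not part of the TA) does the two checks the TA asks for: whether any IOC address falls inside the organisation’s own allocated space, and which perimeter log lines involve an IOC address, then ranks outbound, permitted connections on the beacon ports named later in the alert (8080 and 8088) as the likeliest sign of an infected host. The IOC addresses, the organisation’s ranges and the log lines are constructed placeholders drawn from the RFC 5737 documentation ranges, not the TA’s real indicators, which must be taken from the TA’s IOC files.

```python
"""Match perimeter logs against an IOC IP list and check the list against
the organisation's own address space.

Added example, not from TA17-318B. Every address, network and log line here is
a constructed placeholder (RFC 5737 ranges and RFC 1918 space), NOT a real IOC.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed stand-ins for the TA's IOC IP list.
IOC_IPS = ["198.51.100.23", "203.0.113.77", "192.0.2.9"]

# Constructed organisation-owned ranges.
ORG_NETWORKS = ["192.0.2.0/24", "10.20.0.0/16"]

# Constructed firewall log lines in a simple key=value form.
SAMPLE_LOG = """\
2017-11-14T08:01:02Z src=10.20.4.15 dst=203.0.113.77 dport=8080 action=allow
2017-11-14T08:01:05Z src=10.20.4.16 dst=93.184.216.34 dport=443 action=allow
2017-11-14T08:02:11Z src=198.51.100.23 dst=10.20.0.5 dport=445 action=deny
2017-11-14T08:03:40Z src=10.20.4.15 dst=203.0.113.77 dport=8088 action=allow
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)")
BEACON_PORTS = {8080, 8088}   # ports the TA says Volgmer often beacons on


def iocs_in_own_space(ioc_ips: Iterable[str], org_networks: Iterable[str]) -> List[str]:
    """IOC addresses that sit inside the organisation's allocated ranges."""
    nets = [ipaddress.ip_network(n) for n in org_networks]
    return [ip for ip in ioc_ips if any(ipaddress.ip_address(ip) in n for n in nets)]


def match_log(log_text: str, ioc_ips: Iterable[str]) -> List[Dict[str, object]]:
    """Every log line whose src or dst is an IOC, with direction and the internal host."""
    iocs = {ipaddress.ip_address(ip) for ip in ioc_ips}
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst in iocs:
            hits.append({"line": line, "direction": "outbound", "ioc": str(dst),
                         "host": str(src), "dport": int(m["dport"]), "action": m["action"]})
        elif src in iocs:
            hits.append({"line": line, "direction": "inbound", "ioc": str(src),
                         "host": str(dst), "dport": int(m["dport"]), "action": m["action"]})
    return hits


def likely_infected(hits: List[Dict[str, object]]) -> Set[str]:
    """Internal hosts with allowed outbound connections to an IOC on a beacon port."""
    return {str(h["host"]) for h in hits
            if h["direction"] == "outbound" and h["action"] == "allow"
            and h["dport"] in BEACON_PORTS}


if __name__ == "__main__":
    print("IOCs inside our space:", iocs_in_own_space(IOC_IPS, ORG_NETWORKS))
    hits = match_log(SAMPLE_LOG, IOC_IPS)
    for h in hits:
        print(h["direction"], h["ioc"], h["host"], h["dport"], h["action"])
    print("hosts to triage first:", sorted(likely_infected(hits)))
```

Inbound scans from an IOC address that the firewall already denied are worth recording but are not evidence of compromise; an internal host completing outbound sessions to an IOC is, and it goes to the top of the queue.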
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Snort signature (matches the misspelled User-Agent string the malware sends):

alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)

YARA rule (a 32-bit PE file, identified by the MZ and PE magic values, containing the same string):

rule volgmer
{
    meta:
        description = "Malformed User Agent"
    strings:
        $s = "Mozillar/"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}
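To make the two rules concrete, here is an added example (not part of the TA) that implements the same checks in Python and runs them over constructed samples: the Snort `depth:500` constraint means the content must lie entirely within the first 500 bytes of the payload, and the YARA condition reads the little-endian `MZ` word at offset 0, follows the `e_lfanew` pointer at offset 0x3C, and expects `PE` there before looking for the string. The HTTP requests and the minimal PE-shaped blobs below are constructed; the host address is from an RFC 5737 range.

```python
"""Python equivalents of the TA's Snort content match and YARA rule.

Added example, not from TA17-318B. Sample requests and PE-shaped blobs are
constructed for illustration; none is a real Volgmer artefact.
"""
import struct

UA_MARKER = b"User-Agent: Mozillar/"   # content the Snort rule looks for
YARA_STRING = b"Mozillar/"              # $s in the YARA rule

# Constructed HTTP requests: malformed UA vs. a normal one.
BAD_REQ = (b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.77:8080\r\n"
           b"User-Agent: Mozillar/5.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n")
GOOD_REQ = BAD_REQ.replace(b"Mozillar/", b"Mozilla/")


def snort_match(payload: bytes, depth: int = 500) -> bool:
    """content:"User-Agent: Mozillar/"; depth:500 -> whole string inside first `depth` bytes."""
    return UA_MARKER in payload[:depth]


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D ('MZ') and uint16(uint32(0x3c)) == 0x4550 ('PE')."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):          # pointer past end: YARA would not match
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


def yara_match(data: bytes) -> bool:
    """Full rule: PE magic check AND the string present anywhere in the file."""
    return is_pe(data) and YARA_STRING in data


def build_fake_pe(body: bytes) -> bytes:
    """Construct a minimal PE-shaped blob: MZ header, e_lfanew=0x40, 'PE\\0\\0', then body."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + body


if __name__ == "__main__":
    print("snort bad :", snort_match(BAD_REQ))
    print("snort good:", snort_match(GOOD_REQ))
    print("yara bad  :", yara_match(build_fake_pe(b"\x90" * 32 + YARA_STRING + b"5.0\0")))
    print("yara good :", yara_match(build_fake_pe(b"Mozilla/5.0\0")))
```

The network rule has no port restriction and a generous depth, so it will also fire on any proxy log or pcap that happens to carry the string; the TA’s own caveat about false positives applies, and the PE magic check in the YARA rule is what keeps it from matching that same text in a capture file.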
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include
temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).