Welcome to the October 2024 edition of IoT Insider, your go-to source for the latest news and trends in the world of Internet of Things. In this edition, we bring you a curated selection of news and regulations to keep you informed and empowered in the digital age.

1.    Cyber Threats on the Rise | Protect Your Digital Fortress!

As technology advances, so do the risks. We highlight the latest cyber threats making headlines, from sophisticated ransomware attacks to data breaches affecting millions.

• American Water restores network connections following cybersecurity event. The nation's leading water and wastewater utility firm, American Water, has commenced the reconnection of its systems infrastructure after a proactive shutdown in response to a cybersecurity threat disclosed on October 7. Serving over 14 million residents in 14 states, along with 18 military bases, the company confirmed in an October 10 update that there were no indications of the cyber event affecting its water or wastewater treatment processes.
• Hospital operator under cyber attack in Germany – EU. Johannesstift Diakonie in Berlin faced a ransomware attack. The care of itself was luckily not at risk. Some operations have been postponed is due to the incident.
• GorillaBot unleashes 300K cyber assaults globally. GorillaBot was launching 300,000 attacks, affecting 20,000 organizations worldwide. GorillaBot is based on the Mirai code and holds more DDoS attack methods, in total 19. Includig DDoS floods via UDP, TCP Syn and ACK packet. It is a so called multivector attack.
• Cyberattack on Hubergroup: Regional IT systems compromised. The Hubergroup, a world-leading manufacturer of printing inks, has become the target of a cyber attack. The SAP system, the Internet and also production have been restricted for almost two weeks
• DrayTek router at risk facing 14 vulnerabilities. Several of the flaws enable remote code execution and denial-of-service attacks, while others enable data theft, session hijacking, and other malicious activity.
• OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks. A report published this week by OpenAI reveals that the artificial intelligence company has disrupted more than 20 cyber and covert influence operations since the beginning of the year, including the activities of Iranian and Chinese state-sponsored hackers. The report highlights the activities of three threat groups that have abused ChatGPT to conduct cyberattacks. One of these threat actors is CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has made headlines this year for its attacks on the water sector. The group has targeted industrial control systems (ICS) at a water utility in Ireland (the attack left people without water for two days), a water utility in Pennsylvania, and other water facilities in the United States. These attacks did not involve sophisticated hacking and instead relied on the fact that many organizations leave ICS exposed to the internet and protected with easy to obtain default credentials. 
• Cyber attack on 13 healthcare facilities in Colorado - US. The attack was claimed by the Rhysida ransomware gang, which demanded more than $1.5 million to unlock the data. Researchers found 14,004 unique IP addresses exposing healthcare devices and data systems connected to potentially sensitive medical information on the public internet. 

2.    Global Cybersecurity Regulations | Navigating the Compliance Maze

Governments worldwide are tightening their grip on cybersecurity regulations. Stay updated on the latest compliance requirements, privacy laws, and data protection regulations that can impact businesses and individuals alike. We decode complex jargon and provide practical insights to help you navigate the compliance maze effortlessly.

Cyber Resilience Act (CRA)

The Cyber Resilience Act, adopted by the European Council on October 10, 2024, marks a major step forward in enhancing the security of digital products across the European Union. The new law sets strict cybersecurity requirements for hardware and software products, ensuring that they are more resistant to cyberattacks throughout their lifecycle.

• Scope: The CRA applies to any product with digital elements, including software, IoT devices, and connected consumer goods. This broad coverage ensures that a wide range of technologies must comply with the new cybersecurity rules.
• Security by Design: Manufacturers and developers must incorporate security measures into products from the design stage and maintain them through regular updates. This ensures that security isn't an afterthought but an integral part of product development.
• Vulnerability Management: One critical requirement is the need for ongoing vulnerability management. Companies will be responsible for identifying and mitigating potential security weaknesses, issuing patches or updates when necessary.
• Compliance and Certification: Products must meet specific cybersecurity standards, with certain categories requiring a CE marking to show compliance. This labeling process helps consumers and businesses identify products that meet the necessary security thresholds.
• Penalties for Non-Compliance: Non-compliance with the CRA can lead to fines of up to €15 million or 2.5% of the company's global turnover, whichever is higher. This mirrors the strong enforcement seen with the GDPR, signaling that the EU is serious about cyber resilience.
• Consumer Empowerment: The law also aims to give consumers more confidence when purchasing digital products. It ensures transparency about the security features and risks of products, enabling more informed decision-making.

Why This Matters? With increasing attacks on digital products, particularly those in the IoT and consumer technology sectors, the CRA is a timely and necessary regulation. It pushes companies to take proactive steps in securing their products and ensures a higher level of cybersecurity across the EU, safeguarding businesses and consumers alike.

Devices and areas excluded from the CRA include:

1. Medical Devices: Devices that are already covered by the EU Medical Devices Regulation (MDR) or In Vitro Diagnostic Medical Devices Regulation (IVDR) are excluded from the CRA, as these products already have strict cybersecurity requirements.
2. Aviation and Defense Equipment: Products used in military and defense sectors, as well as certain aviation technologies, are exempt due to the presence of existing security frameworks governing these fields, such as the EU Defense Directive.
3. Motor Vehicles: Products regulated under the Regulation (EU) 2019/2144 on the type approval of motor vehicles are also excluded. This regulation already imposes stringent cybersecurity and safety requirements specific to automotive systems.
4. Large-Scale Industrial Systems: Certain large-scale industrial control systems (ICS) and OT (Operational Technology) systems might fall outside the CRA if they are covered by other sector-specific regulations, such as the NIS2 Directive for critical infrastructure.
5. Custom-Built and Non-Mass Market Products: Devices or software that are custom-developed and not sold to the mass market are typically excluded from CRA compliance. These include systems built for specific professional or industrial use.

Principles of OT Cyber Security

• Principles of Operational Technology Cybersecurity , has been released the October 1, 2024 by the Australian Cyber Security Centre (ACSC) in collaboration with CISA and international partners. The guide provides crucial information for organizations aiming to secure their operational technology (OT) environments, particularly those in critical infrastructure (CI) sectors.

Network and Information Security (NIS2)

• NIS2 : By October 17, 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from 18 October 2024. By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.
• By 17 January 2025 the Cooperation Group shall, establish, with the assistance of the Commission and ENISA, and, where relevant, the CSIRTs network, the methodology and organisational aspects of peer reviews with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Member States’ cybersecurity capabilities and policies necessary to implement this Directive. Participation in peer reviews is voluntary. The peer reviews shall be carried out by cybersecurity experts. The cybersecurity experts shall be designated by at least two Member States, different from the Member State being reviewed.
• By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.
• By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.
• By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.

Critical Entities Resilience Directive (CER)

• The Critical Entities Resilience Directive (CER) is a pivotal piece of legislation adopted by the European Union. As the directive comes into effect on October 18, 2024, it is crucial for organizations in the affected sectors to prepare for compliance and understand the implications of this legislation. This directive aims to bolster the resilience of critical entities across various sectors to ensure the continuous provision of essential services amid increasing physical and digital threats.
• Objective and Scope: The directive addresses a comprehensive range of risks that can disrupt essential services and establishes a unified framework to enhance resilience across critical sectors, such as energy, transport, banking, and health
• Implementation Timeline: Member States are required to identify their critical entities by July 17, 2026. Following this identification, these entities will have specific resilience obligations that must be adhered to within a defined timeframe
• Compliance Requirements: Critical entities must conduct their own risk assessments, implement necessary security measures, and report significant incidents to national authorities

Product Security Bad Practices

CISA’s "Product Security Bad Practices " published on October 16, 2024:

1. January 1, 2026: Memory safety roadmaps must be published for products using memory-unsafe languages.
2. After January 1, 2026: Products must support multi-factor authentication (MFA) by default for administrator accounts.
3. Before January 1, 2030: Products must transition from default passwords to instance-unique credentials.

It highlights practices that introduce significant cybersecurity risks, especially to critical infrastructure. The key bad practices identified include:

1. Use of unsupported software (no longer receiving security updates).
2. Use of known, fixed, or default passwords.
3. Use of outdated protocols or cryptography.

Software manufacturers should avoid memory-unsafe languages, SQL and command injection vulnerabilities and should addressing known exploitable vulnerabilities.

3. Industry Spotlight | Cutting-Edge Innovations in Cyber Defence

Discover groundbreaking advancements and innovative technologies in the world of cyber defence. From artificial intelligence and machine learning to blockchain and quantum computing, we explore how these game-changing technologies are revolutionizing the fight against cyber threats. Get inspired by success stories and learn how to implement these solutions in your own digital ecosystem.

October’s topic: Cryptojacking attacks on IoT

Cryptojacking, the unauthorized use of devices to mine cryptocurrency, poses a serious threat to IoT systems due to their generally weaker security controls. Attackers compromise these devices, turning them into part of a cryptocurrency mining network, often without the owner's knowledge. A notable case involves the Romanian hacker group Outlaw, which exploited Linux servers and IoT assets to mine Monero. These attacks are devious and often go unnoticed by the victim. On smaller IoT assets these attacks drain system resources, increase operational risk, performance degradation and security breaches.

To combat cryptojacking, strong authentication, regular updates and robust monitoring are essential.

4. Expert Interviews | Insights from Cybersecurity Gurus

Gain exclusive access to interviews with industry experts, thought leaders, and cybersecurity gurus. Uncover their strategies, predictions, and best practices to protect yourself, your organization, and your loved ones from the ever-evolving cyber landscape. Stay updated on emerging trends, emerging threats, and expert tips to stay cyber resilient.

The success story of Heights Telecom and Check Point

Heights Telecom has partnered with Check Point Software Technologies to enhance home network security through their new Heights Cyber Dome solution. This initiative addresses the increasing risks faced by home routers, which have evolved from simple internet conduits to critical components of smart home ecosystems. The partnership aims to provide a proactive security framework that integrates Check Point's Quantum technologies, ensuring comprehensive protection against emerging cyber threats. As the article notes, “the convenience of smart devices comes at a cost,” making robust security essential. Read more here or here .

5. Cybersecurity Awareness Corner | Empowering You with Knowledge

Knowledge is power! Our cybersecurity awareness corner equips you with practical tips, best practices, and actionable advice to enhance your online safety. Learn how to spot phishing attempts, secure your passwords, protect your personal information, and stay safe in the digital world. Be the cybersecurity champion your friends envy!

Did you know you can test our Embedded IoT Security Solution?

Testing the Nano Agent IoT security solution is crucial for real-world scenarios because it demonstrates how easily IoT devices can be compromised by common attacks like brute force login attempts and command injection. By interacting with live attack simulations, such as the brute force attack and network scanning tools, users can see how Nano Agent’s advanced protection effectively blocks these threats. With security disabled, attackers bypass device controls, but enabling the Nano Agent stops them, showcasing its critical role in safeguarding IoT systems from exploitation.

This hands-on test experience highlights the value of integrating the Nano Agent solution into IoT infrastructures to prevent escalating risks and making it Cyber Resilient!

You can test it here (an account at our portal is required) or ping me and I will share the scenario and links with you!

We hope you find this edition of The IoT Insider both informative and engaging. Stay tuned for more exciting updates in the next edition, where we'll dive deeper into the world of cybersecurity. Remember, vigilance and knowledge are key to staying safe in our interconnected world.

Stay secure, stay informed, and stay one step ahead!