Ex-technician convicted of (possibly drunken) attack on smart water meter system

(credit: Alan Stanton)

The Internet of Things' "security through obscurity" has been proven once again to not be terribly secure thanks to an angry and possibly inebriated ex-employee. Adam Flanagan, a former radio frequency engineer for a company that manufactures remote meter reading equipment for utilities, was convicted on June 15 in Philadelphia after pleading guilty to two counts of "unauthorized access to a protected computer and thereby recklessly causing damage." Flanagan admitted that after being fired by his employer, he used information about systems he had worked on to disable meter reading equipment at several water utilities. In at least one case, Flanagan also changed the default password to an obscenity.

Flanagan's employer was not named in court documents. According to a plea agreement filing, Flanagan worked on a team that installed tower gateway base stations (TGBs)—communications hubs mounted on poles distributed across a utility's service area to communicate with smart meters. His work was apparently not up to his former employer's standards, however. In March of 2013, he received a poor annual performance review and was placed on a "performance improvement plan." He failed to meet expectations and was terminated in November of 2013.

Over the next few months, TGBs that Flanagan's employer had installed for a number of municipal water departments "developed problems," the Justice Department's sentencing memo stated. In December of 2013, employees of the water authority in Kennebec, Maine, found they couldn't connect to the utility's TGBs. This was a system Flanagan had installed, but the problems could not be directly attributed to him because the logs for the system weren't checked until February of 2014. By then, data from December had already been purged.


Task force tells Congress health IT security is in critical condition

Health IT's security problems run deep. (credit: Sean Gallagher)

A congressionally mandated healthcare industry task force has published the findings of its investigation into the state of health information systems security, and the diagnosis is dire.

The Health Care Industry Cybersecurity Task Force report (PDF), published on June 1, warns that all aspects of health IT security are in critical condition and that action is needed both by government and the industry to shore up security. The recommendations to Congress and the Department of Health and Human Services (HHS) included programs to drive vulnerable hardware and software out of health care organizations. The report also recommends efforts to inject more people with security skills into the healthcare work force, as well as the establishment of a chain of command and procedures for dealing with cyber attacks on the healthcare system.

The problems healthcare organizations face probably cannot be fixed without some form of government intervention. As the report states, "The health care system cannot deliver effective and safe care without deeper digital connectivity. If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security."


Nuclear plants leak critical alerts in unencrypted pager messages

(credit: fcpages.com)

A surprisingly large number of critical infrastructure participants—including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers—rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage.

Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory control and data acquisition system belonging to one of the world's biggest chemical companies sent a page containing a complete "stack dump" of one of its devices.

Other unencrypted alerts sent by or to "several nuclear plants scattered among different states" included:
