Industrial Products At Risk Of KRACK Attacks

By   ISBuzz Team
Writer , Information Security Buzz | Nov 27, 2017 08:00 am PST

An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK. The KRACK (Key Reinstallation Attack) flaws affect the WPA and WPA2 protocols and they allow a hacker within range of the targeted device to launch a man-in-the-middle (MitM) attack and decrypt or inject data. A total of ten CVE identifiers have been assigned to these security bugs. IT security experts commented below.

Edgard Capdevielle, CEO at Nozomi Networks:

edgard capdevielle“The KRACK malware, which attacks wireless devices, including industrial routers, access points and gateways, as well as smartphones and tablets used by engineers and operators for remote access to ICS shows, the risks inherent in increasing connectivity in industrial control systems (ICS). While wireless device use provides benefits such as more convenient connectivity and increases in productivity, they can also be the targets of cyberattacks.

“If a Man-In-the-Middle or other type of attack is carried out, improper communication or data could be transmitted over the network.  This could impact the proper the operation of devices or establish a foothold to collect data on the ICS for a further attack. With today’s cybersecurity technology such as passive network monitoring that uses machine learning and artificial intelligence to establish a baseline model of a system, any abnormal communication will be quickly identified.  Staff will receive alerts and be able to take actions to block the malware from doing damage. Industrial operators need to know that defending their systems is possible, and we encourage them to be proactive about continuously improving their cybersecurity posture through the use of technology, training and other measures identified in industrial cyber security standards.”

Doron Youngerwood, Product Manager, Big Data & Artificial Intelligence at Amdocs: 

isbuzz author male 1“With the digital economy so crucial to growth it’s no surprise the Chancellor has chosen to invest in cutting edge technologies, such as AI, to maintain the UK’s position as a leader in the sector. This is a smart move because AI is becoming more prevalent in every-day life and influencing everything from consumer spending to business decision making, but the £500m technology investment needs to be spent wisely if it’s going to have any real impact on the UK economy. The Government plans to address the digital skills gap, but specific investment is required for the training and education of marketers and sales teams who will be responsible for implementing AI-led initiatives.

“AI is already driving customer service and digital marketing for large retail brands, banks and mobile operators, and while developers and IT managers are familiar with the technology it’s their colleagues in sales and marketing that will benefit most from the innovations it is driving. The same can be said of customer service agents, the frontline of any business, who will be expected to interact with AI systems and chat bots as they process customer requests. Investment in these areas will allow UK businesses to effectively manage the vast reams of data they have access to and derive the tremendous value that artificial intelligence has to offer.”

Etienne Greeff, CTO and Co-Founder at SecureData:

isbuzz author male 1“Another Autumn Budget, and another year when the UK government neglects putting cybersecurity as one of its utmost priorities for investment. We see talk of driverless cars, rail cards and digital skills, but no mention real mention of how the UK will defend against cyberattack at a time when nation states are virtually attacking one another in a game of one-upmanship and, in some instances, unleashing cyber warfare.

“While the Budget announcement has given a nod to the importance of digital skills, it’s not nearly enough investment to secure a society that is increasingly online and increasingly vulnerable to attack. Is the investment in the right place? Could it be better spent educating organisations and the general public on the risks we face online today and providing the knowledge and skills to create a more united cyber front? While Hammond has promised significant funding to secure ‘the UK’s position as a world leader in transformational technologies’, barely any of this is wholeheartedly reserved for cybersecurity. The more tech innovation we create, the more we need to recognise the fact that security (or lack of) will make or break its success and safety. It’s time the UK government acknowledged this with more concerted efforts towards protecting British business and its citizens.”

Michael Segal, Area VP, Strategy at NETSCOUT:

isbuzz author male 1“The investment in AI is a very smart move by the UK government. This decision directly impacts the national UK GDP, by empowering its businesses to become more productive and reduce costs. Productivity and cost reduction directly drive corporate revenue and profitability and increase the GDP.

“Supporting AI startups will drive new levels of automation, efficient data mining and machine learning. Automation will accelerate the digital transformation and make the adoption process more efficient, which would benefit enterprises in a variety of sectors such as government, manufacturing, healthcare, financial services, retail, technology and other. Efficient data mining utilising both supervised and unsupervised machine learning algorithms will enhance the value of data owned by the different corporations, which would increase their IP (intellectual property) and therefore the market cap.”

Richard Parris, CEO and Chairman at Digital identity Specialist Intercede:

richard parris 2“The Chancellor’s budget announcement to allocate significant investment into digital skills is refreshing to see. But where was the mention of cybersecurity?  It’s all well talking about initiatives such AI, electric cars, broadband and 5G. But how do we ensure we have the resources and expertise to secure these technological developments? Hammond described his latest budget as a ‘balanced approach’ but frankly I disagree.

“It’s shocking that this wasn’t directly addressed given the countless number of large scale cyber-attacks that have plagued our headlines this year, affecting millions of UK businesses and consumers. The Government has continually stated its plan to keep the UK at the forefront of innovation, but this innovation will definitely fall behind if we aren’t able to secure critical data and the infrastructure driving the UK’s technological revolution. Cybersecurity is the cornerstone of the future of the UK’s growing economy. By not recognising the important role that cybersecurity plays in the future development of our nation, UK businesses and citizens will be left vulnerable to attack.”

James Lyne, Head of Research and Development at SANS Institute:

isbuzz author male 1“We’re now living in a digital economy, where anything and everything can be connected or automated. Unfortunately, as we increasingly move our society and commerce online, we face two challenges – the growing opportunity for cybercriminals to attack us, and the lack of skilled security practitioners to keep these opportunistic individuals at bay. We therefore welcome the announcement today that the UK Government will invest more in building British skills in computer science and digital competencies, in addition to fortifying the current security of the nation’s mobile infrastructure.

“Computer science – which includes cyber security – is a fundamental part of the secondary school curriculum but recent reports highlighted a lack of teachers as a key reason that not all schools were offering it to their students at GCSE. While the country continues to innovate, we’re left with huge gaps within our workforce – skilled security practitioners who can defend our systems, critical infrastructure and digital economy – so it’s vital that we provide the pipeline of students to take up those roles when they leave school and university. Right now, it’s a huge challenge for organisations to hire security practitioners, mainly because we don’t have enough of them, so cyber security and computer science need to be taught from an early age as viable options for future professional careers.

“SANS is part of a consortium working with the Department for Digital, Culture, Media & Sport (DCMS) on this very challenge – the ‘Cyber Discovery’ programme targets young people at secondary schools, introducing them to cyber security now so that they can potentially become the future front line of defence of our digital nation. The UK Government’s further investment into Computer Science is therefore a very positive sign both from a curriculum perspective, and from a business perspective – providing a greater ability to grow, scale and thrive in a digital economy that is protected and nurtured by budding, yet currently untapped security talent.”