03 May 2019

IRM Weekly Cybersecurity Roundup: New IoT Law and more

Fancy getting the weekly roundup delivered straight to your inbox? Sign up to the IRM newsletter.

New law to secure IoT in talks

A new law has been proposed to make IoT (Internet of things) devices more secure, now that most households rely on them.

The new law proposes that devices such as smart TVs, speakers and home appliances (such as ovens and thermostats) would ship with unique passwords, so that hackers could no longer target these devices through shared default credentials.

An attack on these devices could lead to hackers stealing personal data, spying on users or remotely taking control of said devices and misusing them.

Cybersecurity expert, Ken Munro, told BBC News the proposed legislation was a “positive step forward, helping to fix the mess that is consumer smart product security. It’s important that government doesn’t allow the proposed regulation to be watered down during consultation. The proposals are limited, but a good start.”

A new labelling system would also be introduced to tell customers how secure an IoT product is. Retailers would have to follow a set of rules themselves to gain a label:

  • offer unique passwords by default
  • state clearly for how long security updates would be made available
  • offer a public point of contact to whom any cybersecurity vulnerabilities can be disclosed

If these regulations are not met, retailers could find themselves barred from selling products.

You can read more here.

Cyber-attack cost Norsk Hydro $52 million

The aluminium titans Norsk Hydro were hit by a cyber-attack back in March, affecting their entire global organisation.

The organisation has confirmed the cost of the attack is between $50 million and $52 million. The cyber-attack forced Norsk Hydro to shut down several of its metal extrusion plants after it fell victim to the ransomware ‘LockerGoga’, which encrypts files with extensions such as docx, PDF, ppt etc.

Data from the report shows that sales volumes in Hydro’s extruded solutions unit fell to 333,000 tonnes in the first quarter, compared to 362,000 tonnes in the same quarter last year.

The attack was first thought to be the work of an environmental activist responding to allegations that Norsk Hydro’s operation in Brazil has harmed the environment (an act of hacktivism). However, the attack appears to have been financially motivated.

Threat of a cyber attack is ‘a matter of when, not if’

Ciaran Martin, Chief Executive of the National Cyber Security Centre (NCSC), has stated that the UK could suffer a category one cyber attack before the end of this decade.

Martin spoke at the NCSC’s annual CyberUK event, which took place in Glasgow this week. The two-day conference brought together several thousand attendees across the intelligence community and cybersecurity sector.

It’s been two years since the category two cyber-attack on the NHS, and it is believed that an even more serious cyber-attack against the UK looms.

A category one attack is classed as a ‘national cyber emergency’, which causes sustained disruption to UK essential services or national security. These attacks usually create severe economic or social consequences and, in the most extreme cases, loss of life.

WannaCry fell into category two, which is considered a “highly significant incident”, in which there is “a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy”. Categories three to six are, respectively, classed as significant, substantial, moderate, and localised incidents.

You can read more here.

Quick Fire Updates:

Potential police investigation after Williamson’s sacking: Gavin Williamson (UK Defence Secretary) was sacked by Theresa May after she concluded he was behind the leak detailing plans to allow Chinese company Huawei to build Britain’s 5G mobile network. Williamson now wants a police investigation to clear his name. You can read more here.

Brokers advise clients on creating stronger passwords: Brokers advising their clients on cybersecurity should inform them that reusing passwords is not best practice. Read more here.

LGA plans new funding for councils for cybersecurity: The Local Government Association (LGA) is planning to give councils greater funding for the development of an online self-assessment tool to monitor progress in cybersecurity. Read more here.

A US job recruitment site has exposed more than 13.7 million user records following a security lapse: One of the most popular job recruitment sites, Ladders, which specialises in high-end jobs, left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Read more here.

To receive this blog direct to your inbox every week, sign up to our newsletter.

If you have any questions about this week’s roundup, or want to understand how you can improve your cybersecurity strategy, get in touch with IRM.