Delivered December 17th, 2019. Contributors: Kiersten M. and
Cybersecurity News Scan - Aviation
A total of 10 reports concerning cybersecurity in aviation have been compiled, with a specific focus on news reports published in the past six months, from June 17, 2019 to today. Each of these articles, along with summaries and other relevant information, can be found in the attached spreadsheet.
In June of 2019, Qatar’s Civil Aviation Authority published cybersecurity guidelines targeted at helping to prevent electronic threats and attacks on "the nation’s aircraft operators, airports and air traffic control systems", making them the first Middle Eastern civil aviation regulator to do so.
In July, experts in the United Kingdom prevented a phishing attack targeted at airline customers, which they noted was one of several such cyberattacks between 2018 and 2019.
In July 2019, the Department of Homeland Security (DHS) released a report "warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft". They recommended "that plane owners ensure they restrict unauthorized physical access to their aircraft until the industry develops safeguards to address the issue, which was discovered by a Boston-based cybersecurity company and reported to the federal government".
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning similar to DHS's, indicating that a vulnerability within the communication system used in aircraft "could allow bad actors to inject false data into the aircraft", potentially causing a crash.
"Airlines and airports predicted to invest more than $61 billion in IT in 2019, up from the $50 billion spent last year", with a specific focus on cybersecurity and preventing cyber attacks.
Cybersecurity News Scan - Power
A total of 10 reports concerning cybersecurity in power and electricity have been compiled, with a specific focus on news reports published in the past six months, from June 17, 2019 to today. Each of these articles, along with summaries and other relevant information, can be found in the attached spreadsheet.
"Lawmakers are zeroing in on the potential for foreign cyber attacks to take down the U.S. electric grid, with members in both chambers pushing hearings and a flurry of bills to address the issue," and "congressional interest in the issue is growing following reports that Iran has stepped up its cyber attacks against U.S. critical infrastructure, and as Trump administration officials cite threats from Russia and China against the electric grid".
Following a number of cyber attacks on United States' power grids throughout various cities, officials "and security researchers are considering the option that a state-sponsored hacking group may be behind the attacks".
In September, the "Senate Committee on Energy and Natural Resources approved a pair of bills designed to improve the cyber and physical security for the energy grid" as part of a larger goal of protecting the United States' energy grid from cyber attacks.
"As part of National Cybersecurity Awareness Month in October, utilities, government and businesses are working together to ensure the country’s electric grid is safe from cyber threats, while making sure that consumers have the tools they need to stay secure online."
More than a dozen electricity providers "were targets in a recent wave of cyberattacks", which was revealed in late August of 2019. The targeted providers spanned "18 states from Maine to Washington", and the attacks involved hackers' attempts "to get malware installed on utility computers through “phishing” emails that trick recipients into opening them".
Cybersecurity News Scan - Healthcare
A total of 10 reports concerning cybersecurity in healthcare have been compiled, with a specific focus on news reports published in the past six months, from June 16, 2019 to today. Each of these articles, along with summaries and other relevant information, can be found in the attached spreadsheet.
In August of 2019, the United States enlisted a group of ethical hackers to try to hack "pacemakers, drug pumps, and other devices" with the goal of learning of any vulnerabilities that might exist within the equipment. This was organized as more and more medical devices are found to be vulnerable to cyber attacks, putting patients and hospital networks at risk.
An August 2019 report from Kaspersky found that "employees of healthcare organizations in the U.S. and Canada are lacking cybersecurity education and awareness in three main areas including regulation, policy and training", increasing cybersecurity risks for patients treated by those employees.
In late September, the FDA and the U.S. Department of Homeland Security released a warning concerning a total of 11 cybersecurity vulnerabilities in various IPNet medical device software programs. According to the FDA's release, "These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function".
Private medical information of about 130,000 patients who were treated at a Montana health system was compromised in October, following a phishing scam "in which several employees unknowingly provided login credentials to hackers in response to a 'well-designed email'".
Mastercard recently expanded out of the financial industry and into healthcare, with the specific goal of focusing on cybersecurity in the industry. Specifically, in October of 2019 they launched "Mastercard Healthcare Solutions, a collection of software products aimed at tackling perennial pain points in the business of healthcare".