How Cyber Attacks are Spreading in the Supply Chain
Barry J. Ewell
May 18, 2020
In today’s high-threat cyber environment, any device you have that runs on software has a high risk of being the target of an attack. As the world population increases and nears 8 billion in 2020, there will be an estimated seven connected devices per person.
Every day, around the world, businesses are at risk of cyber-attacks. Honeywell acknowledges the risk and believes the best way to prevent attacks and the losses that result from them is to take a pervasive approach to security. Pervasive means Honeywell approaches security from multiple angles which include gathering intelligence on cyber events in multiple industries, building protections directly into devices and software, and maintaining a 24/7 level of vigilance on the cyber climate so vulnerabilities can be spotted quickly and patches deployed as soon as possible.
This places a growing stress on the Internet of Things (IoT) space. Let’s take a closer look at what some of the more high-profile cyberattacks have seen in the supply chain in the last several years: BlueBorne, KRACK, Meltdown and Spectre.
Overview. BlueBorne is a type of vulnerability that affects all Bluetooth enabled devices. An attacker enters a device via a Bluetooth connection and takes complete control of the device without any user interaction and without pairing needed simply by being close. BlueBorne has been known to fulfill any number of malicious objectives such as cyber espionage, data theft or even ransomware attacks. It has the ability to allow hackers to penetrate secure internal networks which are ‘air gapped.’ This means even though a network is disconnected from other networks for protection, BlueBorne can still infect the system which endangers industrial systems, government agencies and critical infrastructure. When you take into consideration how many IoT and connected devices flood the market, and the criticality of keeping your data secure you can easily deduce the severity of this type of issue.
How to be Safe. BlueBorne is still a major threat a year after it was discovered. The best solution is to ensure that you work with a vendor that is constantly vigilent about security and your devices are being updated against this type of attack. Always make sure your operating system on all your devices is up-to-date and patched.
Overview. KRACK enables attackers to exploit vulnerabilities found in WPA2. Attackers read information that was previously assumed to be safely encrypted. KRACK stands for (Key Reinstallation Attacks). KRACK takes data being sent over the network by disrupting the third step of the traditional WPA2 four-way “handshake.” You are vulnerable to an attack if you have implemented WPA2 on your router, or other devices that you own such as tablets, smartphone, laptop, IoT devices, and wireless scanners, smart TVs and more.
How to be Safe. In order to stay safe and keep your devices being compromised:
- Be vigilant and continually install updates and patches for every device in the workplace and at home.
- Make sure you work with a vendor that takes cybersecurity seriously and provides timely patches and updates.
- Access only websites that use HTTPS encryption, as an additional layer of protection as data is encapsulated into two security protocols when doing https over a WPA encrypted wireless access point.
- Avoid sending or providing personal information over public Wi-Fi access point, whether or not it is encrypted.
- Remember to keep the firewall enabled on your operating system.
- Consider using a Virtual Private Network (VPN), when setting up a connection to an unsecured public Wi-Fi.
Meltdown and Spectre
Overview. Meltdown and Spectre are the names of two serious security flaws which exploit critical vulnerabilities in modern processors, processors which could allow hackers to steal sensitive data without users knowing. The processor, or central processing unit (CPU), is the primary chip in a computer that carries out the instructions of a computer program – in essence, the brain of the computer. When you engage a program to do something, it’s the processor that carries out that command and co-operates with the rest of the system to perform the needed tasks.
How to be Safe. These security flaws were inherent in the processors. The best thing users could do was to update their computers with the latest security patches, update operating systems and download software from trusted sources.
Honeywell's Pillars to a Foundation of Trust
Every day, around the world, businesses are at risk of cyber-attacks. Honeywell acknowledges the risk and believes the best way to minimize attacks and the losses that result from them is to take a pervasive and holistic approach to security. Pervasive means Honeywell approaches security from multiple angles which include gathering intelligence on cyber events in multiple industries, building protections directly into devices and software, and maintaining a 24/7 level of vigilance on the cyber climate. A holistic approach to security means that we need to pay attention to the entire picture and individual aspects of a product offering. Honeywell aims to integrate all these elements designed to safeguard an organization to empower our customers to build a solution with security built in from the beginning. We focus on protecting you and our products (e.g., mobile computers, scanners, and printers) against sophisticated attacks at all levels from low level opportunistic hackers to industrial espionage and cyber criminals. Honeywell is a founding member of the ISA Global Security Alliance which means that all of our products go through ISA62433 security requirements from their inception. https://isagca.org/
Honeywell’s story begins 100+ years ago as a global leader in industrial manufacturing and advanced technology. We have used that expertise to drive cybersecurity innovation with over 15+ years as a key leader in industrial cybersecurity solutions helping transform and protect the world’s most critical infrastructures. Our broad portfolio includes Operational Technology (OT) cybersecurity software products and services that allow customers to simplify, strengthen and scale industrial cybersecurity across an enterprise.
Our global team of 300+ Certified Cybersecurity Experts have successfully implemented over 5000+ cybersecurity projects, managed 400+ industrial cybersecurity sites, conducted hundreds of risk assessments and have the breadth of resources to help execute projects of every size and complexity in 70 industry sectors often involving critical infrastructure and national security. For example, this includes: supply chain, healthcare, oil and gas, refining, pulp and paper, industrial power generation, chemicals and petrochemicals, biofuels, life sciences, CPG, F&B, utilities, water/waste, metals, minerals and mining industries.
Honeywell’s large footprint in multiple industries gives us a broad view of emerging cybersecurity threats in their earliest stages in industries where the typical cybersecurity offerings are not usually present. This allows us to identify issues, develop countermeasures, and deploy them to our customers earlier than our competition in this industry that usually does not receive attention. We also leverage relationships to receive pre-disclosures of vulnerabilities from industry councils and partners including Intel, Qualcomm, and Google as well as from our participation and work with various organizations such as ICS-CERT (concentrated around Industrial Controls), NVD, DHS CISA and many more. Furthermore, Honeywell’s size, strength and global presence allows us to leverage the broad investment in security across our enterprise.
Cybersecurity is core to Honeywell. We design security into our products, policies, and processes. Our baked-in from inception approach to cybersecurity, design-to-delivery process has a strong emphasis on building security into products to anticipate and mitigate risk before a breach can happen. We do this by embedding deep domain knowledge, product testing and security requirements of industry-leading security practices throughout our full design and development process to ensure our solutions are as secure as possible from the start.
We aim to make our solutions as free of vulnerabilities and attack surface as possible through such measures as continuous testing, authentication safeguards, and adherence to best programming practices. We believe security must evolve with the product that our customers purchase. A group of dedicated white-hat penetration testers with industry leading certifications such as OSCE/OSCP certified, completely independent from the engineering team, continuously test our solutions to ensure we have the highest standards for defense.
Contact a Honeywell Solutions Expert today! Call 1-800-934-3163.
Barry J. Ewell is a Senior Content Marketing Communications Specialist for Honeywell Safety and Productivity Solutions. He has been researching and writing on supply chain topics since 1991.