Posted on Aug 27, 2018
There’s been a lot of talk and research about intelligent buildings and cities that are growing smarter by the day, with an eye on optimizing energy consumption, increasing operational efficiency, and simply creating the ‘wow’ factor. Check out the flashy Bank of America buildings. It’s not too surprising, as technology is enabling every ‘thing’ to connect and communicate over networks. Every energy storage system, elevator server, lighting panel, HVAC system, sensor, you name it, can be connected using building automation control networks like BACnet. This, combined with IoT, cloud, and artificial intelligence, adds up to slick capabilities unimaginable just 10 years ago. But the more systems we integrate, the more we need to protect, since each integration can introduce vulnerabilities that widen your network attack surface.
In the past, most IT departments didn’t get involved in deploying building services and systems, so building integrators often had to run cables, install unmanaged switches, and set up remote access using technologies like VPNs. Or, if the integrator didn’t have the right networking skills, they’d likely have to rely on the organization’s IT staff to get a firewall or VPN deployed before they could proceed. I’ve heard many a story about big delays for integrators who were at the mercy of networking pros. The great OT / IT divide isn’t a myth and if allowed to persist can severely fracture an organization’s operational efficiency and security posture when attempting to converge IT and OT systems.
That’s the backdrop driving our new partnership with Delta Controls that we announced today. Delta Controls is one of the leading manufacturers of building automation controllers, with more than 300 service providers in over 80 countries. They’ve mastered the integration and automation of everything throughout a building to create an energy efficient and sustainable solution, and Tempered Networks has delivered a simpler and smarter way to securely connect and segment building automation networks. Together, this partnership gives systems integrators the tools to achieve powerful outcomes for their customers including:
· Superior security
· Simpler and faster installations
· Better network performance
· More flexible connectivity options
· Faster data collection
We’re excited about this relationship that will deliver a huge competitive advantage for Delta Controls’ partners and customers and advances the growing smart buildings market. Read more about how we can simplify and secure smart building networks or contact us to set up a no obligation demo.
Posted on Aug 22, 2018
Over the three short days I spent in the Nevada desert, I had the chance to learn about everything from PLC hacking, to which Vegas buffet is best, and I’m sure I missed a lot in between. So, with DEF CON 26 in the books, I’ve taken the chance to reflect on three ways to make the most of DEF CON 27.
- Don’t get distracted
DEF CON runs on the inviting Vegas Strip, surrounded by a thousand attractions, all vying for attention. However, if you can put those distractions aside for seven hours each day, you will benefit from what DEF CON has to offer. Next year I will be sure to save getting lost in Casino malls and browsing buffets to sometime after DEF CON has closed for the night and leave myself more time to soak up what DEF CON has to teach.
- Make time to go to talks
With myriad villages, workshops, and vendors at DEF CON, it’s hard to make time to go to talks. Nevertheless, these 30 to 60-minute talks were some of the most interesting times I spent in Las Vegas. For this reason, next year, I plan to schedule my activities around the talks. This way, I can be sure I don’t miss any talks, and can still visit the other events that last all day.
- Focus on one village
Packet hacking, Lockpicking, Social Engineering, Vote Hacking, whatever a hacker might want, DEF CON has a village for it. This year I spent the weekend seeing them all, but I wish I hadn’t. Each village has a lot to teach, but only if you spend the time to learn it. As such, next year I want to spend my time focusing on just one, or possibly two villages that interest me most.
DEF CON 26 was a whirlwind of lessons and a great way to spend a weekend, but I know there is much that I missed. I hope that with these few guidelines in place, I will stay focused, hear every talk I want, improve my hacking skills and make the most of DEF CON 27.
Posted on Aug 17, 2018
If you are not aware, DEF CON is a yearly hacker pilgrimage to Las Vegas. I was able to go this year for the second time. It is always a fun place to learn about what is going on in the hacking community, stay up to date on the latest computer security topics, and expand my technical skills. If you have never been to DEF CON, here is my (satirical) list of five things you should bring to DEF CON.
1. Cash
You are going to want to bring cash if you want to get in. DEF CON registration accepts only cash at the door. There are no pre-registrations and no credit card transactions. You may be thinking, "Why can't I use a credit card?", but with a convention full of hackers, you must consider what would happen to your credit card.
On a serious note, cash doesn't create an audit trail. DEF CON attendees are typically privacy conscious, and transacting in cash maintains that privacy.
2. A Burner Phone
To enhance the privacy conscious geekery, bring a burner phone! You wouldn't want your regular phone to be a possible attack surface, and you can flash the idea that you are extremely concerned about privacy by using a phone you don't care about.
3. A Linux Live CD
For those who are dead set on bringing a laptop (or a desktop if you don't mind lugging everything around), have a Linux Live CD available. This way you can boot an operating system to use without worrying about infecting your regular operating system.
4. Cables
Every year DEF CON has a badge hacking challenge. The badge you get for your admission price is a puzzle, and ensuring you bring cables to poke and prod the badge can help in the badge hacking competition.
5. An Interest in Hacking
Last, but not least, bring an interest in hacking and an open mind. DEF CON has talks you can attend which cover a wide range of topics. New this year was the [ICS Village](https://www.icsvillage.com/) that helped bring awareness and visibility to the need for industrial control security.
Posted on Aug 9, 2018
Airplanes have come quite a long way since I worked at Boeing. During my tenure at the commercial aircraft company, I led a project team that designed the beginning of the digital flight instruments integration that would eventually be used for their new commercial aircraft’s full digital instrument panel directive to “usher in the future” and to allow better technology and more convenience for the pilots. Today, commercial airplanes can provide passengers and crew the convenience of inflight Wi-Fi access to the internet for browsing, checking email, checking flight data, streaming videos from the IFE (inflight entertainment) system, and even doing Secure Remote Access demos with IDN to show how securely I can access a camera that is protected by an Identity Defined Overlay (IDO) from anywhere on, or above, the world.
This blog post is the second installment in the “Ships, planes, trains and automobiles!” series highlighting connected transportation systems that can be hacked and how they can be secured with Tempered’s Secure IDN.
Much like maritime vessels, commercial aircraft like the Boeing 787 and Airbus A380 jets can have multiple types of networks: the passenger Wi-Fi network, the IFE system, and the Aircraft Data Network for avionics systems, all reachable from the ground via SATCOM (satellite communications) and ATG (air to ground) technologies. The latest onboard networks are no different from the types of IP networks you see at the office, home or hotels, built with COTS (commercial off the shelf) devices. As such, these networks are just as susceptible to hacking attempts via passenger access to the Wi-Fi or IFE systems, either directly, by connecting a laptop to the video system’s Ethernet port, or indirectly, through infected passenger phones or computers. Hacking can also happen from ground to air, as the Department of Homeland Security discovered in late 2017, when officials were able to remotely hack into a Boeing 757’s network using equipment that could pass through TSA security screening.
The best countermeasure to take against unauthorized access is to segment the flight operations network from other non-essential networks. To segment securely from the get-go, you’ll need to do this with Tempered Networks’ IDN. Tempered Networks’ Identity Defined Networking solution can easily and securely segment your flight operations network from your in-flight internet and onboard entertainment networks, cloak your critical avionics systems from cyber-attacks and effectively make them invisible to hackers. Cloaking reduces the total attack surface area and breaks the cyber kill chain at the Reconnaissance stage, potentially preventing the attack from advancing further. When Tempered’s IDN cloaks the airplane's flight control systems, they are not scannable. Hackers can’t hack what they cannot see.
Tempered Networks’ IDN Enforcement appliances, the HIPservices, are part of a three-component design responsible for applying the Zero Trust secure segmentation, cloaking critical devices, and encrypting data in motion. These attributes help protect your avionics and other critical flight devices and the data passing between them, whether the airplane is in the air or at the gate securely synchronizing flight data for previous and future flights.
The following is the HIPswitch 75 appliance, conveniently designed to fit in inconvenient spaces; compact and secure:
In the current aircraft network design, the avionics, crew, and passenger networks are interconnected, so a vulnerability in a device in any one of these networks affects the security of the others. Cyberattack vectors such as passenger laptops, crew phones or one of the airplane’s COTS routers can reportedly be used to access the avionics controls, inflight or remotely from the ground, to cause damage or other life-threatening events. Tempered Networks provides secure networking that can protect your critical aircraft environment from those vulnerabilities in three simple steps. Our IDN design objective is based on the principle that it must be easy to connect, cloak, segment, move, failover, and disconnect networks and individual resources. IDN unifies networking and security into a single platform, making it simple to create Zero Trust Overlays without having to modify existing network security infrastructure. Our point-and-click management console makes it easy to connect, micro-segment and manage all your networked devices—across any transport or location. And this approach comes at a fraction of the cost of alternative solutions. For a quick overview of what Tempered Networks IDN, Zero Trust, and cloaking can do for your aircraft networks, please see the Tempered Networks 5-minute IDN explainer.
For more IDN details and use cases, please visit Tempered Networks.
Posted on Jul 31, 2018
Performance reviews can always be a tricky subject, but we’re trying to change that. We found that our managers weren’t motivated to provide performance reviews because of how long, uncomfortable, and unproductive they can be. Luckily, we discovered a game-changing way to provide feedback: the 5-Word Review.
The 5-Word Review comes from the cofounder of Kayak, Paul English, who wanted a simpler, and more direct way to communicate feedback. English’s method operates as such: provide the reviewee with two or three positive words and two or three challenge words. The manager then delivers their 5-Words in an in-person meeting.
Our managers have expressed how much easier it is to hold a conversation when giving this feedback, since the format helps both the delivery of the information and how it is received. Requiring that specific words be chosen overrides anyone’s tendency to skirt around an awkward topic. Each word then serves as a data point.
We have also enhanced the 5-Word Review by allowing not only managers to review their direct reports, but to have direct reports review their managers and peers to review each other. We keep these reviews anonymous to allow everyone to feel comfortable saying what they need to say. The opportunity to review a manager provides a way to give critical feedback that might otherwise never get brought up. Some of our employees have expressed how much more painless and effective this process is.
We’ve only done one round of these so far, so we’ll circle back with the team and look at the data to determine how productive the 5-Word Review actually is. But what we know for now is that we’ve received a lot of gratitude and good feedback.
Posted on Jul 24, 2018
IT’s task of delivering secure networking is challenging enough – just ask them! Now enter millions of Internet of Things (IoT) devices looking to connect to the network and ask them again what they think of network security. Yes, IoT has been hyped for years, but it’s rapidly taking shape and adoption is accelerating. Gartner says over 20 billion connected things will be in use worldwide by 2020, driving hardware spending of $1.4 trillion by businesses. And while all the talk is on the potential IoT devices can deliver, for IT teams it spells one big headache!
IoT devices have already been used in a massive DDoS attack, and that’s just the beginning. Forrester predicts that “IoT-based attacks will likely continue to grow in 2018, including those on both devices and cloud backplanes, as hackers try to compromise systems for ransom or to steal sensitive information,” according to a TechRepublic report.
Let’s face it; security is often an afterthought in the rush to adopt new technologies. And the role of IoT in digital transformation is causing many businesses to push forward, hoping to get ahead of, or at least keep even with, competitors. How are they going to connect potentially billions of devices securely? It’s not practical or viable with today’s networking solutions that rely on TCP/IP addressing.
There’s got to be a better way and there is!
Securing IoT devices in end-to-end private networks can be done with technology based on the Host Identity Protocol (HIP), which can connect and protect devices that can’t network or protect themselves.
Using device-based cryptographic identities (CIDs), HIP devices are natively cloaked and invisible to hacker reconnaissance and protected against DDoS, man-in-the-middle attacks, IP spoofing, and other types of network and transport layer attacks.
HIP resolves a fundamental flaw in TCP/IP: an IP address binds together the identity and the location of a device. By decoupling these, the IP address functions solely as a resource locator, while the CID makes it possible to quickly and efficiently create secure network overlays that are invisible to hackers.
HIP enables organizations to move from address-defined networking to Identity-Defined Networking (IDN), where trust is based on provable, cryptographic identity. This shift is essential for the industrial IoT, where every connected device represents a new attack vector, increasing risk to the organization.
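The identity/locator split described above is easiest to see in code. The following is an added example, not Tempered Networks’ product code and not an implementation of the Host Identity Protocol itself: it models one cloaked host whose trust table is keyed by a cryptographic identity (assumed here to be SHA-256 of an Ed25519 public key; real HIP uses its own Host Identity Tag construction) while the peer’s IP:port is treated as mutable metadata. A peer proves its identity by signing a single-use challenge together with the locator it claims, so the same device can move between addresses, a replayed message is rejected, an on-path change to the locator is rejected, and an unenrolled sender is dropped with no reply. Challenge issuance is modelled as a plain function call for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is the cryptographic identity of a device: SHA-256 of its Ed25519
// public key (an assumption for this example, not the HIP tag construction).
type Identity [32]byte

func IdentityOf(pub ed25519.PublicKey) Identity { return sha256.Sum256(pub) }

// NewPeerKey generates a device key pair; only the public half is enrolled.
func NewPeerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Overlay is one cloaked host's trust table. Admission is keyed only by
// Identity; the locator (IP:port) is metadata that never grants trust.
type Overlay struct {
	peers  map[Identity]*peer
	nonces map[string]bool // outstanding challenges, each usable once
}

type peer struct {
	pub     ed25519.PublicKey
	locator string // last verified IP:port
}

func NewOverlay() *Overlay {
	return &Overlay{peers: map[Identity]*peer{}, nonces: map[string]bool{}}
}

// Enroll records a peer's public key (an out-of-band administrative step).
func (o *Overlay) Enroll(pub ed25519.PublicKey) Identity {
	id := IdentityOf(pub)
	o.peers[id] = &peer{pub: pub}
	return id
}

// Challenge issues a fresh nonce the peer must sign along with its locator.
func (o *Overlay) Challenge() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	o.nonces[string(n)] = true
	return n
}

// Hello is a peer's opening message: claimed identity, current locator, the
// challenge it answers, and a signature binding all of them together.
type Hello struct {
	ID      Identity
	Locator string
	Nonce   []byte
	Sig     []byte
}

func signedBytes(nonce []byte, locator string) []byte {
	return append(append([]byte{}, nonce...), locator...)
}

// SignHello is the peer side: prove possession of the enrolled private key.
func SignHello(priv ed25519.PrivateKey, locator string, nonce []byte) Hello {
	pub := priv.Public().(ed25519.PublicKey)
	return Hello{ID: IdentityOf(pub), Locator: locator, Nonce: nonce,
		Sig: ed25519.Sign(priv, signedBytes(nonce, locator))}
}

// ErrDrop means "send nothing back": unknown or unproven senders get no
// response at all, which is what keeps the host invisible to scanning.
var ErrDrop = errors.New("drop silently")

// Handle admits a Hello only if the identity is enrolled, the nonce is one
// we issued and has not been answered, and the signature verifies over
// nonce+locator. Only then is the locator updated, so peers may roam freely.
func (o *Overlay) Handle(h Hello) error {
	p, ok := o.peers[h.ID]
	if !ok || !o.nonces[string(h.Nonce)] {
		return ErrDrop
	}
	if !ed25519.Verify(p.pub, signedBytes(h.Nonce, h.Locator), h.Sig) {
		return ErrDrop
	}
	delete(o.nonces, string(h.Nonce))
	p.locator = h.Locator
	return nil
}

// LocatorOf reports where an enrolled identity was last verified to be.
func (o *Overlay) LocatorOf(id Identity) (string, bool) {
	p, ok := o.peers[id]
	if !ok || p.locator == "" {
		return "", false
	}
	return p.locator, true
}

func main() {
	pub, priv := NewPeerKey()
	o := NewOverlay()
	id := o.Enroll(pub)
	// Same device on a cellular link, then on office Wi-Fi: identity is
	// unchanged, only the locator moves (addresses are constructed).
	for _, loc := range []string{"203.0.113.9:10500", "10.0.0.5:10500"} {
		fmt.Println(loc, "->", o.Handle(SignHello(priv, loc, o.Challenge())))
	}
	loc, _ := o.LocatorOf(id)
	fmt.Printf("peer %x... now at %s\n", id[:4], loc)
	_, stranger := NewPeerKey() // well-formed Hello from an unenrolled key
	fmt.Println("stranger ->", o.Handle(SignHello(stranger, loc, o.Challenge())))
}
```

The point to notice is that `Handle` never looks at the source address to decide anything; an attacker who spoofs a trusted IP gains nothing without the private key, and a legitimate device that changes address is re-admitted on the strength of its identity alone.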
We are enabling businesses to embed provable identities in any IoT or Machine-2-Machine device with the first commercial implementation of HIP products and services. Our HIPswitches are being used to replace old IP radios and achieve secure connectivity for kiosks, POS systems, HVAC, robotics, manufacturing, p2p web services, and other applications.
Physical HIPswitches can securely connect legacy equipment that uses a combination of different protocols and topologies, or runs outdated or end-of-life software such as Windows XP.
The IoT holds great promise for many new business initiatives, and organizations shouldn’t have to hold back because legacy security schemes fall short.
Posted on Jul 19, 2018
Ships, planes, trains and automobiles! This article is not really about the awesome 1987 movie starring Steve Martin and John Candy, but rather the first of a series of posts regarding the everyday transportation systems we all take for granted, how they are all remotely hackable, and how to secure them with Tempered’s Secure IDN. First up: ships.
Maritime vessels support two classifications of networks; a serial network and an IP network. A ship’s serial network hosts Industrial Control Systems for environmental controls like refrigerant and heat as well as ship operational controls for engines, navigation and steering systems. A ship’s IP network hosts its business systems including email, internet access and browsing. It’s also typical to see serial-to-IP devices that bridge these two networks together with the goal of extending that ICS and ship control data further into business systems.
As far back as 2010, warnings have been published about how hackable maritime vessels are, and as recently as yesterday pen testers have reported that ship networks are still vulnerable to cyber-attacks. Cyber security specialists have even taken steps to prove this point by using typical attack practices, from reconnaissance to phishing, to discover vulnerabilities, back doors, and exposed devices (like the ship’s satcom and serial-to-IP converters) and stage man-in-the-middle (MITM) attack scenarios. Phishing was also used to take control of laptops that contained ship data and device credentials. Once the targets were compromised, the testers moved on to discover serial data spilling into the IP network, where they could easily have manipulated environmental controls for shipping containers, the ship’s steering, navigation data, and so on. In other words, if any commercial or cruise ship is compromised, the ship, its shipment, and more importantly its crew and public seafarer lives, are in danger.
Because they are often left at default settings, satcom and serial-to-IP bridges are usually the focus of attacks on a ship. Satcom systems are the easiest way to get onto vessel networks, and the serial-to-IP bridges are the means by which attackers can reach the life-dependent data. There are many ways to address commercial and passenger ship cyber-security, such as educating the crew on how to recognize socially engineered malware and phishing attempts, and through policies that guide ship crews in implementing countermeasures for cyber-attacks. Countermeasures can range from securing satcom and serial-to-IP bridges with encryption, to changing default passwords, to encrypting data in motion. More importantly, segmenting the business, bridge, engineering, crew and public Wi-Fi networks is key to further securing critical ship systems from unauthorized access.
Tempered Networks’ Identity Defined Networking (IDN) solution can easily and securely segment your vessel’s serial ecosystem from your IP network, cloak your critical ship systems (including the serial-to-IP bridging devices) from cyber-attacks and effectively make them invisible to hackers. Cloaking reduces the total attack surface area and breaks the cyber kill chain at the Reconnaissance stage, potentially preventing the attack from advancing further. When your critical ship systems are cloaked by Tempered’s IDN, they are not scannable for IP addresses or running services. Hackers can’t hack what they cannot “see”.
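Both the aircraft post above (avionics, crew and passenger networks) and the maritime discussion here come down to the same defender's question: is anything other than the sanctioned serial-to-IP bridge reaching the control network, and is the bridge itself exposed to passenger Wi-Fi or the satcom side? The following is an added example, not Tempered Networks’ code, that audits a constructed flow log against that segmentation policy. The zone address ranges, the log format (`timestamp src dst proto dport`) and the control-side port allowlist are all assumptions made for the example; a real vessel or aircraft would substitute its own addressing plan and the ports its bridge actually speaks.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Zone is a named address range. Ranges are constructed for this example.
type Zone struct {
	Name string
	CIDR string
	net  *net.IPNet
}

var zones = []Zone{
	{Name: "control", CIDR: "10.10.0.0/24"},  // serial ecosystem: engines, steering, environmental controllers
	{Name: "bridge", CIDR: "10.20.0.0/24"},   // serial-to-IP gateways, the only sanctioned path into control
	{Name: "business", CIDR: "10.30.0.0/24"}, // email, browsing, office systems
	{Name: "public", CIDR: "10.40.0.0/24"},   // crew and passenger Wi-Fi
}

func init() {
	for i := range zones {
		_, n, err := net.ParseCIDR(zones[i].CIDR)
		if err != nil {
			panic(err)
		}
		zones[i].net = n
	}
}

// zoneOf maps an address to its zone; anything outside the plan (for
// example traffic arriving over the satcom link) is "external".
func zoneOf(addr string) string {
	ip := net.ParseIP(addr)
	for _, z := range zones {
		if ip != nil && z.net.Contains(ip) {
			return z.Name
		}
	}
	return "external"
}

// Ports the bridge is expected to use into the control zone
// (constructed allowlist; 502 is Modbus/TCP).
var controlPorts = map[int]bool{502: true}

// Flow is one record of the constructed log: <time> <src> <dst> <proto> <dport>.
type Flow struct {
	Time, Src, Dst, Proto string
	DPort                 int
}

func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	port, err := strconv.Atoi(f[4])
	if err != nil {
		return Flow{}, fmt.Errorf("bad port in %q: %w", line, err)
	}
	return Flow{Time: f[0], Src: f[1], Dst: f[2], Proto: f[3], DPort: port}, nil
}

// Check returns a reason if a flow violates the policy: only the bridge may
// talk to control, only on allowed ports, and the bridge must not be
// reachable from public Wi-Fi or from outside the ship.
func Check(f Flow) (string, bool) {
	src, dst := zoneOf(f.Src), zoneOf(f.Dst)
	switch {
	case dst == "control" && src != "bridge":
		return fmt.Sprintf("%s %s: %s zone reached control host %s", f.Time, f.Src, src, f.Dst), true
	case dst == "control" && !controlPorts[f.DPort]:
		return fmt.Sprintf("%s %s: bridge used unexpected port %d into control", f.Time, f.Src, f.DPort), true
	case dst == "bridge" && (src == "public" || src == "external"):
		return fmt.Sprintf("%s %s: %s zone reached bridge host %s on port %d", f.Time, f.Src, src, f.Dst, f.DPort), true
	}
	return "", false
}

// Audit runs every record through Check and collects the violations;
// unparseable lines are reported rather than silently skipped.
func Audit(lines []string) []string {
	var out []string
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		f, err := ParseFlow(l)
		if err != nil {
			out = append(out, "parse error: "+err.Error())
			continue
		}
		if why, bad := Check(f); bad {
			out = append(out, why)
		}
	}
	return out
}

// SampleLog is a constructed flow log mixing sanctioned bridge traffic with
// the kinds of crossings the text describes.
var SampleLog = []string{
	"2018-07-18T10:00:01Z 10.20.0.2 10.10.0.5 tcp 502",   // bridge -> control, expected
	"2018-07-18T10:00:07Z 10.30.0.12 10.10.0.5 tcp 502",  // business host talking straight to a controller
	"2018-07-18T10:00:09Z 10.40.0.33 10.20.0.2 tcp 23",   // passenger Wi-Fi reaching the bridge's telnet port
	"2018-07-18T10:00:15Z 198.51.100.9 10.20.0.2 tcp 22", // external (satcom side) reaching the bridge
	"2018-07-18T10:00:20Z 10.40.0.33 10.30.0.1 tcp 443",  // public -> business, outside this policy's scope
	"2018-07-18T10:00:25Z 10.20.0.2 10.10.0.5 tcp 8080",  // bridge on a port it has no business using
}

func main() {
	for _, v := range Audit(SampleLog) {
		fmt.Println("VIOLATION", v)
	}
}
```

Run against the sample, four of the six records are flagged; the first line (bridge to control on the expected port) and the public-to-business line pass. The same check works equally as a one-off audit of exported flow records or as a continuous rule in whatever collector the vessel already runs.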
In my recent post, Tempered Networks 5-minute IDN explainer, I mentioned that our IDN Enforcement appliances, the HIPservices, are part of a three-component design responsible for applying the Zero Trust secure segmentation, cloaking, and encrypting data in motion. These attributes help protect your critical devices and the data passing between them. The HIPservices can also serve as your serial-to-IP bridge to the IP network, protecting your ship’s critical serial ecosystem. The following is the HIPswitch 250gd-s model: dual cellular with serial-to-IP support.
According to current maritime vessel security articles, simple security flaws on ship network systems allow unauthorized access and control that can cause ships to go off-course, with loss of volatile merchandise due to unauthorized environmental manipulation, and, worse, life-threatening events. Tempered Networks provides secure networking that can protect your critical vessel environment from those simple security flaws in three simple steps. Our IDN design objective is based on the principle that it must be easy to connect, cloak, segment, move, failover, and disconnect networks and individual resources. IDN unifies networking and security into a single platform, making it simple to create Zero Trust Overlays without having to modify existing network security infrastructure. Our point-and-click management console makes it easy to connect, micro-segment and manage all your networked devices—across any transport or location. And this approach comes at a fraction of the cost of alternative solutions. For a quick overview of what Tempered Networks IDN, Zero Trust, and cloaking can do for your ship networks, please see Tempered Networks 5-minute IDN explainer.
For more IDN details and use cases, please visit Tempered Networks.