WASHINGTON – The U.S. Department of Transportation's National Highway Traffic Safety Administration (NHTSA) is taking a proactive safety approach to protect vehicles from malicious cyber-attacks and unauthorized access by releasing proposed guidance for improving motor vehicle cybersecurity. "Cybersecurity is a safety issue, and a top priority at the Department," said U.S. Transportation Secretary Anthony Foxx. "Our intention with today's guidance is to provide best practices to help protect against breaches and other security failures that can put motor vehicle safety at risk." The proposed cybersecurity guidance focuses on layered solutions to ensure vehicle systems are designed to take appropriate and safe actions, even when an attack is successful. The guidance recommends risk-based prioritized identification and protection of critical vehicle controls and consumers' personal data.
The Food and Drug Administration has issued its final guidance on protecting medical devices like pacemakers and insulin pumps from cyberattacks. To start with, it wants manufacturers to boost their cybersecurity measures by incorporating a way to monitor and detect vulnerabilities into the products they make. The FDA also wants them to establish a process for receiving information about potential vulnerabilities from cybersecurity researchers. If they do detect any exploitable flaw, the agency wants the companies to assess the risk it poses to patients. Finally, it wants the medical device makers to issue software patches to fix any vulnerability they find.
A new report from Kaspersky shows that employers are failing to prepare their workers for any and all cybersecurity risks present when handling enterprise business at home. Millions of people across the world were forced to begin working from home in early March as countries put quarantine measures in place. Yet in the report, 73% of the 6,000 employees who spoke with Kaspersky researchers said they "have not yet received any specific cybersecurity awareness guidance or training from their employer." To make matters worse, another 27% of workers said they have already been on the receiving end of COVID-19-related phishing emails. The findings are part of a larger Kaspersky study on how COVID-19 is changing the way people are working.
A new, stealthy Internet of Things (IoT) botnet has emerged with the capability of stealing information from a wide range of devices, underscoring the need for the Federal government to provide guidance on how agencies can reduce risks associated with the deployment of their IoT networks. The botnet, known as Torii, "comes with a rich set of features for exfiltration of sensitive information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication," according to security researchers at Avast, a developer of antivirus and internet security software. Torii, which was discovered on Sept. 19, is stealthier and more persistent once a device is compromised than other IoT botnets such as Mirai, the researchers said. In October 2016, a Mirai botnet took down major websites via a massive distributed denial-of-service (DDoS) attack using hundreds of thousands of compromised IoT devices. Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet army in large-scale network attacks.