Search results

Monday, March 18, 2019 @ 08:03 PM gHale

PAS Global, LLC released PAS Cyber Integrity 6.3, which includes risk analytics that continuously measures and identifies cybersecurity risks to multi-vendor OT (Operational Technology) endpoints, as well as forensic analysis capabilities that provide deep insight into the impact and propagation of a cyber attack.

PAS Cyber Integrity helps industrial companies secure their most critical assets – the OT systems that enable safe and reliable production.

It enables companies to gather and maintain a complete, accurate inventory of OT cyber assets, capture configuration baselines, monitor for unauthorized configuration changes, automate a continuous vulnerability and patch management process across the enterprise, and implement a program for system backup and recovery.

PAS Cyber Integrity risk analytics enable industrial companies to:

Continuously measure industrial endpoint security posture and provide visibility into cybersecurity risks: Vulnerabilities, patch currency gaps, configuration baseline deviations, and unauthorized configuration changes down to the field instrument level.

Identify OT endpoint security degradation and risk propagation so OT security specialists, automation engineers, and risk/compliance managers can prioritize remediation and reduce industrial cybersecurity attack surfaces.

Enable forensic investigations via extensive multi-vendor configuration and referential insight to provide foundational ICS cybersecurity, enterprise scalability, performance, and platform independence.

“Our customers must continuously measure multi-vendor OT endpoint security posture and visualize risk propagation to ensure safe and reliable production,” said Mark Carrigan, chief operating officer at PAS Global, LLC. “Cyber Integrity enables OT cybersecurity professionals to discover cybersecurity risks, expedite remediation, and facilitate forensic analysis and response for OT devices down to level 0 – something that network-based monitoring solutions simply cannot do.”

Tuesday, March 12, 2019 @ 04:03 PM gHale

A bipartisan group of lawmakers unveiled legislation Monday that would create cybersecurity standards for Internet of Things (IoT)-connected devices.

The bill, introduced in the Senate by Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) and in the House by Reps. Will Hurd (R-TX) and Robin Kelly (D-IL), would require established standards for government use of the devices.

IoT devices can open the door to potential security issues. Hackers who are able to access one device can sometimes find a way to manipulate other connected items. They can also infiltrate networks or systems linked to the devices.

There has been a rush to get IoT devices to market, but that comes with a drawback.

“IoT device manufacturers have typically deprioritized security in favor of faster time-to-market and lower costs,” said Phil Neray, vice president of Industrial Cybersecurity at CyberX, a Boston-based IIoT & ICS security firm. “As a result, many IoT devices have much weaker security than other devices upon which we depend such as laptops and cell phones, lacking even the most basic security features like simple patching and removal of hard-coded administrative passwords. As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories. This bipartisan bill is an important step toward steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world.”

Government officials, lawmakers and security researchers have pointed to the vulnerabilities created by the interconnected nature of the devices — which can include products ranging from vehicles to home appliances like doorbells — as a major cybersecurity concern.

Gardner and Warner introduced a different version of the bill in the 115th Congress, but the measure did not advance.

Warner, who co-chairs the Senate Cybersecurity Caucus with Gardner and is vice chairman of the Senate Intelligence Committee, said in a published report he’s concerned about IoT devices “being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security.”

Gardner said as the devices “continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks.”

Under the bill, the National Institute of Standards and Technology (NIST) would create recommendations for the federal government’s use of IoT devices, including establishing minimum security requirements to address the products’ cyber vulnerabilities.

NIST would also be required to issue a report on the increasing use and overlap of IoT devices, including recommendations on how to address cybersecurity issues.

The legislation also would require the Office of Management and Budget (OMB) to create guidelines for the purchase and use of such devices. And the NIST and OMB would have to revisit the policies and recommendations every five years to ensure they are in line with best practices.

Monday, March 11, 2019 @ 05:03 PM gHale

Two demolition workers remain in intensive care in critical condition after a spill of a hazardous chemical at a former factory off Jefferson Road in Henrietta, NY.

Crews were called around 9:20 Monday morning to the Amesbury Truth building for a report of a chemical leak.

Five people ended up exposed to a chemical known as methylene diphenyl diisocyanate (MDI), which is known to cause respiratory issues and can even be fatal. Three people were rushed to Strong Memorial Hospital, two of them in critical condition, while two others were treated at the scene. The condition of the third worker hospitalized is not known.

All employees ended up evacuated and about 50 responders were called to the scene, including the Monroe County Hazardous Materials unit, which entered the building to determine the extent of the chemical leak.

The building used to be Amesbury Truth. Before that, it was the Schlegel Corporation. They moved out of state and crews were in the process of demolition in the back of the building. Amesbury Truth makes window and door products, including weatherstripping made out of foam and other materials.

That demo work is the cause of the leak, said Mark Cholach, Henrietta Fire District assistant fire chief.

“As part of that, there were three to four large tanks of this material,” Cholach said. “The tanks had been cleaned out. They were in the process of demolishing those tanks and the associated pipes that ran from the tanks to the building. It appears that during the demolition of one of those pipes, that chemical came out and exposed the patients.”

Tuesday, February 12, 2019 @ 01:02 PM gHale

A 54-year-old worker died after he was found in a vat of sulfuric acid at a South Lyon, MI-based steel manufacturing firm.

Daniel Hill was fully submerged in the 10-12 percent sulfuric acid solution Saturday afternoon as his Michigan Seamless Tube co-workers attempted to pull him from the industrial container, burning themselves from the at least 160-degree chemical solution, Fire Chief Robert Vogel said.

“Other employees, co-workers saw him in the tank,” Vogel said. “He was completely submerged and was 100 percent covered in burns. The gentleman was trying to get out. They ran and grabbed him and pulled him out.”

Roughly 11 hours later, Hill died of chemical burns at 11:30 p.m. Saturday, said Kristin LaMaire, administrative assistant to the Washtenaw County Medical Examiner.

South Lyon police responded to an emergency call at about 12:21 p.m. to the manufacturing facility at 400 McMunn St., Police Chief Chris Sovik said. The employees placed Hill under a safety shower, and medics then transported him to the University of Michigan Hospital in Ann Arbor.

“He was speaking when we were there,” Vogel said. “He was walking and talking. Unfortunately, he passed. It was pretty extreme burns.”

It was unclear how Hill ended up in the vat and how long it was before he was rescued, he said.

The co-workers who assisted Hill sustained burns to their hands, Vogel said. Medics treated them at the scene.

Mark Hommel, a Michigan Seamless spokesman who works in human resources, described Hill as “a valued employee” who was with the company since April 2017. He said the company is conducting a “comprehensive investigation” and is “cooperating fully” with the Michigan Occupational Health and Safety Administration (MIOSHA) investigation.

Pardeep Toor, public information officer for the Michigan Licensing and Regulatory Affairs Department, said MIOSHA’s investigation of the incident has begun.

“MIOSHA cannot provide information on an open investigation,” he said. “Typically, this type of investigation may take several weeks or months to complete.”

Michigan Seamless Tube, one of South Lyon’s largest employers, has had seven workplace safety violations since 2012, according to the U.S. Occupational Safety and Health Administration, with fines totaling $93,000.

Michigan Seamless Tube is a wholly owned subsidiary of Hammond, Indiana-based Specialty Steels Works Inc. The company emerged from Chapter 11 bankruptcy in 2017 and was renamed from Optima Specialty Steel. It also owns steel manufacturers Niagara LaSalle Corp. in Hammond and Corey Steel Co. in Cicero, Illinois.

Wednesday, February 6, 2019 @ 04:02 PM gHale

Mark Stein (Owner) and Laurie Gates (Administrative Manager/Safety Director).

Watertown, SD-based ESCO Manufacturing, Inc., is an industry leader in illuminated signage, constructing quality signs for retail and custom sign companies nationwide.

Their product offering serves three markets: Commercial, schools and churches, and outdoor advertising. Products range from one-of-a-kind specialties to an entire production run of signs. ESCO Manufacturing uses channel letters with light-emitting diode (LED) or neon illumination; aluminum and steel custom shaped cabinets; flex, poly, aluminum or routed faces, any of which can be decorated with digital prints, vinyl, or spray.

ESCO Manufacturing heard about the OSHA On-Site Consultation Program through another employer in Watertown that had a positive experience with the consultants’ services. The company reached out to the OSHA On-Site Consultation Program in an effort to improve its workplace safety and health program. Since 2004, ESCO Manufacturing has been a client of the South Dakota State University On-Site Consultation Program. It first contacted the consultation program for an initial site visit and safety assessment, and the company has been a repeat customer.

The OSHA On-Site Consultation Program offers no-cost and confidential occupational safety and health services to small- and medium-sized businesses in all 50 states, the District of Columbia, and several U.S. territories, with priority given to high-hazard worksites. On-Site Consultation services are separate from enforcement and do not result in penalties or citations. Consultants from state agencies or universities, such as South Dakota State University, work with employers to identify workplace hazards, provide advice for compliance with OSHA standards, and assist in establishing and improving safety and health programs.

During the full-service, comprehensive safety and health visits in 2016 and 2017, minor hazards were identified and immediately corrected in the presence of the consultant. Immediate correction of hazards included disposal of worn electrical cords and removal of debris from electrical panel rooms.

Tracking Method
A tracking method was used to monitor long-term corrections of more complex hazards until the abatements were completed. For example, a potential hazard was identified around the opening of the vacuum former. After discussing this concern with the consultants, guards were added, and signage, restricting employees’ access to the hazard, was prominently displayed. Another potential hazard was identified in the neon room. With the consultant’s guidance, a light curtain was added to ESCO Manufacturing’s neon bending room. This curtain shuts off power to the testing table if employees enter that area while testing is being performed.

After working with the consultants, a number of business practices were changed.

“In addition to our monthly company-wide safety meetings,” said Laurie Gates, ESCO administrative manager and safety director, “we have increased the focus of our monthly safety committee meetings. We implemented an accident investigation process to be used on all first reports and near misses. We also conduct monthly safety training and safety inspections.”

“By working with the OSHA On-Site Consultation Program, we have seen a dramatic decrease in the number of injuries,” Gates said. “We have also seen a significant decrease in our Workers Compensation costs. Our days without a lost time accident are close to 1,000 days, which is a drastic improvement from a few years ago.” ESCO Manufacturing’s experience modifier rate dropped from 0.80 in 2015 to 0.67 in 2018; the value of worker’s compensation claims went from $9,088 in 2015 to zero in 2018; and worker’s compensation premiums were lowered from $48,516 in 2015 to $28,658 in 2018.

“We have grown,” said Gates, “and our payroll increased over this period. The savings is actually understated because worker compensation is a calculation that includes payroll figures. If payroll stayed the same, the saving would have been even more dramatic.”

The company is over 50 years old. Several employees simply were comfortable with well-honed work processes. Initially, getting everyone on the same page with changes to the safety program proved challenging, but over time – through monthly training, ongoing communication, audits, and employee involvement – a safety culture emerged.

SHARP Program
After the full-service, comprehensive safety and health visits in 2016 and 2017, ESCO Manufacturing decided to apply to participate in the OSHA Safety and Health Recognition Program (SHARP). This program recognizes small business employers who have used OSHA On-Site Consultation Program services and operate exemplary safety and health programs. OSHA’s acceptance of a worksite into SHARP singles ESCO Manufacturing out among its business peers as a model for worksite safety and health.

“Earning the OSHA SHARP award and flag has helped raise awareness within the company of the need to work safely and to follow safety procedures,” said Mark Stein, owner. “This program has highlighted areas where we need to improve, and it reinforced some of the workplace safety and health policies and procedures we already had in place. Working for SHARP was a goal that everyone in the company stood behind, helped make happen, and will work to sustain.”

“The On-Site Consultation Program has had a huge impact on our company,” Stein continued. “The program helped us implement programs and procedures in place to make our facilities safer. We have seen a dramatic decrease in the number of injuries that we have on-site. Working safely and wearing personal protective equipment are now a part of our culture. We also include information about our safety record and SHARP certification in our interviewing and new hire on-boarding processes. We have found that most applicants look favorably upon a prospective employer that has a strong safety record.”

Thursday, January 31, 2019 @ 04:01 PM gHale

Graduates Lieutenant Mark Mulla (left) of the New Orleans Police Department and Lieutenant Marina Turner (right) from the United States Coast Guard stand with Michael Wallace (center), director of Tulane’s Emergency and Security Studies.
Source: Jennifer Zdon

Security careers are in huge demand and with a lack of people to fill all the openings, one university is receiving high grades in its offerings.

Tulane University’s Homeland Security online master’s program received high marks from, including the third-best online master’s program and the top program for intelligence officers for 2019.

The list identifies what it sees as the top programs in the nation based on curriculum quality, program flexibility, affordability and graduate outcomes.

“The Tulane Homeland Security Studies program is proud to be included in this list,” said Michael M. Wallace, professor of practice and director of Tulane’s Emergency and Security Studies. “The program’s courses are tailored for the current and future practitioner and draw heavily from the expertise developed in New Orleans, a U.S. municipality that has a great amount of experience in dealing with homeland security issues.”

Since its online debut in 2016-17, Tulane’s master’s in homeland security program, which is offered through the Tulane School of Professional Advancement, has been aimed at individuals with front-line experience, including first responders, community volunteers, veterans or active-duty military members.

The program prepares students to work in the fields of emergency management, intelligence analysis, counterterrorism analysis, cybersecurity, border protection and security and infrastructure protection at all levels of government and in the private sector.

Tulane’s courses range from domestic and international terrorism and intelligence research methods to examinations of emergency management and border security. The curriculum dives deep into the policies and strategies used in today’s advanced homeland security sector.

Students have the opportunity to build on real-world experience to develop the strategic and analytical skills to plan for and prevent emergencies within complex organizations such as corporations, government agencies and nonprofit organizations.

Friday, January 11, 2019 @ 01:01 PM gHale

It is easy to see why security expenditures will continue to grow because global spending in manufacturing automation for the Internet of Things (IoT) is poised to take off this year, researchers said in a new report.

While IoT spending is forecast to reach $745 billion this year, a hike of 15.4 percent over 2018, the industries forecast to spend the most on solutions this year are discrete manufacturing ($119 billion), process manufacturing ($78 billion), transportation ($71 billion), and utilities ($61 billion), according to the report by research firm IDC.

On top of that, global IoT spending will maintain a double-digit annual growth rate throughout the 2017-2022 forecast period and surpass the $1 trillion mark in 2022, according to IDC.

“Adoption of IoT is happening across industries, in governments, and in consumers’ daily lives. We are increasingly observing how data generated by connected devices is helping businesses run more efficiently, gain insight into business processes, and make real-time decisions. For consumers, access to data is changing how they are informed about the status of households, vehicles, and family members as well as their own health and fitness,” said Carrie MacGillivray, vice president, Internet of Things and Mobility at IDC. “The next chapter of IoT is just beginning as we see a shift from digitally enabling the physical to automating and augmenting the human experience with a connected world.”

IoT spending among manufacturers will be largely focused on solutions that support manufacturing operations and production asset management. In transportation, more than half of IoT spending will go toward freight monitoring, followed by fleet management.

IoT spending in the utilities industry will be for smart grids for electricity, gas, and water. The industries that will see the fastest compound annual growth rates (CAGR) over the five-year forecast period are insurance (17.1 percent), federal/central government (16.1 percent), and healthcare (15.4 percent).

“Consumer IoT spending will reach $108 billion in 2019, making it the second largest industry segment. The leading consumer use cases will be related to the smart home, personal wellness, and connected vehicle infotainment,” said Marcus Torchia, research director, Customer Insights & Analysis. “Within smart home, home automation and smart appliances will both experience strong spending growth over the forecast period and will help to make consumer the fastest growing industry segment overall with a five-year CAGR of 17.8 percent.”

The IoT use cases that will see the greatest levels of investment in 2019 are driven by the industry spending leaders: manufacturing operations ($100 billion), production asset management ($44.2 billion), smart home ($44.1 billion), and freight monitoring ($41.7 billion).

The IoT use cases expected to deliver the fastest spending growth over the 2017-2022 forecast period provide a picture of where other industries are making their IoT investments. These include airport facility automation (transportation), electric vehicle charging (utilities), agriculture field monitoring (resource), bedside telemetry (healthcare), and in-store contextualized marketing (retail).

The United States and China will be the global leaders for IoT spending in 2019 at $194 billion and $182 billion respectively. They will be followed by Japan ($65.4 billion), Germany ($35.5 billion), Korea ($25.7 billion), France ($25.6 billion), and the United Kingdom ($25.5 billion).

Friday, January 4, 2019 @ 02:01 PM gHale

Rockline Industries just achieved 10 million safe work hours without a lost time accident (LTA) at its Arkansas operation, state officials said.

The Springdale, AR, campus earned the award for exceptional safety from the Arkansas Department of Labor. Rockline Industries is the seventh company to achieve the milestone since Arkansas began recognizing workplace safety in 1976.

“Our dedicated associates have developed a ‘Safety Can Do’ culture and their efforts to prevent even minor incidents are the greatest contributors to our safety success,” said Mark Fougerousse, EHS manager of Rockline NWA. “We watch out for each other, and have pride in our work environment. Together, we are always striving to be a zero incident facility. That means we put extra effort toward troubleshooting situations others would consider to be very minor and we reduce risk when we see it.”

Rockline associates are responsible and accountable to themselves and the safety of teammates around them. All area personnel are made aware of any observed safety issues noted during the monthly inspections, helping everyone to know what to watch for and to prevent repeat issues in the future.

“We have an incredible group of dedicated employees who believe that zero injuries are possible, at work and home. We pay attention to little details and look out for each other’s safety with genuine concern, every day. More important than any milestone achieved is the knowledge that our employees are acting safely and have a safe place to work. We have accomplished this in an environment of increased growth and significant facility modification, and it is a privilege to work with such a dedicated team,” said Joel Slank, general manager of the Springdale facility.

The award from the department’s Occupational Safety and Health Division is part of Arkansas’ overall educational program to encourage workplace safety by honoring companies whose employees have accumulated a significant number of work hours without a lost day away from work due to a work-related injury or illness.

Rockline Industries started up in 1976 and is headquartered in Sheboygan, Wisconsin. It is a manufacturer of coffee filters and consumer, health care, industrial and institutional wet wipes. A family-owned company, Rockline has repeatedly created first-to-market product design solutions for the wet wipe consumer, and continues to provide innovative products to the nonwovens industry. Rockline employs nearly 2,500 people worldwide and has manufacturing facilities in Wisconsin, Arkansas, New Jersey, Tennessee, England and South China.

Friday, December 14, 2018 @ 02:12 PM gHale

GE has an update available to mitigate a path traversal vulnerability in its Mark VIe, EX2100e, EX2100e_Reg, and LS2100e, according to a report with NCCIC.

Successful exploitation of this vulnerability, discovered by Can Demirel of Biznet Bilisim, could allow an attacker to access system data, which could result in escalation of privilege and unauthorized access to the controller.

The Mark VIe is a distributed control system. The following product versions suffer from the vulnerability:
• Mark VIe Versions 03.03.28C to 05.02.04C
• EX2100e All versions prior to v04.09.00C
• EX2100e_Reg All versions prior to v04.09.00C
• LS2100e All versions prior to v04.09.00C

The affected versions of the application have a path traversal vulnerability that fails to restrict the ability of an attacker to gain access to restricted information.

CVE-2018-19003 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.4.

The product sees use mainly in the energy sector, on a global basis.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.

The path traversal vulnerability has been corrected by GE. GE recommends users upgrade to the current version of ControlST software as described in CSB25378, which is available to registered users via the GE Power ServiceNow portal.

In applications where the controller-hosted web server is not required, GE recommends turning off the web server. For all other applications, GE recommends updating the controller to the latest firmware version available in the current ControlST release.

With respect to EX2100e, GE recommends all standalone excitation controls be segmented from other networks using a firewall installed inside the excitation panels. External communication should be exclusively restricted to only those protocols specifically required for command and control, such as Modbus. Other services including HTTP must be blocked from external access.

To minimize the risk of exposure to this and any other vulnerabilities, GE recommends a defense-in-depth approach to protecting critical process control equipment. Guidance on technology and best practices to secure GE controllers from cyber attack is provided in the Mark VIe Control Systems Secure Deployment Guide (GEH-6839), which can be requested through GE Technical Support.

Additionally, GE recommends users of affected versions take the following mitigating actions while awaiting an upgrade:
• Maintain tight physical access control to all critical controllers
• Limit network availability to only the most critical needs and implement tight firewall restrictions
• Disable any unnecessary network related functions or enable only on an as needed basis

GE provides additional up-to-date information concerning this issue (requires customer account/login).

Or contact GE PSIRT.
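The vulnerability class named in the advisory above, shown as an added Python illustration that is not GE code and knows nothing of the real Mark VIe web server: a weak file resolver that lets a `..` request escape the web root, a hardened resolver that canonicalises the path and refuses anything outside the root, and a defender's check over access-log lines for traversal markers. The web root, file names, request paths and log lines are all constructed for the demonstration.

```python
"""Path traversal in a controller-hosted web server: weak vs hardened file
resolution, plus a log check for traversal attempts (constructed demo)."""
import os
import re
import tempfile
from urllib.parse import unquote


def setup_demo_tree() -> str:
    """Build a constructed tree: a web root holding one public page, and a
    sensitive file one directory above it. Returns the web root path."""
    base = tempfile.mkdtemp(prefix="ctrl_demo_")
    web_root = os.path.join(base, "www")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as fh:
        fh.write("<h1>controller status</h1>")
    with open(os.path.join(base, "config.ini"), "w") as fh:  # outside root
        fh.write("[demo]\nsecret=constructed-value\n")
    return web_root


def resolve_insecure(web_root: str, request_path: str) -> str:
    """The weak pattern: decode, strip the leading slash, join.
    '..' segments survive the join and walk above web_root."""
    return os.path.join(web_root, unquote(request_path).lstrip("/"))


class TraversalRejected(Exception):
    pass


def resolve_hardened(web_root: str, request_path: str) -> str:
    """Canonicalise the request and refuse anything outside web_root."""
    decoded = unquote(request_path)
    # If a second decode pass changes the value, the path was double-encoded.
    if unquote(decoded) != decoded:
        raise TraversalRejected("double-encoded path")
    if "\x00" in decoded or "\\" in decoded:
        raise TraversalRejected("forbidden character in path")
    root = os.path.realpath(web_root)
    # realpath collapses '..' and follows symlinks, so the containment
    # check sees the file that would actually be opened.
    target = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise TraversalRejected("path escapes web root")
    return target


def is_rejected(web_root: str, request_path: str) -> bool:
    try:
        resolve_hardened(web_root, request_path)
    except TraversalRejected:
        return True
    return False


# Plain, backslash and percent-encoded (single or double) parent references.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e)", re.IGNORECASE)


def traversal_attempts(log_lines):
    """Return request paths from access-log lines carrying traversal markers."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


SAMPLE_LOG = [  # constructed access-log lines
    '10.0.0.5 - - [14/Dec/2018:10:01:02] "GET /index.html HTTP/1.1" 200 27',
    '10.0.0.9 - - [14/Dec/2018:10:01:07] "GET /../config.ini HTTP/1.1" 200 41',
    '10.0.0.9 - - [14/Dec/2018:10:01:09] "GET /%2e%2e/%2e%2e/config.ini HTTP/1.1" 404 0',
]


def demo():
    """Returns (weak resolver leaks, hardened resolver blocks, flagged paths)."""
    web_root = setup_demo_tree()
    leaked = os.path.isfile(resolve_insecure(web_root, "/../config.ini"))
    blocked = is_rejected(web_root, "/../config.ini")
    return leaked, blocked, traversal_attempts(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```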

Tuesday, December 4, 2018 @ 04:12 PM gHale

Following the Marriott International hotel chain breach, U.S. Democrat Senators Mark Warner, Ed Markey, and Richard Blumenthal want data security and consumer privacy legislation.

The Marriott hotel chain disclosed a huge data breach on November 30 which affected 500 million customers who had their data stored in the chain’s Starwood guest reservation database.

The massive security breach dates back to 2014, and Marriott found out about it on September 10 following an internal security alert regarding an attempt to access the Starwood reservation database.

“Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon. The American people deserve real action,” said Senator Markey. “It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them.”

Senator Warner also requested new legislation requiring companies to limit the amount of data they collect from their customers, as well as remove the sensitive data they no longer use from their databases.

U.S. Senator Blumenthal said Marriott’s failure to protect the sensitive data its customers entrusted to it greatly increases their risk of being targeted by future identity theft and financial attacks.

Marriott completed its acquisition of Starwood in 2016.

In addition, the Federal Trade Commission released an advisory about steps victims of the incident can take.