41 Cybersicherheit von Embedded Systems, OT und IoT /invite Thomas Weber, CyberDanube

Eingebettete Geräte („embedded systems“) sind ein fester
Bestandteil unseres täglichen Lebens. Diese Geräte, die von Smart
Metern bis hin zu industriellen Steuerungssystemen reichen, sind
darauf ausgelegt, bestimmte Aufgaben auszuführen und werden in
der Regel mit begrenzten Ressourcen gebaut. Natürlich haben
„embedded systems“ oder auch OT/operational technology
IT-Sicherheitsprobleme. Zusammen mit Thomas Weber spreche ich
über die Cyber-Sicherheitsimplikationen dieser zahlreichen
Geräte. Wir gehen darauf ein, wo „embedded systems“ überall drin
stecken, welche Verwundbarkeiten sie haben und wie man ihre
Sicherheit verbessern kann. Wir veranschaulichen das am Beispiel
der Smart Meter Diskussion zur intelligenten Steuerung des
Stromnetzes. Zum Schluss sprechen wir auch noch über aktuelle
Entwicklungen in der EU, wie der EU Cyber Resilience Act, der
auch an den IT-Sicherheitsanforderungen von „embedded systems“
Verbesserungen einführt.
Shownotes

CyberDanube: https://cyberdanube.com/de/

Thomas Weber:
https://www.linkedin.com/in/thomas-weber-ce/?originalSubdomain=at

How do OT and IT differ?
https://www.cisco.com/c/en/us/solutions/internet-of-things/what-is-ot-vs-it.html

US NIST Guide to Operational Technology (OT) Security,
https://csrc.nist.gov/pubs/sp/800/82/r3/ipd

Characteristics of embedded Systems and IoT,
https://www.upskillcampus.com/blog/embedded-systems-characteristics-of-embedded-systems-and-iot

Embedded Software market shares,
https://www.gminsights.com/industry-analysis/embedded-software-market

Embedded System market size,
https://www.globenewswire.com/news-release/2023/01/25/2595562/0/en/The-Global-Embedded-Systems-Market-size-is-expected-to-reach-126-7-billion-by-2028-rising-at-a-market-growth-of-5-7-CAGR-during-the-forecast-period.html

Security challenges of Embedded IoT Design,
https://www.renesas.com/us/en/document/whp/how-solve-6-top-security-challenges-embedded-iot-design-0

OT Security best practices,
https://www.beyondtrust.com/blog/entry/operational-technology-ot-cybersecurity-4-best-practices

Benefits of smart meters,
https://www.smart-energy.com/regional-news/north-america/potential-benefits-to-society-through-smart-metering-initiatives/amp/

Societal benefits of smart metering investments,
https://www.sciencedirect.com/science/article/abs/pii/S1040619008001929

Demand Response,
https://www.iea.org/energy-system/energy-efficiency-and-demand/demand-response

Vulnerabilities in smart meters,
https://techmonitor.ai/technology/cybersecurity/how-secure-are-smart-meters

IT security of the smart grid,
https://smartgrid.ieee.org/bulletins/july-2018/security-and-privacy-concerns-in-smart-metering-the-cyber-physical-aspect

Resiliency of smart power meters,
https://www.sciencedirect.com/science/article/pii/S1877050915008492

Smart meter security,
https://www.researchgate.net/publication/333305127_Smart_Meter_Security_Vulnerabilities_Threat_Impacts_and_Countermeasures

Mitigating smart meter security risks,
https://eepower.com/technical-articles/mitigating-smart-meter-security-risk-a-privacy-preserving-approach/

Microsoft Multiple high severity vulnerabilities in CODESYS
V3 SDK,
https://www.microsoft.com/en-us/security/blog/2023/08/10/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos/

16 Car Makers and Their Vehicles Hacked via Telematics, APIs,
Infrastructure,
https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure/


Nachtrag: Sicherheit von öffentlichen WLANs und
Antiviren Tools

The Risk of Public Wifi,
https://www.forbes.com/advisor/business/public-wifi-risks/#:~:text=One%20of%20the%20biggest%20risks,your%20devices%20without%20you%20knowing.

CISA Best practices public WiFi,
https://www.cisa.gov/sites/default/files/publications/Best%2520Practices%2520for%2520Using%2520Public%2520WiFi.pdf

Die Schlangenöl Branche,
https://www.golem.de/news/antivirensoftware-die-schlangenoel-branche-1612-125148.html

Schutz oder Schlangenöl?,
https://www.heise.de/select/ct/2017/5/1488560529789980

Do you still need Antivirus?,
https://www.security.org/antivirus/do-you-need-antivirus/

Is Antivirus Software Becoming Obsolete?,
https://www.poweradmin.com/blog/are-malware-threats-making-antivirus-software-obsolete/

31 Antivirus Statistics and Trends,
https://dataprot.net/statistics/antivirus-statistics/#:~:text=On%20average%2C%20antivirus%20software%20is,25%25%20successful%20at%20detecting%20malware.&text=Statistics%20on%20computer%20viruses%20and,%2Dthe%2Dline%20antivirus%20software.

Do you need antivirus protection in 2023?,

https://surfshark.com/blog/do-i-need-antivirus

You Don’t Need to Buy Antivirus Software,
https://www.nytimes.com/wirecutter/blog/best-antivirus/

Understanding Anti-Virus Software,
https://www.cisa.gov/news-events/news/understanding-anti-virus-software

Antivirus and other security software,
https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software

Virenschutz und falsche Antivirensoftware,
https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Virenschutz-Firewall/Virenschutzprogramme/virenschutzprogramme_node.html

Timecodes

04:26 Definition embedded systems


10:10 Entwicklungsgeschichte der embedded systems


14:14 CodeSys Schwachstelle


17:24 IT Sicherheitsaspekte von embedded systems


30:32 Smart Meter  


43:20 EU Cyber Resilience Act


49:45 Ausblick 
Hinweise

Blog & Podcast über die dunkle Seite der Digitalisierung:
Cyber-Sicherheit, Cyber-War, Spionage, Hacker, Sabotage,
Subversion und Desinformation. Kommentare und konstruktives
Feedback bitte auf percepticon.de oder via Twitter. Dieser Cyber
Security Podcast erscheint auf iTunes, Spotify, PocketCast,
Stitcher oder via RSS Feed. Am Anfang folgt noch ein kleiner
Nachtrag zur letzten Folge mit den Top 10 IT-Sicherheitstipps,
nachdem mich etwas Feedback dazu erreichte.
Sound & Copyright

Modem Sound, Creative Commons.

Vint Cerf, „Internet shows up in December 1975“, in: IEEE
Computer Society, Computing Conversations: Vint Cerf on the
History of Packets, December 2012.

L0pht Heavy Industries testifying before the United States
Senate Committee on Governmental Affairs, Live feed from CSPAN,
May 19, 1998.

Barack Obama, Cybersecurity and Consumer Protection Summit
Address, 13 February 2015, Stanford University, Stanford, CA.

Michael Hayden, „We kill people based on meta-data,“ in: The
Johns Hopkins Foreign Affairs Symposium Presents: The Price of
Privacy: Re-Evaluating the NSA, April 2014.

Bruce Schneier, „Complexity is the enemy of security, in IEEE
Computer Society, Bruce Schneier: Building Cryptographic Systems,
March 2016.

Beats, Bass & Music created with Apple GarageBand