URGENT AND CRITICAL: REMOTE CODE EXECUTION IN VARIOUS SPRING COMPONENTS NEEDS IMMEDIATE ATTENTION

Red alert! All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered vulnerabilities “Spring4Shell” since its announcement, between 29th and 30th March, 2022, affecting various Spring components.

CVE-2022-22963

Vulnerability Score: 9.5 (CVSS: 3.0 / AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Platform: Java
Components: org.springframework.cloud:spring-cloud-function-core, org.springframework.cloud:spring-cloud-function-context
Affected versions: 3.1.6, 3.2.2 and older unsupported versions
Fixed in version: 3.1.7, 3.2.3

CVE-2022-22965

Vulnerability Score: 9.5 (CVSS:3.0 / AV: N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Platform: Java
Components: org.springframework:spring-beans
Affected versions: all versions before 5.2.20, all versions before 5.3.18 
Fixed in version: 5.2.20, 5.3.18

Please note that this affects also the spring-framework package and the spring-boot package, that both use the offending libraries. New versions of such packages have been made available. You can upgrade spring-framework to version 5.2.20 or 5.3.18, and you can upgrade spring-boot to version 2.5.12 or 2.6.6 (note that spring-boot itself includes spring-framework, no other upgrades necessary).

Which systems does these affect?

CVE-2022-22963 affects any project built using a vulnerable version of Spring Cloud, a framework that provides tools for developers to quickly build some of the common patterns in distributed systems. The “functions” part is a subsystem used to implement serverless functions like AWS lambda or Google Cloud Functions: if you are using such subsystem you are potentially affected.

CVE-2022-22965 affects any project built using a vulnerable version of Spring Framework, Spring Boot or the library spring-beans. A successful attack, however, can only be conducted undere these conditions:

  • JDK 9 or higher is used as the runtime environment
  • Apache Tomcat is used as the Servlet container
  • The application is packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • There is a dependency with spring-webmvc or spring-webflux, or an endpoint is used with DataBinder enabled

Please note however that analysis are undergoing and the nature of the vulnerability is quite general: we suggest you keep monitoring this page for further updates.


Why do these threats demand an urgent patch?

Both vulnerabilities allows the attacker to remotely execute code on your system, with the ability to gain complete control of the underlying servers. It’s a simple exploit, as it requires only to send a crafted HTTP header in a request in order to execute code on the remote host. These vulnerabilities are actively exploited in the wild.


How can I check if my system is affected?

If you maintain any software using Java libraries, check if you are using any Spring Cloud Function library. The  Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries.  If it is using the offending package, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.

If you are a developer and you have access to the code, you can simply execute this command from your terminal:

CVE-2022-22963:

$ mvn dependency:tree | grep spring-cloud-function | grep compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:3.1.2:compile

If you see any response lines, check the version: if it’s below 3.1.7 (as in the above example) or, if using 3.2.x, below 3.2.3, you may be affected.

CVE-2022-22965:

$ mvn dependency:tree | grep spring-beans | grep compile
[INFO] +- org.springframework:spring-beans:jar:5.3.11:compile

If you see any response lines, check the version: if it’s below 5.3.18 (as in the above example) or, if using 5.2.x, below 5.2.20, you may be affected.


My system has the vulnerable spring cloud function library — how can I mitigate the risk?

There are now patched versions of the affected components that resolve the issues, they are available via the standard Maven repositories. Upgrade the offending packages using the patched versions, as described in this article.

If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before.

CVE-2022-22963:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-function-core</artifactId>
        <version>3.1.7</version>
    </dependency>

Please be aware that there are multiple packages rooted in "spring-cloud-function": you will need to upgrade all of them, in particular "spring-cloud-function-context" which is also directly affected.

CVE-2022-22965:

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>5.3.18</version>
    </dependency>

Please be aware that you may need / may be better to upgrade the parent pom of the project using an unaffected version of spring boot / spring framework (see at the start of the article).


What can I do to proactively protect from such vulnerabilities?

We always suggest you regularly scan your software code bases. 

  • To do a scan from the command line using the Meterian CLI scanner
  • To include this as part of your continuous improvement efforts to build resilience into your software development lifecycle, see our documentation on the various integrations we support with GitHub ActionsAzure DevOps Pipelines, and others.


Are Meterian applications affected by the spring vulnerability?

We have verified our applications and none are using the offending packages in a vulnerable configuration. We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components. Given the nature of this vulnerability we will be running a specific monitoring for the following days, while more details are unfolded in regards to those vulnerabilities.   

Related references

CVE-2022-22963

CVE-2022-22965

URGENT AND CRITICAL: REMOTE CODE EXECUTION IN VARIOUS SPRING COMPONENTS NEEDS IMMEDIATE ATTENTION

Visibility is vital if we are to improve safety and trust in open source

Image shows an observation deck, but the panorama is veiled behind white light or mist showing blank skies.  Do we know or see what we are building in our digital world?

Photo by Kate Trysh on Unsplash

Recent high profile cyber security incidents have reinforced the importance of cleaning up the open-source software supply chain. From Heartbleed to the Apache Software Foundation’s Log4j vulnerability, these highly publicised incidents have exposed the threats associated with the software supply chain.

Open source security vulnerabilities are nothing new. Heartbleed was a security bug in the OpenSSL cryptography library that affected many systems. Similarly, Log4Shell is a severe vulnerability, however in the case of Log4j the number of affected systems could well run into potentially billions. Many cybersecurity experts have characterised Log4Shell as the single biggest, most critical vulnerability of the last decade.

These incidents have brought into sharp focus the risks and galvanised a range of responses at national and international level. It even prompted the White House to convene an Open Source Software Security Summit in January that was attended by leaders from global technology companies including Google, Meta, Apple, and Cisco. Members of the open source community were also represented at the summit, as well as US government agencies, including the Cybersecurity and Infrastructure Security Agency, the National Security Council and the National Institute of Standards and Technology.

The gathering may have been precipitated by the Log4Shell vulnerability, but the wider context was clear. How do we ensure source code, build, and distribution integrity to achieve effective open source security management?

Open source under the microscope

Technology companies have been using open source for years as it speeds up innovation and time to market. Indeed, most major software developments include open source software – including software used by the national security community.

Open source software brings unique value, but it also has unique security challenges. It is used extensively, however, the responsibility of ongoing security maintenance is carried out by a community of dedicated volunteers. These security incidents have demonstrated that the use of open source is so ubiquitous that no company can blindly continue in the mode of business as usual. Recent research showed that 73% of applications scanned have at least one vulnerability[1]. These can be buried deep in the open source software supply chain that software-driven businesses rely on for basic functionality and security to accelerate their time to market.

The known unknown

The concept of known knowns, known unknowns and unknown unknowns has been widely used as a risk assessment methodology. When it comes to cybersecurity and the voracity of threat actors to exploit vulnerabilities, it is a useful analogy.

Let’s take Apache Log4J as an example. Companies often create products by assembling open source and commercial software components. Almost all software will have some form of ability to journal activity and Log4j is a very common component used for this.

How do you quickly patch what you don’t know you have?

Java logger Log4j 2 – A zero-day vulnerability

Log4J was originally released in 2001, and over the last 20 years it has been used in billions of software developments and applications across the world. For logging incidents within software, Log4j is used by everything from the humble 404 error message, gaming software such as Minecraft, and Cloud providers such as iCloud and Amazon Web Services, as well as for all manner of software and security tools.2 On 9 December 2021, the zero-day vulnerability in the Java logger Log4j 2, known as Log4Shell, sent shockwaves across organisations as security teams scrambled to patch the flaw. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage, not least to brand reputations.

However, herein lies the problem. How do you quickly patch what you don’t know you have?

Often in the race to innovate, the first thing sacrificed is up-to-date documentation. Without it how does a company know if Log4J is integrated within its application estate, let alone know if it has been previously patched.

Improving safety and trust when speed is of the essence

If we are to increase safety and trust in software, we must improve transparency and visibility across the entire software supply chain. Companies should have the ability to automatically identify open source components in order to monitor and manage security risk from publicly disclosed vulnerabilities. A software bill of materials (SBOM) should be a minimum for any project or development. Without such visibility of all component parts, security teams cannot manage risk and will be unaware, and potentially exposed, to dangers lurking in their software.

Case study – Full Visibility within an Hour

To give an example; one of the largest UK based financial services company with millions of customers across the world discovered it had Log4J embedded within dozens of in-house developed software projects. Having seen the first reports of the vulnerability at the start of the business day, within an hour the security team had identified projects using Log4j and were able to start work on follow up activities. By the end of the day, the entire business had a concise list of projects at risk, some of which were already remediated.

How was this achieved?

The company had automated tooling integrated into their software development environment with comprehensive component security. This enabled them to quickly identify those software projects which depended on the affected log4j component.

This visibility allowed the company to devise remediation plans to mitigate the risks of the vulnerability in Log4J. The company was able to target valuable resources across multiple locations to ensure fixes were applied quickly to critical business applications within just a couple of hours. While they were implementing an action plan based on the organisation’s use of Log4j, some of its competitors without such comprehensive tools were still in the information gathering stage.

Innovating securely

As organisations continue to innovate at pace in order to reduce time to market, the reliance on open source software continues to increase. However, when the security of a widely-used open source component or application is compromised, every company, every country, and every community is impacted.

The White House has taken an important first step in trying to identify the challenges present in the open source software supply chain and encourage the sharing of ideas on ways to mitigate risk and enhance resilience. Organisations can and should take advantage of the many benefits that open source software can deliver, but they must not do it blindly. Ensuring you know the exact make-up of your technology stack including all the component parts is an important first step. Choosing discovery tools that have the widest comprehensive coverage is important, and so too is the flexibility to grade alerts so that only the most pressing threats are highlighted. This avoids ‘alert fatigue’ and enables security teams to focus resource where it matters most, putting organisations in a good position to act fast when vulnerabilities are discovered.

Hackers faced with stronger security defences will continue to turn their attention to the weaker underbelly of the software supply chain. Now is the time for organisations to implement integrated and automated tooling to gain comprehensive risk control of components in their open-source software supply chain. Only by increasing visibility, coverage of known unknowns and transparency can companies stay one step ahead.

1 Meterian research from aggregated and anonymised data of 2044 scanned software applications in 2020.

2 “What is Log4j? A cybersecurity expert explains the latest internet vulnerability”, The Conversation, Dec 21, 2022, https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896

Visibility is vital if we are to improve safety and trust in open source

An introduction to the world of SBOMs

3 minute read

We are sure many of you have been hearing about SBOMs. Nowadays, software include some components with code written by your own developers, but 80-90% of the code is typically from third-party developers. How can you know who produced what and when it absolutely needs to be replaced? Since Meterian has been managing SBOMs for awhile, we’re happy to share our know-how so you can consider a comprehensive strategy to manage your open source software supply chain. 

Photo by Raymond Rasmusson on Unsplash

What is an SBOM?

SBOM is an acronym that means Software Bill Of Materials. The concept originates from the manufacturing industry, where a bill of materials lists dependent components in machinery. A SBOM lists all third-party components present in your application. A good SBOM also lists the licences used by each component and, when possible, the specific copyright attribution. An excellent SBOM can also provide further information, such as possible relationships between those components to better understand any supply chain risk. You may have encountered SBOMs in the past, known as “third party notice” documents created to manage legal requirements, such as the one in the image below. 

Altova Third Party Software License Notice

However, modern SBOMs are “machine-readable”.  They follow a strict specification that can be understood by a computer. 

What machine-readable formats are used to publish SBOMs?

The most commonly used formats to define a SBOM are:

  • CycloneDX, a lightweight open-source standard designed for use in application security context and supply chain component analysis. This originated from within the OWASP community.
  • SPDX, an open source format with origins in the Linux Foundation, slightly more complex, and recently approved as ISO/IEC standard in version 2.2.1 as ISO IEC 5962:2021.
  • SWID, another ISO/IEC industry standard used by various commercial software publishers.

All these formats support a variety of use cases, but the first two (CycloneDX and SPDX) are the most versatile. Due to SPDX’s complexity, we think CycloneDX has an edge at this time, but only time can tell which of these formats will be the winner. To learn more about these formats you can also read the official NTIA publication, which drills down into the matter.

Why are SBOMs important? And how are they useful?

As a consumer of software, the main reason why you want to have access to the SBOMs of the systems you are using is to manage risks. When a very commonly used software component becomes vulnerable: how do you know what you need to patch and which subsystems are at risk? This is exactly what happened with the recent Log4Shell debacle. The logging library called Log4j, was suddenly exploitable with a very simple and repeatable attack. How do you know where it is? Which one of the systems you are using is suddenly at risk?  With a correctly managed archive of SBOMs, getting this information reduces to a very simple lookup task. Without it, it can be a real nuisance —a time consuming information hunt that disrupts everyone’s work flow.

As a producer of software, instead, you want to preserve and maintain an archive of all the SBOMs of the system you produce so that you can create and distribute timely patches to your customers. Having a systematic and comprehensive analysis of your most commonly used software packages would be useful indeed. Some companies were very fast in releasing patches to their customers, while others were extremely slow, mostly because they did not have the information.  You probably want to be in the first group of companies 🙂

Governments are also mandating the need for use of SBOMs, realising that software security needs to be regulated.  The U.S. Executive Order 14028 that mandates all federal agencies to require SBOMs from their suppliers.  This not only impacts the companies that have direct sales to the US government but also their own software suppliers.  As so many systems and devices have been connecting to the Internet to send and receive information, consequently our digital world relies on a software supply chain.  This “ripple effect” will be significant for many industries. 

It’s important to consider how software products you produce can meet basic security requirements and how the associated software security information is produced and managed in your organisation.   Similar legislation has already been proposed in Europe since the publication of  “Guidelines for securing the IoT” by ENISA (hint: SBOMs are required) and the ETSI EN 303 645 global standard for consumer IoT security, which is based on the UK government’s Code of Practice.  See also the recently published Product Security and Telecommunications Infrastructure (PSTI) Bill and more to come from the UK government to improve the UK’s cyber resilience.

How should SBOMs be handled?

Very carefully :), because an SBOM contains the full list of the “ingredients” of your system or application. While open-source projects happily share this information to the world, the same does not apply to private companies. In fact, a malicious actor that gets hold of the SBOM of your system can then check if you are using any vulnerable components. There are public vulnerability databases, such as the NVD, which are very popular. Someone can simply browse in there and compose a list of possible attacks, try them, and maybe get lucky.  Probably 9 out of 10 vulnerabilities affecting components in your system won’t be exploitable, but having the ability to go through the whole list, certainly makes the task of finding an exploit much easier. 

There’s no need to keep SBOMs a complete secret, however, as long as a few simple principles are kept in check:

  • SBOMs need to be shared securely,
  • they need to be accessed only by the authorised parties, across organisational boundaries, and
  • they should not be tampered with.

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  

Why bother with SBOMs now?

In summary, it is essential to produce a precise SBOM, and it is just as vital to share it and maintain it securely with the correct (trusted) third parties.  In our hyper connected world, comprehensive coverage of components is important for preventative strategies and threat detection in supply chain attacks.  Therefore, implementing SBOM management proactively now will be worth something to your organisation when the next critical vulnerability appears and stand your organisation in good stead. All good collections are worth organising. How valuable is your collection of software?

Photo by Susan Q Yin on Unsplash
An introduction to the world of SBOMs

Urgent and Critical: Remote Code Execution in Apache Log4j needs immediate upgrade

Updated: 31 Dec 2021

5 minute read

This is a call to arms. All enterprise software maintainers of software using Java libraries need to check if their systems are affected by the newly discovered Apache Log4j vulnerability since its announcement on Dec 9, 2021. Since then several security vulnerabilities in the wild have been discovered.

CVE-2021-44832

Vulnerability Score: 6.6 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: 2.0-alpha7 to 2.17.0 inclusive, except 2.3.2 and 2.12.4.
Fixed in version: 2.17.1

CVE-2021-44228

Vulnerability Score: 10.0 (CVSS: 3.0 / AV: N / AC: L / PR: N / UI: N / S: C / C: H / I: H / A: H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions before 2.14.1, inclusive
Fixed in version: 2.15.0 but upgrade to 2.17.0 is required because of CVE-2021-45105

CVE-2021-45046

Vulnerability Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) (updated 18/12/2021)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions up to 2.15.0, excluding 2.12.2
Fixed in version: 2.16.0 but upgrade to 2.17.0 is required because of CVE-2021-45105

CVE-2021-45105

Vulnerability Score: 7.5 (CVSS: 3.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Platform: Java
Component: org.apache.logging.log4j:log4j-core
Affected versions: all versions from 2.0-beta9 to 2.16.0, inclusive
Fixed in version: 2.17.0


Which systems does this affect?

Apache Log4j is probably the most common library used for logging in the Java ecosystem with over 400,000 downloads from its GitHub project. It is used in Java applications to log system and user activities, so there’s a serious possibility your Java software is using it. It is used, internally, by many other Apache frameworks such as Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Flink, Apache Kafka, Apache Dubbo. It is also actively used in many other open source projects, like Redis, ElasticSearch, Elastic Logstash, Ghidra and many others.

Among all these open source components, one needs a special mention: Apache Struts. Yes, it is actively using Log4j. There exists a potential to trigger high-impact attacks against a wide variety of apps and services, similar to the scale witnessed in 2017. At that time, due to the vulnerability exploited in the Equifax megahack, 140 million customers’ data in North America and UK were breached. The latest version of Apache Struts, 2.5.28, uses by default Log4j version 2.12.21, which is vulnerable to this attack. This time, however, the scope for damage could be even wider, as Apache Struts is one of many Apache frameworks that use Log4j. 

The Java ecosystem is in very broad use in enterprise systems and web apps and many mainstream services are likely to be vulnerable. Therefore, software maintainers and developers should pay close attention to this vulnerability. 

This has been preliminary filed as CVE-2021-44228, and a subsequent vulnerability was also flagged, now filed under CVE-2021-45046.


Why does this threat demand an urgent patch?

This vulnerability allows the attacker to remotely execute code on your system, with the ability to gain complete control of the underlying servers.

This is actively exploited on the internet now and there is already a simple POC (proof of concept) available on the internet that explains how to do it. 

From https://www.wired.com/story/log4j-flaw-hacking-internet/:

“All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.  […]Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.”

If you maintain an enterprise system using Java software, you would need to update all affected applications, whether they are maintained directly by your organisation or your supplier organisation.

Within 2 days of the 2017 vulnerability being announced, several systems around the world were breached by exploiting the software weakness.  We do not want more cyber breaches of such scale and all need to react quickly to patch vulnerable systems.


How can I check if my system is affected?

If you maintain any software using Java libraries, check if you are using Apache Log4j.  Meterian BOSS scanner can be used to scan your codebase to identify all dependent software libraries.  If it is using Log4j, it will find the affected vulnerable versions and provide more information on how to mitigate this risk.

If you are a developer and you have access to the code, you can simply execute this command from your terminal:

$ mvn dependency:tree | grep log4j-core | grep compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile

If you see any response lines, check the version: if it’s below 2.16.0 (as in the above example) you may be affected.


My system has the vulnerable log4j library — how can I mitigate the risk?

There is a patched version of the library that resolves the issue.  Released by Apache Software Foundation, the solution is to immediately upgrade log4j to the latest log4j version 2.16.0.  The fixed version is available via Maven

If the library is coming from a transitive dependency (it’s not one of your direct dependencies, but a dependency of them) you can just include an override in your root pom.xml (or where applicable) and retest that it’s not there anymore with the command shown before:

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.16.0</version>
    </dependency>

A set of mitigations, specific to the version you are using, are also available on the Apache Log4j website. The Apache Struts team provided specific advice on how to handle the issue.

If you are using an external product that runs with Java, you can also protect your systems by launching the JVM with this special parameter:

-Dlog4j2.formatMsgNoLookups=true

This is useful for tools like Jenkins, where you have control of the installation but you do not have control of the code, but please note that this does not protect against the latest CVE.


What can I do to proactively protect from such vulnerabilities?

We always suggest you regularly scan your software code bases. 


Are Meterian applications affected by the log4j vulnerability?

No. We have verified our applications and none are using log4j.  We maintain a continuous monitoring system to ensure our development operations are up to date with the latest known vulnerabilities in software components.   

Related references

Urgent and Critical: Remote Code Execution in Apache Log4j needs immediate upgrade

The Rising Role of Cyber Security in Sustainable Development and Growth

Last updated: 07/07/2021

12 minute read

Photo by Kervin Edward Lara on Pexels.com

The topic of sustainability is unmissable at the moment. As the urgency of the situation grows, it continues to demand attention from various sectors and industries within society. You may wonder where the cyber security industry fits into all of this. Whilst traditionally from very different worlds, they are united through the characteristics of constant innovation and the capacity to bring about real change for the better. Certainly, cyber security has a bigger role to play in the overarching battle for a more sustainable world than one may initially think. 

The Industry

As around two thirds of greenhouse gas emissions world wide are associated with burning fossil fuels1, renewable energy is a good place to start. The UK currently has the largest number of offshore wind resources in the world, equating to about 10GW in operation outside of the border2. Infrastructure such as this pushes us one step closer to meeting the UK’s target of reaching net zero emissions by 20502. It’s not just the UK that has set the ball rolling in the fight against greenhouse emissions, our friends across the pond are aiming for no electricity sector carbon emissions by 2035— as outlined by Biden3. So, whilst this growing industry means great things for our hopes of preserving the world we live in, mass investment means it is also shaping up to be a very lucrative market for cyber criminals to direct their efforts towards. Jim Guinn, global managing director for cyber security in energy, chemicals, utilities and mining at Accenture states, “The cybersecurity conversation in the renewable energy engineering and construction business is almost nonexistent today.”3 It is imperative that an industry gaining traction as quickly as this one protects itself with the necessary defense measures against cyber attacks.

How exactly are renewable energy plants made vulnerable to cyber hackers?

As mentioned before, sustainability shares close ties with new innovation. Renewables depend on control systems and distribution networks supported by technology. As many sources of renewable energy, such as wind and solar power are not readily available 24/7 like fossil fuels are— they require storage previsions that are also underpinned by technology4. IoT plays a huge role in the remote monitoring, control and regulation of off-shore wind turbines5. As we know, more than 75% of the code in use that makes these technologies a reality is open source, putting open source components smack bang in the middle of the sustainability conversation. However, older wind farms and their communication systems were never designed with the “security by design” mindset like the IEC 62443 standard6, similar to the GDPR principle7. As stated by Jim Guinn “renewables have lax cybersecurity standards, as they are an industry that may be more focused on building first and leaving cybersecurity as an afterthought”3.

Past attacks

A first example in which renewable energy facilities became victims of cyber attacks was the 2014 DragonFly hack8. The cyber criminal group used Remote Access Trojans (RAT) named Backdoor.Oldrea and Trojan.Karagany to infiltrate energy grid operators, major electricity generation firms, petroleum pipeline operators, and Energy industry industrial control system (ICS) equipment manufacturers located in the United States, Spain, France, Italy, Germany, Turkey, and Poland. The hackers had been present in systems since 2011 before detection. Although reports indicate that the overarching aim of the hack was to gather intelligence, later investigation suggested it also had the capacity to take control of physical systems themselves. 

A second example in which renewable energy facilities have fallen victim to cyber attack was the SPower hack of 2019. Unfortunately, the group gained the title of being the first U.S. provider of solar and wind renewable energy to have been the victim of a cyber-attack. A hacker used a vulnerability in a Cisco firewall to interrupt the connection between sPower’s wind and solar power generation installations and the company’s main command center9

More recently, Colonial Pipeline’s hack10– reported on 7th May 2021 fell victim to a cyber attack, highlighting just how seriously energy supplies can be affected by cyber criminal organisations. As a result of ransomware, one of the U.S’ biggest pipelines was forced to shut down operations11. In the subsequently released statement it was revealed that after a 90M bitcoin payout, Colonial Pipeline said that remediation is ongoing and each system is being worked on in an “incremental approach”12. This attack compromised around 45% of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. Whilst the energy jeopardised in this case was not renewable, Jonathan White, director of NREL’s cybersecurity program office highlighted that “As the penetration of renewable generation and EV charging stations increases in the future, the consequence of a successful attack is likely to be similar in aggregate to those of a successful attack to a natural gas, coal or nuclear plant today”3. Thus, a cyber attack such as the one launched on Colonial Pipeline gives a worrying insight into the potential damage that could be launched on the renewable energy sector. 

Risks for the future

After using the Meterian web scanner to evaluate the security of some major UK energy suppliers, we were able to see that similar issues are being faced. For example, the UK’s biggest supplier of energy, British Gas received a security score of 0 out of a best possible 100. Our report indicates that they currently have components in use that pose a threat to their system, as well as components in use with undeclared licenses.

Again, after scanning https://firstlightfusion.com/, one of the UK’s leading renewable energy suppliers, we found 2 high threat level vulnerabilities and 3 medium threat level vulnerabilities, as well as components in use with undeclared licenses. 

As this sector grows in both relevance and monetary value, there is a need for adequate cyber security that is growing in unison. According to industry growth trajectories, the renewable energy sector is set to become a big target of cyber hackers. As shown in this blog, experts have not been afraid to warn that more needs to be done to reinforce the security of renewable plants. The need is made even more important to protect consumers’ faith in new energy sources that play an important role in our fight against climate change. 

There is some evidence that the tide is changing to benefit the cybersecurity of the energy sector, both traditional and renewable. On 12th May 2021 Biden issued The Executive Order on Improving the Nation’s Cybersecurity13. A few main points from the bill are:

  1. New and more stringent cyber security standards for government purchased software including multi-factor authentication and endpoint detection and response of software.
  2. Suppliers of technology must provide a SBOM (Software Bill Of Materials) that highlights the source of the software (supplier ID) that can be used to perform a risk assessment. This supplier ID can be used to alert high risk software if it is not verified by the digital signature applied to a SBOM14.
  3. There is to be the enforced sharing of intel surrounding cyber attacks, in the hope that the sharing of information will benefit us all. Jennifer Bisceglie, President and CEO of enterprise resilience company Interos Inc., stated that “we live in a world that people are, and companies are very concerned about their brand and reputation”15 and thus are reluctant to admit to cyber breaches. The new bill is set to remove fear of blame and shame and promote collaborative learning and continuous improvement for a safer and stronger society in the digital world.

An automatic, continuous line of defence protecting the open source components in use in renewable energy control systems is one way that Meterian can support the ongoing battle against carbon emissions. Whilst incremental in their support of rapid innovation, open source components are a pressure point to security systems of which cyber attackers are not afraid to make use of.

Visit our homepage to learn more about how Meterian can secure your businesses’ open source components—keeping cyber hackers out and your intellectual property in.

1 “Energy and climate change”. European Environment Agency, 11 May 2021, https ://www.eea.europa.eu/signals/signals-2017/articles/energy-and-climate-change

2 GOV.UK, 6 October 2020, https ://www.gov.uk/government/news/new-plans-to-make-uk-world-leader-in-green-energy

3 Vasquez, Christian. “CYBERSECUIRTY: Biden is eyeing renewable energy. So are hackers”. E&E News, 22 December 2020, https ://www.eenews.net/stories/1063721291

4 Ruhle, Micheal and Trakimavicius, Lukas. “Cyberattacks are the new challenge for renewable energy”. Politico, 18 July 2017, https ://www.politico.eu/article/opinion-cyberattacks-are-the-new-challenge-for-renewable-energy/

5 Taylor-Smith, Kerry. “How IoT can improve the performance of offshore windfarms”. NS Energy, 15 May 2020, https ://www.nsenergybusiness.com/features/iot-wind-power/

6 Freudenberg, Wolf K. “Why windfarms need to step up cyber security”. DNV, https ://www.dnv.com/article/why-windfarms-need-to-step-up-cyber-security-128082.

7 https ://gdpr-info.eu/art-25-gdpr/

8 “Emerging Threat: Dragonfly/ Energetic Bear – APT group”. BROADCOM, 30th June 2014, https ://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=16fb565a-8297-4641-8105-b5d0d4db3ee1&CommunityKey=30643d26-dab8-4c4b-a34e-5f6f02d58ff6&tab=librarydocuments

9 Cimpanu, Catalin. “Cyber-attack hits Utah wind and solar energy provider”. ZDNet, 31 October 2019, https ://www.zdnet.com/article/cyber-attack-hits-utah-wind-and-solar-energy-provider/

10 “Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after attack”. The Guardian, 20 May 2021, https ://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom

11 Galiordi, Natalie. “Colonial Pipeline aims to restore operations by end of the week after cyberattack”. ZDNet, 10 May 2021, https ://www.zdnet.com/article/colonial-pipeline-aims-to-restore-operations-by-end-of-the-week-after-cyberattack/

12 Stevens, Pippa. “Owner of pipeline shuttered by cyber attack aims to restore service by end of the week”. CNBC, 10 May 2021, https ://www.cnbc.com/2021/05/10/colonial-says-parts-of-fuel-pipeline-being-brought-online-aims-to-restore-service-by-end-of-week.html

13 The White House, 12 May 2021, https ://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

14 Brooks, Richard. energycentral, 21 May 2021, https ://energycentral.com/c/ec/cybersecurity-executive-order-requires-new-software-security-standards-synopsys

15 Roby, Karen. MSN, “Expert: Biden’s executive order on cyber security is a good start toward protecting organizations”. 26 May 2021, https ://www.msn.com/en-us/money/smallbusiness/expert-bidens-executive-order-on-cybersecurity-is-a-good-start-toward-protecting-organizations/ar-AAKnd7E?ocid=uxbndlbing

The Rising Role of Cyber Security in Sustainable Development and Growth

Rust— the new language shaking up the open source programming world

Rust is a relatively “new” software language across all the available ones at this time and rising in popularity among developers. Having been voted ‘most loved’ language for the past five years1, it is no wonder that Rust is gaining more attention. Read on to hear why we think Rust is worth your time.

Why a developer should consider Rust

Rust is a system language, along the lines of C and C++, but at the same times it incorporates many of the features of higher level languages, such as:

  • A reliable memory management (without a garbage collector)
  • An extremely low overhead
  • The use of static typing
  • A build design that prioritises performance (at the level of C and C++)
  • The use of a modern package management ecosystem

Remember Go? Rust will almost be faster than Go in run-time benchmarks because it has superior fine-grained control over how concurrency works in terms of threads and shared resources2

Additionally, Rust is being considered for use in the Linux Kernel3 by Linus himself, which is no small feat. Rust also supports WebAssembly4, just in case you fancy writing some web stuff 🙂

Rust has also become the ideal candidate for  IoT application development. Labeled as fast, reliable, and secure by Smart Device Management organisation Dwello5 who switched to Rust for their IoT platform. As they build IoT applications, developers have many programming languages to choose from. Some popular options are Java, C, JavaScript and Python. C and C++ are especially popular for device-run code. Another, less popular, option today is Rust, but that is likely to change. Let’s start with the characteristics of any programming language that makes it a good candidate for IoT development.

Application performance is a top priority, especially for code running on devices with minimal CPU and memory resources.  Developers can develop highly performant applications with C and C++, but at a cost. C and C++ developers know all too well the risks and challenges of dealing with bugs related to memory management such as unhandled null pointers and failing to deallocate unused memory.

Another component of a good IoT development language is developer productivity. Productivity is often a byproduct of skills, tools, and programming language abstractions and patterns. Popular programming languages are well supported by development environments. Additionally, developers acquire build tools and skills with time and experience; as a result, language abstractions and patterns are a key consideration with regards to developer productivity.

For those looking for both application performance and developer productivity, Rust is an increasingly popular option. The IoT market size is expected to grow from $250.72 billion in 2019 to $1,463.19 billion by 20276. Clearly, this is an area of the tech world that is only set to expand in influence. Meterian prioritises remaining at the forefront of innovation and supporting languages that have a vital role in ever advancing tech trends.

Why Meterian has decided to add Rust to its supported languages

First of all, Rust is big in open source, so it’s a natural continuation in our mission to support open source. Although security is extremely important in the Rust philosophy, there are vulnerable packages appearing in the wild. The GitHub advisory database7 does not have an entry for Rust (although some advisories do surface here and there) and the NVD database contains only a portion of all the vulnerable Rust components. Meterian is ingesting not only the NVD and other official security Rust databases, but it’s also actively monitoring many Rust open source projects at their source. Our ongoing efforts for getting the optimal coverage of all known vulnerabilities for open source dependencies extends our mission to Rust developers so we can maximise preventative care for Rust coding projects. 

Rust is important to pay attention to because on average every single rust open source project we scanned contains at least 1 vulnerable component that often could be patched.

Sizing up the risks in the Rust ecosystem

Rust, like all other modern languages, has an ecosystem of components, called “crates”, that are available from the open source community, which is accessible at crates.io. Although as a Rust developer you will always prefer writing some code from scratch (at the end of the day, this is a system language), it’s highly likely you won’t be reinventing the wheel. As shown on the screenshot from May 6th, over 60,000 crates with over 6.8 billion downloads, this is a significant size.

There’s a good chance that, if you never checked, you have been using a crate affected by a publicly disclosed vulnerability. Unless you are in application security and unless you spend half of your time reading bulletin boards, advisories, mailing lists, you won’t know about it. However, hackers do. They keep an eye on these vulnerabilities and routinely develop automated attacks to exploit them. In fact, hackers have it nailed to a T. The vulnerabilities are made public on open source vulnerability databases, the code is open source, they already have a botnet to run them (maybe even your Amazon Alexa or Google Play). All of a sudden, your shiny new service written with the latest cutting edge technology is vulnerable, and it can be used to exfiltrate confidential user data from your backend!

Let’s assume, for example, that you are using hyper, an HTTP library:

Screenshot taken from: https://www.rust-lang.org/

Since hyper is a relatively low-level library, it’s meant to be a building block for other libraries and applications. It may be a transitive dependency, a crate that is pulled in your code as the result  of another crate that is used. In particular version 0.12.34 of hyper has an interesting vulnerability: it allows an attacker to remotely execute code on the machine where your code is running. Check out this Common Vulnerabilities and Exposures ID CVE-2020-35863 for more details.  This security vulnerability would allow the attacker, for example, to install a very simple bot on your server, open an undetected tunnel and start pulling data from your proprietary system.

This is the beauty of a tool that detects the problem automatically and informs you promptly. We prioritise your time so that you can focus on the solution to remediate the issue, maximising productivity whilst maintaining high standards of open source security. 

What can Meterian do for you?

Sign up for a free account to see how our invisible security platform can work seamlessly in your software development life cycle (SDLC) and auto-remediate vulnerable components.

1 https: //insights.stackoverflow.com/survey/2020#overview

2 Howarth, Jesse. “Why Discord is switching from Go to Rust”. Discord, 4 Feb 2020, https: //blog.discord.com/why-discord-is-switching-from-go-to-rust-a190bbca2b1f

3 Salter, Jim. “Linus Torvalds weighs in on Rust language in the Linux kernel”. Arstechnica, 25 March 2021, https: //arstechnica.com/gadgets/2021/03/linus-torvalds-weighs-in-on-rust-language-in-the-linux-kernel/

4 “Why Rust?”, https: //www.rust-lang.org/what/wasm

5 Hiner, Jeff. “We Rewrote Our IoT Platform in Rust and Got Away With It”. Medium, 31 July 2019, https: //medium.com/dwelo-r-d/we-rewrote-our-iot-platform-in-rust-and-got-away-with-it-2c8867c61b67

6 Fortune Business Insights, https: //www.globenewswire.com/en/news-release/2021/04/08/2206579/0/en/Global-IoT-Market-to-be-Worth-USD-1-463-19-Billion-by-2027-at-24-9-CAGR-Demand-for-Real-time-Insights-to-Spur-Growth-says-Fortune-Business-Insights.html

7 https: //github.com/advisories

Rust— the new language shaking up the open source programming world

Open Source Licensing- the Weirder the Better

5 minute read

Photo by Sora Shimazaki on Pexels.com

As it’s a requirement that all open source projects are released under at least one open source license, they hold a great deal of influence in how said open source code is used and re-distributed by others. Whilst some licenses can be difficult to make head or tail of due to complicated non-developer language, there are some more relaxed licenses that take the opportunity to have some fun with their requirements. So, to save you doing it, we have assembled our top 5 all time quirky open source licenses to look out for: 

  1. The Beerware License

Written by Danish software developer Poul-Henning Kamp, this license states that if the user thinks the stuff they reuse is worth it they must buy the creator a beer in return. The license’s original notation can be found here. Kamp states his reasoning for the Beerware license is an act of defiance against ‘lawyers trying to interpret freedom’, believing that free open source code should remain free regardless of how much profit is made through its use. Since the requirement is optional, based on the contingency that the user believes the code is ‘worth it’, this license falls under the category of ‘CopyRight only’ licenses. If the requirement were mandatory, the license would be classed as ‘non-free’, and Kamp would most likely be drunk a lot of the time. 

  1. The Chicken Dance License

Otherwise known as the CDL, this license requires employees affiliated with organisations using the open source code to perform ‘The Chicken Dance’ for varying amounts of time, depending on how many units are distributed. The license was created by Andrew Harris with the goal of making “intellectual property far more entertaining to deal with”. Similarly to Kamp, Harries includes himself in wanting fewer lawyers in software – suggesting that the motive behind this wacky license holds strong roots in open source principles of open collaboration. The ‘Chicken Dance’ in question can be found here, but if you can’t master it don’t worry- the license states that moving in a chicken like manor is sufficient.

  1. The Don’t Ask Me About It License 

Perhaps the most simple of the licenses included in the blog, this license simply requests that users do not pester the creator with any issues they may be having with the file. The nod to lack of responsibility is admirable, there is something to be said for wanting to lead a quiet life post software development.

  1. The Hot Potato License

This license states that ‘all rights are reserved by the last person to commit a change to this repository’. Thus, the rights are passed on from person to person infinitely- like a game of hot potato. However, to avoid anyone interrupting this game of hot potato, users are prohibited from making drastic changes to the repository that would do so. It’s a nice touch from the creator to give us all the opportunity to control the rights of such a well known open source license at least once in our life 

  1. The Do What The F*** You Want License

The Do What The F*** You Want License is a ‘very permissive’ license that can be taken as a direct stand against the principle of licencing software in general. Whilst playing by the rules of licencing, this license intends to be a free pass for distribution without any constraints. However, in the attempt of being so liberal, this license actually poses an issue for some major corporations. For example, Google finds the license too unclear to use confidently. As a result, they have banned the use of components under this license completely. However, if you like the look of this license don’t let Google scare you off, wtfpl.net offers guidance on how to make the most of it.

Whilst there is a funny side to open source licensing, failure to stay on top of your business’s license compliance management could be detrimental. A strong defence of these risks, as well as efficient software composition analysis tools will help manage the use of open source in your code base and avoid hefty fines and diminished customer relations. In this way, legal due diligence is an important step in agile development as it allows to ‘push forward’ and remediate any legal obstacles blocking a decision from being made. To read more about cyber due diligence, check out our past blog.

Get in touch with a member of our team to learn more about how Meterian can help your business master License Compliance Management.

Open Source Licensing- the Weirder the Better

Which Open Source License is best for you?

3 minute read

Photo by Pixabay on Pexels.com

The right open source license is necessary to protect your intellectual property and an important factor in maintaining license compliance management. As well as this, open source licensing underpins the essence of open source values in facilitating open redistribution. The integration of license compliance management into your CI/CD pipeline is just another way of optimizing the efficiency of your software supply chain. The best license for you will be shaped by your reason for creating code and your goals for redistribution. Use our introductory guide to decide which is best for you. Licenses and legal terminology are that of a very different world than what developers are used to. Because of this, we have organised our guide into developer persona categories. Simply pick the Dev that aligns most closely with yourself to learn more.

Devs working within a community:

If you are collaborating with an existing community or project, the best option for you is to align with the community you are a part of by adopting the project’s existing license. This can be found under the ‘license’ or ‘copying’ file of a project. If this fails, simply contact the maintainers of your community for clarification. As the licensing decision has already been made for you, you can spend less time on legalities and more time on software innovation- lucky you.

Devs not looking to overcomplicate:

The MIT license is perfect for devs that want to keep things straightforward. It is relaxed in that redistribution requires little to no control criteria other than the continuation of copyright and licensing details. The material that falls under this license is able to be used for both commercial and private use, as long as a copy of the license and copyright notice is included in any instances of modification or distribution. However, when using this license you should be aware that limitation of liability is included. As well as this, there is no warranty provided with this license.

Devs that care about sharing improvements:

The GNU General Public License v3.0 allows you to copy, distribute and modify projects under the condition you note all modifications and dates of modification in the source files. All modifications made to GPL-license code must also be made available under the GPL with installation instructions for future devs. This license forbids users from sub-licensing, although it provides software that does have the right to run and distribute the code. Users should be aware that this license includes a limitation of liability, meaning that the owner cannot be charged for damages associated with code using this license.

We hope this quick read has shed some light on the world of license compliance management. Whilst it may be confusing at first, it is worth taking the time to pick the right license for you and your project to best publish your software and display your innovation. For more information on potential risks associated with license compliance, see our past blog: ‘How the wrong license can harm your business’.

Get in touch with a member of our team to learn more about how Meterian can help your business master License Compliance Management.

Which Open Source License is best for you?

Spotify vs Hacker, Round 2: Room for Improvement

5 minute read

We can all admit that as dreary as 2020 has been, it has at least been consistent in its dreariness. One organisation that can definitely vouch for this is music streaming giant Spotify. In true 2020 style, Spotify wrapped up the end of the year with a data breach on November 12th1 in which customers’ private account details were exposed.

Image of woman's left hand holding mobile phone with Spotify logo on screen
Photo by cottonbro on Pexels.com

Now, we may wonder why a hacker would be interested in Spotify accounts. Sadly, it’s not because they want to steal music inspiration from us. The details of targeted private accounts include customer display names, passwords, genders and D.O.B.’s which were leaked to various Spotify business partners. Speaking of business partners, we must also note that a Spotify breach does not solely expose Spotify users but may also put customers on connected devices or platforms at risk. The interconnectedness of our information sharing means that a problem for Spotify could be a problem for us all. This information is harvested by malicious actors to perform credential stuffing attacks, in which stolen passwords are used to uncover more stolen passwords for other sites and applications.

Meterian web scanner scan of www.Spotify.com, showing a security score of 0, a stability score of 99, and a licensing score of 72

Moreover, this would not be the last experience Spotify had of data breaches in 2020. A week later, a cyber criminal under the guise ‘Daniel’ infiltrated celebrity Spotify accounts including Dua Lipa and Lana Del Rey2. Although in this case it was not customers PII that was exposed, it still casts a shadow on Spotify’s claim of prioritising “protecting privacy and maintaining user’s trust” as outlined in an official statement released on the 9th December 20203.

Screenshot of twitter post of Lana Del Rey's  twitter account hacked

Enter now: Meterian web scanner, which we’ve used to perform a quick surface scan of http://www.spotify.com to identify what security, stability and licensing risks of open source components are within the website’s codebase. Here we can see that Spotify currently has a security score of 0 out of 100, with 1 known vulnerable component – jquery 2.1.3 which has at least one high and several medium threats as confirmed by NVD4. Although we do not know for sure what the unlocked route of entry was in Spotify’s case, this open source entry may well have been it. Subsequently, there is nothing stopping cyber criminals from using this chink in the armour to perpetrate similar breaches in the future. 

Although the vulnerability was discovered on November 12th, Spotify disclosed that it was present within the system from as far back as April. This means that more than 320 million user’s personal data was at risk for at least 7 months prior. Having carried out our own analysis in a matter of minutes, we immediately notice that the vulnerable component in use is actually more than three years out of date! We hope their web and mobile apps get greater scrutiny with regards to the maintenance of their open source dependencies. At Meterian we have developed a security platform that automatically identifies known vulnerabilities in software applications’ open source supply chain. To give our customers the best chance of resolving such issues, the platform can be easily integrated in software development teams’ DevOps process. The continuous nature of DevSecOps empowers development teams to be the first line of defence as they code applications.

Open source components have become fundamental components of applications that are relied upon for basic functionality and security. Since over 90% of applications consist of open source components nowadays, securing this part of a business’ IT and software has become an area that requires greater scrutiny in quality and maintenance.

Meterian helps ensure software applications’ open source supply chain is free from any known vulnerabilities that could compromise the application’s security and stability. Is it worth risking to damage the firm’s reputation and competitive edge in the market?

Curious to see what we can automatically report on your software applications? Detect known vulnerabilities in your open source software supply chain before your own applications become an Achilles heel. Get in touch and see how Meterian can make your company’s application security defence more robust. 

1 Whittaker, Zack. “Spotify resets passwords after a security bug exposed users’ private account information.” Tech Crunch, 10 Dec 2020, https:// techcrunch.com/2020/12/10/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information/

2 “Dua Lipa and other Spotify artists’ pages hacked by Taylor Swift ‘fan’”. BBC News, 2 Dec 2020, https:// bbc.co.uk/news/technology-55158317.

3 “Spotify Breach Notice Letter.” Spotify, 9 Dec 2020, https:// beta.documentcloud.org/documents/20422370-spotify-breach-notice-letter-californiadocx

4 U.S. Department of Commerce. “National Vulnerability Database.” https:// nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3A%2Fa%3Ajquery%3Ajquery%3A2.1.3

Spotify vs Hacker, Round 2: Room for Improvement

Cyber Security and IoT

Last updated: 07/07/2021

How can we enjoy social gatherings in restaurants or busy spaces again?  This is possible with robots, devices, space partitions and humans occupying the same space.  With imagination, we will re-create the bustling spaces redefined with IoT technology.

What is IoT? 

If you’re new to IoT, see from Wikipedia: “The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.”1  

Basically, an IoT device is one that has an internet connection, even though normally it wouldn’t.  Your smart boiler and smart thermostat are examples of IoT devices. You talk to them using an app on your smartphone. You tell the smart boiler to heat water so you can take a shower, and the smart thermostat to warm up the room to a cosy temperature by the time you arrive home.

In recent months, as the reach and severity of the COVID-19 pandemic increased, adopting IoT solutions started joining the frontline in many countries outside Asia in order to manage the crisis. With the boost in increased use of digital and remote technologies, videoconferencing has become the norm for office meetings, school lessons and exercise classes.  The capabilities of video conferencing, email and messaging technologies has shown just how productive remote work can really be, with studies showing that 65% of pandemic remote workers wished to continue working from home and only 2% wished to return to the office.2

These efforts are likely to take a step further with IoT.  Many countries have set up temperature measurement systems at the entrance of public places such as airports and train stations.  Restaurant managers are also recording the temperature of staff who are preparing food.  If this collected data (temperature) could be transferred and analysed in the cloud through an app, it could result in real-time analysis. 

To orchestrate such a system requires planning and a clear understanding of what is most valuable to protect and why.  There are many benefits and use cases of IoT.

Benefits of IoT

IoT, artificial intelligence, and the analysis of vast amounts of real-time data sets (aka Big Data) can be used to slow down proliferation of pandemics to avoid future global health crises.  Such real-time connected intelligence, dubbed “nowcasting”, could be gained from medical devices connecting over the internet.  Trend monitoring of wearable devices could analyse population-level influenza trends daily according to a recent study from Scripps Research scientists.3

As seen during COVID-19 isolation period, this preventive action to stop the virus spread combined with telehealth services lets health care providers advise patients without risking exposure.

Robot surveillance for social distance monitoring can alleviate the stress on police or community patrol since robots don’t get tired of doing repetitive tasks — observe, record, count, report and take action. 4


Key reasons for implementing IoT projects are summarized in Microsoft Azure’s IoT survey featured in their IoT Signals report, which highlight the top three reasons as improving Safety and security, Operations optimization, and Quality assurance.

 Source: 2019 Microsoft Azure IoT Signals

During COVID-19 crisis, we have seen that doctors and health care providers can maintain some employees’ productivity while social distancing and relying on the right connected devices and computing systems.  Logistics companies, supermarkets and the food supply chain can track the quality and quantity of goods and produce from shore to shop or farm to market with minimal manual effort.  Eventually, the click-pick-and-collect journey of groceries delivered by Ocado5 will be done entirely with robotics. Another instance in which IoT can act as a useful tool for retail stores is by tracking consumer and employee location data. Michele Pelino, senior analyst in infrastructure and operations research at Forrester said, “The idea is to use information about location: GPS capabilities in phones. Over time, there will be more opportunities to create location-based experiences to interact with a brand”. Possibilities for the next year include the ability for customers to use GPS to check in, allowing them to maintain distance by avoiding queues.

IoT Risks

As with all new technology, great progress comes with risks in uncharted fields.  

Since the explosion of the internet of things (IoT) across industries, companies providing products or services in any IoT ecosystem must carefully evaluate and examine possible threats of malicious intent.

We have been warned children’s toys6 and baby monitors’7 cameras have been hacked by strangers invading privacy and security of the home.  In the UK, regulations for IoT devices are gradually being introduced to catch up with the 300% surge in cyberattacks using IoT devices8, and similarly in the US9.

In the United States, FBI warned 10 the US private sector in February: “Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution”. Recently we have seen this exact industry area targeted in oil pipeline system company Colonial Pipeline’s Ransomware attack. This led to the take down of the largest fuel pipeline in the U.S., and Colonial Pipeline paying out a huge $4.4m crypto currency ransome.

 In addition to attacks against supply chain software providers, the FBI said the same malware was also deployed in attacks against companies in the healthcare, energy, and financial sectors.

The Most popular supply chain attack is 2017’s NotPetya ransomware attack11. Due to a lack of patches to keep software in their Windows computer systems up to date, cyber criminals were able to gain access to computers and install a malware that spread through the networks of organizations like wildfire.  Multinational companies, AP Moller-Maersk, Reckitt Benckiser and FedEx, were crippled and they were not even the target of the state-sponsored attack.  Just collateral damage, and the estimated loss is $10 billion12.  

Gavin Ashton recently wrote in his personal blog about his insider view of the NotPetya experience, which cost Maersk $300 million: “you should put up a damn good fight to stop these attacks in the first case. … Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.”13

The Value Security Adds to Systems

Such risks and misfortunate events are avoidable and can be mitigated.  

There is a range of use cases in which security indeed adds value to IoT systems.  For example:

  1. Need to prove authentic origin of products such as fresh produce or medications? Eliminate loss by tracking products with encrypted data.
  2. Need to guarantee the integrity of data?  Prevent tampering and fraud by ensuring systems have security controls for identification, authentication and authorization.
  3. Prevent cloning/faking/tampering of trackers or meters?
    • Ensure data of logistics/transport/utility/food services is confidential end-to-end
    • individual contact tracing. Ensure tracker data is confidential end-to-end
    • Prevent device/software tampering that could affect pricing and billing
  4. At home and with health care providers, 
    • Safeguard customer privacy by preventing intrusion into home systems
    • Comply with patient privacy regulations by protecting data at rest (stored on devices/systems)  and in motion (when sent from a device over the network to another device/system).

In the IoT ecosystem, it is crucial for organizations to have visibility into all connected devices and systems. As more employees use cloud apps and mobile devices for work, the traditional network security perimeter has lost relevance. This means more attention is needed on endpoint monitoring and protection, which includes not only employees’ devices to perform work, but also devices in the worker’s environment whether at home or at work. At work the environment may be an open plan of office desks, a clinician’s patient room, or on the assembly line of a manufacturing plant.  Each environment will have its unique characteristics.  For more on the role of IoT and the fight against COVID-19 in sensitive areas, read our blog: Cyber Security and IoT: Health Care and Well-Being in our Shared Spaces.

The user/actor in the environment may also vary and the device’s mobility would affect its position and environment.  IoT system design must take many of these factors into consideration and use secure-by-design principles to protect the value of the information that is being moved around the ecosystem.  There is no panacea to protect all aspects because in the IoT ecosystem the hardware, software, and services are provided by different vendors.   Each aspect will need to be secured to be fit for its purpose within the context of its environment and ecosystem.  Methods to update and/or remove devices are required to keep up with the pace of business and technological advancements.

Just as hardware devices come with basic security benefits that can be used and will need to be updated over time, the software of open source components used by IoT devices must also be maintained.  Continuous updates are essential.  New aspects of information and human security will need to be included.  In the context of autonomous vehicles, software must be resilient against both malicious actors as terrorists as well as unauthorised but friendly users, such as a child who could use a smartphone to direct the car to go to school, for example.

Look Out Ahead for CyberSecurity in IoT

The future is not promising to be better in terms of cybersecurity threats and malicious attacks.   Globally there were nearly 27.5 billion installed IoT devices number of installed IoT devices at the end of 2020, which is set to rise to 45.9 billion by 202514. So, with both of these figures growing, it is clear to see that IoT devices are the perfect vessel for cyber criminals to carry out attacks.

80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations.  Getting basic cyber hygiene right is critical to help prevent cyber attacks.  There are always those who destroy unity and stifle positive progress.  Cyber criminals unfortunately will continue to innovate with artificial intelligence to increase their attacks at machine speed from anywhere in the world and on a scale comparable to that of a pandemic.

How a Software Bill Of Materials can help prevent cyber attacks

The National Telecommunications and Information Administration (NTIA) defines a Software Bill Of Materials (SBOM) as “a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. These components can be open source or proprietary, free or paid, and widely available or restricted access.” A bill of materials such as this acts as a comprehensive compilation of all internal parts of the software, including third party contributions. This would facilitate the tracking of individual components such as libraries or source code within software programs. With a complete and traceable inventory, companies can see and manage the risks associated with open source libraries by identifying vulnerable systems as early as possible. Furthermore, it allows developers to monitor what components they use by vetting the code in their projects. Finally, this level of transparency would allow for a more informed purchasing experience for consumers. President Biden recently formalized the importance of SBOMs through the Executive Order on Improving the Nation’s Cybersecurity15, in which it was made mandatory that all software used by the US government came with its own SBOM— so as to prevent from SolarWinds type hacks in the future.

If you are interested in automated auditing of your software applications for open source compliance risks and security vulnerabilities, get in touch.

1 Wikipedia, https ://en.wikipedia.org/wiki/Internet_of_things

2 Mlitz, Kimberly. “Work from home & remote work- Statistics and Facts”. Statistica, 30 March 2021, https: //www.statista.com/topics/6565/work-from-home-and-remote-work/.

3 “Fitness wearables may improve real-time tracking of seasonal influenza outbreaks.” Scripps Research, 16 January 2020, https ://www.scripps.edu/news-and-events/press-room/2020/20200116-wearable-flu.html.

4 Stieg, Cory. “This $75,000 Boston Dynamics robot ‘dog’ is for sale—take a look”. Make it, 22 June 2020, https ://www.cnbc.com/2020/06/22/75000-boston-dynamics-robot-dog-for-sale-take-a-look.html.

5 Banks, Martin. “Google Solving Together – Ocado Technology readies clients for more changes to online retail’s ‘new normal”. 15 June 2020, https ://diginomica.com/google-solving-together-ocado-technology-readies-clients-more-changes-online-retails-new-normal

6 “What did she say?! Talking doll Cayla is hacked”. 30 January 2015, https ://www.bbc.co.uk/news/av/technology-31059893 .

7 “Smart camera and baby monitor warning given by UK’s cyber-defender”. BBC News, 3 March 2020, https ://www.bbc.co.uk/news/technology-51706631.

8 Kelly Early. “What do the UK’s newly proposed IoT laws look like?”. Silicone Republic, 28 January 2020, https ://www.siliconrepublic.com/enterprise/uk-iot-internet-of-things-regulation-laws.

9 https ://www.nist.gov/internet-things-iot

11 Cimpanu, Catalin. “FBI warns about ongoing attacks against software supply chain companies”. ZD Net, 10 February 2020, https ://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/

12 Hall, Kat. “Largest advertising company in the world still wincing after NotPetya punch”. The Register, 7 July 2017, https ://www.theregister.com/2017/07/07/ad_giant_recovering_from_notpetya/.

13 Ashton, Gavin. GVNSHTN, Maersk, me & notPetya, 21 June 2020, https ://gvnshtn.com/maersk-me-notpetya/.

14 Belton, Padraig. “In 2021, as you work from home hackers eye your IoT”. Light Reading, 1 April 2021, https ://www.lightreading.com/iot/in-2021-as-you-work-from-home-hackers-eye-your-iot/d/d-id/766350

15 “Executive Order on Improving the Nation’s Cybersecurity”. The White House, 12 May 2021, https ://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

Cyber Security and IoT