Weekly podcast: Meltdown and Spectre SCADA problems, Apple text bomb and WEF cyber risks

This week, we discuss further problems caused by patches for the Meltdown and Spectre vulnerabilities, a text bomb that crashes Apple devices and the World Economic Forum’s Global Risks Report 2018.

Hello and welcome to the IT Governance podcast for Friday, 19 January 2018. Here are this week’s stories.

As I touched upon last week, fixes for the Meltdown and Spectre CPU vulnerabilities seem to be causing as many problems as they’re addressing. Aside from compatibility issues with some antivirus software, a wide range of industrial systems are also affected.

ZDNet reported this week that several manufacturers of industrial systems had reported problems with the fixes, including Rockwell Automation, which “reported a dozen errors that are appearing in its FactoryTalk-based products after installing Microsoft’s Meltdown and Spectre patches for Windows systems”. Errors include “problems logging on to Rockwell’s security server, issues with the FactoryTalk admin console, and various other error messages”.

SCADA vendor Wonderware, meanwhile, said that Microsoft’s update was causing “instability for Wonderware Historian”, and told its UK customers running Historian that they “SHOULD NOT apply the Microsoft patch” because of issues with the Historian System Driver.

US ICS-CERT provides links to a number of advisories from industrial-equipment manufacturers, including ABB, Rockwell and Siemens. Siemens said it was “aware that some updates can result in compatibility, performance or stability issues on certain products and operating systems. Operating system vendors, such as Microsoft, are still working to address these compatibility issues with their updates. Siemens will therefore continue to evaluate the applicability of those updates.

“Siemens recommends consulting the product support documentation via the usual information channels, or to contact Siemens’ customer service for information on compatibility before applying the updates.”

Working proof-of-concept code for both flaws is already public, so it is likely only a matter of time before they are exploited in the wild. Test the patches on representative systems first, then apply them as soon as you can, and beware of phishing scams. Malwarebytes reports that there are sites pushing malware called Smoke Loader to German users under the guise of providing patches for Spectre and Meltdown. It’s likely that others will follow, as scammers did after the WannaCry ransomware outbreak last year.
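A pre-rollout check for Windows hosts, added here as an example and not something from the podcast or from any of the vendors mentioned: it reads the two Microsoft-documented registry locations that control whether the January 2018 update is offered (the antivirus compatibility flag) and whether the kernel mitigations are switched on, then asks the operating system what is actually active via Microsoft’s SpeculationControl module. The module is assumed to have been installed separately from the PowerShell Gallery; everything else uses only built-in cmdlets.

```powershell
# Added example: verify the Meltdown/Spectre patch state on a Windows host
# before pushing the update to industrial systems. Not from the podcast or
# any vendor; the key and value names are Microsoft's documented ones
# (KB4072699 for the antivirus compatibility flag, KB4072698 for the
# mitigation switch on Windows Server).

# 1. Antivirus compatibility flag. Windows Update only offered the January
#    2018 update once the installed antivirus (or an administrator) had set
#    this DWORD to 0, which is why some hosts never received it.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$compat = (Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue).$compatName
if ($null -eq $compat) {
    Write-Output 'AV compat flag: absent (Windows Update will not offer the patch)'
} else {
    Write-Output "AV compat flag: $compat (0 = update allowed)"
}

# 2. Mitigation switch. On Windows Server the mitigations stay off after the
#    update until FeatureSettingsOverride=0 and FeatureSettingsOverrideMask=3
#    are set; FeatureSettingsOverride=3 with Mask=3 turns them off again, which
#    is Microsoft's documented rollback if a product becomes unstable.
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
Write-Output ('FeatureSettingsOverride     : {0}' -f $mm.FeatureSettingsOverride)
Write-Output ('FeatureSettingsOverrideMask : {0}' -f $mm.FeatureSettingsOverrideMask)

# 3. Ask the OS what is actually active. Requires Microsoft's SpeculationControl
#    module (assumption: installed with Install-Module SpeculationControl).
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    Get-SpeculationControlSettings
} else {
    Write-Warning 'SpeculationControl module not installed; skipping runtime check'
}
```

Run it on a test host that mirrors the production build of the ICS product in question before and after patching; the registry values in step 2 are also the documented way to back the mitigations out on a server if a product such as Historian becomes unstable while the vendor works on a fix.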

Another so-called ‘text bomb’ that crashes Apple devices’ iMessage app was discovered this week. Reminiscent of 2015’s ‘effective power’ bug, the chaiOS bug caused devices to crash when they opened a link to a GitHub page hosting some JavaScript code. Unlike effective power, the new bug works on macOS devices as well as iOS ones. Software developer Abraham Masri tweeted about the bug on Tuesday; since then the offending code has been removed from GitHub and Masri’s account banned.

The World Economic Forum released its Global Risks Report 2018 this week, and it makes for predictably unsettling reading. The report places cyber attacks sixth in the top ten global risks by perceived impact, behind weapons of mass destruction, extreme weather events, natural disasters, failure of climate-change mitigation and adaptation, and water crises.

As well as warning that there is “a growing trend of using cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning”, the WEF predicts that the “cost of cybercrime to businesses over the next five years is expected to be US$8 trillion”.

It warns that organisations need to change their approach to cyber risk management. “Too often,” it says, “boards and C-suites approach risk analysis as a standalone activity to be ticked off a list, but then fall short on mitigating the risks that their analysis has identified. Think of an employee derailing cybersecurity plans by inadvertently clicking on a phishing email because not enough was done to spread risk awareness from the C-suite to the wider organization. To prevent this kind of breach, risk management needs to come out of its silo and become as much an organic part of operations as budgeting and project management. Organizations must do better in educating teams on risk awareness. But they also need to make sure their cultures encourage employees to feel that they can speak out and be taken seriously enough for problems to be dealt with.”

If that sounds familiar, you can find guidance on enterprise-wide information security best practice on our website at www.itgovernance.co.uk/infosec.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.