The third edition of Cyber Signals, a yearly report which highlights security trends and insights from Microsoft’s 8,500 security experts and 43 trillion daily security signals, was recently launched. In this edition, experts present new information on broader threats to critical infrastructure posed by converging information technologies, the Internet of Things (IoT), and operational technology (OT) systems.
Some of the report’s highlights include:
- Unpatched, high-severity vulnerabilities identified in 75% of the most common industrial controllers in customer OT networks.
- Over one million connected devices publicly visible on the internet running Boa, outdated and unsupported software widely used in IoT devices and software development kits.
- A 78% increase in disclosures of high-severity vulnerabilities from 2020 to 2022 in industrial control equipment produced by popular vendors.
The US National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE) published a draft practice guide for trusted internet of things (IoT) onboarding and lifecycle management. This guide demonstrates how organisations can protect their IoT devices and networks. It details standards, practices, and technology to demonstrate mechanisms for trusted network-layer onboarding of IoT devices. The guide also shows how to provide network credentials to IoT devices in a trusted manner and maintain a secure posture throughout the device lifecycle.
The third ministerial meeting of the EU-US Trade and Technology Council (TTC) was held on 5 December 2022 in Washington, DC, USA. During the meeting, the two parties:
- Reiterated the importance of cooperating on trust and security in the ICT ecosystem and noted that the TTC Working Group on ICTS security and competitiveness plans to discuss transatlantic subsea cables’ connectivity and security, including alternative routes, such as the transatlantic route to connect Europe, North America and Asia.
- Reiterated their commitment to developing and implementing trustworthy artificial intelligence (AI), building on the Joint Roadmap on Evaluation and Measurement Tools for Trustworthy AI and Risk Management.
- Announced plans to launch a pilot project to assess the use of privacy-enhancing technologies and synthetic data in health and medicine.
- Announced plans to establish an expert task force to strengthen research and development cooperation on quantum information science, develop common frameworks for assessing technology readiness, discuss intellectual property and export control-related issues as appropriate, and work together to advance international standards.
- Announced progress on increasing standards cooperation, for instance through the Strategic Standards Information mechanism meant to enable the EU and the USA to share information about international standardisation activities and react to common strategic issues.
- Announced that the US Department of Commerce and the European Commission are entering into an administrative arrangement to implement an early warning mechanism to address and mitigate semiconductor supply chain disruptions in a cooperative way.
- Stressed the importance of eliminating the use of arbitrary and unlawful surveillance to target human rights defenders, and expressed concerns over government-imposed internet shutdowns.
- Announced plans to enhance transatlantic trade, for instance through developing joint best practices for the use of digital tools to simplify or reduce the cost of commercial actors’ interactions with governments in relation to trade-related policy, legal requirements, or regulatory requirements.
- Announced the launch of a Talent for Growth Task Force to facilitate exchanges of experiences on training and capacity building and serve as a catalyst for innovative skills policies.
These and other commitments and initiatives are outlined in the joint statement issued at the end of the meeting.
Kaspersky Security, a major security firm, has recently published its advanced threat predictions for 2023, identifying email servers and satellites as major cyberattack targets for the year. The report states that 2023 will be characterised by destructive ‘cyberattacks of unprecedented gravity’ against governments, key industry providers, and high-profile civilian infrastructure. Another point of concern is the safety of underwater cables and fiber distribution hubs against physical attacks.