
Hacking solar panel systems can bring the grid down

Nowadays, critical infrastructure requirements are focusing more and more on system security to guarantee that we don’t face crippling attacks on the critical systems that are supporting our society. Most of these requirements are focused on managing risks, which means companies need to assess their risk profiles first and identify the necessary measures to mitigate unacceptable risk levels.

If we translate that to the electrical grid, it means power plants and transmission companies must make big efforts to control the risk levels of their systems, because these companies provide critical services to our society. What is still missing in this story is the impact that society itself has on these systems.

We are imposing lots of security measures on the supply side, but none (yet) on the demand side. From a risk perspective, this causes an imbalance. If we look at how a hacker could try to bring down the electrical grid, there are several options:

  • Attack a power plant and reduce or increase the power capacity produced in a country/region to destabilize the grid
    • E.g. cause an incident at a nuclear plant, forcing it to shut down. Impact: max. 1000 MW per production plant
  • Attack the transmission or distribution system and limit the amount of power flowing to the users
    • E.g. take out a high-voltage head station. Impact: depends on the connected capacity lines, the load and the alternative routes
  • Attack on a mass scale the devices that consume electricity in users’ homes and swing the demand side so much that the electrical grid is destabilized
    • E.g. take control of solar panel inverters and switch them on/off every 2 min at full capacity. Impact: max. 3369 MW, depending on the weather and the size of the attack

The last scenario is gaining the interest of hackers: attacking this kind of device requires less technical knowledge, and such attacks spread easily because most consumer devices are now internet connected and very vulnerable. As solar panels are being deployed at a fast rate (+10% increase per year) and they use very similar (if not the same) hardware, the number of end-user devices to attack (319.000 PV installations in 2017) is growing rapidly. A quick report shows there are already more than 300 Belgian installations of SMA Sunny Boy which are connected directly to the internet.

Toreon main sponsor Colloquium ICT en gezondheidszorg

The Professional Association for Nurses (NVKVV) organises its 23rd Colloquium on ICT and healthcare on 16 May 2019. With this colloquium, the ICT4Care working group brings together a broad range of ICT solutions for the healthcare sector and focuses on the use of ICT to support healthcare and logistics processes in the healthcare industry. It is an event where Toreon likes to put its shoulders to the wheel, which is why we have decided to support the event as main sponsor this year.

For many years, this Colloquium and its accompanying exhibition have been the meeting place for everyone involved in automation and healthcare. During this event, Toreon wants to emphasize the security aspect of digitization within the healthcare sector. With its many years of experience in ICT security and its extensive range of services and training, Toreon offers an answer to the ICT security questions the healthcare industry is confronted with.

Visit our presentations

If you want to know more about Toreon and ICT security, please visit our presentation of a case study on GDPR in collaboration with Gasthuiszusters Antwerpen GZA at 11h30 or our information session on Threat Modeling at 14h30.

In addition, visitors can always visit the Toreon exhibition stand for an overview of the services that Toreon can offer tailored to the healthcare industry.

Register now

Registration for Colloquium ICT en gezondheidszorg is still possible until the 10th of May.

Register for the colloquium

Fostering a knowledge economy at Toreon using cryptocurrency

Toreon is proud to announce that we will be launching the Torbuck in the beginning of May, 2019.

Torbuck is our own cryptocurrency. It will enable our employees to value their knowledge and be rewarded for sharing it. Effectively, we are creating a knowledge economy within Toreon.

The Torbuck will be published on the Ethereum blockchain. In May, all of our employees will be able to access their Torbucks using a standard crypto wallet. They will be able to spend Torbucks on external training, as well as get paid by colleagues for their own knowledge-sharing efforts. If a Toreon employee organizes an internal training, their colleagues will pay Torbucks to attend.

Our ICO (internal coin offering) came about when trying to solve a few issues we had.

First, as a cyber security consulting company, Toreon is all about people and their knowledge. Our people have to learn constantly. We try to stimulate knowledge creation and exchange as much as possible. Although everyone has a large personal budget for attending external training, internal knowledge sharing never comes easy. Putting it in our company bonus plan has worked only partly. The Toreon management never likes to use a top-down approach, but we’ve found ourselves forced to organize knowledge events ourselves to stimulate knowledge exchange. We needed a good incentive system to reward knowledge sharing.

Second, Toreon is an innovative company. We had identified blockchain as a technology to watch and have actively tried to learn more about it, in order to assess early on what the security challenges could be. Our R&D effort has largely consisted of listening to other organizations trying out blockchain technology. It seems blockchain is ‘a technology looking for a use case’. We hadn’t really been able to find a project that would allow us to participate in the technology and apply our security knowledge.

Torbuck fills both needs: It allows our people to get rewarded for sharing knowledge. And it allows us to develop our own platform, to learn about blockchain development, its many pitfalls (a very immature technology) and of course security. The Torbuck will be a tool as well as a playground for our techies. Our ethical hacking team can’t wait to launch their attacks!

What’s in the future? If Torbuck is successful, we can expand its use. We could give our clients Torbucks as part of a loyalty program to spend on our services. It could become an integral part of the internal reward system. But first and foremost, it is a way to learn and share knowledge and not just about blockchain.

Toreon sponsored the Cyber Security Challenge

The Cyber Security Challenge has become a not-to-miss event for students and industry professionals. This year Toreon was one of its main sponsors, with a booth at the venue and its own ‘Toreon challenge’.

On Friday Steven and Catherine manned the booth and were subjected to some social engineering attacks by the contestants. Many of these teams were able to capture a part of a challenge solution from us this way. The teams had a lot of fun during this challenge.

At lunchtime the teams battling for the finals on Saturday were announced, and the teams that did not make the cut had a chance to play another game. Here all sponsors role-played employees of a hacked company, and the contestants needed to figure out what had happened. It was again a lot of fun to see the teams run from one sponsor to the other, trying to ask the right questions and solve the mystery.

On Saturday Toreon hosted one of the sponsor challenges and we opted to create a role-playing game in the style of a ‘choose your own adventure’ game. We received a lot of positive feedback on the style of this challenge; especially the original approach was appreciated by the finalists.

Saturday afternoon we watched the proceedings of the finals where Wouter, one of our interns, was performing exceptionally well. His team was constantly running in second and third place and they were able to grab second place in the end!

During the prize ceremony our managing partner Wouter Avondstondt handed out prizes to two winning teams. They received a copy of Cryptomancer, a role-playing game that combines cyber security with a fantasy setting.

Keep up to date with the latest Threat Modeling news and insights

Subscribe now to our monthly “Threat Modeling Insider” TMI newsletter – packed full of expert advice and articles to get you started with threat modeling.

Threat modeling has always been a passion and a cornerstone of the security services we provide. It helps to identify and mitigate potential security issues early on, when they are relatively easy and cost-effective to resolve.

This week we launch our monthly newsletter “Threat Modeling Insider” (TMI). With this newsletter we promise you valuable and curated content from the field of threat modeling, delivered to your inbox on a monthly basis. Topics will include a threat modeling news digest, threat modeling resources, whitepapers, templates and presentations by threat modeling authorities and by our very own Toreon experts.

Subscribe to our monthly “Threat Modeling Insider” TMI newsletter.

A sneak preview

Thursday you’ll receive our first edition of the TMI newsletter including:

Additionally, we’ll share updates and news on upcoming appearances and events where you can catch up with the Toreon team, as well as on our training sessions.

In conclusion: interested? Subscribe now and receive your first TMI newsletter on Thursday.

Toreon presents Threat Modeling workshop at SecAppDev 2019

SecAppDev is an intensive one-week course in secure application development. For the 15th year in a row, SecAppDev organizes leading-edge software security courses for developers; one of them is Toreon’s Whiteboard Hacking (aka hands-on threat modeling).

Our Whiteboard Hacking workshops bring together everyone involved, such as product owners, architects and developers, to systematically analyze the application being designed and come up with the security measures needed to make it run securely. All of this happens before a single line of code is written!

Learn more about Whiteboard hacking

At SecAppDev our CEO Sebastien Deleersnyder offers an action-packed 1-day Threat Modeling workshop as taught at OWASP, Black Hat USA and O’Reilly Security conferences. In groups of 3 to 4, participants are challenged to threat model two real-life use cases: a REST-based web application and an on-site IoT deployment.

Registration for the 2019 edition is now closed, but you can learn more about Whiteboard Hacking at O’Reilly Velocity (San Jose), Black Hat (Las Vegas), HITB (Singapore and Dubai) or DevSecCon (London).

Consult the calendar

The increasing importance of ISO 27001 certification

Let’s do a little refresher on the ISO 27001 and 27002 standards. Back in the nineties the British Standards Institution (BSI) published British Standard 7799, written by the UK Government’s Department of Trade and Industry. This standard consisted of 2 parts:
– Part 1 was a code of practice, which could be seen as an ‘extensive buffet’ of security controls that could be implemented to manage information security
– Part 2 contained the specifications on how to implement an ISMS, including the introduction of the Plan-Do-Check-Act cycle in a later release.

Later on, both parts were adopted by ISO. After some revisions and name changes the BS 7799-1 standard is nowadays known as the ISO 27002 standard, while the BS 7799-2 standard is now known as the ISO 27001 standard.

As far as certification is concerned, it is quite obvious that an organisation can only become ISO 27001 certified. ISO 27002 certification is not possible, as this standard only contains best practices and guidelines. About a decade ago Belgian companies were not very eager to obtain certification. And why should they have been? There was no real pressure from governments, clients or other organisations to clearly prove that they manage information securely. And of course there were not as many threats as we face today. During the last few years we have noticed a significant change. Why? On the one hand, organisations need to protect themselves against the continuous introduction of new cyber threats, cyber attacks, vulnerabilities, technologies, social engineering techniques and even human errors. On the other hand, organisations are required to comply with new legislation as well as specific industry standards.

The GDPR requires organisations processing personal data to ‘adequately protect data’. But when is your data ‘adequately protected’, and more importantly: how can you easily prove that you ‘adequately protect’ your data? ISO 27001 certification is one of the answers. Obtaining the certificate indicates that your organisation followed a risk-based approach to identify and implement effective and efficient security controls to protect information on a continuous basis. As such, the certificate will be of great value when proving ‘adequate protection of data’ to data protection authorities.

As far as the Belgian application of the European ‘Directive on security of network and information systems’ (NIS Directive) is concerned, we can see that ISO certification will also be the preferred way to prove that an ISMS is maintained and that efficient security controls are in place to appropriately protect information. The transposition of the NIS Directive into Belgian law is still in progress. As soon as the law is in effect and the applicable organisations have been notified, those organisations have twelve months to adapt their information security policy and another twelve months to have all security controls implemented.

Both the GDPR and the NIS Directive indicate that obtaining or maintaining ISO 27001 certification will become more important than ever. At Toreon we already assist several organisations from different sectors in getting ISO 27001 certified, and our direct and pragmatic approach is appreciated by several customers. The Toreon GRC team will be more than happy to guide you through the complete certification process!