NTSC Technology Security Roundup

Weekly Roundup: January 16, 2017

Department of Homeland Security Alerts Public About Critical Security Vulnerability in Medical Devices

The Department of Homeland Security cautioned the public about a critical security vulnerability in a transmitter related to St. Jude Medical’s Merlin.net™ Patient Care Network (PCN) product. Implantable heart devices that communicate with this PCN interface through St. Jude’s transmitter are exposed to the risk of attackers exploiting the interface to cause death or harm to patients. MedSec Holdings found the flaw, and medical device company St. Jude Medical (which recently merged with Abbott) released a patch on Monday, January 9 to cover the most critical vulnerabilities. Additional patches will be released to cover all remaining, less critical vulnerabilities.

Congress Reintroduces Email Privacy Act…Again

Once again, Congress has put forth the Email Privacy Act, a bipartisan bill supported by both industry and privacy groups. As a modernization of the 1986 Electronic Communications Privacy Act (ECPA), the bill seeks to treat emails as part of the Fourth Amendment’s “persons, houses, papers, and effects” by making them obtainable by law enforcement only under a warrant. Under current law, a warrant is not needed to access people’s emails older than 180 days. While the Email Privacy Act passed 419-0 in the House last year, it faces resistance in the Senate and from some federal agencies because it is perceived to weaken law enforcement.

NIST Issues Draft Update to its Cybersecurity Framework

Now a standard document for cybersecurity experts and professionals, 2014’s Framework for Improving Critical Infrastructure Cybersecurity is getting an update. NIST released a draft update and wants feedback from the public by April 10, 2017. A news item on NIST’s website says, “Providing new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity, the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.”

Northrop Grumman To Sell Machine-Learning Solution BluVector to LLR Partners

Private equity firm LLR Partners will acquire BluVector, an advanced, next-generation machine learning threat detection and cyber hunting solution, from Northrop Grumman. According to a press release, “BluVector will operate as a standalone business led by CEO Kris Lovejoy, who previously served as president of the business unit within Northrop Grumman. LLR Partners has committed $50 million to BluVector to support the acquisition and future growth plans.”

Securing Energy Infrastructure Act Seeks to Lessen Cybersecurity Risks by Reducing Reliance on Technology

Proposing a two-year pilot program to assess security vulnerabilities in energy infrastructure, the Securing Energy Infrastructure Act was recently introduced in the Senate. The Act’s language gained some attention for its suggestion of protecting the grid through “analog and non-digital control systems, purpose-built control systems, and physical controls.” In other words, the bill’s sponsors and supporters reason that “retro” technology may more safely protect certain critical areas of the grid. After the pilot program, a working group will evaluate the results and submit a report that “describes the results of the Program, includes an analysis of the feasibility of each method studied under the Program, and describes the results of the evaluations conducted by the working group…”