Connect with us

Published

on

Houston Chronicle/hearst Newspapers Via Getty Images | Hearst Newspapers | Getty Images

The City of Wichita recently had an experience that’s become all too common — its water system was hacked. The cyberattack, which targeted water metering, billing and payment processing, followed the targeting of water utilities across the U.S. in recent years.

In going after America’s water, hackers aren’t doing anything special. Despite rising fears of AI use in cyber threats, the go-to criminal way into systems remains preying on human foibles, be it via phishing, social engineering, or a system still running on a default password — “old school” cyberattacks, according to Ryan Witt, vice president of cybersecurity firm Proofpoint.

The rising cybercrime wave targeting key infrastructure led the Environmental Protection Agency to issue an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act. Without quantifying an exact number, the EPA said some have “alarming cybersecurity vulnerabilities” — default passwords that have not been updated, vulnerable single login setups, and former employees who retained systems access.

While the methods may be simple, an attack last year by an Iranian-backed activist group against 12 water utilities in the U.S. reinforced how purposeful “an attacker’s mindset” can be, according to Witt. The targeted utilities all contained equipment that was Israeli-made.

FBI, NSA, CISA all express concern

In February, the FBI warned Congress that Chinese hackers have burrowed deep into the United States’ cyber infrastructure in an attempt to cause damage, targeting water treatment plans, the electrical grid, transportation systems and other critical infrastructure. A Russian-linked hack in January of a water filtration plant in a small Texas town, Muleshoe — located near a U.S. Air Force base — caused a water tank to overflow. “Water is among the least mature in terms of security,” Adam Isles, head of cybersecurity practice for Chertoff Group, recently told CNBC.

Psychological impact on the population is also a strategic aim, seen not only in targeting of water assets but the Colonial Pipeline hack that made national headlines in 2021, and in the words of the federal Cybersecurity and Infrastructure Security Agency, featured “snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school.” 

Attacks on U.S. water utilities’ IT systems can have a similar psychological impact, and even if the attacks don’t directly interfere with the operations of the utility, still lessen public trust in water supply. No hack to date has shut off the water to a population, but that’s the bigger worry, said Stuart Madnick, an MIT professor of engineering systems and co-founder of Cybersecurity at MIT Sloan.

Service hacking by China is meant to create 'panic and chaos', says Fmr. CISA Director Chris Krebs

Meddling with a water supply through attacks targeting IT (informational technology), like Wichita’s system, is minor in comparison to a successful attack on the OT (operating technology) that controls water plants. That is a massive risk, Madnick said, and the threat of it happening is not zero.

“We have demonstrated in our lab how operations, such as a water plant, could be shut down not just for hours or days, but for weeks. It is definitely technically possible,” he said.

A recent letter sent by EPA Administrator Michael Regan and National Security Advisor Jake Sullivan to the nations’ governors detailed the urgency of the threat. But Madnick is wary of the government’s ability to act quickly or robustly enough to prevent such an occurrence. Budgets, outdated infrastructure, and reluctance to move on an issue that may seem both vital and daunting suggest that the fixes may indeed not come quickly enough. “It has not happened yet, and serious action to prevent ‘likely’ will not happen, until after it has happened,” he said.

Outdated water utility technology

Like any modern system, water utilities rely on technology for monitoring, for operations, and for customer communication. The technology creates vulnerabilities — for providers and users — so the need for enhanced security measures is acute. “The community risk from cyberattacks includes an attacker gaining control of the operations of a system to damage infrastructure, disrupt the availability or flow of water, or altering the chemical levels, which could allow untreated wastewater to be discharged into a waterway or contaminate drinking water provided to a community,” said an EPA spokesman.

Witt says there are some initial steps to take in improving the cyber hygiene of dated systems. “Improving password strength, reducing exposure to public-facing internet, and the need for cybersecurity awareness training,” would go a long way to shoring up defenses, he said. Another potential fix is the deployment of what are called air-gapped systems that separate supervisory and control systems from other networks. Since the easiest way into these systems is to obtain credentials and then exploit the system, “A systems admin should not be able to access office systems such as email and be able to operate a control panel of a water system from the same laptop,” Witt said.

For the most part, attacks that have occurred have been preventable, according to the EPA. “Systems were victimized by destructive and costly cyberattacks because they failed to adopt basic cyber resiliency practices,” the EPA spokesman said. “All drinking water and wastewater systems are at risk — large and small, urban and rural,” he said. 

While it has not been a tool needed to date in these water utility attacks, AI is coming alongside the concerted cyber efforts of geopolitical rivals. “Rapid advances in artificial intelligence are giving cyberthreat actors more sophisticated tactics, techniques, and procedures to penetrate operational technology that controls critical infrastructure facilities,” the EPA spokesman said. “These attacks have been linked to a variety of types of malicious actors, including hackers working on behalf of or in support of other nations who could use disruptions to U.S. critical infrastructure to their strategic advantage.”

Continue Reading

Technology

Chinese medical devices are in health systems across U.S., and the government and hospitals are worried

Published

on

By

Chinese medical devices are in health systems across U.S., and the government and hospitals are worried

A popular medical monitor is the latest device produced in China to receive scrutiny for its potential cyber risks.  However, it is not the only health device we should be concerned about. Experts say the proliferation of Chinese health-care devices in the U.S. medical system is a cause for concern across the entire ecosystem. 

The Contec CMS8000 is a popular medical monitor that tracks a patient’s vital signs.  The device tracks electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate.  In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned about a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.”  

CISA’s research team described “anomalous network traffic” and the backdoor “allowing the device to download and execute unverified remote files” to an IP address not associated with a medical device manufacturer or medical facility but a third-party university — “highly unusual characteristics” that go against generally accepted practices, “especially for medical devices.”

“When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device,” CISA wrote.

The warnings says such configuration alteration could lead to, for instance, the monitor saying that a patient’s kidneys are malfunctioning or breathing failing, and that could cause medical staff to administer unneeded remedies that could be harmful. 

The Contec’s vulnerability doesn’t surprise medical and IT experts who have warned for years that medical device security is too lax. 

Hospitals are worried about cyber risks

“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, specifically referring to the security gap in many medical devices.

The American Hospital Association, which represents over 5,000 hospitals and clinics in the U.S., agrees. It views the proliferation of Chinese medical devices as a serious threat to the system. 

As for the Contec monitors specifically, the AHA says the problem urgently needs to be addressed. 

“We have to put this at the top of the list for the potential for patient harm; we have to patch before they hack,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.  Riggi also served in FBI counterterrorism roles before joining the AHA. 

CISA reports that no software patch is available to help mitigate this risk, but in its advisory said the government is currently working with Contec. 

Contec, headquartered in Qinhuangdao, China,  did not return a request for comment. 

One of the problems is that it is unknown how many monitors there are in the U.S. 

“We don’t know because of the sheer volume of equipment in hospitals. We speculate there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices can pose strategic, technical, and supply chain risks. 

In the short-term, the FDA advised medical systems and patients to make sure the devices are only running locally or to disable any remote monitoring; or if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any cybersecurity incidents, injuries, or deaths related to the vulnerability.

The American Hospital Association has also told its members that until a patch is available, hospitals should make sure the monitor no longer has access to the internet, and is segmented from the rest of the network.

Riggi said the while the Contec monitors are a prime example of what we don’t often consider among health care risk, it extends to a range of medical equipment produced overseas. Cash-strapped U.S. hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware inside critical infrastructure in the U.S.  Low-cost equipment buys the Chinese potential access to a trove of American medical information that can be repurposed and aggregated for all sorts of purposes. Riggs says data is often transmitted to China with the stated purpose of monitoring a device’s performance, but little else is known about what happens to the data beyond that. 

Riggi says individuals aren’t at acute medical risk as much as the information being collected and aggregated for repurposing and putting the larger medical system at risk. Still, he points out that, at least theoretically, is can’t be ruled out that prominent Americans with medical devices could be targeted for disruption. 

“When we talk to hospitals,  CEOS are surprised, they had no idea about the dangers of these devices, so we are helping them understand.  The question for government is how to incentivize domestic production, away from overseas,”  Riggi said. 

Chinese data collection on Americans

The Contec warning is similar at a general level to TikTok, DeepSeek, TP-Link routers, and other devices and technology from China that the U.S. government says are collecting data on Americans. “And that is all I need to hear in deciding whether to buy medical devices from China,” Riggi said. 

Aras Nazarovas, an information security researcher at Cybernews, agrees that the CISA threat raises serious issues that need to be addressed. 

“We have a lot to fear,” Nazarovas said. Medical devices, like the Contec CMS8000, often have access to highly sensitive patient data and are directly connected to life-saving functions.  Nazarovas says that when the devices are poorly defended, they become easy prey for hackers who can manipulate the displayed data, alter vital settings, or disable the device completely.  

“In some cases, these devices are so poorly protected that attackers can gain remote access and change how the device operates without the hospital or patients ever knowing,” Nazarovas said. 

The consequences of the Contec vulnerability and vulnerabilities in an array of Chinese-made medical devices could easily be life-threatening.  

“Imagine a patient monitor that stops alerting doctors to a drop in a patient’s heart rate or sends incorrect readings, leading to a delayed or wrong diagnosis,” Nazarovas said. In the case of the Contec CMS8000, and Epsimed MN-120 (a different brand name for the same tech), warning from the government, these devices were configured to allow remote code execution by the remote server.  

“This functionality can be used as an entry point into the hospital’s network,” Nazarovas said, leading to patient danger.  

More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use the Contec monitors but is always looking for risks. “Regular monitoring is critical as the risk of cybersecurity attacks on hospitals continues to increase,” says Erin Hardin, a spokeswoman for Bartlett.  

However, regular monitoring may not be enough as long as devices are made with poor security. 

Potentially making matters worse, Kaufman says, is that the Department of Government Efficiency is hollowing out departments in charge of safeguarding such devices. According to the Associated Press, many of the recent layoffs at the FDA are employees who review the safety of medical devices. 

Kaufman laments the likely lack of government supervision on what is already, he says, a loosely regulated industry. A U.S. Government Accountability Office report as of January 2022, indicated that 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only gotten worse since then. “I’m not sure what is going to be left running these agencies,” Kaufman said.

“Medical device issues are widespread and have been known for some time now,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the consequences can be dire – and even deadly. While high-profile individuals are at heightened risk, the most impacted are going to be the hospital systems themselves, with cascading effects on everyday patients.”  

Continue Reading

Technology

Substack boosts video capabilities amid potential TikTok ban

Published

on

By

Substack boosts video capabilities amid potential TikTok ban

Rafael Henrique | SOPA Images | AP

After posting almost 200 videos, amassing hundreds of thousands of followers and racking up millions of views, Carla Lalli Music is quitting YouTube. Substack is her new focus. 

Music is a cookbook author and food content creator, and she is shifting her focus to Substack, a subscription platform that lets creators charge users subscriptions for access to their content. Music told CNBC she came to that decision after earning more in one year of using Substack, nearly $200,000 in revenue, than she did by posting videos on YouTube since 2021. 

Music is the exact kind of content creator that Substack is trying to lure to its platform as TikTok’s future in the U.S. remains in limbo. 

San Francisco-based Substack launched in 2017 as a tool for newsletter writers to charge readers a monthly fee to read their content. The platform allows creators to connect to their followers directly without having to navigate algorithmic models that control when their content is shown, as is the case on TikTok, Google’s YouTube and other social platforms. Substack has raised about $100 million, most recently at a post-money valuation of more than $650 million, the company told CNBC.

This year, Substack has broadened its focus beyond newsletters, and on Thursday, it announced that creators can now post video content directly through the Substack app and monetize these videos.

“There’s going to be a world of people who are much more focused on videos,” Substack Co-founder Hamish McKenzie told CNBC. “That is a huge world that Substack is only starting to penetrate.”

Substack began this push after the social media landscape was thrown into flux as a result of the effective ban of TikTok in January that caused the popular Chinese-owned service to go offline for a few hours. TikTok was also removed from Apple and Google’s app stores for nearly a month. 

The disruption to TikTok in January happened as a result of a law signed by former President Joe Biden to force a sale of the Chinese-owned app or have it effectively banned in the U.S. On his first day in office, President Donald Trump signed an executive order extending TikTok’s ability to operate in the U.S., but that order expires on April 5. 

Days after TikTok went offline, Substack launched a $20 million fund to court creators to its platform.

“If TikTok gets banned for political reasons, there’s nothing to do with the work you’ve done, but it really affects your life,” McKenzie said. “The only and surefire guard against that is if you don’t place your audience in the hands of some other volatile system who doesn’t care about what happens to your livelihood.”

Moving beyond newsletters

McKenzie says that they are going after creators on competing social media platforms to start sharing their video content on Substack.

“Video-first creators, people who are mobile oriented, there’s a whole lot of new possibility waiting to be unlocked once they meet this model in the right place,” McKenzie said. 

Already, Substack has more than 4 million paid subscriptions with over 50,000 creators who make money on the platform, the company said. Substack says that 82% of its top 250 revenue-generating creators have already integrated audio or video into their content, reflecting a growing emphasis on multimedia content.

Prior to the video announcements, Substack allowed creators to post videos on the app to Notes, which is the platform’s front-facing feed format. But the feature did not allow creators to publish video content behind Substack’s paywalls. 

The update enables creators to put video content behind a paywall and it provides data on estimated revenue impact. It also allows them to track viewership and new subscribers.

Carla Lalli Music is a cookbook writer and food creator.

Carla Lalli Music

Our base case for TikTok is that it gets banned in the U.S.: Lead Edge Capital's Mitchell Green

Continue Reading

Technology

Anne Wojcicki has a new offer to take 23andMe private, this time for $74.7 million

Published

on

By

Anne Wojcicki has a new offer to take 23andMe private, this time for .7 million

Anne Wojcicki attends the WSJ Magazine Style & Tech Dinner in Atherton, California, on March 15, 2023.

Kelly Sullivan | Getty Images Entertainment | Getty Images

23andMe CEO Anne Wojcicki and New Mountain Capital have submitted a proposal to take the embattled genetic testing company private, according to a Friday filing with the U.S. Securities and Exchange Commission.

Wojcicki and New Mountain have offered to acquire all of 23andMe’s outstanding shares in cash for $2.53 per share, or an equity value of approximately $74.7 million. The company’s stock closed at $2.42 on Friday with a market cap of about $65 million.

The offer comes after a turbulent year for 23andMe, with the stock losing more than 80% of its value in 2024. In January, the company announced plans to explore strategic alternatives, which could include a sale of the company or its assets, a restructuring or a business combination. 

Read more CNBC tech news

23andMe has a special committee of independent directors in place to evaluate potential paths forward. The company appointed three new independent directors to its board in October after all seven of its previous directors abruptly resigned the prior month. The special committee has to approve Wojcicki and New Mountain’s proposal.

“We believe that our Proposal provides compelling value and immediate liquidity to the Company’s public stockholders,” Wojcicki and Matthew Holt, managing director and president of private equity at New Mountain, wrote in a letter to the special committee on Thursday.

Wojcicki previously submitted a proposal to take the company private for 40 cents per share in July, but it was rejected by the special committee, in part because the members said it lacked committed financing and did not provide a premium to the closing price at the time.

Wojcicki and New Mountain are willing to provide secured debt financing to fund 23andMe’s operations through the transaction’s closing, the filing said. New Mountain is based in New York and has $55 billion of assets under management, according to its website.

23andMe declined to comment.

WATCH: The rise and fall of 23andMe

The rise and fall of 23andMe

Continue Reading

Trending