Category: XP

The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight how malicious cyber actors may seek to disrupt power generating operations, steal intellectual property, or ransom information critical for normal functionality to advance geopolitical motives or financial gain within the United States renewable energy industry. With federal and local legislature advocating for renewable energies, the industry will expand to keep pace, providing more opportunities and targets for malicious cyber actors.

Historical Cyber Incident Involving the Renewable Energy Industry’s Operations In 2019, a private company, which operates solar assets in the United States, lost visibility into approximately 500 MW of its wind and photovoltaic sites in California, Utah, and Wyoming as a result of a denial-of-service attack that exploited an unpatched firewall. While it was unclear if this specific incident was a deliberate cyberattack targeting this specific company, the incident highlighted the risks posed by a security posture that relies on outdated software.

Risks Associated with a Cyber Incident Impacting Solar Infrastructure A cyberattack against a solar panel system—residential or commercial—would likely focus on targeting the system’s operational technology (OT) software and hardware; specifically, malicious cyber actors could attempt to gain control over a solar panel system through the inverters. Inverters are responsible for converting the direct current (DC) energy that the solar panels generate into practical alternating current (AC) electricity. Some inverters have built-in monitoring systems that connect to the Internet, which increases their risk profile. If a malicious cyber threat actor took control of a residential inverter, they could attempt to reduce that solar panel system’s power output or target that home’s battery storage inverter (if one is onsite) to overheat it.

While cyberattacks against residential solar infrastructure have been rare historically, malicious cyber threat actors could seek to target microgrids, which local power systems use to operate independently of the larger electrical grid during a power outage. To attain a larger disruption, malicious cyber threat actors could attempt to target inverters at solar farms; however, researchers are working to counter this potential risk through a passive sensor device that can detect unusual activity in the electrical current.

This FBI PIN contains threat information, recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Researchers have been tracking the activity of a newly discovered threat actor group, Unfurling Hemlock, that may have been active for a while due to finding similar characteristics in older campaigns . These threat actors have distributed over 50,000 malware samples, which infect victims’ systems with up to ten different forms of malware at a time, mainly with information stealers and loaders. Researchers have considered these to be a type of “cluster bomb” attack, where each step of the attack includes an additional form of malware.

Unfurling Hemlock’s attack begins through a phishing email or an external website that initiates contact with the malware loaders to drop the malware.  Upon executing a malicious file named WEXTRACT.EXE, a chain of infections starts, and a series of nested compressed cabinet files begin to unpack malware onto the system. Researchers have found that each cabinet file includes a malware sample and the subsequent compressed file. The final compressed file contains two malware samples.

In the observed sample, Unfurling Hemlock was found to drop Mystic Stealer, Amadey, Redline, SmokeLoader, and finally, a second instance of Mystic Stealer and a utility that turns off system protections. Once the final stage has been extracted, the files execute in reverse order, starting with the utility disabling essential security features, such as Windows Defender, automatic updates, and notifications.

Recommendations

Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Manage Microsoft Teams Collaboration Communications Systems to learn how to plan, design, configure, and manage a Teams Collaboration Communications System. You’ll explore the many Teams services, features, and capabilities that simplify collaboration and boost productivity. Note: Participants should have a prior understanding of the basics of Teams as well as networking, telecommunications, audio-visual and meeting-room technologies, and identity and access management. You will have the opportunity to: Learn how to plan, design, and manage Teams Collaboration Communications Systems. Find out how to configure and manage Microsoft Teams Phone, Microsoft Teams Rooms, and Microsoft Teams meetings. Understand how to manage and monitor services through the Teams admin center, Teams Rooms Pro portal, Microsoft Call Quality Dashboard, and Microsoft Teams PowerShell. Learn more about Teams-certified devices and calling plans. Join us at an upcoming two-part Manage Microsoft Teams Collaboration Communications Systems event: Delivery Language: English Closed Captioning Language(s): English
July 10, 2024 |  12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)   July 25, 2024 |  12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

NIST’s National Cybersecurity Center of Excellence (NCCoE) has released for public comment a draft of Cybersecurity for the Water and Wastewater Sector: Build Architecture, Operational Technologies Remote Access. The comment period is open through July 15, 2024.

This Technical Note describes the product agnostic remote access reference architectures and presents three remote access example solutions the NCCoE plans to demonstrate as part of the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems project. The Technical Note presents a traditional on-premises remote access reference architecture and two example solutions: one for medium to large water and wastewater systems (WWS) and one for very small to small WWS. A cloud-based remote access reference architecture and example solution are also described. 

The NCCoE first plans to address the remote access scenario and describing architectures and example solutions which allow authorized access to a water or wastewater utility’s Operational Technology (OT) assets. Subsequent publications will address the other identified risk scenarios and solutions.

Visit NCCoE’s Securing Water and Wastewater Utilities page to learn more about this project and submit comments.

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are no reports that these vulnerabilities are being exploited in the wild

SYSTEMS AFFECTED:

• Firefox versions prior to 128
• Firefox ESR versions prior to 115.13

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of the most critical vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-by Compromise (T1189):

• Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 which could be exploited to run arbitrary code. (CVE-2024-6604)
• Memory safety bugs present in Firefox 127 which could be exploited to run arbitrary code. (CVE-2024-6615)

Additional lower severity vulnerabilities include:

• Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on mac OS. (CVE-2024-6600)
• A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. (CVE-2024-6601)
• A mismatch between allocator and deallocator could have lead to memory corruption. (CVE-2024-6602)
• In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. (CVE-2024-6603)
• Clipboard code failed to check the index on an array access. This could have lead to an out-of-bounds read. (CVE-2024-6606)
• It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a <select> element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. (CVE-2024-6607)
• It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. (CVE-2024-6608)
• When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. (CVE-2024-6609)
• Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. (CVE-2024-6610)
• A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. (CVE-2024-6611)
• CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. (CVE-2024-6612)
• The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. (CVE-2024-6613)
• The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. (CVE-2024-6614)
• Memory safety bugs present in Firefox 127. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2024-6615)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply the stable channel update provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
     
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
     
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
     
• Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
     
• Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
  • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
  • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
  • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
     
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
  • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
     
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Mozilla:
https://www.mozilla.org/en-US/security/advisories/

https://www.mozilla.org/en-US/security/advisories/mfsa2024-29

https://www.mozilla.org/en-US/security/advisories/mfsa2024-30

CVE:                                                                                                          

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6600

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6601

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6602

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6603

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6604

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6605

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6606

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6607

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6608

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6609

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6610

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6611

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6612

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6613

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6614https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6615

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Prepare Your Organization for Microsoft Copilot for Microsoft 365 to learn how to implement AI to help ignite creativity, enhance productivity, and strengthen computing and collaboration skills. You’ll learn about the capabilities of Copilot, including how it works, how to configure it, and how to set it up for more powerful searches. You’ll also explore how Copilot works with Microsoft Graph—and your existing Microsoft 365 apps—to provide intelligent, real-time assistance. You will have the opportunity to: Understand the key components of Copilot for Microsoft 365 and how it works. Learn how to extend Copilot with plugins. Get guidance on completing the necessary Copilot technical and business requirements to prepare for implementation. Learn how to assign Copilot licenses, prepare your organization’s Microsoft 365 data for Copilot searches, and create a Copilot Center of Excellence. Join us at an upcoming Prepare Your Organization for Microsoft Copilot for Microsoft 365 event: Delivery Language: English Closed Captioning Language(s): English

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

The Cybersecurity and Infrastructure Security Agency (CISA) has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) to release an advisory outlining a People’s Republic of China (PRC) state-sponsored cyber threat group’s activity. The following organizations also collaborated with ASD’s ACSC on the guidance:

The National Security Agency (NSA) The Federal Bureau of Investigation (FBI) The United Kingdom’s National Cyber Security Centre (NCSC-UK) The Canadian Centre for Cyber Security (CCCS) The New Zealand National Cyber Security Centre (NCSC-NZ) The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV) The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC) Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)

The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber threat group, APT40—also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk in industry reporting.

APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations. APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence, and Microsoft Exchange to target the infrastructure of the associated vulnerability.

CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers.

For more information on PRC state-sponsored threat actor activity, see CISA’s People’s Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.

A vulnerability has been discovered in OpenSSH that could allow for remote code execution. OpenSSH is a suite of secure networking utilities based on the SSH protocol and is crucial for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow for remote code execution in the context of the unprivileged user running the sshd server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
There are no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

• OpenSSH versions 8.7 and 8.8 and corresponding portable versions​​​​​

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in OpenSSH, which could allow for remote code execution. Details of the vulnerability include: 

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• CVE-2024-6409: A signal handler race condition vulnerability was found in OpenSSH’s server (sshd) where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function.

Successful exploitation of this vulnerability could allow for remote code execution in the context of the unprivileged user running the sshd server. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate mitigations provided by OpenSSH or affected Linux vendor to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
     
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
   
• Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
  • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
  • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
     
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 13.10:  Performing Application Layer Filtering:  Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES:

OpenSSH:
http://www.openwall.com/lists/oss-security/2024/07/08/2

Oligo Security:
https://www.oligo.security/blog/critical-openssh-vulnerability-cve-2024-6387-regresshion

RedHat:
https://access.redhat.com/security/cve/CVE-2024-6409

Ubuntu:
https://ubuntu.com/security/CVE-2024-6409

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6409

Date/Time: Wednesday, July 10, 2024 | 10:00–11:30 AM ET

Description

Join the NIST NCCoE for a webinar to discuss guidance and considerations for trusted IoT onboarding to help organizations safeguard both their IoT devices and their networks. 

The NCCoE, in collaboration with 11 product and service providers, has produced five builds demonstrating network-layer onboarding and two builds demonstrating the factory provisioning process. The configurations offer secure ways to provision devices to a network using their network credentials.

Recently, we released the final draft publication of NIST Special Publication 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, which includes updates to several of the builds. The public comment period for the publication is open until July 30, 2024.

During this webinar, attendees will:  

• Meet the NCCoE IoT Onboarding team and their industry collaborators 
• Learn about the latest updates to Draft NIST SP 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, and how it can be used to help organizations protect both their IoT devices and their networks  
• Hear from the project’s collaborators about example technology solutions using Wi-Fi Easy Connect, BRSKI, and Thread 
• Engage in a Q&A period with the project team and industry experts  
• Gain resources and additional information for implementation 

Speakers

• Tim McBride, Deputy Director, NIST NCCoE
• Paul Watrobski, Principal Investigator, NIST NCCoE  
• Brecht Wyseur, Senior Product Manager and Product Strategy, Kudelski IoT 
• Nick Allott, CEO, NquiringMinds  
• Steve Clark, Security Technologist, WISeKey 
• Dan Harkins, Fellow, HPE Aruba  
• Andy Dolan, Senior Security Engineer, CableLabs 
• Craig Pratt, Lead Software Engineer, CableLabs 
• Darshak Thakore, Principal Architect, CableLabs 

Contact Us

If you have any questions about this event, please reach out to the team at iot-onboarding@nist.gov.  

To receive the latest project news and updates, consider joining the NCCoE IoT Onboarding Community of Interest (COI). You can sign up by completing the COI form or by emailing the team declaring your interest. 

View Agenda and Register