Dragos OT Cybersecurity Year in Review 

New OT threat groups include VOLTZITE linked to Volt Typhoon; ransomware attacks grew 50 percent; state actors and unsophisticated hacktivist groups gained ground against OT systems.

Cybersecurity companies busily conduct surveys and issue reports. This news concerns Dragos’ release of its sixth annual OT Cybersecurity Year in Review report.

The report named the emergence of three new threat groups, including VOLTZITE linked to Volt Typhoon, and found that ransomware continued to be the most reported cyber threat among industrial organizations, with a nearly 50% increase in reported incidents. 2023 also saw the first time a hacktivist group achieved Stage 2 of the ICS Cyber Kill Chain.

Based on data gathered from annual customer service engagements conducted by Dragos’ cybersecurity experts in the field across the range of industrial sectors, the top challenges industrial organizations need to address are:

  • Lack of Sufficient Security Controls: 28% of service engagements involved issues with improper network segmentation or improperly configured firewalls.
  • Improper Network Segmentation: Approximately 70% of OT-related incidents originated from within the IT environment.
  • Lack of Separate IT & OT User Management: 17% of organizations had a shared domain architecture between their IT and OT systems, which is the most common vector for lateral movement and privilege escalation.
  • External Connections to the ICS Environment: Dragos observed four threat groups exploiting public-facing devices and external services, and issued findings related to externally facing networks such as the internet in 20% of engagement reports.

Visibility Across IT, OT and IoT Domains to Illuminate Attack Vectors and Risks

Tenable has some news today about the release of Tenable One. It is a visibility product that allows managers and others to see assets across an enterprise, whether IT, OT, or IoT. You will notice a new marketing term in the release—at least new to me. The company now calls itself an “Exposure Management” company. They tell me that means it enables organizations to understand cyber risk in order to make more effective business decisions.

Tenable, the Exposure Management company, announced February 29, 2024 the release of Tenable One for OT/IoT. It is the first and only exposure management platform that provides holistic visibility into assets across IT and operational technology (OT) environments.

I cannot verify the “first and only” claim, but companies are often careful to define things such that they can make the claim. In this case, “exposure management” most likely is the key phrase (before anyone writes to me). Also, note that they talk about management: what they do is provide information so that managers can take informed actions.

Tenable One for OT/IoT extends visibility beyond IT, to include OT and IoT, and helps security leaders gain a clear picture of true exposure across their entire attack surface. This first-of-its-kind approach allows organizations to prioritize security risks wherever they reside – be it in the cloud, data center, or the OT environment – and most importantly, to understand how these risks create attack paths across their infrastructure.

Users can also view their global exposure, including OT assets, to see how their security posture compares to other companies in their industry and gain additional insights from their OT assets to make better decisions, faster.

Three key points:

  • Comprehensive visibility beyond the IT environment to the modern attack surface
  • Risk intelligence to mitigate operational risks
  • Actionable planning and decision making across enterprise and critical infrastructure environments

New Research Identifies Gaps in Securing Access to Connected OT Environments

This news item reports yet another survey on managing security risk.

Cyolo, the access company for the digital enterprise, in partnership with Ponemon Institute, released a global study exploring how organizations that operate critical infrastructure, industrial control systems (ICS), and other operational technology (OT) systems are managing access and risk in an era of rising connectivity.

“Our world has become increasingly interconnected, and the findings of this report highlight the vital need for organizations to reevaluate and enhance their strategies for ensuring secure access into OT environments,” said Larry Ponemon, Chairman and Founder of the Ponemon Institute.

The report, “Managing Access & Risk in the Increasingly Connected Operational Technology (OT) Environment,” reveals that many industrial organizations lack the resources, expertise, and collaborative processes to effectively mitigate threats and ensure secure access to OT systems. The report is based on a survey of 1,056 security professionals across the United States and EMEA who work in organizations that run an OT environment and are knowledgeable about their organization’s approach to managing OT security and risk.

Overall key findings include:

  • Organizations allow dozens of third-party users to access OT environments. 73% permit third-party access to OT environments, with an average of 77 third parties per organization granted such access. Challenges to securing third-party access include preventing unauthorized access (44%), aligning IT and OT security priorities (43%), and giving users too much privileged access (35%).
  • Visibility into industrial assets is dismal. 73% lack an authoritative OT asset inventory, putting organizations at significant risk.
  • IT and OT teams share responsibility for OT security but do not communicate enough to achieve optimal outcomes. 71% report that IT or IT and OT together are responsible for securing OT environments. However, collaboration and communication are lacking, with 37% reporting little or no collaboration, and 19% reporting that teams talk about OT security issues only when an incident occurs.
  • Security is seen not only as a goal of IT/OT convergence but also as an obstacle. Reducing security risk is the top objective of companies pursuing IT/OT convergence (59%), and yet one-third (33%) of organizations not pursuing convergence cite security risk as a top factor for their decision.

Register to attend a joint webinar from Cyolo and Ponemon Institute, on Tuesday, March 12 at 11am ET here: Behind the Ponemon Report: Risk & Access Management in the OT Environment.

Getting Proactive About Securing Smart Manufacturing

A PR person recently contacted me about a new paper, Emerging Trends and Securing the Future of Smart Manufacturing, from an analyst firm new to me—Takepoint. Soon thereafter I was on a video call with analyst and author Jonathon Gordon.

He first talked about getting proactive with security. Too much cybersecurity is network detection after there is already a problem; it is inherently passive. That may help somewhat in recent scenarios where the intruder’s goal is ransomware. But what about now, when nation-state actors are trying to gain access to critical infrastructure control in order to disrupt production or even cause major damage?

Gordon took a closer look at a control system. A potential vulnerability lies in the connection between the engineering workstation and the PLC; that is the cyber-physical connection. The focus needs to shift to mitigating this vulnerability: the workstation-to-PLC connection must be locked down.

These notes come from the company.

In today’s interconnected industrial world, data sharing is not just a convenience; it’s a necessity for growth and innovation. However, sharing data safely with partners, suppliers, or even within different departments of the same organization, requires a sophisticated approach to cybersecurity. The industrial CISO’s role evolves from just protecting data to enabling its safe and efficient flow across various networks, ensuring that it remains secure even when it’s outside their direct control.

Innovation, especially in the context of Industry 4.0, naturally brings risks. But here’s the catch – innovation without risk is like swimming without getting wet; it’s just not possible. The key lies in understanding these risks – they can be accepted to a certain degree, actively mitigated, or in some cases, transferred (think insurance policies or outsourcing certain aspects). Ignoring these risks is not an option. Doing so is akin to flirting with the dark side, where the consequences can be severe and far-reaching.

In this dynamic environment, the role of the industrial CISO is not just reactive; it’s increasingly proactive. This means anticipating potential security breaches and having robust strategies in place. It’s about understanding not just the technology, but also the human and process elements of cybersecurity. Training staff, developing a security-conscious culture, and keeping abreast of the latest threats and countermeasures are all part of this proactive stance.

The message here is straightforward and urgent: cybersecurity in manufacturing isn’t a passive or reactive task; it’s an active, ongoing process. This involves regular risk assessments, identifying and mitigating vulnerabilities, and implementing robust security controls. Equally important is fostering a cybersecurity-aware culture throughout the organization, ensuring everyone from top executives to factory floor workers understands their role in maintaining security.

Two News Items Regarding CyberSecurity from Rockwell Automation

Automation Fair was this week. I expected many news releases. I’ve already reported on the one that was published. I checked out the “show daily” email from my friend Keith at Endeavor Media, whose team reported on the presentations a series of executives made to the attending media. It was not so much news as a survey of the breadth of Rockwell’s offering.

I think that was the theme—don’t think of Rockwell Automation only from the point of view of controls and drives. Check all the acquisitions: Plex for cloud-based MES, FiiX for cloud-based CMMS, Verve for cybersecurity, plus material handling and more. Looking at the financials, the traditional industrial control product business is still the greatest contributor. Software and control is still next, but services are catching up to it.

These releases concern cybersecurity and partnerships with Dragos and Claroty.

Rockwell Automation will provide ICS/OT Cybersecurity Threat Detection Services, leveraging the Dragos Platform to help Industrial Manufacturers Secure their Environments

Dragos Inc. announced the expansion of its combined capabilities in partnership with Rockwell Automation. With this expansion, Rockwell will make the Dragos Platform available to organizations for enhanced ICS/OT cybersecurity threat detection, providing global deployment services and support capabilities to help customers operationalize their security investment.

The threat detection capabilities build on the previous global agreement between Dragos and Rockwell for the OT Incident Response Retainer (IRR) program, which helps industrial organizations prepare for, respond to, and recover from cyber incidents in OT environments. The expanded offering includes:

  • Improved threat detection and response across the entire industrial OT network.
  • Greatly enhanced visibility into the OT environment, allowing industrial organizations to inventory and monitor assets, track vulnerabilities, and leverage network monitoring to investigate issues and incidents.
  • Fast, efficient, and effective threat detection to help maintain safety and uptime, as a result of continuously updated knowledge packs focused on ICS networks for Rockwell-specific and third-party vendor hardware.
  • The collective experience and intelligence of Dragos and Rockwell to enhance knowledge for industrial defenders, including whitepapers, webinars, and other resources.
  • Rapid operationalization of cybersecurity investment with the global deployment and support footprint at Rockwell Automation.

Claroty and Rockwell Automation Expand Capabilities to Include SaaS-powered OT Security Solution xDome

Claroty announced an expansion of its capabilities with Rockwell Automation, Inc. with the addition of SaaS-powered industrial cybersecurity platform Claroty xDome to Rockwell Automation’s global services portfolio. Additionally, Rockwell Automation customers now have access to Claroty’s complete suite of cloud-based and on-premise OT security offerings. 

Claroty xDome provides comprehensive security coverage, integrated interoperability, and deep bidirectional technology alliances. The partnership expansion highlights Rockwell’s pioneering stance in OT security by offering a cloud-hosted OT security solution to its customers. This step positions Rockwell on the vanguard of enabling secure digital transformation, underpinning the company’s dedication to innovation and security. 

Rockwell Automation To Acquire Verve Industrial To Bolster Cybersecurity Offering

Rockwell Automation keeps its acquisition team busy. This announcement reveals an acquisition in the cybersecurity area, bolstering the services business part of the company. Before long the services business will be larger than the software & control business, though still trailing the traditional product portfolio.

Rockwell Automation Inc., the world’s largest company dedicated to industrial automation and digital transformation, announced it has signed a definitive agreement to acquire Verve Industrial Protection, a cybersecurity software and services company that focuses specifically on industrial environments, expanding the offerings of Rockwell with an industry-leading asset inventory system and vulnerability management solution.

The Verve Security Center platform enables real-time asset inventory, vulnerability management, and risk remediation, which will strengthen Rockwell’s current offerings and address these issues.

“The foundation of OT cybersecurity starts with visibility into assets – you can’t protect what you don’t know you have. This continues to be a critical challenge for manufacturers,” said Matt Fordenwalt, Rockwell’s senior vice president, Lifecycle Services. “With the Verve acquisition, our customers can quickly assess their assets, prioritize risk, and apply countermeasures to mitigate vulnerabilities – all within a single platform. The addition of Verve to our suite of solutions allows customers to further build resiliency and continuously improve the security, safety, and availability of their operations.”

The Verve Security Center platform was built to provide IT-level security while addressing the unique challenges of the OT environment. At the center of the Verve platform is an asset inventory system that recognizes all industrial assets, regardless of manufacturer. Verve’s proprietary approach communicates directly with the assets, gathering critical information without impacting network performance and interrupting production. It then aggregates a wide range of data sources, including Rockwell’s partner technologies, into its platform as a “single pane of glass” that provides actionable insight for customers to quickly address their highest risk assets.

Verve professional services also provide ongoing remediation, along with strategic roadmap and business case development, further deepening Rockwell’s cybersecurity consulting capabilities. Going forward, customers will benefit from comprehensive capabilities that span the entire attack continuum with the combined expertise of Verve, Rockwell, and Rockwell’s technology partnerships.

The acquisition is subject to customary approvals and is expected to close in the first quarter of Rockwell’s fiscal year 2024. At close, Verve will report into Rockwell’s Lifecycle Services operating segment.
