Speaking of Honeywell from yesterday’s post, here is another release, this one from their User Group meeting, which, of course, announces AI use cases. They bring in another buzzword from the automation market—autonomy.
Announcements include:
AI-enabled cybersecurity solutions—Honeywell Cyber Proactive Defense and Honeywell OT Security Operations Center.
Expansion of the Honeywell Digital Prime platform to encompass an enterprise-wide set of solutions that effectively test and modify engineering projects before implementation.
Some details:
Honeywell Cyber Proactive Defense, which is designed to enhance cybersecurity for industrial environments by proactively identifying and mitigating potential cyber threats before they manifest into attacks. By utilizing AI and behavioral-based analytics, the solution helps detect anomalies in OT cyber behavior by establishing a comprehensive baseline of system operations and then provides actionable insights designed to strengthen OT cyber defenses. The software also features deception technology, which uses decoys within the network to help divert attackers from valuable assets.
Honeywell OT Security Operations Center, a vendor-agnostic and agentless service designed to provide industrials with advanced capabilities tailored to OT environments to monitor for early signs of a cyberattack. The offering integrates on-site incident management services, providing a 24/7/365 holistic view of the cyber threat landscape for users.
Honeywell Digital Prime Ecosystem, which now features three core Honeywell offerings – Solution Enhancement Support Program (SESP), Enabled Services and Assurance 360 – in one platform. Through consolidation, users can now leverage deep domain knowledge to optimize control systems and improve maintenance and operational effectiveness across an entire organization. It will also offer near real-time performance insights that can help users achieve desired outcomes more quickly, while requiring less reliance on the technical expertise of an experienced workforce.
Honeywell Cyber Proactive Defense and OT Security Operations Center are now available globally. The expanded version of the Honeywell Digital Prime ecosystem will be available to customers in Q4 2025.
Cybersecurity companies have specialized in reports over the past few years. Some are merely surveys. Journalists and marketing people love surveys. I had a graduate-level class on those things, including statistical analysis. I’m not so sanguine. On the other hand, some reports are based on these companies mining their scrubbed data for trends. To develop this report, Honeywell researchers analyzed more than 250 billion logs, 79 million files and 4,600 incident events that were blocked across the company’s global install base.
This one holds forth some interest.
In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell’s 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators.
We should not be surprised given all the international turmoil and state actors at this time. When the Russia/Ukraine conflict is settled, we’ll likely see more criminal activity.
Here’s the obligatory quote in every press release.
“Industrial operations across critical sectors like energy and manufacturing must avoid unplanned downtime as much as possible – which is precisely why they are such attractive ransomware targets,” said Paul Smith, director of Honeywell Operational Technology (OT) Cybersecurity Engineering, who authored the report. “These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving.”
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States defines incidents as substantial if they enable unauthorized access leading to significant operational downtime or impairments. Industry reports show that unplanned downtime, caused by cybersecurity attacks and other issues like equipment failure, cost Fortune 500 companies approximately $1.5 trillion annually, representing 11% of their revenue.
Survey findings:
Ransomware still on the rise: 2,472 potential ransomware attacks were documented in the first quarter of 2025, which represents 40% of the annual total from 2024.
Trojans exploiting industrial access: A dangerous trojan targeting OT systems – W32.Worm.Ramnit – accounted for 37% of files blocked by Honeywell’s Secure Media Exchange (SMX). This finding points to a 3,000% spike in the trojan compared to the previous quarter.
USB-based threats persist: 1,826 unique USB threats were detected via SMX in Q1 2025, with 124 never-before-seen threats – indicating a persistent risk via external media and USB devices. This built on a 33% increase in USB malware detections in 2023, following a 700% year-over-year surge in 2022.
The report expanded its analysis to include threats delivered through additional plug-in hardware – known as Human Interface Device (HID) – including mice, charging cords for mobile devices, laptops and other peripherals often used when updating or patching software for on-premise systems.
Like I noted the other day, LLMs are so past tense. It’s all about Agents for marketing hype now. This release announces “true” AI agents from a company called Abnormal AI. This relates to email security—which sounds like an oxymoron. These marketers do not hold back on bold claims.
Abnormal AI, the leader in AI-native human behavior security, unveiled its most ambitious product release to date—introducing autonomous AI agents that revolutionize how organizations train employees and report on risk and evolving its email security capabilities to continue to stop the world’s most advanced email attacks. In a year defined by the explosive use of malicious AI for cybercrime, Abnormal is doubling down on its mission to protect people. With its AI-native platform, Abnormal’s newest innovations bring intelligent automation to security awareness training, executive reporting, and advanced email threat detection.
In a recent survey, 53% of security leaders agreed that the effort required to run and maintain their organization’s current security awareness training program isn’t worth the impact it appears to be having. To solve this pain point, the launch of AI Phishing Coach allows organizations to replace ineffective, generic training with a personalized, autonomous AI platform. By converting real attacks blocked by Abnormal into tailored simulations for each user, it delivers instant coaching modules when users click—no more canned videos or impersonalized courses. For company-wide training, AI-generated videos are created on-demand, branded and customized to each organization’s threat landscape.
Unlike legacy training platforms that rely on static templates and outdated scenarios, AI Phishing Coach uses real-time behavioral threat data to deliver hyper-relevant training experiences. Because it’s powered by Abnormal’s behavioral AI engine, it learns from each organization’s threat environment and adapts training dynamically—providing proactive education before attacks succeed. It’s like giving every employee their own AI-powered security mentor—without adding any operational burden to security teams.
In addition to AI Phishing Coach, Abnormal is also launching AI Data Analyst to turn complex security data into instantly usable intelligence—providing admins with better reporting tools and saving teams dozens of hours in manual data aggregation. AI Data Analyst acts as an intelligent agent that proactively delivers reports directly to customers, highlighting the value Abnormal is bringing to their organization. Customers can then interact with the agent to ask follow-up questions, explore specific data points, or request customized board decks—complete with interactive slides and plain-language insights—tailored to showcase the impact of Abnormal AI on their security posture.
Earlier this month, Abnormal achieved FedRAMP Moderate Authorization in only 256 days, paving the way for federal agencies to easily adopt the platform. The company is also announcing expanded operations into Germany, with Japan and France to follow later this year. As we expand, the Abnormal Behavior Platform will be tuned for the nuances and language needs of each market.
In the cybersecurity game of “You make a move, and I counter it,” here is a new one on me—Identity Resilience. OK, I’m not an expert in the field. Identity theft has been around for a long time. Resilience is a currently popular concept. This news from Rubrik blends the two.
In brief:
Disrupt Identity-Based Attacks: Counter fastest-growing threat vector with advanced resilience for complex identity environments
Unified Protection on One Platform: Designed for data and identity security to eliminate vulnerabilities from disparate point solutions
Complete Resilience Coverage: Protect across on-premises, cloud, and SaaS with visibility into data and identity interactions to accelerate detection and recovery
In a world of nonstop cyberattacks, Rubrik announced April 24 its upcoming solution, Identity Resilience, designed to secure the entire identity landscape alongside data. Identity Resilience aims to protect the most common entry points for attackers – human and non-human identities (NHIs) – to help organizations maintain operations with minimal downtime.
Identity Resilience aims to address a blind spot in enterprise security. A critical piece of infrastructure utilized by a vast majority of organizations, identity remains a consistent target for hackers. When compromised, these identity systems grant attackers access to critical data and credentials, and their disruption can prevent cyber recovery. Rubrik’s solution is designed to secure this vulnerable authentication infrastructure that powers virtually every major enterprise.
“Identity systems are not only complex and hard to manage, but they have also become the primary gateway for attackers aiming to access an organization’s valuable data,” said Mike Tornincasa, Chief Business Officer at Rubrik. “Today, we signal our commitment to identity protection, to address our customers’ needs by detecting threats that target identities and proactively reduce identity risks, just as we have successfully done with data security.”
Similar to how Rubrik monitors and sustains data, the company’s anticipated capabilities are designed to identify, monitor, and safeguard critical, sensitive, and active identities, including non-human identities (NHIs) such as machines using service accounts and access tokens.
NHIs, which outnumber their human counterparts, are complex to manage and introduce vulnerabilities that are increasingly targeted by attackers who compromise and escalate privileges. Current identity security approaches fail to provide enterprises the capability to assess NHI risk, view data access, and track suspicious activity over time.
Too often, identity management, identity protection, and data security are siloed as different products run by different teams in an organization. In contrast, Rubrik aims to combine these into one offering, providing new capabilities and a holistic view of identity and data.
Hybrid Protection for Active Directory (AD) and Entra ID: With automated and orchestrated recovery workflows, organizations can restore complex hybrid identity environments – like Active Directory forests and full Entra ID tenants – faster and with greater confidence than before. Active Directory recovery can involve up to 22 manual steps. Rubrik reduces that with an easy-to-use wizard, dramatically cutting complexity and time to recovery. As a result, these capabilities are among the fastest-growing in Rubrik’s history, safeguarding millions of identities and the sensitive data they access.
Comprehensive Risk Analysis for Human and Non-Human Identities: With a unified view across identity providers showing human and non-human identities who have access to sensitive data, organizations can identify dormant or orphaned accounts, detect risky privilege escalations, and expose problematic combinations of access that traditional tools often miss. Beyond visibility, organizations can track the risk associated with identities and target remediation by revoking identity access, data access, or both. This approach enforces least privilege, shrinks the attack surface, and proactively shuts down potential identity-based threats.
Complete Identity and Data Context: Instead of working with limited context from identity providers, organizations can tie identity-based information with sensitive data (e.g., healthcare, financial) context, privilege, and activity. This critical context can reduce remediation work while strengthening risk posture before a cyber attack, thereby speeding up threat hunting and remediation during and after an attack.
Keeping track of the many changes within the cybersecurity solution ecosystem takes more time than I can devote. I’m glad my old colleague Greg Hale made that his focus. Rubrik first came to my attention just a couple of months ago. They did get a mention in a post several years ago, when an executive invested in a company that never crossed my path again.
Rubrik’s unique proposition is resiliency. In this news, the company announced capabilities related to users of Google Cloud.
In its ongoing commitment to deliver comprehensive cyber resiliency, Rubrik announced April 9 upcoming capabilities designed to help ensure Google Cloud customers can quickly recover their business from a cyberattack or operational disruption.
“As organizations increasingly shift their business-critical data to the cloud, they’re confronted with new challenges in protecting sensitive information against rapidly evolving cyber threats—challenges their traditional security technologies simply can’t address,” explained Anneka Gupta, Chief Product Officer at Rubrik. “We aim to empower Google Cloud customers to address these challenges with confidence, enabling them to strengthen their cyber resilience, streamline data protection, optimize backup and recovery processes, and ensure business continuity in the face of any cyber incident.”
“For organizations navigating today’s complex cyber threat landscape, comprehensive cyber resiliency is non-negotiable,” said Stephen Orban, Vice President of Migrations, ISVs, & Marketplace at Google Cloud. “Our collaboration with Rubrik provides customers with the tools and technologies to establish isolated recovery environments on Google Cloud, fortified by the proactive security insights and expertise of Mandiant.”
Precisely designed for Google Cloud, this collaboration delivers:
Cloud-Based Isolated Recovery Environment in Google Cloud – Rubrik, in collaboration with Mandiant, is developing a cloud-based isolated recovery solution on Google Cloud. This solution is designed to enhance organizational cyber resilience by ensuring business-critical data backups are secure from cyber threats and efficiently, safely replicated to Google Cloud via Rubrik’s Secure Vault after an incident. By leveraging Rubrik’s Data Threat Analytics and Orchestrated Application Recovery Playbooks, combined with Mandiant’s periodic security assessments and Incident Response services, it aims to establish a secure recovery environment on Google Cloud, to enable swift core application restoration and business continuity.
Strengthened protection of Google Cloud Engine and Google Cloud SQL – New threat-analytics capabilities are planned for Anomaly Detection, Data Discovery and Classification, Turbo Threat Hunting, and Threat Monitoring. These capabilities are designed to work together to proactively detect cyber threats, accelerate incident response and recovery, and ensure sensitive data remains protected and compliant.
Enterprise-grade protection for Google Workspace – Rubrik’s solution is designed for Google Workspace customers, to help them protect their mission-critical SaaS data from cyber threats, insider risks, and accidental deletion, through newly offered immutable backups, automated anomaly detection, and rapid, granular recovery.
Rubrik’s strengthened protection of Google Cloud Engine is available now. New threat analytics capabilities, expanded protection of Google Cloud SQL, expanded protection of Google Workspace, and Cloud-Based Isolated Recovery Environment are planned to be generally available at a later date.
A company called Armexa, new to me in the cybersecurity ecosystem, sent a release about an analysis they made of the thoroughness of risk assessments. They advocate a “bow-tie” method, detailed below. This is not my area of expertise, so I pass it along as a tool for your belt.
The Blind Spots in Most Risk Assessments
Many cybersecurity assessments fall short because they only focus on one or two parts of the puzzle instead of the full picture. Here’s what often gets missed:
Only looking at external threats: Some assessments zero in on external threats like malware, phishing or hackers accessing the OT environment from the enterprise/business networks but overlook internal threats such as maintenance laptops, accidental misconfiguration errors, and unauthorized wireless access points that can bypass perimeter security controls.
Assuming compliance equals security: Publishing policies and following standards is important but just because an organization has them in place doesn’t mean they’re properly applied – or that they actually reduce risk.
Overlooking “double jeopardy” scenarios: Traditional risk models plan for one thing to go wrong at a time. But cyber incidents are intentional. Attackers can, and often do, take down multiple systems at once.
Focusing on vulnerabilities: Many assessments focus on discovering vulnerabilities such as outdated operating systems, known vulnerabilities (e.g., CVEs) and weak passwords. Listing vulnerabilities is helpful, but without asking what would happen if a vulnerability were exploited, you’re not actually assessing risk.
If you’re not linking security gaps to real operational and financial consequences, it’s almost impossible to know what really matters – or what to fix first.
The Three Elements Every Risk Assessment Should Cover
A truly effective risk assessment goes beyond simple gap analysis. It looks at the full picture by connecting three key elements:
Threats – What could cause a cyber incident?
Malware, phishing, ransomware
Human errors or insider threats
Unknown or unauthorized devices on your network
Vulnerabilities – Where are the weak spots?
Networks without proper separation
Devices that connect both IT and OT networks
Policies that are weak – or not followed at all
Consequences – What happens if something slips through?
Loss of control over key operations
Production downtime and financial losses
Safety hazards, regulatory fines, and environmental impact
Check out the web page for a discussion of weaknesses. Here they offer their better way to connect the dots—Bow Tie Analysis.
Bow Tie Analysis is a visual method that shows how threats, vulnerabilities and consequences are connected in a clear, structured way. It helps teams:
See how one issue can trigger a chain of events
Pinpoint which controls matter most, and whether they’re working
Understand what’s still at risk, even with protection in place
Meet regulatory expectations with a clear, easy-to-explain model
By mapping out risks in a straightforward, visual way, Bow Tie Analysis helps security teams and senior leadership understand where to focus – and where to take action first.
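To make the bow-tie structure concrete, here is a small Python model added to this post (it is not Armexa’s tool or code) that links threats through preventive barriers to a top event and on through mitigative barriers to consequences, then scores which controls matter most and how much residual risk remains; it also models the “double jeopardy” point from the blind-spot list by taking two barriers down at once. Every threat, barrier, effectiveness value and loss figure in it is a constructed assumption for illustration.

```python
"""Bow-tie risk model for one OT cyber scenario (constructed example, not Armexa's tool).
Threats -> preventive barriers -> top event -> mitigative barriers -> consequences.
Barrier effectiveness values and loss figures are illustrative assumptions."""
from dataclasses import dataclass

@dataclass
class Barrier:
    name: str
    effectiveness: float   # probability the barrier stops the path when it is working
    verified: bool = True  # False: policy exists on paper but is not confirmed to be applied

@dataclass
class Path:
    name: str
    likelihood: float      # threats: events/year; consequences: P(consequence | top event)
    barriers: list
    impact_usd: float = 0  # consequences only

def path_residual(path, disabled=frozenset()):
    """Probability the path passes every working barrier; unverified barriers count as absent."""
    p = path.likelihood
    for b in path.barriers:
        if b.verified and b.name not in disabled:
            p *= 1 - b.effectiveness
    return p

def annual_risk(threats, consequences, disabled=frozenset()):
    """Expected annual loss per consequence, given which barriers are down."""
    top_event_freq = sum(path_residual(t, disabled) for t in threats)
    return {c.name: top_event_freq * path_residual(c, disabled) * c.impact_usd for c in consequences}

def barrier_criticality(threats, consequences):
    """Extra annual loss if one barrier fails, i.e. which controls matter most.
    An unverified barrier scores 0: it is already giving no protection."""
    base = sum(annual_risk(threats, consequences).values())
    names = {b.name for p in threats + consequences for b in p.barriers}
    return {n: sum(annual_risk(threats, consequences, {n}).values()) - base for n in names}

def double_jeopardy(threats, consequences, pair):
    """Loss increase when an attacker takes down two barriers at once, versus the sum of
    the two single-failure increases that a one-thing-at-a-time model assumes."""
    base = sum(annual_risk(threats, consequences).values())
    joint = sum(annual_risk(threats, consequences, set(pair)).values()) - base
    singles = sum(sum(annual_risk(threats, consequences, {n}).values()) - base for n in pair)
    return joint, singles

# Constructed scenario; top event: malware executes on an OT engineering workstation.
THREATS = [
    Path("phishing via business network", 10, [Barrier("email filtering", 0.9), Barrier("IT/OT firewall", 0.9)]),
    Path("infected maintenance laptop", 2, [Barrier("transient device policy", 0.8, verified=False),
                                            Barrier("removable media scanning", 0.5)]),
    Path("rogue wireless access point", 1, [Barrier("network access control", 0.8)]),
]
CONSEQUENCES = [
    Path("production downtime", 0.5, [Barrier("network segmentation", 0.8), Barrier("tested backups", 0.5)], 2_000_000),
    Path("safety incident", 0.1, [Barrier("safety instrumented system", 0.99)], 50_000_000),
]
if __name__ == "__main__":
    print(sorted(barrier_criticality(THREATS, CONSEQUENCES).items(), key=lambda kv: -kv[1]))
    print(double_jeopardy(THREATS, CONSEQUENCES, ("email filtering", "IT/OT firewall")))
```

In this scenario the unverified transient-device policy contributes nothing, and knocking out email filtering and the IT/OT firewall together raises expected loss far more than the two single-failure figures added together, which is exactly the gap a one-thing-at-a-time model misses.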
Is It Time to Rethink Your Approach?
If your risk assessment doesn’t connect threats, vulnerabilities and consequences, there’s a good chance some critical gaps are being overlooked. Cyber risk isn’t just an IT issue – it affects operations, finances and most importantly, safety.