New IT/OT Features Increase Visibility, Security and Control

Cybersecurity news continues to lead inputs to my inbox. Tenable has much news coming. This one has been waiting for a while for me to clear a lot of other news. This is an update to Tenable.ot to v3.14.

Four new capabilities in Tenable.ot

1. Deeper coverage of segmented assets — Active Sensors queries devices that are otherwise invisible to passive scanners — even if they are in a separate, isolated or non-routable network. 

2. New sensor management capabilities — New sensor management capabilities provide better control and context to make the best security decisions. You can even deploy sensors on virtual machines and manage them through a single interface.

3. Consolidated global dashboard reporting — Enhanced global dashboard reporting helps security teams quickly gather telemetry from across the OT environment. User-configurable widgets make it easy to group assets by type, events, policies and risk scores. Security teams can efficiently identify high-risk assets and communicate risk effectively so executives can make informed decisions on business initiatives.

4. In-product signature and detection feed — The signature and detection feed ensures you’re running the latest plugins.

Rust Foundation Establishes Security Team

Do you program in Rust? Me neither. I had barely heard of it. I received this news. Valuable if you use Rust. Interesting for any other language to think about security within a language.

The Rust Foundation, the nonprofit organization dedicated to supporting and sustaining the Rust programming language, announced Sept. 13, 2022 that it is establishing a dedicated security team. The team is being underwritten with generous support from the OpenSSF’s Alpha-Omega Initiative, which partners with open source software projects and maintainers to improve global software supply chain security, and from the Rust Foundation’s newest Platinum member, JFrog.

These investments from Alpha-Omega and JFrog include dedicated staff resources that will enable the Rust Foundation to create and implement security best practices. The first initiative for the new Security Team will be to undertake a security audit and threat modeling exercises to identify how security can be economically maintained going forward. The team will also help advocate for security practices across the Rust landscape, including Cargo and Crates.io, and will be a resource for the maintainer community.

JFrog just last week announced it is joining the Rust Foundation at the Platinum level. As part of the company’s investment in the Rust Foundation and ecosystem, JFrog has committed members of its Security Research team to work on the Rust Foundation Security Team. JFrog joins AWS, Google, Huawei, Meta, Microsoft, and Mozilla at the Platinum level. 

Introducing Velta Technology–Cyber Risk Management

Craig Duckworth, President and Co-Founder of Velta Technology, spoke with me shortly before I left for two conferences. I’m catching up, slowly. You may not have heard of Velta Technology. It’s just four years old. They are trying to find a niche within the cybersecurity market without being just another packet sniffing or intrusion detection company.

The company doesn’t sell just one product family. It relies on working with partners such as Claroty and Cisco to bring solutions to customers. It is comprised of multi-disciplinary industrial manufacturing and critical infrastructure experts. “We understand the differences between industrial and IT infrastructures, as well as the toolsets required to secure them.” In this regard, they are one of the companies attempting to bring IT and OT to the same table.

“Our experience and partnerships with the world’s leading solution providers in the industrial space allow us to integrate cybersecurity solutions with existing technologies. We bridge the gap in expertise and understanding from industrial assets on the plant floor across to the enterprise.”

Much of our conversation focused on risk. He talked about the role of the customer company’s board of directors as the key leadership element in focusing management on cybersecurity in order to mitigate risks of cyber intrusions. Velta works with customers to implement solutions to retrieve data and organize risk. They recognize that many IT-trusted tools simply are not effective or even possible in the operations environment.

Here’s a summary of the company’s offering:

Technology & Tools

  • End-to-End Protection
  • Industrial Hardened Platforms: Appliances, Enclosures, Networking
  • Continuous Monitoring: Ability to see real time performance and threats
  • Secure Remote Access: With full Audit Tracking and Controls
  • Industrial Endpoint Protection: The definitive protection in the industry
  • Connected Devices Vulnerability Index (CDV Index): Identify your supply chain risks

Solutions

  • Visibility & Digital Safety
  • Velta Technology Visibility Program: Real-time visibility into the assets in your industrial environment, behavior anomalies, security threats and vulnerabilities. More than simply a moment-in-time Risk Assessment.
  • Velta Technology Digital Safety Standards: A continuous improvement methodology that supports protection of industrial assets. Covers everything from cybersecurity threats to process integrity issues that can impact environmental and human harm.

Services

  • Service and Support Options
  • Strategy & Advisory Support: Recommendations, designs and roadmaps to navigate safety maturity for industrial asset networks.
  • Deployment: From onsite Basic installation and configuration to Enhanced assistance for a full year.
  • Operationalize: Build programs for existing or new platforms to improve value and mitigation in your local environment.
  • Managed Services: Basic/Standard/Premier options to deliver full-platform and resources for your organization.

 

IoT Vulnerability Disclosures Grew 57 percent from 2H 2021 to 1H 2022

Security, risk, and vulnerability to digital hacks consume half of my bandwidth—or so it feels. Part of the security trends includes each supplier performing research and writing reports. Here is a report from Claroty’s Team82 revealing a rise in IoT vulnerabilities, vendor self-disclosures, and fully or partially remediated firmware vulnerabilities.

Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to new research released in August by Claroty, the cyber-physical systems protection company. The State of XIoT Security Report: 1H 2022 also found that over the same time period, vendor self-disclosures increased by 69%, with vendors becoming more prolific reporters than independent research outfits for the first time, and fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus software vulnerabilities.

Compiled by Team82, the report is an examination and analysis of vulnerabilities impacting the Extended Internet of Things (XIoT), a vast network of cyber-physical systems including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities discovered by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

Key Findings 

IoT Devices: 15% of vulnerabilities were found in IoT devices, a significant increase from 9% in Team82’s last report covering the second half (2H) of 2021. Additionally, for the first time, the combination of IoT and IoMT vulnerabilities (18.2%) exceeded IT vulnerabilities (16.5%). This indicates enhanced understanding on the part of vendors and researchers of the need to secure these connected devices, as they can be a gateway to deeper network penetration.

Vendor Self-Disclosures: For the first time, vendor self-disclosures (29%) have surpassed independent research outfits (19%) as the second most prolific vulnerability reporters, after third-party security companies (45%). The 214 published CVEs almost double the total of 127 in Team82’s 2H 2021 report. This indicates that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programs and dedicating more resources to examining the security and safety of their products than ever before.

Firmware: Published firmware vulnerabilities were nearly on par with software vulnerabilities (46% and 48% respectively), a huge jump from the 2H 2021 report when there was almost a 2:1 disparity between software (62%) and firmware (37%). The report also revealed a significant increase in fully or partially remediated firmware vulnerabilities (40% in 1H 2022, up from 21% in 2H 2021), which is notable given the relative challenges in patching firmware due to longer update cycles and infrequent maintenance windows. This indicates researchers’ growing interest in safeguarding devices at lower levels of the Purdue Model, which are more directly connected to the process itself and thus a more attractive target for attackers.  

Volume and Criticality: On average, XIoT vulnerabilities are being published and addressed at a rate of 125 per month, reaching a total of 747 in 1H 2022. The vast majority have CVSS scores of either critical (19%) or high severity (46%). 

Impacts: Nearly three-quarters (71%) have a high impact on system and device availability, the impact metric most applicable to XIoT devices. The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%. 

Mitigations: The top mitigation step is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%) and ransomware, phishing, and spam protection (15%).  

The primary authors of this report are Bar Ofner, security researcher at Claroty, and Chen Fradkin, data scientist. Contributors include: Rotem Mesika, threat and risk group lead, Nadav Erez, director of innovation, Sharon Brizinov, director of research, and Amir Preminger, vice president of research. Special thanks to the entirety of Team82 for providing exceptional support to various aspects of this report and research efforts that fueled it. 

Shields Up Against Cyber Attacks Due to War in Ukraine

At the start of the Ukraine conflict, CISA issued a “Shields Up” alert to all critical infrastructure in an effort to stave off potential cyber attacks from Russia. Six months later, the proverbial “shields” are still up, but is the U.S. critical infrastructure more secure because of it?

I was wondering if I should have more security than I have being a manufacturing and industrial site. Indeed I saw a sharp peak of hits from Russia and Ukraine at the outset of the war. But it was only a blip. But what if I weren’t a media site but a critical infrastructure site?

Security information comes at me faster than to my friend Greg Hale, who specializes in the subject at Industrial Safety and Security Source. Recently I talked with Ron Fabela, CTO of critical infrastructure cybersecurity firm SynSaber. This company is working directly with operators across oil & gas, electric, water infrastructure and nuclear to maintain a “Shields Up” posture.

More than six months have passed since the initial flurry of war and increased cyber attacks in the US. I wondered what the state of “Shields Up” was these days. Have we kept up the urgency? Or have we learned to live with it?

Ron suggested that astute executives should have used the directives to get some much-needed budget. He pointed out that one cannot sustain a high alert indefinitely, and that IT and security executives should not overhype the situation. Still, when attention is suddenly focused on a risk area, it makes sense to lay a plan and ask for budget to implement strategies. Plus, sometimes the government brings money with its directives, something that is always a big help.

Expanding on the topic: like its peers, SynSaber initiated a study, this one to discover what could be learned from the 681 Common Vulnerabilities and Exposures (CVEs) reported via the Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the first half of 2022.

Breaking up the reported CVEs into remediation categories (i.e., can it be patched with software, a firmware update, or something more complex requiring protocol or whole system changes) or taking a look at attack vector requirements can provide critical insights for teams to assess these and future CVEs as they are reported.

We hope that by analyzing and counting these vulnerabilities with new methods, this context can be used by all industrial security teams to better understand and remediate future vulnerabilities.

Key Findings

● For the CVEs reported in 2022, 13% have no patch or remediation currently available from the vendor (and 34% require a firmware update)

● While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 42% have been submitted by security vendors and independent researchers (remaining 2% were reported directly by an asset owner and a government CERT)

● 23% of the CVEs require local or physical access to the system in order to exploit

● Of the CVEs reported thus far in 2022, 41% can and should be prioritized and addressed first (with organization and vendor planning)

Industry IoT Consortium and International Society of Automation Combine For Security Maturity Model

The most optimistic trend I see in our market concerns cooperation and collaboration. There’s a lot of that going on. Here’s one I didn’t really see coming—the Industry IoT Consortium (IIC) and the International Society of Automation (ISA). They recently announced the IoT Security Maturity Model (SMM): 62443 Mappings for Asset Owners, Product Suppliers, and Service Suppliers.

“This new guidance adds the service provider role. It extends the previously published IoT Security Maturity Model (SMM): Practitioner’s Guide to provide mappings to existing 62443 standards and specific guidance for the asset owner, product supplier, and service provider roles,” said Ron Zahavi, Chief Strategist for IoT standards at Microsoft and IoT SMM co-author.

The IIC IoT SMM helps organizations choose their security target state and determine their current security state. By repeatedly comparing the target and current states, organizations can identify where they can make further improvements.

The ISA99 committee developed the 62443 series of standards, which the International Electrotechnical Commission (IEC) adopted. The standards address current and future vulnerabilities in Industrial Automation and Control Systems (IACS) and apply necessary mitigation systematically and defensibly. The ISA/IEC 62443 standards focus on maturity, but only on the maturity of security programs and processes.

“Achieving security maturity targets can be difficult to put into practice without concrete guidance,” said Frederick Hirsch, co-chair of the IIC ISA/IIC Contributing Group. “These 62443 mappings enable practitioners to better achieve security maturity by relating IIC IoT SMM practice comprehensiveness levels to ISA/IEC 62443 requirements. In this way, IACS asset owners and product suppliers can achieve appropriate maturity targets more easily.”

Eric Cosman, co-chair of the ISA99, said, “While standards such as ISA/IEC 62443 are needed to codify proven and accepted engineering practices, they are seldom sufficient. Joint efforts such as this provide the practical guidance necessary to promote and support their adoption.”

Pierre Kobes, a member of both ISA99 and IEC Technical Committee 65, said, “It is not about more security but about implementing the appropriate security measures. IoT SMM: 62443 Mappings for Asset Owners and Product Suppliers helps companies select the adequate security levels commensurate with their expected level of risk.”

You can download IoT SMM: 62443 Mappings for Asset Owners, Product Suppliers and Service Providers from IIC and ISA websites. You will find a complete list of the contributing authors in the document. Work is underway to add the service provider role to the document in a future revision.