I have known Eddie Habibi, founder and CEO of PAS (now PAS Global) for about 20 years. So I’ve followed the development of his company for that long. There was alarm management, and process safety, and process asset management. And the company grew at a typical pace for the market.
Then he went all-in on process control system cybersecurity. He accepted some investment money, hired some pros in the field, and combined security with what the company was already known for.
The results are in the latest press release from PAS Global LLC where it announced a 45% increase in term revenue year-over-year and increased market recognition of its solutions.
In March 2019, the company introduced an expanded Cyber Integrity offering with risk analytics for continuous operational technology (OT) endpoint security. Following this milestone, the company marked record growth in the adoption of this solution across multiple geographies and verticals including the United States, Europe, and the Middle East with leading organizations in the chemicals and oil & gas industries, in particular.
A Fortune 50 independent petroleum refiner was challenged with increasing cybersecurity risks as they deployed connected technology to achieve faster and more efficient production operations. PAS Cyber Integrity was deployed as the foundation for the refiner’s OT cybersecurity program to create an automated, comprehensive, evergreen OT asset inventory and to more quickly identify and remediate security vulnerabilities. What used to take the company months to assess “critical” or “high” ICS-CERT vulnerabilities can now be done in minutes across all refineries.
A global, integrated oil & gas company operating across five continents is pursuing digital transformation to grow its business, enter new markets, and compete more effectively. Underpinning this initiative is a cloud-based analytics platform. The team chartered with this program sought to leverage their multi-vendor industrial control system (ICS) data and ensure reliable data flows from field-level devices to their data lake. They sought a platform-independent solution that could not only deliver this data, but also provide a topological view of assets and site connections, monitor configuration baselines, and manage change. Additionally, the company’s cybersecurity team sought a solution that could provide comprehensive OT asset inventory and rapid vulnerability assessment capabilities. PAS Automation Integrity and Cyber Integrity were selected to address these needs.
A major electronic materials firm with operations in North America and Asia sought to establish an enterprise-wide cybersecurity program on an aggressive schedule to eliminate gaps in visibility and security controls. Cyber Integrity was selected to automatically build a detailed OT asset inventory for each site, identify patch levels across systems, and implement change management workflows. The company now has the inventory and configuration visibility it needs to support digitalization efforts including data lake, 5G, and artificial intelligence initiatives.
“Industrial organizations are increasing investment in cybersecurity solutions specifically built for OT not only to reduce their overall cyber risk but to ensure they can accelerate their digital transformation efforts safely,” said Eddie Habibi, Founder and CEO of PAS. “We are pleased to be working with a growing list of global companies who are leveraging PAS Cyber Integrity to give them the foundation they need for managing industrial cyber risk.”
The company also saw significant year-over-year growth in purchases of its operations management and process safety solution, PlantState Suite.
“Of equal importance is the work we do to help companies improve process safety through effective operations management,” Habibi added. “We are pleased to have been recognized once again as the market leader for both alarm management and safety lifecycle management. This is a testament to the hard work of the PAS team over many years and the confidence our customers place in our solutions.”
PAS cybersecurity and process safety management solutions are installed in more than 70 countries in over 1,450 industrial facilities for over 535 customers, including 13 of the top 15 chemical companies, 13 of the top 15 refining companies, 7 of the top 20 power generation companies, 4 of the top 5 pulp and paper companies, and 3 of the top 5 mining companies in the world.
I received a notice from CyberX about an industrial and industrial control phishing scam. It just goes to show that we all need to be continually vigilant and disciplined about attachments and links.
From the CyberX blog:
Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea.
The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks.
For example, the attackers could be stealing proprietary information about industrial equipment designs so they can sell it to competitors and nation-states seeking to advance their competitive posture.
Also, credentials can provide attackers with remote RDP access to IoT/ICS networks, while plant schematics help adversaries understand plant layouts in order to facilitate attacks. Design information can also be used by cyberattackers to identify vulnerabilities in industrial control systems.
The campaign uses spear phishing emails with industrial-themed attachments.
The IoT group that I’ve been working with for the past few years has been absorbed into the OEM group which is carrying on an expanded function. This blog post from Steve Todd, Dell Technologies Fellow, details the development of data confidence work that has been contributed to the open source Linux Foundation to seed Project Alvarium.
Following is a quick summary. Go to the blog for additional information about trusted data work.
A team of Dell Technologies specialists finished building the first-ever Data Confidence Fabric (DCF for short). The prototype code will be contributed to the Linux Foundation to seed Project Alvarium.
For several years, the CTO of the Dell Technologies Edge and IoT business unit has been touting a vision of data monetization. However, it’s hard to monetize untrusted Edge and IoT data. As he likes to say, “It’s midnight. Do you know where your data has been?”
Enterprise storage systems have delivered trusted data to applications for a long time. We started our initial investigation wondering if these same trust principles could be applied to Edge and IoT ecosystems. Recent developments in data valuation, distributed ledgers, and data marketplaces facilitated everything coming together.
Five Levels of Trust
We started with the EdgeX Foundry chair of the Core Working Group, Trevor Conn. Trevor wrote the first-ever Data Confidence Fabric software using Go Lang, the same programming language EdgeX is written in. His Data Confidence Fabric software registered with EdgeX as a client and began processing simulated device data. The initial confidence score for this data was “0” (no trust was inserted).
Dell Technologies then hired three computer science interns from Texas A&M to deploy EdgeX and the Data Confidence Fabric software on a Dell Gateway 3000 with a Trusted Platform Module (TPM) chip.
EdgeX was then adjusted to support N-S-E-W authentication by using VMware’s open-source Lightwave technology.
Dell Boomi software was invoked by the Data Confidence Fabric software to gather provenance and append this metadata to the sensor reading.
The Data Confidence Fabric software then stored the data locally using IPFS (an immutable, open-source storage system). This fourth level of trust insertion gives an application confidence that the data/provenance has not been tampered with. It also has the additional benefit of enabling analytics to access data closer to the source.
The Data Confidence Fabric software then registered the data into VMware’s blockchain (based on the open-source Project Concord consensus algorithm).
Internet of Things installations along with industrial control systems constitute well known cybersecurity vulnerabilities within industrial plants and operations. CyberX, the IoT and industrial control system (ICS) security company, announced the availability of its “2020 Global IoT/ICS Risk Report” designed to sharpen awareness and knowledge of this critical area.
The data illustrates that IoT/ICS networks and unmanaged devices are soft targets for adversaries, increasing the risk of costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.
Some of the top findings noted that these networks have outdated operating systems (71 percent of sites), use unencrypted passwords (64 percent) and lack automatic antivirus updates (66 percent).
Energy utilities and oil and gas firms, which are generally subject to stricter regulations, fared better than other sectors such as manufacturing, chemicals, pharmaceuticals, mining, transportation and building management systems (CCTV, HVAC, etc.).
Now in its third year, CyberX’s “Global IoT/ICS Risk Report” is based on analyzing real-world traffic from more than 1,800 production IoT/ICS networks across a range of sectors worldwide, making it a more accurate snapshot of the current state of IoT/ICS security than survey-based studies.
Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide using its patented M2M-aware behavioral analytics and non-invasive agentless monitoring technology.
Recommendations Focus on Prioritization and Compensating Controls
The report concludes with a practical seven step process for mitigating IoT/ICS cyber risk based on recommendations developed by NIST and Idaho National Labs (INL), a global authority on critical infrastructure and ICS security.
Experts agree that organizations can’t fully prevent determined attackers from compromising their networks. As a result, they recommend prioritizing vulnerability remediation for “crown jewel” assets — critical assets whose compromise would cause a major revenue or safety impact — while implementing compensating controls such as continuous monitoring and behavioral anomaly detection (BAD) to quickly spot intruders before they can cause real damage to operations.
“Our goal is to bring board-level awareness of the risk posed by easily-exploited vulnerabilities in IoT/ICS networks and unmanaged devices — along with practical recommendations about how to reduce it,” said Omer Schneider, CyberX CEO and co-founder.
“Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are highly motivated and capable of compromising our most critical operational systems,” said Nir Giller, CyberX GM, CTO and co-founder. “It’s now incumbent on boards and management teams to recognize the risk and ensure appropriate security and governance processes are in place across all their facilities to address it.”
Summary of Key Findings
- Broken Windows: Outdated Operating Systems. 62 percent of sites have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft, making them especially vulnerable to ransomware and destructive malware. The figure rises to 71 percent with Windows 7 included, which reaches end-of-support status in January 2020.
- Hiding in Plain Sight: Unencrypted Passwords. 64 percent of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise additional systems simply by sniffing the network traffic.
- Excessive Access: Remotely Accessible Devices. 54 percent of sites have devices that can be remotely accessed using standard management protocols such as RDP, SSH and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets. For example, during the TRITON attack on the safety systems in a petrochemical facility, the adversary leveraged RDP to pivot from the IT network to the OT network in order to deploy its targeted zero-day malware.
- Clear and Present Danger: Indicators of Threats. 22 percent of sites exhibited indicators of threats, including suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices and malware such as LockerGoga and EternalBlue.
- Not Minding the Gap: Direct Internet Connections. 27 percent of sites analyzed have a direct connection to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
- Stale Signatures: No Automatic Antivirus Updates. 66 percent of sites are not automatically updating Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks.
I’ve followed Foxboro and Triconex for many years now in my coverage of the process automation business. A great company that, not unlike too many others, suffered now and again with very poor management. The company has now settled in nicely at its home in Schneider Electric and appears to be healthy here.
Much credit must go to Gary Freburger. He provided a steadying hand as the leader before and through the transition, as well as guiding the integration into the new home. He is retiring at the end of the year. I’ve met a number of great leaders and a few stinkers in my 20 years at this side of the business. Gary’s one of the great ones. And his chosen successor (see more below) seems more than up for the task of building on his successes.
Marcotte Succeeds Freburger as Process Automation President
This week’s major announcement revealed that Nathalie Marcotte has been selected to succeed Freburger as president of its Process Automation business, effective Jan. 1, 2020.
“After a long, successful industry career, including more than 15 years serving Invensys and Schneider Electric in various senior leadership roles, Gary has decided to retire,” said Peter Herweck, executive vice president, Industrial Automation business, Schneider Electric. “We thank him for his many contributions and his strong legacy of success. We wish him well, and I congratulate Nathalie on her appointment. She brings more than 30 years of industry knowledge, expertise and experience, as well as a long record of success. I look forward to working with her as we build on the success Gary has delivered.”
Since joining the Schneider organization in 1996, Marcotte has held several positions of increasing responsibility, including vice president of Global Performance and Consulting Services; vice president, North America marketing; general manager for the Canadian business; and, prior to her current position, vice president, marketing, Global Systems business. As the company’s current senior vice president, Industrial Automation Services, she is responsible for Schneider Electric’s Services business and offer development, ranging from product support to advanced operations and digital services. She is also responsible for the company’s Global Cybersecurity Services & Solutions business, including the Product Security Office.
“As we move through this transition, it will be business as usual for Schneider Electric and our Process Automation customers,” Marcotte said. “Gary and I are working very closely together to ensure there will be no disruptions to our day-to-day operations. This ensures our customers have the same access to the exceptional people, products and technology they have come to trust and rely on to improve the real-time safety, reliability, efficiency and profitability of their operations.”
“I thank Gary for his many contributions to Schneider Electric and to our industry in general. Under his leadership, our customers, partners and employees have never been better situated to succeed, today and tomorrow,” Marcotte said. “This transition will have no impact on our technology strategy and portfolio roadmap. We remain committed to our continuously-current philosophy, which means never leaving our customers behind. Now, by leveraging the strength of the full Schneider Electric offer, we can take the next step toward enabling an easier, less costly digital transformation for our customers, while keeping them on the path to a safer, more secure and profitable future.”
Following the opening keynotes, I had the opportunity to chat privately with Freburger and Marcotte. The following summarizes a few key takeaways.
Digitalization and Digital Transformation.
These topics were prominently displayed in the ballroom before the keynotes. In fact the welcome and opening presentation were given by Mike Martinez, Director of Digital Transformation Consulting. These are common themes in the industry—in fact, not only process automation, but also at the IT conferences I cover. Each company has its own unique take on the terms, but it still boils down to data, data integrity, databases, and data security. All of which were discussed.
Key Points From the Presidents.
Integration across Schneider Electric. One priority has been working with other business units (and their technologies) across the Schneider Electric portfolio. This could be PLCs and drives, but power is a huge emphasis. Schneider Electric management wants very much for its process automation acquisition to integrate well with its historic electric power business. This is seen as a strategic opportunity. One thought-provoking observation—is the process engineer/electrical engineer divide as serious as the IT/OT divide? No direct answer. But these domains have historically had little to no collaboration. One to watch.
Close working relationship with AVEVA. If you recall, Schneider Electric bundled its various software acquisitions including the ones from Invensys (Wonderware, Avantis) and used them to buy into AVEVA—the engineering software company. Bringing automation and software together was a constant source of pain for Invensys. Schneider Electric dealt with it through a separate company. Along the way, cooperation seems to be better than ever. Marcotte explained to me that Foxboro combines its domain expertise with the more broadly general software platforms to achieve customer values. See for example my previous post on Plant Performance Advisors Suite.
Cybersecurity. Marcotte has been leading Schneider’s cybersecurity efforts. These are seen as a key part of Schneider Electric’s offer. See especially the establishment of the ISA Global Cybersecurity Alliance. They don’t talk as much about Internet of Things as at other conferences; when I probed more deeply about IT, cybersecurity was again brought up as the key IT/OT collaboration driver.
It’s been a struggle, but the Schneider Electric process automation business (Foxboro and Triconex) seems as strong as ever. And the people here—both internal and customers—are optimistic and energetic. That’s good to see.
If I would offer you an opportunity to spend $300 and make $50,000 right away with more to come and no additional expense, would you take it? What about downloading a cybersecurity hack for that much off the Dark Web and using it to steal a $50,000 car?
Such a possibility exists, Etay Maor, Chief Security Officer of IntSights, told me yesterday. His firm, a threat intelligence company focused on enabling enterprises to Defend Forward, released the firm’s new report, Under the Hood: Cybercriminals Exploit Automotive Industry’s Software Features. The report identifies the inherent cybersecurity risk and vulnerabilities manufacturers face as the industry matures through a radical transformation towards connectivity.
Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles that require integrated software introduce security vulnerabilities. Widespread cloud connectivity and wireless technologies enhance vehicle functionality, safety, and reliability but expose cars to hacking exploits. In addition, the pressure to deliver products as fast as possible puts a big strain on the security capabilities of cars, manufacturing facilities, and automotive data.
The two main things that affect hackers’ motivation, regardless of their skills and knowledge, are the cost effectiveness of the attack and the value of the information.
Vehicles usually have more complicated attack surfaces to penetrate compared to other options, i.e. attacks against banks or retail shops. That said, the automotive industry still has numerous attack vectors, just as any other industry: phishing, credential leakages, leaked databases, open ports and services, insider threats, brand security, and more.
Dark Web Forums
In the research, IntSights discovered online shops that sell car hacking tools that appear on the clear web and are easy to find. These online shops sell services that disconnect automobile immobilizers, as well as services that sell code grabbers and forums that give bad actors a complete tutorial on how to steal vehicles.
“The automotive manufacturing industry is wrought with issues, stemming from legacy systems that can’t be patched to the proliferation of vehicle connectivity and software as consumers demand more integration with personal devices and remote access,” said Maor. “A lack of adequate security controls and knowledge of threat vectors enables attackers to take advantage of easily acquired tools on the dark web to reap financial gain. Automakers need to have a constant pulse on dark web chatter, points of known exposure, and data for sale to mitigate risk.”
Top Vehicle Attack Vectors:
- Remote Keyless Systems
- Tire Pressure Monitoring Systems
- Software and Infotainment Applications
- GPS Spoofing
- Cellular Attacks
Other attack vectors explored include:
- Attacking CAN bus
- Remote Attack Vectors
- Car Applications
- Physical Attack Vectors
IntSights has “the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire.” Its cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response.