WhiteHat Security Releases AppSec Stats Flash Volume 3

Cyber security news is always relevant, especially in our hyper-connected time. This item concerns information leakage.

Findings reveal more than 40 percent of applications actively leaking information and at-risk of exposing sensitive data

WhiteHat Security, a wholly owned, independent subsidiary of NTT Ltd. and a world leader in application security, released AppSec Stats Flash Volume 3, the latest installment of the company’s monthly report and podcast reflecting on the current state of application security and the wider cyber threat landscape.

In AppSec Stats Flash Volume 3, WhiteHat Security’s Setu Kulkarni, vice president of corporate strategy and business development, and Zach Jones, senior director of detection research, are joined by Dino Boukouris, founder and managing director at Momentum Cyber, to primarily discuss how information leakage can expose vulnerabilities in connected applications across business-to-business partnerships, as well as analyze the latest application security data found in this month’s report.

“In any partnership or merger and acquisition activity, organizations reach a stage where they need to integrate applications to sync data, enhance productivity and grow revenue. While application integration issues have been simplified, there is still no way to predict how their security posture will be affected by the complex orchestrations that form a digital supply chain,” said Kulkarni. “When two companies decide to integrate their applications, they should explicitly account for the risks that both companies will inherit, particularly concerning sensitive user and infrastructure data.”

Key findings from AppSec Stats Flash Volume 3 include:

  • More than 40 percent of applications are actively leaking information and are at-risk of exposing sensitive data. “When we talk about information leakage, we often do not realize the vast amount of sensitive or partially sensitive information that the applications we interact with are collecting,” said Jones.
  • Exposure of A3-Sensitive Data, one of the leading vulnerabilities reported within information leakage, can result in a supply chain-type attack across connected applications. “Too often, by the time a formal security assessment takes place in an acquisition, application security is viewed as a ‘check-the-box’ diligence item as opposed to a key value driver,” said Boukouris.
  • Applications in the manufacturing sector continue to report the highest Window of Exposure, with 70 percent of applications having at least one serious vulnerability open over the previous 12 months. “Window of Exposure is a major concern as applications remain increasingly vulnerable across all industries, particularly manufacturing and finance. To improve these metrics, security and DevOps teams must take a holistic approach to identifying, prioritizing, and remediating these vulnerabilities in a manner that configures all changes with the development controls in process,” said Kulkarni.

Those interested in learning more about the findings and analysis in AppSec Stats Flash Volume 3 can now download the report and stream the latest podcast episode on WhiteHat Security’s website and on popular platforms including Apple Podcasts, Spotify, Stitcher, Amazon, and more.

About WhiteHat Security

WhiteHat Security, a wholly-owned, independent subsidiary of NTT Ltd., is the leading advisor for application security with the most comprehensive platform powered by artificial and human intelligence. Trusted for nearly two decades by Fortune 500 organizations, WhiteHat Security helps organizations accelerate their digital future in our application-driven world. WhiteHat Security is based in San Jose, California, with regional offices across the U.S. and Europe.

Companies Are Finding Ways To Bring OT and IT Cybersecurity Solutions Together

Network cybersecurity news updates from Indegy, now part of Tenable, and Nozomi’s partnering efforts.

A visitor to the show floor of the annual ARC Advisory Group Industry Forum in Orlando a few years ago might have been surprised at the sheer number of new cybersecurity companies exhibiting. Adding to this number were a couple of established companies who had drunk the kool-aid and established cybersecurity practices.

My first thought, having been down this worn path too many times in my career, centered on how these companies could survive and, indeed, even find enough market to grow. Many companies are formed to be sold. I figured that most of these new cybersecurity company founders were looking for exits at the Forum as much as for customers. Since that time, many have been acquired.

We can only hope that, in the long run, this burst of creativity in the field will improve industrial control system (ICS) cybersecurity, although the recent incident at a Florida water treatment facility shows how far we still need to go.

Tenable Cybersecurity

I had a brief chat with Barak Perelman, VP of OT Security at Tenable and former CEO of Indegy to discuss the threats to cybersecurity opened up by the great dispersion of industrial workers due to the Covid pandemic. 

Indegy was an operations technology (OT) firm brought into an IT company (Tenable) in late 2019. This is one way to bring IT and OT together. Perelman told me that overall IT and OT networks are more interconnected than ever. Threats can freely flow between networks. And 67% of OT organizations are reporting new and more sophisticated tactics being used against them.

I asked Perelman who within a prospective customer company Indegy had called on and who the effective buyer was. He said this was the biggest shift of the last two years. The customer used to be the plant manager, engineering manager, and so on; now the buyer is more likely the IT cybersecurity team. The biggest success they’ve seen is with a combination of the two, for example placing an engineer from the plant on the security team. Strategically, senior-level executives and boards have become concerned, and they went to their CISO first for results. So most Tenable projects are led by IT teams.

Another big change in the market is reflected in his slide deck. He used to have a slide on “air gap” but that has been dropped. “Everyone now understands that everything is connected.”

Prior to the pandemic and the movement to remote work in 2020, companies thought that they didn’t have remote access exposure. Then they discovered that an engineer somewhere had added an unauthorized cellular modem for remote access to the system for troubleshooting purposes. Since the pandemic, utilities, for example, have moved as much as possible to remote access. Many organizations understood they couldn’t fight it anymore; if you can’t fight it, join it.

Nozomi Partnerships

Partnerships between companies have been one of the biggest trends in the market during the past couple of years. Here are a couple featuring cybersecurity company Nozomi.

Tempered Combines Strengths with Nozomi Networks 

Tempered Networks and Nozomi Networks announced a new partnership and product integration to deliver a full-featured industrial security solution for network visibility, threat detection and remediation. The joint offering integrates Nozomi Networks’ network visibility, threat detection and incident response system with Tempered Networks’ Zero Trust policy enforcement and centralized software-defined perimeter management console. Today’s sophisticated security threats are driving requirements not only for extensive visibility and intelligent threat detection, but also for automated remediation that can lock down vulnerable systems while ensuring continued availability for authorized access and business continuity.

“As the leader in OT and IoT security visibility and threat detection, Nozomi Networks gives us a powerful partner to deliver greater insight and remediation capabilities to our customers,” said Jeff Hussey, Founder and CEO of Tempered Networks. “The AI-powered network analysis and anomaly detection that they provide can drive more accurate micro-segmentation and security policy enforcement into our Airwall platform, providing a more secure, rapid response approach against industrial-grade network attacks.”

“Tempered Airwall delivers the military-grade encryption and secure access policy enforcement that many of our joint customers rely upon to quickly remediate anomalies and threats in their networks,” said Chet Namboodri, Nozomi Networks Senior Vice President of Business Development and Alliances. “The combination of threat visibility and automated enforcement significantly improves security response. Ubiquitous threats like the SolarWinds attack continue to emerge and industrial connectivity for remote work and connected smart devices continue to accelerate. Our combined offerings provide strong detection and defense against the rapid proliferation of advanced persistent threats, actively buttoning down attack surfaces.”

The product integration includes the ability of Tempered to mirror secure traffic to Nozomi Networks solutions through a fully encrypted overlay for greater analysis and insight. Armed with AI-driven insights from Nozomi Networks, Airwall customers can take remediation steps or refine Tempered security policies through the Airwall Conductor management console API. The Nozomi Networks solution and Tempered Networks Conductor work in concert to refine Airwall zero trust policies and address identified threats, going beyond the capabilities of traditional network security devices like firewalls or remote access solutions.

“A two-way integration of network monitoring of IoT devices and secure, zero-trust, communications is brilliant,” said Richard Stiennon, industry analyst with IT-Harvest and author of Security Yearbook 2020. “Ensuring that all communications is stealthed and encrypted while preserving visibility into traffic is a winning combination.”

NanoLock Security and Nozomi Networks to Provide End-To-End Cyber Protection for Critical and Industrial Infrastructures

NanoLock Security, a leader in OT and IoT device-level protection and management, and Nozomi Networks Inc., a leader in OT and IoT security and visibility, announced they have partnered to provide an end-to-end cyber protection and management solution to secure OT in critical and industrial infrastructure. The joint solution will be deployed in the Atlantica Cybernext Security Operations Center (SOC) to serve clients with the most technologically advanced solutions for protecting their business and infrastructure.

Nozomi Networks’ real-time OT and IoT security solution provides network visibility, threat detection, and operational insight for OT and IoT environments, while NanoLock’s device-level protection and management solution tackles the rapidly growing Advanced Persistent Threats (APT) from both outsider and insider adversaries. 

Together, the joint security solution from NanoLock and Nozomi Networks introduces a holistic approach that spans the entire IoT and OT network. Adding NanoLock’s device-level protection and forensic data to Nozomi Networks’ advanced network visibility, threat, vulnerability and anomaly detection extends cybersecurity coverage to include: 

  • Lightweight, passive cyberattack prevention for devices such as smart meters, data concentrators, and controllers, with near-zero processing, power requirements and memory footprint 
  • Anomaly detection covering the network as well as IoT and OT devices 
  • Unified alerts and deeper device-level as well as network-level forensic data 
  • Centralized device visibility, risk monitoring, and intelligence management 
  • Secured and enforced OTA (Over-The-Air) device updates 

“With cybersecurity threats to critical infrastructure on the rise, our partnership with NanoLock Security delivers advanced, end-to-end protection,” said Chet Namboodri, Nozomi Networks Senior Vice President of Business Development and Alliances. “We’re teaming with NanoLock to strengthen utilities’ defenses against cyberattacks, using robust device and network-level detection and protection alongside extensive network visibility and risk assessment.” 

“We’re delighted to partner with Nozomi Networks to introduce a broader IoT and OT cybersecurity solution,” said Yanir Laubshtein, NanoLock’s Vice President of Cyber Solutions. “We see a critical need for a cybersecurity solution that starts at the device level and spans the network to bring comprehensive detection, protection, and management. Our joint offering addresses that need, while also bringing operational efficiency analytics to critical and industrial infrastructure.” 

NextGen Cyber Talent Announces First Pilot Cohort and Governing Board

Training people with skills necessary for the success of our industry and especially introducing young people to the types of high tech work available is key to our survival as an industry. I just learned about this new non-profit educator who launched operations seeking to close the cyber talent and diversity gap by training traditionally underprivileged and underserved segments.

NextGen Cyber Talent Inc. (“NextGen”), a nonprofit organization training the next generation of cybersecurity professionals, announces its pilot cohort and its first Governing Board. NextGen seeks to provide an avenue into cybersecurity careers for women, minorities and other underprivileged segments through education and mentoring, while simultaneously attacking the skills shortage and lack of diversity in the cybersecurity industry today. The organization partnered with Bay Area community colleges to select a diverse initial pilot cohort of 20 students, who will begin its online curriculum on January 19th.

The Herjavec Group estimates that the number of unfilled cybersecurity jobs is expected to grow by 350%, from one million positions in 2013 to 3.5 million in 2021. In addition, (ISC)2 estimates that women account for less than a quarter of the overall cybersecurity workforce.

NextGen has been working with veteran executives and industry leaders to attack these deficiencies via Chapter and Strategic Advisory Boards and has finalized members for its initial Governing Board.

“We are excited to introduce our board of distinguished executives who will bring diverse expertise and insight in support of our mission,” said Founder & Co-Chair Krishnan Chellakarai. “Our work will address the lack of awareness of cybersecurity in younger generations and encourage them to consider building a career in this highly fulfilling field. The organization benefits from its deep network to ensure that NextGen’s board and leadership represents a variety of experts from technology, banking, health care, life sciences, and nonprofit backgrounds.”

“I am thrilled to have Tony Blevins and Phil Cox join Krishnan and myself on the Board to help make the NextGen vision a reality. The program is seeded by the principle of connecting successful leaders from industry with tomorrow’s up and coming talent,” said Co-Chair and Board Member Gary Gauba. “We look forward to building a thriving network of alumni over the coming decade with the active participation and support of industry luminaries like Tony, Phil and our Chapter Board members.”

NextGen’s Governing Board members are:

  • Krishnan Chellakarai, Chief Information Security Officer, Gilead Sciences
  • Gary Gauba, Managing Director & Founder of The CXO Fund
  • Tony Blevins, Vice President of Procurement, Apple
  • Phil Cox, Chief Operating Officer, Silicon Valley Bank

About NextGen Cyber Talent

NextGen Cyber Talent Inc. is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry. It brings together cybersecurity experts, solution providers and enterprises to make a difference in this community and address a mounting cyber skills shortage and talent gap. Our overall approach will focus on successfully attracting under-represented students and educating them in cybersecurity, privacy and compliance technology, as well as providing them mentorship and opportunities to jump start their careers in the industry. NextGen was founded by Krishnan Chellakarai (CISO, Gilead Sciences) and Gary Gauba (Founder & MD, The CXO Fund).

Bayshore Acquires GE Digital OpShield Cybersecurity Solution and Furthers Partnership

Bayshore Networks is a provider of active industrial cybersecurity protection solutions specifically designed for OT environments, automation engineers, and plant operators. It has had a partnership with GE Digital. At this month’s 2021 ARC Industry Forum, spokespeople talked to us about the news of its acquisition of OpShield from GE Digital as well as the expansion of the partnership.

Combining Bayshore’s in-depth policy learning, enforcement and deep content inspection engines with the OpShield advanced management console and advanced protocol technology addresses a gap: while companies may have threat analytics and/or detection solutions, they also need, as part of a cyber security triad, advanced prevention capabilities designed for the OT cyber skill sets realistically available on most plant floors today.

The combined solutions that emerge from this acquisition will be extended to cover most, if not all, major PLC brands, giving Bayshore the largest number of supported devices and protocols in the OT/ICS industry. The integrated solutions should be available in late Q3 of this year under the brand OpShield Next Generation.

Bayshore today continues to offer our Active IPS OT fuse for most industrial PLC protection applications, our unidirectional gateway NetWall, our industrial secure remote access product OT Access, our dedicated OT fuse devices for Cimplicity and iFIX in GE installations, and a Proficy Historian Connector for GE NetWall installations, along with many other Historian Connectors.

As more information becomes available we will keep all of our partners up to date. I want to thank all of you, our End Customers, our Channel and Alliance Partners, and our Investors for believing in our mission of Advanced Active Protection for OT/ICS Networks.

Bayshore Networks and GE Digital announced an expansion of their partnership to integrate their solutions and address the growing need to secure industrial and critical infrastructure networks. GE Digital’s OpShield technology will be integrated into Bayshore Networks’ advanced solutions, providing sophisticated industrial cybersecurity and active prevention/protection for industrial equipment, including programmable logic controllers (PLCs), human machine interfaces (HMIs), and engineering workstations.

“We’re pleased to announce another way we will support organizations who need to protect operational technology (OT) environments, industrial processes, and plant operations,” said Steve Pavlosky, Director, Digital Product Management at GE Digital. “Being at the heart of an operation’s data visualization, control, and reporting, it is critically important to ensure companies are taking steps to protect this key element to their operations. The combination of Bayshore’s In-depth Policy Engine with GE Digital’s OpShield Management Console and Advanced Protocol technology addresses the fact that while companies may have threat analytics or detection solutions as part of a Cyber Security triad, they must have advanced prevention capabilities.”

GE Digital began working with Bayshore in 2019 to bring cybersecurity support to GE Proficy installations. With this extended partnership, Bayshore and GE Digital look forward to providing customers in all industries with software that includes Bayshore Networks’ advanced cybersecurity technology with GE Digital’s OpShield capabilities.

“Bayshore is tremendously excited to see the relationship with GE Digital expand to combine our joint technologies with the goal of launching OpShield NextGeneration as the premier detection/active prevention solution for the entire industrial marketplace as we jointly work to secure the world’s industrial and critical infrastructure networks,” said Kevin Senator, CEO of Bayshore Networks. “Together, we will support existing GE Digital customers as well as new customers with technology to protect their OT endpoints and networks from ever-changing and increasing cyber threats as well as advancing this combined technology to a broad range of control products from a variety of vendors. Bayshore’s advanced technology brings a whole new level of safety and resilience within the reach and control of plant operations everywhere regardless of PLC brand in use.”

This partnership combines GE Digital’s OpShield security technology with Bayshore’s Deep Content Inspection and Advanced Policy Learning and Enforcement, enabling Bayshore to create an integrated product line, to be called OpShield NextGeneration.

Bayshore will be the exclusive provider of this combined technology to customers worldwide through GE Digital, Bayshore, and other sales channels. OpShield NextGeneration can protect most HMI and supervisory control and data acquisition (SCADA) systems from unauthorized and potentially high-risk or dangerous network activity such as unscheduled configuration changes, unscheduled maintenance events, indicators of reconnaissance and surveillance, Denial of Service (DoS) attacks, network spoofing and piggybacking.

“Industrial companies will now usually agree that they have hosts and applications which are no longer separated, or ‘air-gapped’ off for safe, isolated operations from the rest of the company or from outsiders and the internet,” said Sid Snitkin, Vice President Cybersecurity Advisory Services, ARC Advisory. “These types of systems are susceptible to certain OT network attacks. And with the influence of the pandemic, the industrial attack surface and the resulting cyber risk just continues to increase.”

“Bayshore understands industrial protocols and can easily retrofit into existing network deployments without having to change existing infrastructure, security practices, or even configuration changes to the equipment,” said Kevin Senator.

Bayshore Networks will begin offering the current OpShield product line to customers in late Q1, with an intended launch of OpShield NextGeneration in 2021 that covers most major PLC vendors with leading-edge active protection.

PAS Releases Sensor and Data Integrity

New capability ensures configuration data integrity and signal tracing to improve process safety, reduce cyber risk and support digital transformation

PAS (now PAS Global, part of Hexagon) has long provided valuable and interesting solutions for process automation. Its Integrity series of configuration management tools, now integrated with its cyber security work, offers many benefits. This announcement was highlighted at our (virtual, of course) meetings at the 2021 ARC Industry Forum.

PAS Global announced Sensor Data Integrity, a new Automation Integrity module, which enables industrial organizations to ensure configuration data integrity for smart and traditional sensors with signal tracing and validation. This addition to Automation Integrity helps reduce both process safety and cyber risk in support of digital transformation and Industrie 4.0 initiatives.

As industrial organizations expand their deployment of smart sensors, it is becoming increasingly complex to manage configuration consistency across field device management, distributed control systems (DCS), programmable logic controllers (PLC), safety instrumented systems (SIS), historians and other operational technology (OT). Managing the complex configuration of millions of multi-vendor sensors consistently has become a major challenge for industrial companies. The lack of effective sensor management also puts digital transformation initiatives at risk of falling short of their intended benefits, potentially wasting multimillion-dollar investments.

The new Sensor Data Integrity module provides multi-vendor:

  • Discovery of smart, industrial IoT, and traditional analog sensors
  • Visibility to the complete inventory and potential cyber vulnerability for sensors
  • Creation of templates to define approved configuration for each sensor type
  • Automated detection of configuration errors
  • Automated identification of devices that don’t match assigned templates
  • Cross-checking of parameters (ranges, units, etc.)
  • Support for large-scale, multi-site sensor deployments
  • Sensor signal tracing, validation and visualization

The information provided by Sensor Data Integrity can also be leveraged by sensor asset management systems (AMS) to support instrument calibration and can feed PAS Cyber Integrity to support cybersecurity vulnerability assessments.

“PAS has a strong history of customer-led innovation and the development of Sensor Data Integrity builds on that tradition,” said Eddie Habibi, PAS Founder. “The expansion of smart sensors is making it increasingly difficult for operations teams to monitor for configuration drift and inconsistencies. This means teams are spending more time trying to find issues instead of correcting them, which increases the risk of poor plant performance and cyber vulnerabilities. PAS, now part of Hexagon, is the first technology provider addressing this challenge with a multi-vendor solution that works across OT systems.”

With Sensor Data Integrity, industrial organizations will:

  • Reduce manual effort in reconciling sensor and field device configurations
  • Improve plant performance and reduce safety risk (e.g., fewer unit trips due to bad configurations)
  • Reduce sensor configuration drift and errors by more than 40%
  • Enhance decision-making with higher-quality sensor diagnostics
  • Leverage sensor data for vulnerability assessment and obsolescence planning
  • Reduce sensor-related cost overruns before startup (e.g., accelerated loop check out)

“Multi-vendor sensor configuration management is a long-standing challenge in the industrial sector and the problem is only getting worse with the proliferation of smart sensors,” said Larry O’Brien, Research VP ARC Advisory Group. “In a 2017 study, ARC estimated the process industries lose as much as $1 trillion per year due to unplanned downtime. Misconfigured or inconsistent sensor configurations are key contributors to these events. We are pleased to see PAS, with support from key customers, has introduced sensor data integrity to address this pervasive and growing problem.”

Verve and aDolus Partner for Endpoint Cybersecurity Solution

Verve embeds aDolus’ ability to generate SBOMs and validate components for improved cybersecurity.

“Our combined offering is the only platform that enables end users to manage the security of their ICS/OT endpoints down to vulnerabilities in hidden subcomponents.” — Eric Byres, P.Eng, ISA Fellow

I recently caught up with Verve Industrial CEO John Livingston to go over the news of a partnership with Eric Byres’ new company, aDolus Technology. Livingston reminded me that, unlike most cybersecurity solutions that sit on the network and perform packet analysis looking for anomalies, Verve is an endpoint management tool that speaks a language comfortable to CISOs. He told me that market acceptance has been good, with sales doubling in 2020. That was partly, I’m sure, due to stresses on security from the sudden migration of employees from offices to home, and partly due to CISOs recognizing a different type of solution.

aDolus Technology Inc., a global authority on software intelligence for critical infrastructure, announced its partnership with Verve Industrial, a leading industrial control system management and cyber security provider. The partnership brings the power of the aDolus FACT platform’s IoT/OT SBOM (software bill of materials) analysis and validation into Verve’s IoT/OT endpoint vulnerability management platform. 

“Supply chain attacks like the recent SolarWinds hack are now front-page news, and we are working with Verve to reduce the risk these attacks pose to critical systems,” said Eric Byres, CEO of aDolus and inventor of the Tofino Firewall. “Our combined offering is the only platform that enables end users to manage the security of their ICS/OT endpoints down to vulnerabilities in hidden subcomponents.” 

The FACT platform correlates information from diverse sources about ICS, IIoT, and IoT firmware and software to provide continuous assurance that packages (and all their subcomponents) are legitimate, tamper-free, and safe to ship and install. Verve embeds this intelligence as an easy-to-use “FACT score” that indicates a component’s trustworthiness. 

With over 25 years of OT experience, Verve is an OT/ICS cyber security company that partners with customers to bridge IT/OT security challenges in industrial environments. The Verve Security Center provides a robust asset inventory, vulnerability assessment, threat detection and the ability to safely remediate risks in a unified software-based platform.

“Current approaches that rely on passive detection of software miss the underlying reservoir of risk of both OS and application software as well as the hidden risks of vulnerable components within OT/IoT firmware,” said John Livingston, CEO of Verve. “Through this partnership, our customers can not only identify ‘known’ risks, but immediately check for vulnerabilities hidden in their embedded firmware.”

The Verve Security Center continues to deliver the most innovative capabilities to its clients in a single, easy-to-use platform, and aDolus’ FACT platform is the latest addition to Verve’s ability to both simplify and improve its clients’ risk management.

To learn more about the partnership between aDolus and Verve Industrial to reduce risk in industrial environments, join our webinar on February 25th: Why 40 Years of Product Outsourcing, Corporate Acquisitions, and Bad Spelling Leaves OT Security Flaws Hidden.

About aDolus Technology Inc.
aDolus provides an ecosystem called FACT (Framework for Analysis and Coordinated Trust) for brokering information about IoT and Industrial IoT software. FACT helps facilities determine if updates are safe to install on mission-critical devices. FACT aggregates information from vendors, asset owners, system integrators, consultants, and security researchers, and applies decades of security expertise to build a “FACT score” of trustworthiness. Much like a FICO credit score, FACT makes it quick and easy to make installation decisions, enforce policies, and ensure governance of security processes via an audit trail. Visit us at www.adolus.com.

About Verve Industrial
Verve Industrial Protection has ensured reliable and secure industrial control systems for 25 years. Its principal offering, the Verve Security Center, is a unique, vendor-agnostic OT endpoint management platform that provides IT-OT asset inventory, vulnerability management, and the ability to remediate threats and vulnerabilities from its orchestration platform. Verve’s Design-4-Defense professional services support clients in ensuring their OT environments are designed and operated in a secure manner. To learn more about Verve Industrial, please visit us at www.verveindustrial.com.