Cyber Integrity Software Update Released

I’m still catching up from the flurry of press releases in April and early May. This one comes from Hexagon Asset Lifecycle Intelligence and the PAS group it acquired a couple of years ago. The new version is PAS Cyber Integrity 7.3. Updates include:

  • Delivering an enterprise-wide, holistic image of multiple risk domains with a clear understanding of vulnerabilities and enhanced risk-based decision-making
  • Utilizing proprietary risk scoring to rapidly identify risks in the environment of greatest concern while simultaneously considering the vulnerabilities and patching level of various assets
  • Precisely identifying systems at risk of penetration or exploit and providing meaningful and actionable data regarding risk level, vulnerabilities for remediation and the associated patches and upgrade paths providing the highest value
  • Prioritizing risk-reducing and vulnerability remediation activities that shrink the attack surface and quickly providing paths that reduce the greatest risk, with the least amount of effort

Honeywell Cyber Insights Announcement

Honeywell began sending press releases about things called Forge and Connect and Connected Enterprise in 2019. I was puzzled. Then came the pandemic making contact and conversations difficult. I think this was much like initiatives from a few other former automation companies now trying to become software companies—they had some ideas and appointed some GMs, but they were feeling their way forward, as well.

I was confused again this month. There was registration for something called Honeywell Connect, and then pre-brief for Honeywell Connect (for which I never received a link) and then for Honeywell User Group (HUG). I registered for so many things, I wasn’t sure what was next. Then there’s the issue that HUG is in Orlando—and I’m tired of going to Orlando and supporting Florida. 

Yesterday was Honeywell Connect—a series of announcements from the Honeywell Connected Enterprise group. The big announcement that concerns me follows. HUG follows June 19 for the process systems group. That one is live. As it stands now, I’ll be there. If you’d like to connect and give me your thoughts on using all this new technology or where AR/VR is going, ping me at [email protected].

The big news from Connect is the release of Cyber Insights for operational technology applications. Its focus is improving the availability, reliability and safety of their industrial control systems and operations. Cyber Insights is designed to integrate information from multiple OT data sources in order to provide a customer with actionable insights into their facility’s cybersecurity vulnerabilities, threats and compliance, thereby helping reduce their overall cybersecurity risks.

Cyber Insights brings a tailored approach by providing a purpose-built cybersecurity solution for OT environments and users. It is designed to offer a site-level view of a facility’s cybersecurity posture and provide insights into security events, vulnerabilities, active threats and to manage compliance. Cyber Insights can help organizations strengthen their cyber resilience and respond faster to incidents through access to critical information at the right time.

Cyber Insights is pre-configured for OT use, with already available customization options designed to address certain needs specific to different industrial environments, while being vendor agnostic so that it can be deployed on Honeywell control systems as well as many other systems. It is also deployed, supported and maintained by Honeywell Cyber Care services during the applicable subscription license term to help customers maintain continuous tuning and optimization as required for any system to run in peak form.

Public Cloud Data Breaches, Shadow Data Concerns Show Steep Rise

Cyber security must be the topic showing up most in my inbox over the past year or two. Every company is performing its own surveys and reports. That must mean there is no definitive analyst firm covering that subject. This survey and report from a company called Laminar looks at public clouds.

To tackle skyrocketing cloud data security issues, 97% of organizations now have a dedicated data security team.

Looks like its definition of public cloud includes AWS, Azure, GCP, and Snowflake (more on Snowflake in a post coming soon). Further, Laminar looks to “shadow data” as a particular function of concern. Shadow, or unknown, unmanaged data is growing as users now can proliferate data in just a few clicks. Shadow data can occur when copied data lives on in test environments, data gets misplaced in storage buckets, legacy data isn’t deleted after a cloud migration, data logs become toxic, and orphaned backups are left stale.

The fast pace of cloud transformation and democratization of data has created a new innovation attack surface, leading to 3 in 4 organizations experiencing a cloud data breach in 2022 and the overwhelming majority (68%) of data security professionals naming shadow data as the No. 1 concern of protecting cloud data. The State of Public Cloud Data Security Report 2023, released by Laminar today, reveals that concern over shadow data has increased to a whopping 93% compared to 82% the year before. This finding indicates a need for security teams to evolve processes and technologies to autonomously discover, classify, protect, and remediate sensitive cloud data stores, wherever they are located.

A full 95% of respondents believe that cloud environments are different enough (than on-premises) to require unique security solutions. Given their concerns about on-premises solutions, more security professionals are considering deploying cloud-native security platforms to improve sensitive data protection. 

  • 71% said cloud-native security solutions should provide autonomous scanning
  • 63% want to deploy a dynamic, performant platform
  • 54% say such a solution should offer asynchronous operations
  • 53% would like the platform to provide an agentless architecture


State of XIoT Security Report 2H 2022

The latest trend among cyber security firms is to conduct surveys and issue reports. This report comes from Claroty’s Team82. They found that vulnerabilities disclosed declined while vulnerabilities found by internal research and product security teams have increased.

Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to the State of XIoT Security Report: 2H 2022 released today by Claroty, the cyber-physical systems protection company. These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

Key Findings

  • Affected Devices: 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, thus very attractive to threat actors aiming to disrupt industrial operations.
  • Severity: 71% of vulnerabilities were assessed a CVSS v3 score of “critical” (9.0-10) or “high” (7.0-8.9), reflecting security researchers’ tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWEs) in the dataset are also in the top five of MITRE’s 2022 CWE Top 25 Most Dangerous Software Weaknesses, which can be relatively simple to exploit and enable adversaries to disrupt system availability and service delivery.
  • Attack Vector: 63% of vulnerabilities are remotely exploitable over the network, meaning a threat actor does not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.
  • Impacts: The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
  • Mitigations: The top mitigation step is network segmentation (recommended in 29% of vulnerability disclosures), followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).
  • Team82 Contributions: Team82 has maintained a prolific, years-long leadership position in OT vulnerability research with 65 vulnerability disclosures in 2H 2022, 30 of which were assessed a CVSS v3 score of 9.5 or higher, and over 400 vulnerabilities to date.

Cloud Range Live-Fire Cybersecurity Training

Mindful people are marked by curiosity. At least, that is one characteristic. I don’t know about being mindful, but I embody a healthy dose of curiosity. A press release came my way from a company I had never heard of touting a process I also had never heard of—range. So, I had to investigate. In addition to the Web (yes, you can still do research by searching on the Web, but thanks to Google, it’s not as easy or as fruitful as it used to be), I also talked with Debbie Gordon, CEO of Cloud Range.

This technology solution relates to cybersecurity. Specifically, these solutions provide training for varieties of personnel regarding identifying and thwarting cyber attacks. The “range” term is known in the IT world. Cloud Range, Gordon told me, is the first company to take the concept, develop it specifically for the operations environment, and use it to train operators, engineers, manufacturing IT, and any others who may be involved. 

Gordon used the metaphor of a flight simulator. It’s better for a pilot to train on abnormal situations in a device that isn’t going to crash and kill everyone on board. The problem for operations people lies in the fact that they may have never experienced a cyber attack. They may treat it as just another alarm that can often be ignored.

Cloud Range also understands that while IT’s concern is data, OT’s concern is uptime. This requires an entirely new look at how to train and solve the problem.

On to the news:

Cloud Range introduced Cloud Range for Critical Infrastructure—the first-of-its-kind full-service, live-fire simulation training specifically designed to proactively train and prepare incident responders (IR) and security operations (SOC) teams in operational technology (OT) and information technology (IT) environments to defend against cyber attacks to critical infrastructure. 

The digital convergence of OT and IT in critical infrastructure sectors has increased the focus of cyber attacks against OT and industrial control system (ICS) environments. This has accelerated the need for cyber defense teams to understand, train, and prepare to protect these assets. However, OT and IT environments can have very disparate objectives, setups, and risks. OT security requires different protocols, analysis, forensics, and other security methods than traditional IT security networks. That’s why OT/ICS security teams require unique training to ensure they can overcome the threats and challenges they face. 

Cloud Range for Critical Infrastructure is the industry’s first and only full-service OT/ICS/IoT cyber range simulation training environment with dynamic, live-fire OT/ICS, OT/IoT, and IT/OT incident response and security operations exercises. The customizable OT environments include unlimited network scenarios to simulate any organization’s OT/IT network and emulate any industrial sector, including energy, nuclear, transportation, communications, water systems, buildings/facilities, and more. The new OT solution not only strengthens the resilience of security teams, but also improves operational efficiency by providing a collaborative environment for IT/OT teams to work and train together and remove the complexity and friction between them that is common in most organizations. 

The product is a program with a taskmaster where personnel set aside a training time of around four hours to participate in the simulation.

Cloud Range for Critical Infrastructure mimics potential real-life cyber attacks and enables cyber defenders to see and understand an attack before it actually happens, preparing them to be ready to defend. Attack scenarios are mapped to the MITRE ATT&CK Framework for Industrial Control Systems (ICS) so teams can understand the specific tactics taken by adversaries. The immersive, live-fire cyber range environment gives OT IR and ICS security teams the needed expertise, judgment, skills, and muscle memory required to be ready when a real attack occurs. 

Cloud Range training missions are led by expert attackmasters providing teams with real-time guidance. Additionally, security leaders receive performance metrics and analysis with prescribed training plans based on the results of an exercise.

Learn more about OT cyberattack simulation training by watching the webinar, “Conquer OT Attacks in an IT-focused World” featuring Debbie Gordon, founder and CEO of Cloud Range; Bryan Singer, Principal Director, Global OT Incident Response Lead at Accenture; Mark Cristiano, Global Commercial Director – Cyber Security Services at Rockwell Automation; and Lucian Niemeyer, CEO of Building Cyber Security.

Protection From Coming Hardening of DCOM

[Note: If you had previously signed up to receive new posts via email, you’ve noticed that they stopped and then restarted. WordPress had notified me that this service had ended. I recently saw where it was active, but not supported. Update: I’ve received multiple messages from one post. I’ve changed the frequency to daily updates. We’ll see how that works.

You can subscribe to an occasional newsletter that I’ve been playing around with. It comes through my HEY.com email account. If you haven’t checked out Hey, give it a look. I haven’t moved my business email there, yet, but I like the new take on an email client. My email address there is [email protected] You can check it out by clicking on the mail button at the right sidebar.]

I actually thought that the whole DCOM technology situation was over. That is an old Microsoft Windows technology long since passed by in usefulness. Except, there’s a lot of it lying around with OPC Classic. As we often say, technologies change slowly in industrial and manufacturing applications. This is a potential snafu. I first wrote about Velta Technology last September. This news is about a partnership to offer a solution to the looming hardening of DCOM.

Velta Technology and TXOne Networks Inc. are teaming to help organizations safeguard their industrial control systems (ICS) and avoid potential revenue disruptions ahead of an imminent Microsoft Windows Distributed Component Object Model (DCOM) hardening patch enablement. In the absence of a proper mitigation strategy, the DCOM hardening patch could potentially shut down ICS equipment impacting plant production and operations.

Beginning March 14, 2023, the Microsoft hardening patch can no longer be disabled and will trigger a forced update which strengthens authentication between DCOM clients and servers. The patch is a core component of automation software products from companies such as Rockwell Automation, GE, Honeywell, Siemens, and others.

Velta Technology and TXOne Networks have partnered to provide a cost-effective and time-efficient interim solution that will maintain operations following the patch. Velta Technology’s industrial cybersecurity experts are utilizing TXOne Networks’ Stellar endpoint protection as a stopgap to the hardening patch, providing customers ample time to develop a more manageable, long-term solution.
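Before the March 14, 2023 enforcement date, the practical question for a plant is which OPC Classic clients and servers will stop talking. Microsoft's hardening change logs DistributedCOM events 10036 (a server refused an activation), 10037 and 10038 (a client explicitly requested, or defaulted to, an authentication level below PKT_INTEGRITY) in the Windows System log. The script below, an added example and not code from Velta Technology, TXOne Networks or Microsoft, triages an export of those events into the client/server pairs that need fixing; the export format ("eventid|message" per line) and all sample records are constructed.

```python
import re
from collections import defaultdict

# DistributedCOM event IDs that Microsoft's DCOM hardening change writes to the
# Windows System log (see Microsoft's guidance for the hardening change).
SERVER_DENIED = 10036    # server refused an activation: client auth level too low
CLIENT_EXPLICIT = 10037  # client explicitly asked for a level below PKT_INTEGRITY
CLIENT_DEFAULT = 10038   # client relied on a default level below PKT_INTEGRITY
PKT_INTEGRITY = 5        # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, the enforced minimum

# Constructed sample export ("eventid|message" per line); not real log data.
SAMPLE_EVENTS = """\
10036|The server-side authentication level policy does not allow the user PLANT\\opcsvc SID (S-1-5-21-1-1001) from address 10.10.5.21 to activate DCOM server.
10037|Application OpcClient.exe with PID 4120 is requesting to activate CLSID {00000000-0000-0000-0000-00000000aaaa} on computer HIST01 with explicitly set authentication level at 2.
10038|Application Historian.exe with PID 880 is requesting to activate CLSID {00000000-0000-0000-0000-00000000bbbb} on computer PLC-GW with default authentication level at 1.
10037|Application OpcClient.exe with PID 4120 is requesting to activate CLSID {00000000-0000-0000-0000-00000000aaaa} on computer HIST01 with explicitly set authentication level at 6.
"""

SERVER_RE = re.compile(r"user (\S+) SID \(\S+\) from address (\S+) to activate")
CLIENT_RE = re.compile(r"Application (\S+) with PID (\d+) .*? on computer (\S+) "
                       r"with .*?authentication level at (\d+)")

def parse_event(line):
    """Turn one exported line into a dict, or None if it is not a hardening event."""
    eid, _, msg = line.partition("|")
    if not eid.isdigit():
        return None
    eid = int(eid)
    if eid == SERVER_DENIED and (m := SERVER_RE.search(msg)):
        return {"id": eid, "side": "server", "user": m.group(1), "client": m.group(2)}
    if eid in (CLIENT_EXPLICIT, CLIENT_DEFAULT) and (m := CLIENT_RE.search(msg)):
        return {"id": eid, "side": "client", "app": m.group(1), "pid": int(m.group(2)),
                "server": m.group(3), "level": int(m.group(4))}
    return None

def triage(text):
    """Return (apps_that_break, denied_clients): client apps mapped to the DCOM
    servers they activate below PKT_INTEGRITY (these calls fail once enforced),
    and (user, address) pairs a server has already refused."""
    breaks = defaultdict(set)
    denied = set()
    for ev in filter(None, map(parse_event, text.splitlines())):
        if ev["side"] == "client" and ev["level"] < PKT_INTEGRITY:
            breaks[ev["app"]].add(ev["server"])
        elif ev["side"] == "server":
            denied.add((ev["user"], ev["client"]))
    return dict(breaks), denied
```

A 10036 entry only names the remote user and address, so the client-side events on that remote host are what identify the application that needs its authentication level raised.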
