Modular OT Cybersecurity Solution

It’s fascinating to watch PAS Global over the years build on its incumbent technology and expand into new areas of market needs. A few years ago the company made a substantial investment in people and technology development entering the cybersecurity market. By building upon its roots in process control and automation, I think it has better viability than security-only startups that seemingly are always heading for acquisition.

PAS Global announced Cyber Integrity now includes in-product expansion to support industrial organizations as they mature their operational technology (OT) cybersecurity capabilities. The cyber risk for critical infrastructure and process industries is greater than ever as digitalization projects and remote work requirements have expanded the attack surface. Industrial organizations are focusing more on addressing cyber risk but are at different stages of maturity. New modular licensing and deployment options in Cyber Integrity version 7.0 provide flexibility to address specific needs as sites advance their OT cybersecurity maturity:

  •  provides discovery and topology mapping of industrial control system environments down to Level 0 devices with unmatched depth and accuracy without passive network detection limitations and active network polling risks.
  •  includes inventory management and enables the identification of vulnerabilities hidden in industrial infrastructure, leveraging and enhancing regular feeds from the United States National Vulnerability Database (NVD).
  •  includes inventory and vulnerability & patch management as well as in-depth Level 3 to Level 0 OT asset configuration management with comprehensive cybersecurity configuration baselining, unauthorized configuration change detection, workflow-driven vulnerability remediation and incident response, risk analytics, compliance workflows and reporting, and backup and recovery support.

“PAS is introducing a breakthrough solution for industrial organizations to improve OT cybersecurity no matter their current state of maturity across sites,” said Eddie Habibi, CEO and Founder of PAS. “Whether a site is working to build their security foundation with an accurate and detailed OT asset inventory, ready for vulnerability assessment and patch management, or looking to establish a mature enterprise program, PAS Cyber Integrity has them covered. This modular capability is increasingly needed as digitalization and the accelerating shift to remote work caused by the COVID-19 pandemic expand the industrial cyber-attack surface.” 

“When evaluating cybersecurity technologies, we looked for a solution that could expand as our needs developed,” said Jamal Al-Balushi, Control & Automation Team Lead at Petroleum Development Oman. “Initially, our focus was to automate OT asset inventory, assess vulnerabilities, and prioritize our remediation efforts. This was part of a longer-term strategy to develop a mature enterprise OT cybersecurity program with back up & recovery and compliance reporting across sites. PAS Cyber Integrity meets our needs for today and will expand with us as we enhance our cybersecurity program in the future.”

As part of the announcement, PAS also unveiled a new OT Inventory Assessment Service. This service delivers an analysis of a site’s current OT inventory, identifies gaps with industry best practices, and documents the business value of having a more detailed inventory in place. The service is offered at no charge to qualified organizations.

“With seamless, in-product expansion, PAS is making it easy for industrial organizations to address their immediate OT cybersecurity needs and incrementally unlock new functionality as their sites and programs mature,” Habibi added. “Our assessment service helps OT teams understand the gaps which exist in their current asset inventory and strategies to close those gaps. The combination is a game changer for improving OT cybersecurity in critical infrastructure and process industries.”

Microsoft Acquires IoT/OT Security Leader CyberX

The news in brief: CyberX’s IoT/OT-aware behavioral analytics platform integrates with Azure security to deliver end-to-end security across managed and unmanaged IoT devices

Everyone has discussed Industrial Control Systems (ICS) cyber risks almost to the point of nausea for several years. Startups in the OT cybersecurity space began popping like dandelions in spring. For a couple of years their display spaces at the ARC Industry Forum paid for the room and then some.

While I like all these companies, I couldn’t see how any could make it long as a standalone company. Sure enough, CyberX has agreed to be acquired by Microsoft.

Here is the justification: As enterprises implement digital transformation and Industry 4.0 for greater efficiency and productivity, boards and management teams are increasingly concerned about the financial and liability risk resulting from the deployment of massive numbers of connected IoT and OT devices. Adversaries targeting this expanded attack surface can cause substantial corporate impact including safety and environmental incidents, costly production downtime, and theft of sensitive intellectual property.

By integrating the CyberX platform with the Azure IoT stack, Azure Security Center for IoT, and Azure Sentinel, the first SIEM with native IoT support, Microsoft will now provide a simpler approach to unified security governance across both IT and industrial networks, as well as end-to-end security across managed and unmanaged IoT devices, enabling organizations to quickly detect and respond to advanced threats in converged networks.

“CyberX’s technology and team are a great addition to Microsoft,” said Michal Braverman-Blumenstyk, Corporate Vice President, Cloud & AI Security CTO, and Israel R&D Center GM. “With CyberX’s expertise and innovative platform, together with Microsoft’s exciting security products, Microsoft is offering a powerful and scalable solution that accelerates digitalization for enterprises at all phases of their IoT/OT journey.”

Founded in 2013, CyberX achieved tremendous growth with the world’s largest enterprises adopting its IoT/OT security platform to secure their facilities worldwide. Leveraging patented, IoT/OT-aware behavioral analytics, CyberX’s agentless technology deploys in minutes to deliver deep visibility into IoT/OT risk — including asset discovery, vulnerability management, and continuous threat monitoring — with zero impact due to its passive Network Traffic Analysis (NTA) approach.

“Nir and I founded CyberX with the goal of delivering a scalable solution that would be easy to deploy and reduce risk for enterprises worldwide,” said Omer Schneider, co-founder and CEO of CyberX. “We’re thankful to our loyal customers and partners as well as to our dedicated employees whose innovation and hard work made it possible for us to reach this important milestone, and also to our investors for their ongoing support.”

“By joining forces with Microsoft, we will rapidly scale our business and technology to securely enable digital transformation for many more organizations,” said Nir Giller, co-founder, GM International, and CTO of CyberX. “Together, CyberX and Microsoft provide an unbeatable solution for gaining visibility and a holistic understanding of risk for all IoT and OT devices in your enterprise.”

CyberX’s founders will join Microsoft and the platform will continue to be enhanced and supported by CyberX personnel. In addition, Microsoft is committed to the channel and will continue working with CyberX’s strategic reseller and technology partners worldwide. The CyberX platform will continue to be available in a hybrid model supporting both cloud-connected and air-gapped networks.

From the Microsoft point of view—Two years ago, Microsoft announced a $5 billion investment in IoT and with this acquisition, the company is eager to continue solving these challenges. Some specifics:

• With CyberX, customers can discover their existing IoT assets, and both manage and improve the security posture of those devices. For example, customers can, often for the first time, see a digital map of thousands of devices across a factory floor or within a building and gather information about their security state and connectivity.

• CyberX’s further integration with Microsoft’s broad portfolio will allow Microsoft to continue to deliver more value to customers. For example, in conjunction with Azure Sentinel, SecOps personnel will be able to identify threats that span OT and IT converged networks that were previously challenging to detect.

• Microsoft appreciates that some customers need help improving the security of their existing IoT environment and is excited that CyberX’s technology and team will be an incredible addition to the company’s commitment to both IoT security and innovation as customers work to digitally transform their businesses.

Don’t Look Now, Your Data Has Been Stolen

Tim Bandos, VP of Cybersecurity at Digital Guardian, set aside some time to discuss his latest work, The DG Data Trends Report. Research for the report was performed during (and as a result of) the Covid-19 pandemic to study how much sensitive corporate data was “egressing” from the security of home base.

We talked last month, but I was in the midst of five or six virtual conferences and I’m only now beginning to catch up with the accumulated pile of other interviews and reports that come my way.

Digital Guardian has developed and implemented a technology that you can procure that includes an “agent” that gives visibility into data movements within and into and out of your corporate environment. It sounds pretty cool, actually.

To set the stage for the current crisis, Bandos points to the results of the 2007-2009 financial crisis:

[The crisis] led to 37 million unemployment claims. It also resulted in a slew of trade secret theft charges. In 2013, the Department of Justice said it charged more than 1,000 defendants with intellectual property theft between 2008 and 2012.

The DG report derives from real data from organizations spanning the globe and across multiple industry verticals. It is definitely not just a survey.

Following are a few tidbits from the survey.

  • Since the onset of Covid-19, DG saw a 123% increase in the volume of data moving to USB drives, and 74% of that data was classified according to the DLP practices. Much of this was people taking work home, but much of this data can now no longer be controlled.
  • With employees working from their homes, data egress via all means (email, cloud, USB, etc.) was 80% higher in the first month following the World Health Organization’s declaration. More than 50% of the observed data egress was classified data.
  • Digital Guardian’s Managed Detection & Response customers noticed a 62% increase in malicious activity, a number that in turn has led to an increase in incident response investigations: 64% more than before the declaration.

Five tips to protect data

1. Issue Data Governance Policy Reminders

2. Label Sensitive Information

3. Limit Access to Sensitive Data

4. Host a Remote Security Awareness Training Session

5. Consider Deploying Virtual Desktop Infrastructure or Desktop-as-a-Service.

A Different Take on Industrial Cybersecurity

Not too long ago, I received an email from noted cybersecurity guru Eric Byres who told me he was back in the industry after a brief hiatus as an advisor to Verve Industrial. The company didn’t register with me, and I went on to other things.

This week I received a message from an old PR contact who just picked up a new client–you guessed it, Verve Industrial. I agreed to an introductory call to find out more. I didn’t expect to be talking to anyone I knew, so the name didn’t register with me. Should have. I found myself talking with Rick Kaun this week. Now VP Solutions with Verve Industrial, turns out I knew him from previous stints with Matrikon and Honeywell.

The company began life as a SCADA and PLC integrator. The owner progressively noticed security situations and evolved a cybersecurity practice. Considering a way to grow, he took in funding and a new CEO (former McKinsey, but evidently not a bad guy–have to note that, I once worked for a couple of ex-McKinsey guys) and a new CTO. And a new VP Solutions.

The company takes a different strategy for its offering from others. Kaun notes the original solution was to white list devices on the network. To improve on that, many companies went to passive detection solutions.

Verve has an agent-based platform that allows for remote changes to the PLC or SCADA only with a trusted person at the console in the plant. It is compliant with OT topologies yet can talk the security talk with CISO types.

Not only for intrusion prevention, clients who use the system are currently getting 10x production.

I’m not a security expert. It’s just that cybersecurity is a crucial element of good IIoT design. So, here are some bullets to whet your appetite if you are looking for an interesting alternative to your current solution.

Verve Security Center

Benefits:

  • Faster & Lower Cost Deployment
  • Faster Time to Remediation
  • More Efficient Analysis, Reporting, and Audit with Integrated UI
  • Improved Approach to OT Business Risk Management
  • Lower Cost Security Management
  • NO Risk to OT Operations
  • Ability to Leverage Prior Tool Investment

Features:

  • Deeper & more comprehensive asset inventory
  • Faster time to remediation with closed loop vulnerability management
  • Better risk rating with view of vulnerabilities, process criticality plus all user accounts, risky software, network connections in a single risk score
  • Lower security management costs with scaled analysis and playbook development with local OT control over remediation – in same platform
  • Better detection with open-platform data ingestion from multiple OT and IT tool sets

Current solutions do not enable limited OT resources the rapid visibility and response to vulnerabilities and threats they need:

  • Traditional IT tools cannot protect IOT/OT embedded devices with proprietary firmware
  • IT vulnerability scanning tools can damage sensitive IOT/OT systems
  • Tools are siloed by function increasing necessary labor and specialized skills
  • Most OT-specific tools are passive detection only and offer limited remediation capabilities
  • Available solutions are expensive to deploy and manage

A fundamentally different approach to IT/OT security management:

  • Deploy across all IT/OT/IOT systems in minutes with no expensive hardware requirements
  • “Closed-loop” solution from assessment to remediation
  • Faster time to discovery and remediation
  • OT-safe agent/agentless solution for real time vulnerability assessment and end point management
  • Lower total cost of ownership
  • No silos: integrate NIST CSF and other compliance requirements in single platform

Cybersecurity Provides Yet Another Overlap for IT and OT or IIoT

It was a typical request to set up an interview for a client, “For years, information technology (IT) and operational technology (OT) have operated as separate entities, but now we are beginning to see a shift within organizations.”

Actually, I have no interest in another “IT/OT Convergence” story. I think that Leader organizations have structured things to bring the groups together. Even the average firms have seen the light. As usual, there’s no hope for the laggards.

The reply bounced back to me. Seems that the take is less the now trite IT/OT Convergence theme and really how the groups are coming together due to risks inherent in some of the wide open IoT networks and devices for cybersecurity breaches.

Phil Neray, VP of IoT and Industrial Cybersecurity at CyberX, told me that board-level concern about risk levels due to cybersecurity breaches in their manufacturing operations has led to directives to the CISO to lead risk assessment and mitigation at the plant level as well as the enterprise level. This leads directly to working with plant operations people.

More data is flowing around manufacturing, but more devices coming online don’t support agents, thereby increasing the attack surface. This has raised awareness of increased risk, including at the board level. Not to mention there have been some significant cyber attacks, including the Norsk Hydro ransomware attack that cost perhaps up to $41 million. Merck was hit with a ransomware attack. And then there was the Triton attack on safety controllers.

These incidents have alerted boards to huge risk potential leading to directing the CISO to avert such future attacks.

As for specific information from CyberX, Neray says it has the only patent on behavior anomaly detection. This allows its system to detect faster, more accurately than peers in industrial security.

CyberX continuously monitors the network looking for something suspicious or unauthorized. But plant people are often suspicious of IT solutions believing IT does not understand the critical nature of not shutting down processes for a reboot. This is where leadership must step up. Neray notes this must be both top-down and bottom-up. The Board and top management must say, “We want you to prioritize security.” The security team must also spend time in the plant explaining the what and why of the system. Building trust only results from face time.

Sometimes a detection points to an equipment issue as well as malware. One example was a plant with new PLCs shutting down intermittently. They called IT. “Did you do something to the network to cause this?” IT looked at the CyberX console and ran the reports of alerts. They noticed that when the PLCs were installed the network was not configured correctly causing the network to be pinged too often. Fix that and the problem was solved. The cybersecurity system can even become a plant controls troubleshooting aid.

Neray pointed to a report published in late 2019 called the Global 2020 IoT/ICS Risk Report. This was an analysis of real-world vulnerabilities garnered from studies of real networks. The study pointed out these problems:

BROKEN WINDOWS: OUTDATED OPERATING SYSTEMS

62% of sites have outdated and unsupported Microsoft Windows boxes such as Windows XP and Windows 2000. Unsupported Windows boxes no longer receive regular security patches from Microsoft. The figure jumps to 71% if we include Windows 7, which reaches end-of-support status in January 2020.

HIDING IN PLAIN SIGHT: UNENCRYPTED PASSWORDS

64% of sites have unencrypted (cleartext) passwords traversing their networks. Cleartext is dangerous because it makes gaining access to restricted systems easy — since these passwords are transmitted “in the clear” and can easily be sniffed. Legacy devices that don’t support modern protocols such as SNMP v3 or SFTP are usually the culprits for leaving passwords in cleartext.
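
One way a defender can find the legacy SNMP traffic described above, as an added example that is not from CyberX or its report: a minimal BER reader that classifies captured UDP payloads as SNMP v1/v2c (community string sent in the clear) or SNMPv3, reporting only the community string's length and never its value. The packet bytes, addresses and function names are constructed for illustration.

```python
# Added example: flag SNMP v1/v2c messages (cleartext community string) in
# captured UDP payloads. All sample bytes and addresses are constructed.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: low 7 bits = length-byte count
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def classify_snmp(payload):
    """Describe an SNMP message, or return None if the bytes are not SNMP-shaped."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:                   # outer SEQUENCE
            return None
        tag, ver, pos = read_tlv(body, 0)
        version = VERSIONS.get(int.from_bytes(ver, "big")) if tag == 0x02 and ver else None
        if version is None:
            return None
        tag, second, _ = read_tlv(body, pos)
        if version != "v3":
            if tag != 0x04:               # OCTET STRING: the community string
                return None
            # Report only the length so the secret is not copied into logs.
            return {"version": version, "cleartext_secret": True,
                    "community_len": len(second)}
        if tag != 0x30:                   # v3: msgGlobalData SEQUENCE
            return None
        _, _, p = read_tlv(second, 0)     # msgID
        _, _, p = read_tlv(second, p)     # msgMaxSize
        tag, flags, _ = read_tlv(second, p)
        if tag != 0x04 or len(flags) != 1:
            return None
    except ValueError:
        return None
    return {"version": "v3", "cleartext_secret": False,
            "auth": bool(flags[0] & 0x01), "priv": bool(flags[0] & 0x02)}

# Constructed v2c GetRequest for sysDescr.0 with a 6-byte community string.
V2C_GET = bytes.fromhex(
    "3026020101" "04067075626c6963"
    "a019020101020100020100300e300c06082b060102010101000500")
V1_GET = V2C_GET[:4] + b"\x00" + V2C_GET[5:]      # same message, version 0 (v1)
# Constructed, shortened v3 header: msgFlags 0x03 = authentication + privacy.
V3_MSG = bytes.fromhex("3016020103" "300d0201010202" "05dc040103020103" "04000400")

# (source, destination, UDP payload) as a capture tool might hand them over.
SAMPLE = [
    ("192.0.2.10", "192.0.2.50", V2C_GET),
    ("192.0.2.11", "192.0.2.50", V3_MSG),
    ("192.0.2.12", "192.0.2.50", V1_GET),
    ("192.0.2.13", "192.0.2.50", b"\x16\x03\x01"),   # not SNMP
]

def cleartext_snmp_sources(packets):
    """Return sorted source addresses that sent SNMP v1/v2c messages."""
    return sorted({src for src, _dst, payload in packets
                   if (classify_snmp(payload) or {}).get("cleartext_secret")})
```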

EXCESSIVE ACCESS: REMOTELY ACCESSIBLE DEVICES

54% of sites have devices that can be remotely accessed using standard protocols such as RDP, SSH, and VNC. One of the primary attack vectors for ransomware is remote access protocols, which enable attackers to move laterally and expand their presence throughout networks.

CLEAR AND PRESENT DANGER: INDICATORS OF THREATS

22% of sites exhibited indicators of threats. CyberX’s network traffic analysis flags suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices, and known malware such as LockerGoga and EternalBlue.

NOT MINDING THE GAP: DIRECT INTERNET CONNECTIONS

27% of sites analyzed have direct connections to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.

STALE SIGNATURES: NO AUTOMATIC AV UPDATES

66% of sites are not automatically updating their Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX still finds older malware such as WannaCry and Conficker in IoT/ICS networks.

Continual Market Development Pays Off For Process Control Supplier

I have known Eddie Habibi, founder and CEO of PAS (now PAS Global) for about 20 years. So I’ve followed the development of his company for that long. There was alarm management, and process safety, and process asset management. And the company grew at a typical pace for the market.

Then he went all-in on process control system cybersecurity. He accepted some investment money, hired some pros in the field, and combined security with what the company was already known for.

The results are in the latest press release from PAS Global LLC where it announced a 45% increase in term revenue year-over-year and increased market recognition of its solutions.

In March 2019, the company introduced an expanded Cyber Integrity offering with risk analytics for continuous operational technology (OT) endpoint security. Following this milestone, the company marked record growth in the adoption of this solution across multiple geographies and verticals including the United States, Europe, and the Middle East with leading organizations in the chemicals and oil & gas industries, in particular.

A Fortune 50 independent petroleum refiner was challenged with increasing cybersecurity risks as they deployed connected technology to achieve faster and more efficient production operations. PAS Cyber Integrity was deployed as the foundation for the refiner’s OT cybersecurity program to create an automated, comprehensive, evergreen OT asset inventory and to more quickly identify and remediate security vulnerabilities. What used to take the company months to assess “critical” or “high” ICS-CERT vulnerabilities can now be done in minutes across all refineries.

A global, integrated oil & gas company operating across five continents is pursuing digital transformation to grow its business, enter new markets, and compete more effectively. Underpinning this initiative is a cloud-based analytics platform. The team chartered with this program sought to leverage their multi-vendor industrial control system (ICS) data and ensure reliable data flows from field-level devices to their data lake. They sought a platform-independent solution that could not only deliver this data, but also provide a topological view of assets and site connections, monitor configuration baselines, and manage change. Additionally, the company’s cybersecurity team sought a solution that could provide comprehensive OT asset inventory and rapid vulnerability assessment capabilities. PAS Automation Integrity and Cyber Integrity were selected to address these needs.

A major electronic materials firm with operations in North America and Asia sought to establish an enterprise-wide cybersecurity program on an aggressive schedule to eliminate gaps in visibility and security controls. Cyber Integrity was selected to automatically build a detailed OT asset inventory for each site, identify patch levels across systems, and implement change management workflows. The company now has the inventory and configuration visibility it needs to support digitalization efforts including data lake, 5G, and artificial intelligence initiatives.

“Industrial organizations are increasing investment in cybersecurity solutions specifically built for OT not only to reduce their overall cyber risk but to ensure they can accelerate their digital transformation efforts safely,” said Eddie Habibi, Founder and CEO of PAS. “We are pleased to be working with a growing list of global companies who are leveraging PAS Cyber Integrity to give them the foundation they need for managing industrial cyber risk.”

The company also saw significant year-over-year growth in purchases of its operations management and process safety solution, PlantState Suite.

“Of equal importance is the work we do to help companies improve process safety through effective operations management,” Habibi added. “We are pleased to have been recognized once again as the market leader for both alarm management and safety lifecycle management. This is a testament to the hard work of the PAS team over many years and the confidence our customers place in our solutions.”

PAS cybersecurity and process safety management solutions are installed in more than 70 countries in over 1,450 industrial facilities for over 535 customers, including 13 of the top 15 chemical companies, 13 of the top 15 refining companies, 7 of the top 20 power generation companies, 4 of the top 5 pulp and paper companies, and 3 of the top 5 mining companies in the world.