ABB and IBM to Bolster Cybersecurity for Industrial Operations

Another partnership in the news. I have visited IBM’s cybersecurity operations, and it has a powerful story to tell. This news should bolster ABB’s customers.

ABB process control systems can connect with IBM security platform for digital threat visibility.

ABB and IBM today announced a collaboration focused on connecting cybersecurity and operational technology (OT). As a first result of this collaboration, ABB has developed a new OT Security Event Monitoring Service that combines ABB’s process control system domain expertise with IBM’s security event monitoring portfolio to help improve security for industrial operators.

Industrial control system environments are increasingly targeted in cyber-attacks. In fact, IBM’s latest X-Force Threat Intelligence Index found that attacks on industrial and manufacturing facilities have increased by over 2,000% since 2018.

To better connect OT data with the broader IT security ecosystem, ABB has developed a new offering that allows security events from ABB to be sent to IBM’s security information and event management platform known as QRadar. 

The ABB solution was designed according to a reference architecture jointly developed by ABB and IBM. It provides the domain knowledge needed to swiftly react to security incidents related to process control and is especially suited for complex industrial processes in industries such as oil, gas, chemicals and mining. The new event collection and forwarding software which enables this integration is currently being used by early adopter customers and will be made broadly available by ABB in the coming months.

This collaboration marks the first time that OT data and process industry domain expertise is being brought directly into a Security Information and Event Monitoring (SIEM) system, allowing threats to be managed as part of an organization’s broader cybersecurity operations and strategy. 

“ABB’s collaboration with IBM makes it possible to analyze process control events in the context of security and impact to the operational environment, delivering strong improvement in our OT cyber threat visibility across the board,” said Robert Putman, Global Manager of Cyber Security Service for Industrial Automation at ABB.

Disruption of production due to a cyberattack or technical glitches can be costly in terms of lost production and damage to physical assets. Most mature operational monitoring is focused on the performance of the asset, whether it be a gas turbine for electricity, a drive system used to crush ore, or simple monitoring of pollution output from a chemical facility.

The new ABB offering allows ABB’s process control system data collection and forwarding technology to harvest event log detail from ABB process control systems, and share that information with IBM Security QRadar, which uses automation and artificial intelligence to help identify security anomalies and potential threats.

“We see the integration of these solutions as bringing market-leading capabilities together for a singular view of OT security,” said Dr. Andreas Kühmichel, CTO, Chemicals, Petroleum & Industrial Products, IBM. “With more comprehensive OT and IT security visibility, clients can help reduce the risk of production being suddenly interrupted due to a security event, resulting in costly downtime and broader risk to the company.”

The ABB and IBM technologies involved in this solution are designed on open platforms allowing them to operate on the edge and deploy easily across hybrid cloud environments spanning on-premise, private or public clouds. The joint solution is designed so that security processes operate via automation and do not disturb industrial workflows. The security analysis in QRadar operates through a use case library, which automatically flags incidents and triggers corresponding alarms.

The two companies plan continued collaboration in the realm of OT security, in order to develop new capabilities and offerings that address customer challenges in this space. 

Modular OT Cybersecurity Solution

It’s fascinating to watch PAS Global over the years build on its incumbent technology and expand into new areas of market needs. A few years ago the company made a substantial investment in people and technology development entering the cybersecurity market. By building upon its roots in process control and automation, I think has better viability than security-only startups that seemingly are always heading for acquisition.

PAS Global announced Cyber Integrity now includes in-product expansion to support industrial organizations as they mature their operational technology (OT) cybersecurity capabilities. The cyber risk for critical infrastructure and process industries is greater than ever as digitalization projects and remote work requirements have expanded the attack surface. Industrial organizations are focusing more on addressing cyber risk but are at different stages of maturity. New modular licensing and deployment options in Cyber Integrity version 7.0 provide flexibility to address specific needs as sites advance their OT cybersecurity maturity:

  •  provides discovery and topology mapping of industrial control system environments down to Level 0 devices with unmatched depth and accuracy without passive network detection limitations and active network polling risks.
  •  includes inventory management and enables the identification of vulnerabilities hidden in industrial infrastructure, leveraging and enhancing regular feeds from the United States National Vulnerability Database (NVD).
  •  includes inventory and vulnerability & patch management as well as in-depth Level 3 to Level 0 OT asset configuration management with comprehensive cybersecurity configuration baselining, unauthorized configuration change detection, workflow-driven vulnerability remediation and incident response, risk analytics, compliance workflows and reporting, and backup and recovery support.

“PAS is introducing a breakthrough solution for industrial organizations to improve OT cybersecurity no matter their current state of maturity across sites,” said Eddie Habibi, CEO and Founder of PAS. “Whether a site is working to build their security foundation with an accurate and detailed OT asset inventory, ready for vulnerability assessment and patch management, or looking to establish a mature enterprise program, PAS Cyber Integrity has them covered. This modular capability is increasingly needed as digitalization and the accelerating shift to remote work caused by the COVID-19 pandemic expand the industrial cyber-attack surface.” 

“When evaluating cybersecurity technologies, we looked for a solution that could expand as our needs developed,” said Jamal Al-Balushi, Control & Automation Team Lead at Petroleum Development Oman. “Initially, our focus was to automate OT asset inventory, assess vulnerabilities, and prioritize our remediation efforts. This was part of a longer-term strategy to develop a mature enterprise OT cybersecurity program with back up & recovery and compliance reporting across sites. PAS Cyber Integrity meets our needs for today and will expand with us as we enhance our cybersecurity program in the future.”

As part of the announcement, PAS also unveiled a new OT Inventory Assessment Service. This service delivers an analysis of a site’s current OT inventory, identifies gaps with industry best practices, and documents the business value of having a more detailed inventory in place. The service is offered at no charge to qualified organizations.

“With seamless, in-product expansion, PAS is making it easy for industrial organizations to address their immediate OT cybersecurity needs and incrementally unlock new functionality as their sites and programs mature,” Habibi added. “Our assessment service helps OT teams understand the gaps which exist in their current asset inventory and strategies to close those gaps. The combination is a game changer for improving OT cybersecurity in critical infrastructure and process industries.”

Microsoft Acquires IoT/OT Security Leader CyberX

The news in brief: CyberX’s IoT/OT-aware behavioral analytics platform integrates with Azure security to deliver end-to-end security across managed and unmanaged IoT devices

Everyone has discussed Industrial Control Systems (ICS) cyber risks almost to the point of nausea for several years. Startups in the OT cybersecurity space began popping like dandelions in spring. For a couple of years their display spaces at the ARC Industry Forum paid for the room and then some.

While I like all these companies, I couldn’t see how any could make it long as a standalone company. Sure enough, CyberX has agreed to be acquired by Microsoft.

Here is the justification: As enterprises implement digital transformation and Industry 4.0 for greater efficiency and productivity, boards and management teams are increasingly concerned about the financial and liability risk resulting from the deployment of massive numbers of connected IoT and OT devices. Adversaries targeting this expanded attack surface can cause substantial corporate impact including safety and environmental incidents, costly production downtime, and theft of sensitive intellectual property.

By integrating the CyberX platform with the Azure IoT stack, Azure Security Center for IoT, and Azure Sentinel, the first SIEM with native IoT support, Microsoft will now provide a simpler approach to unified security governance across both IT and industrial networks, as well as end-to-end security across managed and unmanaged IoT devices, enabling organizations to quickly detect and respond to advanced threats in converged networks.

“CyberX’s technology and team are a great addition to Microsoft,” said Michal Braverman-Blumenstyk, Corporate Vice President, Cloud & AI Security CTO, and Israel R&D Center GM. “With CyberX’s expertise and innovative platform, together with Microsoft’s exciting security products, Microsoft is offering a powerful and scalable solution that accelerates digitalization for enterprises at all phases of their IoT/OT journey.”

Founded in 2013, CyberX achieved tremendous growth with the world’s largest enterprises adopting its IoT/OT security platform to secure their facilities worldwide. Leveraging patented, IoT/OT-aware behavioral analytics, CyberX’s agentless technology deploys in minutes to deliver deep visibility into IoT/OT risk — including asset discovery, vulnerability management, and continuous threat monitoring — with zero impact due to its passive Network Traffic Analysis (NTA) approach.

“Nir and I founded CyberX with the goal of delivering a scalable solution that would be easy to deploy and reduce risk for enterprises worldwide,” said Omer Schneider, co-founder and CEO of CyberX. “We’re thankful to our loyal customers and partners as well as to our dedicated employees whose innovation and hard work made it possible for us to reach this important milestone, and also to our investors for their ongoing support.”

“By joining forces with Microsoft, we will rapidly scale our business and technology to securely enable digital transformation for many more organizations,” said Nir Giller, co-founder, GM International, and CTO of CyberX. “Together, CyberX and Microsoft provide an unbeatable solution for gaining visibility and a holistic understanding of risk for all IoT and OT devices in your enterprise.”

CyberX’s founders will join Microsoft and the platform will continue to be enhanced and supported by CyberX personnel. In addition, Microsoft is committed to the channel and will continue working with CyberX’s strategic reseller and technology partners worldwide. The CyberX platform will continue to be available in a hybrid model supporting both cloud-connected and air-gapped networks.

From the Microsoft point of view—Two years ago, Microsoft announced a $5 billion investment in IoT and with this acquisition, the company is eager to continue solving these challenges. Some specifics:

• With CyberX, customers can discover their existing IoT assets, and both manage and improve the security posture of those devices. For example, customers can, often for the first time, see a digital map of thousands of devices across a factory floor or within a building and gather information about their security state and connectivity.

• CyberX’s further integration with Microsoft’s broad portfolio will allow Microsoft to continue to deliver more value to customers. For example, in conjunction with Azure Sentinel, SecOps personnel will be able to identify threats that span OT and IT converged networks that were previously challenging to detect.

• Microsoft appreciates that some customers need help improving the security of their existing IoT environment and is excited that CyberX’s technology and team will be an incredible addition to the company’s commitment to both IoT security and innovation as customers work to digitally transform their businesses.

Don’t Look Now, Your Data Has Been Stolen

Tim Bandos, VP of Cybersecurity at Digital Guardian set aside some time to discuss his latest work, The DG Data Trends Report. Research for the report was performed during (and as a result of) the Covid-19 pandemic to study how much sensitive corporate data was “egressing” from the security of home base.

We talked last month, but I was in the midst of five or six virtual conferences and I’m only now beginning to catch up with the accumulated pile of other interviews and reports that come my way.

Digital Guardian has developed and implemented a technology that you can procure that includes an “agent” that gives visibility into data movements within and into and out of your corporate environment. It sounds pretty cool, actually.

To set the stage for the current crisis, Bandos points to the results of the 2007-2009 financial crisis:

[The crisis] led to 37 million unemployment claims. It also resulted in a slew of trade secret theft charges. In 2013, the Department of Justice said it charged more than 1,000 defendants with intellectual property theft between 2008 and 2012.

The DG report derives from real data from organizations spanning the globe and across multiple industry verticals. It is definitely not just a survey.

Following are a few tidbits from the survey.

    Since the onset of Covid-19, DG saw a 123% increase in the volume of data moving to USB drives and 74% of that data was classified according to the DLP practices. Now, much of this was taking work home. But much also this data can now not be controlled.
    With employees working from their homes, data egress via all means (email, cloud, USB, etc.) was 80% higher in the first month following the World Health Organization’s declaration. More than 50% of the observed data egress was classified data.
    Digital Guardian’s managed Detection & Response customers noticed a 62% increase in malicious activity, a number that in turn has led to an increase in incident response investigations—64% more than before the declaration.

Five tips to protect data

1. Issue Data Governance Policy Reminders

2. Label Sensitive Information

3. Limit Access to Sensitive Data

4. Host a Remote Security Awareness Training Session

5. Consider Deploying Virtual Desktop Infrastructure or Desktop-as-a-Service.

A Different Take on Industrial Cybersecurity

Not too long ago, I received an email from noted cybersecurity guru Eric Byres who told me he was back in the industry after a brief hiatus as an advisor to Verve Industrial. The company didn’t register with me, and I went on to other things.

This week I received a message from an old PR contact who just picked up a new client–you guessed it, Verve Industrial. I agreed to an introductory call to find out more. I didn’t expect to be talking to anyone I knew, so the name didn’t register with me. Should have. I found myself talking with Rick Kaun this week. Now VP Solutions with Verve Industrial, turns out I knew him from previous stints with Matrikon and Honeywell.

The company began life as a SCADA and PLC integrator. The owner progressively noticed security situations and evolved a cybersecurity practice. Considering a way to grow, he took in funding and a new CEO (former McKinsey, but evidently not a bad guy–have to note that, I once worked for a couple of ex-McKinsey guys) and a new CTO. And a new VP Solutions.

The company takes a different strategy for its offering from others. Kaun notes the original solution was to white list devices on the network. To improve on that, many companies went to passive detection solutions.

Verve has an agent-based platform that allows for remote changes to the PLC or SCADA only with a trusted person at the console in the plant. It is compliant with OT topologies yet can talk the security talk with CISO types.

Not only for intrusion prevention, clients who use the system are currently getting 10x production.

I’m not a security expert. It’s just that cybersecurity is a crucial element of good IIoT design. So, here are some bullets to whet your appetite if you are looking for an interesting alternative to your current solution.

Verve Security Center

Benefits:

  • Faster & Lower Cost Deployment
  • Faster Time to Remediation
  • More Efficient Analysis, Reporting, and Audit with Integrated UI
  • Improved Approach to OT Business Risk Management
  • Lower Cost Security Management
  • NO Risk to OT Operations
  • Ability to Leverage Prior Tool Investment

Features:

  • Deeper & more comprehensive asset inventory
  • Faster time to remediation with closed loop vulnerability management
  • Better risk rating with view of vulnerabilities, process criticality plus all user accounts, risky software, network connections in a single risk score
  • Lower security management costs with scaled analysis and playbook development with local OT control over remediation – in same platform
  • Better detection with open-platform data ingestion from multiple OT and IT tool sets

Current solutions do not enable limited OT resources the rapid visibility and response to vulnerabilities and threats they need:

  • Traditional IT tools cannot protect IOT/OT embedded devices with proprietary firmware
  • IT vulnerability scanning tools can damage sensitive IOT/OT systems
  • Tools are siloed by function increasing necessary labor and specialized skills
  • Most OT-specific tools are passive detection only and offer limited remediation capabilities
  • Available solutions are expensive to deploy and manage

A fundamentally different approach to IT/OT security management:

  • Deploy across all IT/OT/IOT systems in minutes with no expensive hardware requirements
  • “Closed-loop” solution from assessment to remediation
  • Faster time to discovery and remediation
  • OT-safe agent/agentless solution for real time vulnerability assessment and end point management
  • Lower total cost of ownership
  • No silos: integrate NIST CSF and other compliance requirements in single platform

Cybersecurity Provides Yet Another Overlap for IT and OT or IioT

It was a typical request to set up an interview for a client, “For years, information technology (IT) and operational technology (OT) have operated as separate entities, but now we are beginning to see a shift within organizations.”

Actually, I have no interest for another “IT/OT Convergence” story. I think that Leader organizations have structured things to bring the groups together. Even the average firms have seen the light. As usual, there’s no hope for the laggards.

The reply bounced back to me. Seems that the take is less the now trite IT/OT Convergence theme and really how the groups are coming together due to risks inherent in some of the wide open IoT networks and devices for cybersecurity breaches.

Phil Neray, VP of IoT and Industrial Cybersecurity at CyberX, told me that board-level concern about risk levels due to cybersecurity breaches in their manufacturing operations have led to directives to the CISO to lead risk assessment and mitigation at the plant level as well as the enterprise level. This leads directly to working with plant operations people.

More data is flowing around manufacturing, but more devices coming online don’t support agents thereby increasing attack surface. This has raised awareness of increased risk including awareness at the board level. Not to mention there have been some some significant cyber attacks including the Norse Hydro ransom ware attack that cost perhaps up to $41 million. Merck was hit with a ransom ware attack. And then there was the Triton attack on safety controllers.

These incidents have alerted boards to huge risk potential leading to directing the CISO to avert such future attacks.

As for specific informatin from CyberX, Neray says it has the only patent on behavior anomaly detection. This allows its system to detect faster, more accurately than peers in industrial security.

CyberX continuously monitors the network looking for something suspicious or unauthorized. But plant people are often suspicious of IT solutions believing IT does not understand the critical nature of not shutting down processes for a reboot. This is where leadership must step up. Neray notes this must be both top-down and bottom-up. The Board and top management must say, “We want you to prioritize security.” The security team must also spend time in the plant explaining the what and why of the system. Building trust only results from face time.

Sometimes a detection points to an equipment issue as well as malware. One example was a plant with new PLCs shutting down intermittently. They called IT. “Did you do something to the network to cause this?” IT looked at the CyberX console and ran the reports of alerts. They noticed that when the PLCs were installed the network was not configured correctly causing the network to be pinged too often. Fix that and the problem was solved. The cybersecurity system can even become a plant controls troubleshooting aid.

Neray pointed to a report published in late 2019 called the Global 2020 IoT/ICS Risk Report. This was an analysis of real-world vulnerabilities garnered from studies of real networks. The study pointed out these problems:

BROKEN WINDOWS: OUTDATED OPERATING SYSTEMS

62% of sites have outdated and unsupported Microsoft Windows boxes such as Windows XP and Windows 2000. Unsupported Windows boxes no longer receive regular security patches from Microsoft. The figure jumps to 71% if we include Windows 7, which reaches end-of-support status in January 2020.

HIDING IN PLAIN SIGHT: UNENCRYPTED PASSWORDS

64% of sites have unencrypted (cleartext) passwords traversing their networks.The reason cleartext is dangerous is because it makes gaining access to restricted systems easy — since these passwords are transmitted “in the clear” and can easily be sniffed. Legacy devices that don’t support modern protocols such as SNMP v3 or SFTP are usually the culprits for leaving passwords in cleartext.

EXCESSIVE ACCESS: REMOTELY ACCESSIBLE DEVICES

54% of sites have devices that can be remotely accessed using standard protocols such as RDP, SSH, and VN. One of the primary attack vectors for ransomware is remote access protocols, which enable attackers to move laterally and expand their presence throughout networks.

CLEAR AND PRESENT DANGER: INDICATORS OF THREATS

22% of sites exhibited indicators of threats. CyberX’s network traffic analysis flags suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices, and known malware such as LockerGoga and EternalBlue.

NOT MINDING THE GAP: DIRECT INTERNET CONNECTIONS

27% of sites analyzed have direct connections to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.

STALE SIGNATURES: NO AUTOMATIC AV UPDATES

66% of sites are not automatically updating their Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX still finds older malware such as WannaCry and Conficker in IoT/ICS networks.