CIP Security Updated to Support User Level Authentication

This release has been sitting in my Dropbox for a month or so. It’s still worth noting especially since security became news a couple of times in the past few weeks.

ODVA announces that user level authentication has been added to CIP Security, the cybersecurity network extension for EtherNet/IP. Previous publications of the specifications for CIP Security included key security properties including a broad trust domain across a group of devices, data confidentiality, device authentication, device identity, and device integrity. CIP Security now adds a narrow trust domain by user and role, an improved device identity including the user, and user authentication. 

As IT and OT converge in industrial automation, the ability for controls engineers, IT administrators, and maintenance operators to securely access and modify device parameters grows even more critical. Device level security is a building block requirement of IIoT to protect critical assets and people from potential physical and increasingly likely financial harm. To meet this requirement, the robust CIP Security User Authentication Profile will provide user level authentication with a fixed user access policy based on well-defined roles and basic authorization via both local and central user authentication. CIP Security’s ability to authenticate via the device or through a central server allows for simplicity in smaller, simple systems and efficiency in large, complicated installations.

CIP Security already included robust, proven, and open security technologies including TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security); cryptographic protocols used to provide secure transport of EtherNet/IP traffic, hashes or HMAC (keyed-Hash Message Authentication Code) as a cryptographic method of providing data integrity and message authentication to EtherNet/IP traffic; and encryption as a means of encoding messages or information in such a way as to prevent reading or viewing of EtherNet/IP data by unauthorized parties. The new CIP™ User Authentication Profile provides user-level authentication for CIP communication at the application layer. In the future, CIP Security may make use of a CIP authorization profile that will enhance CIP to provide additional security properties such as general, flexible authorization where access policy can be based on any attribute of the user and/or system and potentially extending CIP Security to support other non-EtherNet/IP networks.

The new User Authentication Profile makes use of several open, common, ubiquitous technologies, including OAuth 2.0 and OpenID Connect for cryptographically protected token-based user authentication, JSON Web Tokens (JWT) as proof of authentication, usernames and passwords, and already existing X.509 certificates to provide cryptographically secure identities to users and devices. It uses a cryptographically secure user authentication session ID, generated by the target on presentation of a valid JWT by the user, to map between an authentication event and the messages sent by a user for CIP communications. The user authentication session ID is transmitted over EtherNet/IP using (D)TLS and a confidentiality-enabled cipher suite per CIP Security’s EtherNet/IP confidentiality profile.
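The flow described above (the target validates the presented JWT, mints an unguessable session ID, and maps later messages back to the authenticated user and a fixed role-based policy), as an added illustration written for this post; it is not ODVA's specification text or any vendor's code. It assumes an HS256-signed JWT carrying `sub`, `role` and `exp` claims, a 600-second session lifetime, and hypothetical role and service names; none of these are CIP Security object, service or attribute definitions, and the (D)TLS tunnel that carries the session ID is assumed to already be in place.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed HS256 key shared by the token issuer and the target (demo only).
ISSUER_KEY = b"constructed-demo-key-not-for-production"
SESSION_TTL = 600  # seconds a session ID stays valid; an assumption, not a spec value
# Fixed role-based access policy. Service names are hypothetical, not CIP service codes.
POLICY = {
    "engineer": {"read_parameter", "write_parameter", "reset"},
    "maintenance": {"read_parameter", "reset"},
    "viewer": {"read_parameter"},
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Issuer side (constructed for the demo): build an HS256 JWT."""
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Check the JWT's algorithm, signature and expiry; return its claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # rejects 'none' and algorithm confusion
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

class Target:
    """Device side: binds a session ID to the authenticated user and role."""
    def __init__(self) -> None:
        self._sessions = {}  # session_id -> (user, role, expires_at)

    def open_session(self, token: str, now: float) -> bytes:
        """Validate the presented JWT and return a fresh, unguessable session ID."""
        claims = verify_jwt(token, ISSUER_KEY, now)
        if claims.get("role") not in POLICY:
            raise ValueError("unknown role")
        sid = secrets.token_bytes(16)  # carried only inside the (D)TLS tunnel
        self._sessions[sid] = (claims["sub"], claims["role"], now + SESSION_TTL)
        return sid

    def authorize(self, sid: bytes, service: str, now: float) -> bool:
        """Map a message's session ID back to its user and apply the fixed policy."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        _user, role, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # stale session: drop it so it cannot be reused
            return False
        return service in POLICY[role]
```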

“User authentication is another critical step in the development of CIP Security, a key network extension that is a part of the complete EtherNet/IP industrial communication ecosystem. CIP Security, as a part of a defense in depth approach, is designed as an effective deterrence to malicious cyber attackers who are looking for targets to disrupt plant operations,” stated Jack Visoky, EtherNet/IP System Architecture Special Interest Group (SIG) vice-chair. “With connected infrastructure and automation systems, CIP Security is more critical than ever before to protect valuable investments and production of essential products around the world from malicious cybersecurity attacks” said Dr. Al Beydoun, President and Executive Director of ODVA. “ODVA will continue to invest in the future development of CIP Security and EtherNet/IP to ensure that end users are protected from physical and financial harm perpetrated by bad actors.”

Through this update, CIP Security now offers even stronger device level security with a narrow trust domain by user and role, an improved device identity including the user, and fixed user authentication. ODVA continues to work to make sure that CIP Security stays on the cutting edge of device defense to best protect critical industrial automation assets to make sure that the promise of IIoT and Industry 4.0 can be fully achieved. Visit odva.org to obtain the latest version of The EtherNet/IP Specification including CIP Security.

Nymi Partners with ThinManager for End-User Authentication in Highly Regulated Plant Floor Environments

A few recent posts dealt with the “connected worker.” These are all workflow-oriented solutions. After talking with Chris Sullivan, CEO of Nymi, I learned about really connected workers. Previously I had seen Nymi partner with Quuppa for real-time location. Nymi has a raft of solutions. This partnership with Rockwell Automation through the ThinManager acquisition is a big deal for Rockwell Automation.

Nymi Inc. and ThinManager, a Rockwell Automation technology, have partnered to provide a full-feature, integrated, on-body solution that allows businesses to use ThinManager to deliver biometric-enabled touchless authentication with zero-trust security principles and access controls through the Nymi Band.

ThinManager offers numerous features that allow the modern factory to lower energy cost, implement sustainable technology, and increase operational efficiencies. They are a natural fit for Nymi and its workplace wearable wristband, designed to help businesses remain secure while improving productivity, compliance, and active worker health and safety. 

As the world’s only workplace wearable wristband that, once authenticated at login, continuously authenticates the user’s identity until it’s removed from the wrist, the Nymi Band gives ThinManager users a powerful, secure form of authentication used for specially configured access control, logins, and e-signatures with just a tap. Other Nymi Band applications include social distancing and contact tracing.

“We see our product working side by side with ThinManager to help companies be secure, safe, and efficient in their day-to-day operations,” said Andrew Foxcroft, Vice President of Nymi. “The enterprise-class, secure industrial wearable Nymi Band, combined with ThinManager’s knowledge of the modern factory, provides a solution to address pain points in Pharma and highly regulated manufacturing processes.”

“We are very excited to collaborate with Nymi to provide additional cutting-edge user authentication options for our customers,” stated Tom Jordan, Marketing Lead for ThinManager.

ABB and IBM to Bolster Cybersecurity for Industrial Operations

Another partnership in the news. I have visited IBM’s cybersecurity operations, and it has a powerful story to tell. This news should bolster ABB’s customers.

ABB process control systems can connect with IBM security platform for digital threat visibility.

ABB and IBM today announced a collaboration focused on connecting cybersecurity and operational technology (OT). As a first result of this collaboration, ABB has developed a new OT Security Event Monitoring Service that combines ABB’s process control system domain expertise with IBM’s security event monitoring portfolio to help improve security for industrial operators.

Industrial control system environments are increasingly targeted in cyber-attacks. In fact, IBM’s latest X-Force Threat Intelligence Index found that attacks on industrial and manufacturing facilities have increased by over 2,000% since 2018.

To better connect OT data with the broader IT security ecosystem, ABB has developed a new offering that allows security events from ABB to be sent to IBM’s security information and event management platform known as QRadar. 

The ABB solution was designed according to a reference architecture jointly developed by ABB and IBM. It provides the domain knowledge needed to swiftly react to security incidents related to process control and is especially suited for complex industrial processes in industries such as oil, gas, chemicals and mining. The new event collection and forwarding software which enables this integration is currently being used by early adopter customers and will be made broadly available by ABB in the coming months.

This collaboration marks the first time that OT data and process industry domain expertise is being brought directly into a Security Information and Event Management (SIEM) system, allowing threats to be managed as part of an organization’s broader cybersecurity operations and strategy.

“ABB’s collaboration with IBM makes it possible to analyze process control events in the context of security and impact to the operational environment, delivering strong improvement in our OT cyber threat visibility across the board,” said Robert Putman, Global Manager of Cyber Security Service for Industrial Automation at ABB.

Disruption of production due to a cyberattack or technical glitches can be costly in terms of lost production and damage to physical assets. Most mature operational monitoring is focused on the performance of the asset, whether it be a gas turbine for electricity, a drive system used to crush ore, or simple monitoring of pollution output from a chemical facility.

The new ABB offering allows ABB’s process control system data collection and forwarding technology to harvest event log detail from ABB process control systems, and share that information with IBM Security QRadar, which uses automation and artificial intelligence to help identify security anomalies and potential threats.

“We see the integration of these solutions as bringing market-leading capabilities together for a singular view of OT security,” said Dr. Andreas Kühmichel, CTO, Chemicals, Petroleum & Industrial Products, IBM. “With more comprehensive OT and IT security visibility, clients can help reduce the risk of production being suddenly interrupted due to a security event, resulting in costly downtime and broader risk to the company.”

The ABB and IBM technologies involved in this solution are designed on open platforms allowing them to operate on the edge and deploy easily across hybrid cloud environments spanning on-premise, private or public clouds. The joint solution is designed so that security processes operate via automation and do not disturb industrial workflows. The security analysis in QRadar operates through a use case library, which automatically flags incidents and triggers corresponding alarms.

The two companies plan continued collaboration in the realm of OT security, in order to develop new capabilities and offerings that address customer challenges in this space. 

Modular OT Cybersecurity Solution

It’s fascinating to watch PAS Global over the years build on its incumbent technology and expand into new areas of market need. A few years ago the company made a substantial investment in people and technology development to enter the cybersecurity market. By building upon its roots in process control and automation, I think it has better viability than security-only startups that seemingly are always heading for acquisition.

PAS Global announced Cyber Integrity now includes in-product expansion to support industrial organizations as they mature their operational technology (OT) cybersecurity capabilities. The cyber risk for critical infrastructure and process industries is greater than ever as digitalization projects and remote work requirements have expanded the attack surface. Industrial organizations are focusing more on addressing cyber risk but are at different stages of maturity. New modular licensing and deployment options in Cyber Integrity version 7.0 provide flexibility to address specific needs as sites advance their OT cybersecurity maturity:

• provides discovery and topology mapping of industrial control system environments down to Level 0 devices with unmatched depth and accuracy without passive network detection limitations and active network polling risks.

• includes inventory management and enables the identification of vulnerabilities hidden in industrial infrastructure, leveraging and enhancing regular feeds from the United States National Vulnerability Database (NVD).

• includes inventory and vulnerability & patch management as well as in-depth Level 3 to Level 0 OT asset configuration management with comprehensive cybersecurity configuration baselining, unauthorized configuration change detection, workflow-driven vulnerability remediation and incident response, risk analytics, compliance workflows and reporting, and backup and recovery support.

“PAS is introducing a breakthrough solution for industrial organizations to improve OT cybersecurity no matter their current state of maturity across sites,” said Eddie Habibi, CEO and Founder of PAS. “Whether a site is working to build their security foundation with an accurate and detailed OT asset inventory, ready for vulnerability assessment and patch management, or looking to establish a mature enterprise program, PAS Cyber Integrity has them covered. This modular capability is increasingly needed as digitalization and the accelerating shift to remote work caused by the COVID-19 pandemic expand the industrial cyber-attack surface.” 

“When evaluating cybersecurity technologies, we looked for a solution that could expand as our needs developed,” said Jamal Al-Balushi, Control & Automation Team Lead at Petroleum Development Oman. “Initially, our focus was to automate OT asset inventory, assess vulnerabilities, and prioritize our remediation efforts. This was part of a longer-term strategy to develop a mature enterprise OT cybersecurity program with back up & recovery and compliance reporting across sites. PAS Cyber Integrity meets our needs for today and will expand with us as we enhance our cybersecurity program in the future.”

As part of the announcement, PAS also unveiled a new OT Inventory Assessment Service. This service delivers an analysis of a site’s current OT inventory, identifies gaps with industry best practices, and documents the business value of having a more detailed inventory in place. The service is offered at no charge to qualified organizations.

“With seamless, in-product expansion, PAS is making it easy for industrial organizations to address their immediate OT cybersecurity needs and incrementally unlock new functionality as their sites and programs mature,” Habibi added. “Our assessment service helps OT teams understand the gaps which exist in their current asset inventory and strategies to close those gaps. The combination is a game changer for improving OT cybersecurity in critical infrastructure and process industries.”

Microsoft Acquires IoT/OT Security Leader CyberX

The news in brief: CyberX’s IoT/OT-aware behavioral analytics platform integrates with Azure security to deliver end-to-end security across managed and unmanaged IoT devices

Everyone has discussed Industrial Control Systems (ICS) cyber risks almost to the point of nausea for several years. Startups in the OT cybersecurity space began popping like dandelions in spring. For a couple of years their display spaces at the ARC Industry Forum paid for the room and then some.

While I like all these companies, I couldn’t see how any could make it long as a standalone company. Sure enough, CyberX has agreed to be acquired by Microsoft.

Here is the justification: As enterprises implement digital transformation and Industry 4.0 for greater efficiency and productivity, boards and management teams are increasingly concerned about the financial and liability risk resulting from the deployment of massive numbers of connected IoT and OT devices. Adversaries targeting this expanded attack surface can cause substantial corporate impact including safety and environmental incidents, costly production downtime, and theft of sensitive intellectual property.

By integrating the CyberX platform with the Azure IoT stack, Azure Security Center for IoT, and Azure Sentinel, the first SIEM with native IoT support, Microsoft will now provide a simpler approach to unified security governance across both IT and industrial networks, as well as end-to-end security across managed and unmanaged IoT devices, enabling organizations to quickly detect and respond to advanced threats in converged networks.

“CyberX’s technology and team are a great addition to Microsoft,” said Michal Braverman-Blumenstyk, Corporate Vice President, Cloud & AI Security CTO, and Israel R&D Center GM. “With CyberX’s expertise and innovative platform, together with Microsoft’s exciting security products, Microsoft is offering a powerful and scalable solution that accelerates digitalization for enterprises at all phases of their IoT/OT journey.”

Founded in 2013, CyberX achieved tremendous growth with the world’s largest enterprises adopting its IoT/OT security platform to secure their facilities worldwide. Leveraging patented, IoT/OT-aware behavioral analytics, CyberX’s agentless technology deploys in minutes to deliver deep visibility into IoT/OT risk — including asset discovery, vulnerability management, and continuous threat monitoring — with zero impact due to its passive Network Traffic Analysis (NTA) approach.

“Nir and I founded CyberX with the goal of delivering a scalable solution that would be easy to deploy and reduce risk for enterprises worldwide,” said Omer Schneider, co-founder and CEO of CyberX. “We’re thankful to our loyal customers and partners as well as to our dedicated employees whose innovation and hard work made it possible for us to reach this important milestone, and also to our investors for their ongoing support.”

“By joining forces with Microsoft, we will rapidly scale our business and technology to securely enable digital transformation for many more organizations,” said Nir Giller, co-founder, GM International, and CTO of CyberX. “Together, CyberX and Microsoft provide an unbeatable solution for gaining visibility and a holistic understanding of risk for all IoT and OT devices in your enterprise.”

CyberX’s founders will join Microsoft and the platform will continue to be enhanced and supported by CyberX personnel. In addition, Microsoft is committed to the channel and will continue working with CyberX’s strategic reseller and technology partners worldwide. The CyberX platform will continue to be available in a hybrid model supporting both cloud-connected and air-gapped networks.

From the Microsoft point of view: two years ago, Microsoft announced a $5 billion investment in IoT, and with this acquisition the company is eager to continue solving these challenges. Some specifics:

• With CyberX, customers can discover their existing IoT assets, and both manage and improve the security posture of those devices. For example, customers can, often for the first time, see a digital map of thousands of devices across a factory floor or within a building and gather information about their security state and connectivity.

• CyberX’s further integration with Microsoft’s broad portfolio will allow Microsoft to continue to deliver more value to customers. For example, in conjunction with Azure Sentinel, SecOps personnel will be able to identify threats that span OT and IT converged networks that were previously challenging to detect.

• Microsoft appreciates that some customers need help improving the security of their existing IoT environment and is excited that CyberX’s technology and team will be an incredible addition to the company’s commitment to both IoT security and innovation as customers work to digitally transform their businesses.

Don’t Look Now, Your Data Has Been Stolen

Tim Bandos, VP of Cybersecurity at Digital Guardian set aside some time to discuss his latest work, The DG Data Trends Report. Research for the report was performed during (and as a result of) the Covid-19 pandemic to study how much sensitive corporate data was “egressing” from the security of home base.

We talked last month, but I was in the midst of five or six virtual conferences and I’m only now beginning to catch up with the accumulated pile of other interviews and reports that come my way.

Digital Guardian has developed and implemented a technology that you can procure that includes an “agent” that gives visibility into data movements within and into and out of your corporate environment. It sounds pretty cool, actually.

To set the stage for the current crisis, Bandos points to the results of the 2007-2009 financial crisis:

[The crisis] led to 37 million unemployment claims. It also resulted in a slew of trade secret theft charges. In 2013, the Department of Justice said it charged more than 1,000 defendants with intellectual property theft between 2008 and 2012.

The DG report derives from real data from organizations spanning the globe and across multiple industry verticals. It is definitely not just a survey.

Following are a few tidbits from the report.

• Since the onset of Covid-19, DG saw a 123% increase in the volume of data moving to USB drives, and 74% of that data was classified according to the DLP practices. Much of this was employees taking work home, but much of that data can now no longer be controlled.

• With employees working from their homes, data egress via all means (email, cloud, USB, etc.) was 80% higher in the first month following the World Health Organization’s declaration. More than 50% of the observed data egress was classified data.

• Digital Guardian’s Managed Detection & Response customers noticed a 62% increase in malicious activity, a number that in turn has led to an increase in incident response investigations—64% more than before the declaration.

Five tips to protect data

1. Issue Data Governance Policy Reminders

2. Label Sensitive Information

3. Limit Access to Sensitive Data

4. Host a Remote Security Awareness Training Session

5. Consider Deploying Virtual Desktop Infrastructure or Desktop-as-a-Service