Cyber Risk Exposure Management Platform

Last week Tenable Chief Product Officer Nico Popp briefed me on a new approach to cybersecurity Tenable released today, October 4, 2022. 

Three main ideas

  • Exposure – Be proactive. The attack surface, and with it an organization’s exposure to attack, has grown; the key is to provide visibility into that exposure.
  • Management – Security suppliers deliver a lot of tooling; the key is how to operationalize it.
  • Platform – Contextualize exposure across all of that data in one place.

New capabilities in Tenable One:

  • Lumin Exposure View – Provides clear insight into an organization’s security exposure and allows security teams to answer critical questions such as: “how secure are we?” and “where do we stand in our preventative and mitigation efforts?”
  • Attack path analysis (APA) – Provides insight into the attacker’s mindset by monitoring gaps across endpoints, identity privileges and cloud deployments to proactively visualize attack paths
  • Asset inventory – Provides a centralized view of all assets, including IT, cloud, Active Directory and Web applications

Tenable is launching Tenable One, an exposure management platform that breaks down silos by bringing together internal data from Tenable’s tools and external exposure data from other sources, to provide one unified view into an organization’s assets and vulnerabilities across the attack surface. With Tenable One, Tenable has become a cloud and analytics-led platform-first company.

What is exposure management? This new category moves away from offering a “choose your own adventure” menu of self-limiting and siloed tools. Often referred to as the opposite of XDR, exposure management lets security pros gain a complete picture of their exposure and better allocate time and resources to genuinely reducing risk. 

New IT/OT Features Increase Visibility, Security and Control

Cybersecurity news continues to lead inputs to my inbox. Tenable has much news coming. This one has been waiting for a while for me to clear a lot of other news. This is an update to Tenable.ot to v3.14.

Four new capabilities in Tenable.ot

1. Deeper coverage of segmented assets — Active Sensors query devices that are otherwise invisible to passive scanners, even when they sit in a separate, isolated or non-routable network. 

2. New sensor management capabilities — Better control and context for making sound security decisions; sensors can even be deployed on virtual machines and managed through a single interface.

3. Consolidated global dashboard reporting — Enhanced global dashboard reporting helps security teams quickly gather telemetry from across the OT environment. User-configurable widgets make it easy to group assets by type, events, policies and risk scores. Security teams can efficiently identify high-risk assets and communicate risk effectively so executives can make informed decisions on business initiatives.

4. In-product signature and detection feed — The signature and detection feed assures you’re running the latest plugins. 

Rust Foundation Establishes Security Team

Do you program in Rust? Me neither. I had barely heard of it. I received this news. Valuable if you use Rust. Interesting for any other language to think about security within a language.

The Rust Foundation, the nonprofit organization dedicated to supporting and sustaining the Rust programming language, announced Sept. 13, 2022 it is establishing a dedicated security team. The team is being underwritten with generous support from the OpenSSF’s Alpha-Omega Initiative, which partners with open source software projects and maintainers to improve the global software supply chain security, and Rust Foundation’s newest Platinum member JFrog. 

These investments from Alpha-Omega and JFrog include dedicated staff resources that will enable the Rust Foundation to create and implement security best practices. The first initiative for the new Security Team will be to undertake a security audit and threat modeling exercises to identify how security can be economically maintained going forward. The team will also help advocate for security practices across the Rust landscape, including Cargo and Crates.io, and will be a resource for the maintainer community.

JFrog just last week announced it is joining the Rust Foundation at the Platinum level. As part of the company’s investment in the Rust Foundation and ecosystem, JFrog has committed members of its Security Research team to work on the Rust Foundation Security Team. JFrog joins AWS, Google, Huawei, Meta, Microsoft, and Mozilla at the Platinum level. 

Introducing Velta Technology–Cyber Risk Management

Craig Duckworth, President and Co-Founder of Velta Technology, spoke with me shortly before I left for two conferences. I’m catching up, slowly. You may not have heard of Velta Technology. It’s just four years old. They are trying to find a niche within the cybersecurity market without being just another packet sniffing or intrusion detection company.

The company doesn’t sell just one product family. It relies on working with partners such as Claroty and Cisco to bring solutions to customers. It comprises multi-disciplinary industrial manufacturing and critical infrastructure experts. “We understand the differences between industrial and IT infrastructures, as well as the toolsets required to secure them.” In this regard, they are one of the companies attempting to bring IT and OT to the same table.

“Our experience and partnerships with the world’s leading solution providers in the industrial space allow us to integrate cybersecurity solutions with existing technologies. We bridge the gap in expertise and understanding from industrial assets on the plant floor across to the enterprise.”

Much of our conversation focused on risk. He talked about the role of the customer company’s board of directors as the key leadership element in focusing management on cybersecurity in order to mitigate the risk of cyber intrusions. Velta works with customers to implement solutions that retrieve data and organize risk. They recognize that many trusted IT tools simply are not effective, or even usable, in the operations environment.

Here’s a summary of the company’s offering:

  • Technology & Tools
  • End-to-End Protection
  • Industrial Hardened Platforms: Appliances, Enclosures, Networking
  • Continuous Monitoring: Ability to see real-time performance and threats
  • Secure Remote Access: With full audit tracking and controls
  • Industrial Endpoint Protection: The definitive protection in the industry
  • Connected Devices Vulnerability Index (CDV Index): Identify your supply chain risks

Solutions

  • Visibility & Digital Safety
  • Velta Technology Visibility Program: Real-time visibility into the assets in your industrial environment, behavior anomalies, security threats and vulnerabilities. More than simply a moment-in-time risk assessment.
  • Velta Technology Digital Safety Standards: A continuous-improvement methodology that supports protection of industrial assets. Covers everything from cybersecurity threats to process integrity issues that can cause environmental and human harm.

Services

  • Service and Support Options
  • Strategy & Advisory Support: Recommendations, designs and roadmaps to navigate safety maturity for industrial asset networks.
  • Deployment: From onsite Basic installation and configuration to Enhanced assistance for a full year.
  • Operationalize: Build programs for existing or new platforms to improve value and mitigation in your local environment.
  • Managed Services: Basic/Standard/Premier options to deliver the full platform and resources for your organization.


IoT Vulnerability Disclosures Grew 57 percent from 2H 2021 to 1H 2022

Security, risk, and vulnerability to digital hacks consume half of my bandwidth—or so it feels. Part of the security trend is that each supplier performs its own research and writes reports. Here is a report from Claroty’s Team82 revealing a rise in IoT vulnerabilities, vendor self-disclosures, and fully or partially remediated firmware vulnerabilities.

Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to new research released in August by Claroty, the cyber-physical systems protection company. The State of XIoT Security Report: 1H 2022 also found that over the same time period, vendor self-disclosures increased by 69%, becoming more prolific reporters than independent research outfits for the first time, and fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus software vulnerabilities. 

Compiled by Team82, the report is an examination and analysis of vulnerabilities impacting the Extended Internet of Things (XIoT), a vast network of cyber-physical systems including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities discovered by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.  

Key Findings 

IoT Devices: 15% of vulnerabilities were found in IoT devices, a significant increase from 9% in Team82’s last report covering the second half (2H) of 2021. Additionally, for the first time, the combination of IoT and IoMT vulnerabilities (18.2%) exceeded IT vulnerabilities (16.5%). This indicates that vendors and researchers increasingly recognize the need to secure these connected devices, since they can be a gateway to deeper network penetration.  

Vendor Self-Disclosures: For the first time, vendor self-disclosures (29%) have surpassed independent research outfits (19%) as the second most prolific vulnerability reporters, after third-party security companies (45%). The 214 vendor-disclosed CVEs almost double the 127 in Team82’s 2H 2021 report. This indicates that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programs and dedicating more resources to examining the security and safety of their products than ever before. 

Firmware: Published firmware vulnerabilities were nearly on par with software vulnerabilities (46% and 48% respectively), a huge jump from the 2H 2021 report when there was almost a 2:1 disparity between software (62%) and firmware (37%). The report also revealed a significant increase in fully or partially remediated firmware vulnerabilities (40% in 1H 2022, up from 21% in 2H 2021), which is notable given the relative challenges in patching firmware due to longer update cycles and infrequent maintenance windows. This indicates researchers’ growing interest in safeguarding devices at lower levels of the Purdue Model, which are more directly connected to the process itself and thus a more attractive target for attackers.  

Volume and Criticality: On average, XIoT vulnerabilities are being published and addressed at a rate of 125 per month, reaching a total of 747 in 1H 2022. Nearly two-thirds have CVSS scores rated critical (19%) or high (46%). 

Impacts: Nearly three-quarters (71%) have a high impact on system and device availability, the impact metric most applicable to XIoT devices. The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%. 

Mitigations: The top mitigation step is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%) and ransomware, phishing, and spam protection (15%).  

The primary authors of this report are Bar Ofner, security researcher at Claroty, and Chen Fradkin, data scientist. Contributors include: Rotem Mesika, threat and risk group lead, Nadav Erez, director of innovation, Sharon Brizinov, director of research, and Amir Preminger, vice president of research. Special thanks to the entirety of Team82 for providing exceptional support to various aspects of this report and research efforts that fueled it. 

Shields Up Against Cyber Attacks Due to War in Ukraine

At the start of the Ukraine conflict, CISA issued a “Shields Up” alert to all critical infrastructure in an effort to stave off potential cyber attacks from Russia. Six months later, the proverbial “shields” are still up, but is U.S. critical infrastructure more secure because of it?

I was wondering if I should have more security than I have being a manufacturing and industrial site. Indeed I saw a sharp peak of hits from Russia and Ukraine at the outset of the war. But it was only a blip. But what if I weren’t a media site but a critical infrastructure site?

Security information comes at me faster than to my friend Greg Hale, who specializes in the subject at Industrial Safety and Security Source. Recently I talked with Ron Fabela, CTO of critical infrastructure cybersecurity firm SynSaber. This company is working directly with operators across oil & gas, electric, water infrastructure and nuclear to maintain a “Shields Up” posture.

More than six months have passed since the initial flurry of war and increased cyber attacks in the US. I wondered what the state of “Shields Up” was these days. Have we kept up the urgency? Or have we learned to live with it?

Ron suggested that astute executives should have used the directives to get some much needed budget. He pointed out that one cannot sustain a high alert indefinitely. And that IT and security executives should not over hype the situation. Still, when attention is suddenly focused on a risk area, it makes sense to lay a plan and ask for budget to implement strategies. Plus, sometimes the government brings money with its directives, something that is always a big help.

Expanding on the topic, like its peers, SynSaber initiated a study to discover what reported Common Vulnerabilities and Exposures (CVEs) could tell us from the 681 CVEs reported via the Cybersecurity and Infrastructure Security Agency (CISA) ICS Advisories in the first half of 2022.

Breaking the reported CVEs into remediation categories (can it be fixed with a software patch, a firmware update, or something more complex requiring protocol or whole-system changes) and examining attack-vector requirements can give teams critical insight for assessing these and future CVEs as they are reported.

We hope that by analyzing and counting these vulnerabilities with new methods, this context can be used by all industrial security teams to better understand and remediate future vulnerabilities.

Key Findings

● For the CVEs reported in 2022, 13% have no patch or remediation currently available from the vendor (and 34% require a firmware update)

● While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 42% have been submitted by security vendors and independent researchers (remaining 2% were reported directly by an asset owner and a government CERT)

● 23% of the CVEs require local or physical access to the system in order to exploit

● Of the CVEs reported thus far in 2022, 41% can and should be prioritized and addressed first (with organization and vendor planning)
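Both reports above slice their advisories the same way: by CVSS severity and availability impact (Claroty) and by attack vector and remediation type (SynSaber). The script below, an added example that is not from this page, Claroty or SynSaber, shows how a team could apply the same cuts to its own advisory feed. It parses real CVSS v3.1 vector strings, but the advisory IDs and vectors are constructed, the remediation taxonomy (software/firmware/protocol/none) is a hypothetical one modelled on SynSaber's wording, and the "prioritize first" rule is my own heuristic, not either vendor's method.

```python
"""Added example: bucket ICS advisory CVEs the way the Claroty and SynSaber
reports above do (severity, availability impact, attack vector, remediation
type).  Illustrative code, not from the page or either vendor."""
from collections import Counter
from dataclasses import dataclass

# CVSS v3.1 qualitative severity scale (score floors, ascending).
SEVERITY_BANDS = ((0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical"))

# Hypothetical remediation taxonomy modelled on the SynSaber categories quoted
# above: software patch, firmware update, protocol/system change, or nothing
# available from the vendor.
REMEDIATIONS = {"software", "firmware", "protocol", "none"}


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # fictional identifier
    vector: str        # CVSS v3.1 vector string
    base_score: float  # CVSS v3.1 base score as published
    remediation: str   # one of REMEDIATIONS


def parse_cvss31(vector: str) -> dict[str, str]:
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}.

    Rejects non-v3.1 vectors and vectors missing any of the eight base
    metrics, so a typo in an advisory cannot silently be scored as 'remote'.
    """
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector {vector!r} missing base metrics {sorted(missing)}")
    return metrics


def severity(base_score: float) -> str:
    """Map a base score to the CVSS v3.1 qualitative rating."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"base score out of range: {base_score}")
    rating = "None"
    for floor, name in SEVERITY_BANDS:
        if base_score >= floor:
            rating = name
    return rating


def requires_local_access(metrics: dict[str, str]) -> bool:
    """AV:L (local) or AV:P (physical): attacker needs a foothold or hands on the device."""
    return metrics["AV"] in ("L", "P")


def prioritize_first(adv: Advisory) -> bool:
    """Hypothetical triage rule (mine, not SynSaber's): fix first what is
    reachable over a network (AV:N or AV:A), rated High or Critical, and has a
    vendor remediation.  The rest is mitigated (segmentation, access control)
    or scheduled with lower urgency."""
    metrics = parse_cvss31(adv.vector)
    return (
        not requires_local_access(metrics)
        and severity(adv.base_score) in ("High", "Critical")
        and adv.remediation != "none"
    )


def summarize(advisories: list[Advisory]) -> dict[str, object]:
    """Produce the kind of percentages the reports above quote."""
    n = len(advisories)
    if n == 0:
        raise ValueError("no advisories to summarize")

    def pct(count: int) -> float:
        return round(100.0 * count / n, 1)

    parsed = [parse_cvss31(a.vector) for a in advisories]
    rem = Counter(a.remediation for a in advisories)
    return {
        "total": n,
        "severity": dict(Counter(severity(a.base_score) for a in advisories)),
        "remediation": dict(rem),
        "pct_local_or_physical": pct(sum(requires_local_access(m) for m in parsed)),
        "pct_no_remediation": pct(rem["none"]),
        "pct_firmware_update": pct(rem["firmware"]),
        "pct_availability_high": pct(sum(m["A"] == "H" for m in parsed)),
        "pct_prioritize_first": pct(sum(prioritize_first(a) for a in advisories)),
    }


# Constructed sample set: fictional IDs and vectors, not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "software"),
    Advisory("EXAMPLE-0002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5, "firmware"),
    Advisory("EXAMPLE-0003", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.8, "software"),
    Advisory("EXAMPLE-0004", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 4.6, "none"),
    Advisory("EXAMPLE-0005", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "none"),
    Advisory("EXAMPLE-0006", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 6.5, "firmware"),
    Advisory("EXAMPLE-0007", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 8.1, "protocol"),
    Advisory("EXAMPLE-0008", "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", 5.5, "software"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

On the constructed set, three of the eight advisories need local or physical access, two have no vendor fix, and three meet the "fix first" rule; note that EXAMPLE-0005 is a 9.8 critical, remotely reachable bug that still does not make the first-fix list because nothing can be applied, which is exactly the case where the reports' top mitigation (network segmentation) matters. Swap in your own advisory feed by building `Advisory` records from the vendor's CVSS vector and published score.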
