It almost sounds like a ’50s SciFi movie.
For a couple of months into the Covid pandemic, my inbox collected a steady stream of press releases about what this or that company was doing to either fight the coronavirus or prepare workplaces and workforces for the return to the office. That mighty river has turned into a stream at the end of summer.
The CTO of a Siemens company on NPR’s Tech Nation with Moira Gunn (good podcast, by the way) and I have interviewed Siemens about its combining of technologies to provide for safer workplaces in light of infectious viruses.
Then I received this note from Marty Edwards, VP of OT Security, Tenable, whom I’ve known for years as a reputable security specialist. “Prediction: Workers who return to the office may well bring new vulnerabilities with them.”
“While many critical infrastructure workers who operate, manage and secure the OT that underpins our economy can’t bring their work home, some of their colleagues certainly can. It’s likely that functions such as sales, marketing, HR, finance and legal of many essential services –food and beverage, manufacturing and pharmaceutical companies — have shifted to a remote-work model. When stay-at-home orders are eventually lifted, many of these folks will return to their offices with equipment that will be re-connected to corporate networks. With this comes the added risk of new vulnerabilities and threats being introduced to either the IT or OT side of mission- and safety-critical operations. During this transition, it’s imperative security teams have visibility into where the organization is exposed and to what extent, enabling them to effectively manage risk on a day-to-day basis. Put simply, the security challenges aren’t gone once everyone is back in the office.”
I have not worked in an office for years, unless you call a coffee house an office. But, many people will be returning to offices in the next few months. They will expect safe workspaces. As will all the factory workers (think about the morons running meat processing plants).
It took a while for cybersecurity to catch up with the sudden working-from-home IT challenge. Now, we’ll have millions returning to the corporate intranet bringing who knows what (computer) viruses with them. Another type of security to deal with.
One way or another, engineers will be busy dealing with this crisis for many months. Probably along with all their other work.
The news in brief: CyberX’s IoT/OT-aware behavioral analytics platform integrates with Azure security to deliver end-to-end security across managed and unmanaged IoT devices
Everyone has discussed Industrial Control Systems (ICS) cyber risks almost to the point of nausea for several years. Startups in the OT cybersecurity space began popping like dandelions in spring. For a couple of years their display spaces at the ARC Industry Forum paid for the room and then some.
While I like all these companies, I couldn’t see how any could make it long as a standalone company. Sure enough, CyberX has agreed to be acquired by Microsoft.
Here is the justification: As enterprises implement digital transformation and Industry 4.0 for greater efficiency and productivity, boards and management teams are increasingly concerned about the financial and liability risk resulting from the deployment of massive numbers of connected IoT and OT devices. Adversaries targeting this expanded attack surface can cause substantial corporate impact including safety and environmental incidents, costly production downtime, and theft of sensitive intellectual property.
By integrating the CyberX platform with the Azure IoT stack, Azure Security Center for IoT, and Azure Sentinel, the first SIEM with native IoT support, Microsoft will now provide a simpler approach to unified security governance across both IT and industrial networks, as well as end-to-end security across managed and unmanaged IoT devices, enabling organizations to quickly detect and respond to advanced threats in converged networks.
“CyberX’s technology and team are a great addition to Microsoft,” said Michal Braverman-Blumenstyk, Corporate Vice President, Cloud & AI Security CTO, and Israel R&D Center GM. “With CyberX’s expertise and innovative platform, together with Microsoft’s exciting security products, Microsoft is offering a powerful and scalable solution that accelerates digitalization for enterprises at all phases of their IoT/OT journey.”
Founded in 2013, CyberX achieved tremendous growth with the world’s largest enterprises adopting its IoT/OT security platform to secure their facilities worldwide. Leveraging patented, IoT/OT-aware behavioral analytics, CyberX’s agentless technology deploys in minutes to deliver deep visibility into IoT/OT risk — including asset discovery, vulnerability management, and continuous threat monitoring — with zero impact due to its passive Network Traffic Analysis (NTA) approach.
“Nir and I founded CyberX with the goal of delivering a scalable solution that would be easy to deploy and reduce risk for enterprises worldwide,” said Omer Schneider, co-founder and CEO of CyberX. “We’re thankful to our loyal customers and partners as well as to our dedicated employees whose innovation and hard work made it possible for us to reach this important milestone, and also to our investors for their ongoing support.”
“By joining forces with Microsoft, we will rapidly scale our business and technology to securely enable digital transformation for many more organizations,” said Nir Giller, co-founder, GM International, and CTO of CyberX. “Together, CyberX and Microsoft provide an unbeatable solution for gaining visibility and a holistic understanding of risk for all IoT and OT devices in your enterprise.”
CyberX’s founders will join Microsoft and the platform will continue to be enhanced and supported by CyberX personnel. In addition, Microsoft is committed to the channel and will continue working with CyberX’s strategic reseller and technology partners worldwide. The CyberX platform will continue to be available in a hybrid model supporting both cloud-connected and air-gapped networks.
From the Microsoft point of view—Two years ago, Microsoft announced a $5 billion investment in IoT and with this acquisition, the company is eager to continue solving these challenges. Some specifics:
• With CyberX, customers can discover their existing IoT assets, and both manage and improve the security posture of those devices. For example, customers can, often for the first time, see a digital map of thousands of devices across a factory floor or within a building and gather information about their security state and connectivity.
• CyberX’s further integration with Microsoft’s broad portfolio will allow Microsoft to continue to deliver more value to customers. For example, in conjunction with Azure Sentinel, SecOps personnel will be able to identify threats that span OT and IT converged networks that were previously challenging to detect.
• Microsoft appreciates that some customers need help improving the security of their existing IoT environment and is excited that CyberX’s technology and team will be an incredible addition to the company’s commitment to both IoT security and innovation as customers work to digitally transform their businesses.
Tim Bandos, VP of Cybersecurity at Digital Guardian set aside some time to discuss his latest work, The DG Data Trends Report. Research for the report was performed during (and as a result of) the Covid-19 pandemic to study how much sensitive corporate data was “egressing” from the security of home base.
We talked last month, but I was in the midst of five or six virtual conferences and I’m only now beginning to catch up with the accumulated pile of other interviews and reports that come my way.
Digital Guardian has developed and implemented a technology that you can procure that includes an “agent” that gives visibility into data movements within and into and out of your corporate environment. It sounds pretty cool, actually.
To set the stage for the current crisis, Bandos points to the results of the 2007-2009 financial crisis:
[The crisis] led to 37 million unemployment claims. It also resulted in a slew of trade secret theft charges. In 2013, the Department of Justice said it charged more than 1,000 defendants with intellectual property theft between 2008 and 2012.
The DG report derives from real data from organizations spanning the globe and across multiple industry verticals. It is definitely not just a survey.
Following are a few tidbits from the survey.
Since the onset of Covid-19, DG saw a 123% increase in the volume of data moving to USB drives and 74% of that data was classified according to the DLP practices. Now, much of this was taking work home. But much also this data can now not be controlled.
With employees working from their homes, data egress via all means (email, cloud, USB, etc.) was 80% higher in the first month following the World Health Organization’s declaration. More than 50% of the observed data egress was classified data.
Digital Guardian’s managed Detection & Response customers noticed a 62% increase in malicious activity, a number that in turn has led to an increase in incident response investigations—64% more than before the declaration.
Five tips to protect data
1. Issue Data Governance Policy Reminders
2. Label Sensitive Information
3. Limit Access to Sensitive Data
4. Host a Remote Security Awareness Training Session
5. Consider Deploying Virtual Desktop Infrastructure or Desktop-as-a-Service.
I have known Eddie Habibi, founder and CEO of PAS (now PAS Global) for about 20 years. So I’ve followed the development of his company for that long. There was alarm management, and process safety, and process asset management. And the company grew at a typical pace for the market.
Then he went all-in on process control system cybersecurity. He accepted some investment money, hired some pros in the field, and combined security with what the company was already known for.
The results are in the latest press release from PAS Global LLC where it announced a 45% increase in term revenue year-over-year and increased market recognition of its solutions.
In March 2019, the company introduced an expanded Cyber Integrity offering with risk analytics for continuous operational technology (OT) endpoint security. Following this milestone, the company marked record growth in the adoption of this solution across multiple geographies and verticals including the United States, Europe, and the Middle East with leading organizations in the chemicals and oil & gas industries, in particular.
A Fortune 50 independent petroleum refiner was challenged with increasing cybersecurity risks as they deployed connected technology to achieve faster and more efficient production operations. PAS Cyber Integrity was deployed as the foundation for the refiner’s OT cybersecurity program to create an automated, comprehensive, evergreen OT asset inventory and to more quickly identify and remediate security vulnerabilities. What used to take the company months to assess “critical” or “high” ICS-CERT vulnerabilities can now be done in minutes across all refineries.
A global, integrated oil & gas company operating across five continents is pursuing digital transformation to grow its business, enter new markets, and compete more effectively. Underpinning this initiative is a cloud-based analytics platform. The team chartered with this program sought to leverage their multi-vendor industrial control system (ICS) data and ensure reliable data flows from field-level devices to their data lake. They sought a platform-independent solution that could not only deliver this data, but also provide a topological view of assets and site connections, monitor configuration baselines, and manage change. Additionally, the company’s cybersecurity team sought a solution that could provide comprehensive OT asset inventory and rapid vulnerability assessment capabilities. PAS Automation Integrity and Cyber Integrity were selected to address these needs.
A major electronic materials firm with operations in North America and Asia sought to establish an enterprise-wide cybersecurity program on an aggressive schedule to eliminate gaps in visibility and security controls. Cyber Integrity was selected to automatically build a detailed OT asset inventory for each site, identify patch levels across systems, and implement change management workflows. The company now has the inventory and configuration visibility it needs to support digitalization efforts including data lake, 5G, and artificial intelligence initiatives.
“Industrial organizations are increasing investment in cybersecurity solutions specifically built for OT not only to reduce their overall cyber risk but to ensure they can accelerate their digital transformation efforts safely,” said Eddie Habibi, Founder and CEO of PAS. “We are pleased to be working with a growing list of global companies who are leveraging PAS Cyber Integrity to give them the foundation they need for managing industrial cyber risk.”
The company also saw significant year-over-year growth in purchases of its operations management and process safety solution, PlantState Suite.
“Of equal importance is the work we do to help companies improve process safety through effective operations management,” Habibi added. “We are pleased to have been recognized once again as the market leader for both alarm management and safety lifecycle management. This is a testament to the hard work of the PAS team over many years and the confidence our customers place in our solutions.”
PAS cybersecurity and process safety management solutions are installed in more than 70 countries in over 1,450 industrial facilities for over 535 customers, including 13 of the top 15 chemical companies, 13 of the top 15 refining companies, 7 of the top 20 power generation companies, 4 of the top 5 pulp and paper companies, and 3 of the top 5 mining companies in the world.
Internet of Things installations along with industrial control systems constitute well known cybersecurity vulnerabilities within industrial plants and operations. CyberX, the IoT and industrial control system (ICS) security company, announced the availability of its “2020 Global IoT/ICS Risk Report” designed to sharpen awareness and knowledge of this critical area.
The data illustrates that IoT/ICS networks and unmanaged devices are soft targets for adversaries, increasing the risk of costly downtime, catastrophic safety and environmental incidents, and theft of sensitive intellectual property.
Some of the top findings noted that these networks have outdated operating systems (71 percent of sites), use unencrypted passwords (64 percent) and lack automatic antivirus updates (66 percent).
Energy utilities and oil and gas firms, which are generally subject to stricter regulations, fared better than other sectors such as manufacturing, chemicals, pharmaceuticals, mining, transportation and building management systems (CCTV, HVAC, etc.).
Now in its third year, CyberX’s “Global IoT/ICS Risk Report” is based on analyzing real-world traffic from more than 1,800 production IoT/ICS networks across a range of sectors worldwide, making it a more accurate snapshot of the current state of IoT/ICS security than survey-based studies.
Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide using its patented M2M-aware behavioral analytics and non-invasive agentless monitoring technology.
Recommendations Focus on Prioritization and Compensating Controls
The report concludes with a practical seven step process for mitigating IoT/ICS cyber risk based on recommendations developed by NIST and Idaho National Labs (INL), a global authority on critical infrastructure and ICS security.
Experts agree that organizations can’t fully prevent determined attackers from compromising their networks. As a result, they recommend prioritizing vulnerability remediation for “crown jewel” assets — critical assets whose compromise would cause a major revenue or safety impact — while implementing compensating controls such as continuous monitoring and behavioral anomaly detection (BAD) to quickly spot intruders before they can cause real damage to operations.
“Our goal is to bring board-level awareness of the risk posed by easily-exploited vulnerabilities in IoT/ICS networks and unmanaged devices — along with practical recommendations about how to reduce it,” said Omer Schneider, CyberX CEO and co-founder.
“Today’s adversaries — ranging from nation-states to cybercriminals and hacktivists — are highly motivated and capable of compromising our most critical operational systems,” said Nir Giller, CyberX GM, CTO and co-founder. “It’s now incumbent on boards and management teams to recognize the risk and ensure appropriate security and governance processes are in place across all their facilities to address it.”
Summary of Key Findings
- Broken Windows: Outdated Operating Systems. 62 percent of sites have unsupported Microsoft Windows boxes such as Windows XP and Windows 2000 that no longer receive regular security patches from Microsoft, making them especially vulnerable to ransomware and destructive malware. The figure rises to 71 percent with Windows 7 included, which reaches end-of-support status in January 2020.
- Hiding in Plain Sight: Unencrypted Passwords. 64 percent of sites have unencrypted passwords traversing their networks, making it easy for adversaries to compromise additional systems simply by sniffing the network traffic.
- Excessive Access: Remotely Accessible Devices. 54 percent of sites have devices that can be remotely accessed using standard management protocols such as RDP, SSH and VNC, enabling attackers to pivot undetected from initial footholds to other critical assets. For example, during the TRITON attack on the safety systems in a petrochemical facility, the adversary leveraged RDP to pivot from the IT network to the OT network in order to deploy its targeted zero-day malware.
- Clear and Present Danger: Indicators of Threats. 22 percent of sites exhibited indicators of threats, including suspicious activity such as scan traffic, malicious DNS queries, abnormal HTTP headers, excessive number of connections between devices and malware such as LockerGoga and EternalBlue.
- Not Minding the Gap: Direct Internet Connections. 27 percent of sites analyzed have a direct connection to the internet. Security professionals and bad actors alike know that it takes only one internet-connected device to provide a gateway into IoT/ICS networks for malware and targeted attacks, enabling the subsequent compromise of many more systems across the enterprise.
- Stale Signatures: No Automatic Antivirus Updates: 66 percent of sites are not automatically updating Windows systems with the latest antivirus definitions. Antivirus is the very first layer of defense against known malware — and the lack of antivirus is one reason why CyberX routinely finds older malware such as WannaCry and Conficker in IoT/ICS networks.