Schneider Electric Foxboro and Triconex Innovation Days 2019

I’ve followed Foxboro and Triconex for many years now in my coverage of the process automation business. A great company that, not unlike too many others, suffered now and again with very poor management. The company has now settled in nicely at its home in Schneider Electric and appears to be healthy here.

Much credit must go to Gary Freburger. He provided a steadying hand as the leader before and through the transition, as well as guiding the integration into the new home. He is retiring at the end of the year. I’ve met a number of great leaders and a few stinkers in my 20 years at this side of the business. Gary’s one of the great ones. And his chosen successor (see more below) seems more than up for the task of building on his successes.

Marcotte Succeeds Freburger as Process Automation President

This week’s major announcement revealed that Nathalie Marcotte has been selected to succeed Freburger as president of its Process Automation business, effective Jan. 1, 2020.

“After a long, successful industry career, including more than 15 years serving Invensys and Schneider Electric in various senior leadership roles, Gary has decided to retire,” said Peter Herweck, executive vice president, Industrial Automation business, Schneider Electric. “We thank him for his many contributions and his strong legacy of success. We wish him well, and I congratulate Nathalie on her appointment. She brings more than 30 years of industry knowledge, expertise and experience, as well as a long record of success. I look forward to working with her as we build on the success Gary has delivered.”

Since joining the Schneider organization in 1996, Marcotte has held several positions of increasing responsibility, including vice president of Global Performance and Consulting Services; vice president, North America marketing; general manager for the Canadian business; and, prior to her current position, vice president, marketing, Global Systems business. As the company’s current senior vice president, Industrial Automation Services, she is responsible for Schneider Electric’s Services business and offer development, ranging from product support to advanced operations and digital services. She is also responsible for the company’s Global Cybersecurity Services & Solutions business, including the Product Security Office.

“As we move through this transition, it will be business as usual for Schneider Electric and our Process Automation customers,” Marcotte said. “Gary and I are working very closely together to ensure there will be no disruptions to our day-to-day operations. This ensures our customers have the same access to the exceptional people, products and technology they have come to trust and rely on to improve the real-time safety, reliability, efficiency and profitability of their operations.”

“I thank Gary for his many contributions to Schneider Electric and to our industry in general. Under his leadership, our customers, partners and employees have never been better situated to succeed, today and tomorrow,” Marcotte said. “This transition will have no impact on our technology strategy and portfolio roadmap. We remain committed to our continuously-current philosophy, which means never leaving our customers behind. Now, by leveraging the strength of the full Schneider Electric offer, we can take the next step toward enabling an easier, less costly digital transformation for our customers, while keeping them on the path to a safer, more secure and profitable future.”

Following the opening keynotes, I had the opportunity to chat privately with Freburger and Marcotte. The following summarizes a few key takeaways.

Digitalization and Digital Transformation.

These topics were prominently displayed in the ballroom before the keynotes. In fact the welcome and opening presentation were given by Mike Martinez, Director of Digital Transformation Consulting. These are common themes in the industry—in fact, not only process automation, but also at the IT conferences I cover. Each company has its own unique take on the terms, but it still boils down to data, data integrity, databases, and data security. All of which were discussed.

Key Points From the Presidents.

Integration across Schneider Electric. One priority has been working with other business units (and their technologies) across the Schneider Electric portfolio. This could be PLCs and drives, but power is a huge emphasis. Schneider Electric management wants very much for its process automation acquisition to integrate well with its historic electric power business. This is seen as a strategic opportunity. One thought-provoking observation—is the process engineer/electrical engineer divide as serious as the IT/OT divide? No direct answer. But these domains have historically had little to no collaboration. One to watch.

Close working relationship with AVEVA. If you recall, Schneider Electric bundled its various software acquisitions including the ones from Invensys (Wonderware, Avantis) and used them to buy into AVEVA—the engineering software company. Bringing automation and software together was a constant source of pain for Invensys. Schneider Electric dealt with it through a separate company. Along the way, cooperation seems to be better than ever. Marcotte explained to me that Foxboro combines its domain expertise with the more broadly general software platforms to achieve customer values. See for example my previous post on Plant Performance Advisors Suite.

Cybersecurity. Marcotte has been leading Schneider’s cybersecurity efforts. These are seen as a key part of Schneider Electric’s offer. See especially the establishment of the ISA Global Cybersecurity Alliance. They don’t talk as much about Internet of Things as at other conferences. When I probed more deeply about IT, cybersecurity was again brought up as the key IT/OT collaboration driver.

It’s been a struggle, but the Schneider Electric process automation business (Foxboro and Triconex) seems as strong as ever. And the people here—both internal and customers—are optimistic and energetic. That’s good to see.

Automotive Cybersecurity Threats–Broader Than You Think

If I would offer you an opportunity to spend $300 and make $50,000 right away with more to come and no additional expense, would you take it? What about downloading a cybersecurity hack for that much off the Dark Web and using it to steal a $50,000 car?

Such a possibility exists, Etay Maor, Chief Security Officer of IntSights, told me yesterday. His firm, a threat intelligence company focused on enabling enterprises to Defend Forward, released the firm’s new report, Under the Hood: Cybercriminals Exploit Automotive Industry’s Software Features. The report identifies the inherent cybersecurity risk and vulnerabilities manufacturers face as the industry matures through a radical transformation towards connectivity.

Car manufacturers offer more software features to consumers than ever before, and increasingly popular autonomous vehicles that require integrated software introduce security vulnerabilities. Widespread cloud connectivity and wireless technologies enhance vehicle functionality, safety, and reliability but expose cars to hacking exploits. In addition, the pressure to deliver products as fast as possible puts a big strain on the security capabilities of cars, manufacturing facilities, and automotive data.

The two main things that affect hackers’ motivation, regardless of their skills and knowledge, are the cost effectiveness of the attack and the value of the information.

Vehicles usually have more complicated attack surfaces to penetrate compared to other options, i.e. attacks against banks or retail shops. That said, the automotive industry still has numerous attack vectors, just as any other industry: phishing, credential leakages, leaked databases, open ports and services, insider threats, brand security, and more.

Dark Web Forums

In the research, IntSights discovered online shops that sell car hacking tools that appear on the clear web and are easy to find. These online shops sell services that disconnect automobile immobilizers, as well as services that sell code grabbers and forums that give bad actors a complete tutorial on how to steal vehicles.

“The automotive manufacturing industry is wrought with issues, stemming from legacy systems that can’t be patched to the proliferation of vehicle connectivity and software as consumers demand more integration with personal devices and remote access,” said Maor. “A lack of adequate security controls and knowledge of threat vectors enables attackers to take advantage of easily acquired tools on the dark web to reap financial gain. Automakers need to have a constant pulse on dark web chatter, points of known exposure, and data for sale to mitigate risk.”

Top Vehicle Attack Vectors:

  • Remote Keyless Systems
  • Tire Pressure Monitoring Systems
  • Software and Infotainment Applications
  • GPS Spoofing
  • Cellular Attacks

Other attack vectors explored include:

  • CAN-BUS
  • Attacking Can-BUS
  • Remote Attack Vectors
  • Car Applications
  • Physical Attack Vectors

IntSights has “the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire.” Its cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response.

Data Protection Best Practices White Paper

Standards are useful, sometimes even essential. Standard sizes of shipping containers enable optimum ship loading/unloading. Standard railroad gauges and cars enable standard shipping containers to move from ship to train, and eventually even to tractor/trailer rigs to get products to consumers. 

Designing and producing to standards can be challenging. Therefore the value of Best Practices.

Taking this to the realm of Industrial Internet of Things where data security, privacy and trustworthiness are essential, the Industrial Internet Consortium (IIC) has published the Data Protection Best Practices White Paper. I very much like these collaborative initiatives that help engineers solve real world problems.

Designed for stakeholders involved in cybersecurity, privacy and IIoT trustworthiness, the paper describes best practices that can be applied to protect various types of IIoT data and systems. The 33-page paper covers multiple adjacent and overlapping data protection domains, for example data security, data integrity, data privacy, and data residency.

I spoke with the lead authors and came away with a sense of the work involved. Following are some highlights.

Failure to apply appropriate data protection measures can lead to serious consequences for IIoT systems such as service disruptions that affect the bottom-line, serious industrial accidents and data leaks that can result in significant losses, heavy regulatory fines, loss of IP and negative impact on brand reputation.

“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, Executive Vice President, IGnPower and one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults and attacks.”

Categories of Data to be Protected

Data protection touches on all data and information in an organization. In a complex IIoT system, this includes operational data from things like sensors at a field site; system and configuration data like data exchanged with an IoT device; personal data that identifies individuals; and audit data that chronologically records system activities.

Different data protection mechanisms and approaches may be needed for data at rest (data stored at various times during its lifecycle), data in motion (data being shared or transmitted from one location to another), or data in use (data being processed).

Data Security

“Security is the cornerstone of data protection. Securing an IIoT infrastructure requires a rigorous in-depth security strategy that protects data in the cloud, over the internet, and on devices,” said Niheer Patel, Product Manager, Real-Time Innovations (RTI) and one of the paper’s authors. “It also requires a team approach from manufacturing, to development, to deployment and operation of both IoT devices and infrastructure. This white paper covers the best practices for various data security mechanisms, such as authenticated encryption, key management, root of trust, access control, and audit and monitoring.”

Data Integrity

“Data integrity is crucial in maintaining physical equipment protection, preventing safety incidents, and enabling operations data analysis. Data integrity can be violated intentionally by malicious actors or unintentionally due to corruption during communication or storage. Data integrity assurance is enforced via security mechanisms such as cryptographic controls for detection and prevention of integrity violations,” said Apurva Mohan, Industrial IoT Security Lead, Schlumberger and one of the paper’s authors.

Data integrity should be maintained for the entire lifecycle of the data from when it is generated, to its final destruction or archival. Actual data integrity protection mechanisms depend on the lifecycle phase of the data.

Data Privacy

As a prime example of data privacy requirements, the paper focuses on the EU General Data Protection Regulation (GDPR), which grants data subjects a wide range of rights over their personal data. The paper describes how IIoT solutions can leverage data security best practices in key management, authentication and access control to empower GDPR-centric privacy processes.

The Data Protection Best Practices White Paper complements the IoT Security Maturity Model Practitioner’s Guide and builds on the concepts of the Industrial Internet Reference Architecture and Industrial Internet Security Framework.

The Data Protection Best Practices White Paper and a list of IIC members who contributed to it can be found on the IIC website.

Cybersecurity Zero Day Threats and Executive Survey

Cybersecurity is in the news more often than violence or politics, it seems. Last week I received two important pieces of news—both reported below. The first details vulnerabilities found in VxWorks—the most widely used Real-Time Operating System forming the foundation for process control. The other news concerns a survey of executives that shows continued cyber attacks on industrial systems.

Zero Day Vulnerabilities

Enterprise IoT security company, Armis, announced the discovery of 11 zero-day vulnerabilities, 6 critical, that affect Wind River® VxWorks versions since version 6.5, that include the IPnet stack, collectively known as “URGENT/11.” Updated releases have been provided. URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition.

VxWorks, the leading real-time operating system (RTOS), is used in more than two billion devices across industrial, medical and enterprise environments such as mission-critical systems including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, satellite modems, VOIP phones and printers. If exploited, URGENT/11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.

“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”

URGENT/11 includes six Remote Code Execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.

“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”

VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting these specific VxWorks versions released in the last 13 years, from versions 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.

The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.

Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies’ knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.

Organizations deploying devices with VxWorks should patch impacted devices immediately. More information can be found in the Wind River Security Alert posted on the company’s Security Center.

Operational Downtime is the Most Common Impact of IoT-Focused Cyberattacks

As connectivity in the Industrial Internet of Things (IIoT) promises to transform the manufacturing and production industry, new research by Irdeto underlines the importance of cybersecurity, revealing that 79% of manufacturing and production organizations surveyed have experienced an IoT-focused cyberattack in the past year. This finding demonstrates the importance of cybersecurity as IoT devices proliferate across the critical infrastructure of these organizations, to ensure that the potential business benefits of IoT can be realized safely.

The Irdeto Global Connected Industries Cybersecurity Survey of 220 security decision makers in organizations in this sector (700 respondents in total) found that of the organizations that were hit by an attack, operational downtime (47%), compromised customer data (35%) and compromised end-user safety (33%) were the most common impacts. These findings clearly point to a direct bearing on revenue as well as health safety challenges presented by unsecured IoT devices.

The research also suggests that these organizations are aware of where the key cybersecurity vulnerabilities exist with their infrastructure, but do not necessarily have everything they need to address them. The most prominent vulnerabilities within manufacturing and production organizations were in mobile devices and apps (46%). This was followed by the IT network (41%) and the software used by the organization (40%) – which, if referring to the OT equipment software which runs on the factory floor, could be hugely problematic.

However, despite this awareness, 92% of respondents feel their organization does not have everything it needs to address cybersecurity challenges. 44% state that their organization needs to implement a more robust security strategy. This is followed by a need for additional expertise/skills within the organization to address all aspects of cybersecurity (42%) and a need for more effective cybersecurity tools (37%).

This is compounded by the finding that, in the manufacturing sector, a total of 91% of manufacturers and 96% of users of IoT devices state that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent. Failure to address these challenges could prove costly with the average financial impact as a result of an IoT-focused cyberattack in the manufacturing space identified as more than $280,000 USD, according to the survey.

“While the benefits of IoT may be in abundance in manufacturing and industrial environments, this connectivity also increases the attack surface and these findings demonstrate that there is an awareness of the cybersecurity challenges and impacts within the industry, but potentially a need to rethink strategies to mitigate the impact of potential cyberattacks,” said Mark Hearn, Director of IoT Security and Business Development, Irdeto. “Whatever the nature of the threat, industrial and manufacturing organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors, and work with trusted advisors to safely embrace connectivity in their manufacturing process.”

As organizations fight to keep pace with the cybersecurity challenges in the manufacturing sector, they do have several security measures in place, but have often not implemented enough layers into their security strategy. 21% of organizations surveyed do not currently have software protection technologies implemented, while 39% do not have mobile app protection implemented, despite identifying mobile devices and apps as the greatest source of vulnerabilities. In addition, only 50% make security part of the product design lifecycle process.

However, the majority of organizations that don’t already have these measures in place, state that they plan to implement them in the next year. In addition, 99% of the manufacturing organizations surveyed agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that attitudes towards IoT security are changing for the better.

“As the manufacturing industry embraces IoT technology it’s clear that there are many cybersecurity challenges that must be addressed, but the industry attitude towards cybersecurity is on the right track,” added Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto. “As the scope of connected manufacturing grows, the opportunities and the risks are magnified and it is imperative that organizations upskill and implement robust cybersecurity strategies to ensure they mitigate the threat and safely take advantage of the benefits that IoT can bring.”

Understanding Risk Exposure of IoT Devices

Cybersecurity as a concept or even as a term didn’t exist when I discussed the future of connected control systems devices with my customer, a senior control systems engineer for an automotive component manufacturer in the 1990s. He was aware of potential problems of connectedness when he told me, “I will never run a wire from a control system in this plant.”

Today? Everything is connected. Cybersecurity is a known, if sometimes devalued, challenge. How much do organizations understand the risk exposure of IoT devices? Deloitte and Dragos, Inc. share top risks to organizations in current IoT environment.

Key takeaways:

  • In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices. 
  • Security-by-design saves time: it takes longer to retroactively fix issues than it does to do it correctly the first time when building the product. 
  • Security-by-design reduces cost: it costs more to mitigate the risk of vulnerability exploitation than to implement security in the beginning.
  • According to a recent Deloitte poll, nearly half of respondents (48%) realized it is imperative, when developing or deploying secure-by-design connected products and/or devices, that both of these conditions exist:
      o DevSecOps embedded throughout the design/acquisition, implementation, and deployment lifecycle.
      o Cross-functional technology that includes teaming with legal, procurement and compliance across pre- and post-market deployments.

Why it matters?

The number of cyberattacks, data breaches and overall business disruption caused by unsecured IoT/IIoT devices are increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies. IoT and IIoT are a set of business and technology innovations that offer many compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize greater potential and benefits of these innovations.

Why is security-by-design important?

Deloitte and Dragos are teaming on a number of client initiatives to help organizations embed a security-by-design approach and to manage the risk of industrial control systems (ICS) and operational technology (OT) environments by enabling them to better monitor and assess threats. Organizations can benefit from a better understanding of threats in this environment, which can then be used to develop and embed cybersecurity strategies into organizational and technology strategy.

Security-by-design (for designing an IoT/IIoT product) is about incorporating cybersecurity practices by default into the product’s design as well as (for onboarding an acquired IoT/IIoT product) incorporating cybersecurity practices by default into the environment in which the IoT product is implemented.

Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.

The following top risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and Dragos in a recent Deloitte Dbriefs webcast, The Internet of Things and cybersecurity: A secure-by-design approach:

Top 10 security risks the current IoT environment poses

  1. Not having a security and privacy program
  2. Lack of ownership/governance to drive security and privacy
  3. Security not being incorporated into the design of products and ecosystems
  4. Insufficient security awareness and training for engineers and architects
  5. Lack of IoT/IIoT and product security and privacy resources
  6. Insufficient monitoring of devices and systems to detect security events
  7. Lack of post-market/ implementation security and privacy risk management
  8. Lack of visibility of products or not having a full product inventory
  9. Identifying and treating risks of fielded and legacy products
  10. Inexperienced/immature incident response processes

Key quotes
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”
– Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP

“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.”
– Robert M. Lee, CEO at Dragos Inc.

About the online poll

More than 4,200 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, “The Internet of Things and cybersecurity: A secure-by-design approach” held May 30, 2019. Answer rates differed by question.

A majority (81%) of respondents indicated that information security is accountable for the securing of connected products in their organization. The information security team is still primarily where boards look to drive their cyber agenda but as the 2019 Future of Cyber survey indicates, cyber is becoming everyone’s responsibility. It is critical to understand that if you are the plant manager you likely have the responsibility to the safety and liability of the operation. But the challenge is that everyone does have a role to play. Ultimately, the CEO is going to be held accountable.

Organizational confidence in security

How confident are respondents that their organizations’ connected products, devices, or other “things” are secure today? Not very. More than half of respondents (51%) were somewhat confident, while 23% were uncertain or somewhat not confident, with only 18% feeling very confident in their organizations’ ability to secure connected products and devices. This may be as a result of there being an overall lack of standardization across industries for security and awareness of cyber risks and connected devices.

Guidance for security-by-design

A positive revelation in the results was when 41% of respondents indicated that they look to industry and professional organizations for guidance in driving security-by-design within their organizations. Another 28% said that they look first to regulatory bodies and agencies that set the standards; and 22% indicated their leading practices were developed internally for providing that guidance in driving security-by-design.

According to Peasley and Lee, it is a favorable strategy for organizations to understand leading practices and standards of peer organizations first, and then look to the regulatory bodies that are starting to shape standards and regulations and help inform the standards and regulations that are to come.

These results conflict with another question regarding whether their product teams use a defined set of product cybersecurity requirements as input for requirements selection. Twenty-eight percent use an industry defined framework, and 41% indicated a custom framework, while 30% of respondents indicated “No” that they didn’t use a defined set of requirements. The results of this question indicate there is still much work to do across the industry to influence and inform on standards for cybersecurity.

Considerations for organizations

• Understand the current state of product security and develop a cyber strategy: Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected and develop a cyber strategy to drive improvement.

• Establish security-by-design practices: Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modeling and security testing.

• Set the tone from the top: Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.

• Have a dedicated team and provide them with ample resources: Don’t expect enterprise security teams to cover missions without adding new resources for them; build a dedicated team that has product-based experience and provide training as needed to increase knowledge.

• Leverage industry-available resources: Rather than developing and providing unique questionnaires to your device vendors, use publicly-available industry resources.

Worth noting

• “Secure IoT by design: Cybersecurity capabilities to look for when choosing an IoT platform”

• According to the recent Deloitte “2019 Future of Cyber” survey, there are notable gaps in organizations’ abilities to meet cybersecurity demands for the future. Results from the survey indicate that many cyber organizations are challenged by their ability to help better prioritize cyber risk across the enterprise (16%). To see additional results from the Future of Cyber survey, download a copy.

The Dragos ICS asset identification, threat detection, and response platform distills decades of real-world experience from an elite team of ICS cybersecurity experts across the U.S. intelligence community and private industrial companies. Dragos’ offerings also include threat hunting and incident response services, and Dragos WorldView for weekly threat intelligence reports. Dragos is headquartered in the Washington, DC area.

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500 and more than 5,000 private and middle market companies.
