Cyber security round-up

Ponemon Institute, NIST, PAS, BSI, Software Engineering Institute, Rand, Red Hat, Leidos, W3C, Owl Computing, IBM, Atos, Siemens.

A Ponemon Institute study found that 68% of oil and gas companies had at least one security compromise in the past year. Only one-third of cyber managers rated their cyber readiness as ‘high.’

Recent cyber reports from NIST include Report 8151, on reducing software vulnerabilities; Special Publication 800-184 on recommendations for post-incident tactical recovery and strategic mitigation for the longer term; Draft Special Publication 800-190 on security in Docker-style application containers. More from NIST’s new Computer security resource center.

ICS cybersecurity solution provider PAS has released a new version of its Cyber Integrity software with a new ICS baseline functionality to monitor configuration changes.

BSI, the German federal office for information security, has completed an in-depth security analysis of OPC-UA. While the study concluded that OPC-UA ‘does not contain systematic security vulnerabilities,’ shortcomings were noted in the reference implementation in that a) protection against replay attacks is missing, b) memory leaks can be used for denial of service attacks and c) documentation on security functions in the communication stack is lacking.

The Software Engineering Institute has published the fifth edition of its ‘Common Sense Guide to Mitigating Insider Threats,’ a free, 175-page resource replete with recommendations.

Rand has published a 133-page free guide ‘The life and times of zero-day vulnerabilities and exploits,’ recommended reading in these times of WannaCry and Petya! The study is based on a dataset of over 200 vulnerabilities and provides recommendations as to what needs to be done when they are discovered.

Red Hat’s OpenSCAP 1.2 has been certified by NIST as a configuration and vulnerability scanner for Red Hat Enterprise Linux 6- and 7-based systems.

A short briefing paper from Leidos finds that corporate security is likely to get worse before it gets better. Over the past year, 2 billion records were compromised due to ‘lax security and a lack of enterprise commitment to protect customers.’ As IoT devices proliferate, 2017 ‘will be worse than 2016.’ US lawmakers need to ‘sharpen their knives.’

The World Wide Web Consortium (W3C) has published its Security disclosures best practices, a template for protecting users and applications from fraud, malware, and computer viruses.

Owl Computing’s OPDS-1000 ‘data diode’ has been selected by an unnamed multinational oil and gas exploration company to protect oil and gas exploration equipment in the field. Data from a PI historian, OPC, files, syslog messages and remote screens transited successfully through the one-way communications link.

IBM has announced ‘IBM X-Force Red,’ a team of experts that help clients ‘take a more programmatic approach to security testing.’ A cloud-based X-Force Red portal provides an end-to-end enterprise-class testing capability. IBM has also published its Threat Intelligence Index (registration required) describing 2017 as ‘the year of the breach!’

Atos has teamed with Siemens to help customers establish an integrated first line of defense against industrial cyber-attacks. Siemens has also signed a cyber security partnership with Darktrace to fast-track deployment of its AI-based ‘Industrial immune system’ cyber defense platform to the oil and gas industry.

© Oil IT Journal - all rights reserved.