Cyber security round-up

EY infosec survey finds oils ‘worried.’ NIST posts Federal register notice for energy sector. Schneider Electric teams with Cylance. Siemens signs with Tenable. Cymmetria OK’s its own ‘hack back’ technology. Leidos’ ‘risk cube.’ Waterfall on Meldown/Spectre risk to control systems.

The 2017/18 EY Global information security survey included some 40 participants from the oil and gas vertical. EY found that companies are making good progress in identifying and resolving vulnerabilities. Even so, they are ‘more worried than ever about the breadth and complexity of the threat landscape.’ To bolster defenses, EY advocates ‘cyber fusion,’ a multilayered response that is integrated into every facet of an organization’s operations.

The US NIST National cybersecurity center of excellence has posted a Federal Register notice for the energy sector asset management use case. Technology vendors are invited to participate in the project which is to combine commercially available and open source technologies to provide guidance on how energy companies may enhance operational technology and industrial controls system asset management.

Schneider Electric has partnered with antivirus specialist Cylance, a CMMI Level 5 certified solution provider, to harden cybersecurity across its industrial software portfolio. Cylance’s AI-powered endpoint protection blocks malware, file-less attacks and advanced persistent threats.

Siemens is to deploy industrial cybersecurity solutions from Secure-NOK across its Ruggedcom portfolio. The solution targets, inter alia, oil and gas installations and transportation. Siemens has also signed with Tenable to provide energy, utilities and oil and gas companies with a new solution for industrial asset discovery and vulnerability management. Tenable’s passive vulnerability detection solution for scada and control systems provides continuous visibility of operational risk.

Jonathan Braverman, legal counsel of Cymmetria, has performed an in-depth analysis of the US Computer Fraud & Abuse Act of 1986 in relation with Cymmetria’s new MazeHunter product. He finds that Mazehunter’s ‘Hack Back’ technology complies with US and international laws. The standalone incident response product complements Cymmetria’s MazeRunner flagship adding a threat hunting capability, enabling direct action against attackers, ‘taking the fight to the enemy.’

A new publication from Leidos lists eight steps for a successful insider risk program. Insider risk is evaluated as a ‘risk cube,’ as defined in the following C-Suite-friendly math:

Risk = f (Threat x Vulnerability) AV

(where AV = asset value).

Meanwhile, as Waterfall’s Ulf Frisk reports, the Meltdown/Spectre saga continues as Microsoft introduced an even worse vulnerability while fixing the Meltdown vulnerability in Windows 7 and Windows 2008 Server R2! The ‘fix’ means that ‘any program can read or write any word in any other program’s memory, or the kernel’s memory. The cure is worse than the disease.’ The problem is particularly acute for industrial control systems using these older operating systems.

Click here to comment on this article

Click here to view this article in context on a desktop

© Oil IT Journal - all rights reserved.