Cyber security round-up

Lloyd’s Register reports on IIoT cyber-risk. NIST publications: Zero Trust architectures, Recovering from ransomware. OGTC/Baringa study of Cyber security in UK oil and gas. Acronis Cyber Backup for ‘air-gapped’ environments. Asigra’s Deep MFA cloud-based backup. Noble Group deploys Alsid’s Active Directory security. SCADAwall, new ‘data diode’ from Bayshore Networks. Chevron selects SecurityGate.io for OT cyber security. Cynet’s breach prevention platform. RigNet’s Cyphre encryption for the harsh edge. CMU Software Engineering Institute open sources Kalki IoT security platform. SEI announces ‘Vince’ vulnerability reporting platform. IIC white paper on software trustworthiness best practices. Surge Engineering joins ISA Global Cyber Security Alliance. ISA/Saudi Aramco host ISA/IEC 62443 OT cyber security webinars.

Lloyd’s Register Foundation has published a 68-page, free report on the Industrial Internet of Things (IIoT) cyber-risk landscape. LR’s Report Series: No. 2020.1 covers current and future approaches to IIoT operational security and risk management. The report does more enumerating of potential problems than offering the ‘practical next steps’ promised in the introduction, omitting IIoT protocol considerations such as OPC-UA or MQTT and their security. This approach may be useful for managers of a brigade of ‘hands-on’ security engineers (perhaps provided by LR). When they are through locking down today’s IIoT, a manager can then raise the issue of quantum computing, presented as having ‘the most important potential for disruption’.

A new Special Publication SP 800-207 from the US NIST covers zero trust architectures. Zero trust is a cyber security paradigm that ‘moves defenses from static, network-based perimeters to focus on users, assets, and resources’. The 60-page report has a US Federal government focus but covers issues such as multi-cloud security and joint venture data security. NIST Special Publication SP 1800-11 is a 450 page (!) treatise on Recovering from ransomware and other destructive events. Probably worth reading before any bad stuff happens.

The UK Oil and Gas Technology Council (OGTC) has commissioned a report from Baringa on Cyber security in the UK oil and gas industry. The 37-page study describes significant cyber incidents in history that have befallen oil companies and NOCs, which remain ‘likely targets for similar attacks in the future’. Following regulatory pressure, operators and suppliers are making ‘significant investment in cyber security initiatives’. The study investigates cyber security in the supply chain and the thorny issue of IT/OT ‘convergence’. Cyber risk management stood out as a priority. Here, ‘security is struggling to keep pace with business initiatives aimed at delivering new digital technologies’. Oil and Gas has been disrupted by significant digital transformation with many businesses planning and executing large-scale and ambitious change agendas. These bring new risks, which are challenging how cyber security is currently managed across the industry. A ‘multifaceted, collaborative approach to breaking down and overcoming these challenges is required’. Baringa found that security specialists are often considered to be scaremongers and their language is often too technical and unclear. This leaves business leaders disinterested in cyber security and uninformed on its relevance to their operations. Despite the potential risks to health and safety, such events are unlikely, and may be dismissed with a ‘so what’ from senior leaders. Cyber security regulation in the UK Oil and Gas industry has been ‘uplifted’ with the introduction of the EU-derived NIS Directive and the Cyber Assessment Framework (CAF). Non-compliance with the Directive may result in a fine of up to £17 million.

Acronis Cyber Backup SCS Hardened Edition is a disk image backup solution for safeguarding sensitive data in air-gapped, ‘no internet’ environments. Acronis Cyber Backup features FIPS-validated encryption and RSA key generation, as well as an Intel-pioneered, hardware-based random number generation method to ensure complete protection.

Asigra has announced cloud-based backup with deep multi-factor authentication. Deep MFA policy settings and controls prevent backup data deletions or malicious encryption caused by malware (including ransomware), by criminal organizations, or human error. Deep MFA immutable retention prevents malware or unauthorized actors from deleting, modifying, or encrypting data in storage. More from Asigra.

Commodities trading group Noble Group has deployed Alsid’s Active Directory (AD) security solution to protect and harden its AD and entire IT infrastructure. Cyber ‘hygiene’ has been improved with the removal of thousands of ‘forgotten’ organizational units and accounts inside the domain. Hidden AD admin accounts are a major security concern because once compromised, they allow cybercriminals full access to an organization’s systems.

Bayshore Networks has rolled out SCADAwall, a new hardware device that provides safe, non-routable, one-way data transfer from trusted sources in-plant to untrusted destinations, such as corporate IT and other outside business destinations. A ‘data diode’ physically separates the plant from the risk of internet exposure or malicious activity while allowing critical plant data to flow into corporate business systems. SCADAwall is a low-cost, rack-mounted 1 gigabit/sec unit providing content inspection and policy enforcement for data in transit.

Chevron has selected SecurityGate.io for its operational technology cyber security. SecurityGate.io is to replace Chevron’s manual, spreadsheet cybersecurity practices with ‘scalable, digitized processes’.

New XDR and Response Automation capabilities are components of the Cynet 360 V4.0 autonomous breach prevention platform. Version 4.0 of Cynet 360 also includes an Incident View feature to help security administrators reduce response times ‘to minutes instead of hours or days’.

RigNet’s Cyphre patented encryption technology now operates at 5x the speed and is optimized for harsh edge environments. Cyphre delivers ‘military-grade’ cybersecurity to protect against cache-memory side channel attacks such as Heartbleed, Spectre, and Meltdown. The new capabilities are based on Cyphre’s recently awarded US Patent (No. 10,623,382) for an innovative transport layer security protection that increases end-user security by keeping session keys out of memory and preventing them from being stolen in a cache attack.

Carnegie Mellon’s Software Engineering Institute has released the source code for Kalki, a ‘software-defined’ IoT security platform. Kalki allows IoT devices that are not fully trusted to be integrated into networked systems, providing new capabilities for keeping networks and physical assets safe. IoT device vulnerabilities have enabled many recent attacks such as the Mirai botnet and Ripple20. Many IoT devices now added to SCADA systems have little or no onboard security. Kalki fixes this with network-level security and fine-grained monitoring with ‘µmboxes’ (micro-m-boxes) that provide virtualized security tuned to a device’s specific vulnerabilities, traffic and sensors. Download the Kalki source code here. And watch the video.

The SEI’s CERT/CC unit has also announced ‘Vince’, the Vulnerability Information and Coordination Environment, a web platform for collaborative software vulnerability reporting. Vince replaces the SEI’s 20-year-old legacy email reporting system. Vince is now live.

The Industrial Internet Consortium has published a white paper on software trustworthiness best practices. The 45-page publication covers safety, security, privacy and reliability of IIoT software and provides ‘practical and actionable’ best practices for recognizing, addressing, managing and mitigating risks and their sources.

Surge Engineering has joined the ISA Global Cyber Security Alliance, reflecting a ‘stronger focus’ on cybersecurity for its SCADA systems engineering capabilities. The ISA unit builds on the UN-endorsed ISA/IEC 62443 cyber security standard. Other oil country GCSA members include Honeywell, Rockwell Automation and Petronas. More from Surge.

A series of upcoming webinars co-hosted by ISA and Saudi Aramco will provide an overview of the ISA/IEC 62443 series of standards, ISASecure certifications, and end-user and supplier perspectives on OT cyber security. Presentations from Aramco, Chevron, ExxonMobil, and others. More from ISA.

© Oil IT Journal - all rights reserved.