How newly exposed security weaknesses in industrial wireless, cloud-based interfaces, and nested PLCs serve as a wake-up call for hardening the physical process control layer of the OT network.

S4x23 — Miami — As IT and operational technology (OT) network lines continue to blur in the rapidly digitalized industrial sector, new vulnerabilities and threats imperil conventional OT security measures that once isolated and guarded physical processes from cyberattacks.

Two new separate sets of research released this month underscore real, hidden dangers to physical operations in today's OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs) — effectively further dispelling conventional wisdom about the security of network segmentation as well as third-party connections to the network.

In one set of findings, a research team from Forescout Technologies was able to bypass safety and functional guardrails in an OT network and move laterally across different network segments at the lowest levels of the network: the controller level (aka Purdue level 1), where PLCs live and run the physical operations of an industrial plant. The researchers used two newly disclosed Schneider Modicon M340 PLC vulnerabilities that they found — a remote code execution (RCE) flaw and an authentication bypass vulnerability — to breach the PLC and take the attack to the next level by pivoting from the PLC to its connected devices in order to manipulate them to perform nefarious physical operations.

"We are trying to dispel the notion that you hear among asset owners and other parties that Level 1 devices and Level 1 networks are somehow different from regular Ethernet networks and Windows \[machines\] and that you cannot move through them in very similar ways," says Jos Wetzels, security researcher with Forescout. "These systems are reachable, and you can bypass safety checks if you have the right level of control. We are showing how to do this."

The highly complex attack sequence that the researchers demonstrated with a proof-of-concept (PoC) — and that they acknowledge would require the technical chops and resources of nation-state attackers — stands in stark contrast to a relatively simple new hack that another group of researchers pulled off that exposes plants via wireless network devices. Both of these separate sets of OT attack findings poke holes in traditional assumptions of inherent security at the lower layers of OT networks, and the two teams of researchers behind them shared their findings here this week at the S4x23 ICS/OT conference.

**Wireless Threat "Got Our Attention"**

In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.

The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.

Matan Dobrushin, vice president of research at Otorio, says his team used the open source WiGLE tool, a Shodan-style search app that locates and maps wireless access points around the world. WiGLE collects SSID or network names, encryption types (such as WEP or WPA), and the geolocation of a wireless access point. The team was able to locate various OT sites via those geolocated Aps that WiGL spotted, including an oil well with weak authentication to its wireless device.

The team discovered relatively simple ways for an attack to hack industrial Wi-Fi access points and cellular gateways and wage man-in-the-middle attacks to manipulate or sabotage physical machinery in production sites. In one attack scenario, the researchers pose, an attacker armed with a laptop could find and drive to a plant location and connect to the operational network.

"You don't have to go through all of the layers of the enterprise IT network or firewalls. In this example, someone can just come with a laptop and connect directly to the most sensitive physical part of that network," Dobrushin says. "This is what got our attention."

Physical proximity is just one of three attack scenarios the team discovered when they found the vulns in these wireless devices. They also could reach the plant wireless devices via oft-exposed IP addresses inadvertently open to the public Internet. But the third and most surprising attack scenario they found: They could reach the OT networks via blatantly insecure cloud-based management interfaces on the wireless access points.

Many of the devices that come with cloud-based management also contain interfaces with either very weak authentication, or no authentication at all. InHand Networks' InRouter302 and InRouter615, for example, use an unsecured communications link to the cloud platform by default, sending information in cleartext.

"It's a single point of security and failure," Dobrushin says of the weak management interfaces, and "the main attack surface" for plant wireless access points.

The onus is on the wireless device vendors to better secure their Web interfaces. "I think the biggest fail point here is not wireless itself, not the cloud itself: It's the integration point between the cloud and modern Web-based world, to the old industrial world. These integration points are not strong enough."

For example, an RCE vulnerability in the Sierra Wireless Airlink's AceManager Web interface could let an attacker inject malicious commands. The vulnerability actually bypasses a previous patch Sierra had issued in April of 2019 for another bug, according to Otorio.

**Lateral Movement Research**

Forescout's research, meanwhile, also shows how Purdue Level 1 of an OT network security is not as airtight as many industrial organizations believe. The company's findings demonstrate how a threat actor could spread an attack across various network segments and types of networks at the Purdue Level 1/controller level of the OT network.

In their proof-of-concept attack, the researchers first hacked a Wago coupler device in order to reach the Schneider M340 PLC. Once they got to the PLC, they employed two newly disclosed vulnerabilities they first found last year as part of the OT:ICEFALL set of vulns but were unable to reveal until Schneider had patched them, CVE-2022-45788 (remote code execution) and CVE-2022-45789 (authentication bypass). That allowed them to bypass the PLC's internal authentication protocol and move through the PLC to other connected devices, including an Allen-Bradley GuardLogix safety control system that protects plant systems by ensuring they operate in a safe physical state. Then they were able to manipulate the safety systems on the GuardLogix backplane.

What sets their findings apart is that it looks at lateral movement not just between Level 1 devices in the same network segment or to Layer 2 SCADA systems but spreading across nested devices and networks at Layer 1. And unlike previous PLC research, Wetzels and Daniel dos Santos, head of security research at Forescout, didn't just hack a PLC via an inherent vulnerability. They instead pivoted from the PLC to other systems connected to it in order to bypass the security and physical safety checks within the OT systems.

"We're not just talking directly \[to\] one of the PLCs. We're moving to all devices existing behind it to bypass the functional and safety constraints" of the PLC that would cause the device to halt or shut down the process, Wetzels says. "Or I can manipulate the PLC and cause physical damage."

Wetzels says some vendors provide incorrect guidance to OT operators that states that "nesting" PLCs via serial links or nonroutable OT protocols provides secure segmentation for those devices and the OT network. "We're demonstrating this is a faulty line of reasoning against a certain type of attacker," he says. The researchers show that all devices — valve controllers and sensors, for example — that reside under the PLC in other networks behind it also can be exposed and provide an attacker more detailed control of the systems.

"If you want to manipulate \[the physical processes\] at a deep level, you move deep into those networks," he says.

Another weak and often-overlooked link are network connections to third-party maintenance providers, for HVAC or water treatment plant work, for example. The maintenance contractor often has a remote connection to their packaged system, which then interfaces with the OT network. "The perimeter to the outside that exists at Level 1 is not hardened or monitored," Wetzels explains.

**How to Defend Against These Threats to OT**

Forescout's Wetzels and dos Santos recommend that OT operators re-evaluate the state of their Level 1 devices and interconnectivity. "Make sure nothing can be disabled by cyber means," Wetzels advises.

He also recommends that plants with Ethernet links that are not firewalled should add a firewall. And at the least, ensure visibility of the traffic with an intrusion detection system, he says. If the PLCs include IP-based access control list (ACL) and forensics inspection functions, deploy them to harden the devices, he says.

"Likely there's a lot of network crawlspace not on your radar," Wetzels said today in his presentation here. "At Level 1, between different \[network\] segments needs a perimeter security profile."

As for the wireless access point vulnerabilities and attacks Otorio revealed, the researchers recommend disabling weak encryption in wireless access devices, masking wireless devices publicly or at least whitelisting authorized devices, and ensuring strong authentication for IP-based devices.

They also advise disabling unused cloud-based services, which typically are on by default, and firewalling and/or adding virtual private network (VPN) tunnels among the connections.

Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication. "Access control is always a concern."

OT Network Security Myths Busted in a Pair of Hacks

78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.

Microsoft has issued fixes for three zero-day bugs that attackers currently are actively exploiting in the wild.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component which also enables an attacker to gain system-level access.

**The Zero-Day Trio**

The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of "critical" severity and 66 as presenting an "important" threat to organizations.

Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, head of threat awareness at Trend Micro's ZDI, which reported eight of the vulnerabilities in this month's update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.

"The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts," he says. "Since this was found by Mandiant, it was likely discovered by a team working an incident response," Childs says. That means it's unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft store, he notes.

"People who are either disconnected or otherwise blocked from the store will need to manually apply the update," he says.

Childs says that based on Microsoft's description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. "It's always alarming when a security feature is not just bypassed but exploited. Let's hope the fix comprehensively addresses the problem."

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.

Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-2175 within 24 hours. "This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features," Automox said in a blog post. It allows attackers to "potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering."

**New Exchange Server Threats**

Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.

"Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabeShell," Narang said in a statement.

Exchange flaws have become valuable commodities for standard sponsored threat actors in recent years, he said. "We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they've applied the latest Cumulative Updates for Exchange Server."

**RCE Bugs in Microsoft PEAP**

Researchers at Cisco's Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft's security update for February 2023.

The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to try and trigger malicious code in the context of the server's account.

"Almost all Windows versions are vulnerable, including the latest Windows 11," the company said in a statement.

CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.

"Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy," the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.

9 New Microsoft Bugs to Patch Now

Fire emergency, 911 services functioning, along with Oakland financial systems, city says.

More than a week after a ransomware attack on Oakland networks, some city services are still struggling to recover.

Although the Oakland officials assure residents fire emergency, 911 dispatch, and the Oakland financial systems are functioning normally, other operations haven't yet recovered from the Feb. 8 cyberattack. IT had to move some city systems offline as part of the effort to restore services.

Filing police reports and paying taxes are among the city services still offline, according to local news reports.

"The City's IT Department is working with a leading forensics firm to perform an extensive incident response and analysis, as well as with additional cybersecurity and technology firms on recovery and remediation efforts," Oakland officials said in their latest update on the city's cyberattack response and recovery efforts. "This continues to be an ongoing investigation with multiple local, state, and federal agencies involved."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Oakland City Services Struggle to Recover From Ransomware Attack

Researchers flag common misconfiguration errors and a template injection technique that could let an attacker take over the IT management network and connected systems.

Researchers have identified a template injection technique against the open source SaltStack IT configuration and orchestration platform, as well as common misconfiguration issues, which could allow attackers to gain over organization's network.

Salt is open source software for automating networking and security functions based on events and specific configurations, similar to Puppet or Ansible. Written in Python, it is widely used in network administration and security. However, common misconfigurations and security issues in SaltStack, an implementation of Salt, would allow an attacker to execute remote code, achieve presence on and control over a management network, and infiltrate other systems connected to the initially compromised system, Alex Hill, an offensive security specialist at boutique cybersecurity firm Skylight Cyber, wrote in a a blog post. The research team identified a series of three simple management configurations and a "bonus injection" method that allowed them to achieve command execution across the target environment to run arbitrary code and even pivot to customer environments.

"Misconfigured Salt implementations are a high-value target that, if compromised, are likely to lead pretty rapidly to a much broader worst case level of network compromise and should hardened commensurately," Hill tells Dark Reading.

**Template Injection for Customer Access**

At its core, Salt provides automated infrastructure management that's focused on applying and maintaining state on devices; if a device on the network has an active state misaligned to the configured state, the platform tries to reapply previously defined configuration settings. That could mean custom scripts to push up-to-date configuration files for triggering a build pipeline to bring up fresh containers, Hill wrote.

Salt also manages devices via software agents — known as "minions" — that report to centralized master-controller devices.

The researchers discovered a Jinja template injection vulnerability in Salt that — while not new in and of itself — is novel in terms of its potential for exploit in the IT management space, Hill tells Dark Reading. The flaw can result in command execution that allows for attackers to run arbitrary code not only on the master device and its minions but also on customer environments. The team was able to trick the salt-master into issuing instructions to another victim minion running as root, basically allowing them to do whatever they wanted to it and opening the door to a host of nefarious activity by a potential attacker.

**Common Salt Misconfigurations**

Hill identified three "dead simple misconfigurations" that can easily take down an environment: automatic minion enrollment, secrets stored in files, and exposure of the pillar system's secret files.

Salt has an automatic enrollment feature to automate and streamline the provisioning of new customer infrastructure — such as engineer laptops or servers for new sites — but it also can allow rogue devices onto the network, Hill says. An attacker could spin up a system, install a minion, and auto-enroll the system onto the master controller — at which point, the attacker could issue in-built commands, read local files, and even explore the template injection method.

Secrets are exposed with Salt because the framework expects minions to be able to pull down any required files from the file\_roots directories when it tries to reset the device's state. All secrets, including passwords to the master device are exposed because they are in cleartext on the salt-master in web\_user.sls.

An attacker that controls a minion in the environment can also access the password and thus compromise the entire system, the Skylight researchers said.

Relatedly, having the pillar directory inside an accessible directory means that all minions — even ones that were not legitimately enrolled by the administrator — are able to see the contents of the Salt secrets directory.

**How to Secure Salt**

Hill included in the blog post what he calls a "cheat sheet" for organizations when deploying Salt to ensure they don't fall prey to making the common misconfiguration errors or create an environment that allows attackers to exploit the Jinja template injection vulnerability.

"Enterprises using SaltStack internally should be looking at how their implementation is configured and whether they have any of the highlighted issues currently," he says.

Organizations should overall adopt a security attitude of "trust no one" — in this case, the "no one" meaning "no minions."

"Assume all minions are rogue" as well as "compromised and not to be trusted," Hill advised in his post.

Configuration Issues in SaltStack IT Tool Put Enterprises at Risk

Lawsuits say hospitals using Meta Pixel code violated patient privacy — sharing conditions, medications, and more with Facebook.

Two hospital networks in Louisiana are being hauled to court in a pair of class-action lawsuits that accuses the hospitals of deploying Meta Pixel ad-tracker code and sharing sensitive medical data with Facebook in violation of the US Health Insurance Portability and Accountability Act (HIPAA).

LCMC Health Systems and Willis-Knighton Health Systems are being accused of deploying the Meta Pixel code on their sites, which shared information with Facebook — including medical conditions, prescriptions, doctors' names, and prior appointment history — so patients could be targeted for advertising, according to the law firm behind the action, Herman Herman & Katz.

"We are learning more and more about this shocking breach of trust as our investigation continues," Herman Herman & Katz partner Stephen Herman said in a statement about the data privacy lawsuits. "This was a gross invasion of privacy that went on for years."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hospitals Sued for Using Meta's Ad-Tracking Code, Violating HIPAA

The goal: Ensure that data is always finely curated and accessible, and that security decisions get made with high-fidelity data.

In a tale seemingly as old as time, security teams have been continuously under siege. Be it novel attack paths, lethal adversaries, new technologies — such as public cloud, containerization, Kubernetes, and serverless computing — or stringent regulatory requirements, teams have faced quite the burden. To help shoulder the load, the industry has established frameworks and pushed out amazing tech, from SIEMs to CNAPPs and XDRs to CASBs. These processes and technologies have helped to keep attackers at bay and people protected, but have created a new problem of far too much data.

To face off against this data-driven world, CISOs and security teams will need to embrace the data and look outside of traditional security personas to adopt a new model of working: security data operations, or simply (and catchier) SecDataOps.

SecDataOps is a term used to describe the process of integrating data into the entire security life cycle, whether for risk management, incident response, or cyber-threat intelligence production. Quantitative data about your environment, assets, business domain, and adversaries must be used. This also means security teams have to adopt strong data analysis, engineering and science processes from data collection and storage to dissemination and archiving. The goal of SecDataOps is to ensure that data is always finely curated and accessible, and that security decisions are made with high-fidelity data.

**Joint Task Force**

SecDataOps need not be a formalized reporting structure all at once but instead can be a joint task force and an additional horizontal responsibility in a security program. Occasionally, SecDataOps may bleed into enterprise architecture, enterprise IT, and other teams as needed. Instead of forcing all your security engineers to become data engineers, consider first bringing in big data consultants and other experts to help take account of how data moves in the organizations, where it's stored, how much it costs, all the way down to schema and formats.

Once the governance and management of raw data available to a team directly from security tools or from environments (e.g., cloud APIs, configuration management databases, existing data lakes) is complete, metrics need to be defined. Service-level agreements (SLAs) are typically formalized agreements but are a great way to hold your burgeoning SecDataOps practices to high quality standards.

Strong SLAs define the purpose of setting the SLA (the why), the promise and specific metric (the what and how), and any specific requirements (the when), if applicable. Creating these SLAs from the start that align to both the overall SecDataOps program and for specific datasets, data feeds, or projects will be important to achieve cohesion and long-term SecDataOps success.

Only once a strong baseline is set can specialized projects or process overhauls can be carried out. This same contextual approach can be applied to cloud security posture management remediation or as enrichment for real-time investigatory requirements such as pulling in ownership and asset data into a security alert investigation.

The leadership decision of a SecDataOps team is an important choice and may need to change as the team matures. When existing as an additional responsibility or joint task force, it may make sense to have the CISO run the function no matter what their level of hands-on technical acumen is; this is to hold the cross-functional team together. The results of SecDataOps will have a strong business emphasis, as the goal is to rapidly detect, pinpoint, and address various risks.

Harnessing data and building generative adversarial networks and massive business-intelligence dashboards to quantify cyber-risk is the exciting part of SecDataOps. But large parts of the work will be formative and the outcome for protecting the business is still the primary goal. Do not fear bringing in outside talent to build out the data piece of the equation. Having a team that is ready to cross-train and learn from one another will be vastly more successful than throwing security engineers to the data wolves.

This security data problem is not going away. Starting off is simply an information gathering operation: meet with your teams, understand how they harness data, what data they wish they had, and start from there. Do not get lost dreaming of what cool machine-learning algorithms you can deploy when sometimes the best outcome is well-governed data. SecDataOps is the way we win this data war and defeat our adversaries.

Why SecDataOps Is the Future of Your Security Program

**CORK, Ireland--(****BUSINESS WIRE****)--** Vaultree, the Data-In-Use Encryption leader, today announced the appointment of Rinki Sethi to the company's board of directors.

Rinki Sethi is the current vice president and chief information security officer at BILL, where she leads global information technology functions. She is also responsible for leading efforts to protect BILL’s information and technology assets and advise the company’s continued innovations in the security space.

Sethi brings decades of security and technology leadership expertise, including her recent roles as VP and CISO at Twitter and Rubrik, Inc. She has been at the forefront of developing cutting edge online security infrastructure at several Fortune 500 companies such as IBM, Palo Alto Networks, Intuit, eBay, Walmart.com and PG&E. Sethi also serves on the board of ForgeRock, a global digital identity leader. She advises many other startups and VCs.

Sethi holds several recognized security certifications and has a B.S. in Computer Science Engineering from UC Davis and a M.S. in Information Security from Capella University.

“Bringing Rinki on board underscores our strong focus on innovation in the field. With Vaultree on the journey to solving major cryptographic problems around data security and encryption, it is incredibly important to us that we work with industry experts like Rinki to ensure we bring Data-In-Use Encryption to the forefront and enable businesses to significantly reduce the risks of plaintext data exposure,” said Ryan Lasmaili, CEO and co-founder of Vaultree. “Trust and confidence are other important pillars that Rinki will bring with her to support Vaultree in creating an encrypted future where plaintext data no longer exists, and Data-In-Use Encryption is the standard across all industries.”

In addition to its recent $12.8m Series A funding round, the appointment of Sethi will be instrumental in fulfilling Vaultree’s mission to protect the sensitive data of people and enterprises worldwide.

“I am joining Vaultree because I am very excited about their mission and how it will unleash the power of data by processing encrypted data. I am also very impressed by the team Vaultree has built and am looking forward to joining this journey with them,” said Rinki Sethi. “The idea is to democratize and demystify data privacy and encryption. As we move toward a world where every human will have ’privacy traces’ online, we are tackling a real-world issue. Data security is not only one of today's hot topics but also the topic of tomorrow.”

**About Vaultree**

Vaultree has developed the world’s first Fully Functional Data-in-Use Encryption solution that solves the industry’s fundamental security issue: persistent data encryption, even in the event of a leak. Vaultree enables enterprises, including those in the financial services and healthcare / pharmaceutical sectors, to mitigate the great financial, cyber, legal, reputational, and business risk of a data breach in plain text. With Vaultree, organizations process, search and compute ubiquitous data at scale, without ever having to surrender encryption keys or decrypt server-side. If a leak occurs, Vaultree’s data-in-use encryption persists, rendering the data unusable to bad actors. Integrating Vaultree into existing database technologies is seamless, requiring no technology or platform changes. Vaultree is a privately held company based in Ireland and the U.S. For more information, please visit www.vaultree.com.

Vaultree Appoints Technology Industry Veteran Rinki Sethi to Its Board of Directors

State of XIoT Security Report: 2H 2022 from Claroty's Team82 reveals positive impact by researchers on strengthening XIoT security and increased investment among XIoT vendors in securing their products.

**NEW YORK****,** **Feb. 14, 2023** **/PRNewswire/ --** Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to the State of XIoT Security Report: 2H 2022 released today by Claroty, the cyber-physical systems protection company. These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

Compiled by Team82, Claroty's award-winning research team, the sixth biannual State of XIoT Security Report is a deep examination and analysis of vulnerabilities impacting the XIoT, including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities publicly disclosed in 2H 2022 by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), \[email protected\], MITRE, and industrial automation vendors Schneider Electric and Siemens.

"Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive – all of these rely on computer code and have a direct link to real-world outcomes," said Amir Preminger, VP research at Claroty. "The purpose of Team82's research and compiling this report is to give decision makers in these critical sectors the information they need to  properly assess, prioritize, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors' and researchers' labor in the steadily growing number of disclosures sourced by internal teams. This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities, but also to product security teams overall."

**Key Findings**

*   **Affected Devices:** 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, thus very attractive to threat actors aiming to disrupt industrial operations.
*   **Severity:** 71% of vulnerabilities were assessed a CVSS v3 score of "critical" (9.0-10) or "high" (7.0-8.9), reflecting security researchers' tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWEs) in the dataset are also in the top five of MITRE's 2022 CWE Top 25 Most Dangerous Software Weaknesses, which can be relatively simple to exploit and enable adversaries to disrupt system availability and service delivery.
*   **Attack Vector:** 63% of vulnerabilities are remotely exploitable over the network, meaning a threat actor does not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.
*   **Impacts:** The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
*   **Mitigations:** The top mitigation step is network segmentation (recommended in 29% of vulnerability disclosures), followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).
*   **Team82 Contributions:** Team82 has maintained a prolific, years-long leadership position in OT vulnerability research with 65 vulnerability disclosures in 2H 2022, 30 of which were assessed a CVSS v3 score of 9.5 or higher, and over 400 vulnerabilities to date.

To access Team82's complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the full State of XIoT Security Report: 2H 2022 report.

Cyber-Physical Systems Vulnerability Disclosures Reach Peak, While Disclosures by Internal Teams Increase 80% Over 18 Months

**DENVER****,** **Feb. 14, 2023** **/PRNewswire/ --** Ping Identity, the intelligent identity solution for the enterprise, has formed a new strategic alliance with Deloitte, a leader in global security consulting services, to help the organizations' shared clients improve advanced Identity Access Management (IAM) Solutions selection and onboarding. Through the alliance, Ping and Deloitte's shared clients will be able to streamline digital identity management and effectively authorize which employees, customers, vendors, and suppliers can access sensitive corporate resources.

Deloitte brings to the alliance its significant experience in identity and access management across strategy, implementation and operations-managed services for both workforce and customer IAM solutions in a global customer ecosystem. Ping Identity brings its strength in single sign-on (SSO) and multi-factor authentication (MFA) technologies as well as advanced capabilities like identity authorization, risk and fraud mitigation, and overall IAM orchestration. Deloitte and Ping's shared clients will have access to intelligent identity solutions able to scale enterprise-wide and to offer customers a secure and frictionless experience. 

"We're moving into an experience-first world where identity is paramount to enable security and frictionless interactions," said Andre Durand, CEO and founder of Ping Identity. "Our IAM solutions align well with Deloitte's deep knowledge of connected customer journeys and trusted customer experiences. This alliance will help more organizations reduce risk and accelerate time-to-value as they look to modernize their identity strategies."

As part of the alliance, Deloitte will receive Ping Identity's dedicated sales training, certifications, product roadmap updates, and marketing resources that strengthen and secure access to the cloud, mobile, SaaS, and on-premises applications across the hybrid enterprise.

"As the digitization of businesses continues to increase, providing a trusted employee and customer experience is imperative for organizations," said Nakul Sharma, a Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP. "Offering visibility and transparency around how data is used is important to building trust throughout the enterprise as well as with consumers. Our alliance with Ping is an important step in our ecosystem growth to offer Deloitte clients enhanced identity management solutions to help secure identities and data across digital engagement channels."

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

**About Ping Identity**

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That's digital freedom. We let enterprises combine our best-in-class identity solutions with third-party services they already use to remove passwords, prevent fraud, support Zero Trust, or anything in between. This can be accomplished through a simple drag-and-drop canvas. That's why more than half of the Fortune 100 choose Ping Identity to protect digital interactions from their users while making experiences frictionless. Learn more at www.pingidentity.com.

Ping Identity and Deloitte Forge Alliance to Give Organizations Advanced Identity and Access Solutions

**ARLINGTON, Va.****,** **Feb. 14, 2023** **/PRNewswire/ --** ThreatConnect, maker of leading threat intelligence operations (TI Ops) and risk quantification solutions, announced today the company's accelerated growth through 2022 and market leading position heading into 2023.

"With a tumultuous year marked by geopolitical and economic uncertainty that increased pressure on CISOs and their teams to improve security effectiveness and efficiency, ThreatConnect had a tremendous year in both new customer acquisition and product innovation," said Balaji Yelamanchili, CEO of ThreatConnect. "As we enter 2023, we're positioned to continue delivering market leading product innovation that enables our customers and partners to manage efficient TI Ops with quantifiable risk mitigation strategies."

**Customer & Revenue Growth** 

*   Substantial double-digit growth in new logo and expansion business, including some of the world's largest technology, financial services, healthcare, governmental, and cyber security organizations choosing ThreatConnect for their TI Ops and risk quantification initiatives.
*   Expanded risk quantification and TI Ops deployments with three of the top five software companies in the world, 12 global financial services organizations, and 33 other large enterprise customers.
*   Now serving nearly 200 global customers, including five of the top 10 software companies in the world, three of the top five airlines, three of the top five pharmaceutical companies, two of the top five insurance providers, and more than 10 defense and federal agencies.

**Threat Intelligence Operations Innovation**

The company's product and engineering teams delivered a variety of new features that enable cyber threat intelligence (CTI) teams to more efficiently investigate and create intelligence, and work with security operations (SecOps) teams to consume and operationalize threat intelligence.  These new features are designed to deliver better security outcomes in terms of mean time to detect (MTTD) and mean time to resolve (MTTR) potential threats and incidents, and drive efficiencies across teams and tools.

**Specific Innovations:** 

ThreatConnect made many useful product enhancements, including:

*   ThreatConnect's Collective Analytics Layer (CAL™), powered by Big Data and Machine Learning, increased its volume of data by 25% versus prior year to over 176 billion points of data used for scoring potential indicators of compromise (IOCs), providing insights for investigations, and categorizing relationships between indicators, threat actors, malware, and campaigns. By merging anonymized insights from ThreatConnect users with this massive data set creates the ability to have better confidence scoring and enrichment on potential IOCs that very few other players in the market can claim.
*   Natural Language Processing (NLP) capabilities to recognize MITRE ATT&CK® techniques by extracting insights from open source blogs, research, and other sources. This enables customers to get faster insights on relevant threats they are investigating.
*   Highly intuitive graph investigation capability that incorporates the customer's threat intelligence and internal case & investigation data, with insights from CAL's Automated Threat Library, including threat actors, campaigns, and ATT&CK techniques, and a growing number of third-party intelligence and enrichment sources.
*   A new reporting engine that makes it easy to create and disseminate threat intelligence reports with graphs, tables, images, and narrative descriptions.
*   New Enrich Anywhere capability automates the addition of context to indicators of compromise, allowing users to easily identify false positives and pinpoint actionable intelligence.  
*   Streamline the work of the SOC by infusing relevant threat intelligence directly into every step of their case workflow, and allowing for relevant artifacts and findings to be promoted for validation as threat intelligence by the CTI team.
*   Measure the work being done by the team with case and analyst efficiency metrics.
*   Stronger multi-tenant management of clients for MSSP and multi-tiered organizations with the introduction of Super Admin Users who can answer RFI's or work alongside analysts in other organizations without leaving their ThreatConnect instance.

**Risk Quantification Break Out Year**

*   Significant double digit annual sales growth, including new customers in healthcare, finance and manufacturing.
*   Launched technology alliance and go-to-market partnership with SecurityScorecard, resulting in 14 net new customers.
*   New go-to-market partnership with 3 of the top global software vendors.

**Industry recognition**

Winner of multiple industry accolades, including the Global Infosec Awards, Cybersecurity Excellence Award, and the top 100 most Innovative Cybersecurity companies by Expert Insights.

**Experienced Leadership and Board Advisors**

In 2022, the company added seasoned cybersecurity operators to its executive ranks with cybersecurity veterans. Balaji Yelamanchili, previously EVP and General Manager of Symantec's Enterprise Security business, joined the company as Chief Executive Officer.  Burney Barker, a veteran of Forescout, Gigamon, and Dell EMC, joined the company as Chief Revenue Officer.  In the Chief Marketing Officer role, Charles Gold joined the company, bringing more than 25 years of executive experience at category leaders including Sonatype, Virtru, and FireMon.

The company also added an elite group of enterprise cybersecurity leaders as Board Advisors.  This esteemed group includes Colin Anderson, current CISO at Ceridian and former CISO at Safeway and Levi Straus, Myrna Soto former CISO at MGM and Comcast and current Board member at Spirit Airlines and Trinet, and Patrick Joyce, CISO at Medtronic.  They will advise the company's Board and executive team on strategic product and go-to-market matters.

"Enterprises are transforming  their approach to security operations to support their move to the cloud and the digital economy while at the same time addressing a growing threat landscape and emerging threats like ransomware,"  said Yelamanchili.   "Our TI Ops and risk quantification solutions are critical to these initiatives and, given our momentum in 2022 and near term product roadmap, I couldn't be more excited about this coming year."

**About ThreatConnect**

ThreatConnect enables threat intelligence operations, security operations, and cyber risk management teams to work together for more effective, efficient, and collaborative cyber defense and protection. With ThreatConnect, organizations can infuse ML and AI-powered threat intel and cyber risk quantification into their work, allowing them to orchestrate and automate processes to get the necessary insights, and respond faster and more confidently than ever before. More than 200 enterprises and thousands of security operations professionals rely on ThreatConnect every day to protect their organizations' most critical assets.

Source

DARKReading