Regulatory Growth in 2017

Below are Compliance & Risks* quarterly regulatory growth charts as of October 2017, showing cumulative growth by subject and by region. * http://www.complianceandrisks.com/c2p/

   

Statistics provided by James Poe of Compliance & Risks indicate that in 2017 alone, over 2,000 new regulations were enforced or are pending, leaving manufacturers, distributors, and importers with well over 15,000 regulations to consider when assessing a product for global marketing.


Looking at statistics by region, the greatest number of new regulations for the subjects above were introduced in 2017 in the EMEA countries (Europe, Middle East, and Africa), including Central Asia.As a comparison, ten years ago, in 2007, only 457 new regulations were introduced for these same seven subjects, and manufacturers, distributors, and importers only had to consider a mere 3,860 total regulations when assessing products for global marketing. This reflects a growth of over 500%!

In 2007 the same region only introduced 269 new regulations, for a total of 2,185 in that year. The region with the greatest regulatory growth percentage from 2007 to 2017 is EMEA w/ Central Asia, with growth of over 725%. Second in line is US & Canada, with regulatory growth of over 600%.

FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.

Keeping Infrastructure Strong and Secure

November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to keep our Nation’s critical infrastructure secure and resilient. FoxGuard Solutions has committed to building awareness of the importance of critical infrastructure.

Industrial control systems in critical infrastructure are high-risk targets for attack and exploitation. FoxGuard combines its engineering and software services talent to develop unique cyber security solutions that protect industrial control systems (ICS)  in critical infrastructure markets bridging the gap between information technology (IT) and operational technology (OT) environments.  FoxGuard’s Patch & Update Management Services include asset analysis and monthly patch reporting.  Consistently monitored patches & updates can help resolve security vulnerabilities, functional issues and meet regulatory compliance requirements (NERC CIP).

During November, we focus on engaging and educating public and private sector partners to raise awareness about the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.

We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the Internet and communication systems we rely on to stay in touch with friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

Managing risks to critical infrastructure involves preparing for all hazards and reinforces the resilience of our assets and networks, and staying ever-vigilant and informed.

This November, help promote Critical Infrastructure Security and Resilience Month by training your employees on cyber awareness, taking part in the Hometown Security effort, engaging with your community partners or supporting long term investments in critical infrastructure. We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.

For more information, visit www.dhs.gov/cisr-month

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

FoxGuard partners with BISIM in new simulation facility

FoxGuard Solutions is proud to be a part of Bohemia Interactive Simulations’ (BISim) opening of a new, state-of-the-art simulation technology demonstration facility for its customers and partners. The facility will bring together the latest technology in the simulation industry from a group of leading simulation software and hardware providers. Take the opportunity to preview innovative simulation technologies that will be unveiled at I/ITSEC 2017.

The BISim Tech Dev and Demo facility, located at BISim’s Orlando headquarters, includes the following technologies:

  • High-end and high-performance computer hardware supplied by FoxGuard Solutions.
  • VBS Blue IG, BISim’s new 3D whole-earth rendering technology for Image Generation applications, and VBS3, BISim’s virtual learning environment and flagship of the U.S. Army’s Games for Training program.
  • Emerging Virtual and Augmented Reality solutions created using the VBS platform including an F-18 Trainer developed for the US Navy and an AC-130 check-list trainer developed in partnership with Vertex Solutions Group and SA Simulations for Air Force Special Operations Command.
  • A 4-meter dome from QuantaDyn Corp. The system incorporates powerful high-fidelity 4K projectors and an AudioCue directional sound system from Barco and uses VBS Blue IG for visuals, Battlespace Simulation’s MACE software as the simulation host, and QuantaDyn’s DIScover software for interoperability.
  • A D-BOX Motion Cueing System and an Ausimtech Motion Platform combined for flight simulation applications including an F/A-18 Hornet and attack helicopter simulation.
  • Demonstrations of TerraSim database creation technology for BISim’s whole-earth technology, VBS Blue.

Demonstrations will be offered hourly and attendees will have time to test out the technologies themselves or ask questions.

Event Information:

The event will be held at BISim’s Orlando Headquarters Nov. 1st through Nov. 3rd from 9 a.m. to 5 p.m. with demonstrations on the hour and opportunities to experience the latest in cutting-edge VBS technology for yourself.

If you are interested in attending please email Lucas Sumners, lsumners@foxguardsolutions.com or call him at 540-382-4234 Ext. 184.

WANT TO LEARN MORE ABOUT FOXGUARD’S SIMULATION CAPABILITIES?

FoxGuard has 35+ years’ experience configuring computer solutions, integrating racks, developing images, securing licenses, and ensuring hardware, software and OS compatibility to free up your resources to pursue growth. We can configure and ship a turnkey solution to your designated solution.

LEARN MORE

 

 

Has your WI-FI been KRACKed?

Source: Trace Bellassai, Client Operations Engineer

WHAT IS KRACK
Key Re-Installation Attack (KRACK) is the newest attack to Wi-Fi, and one of the most serious to date. This attack allows malicious actors to infiltrate a wireless network and decrypt packets sent across that network. These vulnerabilities exist in the Wi-Fi Protected Access II (WPA2) security protocol, and not any individual implementation of it. Therefore, any WPA2 implementation is likely affected. This hits hard because WPA2 is one of the most commonly used wireless security protocols, and is the most secure among the other commonly used protocols. Similar to previous WPA2 attacks, KRACKs primary target is the WPA2 four way handshake, which is used in the protocol to authenticate the client with the wireless access point without actually disclosing the key. During the the packet exchange of the four way handshake, an attacker can use KRACK to trick a victim machine into re-installing a key that is already in use by replaying the handshake packets. These keys should only be used once, which promotes security, but this exploit has found the the WPA2 protocol is not immune from forced key reuse. Once key reuse has been forced, an attacker can decrypt any network traffic encrypted by WPA2, which allows attackers, in combination with other tools such as sslstrip, to steal sensitive information such as username and passwords by performing a man in the middle attack. The attack also allows them to not only view, but even inject malicious code into unencrypted http sites, opening the victim up to another range of attacks.
Android and Linux devices are especially vulnerable due to their implementation of the Wi-Fi standard, which suggests that the encryption key should be cleared from memory after it has been installed for the first time. This essentially forces these devices to install an all zero encryption key, rather than reusing the previous key, making it even easier for an attacker to decrypt, and inject malicious data. This extra vulnerability affects roughly half of the 2 billion android devices currently in use, which goes to show the enormous scale this exploit could have. Additionally, when updates do start rolling out for this vulnerability, both the wireless access point and the wireless client need to be patched to prevent against the exploit. One patched without the other still leaves equipment open to the KRACK exploit.

WHAT YOU CAN DO
There are several steps FoxGuard recommends users and IT Professionals take to help mitigate the vulnerability. Firstly, a Virtual Private Network (VPN) should be used whenever possible. This encrypts all traffic between the access point and the wireless client, and connects you back to either a server at work, or a public server and provides a reasonable layer of security. Being as this exploit does not actually allow the attacker to gain network access, but rather decrypt the wireless traffic, any traffic communicating via hardwired Ethernet cable would not be affected, therefore, wired connections should be used where feasible. Users should also be on the lookout to make sure their login sites are using HTTPS. This exploit coupled with a tool such as sslstrip could allow an attacker to force use of non secure websites, which allows them to easily capture passwords and other sensitive data. A properly configured web server should prevent this from happening, but users should always check to make sure they are using a secure HTTPS site before logging in. Lastly, as with any vulnerability, FoxGuard recommends remaining vigilant about released patches and updates that address the issue.

AVAILABLE PATCHES
Some vendors, such as Microsoft, have already released patches for the exploit. A list of vendors and their known responses to the exploit can be found here:
https://github.com/kristate/krackinfo#vendor-response-complete

MORE INFORMATION
Additional information on the attack can be found using the links below:
https://www.krackattacks.com/
https://www.wired.com/story/krack-wi-fi-wpa2-vulnerability/
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
https://www.us-cert.gov/ncas/current-activity/2017/10/16/CERTCC-Reports-WPA2-Vulnerabilities

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

Patching Lessons Learned – Part 4

“Private” Patches 

So far, we’ve learned that there is a difference in patching IT vs. OT equipment and that all patches are not created equal.  Our next lesson learned is that not all patches are readily available on the Internet. In many cases, product vendors will require a support contract in order to receive ongoing support and access to patches. As such, the utilities are required to know which vendors require this level of support in order to track and retrieve patches on an ongoing bases. For some vendors, this information may be provided on a customer-specific portal, through a newsletter or email or perhaps even a direct phone call. A variety of contact methods may be required for ongoing patch due diligence to confirm whether or not a patch was released during a designated time period.

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

Patching Lessons Learned – Part 3

All Patches are not Created Equal 

In our last post we learned that there is a difference between IT and OT environments. Now it is important to know that to ensure that you are installing the proper patches in the proper fashion, you must understand all patches are not created equal.  It is critical to know the four different types of patches and track which of the four types of patches apply to each of your devices:a. Primary – This is a patch that has dependent patches.b. Dependent – A primary patch exists that must be installed prior to installing the subsequent dependent patch.c. Standalone – These patches can be installed independently and have no other stipulations.d. Cumulative – These patches are also sometimes referred to as “roll-up”. This means that the latest release of a patch includes the features and bug fixes from all previous releases. 

 

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

Patching Lessons Learned – Part 2

 Information Technology (IT) vs. Operational Technology (OT)

Our last post focused on the definition of a “patch” and why “patching” is important.  Today, we are sharing some of our lessons learned with regard to building a healthy patch management program.For starters, all systems are not the same and should not be treated as such.

There IS a difference when it comes to patching in the Information Technology (IT) vs. Operational Technology (OT) environments.  With a common office desktop, if you have an issue with your computer, it may simply be rebooted after patch installation and, in many cases that will resolve the issue. However, with OT equipment, timing and validation are critical to patch installation on a critical asset. Additionally, many of these devices cannot be rebooted or turned off at will, as there could be grave consequences to doing so cavalierly. 

 

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

What’s a “Patch” and Why is It Important?

This is the first post in a series that we’ll be sharing with regard to Patch Management “lessons learned”.

FoxGuard Solutions has been in business since 1981 and has been serving the energy industry for over 25 years. We have also been providing patch management solutions for industrial control systems via original equipment vendors (OEMs), as well as directly to energy utilities for many years. We have a long history of doing this work which provides us with a unique perspective, as well as gives us extensive knowledge of the patching burden. As such, we want to share our insight and some “lessons learned” along the way.

It is important to level set on what a “patch” really is. According to Wikipedia (https://en.wikipedia.org/wiki/Patch_(computing), a patch can be defined as follows:A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes.

In the instance of industrial control systems, patches are applied to firmware, operating systems and software applications installed as part of the control system suite. It is important to understand the scope and depth of equipment which is susceptible to needing a software patch applied.

Scope is defined in NERC CIP based on the User’s ability to apply an update and may include: 

    –    Devices (network, field, and other single-purpose devices that run firmware)
    –    Appliances (usually an embedded or full OS with a controlled set of installed applications and services)
    –    Workstations
    –    Servers

Each of these items may have their own unique way of managing, validating, installing and monitoring for patches, making it difficult to manage a healthy and comprehensive patch management program. When patching is so involved and difficult, it is worthwhile to talk through WHY it is so important. It may be obvious, but energy utilities are high-risk targets. Attacks such as Stuxnet and the one in Ukraine show that the “bad guys” (funded Nation States, not just casual hackers) have their eyes on this industry. In addition, patches are crucial to protect against vulnerabilities.

According to Kaspersky Labs Industrial Control Systems Vulnerabilities Statistics, there were: 

    –    4,189 known vulnerabilities in ICS in 2015
    –    426 had exploits available
    –    4,170 had patches available

If protecting critical assets from vulnerabilities is not motivation enough, regulatory standards, such as NERC CIP-007-6, R2.1, 2.2, 2.3 and 2.4, have clear requirements surrounding patch management with large fines threatened as consequence for failure to comply. Now that we understand what needs to be patched and why, check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

CUSTOM INDUSTRIAL COMPUTING LEADER ANNOUNCES OEM RESELLER AGREEMENT WITH LENOVO

FoxGuard Solutions provides OEM customers one-stop shop for custom configured computers.

CHRISTIANSBURG, Va. (September 20, 2017) – FoxGuard Solutions, Inc. and Lenovo today announced approval of FoxGuard Solutions, Inc. as a North American OEM reseller, further strengthening Lenovo’s support to OEM customers. “We are extremely pleased to include Lenovo products in our custom configured OEM solutions as part of Lenovo’s one-stop-shop approach to serving businesses,” said Patrick Patterson, V.P. of Industrial Computing at FoxGuard. “FoxGuard shares Lenovo’s customer-first approach, and this partnership enhances our ability to design and integrate custom computer solutions that meet our clients’ application, budget and preferences.”

Utilizing more than 35 years’ experience configuring computer solutions, integrating racks, developing images, securing licenses and ensuring hardware, software and OS compatibility, FoxGuard’s turnkey solutions enable customers to free up internal resources and focus on growth.

“OEM customers rely on Lenovo OEM partners to help manage their product from concept to launch to life cycle. We are pleased to add FoxGuard Solutions to the OEM reseller team,” said Nathan Blom, Director, North American OEM at Lenovo.

About FoxGuard Solutions:
FoxGuard Solutions, Inc. has been bridging the gap between IT and OT technology environments for over 35 years via integrated hardware, software and security solutions. Based in Southwest Virginia, FoxGuard serves customers in more than 60 countries from their secure, ISO-certified, ITAR-registered facility. Providing configuration, testing, certification, integration, kitting, regulatory/export compliance and life cycle management programs, FoxGuard’s solutions are “Built for Security.”

###

National Newswire Release: 
http://www.prnewswire.com/news-releases/custom-industrial-computing-leader-announces-oem-reseller-agreement-with-lenovo-300523361.html?tc=eml_cleartime

Media Contact: 
Patrick Patterson
p. 887.446.4732
e. ppatterson@foxguardsolutions.com

Security Patch could have prevent breach.

The Equifax security breach exposing sensitive information of approximately 143 million consumers is one that we now know could have been prevented with the installation of a security patch that was made available two months before the breach occurred.
Equifax has indicated, “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is a framework for developing Java-based applications that run both front-end and back-end Web servers. Many industries including internet companies, banks, government agencies, and many large Fortune 500 companies rely on Apache Struts.
It’s been reported that Equifax failed to update its web applications, despite proof that the bug gave cyber-thiefs an easy way to take control of sensitive sites and consumer information. Patching the security hole would have been labor intensive and difficult because it involved downloading an updated version of Struts and rebuilding all associated applications. There were websites which depended on dozens or even hundreds of such applications which likely were stored on many servers scattered across multiple continents. Plus, you don’t just release rebuilt applications into production without extensive testing to ensure that the updates don’t break key functions of the unit itself.
The bottom line is that cybersecurity, and more specifically patch management, isn’t always easy or convenient but it is worth it. And, we feel that our Patch Management program sets-up companies like Equifax for success to prevent these and other types of attacks.

For more information related to Apache Struts CVE-2017-5638:
https://nvd.nist.gov/vuln/detail/CVE-2017-5638

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT