
Regulatory Growth Charts – July 2018

Source: Barb Wert, Regulatory Compliance Specialist 

Below are Compliance & Risks* quarterly regulatory growth charts as of July 2018, showing new regulations by year of entry into force, broken down by subject and by region.

[Chart: Compliance and Risks C2P Global Regulations by Subject]  [Chart: Compliance and Risks C2P Global Regulations by Region]

ANALYSIS

The past twelve months have seen a record number of new and proposed regulations, a cumulative increase of more than one-third since July 2017, including:

  • Approximately 40% increase in battery regulations
  • Over 50% increase in product safety regulations
  • e-Waste regulations have more than doubled
  • Approximately 25% increase in regulations dealing with hazardous substances

By region, the greatest increase in new and pending regulations over the last twelve months came from US & Canada, with growth of almost 200%. The Latin America & Caribbean region had just under a 50% increase, and EMEA & Central Asia had just over a 20% increase.

FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.

*http://www.complianceandrisks.com/c2p/


Asset Management Project for Energy Sector

Source: Lindsey Hale, Program Manager

FoxGuard Solutions, Inc. is working with the National Cybersecurity Center of Excellence (NCCoE) in Gaithersburg, MD on its Energy Sector Asset Management (ESAM) project and use case to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Operational Technology (OT) / Industrial Control Systems (ICS) environments. By accelerating dissemination and use of these integrated tools and technologies for protecting OT/ICS assets, the NCCoE aims to enhance trust in U.S. IT communications, data, and storage systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.

Also participating in the project are ForeScout Technologies, Tripwire, Dragos, Splunk, KORE Wireless, TDi Technologies and Veracity Industrial Networks. The collective effort of these companies and the NCCoE will result in a publicly available NIST Cybersecurity Practice Guide documenting best practices from the energy sector on how to effectively identify, manage, monitor and control operational technology (OT) assets.

The project aims to address the following features of asset management:

  • Asset Discovery: establishment of a full baseline of physical and logical locations of assets
  • Asset Identification: capture of asset attributes, such as manufacturer, model, operating system, internet protocol (IP) addresses, media access control (MAC) addresses, protocols, patch-level information, and firmware versions
  • Asset Visibility: continuous identification of newly connected or disconnected devices, and of IP (routable and non-routable) and serial connections to other devices
  • Asset Disposition: the level of criticality (high, medium, or low) of an asset, its relation to other assets within the OT network, and its communication (to include serial) with other devices
  • Alerting Capabilities: detection of a deviation from the expected operation of assets
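Most of the features above reduce to one operation: comparing what the latest scan sees against an approved baseline and raising an alert on every difference. The following is an added illustration of that comparison; it is not code from the NCCoE project or from any of the participating vendors. The inventory records are constructed, and keying devices by MAC address (one of the attributes in the list above) is an assumption that holds for IP-connected devices but not for serial-only field devices.

```python
"""Added example: baseline comparison for OT asset visibility and alerting.
Not NCCoE or vendor code; all inventory records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    """One discovered device. MAC is the identity key here, an assumption that
    works for IP-connected devices but not for serial-only ones."""
    mac: str
    ip: str
    manufacturer: str
    model: str
    firmware: str
    protocols: FrozenSet[str]   # e.g. {"modbus/tcp", "dnp3"}


@dataclass
class BaselineDelta:
    new_devices: List[str] = field(default_factory=list)        # MACs never seen in the baseline
    missing_devices: List[str] = field(default_factory=list)    # baseline MACs that did not answer
    changed: Dict[str, List[str]] = field(default_factory=dict)  # MAC -> attribute deviations

    def alerts(self) -> List[str]:
        """One alert line per deviation from the expected state of the assets."""
        out = [f"NEW device {m}" for m in self.new_devices]
        out += [f"MISSING device {m}" for m in self.missing_devices]
        out += [f"CHANGED {m}: {'; '.join(c)}" for m, c in self.changed.items()]
        return out


def compare(baseline: Dict[str, Asset], observed: Dict[str, Asset]) -> BaselineDelta:
    """Diff an approved baseline against the latest scan, both keyed by MAC."""
    delta = BaselineDelta()
    delta.new_devices = sorted(observed.keys() - baseline.keys())
    delta.missing_devices = sorted(baseline.keys() - observed.keys())
    for mac in sorted(baseline.keys() & observed.keys()):
        b, o = baseline[mac], observed[mac]
        diffs: List[str] = []
        if b.ip != o.ip:
            diffs.append(f"ip {b.ip} -> {o.ip}")
        if (b.manufacturer, b.model) != (o.manufacturer, o.model):
            diffs.append(f"identity {b.manufacturer} {b.model} -> {o.manufacturer} {o.model}")
        if b.firmware != o.firmware:
            diffs.append(f"firmware {b.firmware} -> {o.firmware}")
        extra = o.protocols - b.protocols   # a newly listening protocol is a classic deviation
        if extra:
            diffs.append("new protocols " + ",".join(sorted(extra)))
        if diffs:
            delta.changed[mac] = diffs
    return delta


# Constructed sample data: the approved baseline and a later scan.
BASELINE = {
    "00:1a:2b:00:00:01": Asset("00:1a:2b:00:00:01", "10.10.1.10", "VendorA", "PLC-1000", "2.1.0", frozenset({"modbus/tcp"})),
    "00:1a:2b:00:00:02": Asset("00:1a:2b:00:00:02", "10.10.1.11", "VendorB", "RTU-200", "4.3", frozenset({"dnp3"})),
    "00:1a:2b:00:00:03": Asset("00:1a:2b:00:00:03", "10.10.1.12", "VendorC", "HMI-X", "1.0", frozenset({"modbus/tcp", "http"})),
}
OBSERVED = {
    "00:1a:2b:00:00:01": Asset("00:1a:2b:00:00:01", "10.10.1.10", "VendorA", "PLC-1000", "2.2.0", frozenset({"modbus/tcp", "telnet"})),
    "00:1a:2b:00:00:03": Asset("00:1a:2b:00:00:03", "10.10.1.12", "VendorC", "HMI-X", "1.0", frozenset({"modbus/tcp", "http"})),
    "00:1a:2b:00:00:99": Asset("00:1a:2b:00:00:99", "10.10.1.50", "unknown", "unknown", "unknown", frozenset({"ssh"})),
}


def example_delta() -> BaselineDelta:
    """Run the comparison on the constructed data."""
    return compare(BASELINE, OBSERVED)


if __name__ == "__main__":
    for line in example_delta().alerts():
        print(line)
```

On the constructed data this reports one new device, one missing device (the RTU), and a PLC whose firmware changed and which started speaking telnet. In a real deployment the interesting engineering is in the baseline's identity key and in how long a device may go unseen before "missing" is worth an alert; both are policy decisions the code above leaves to you.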

Project Schedule:

  • Kickoff Meeting – June 2018 – COMPLETE
  • Build Architecture Draft – July 2018 – IN PROGRESS
  • Draft Practice Guide – February 2019
  • Tentative Draft Public Release for Public Comment – April 2019

Expected Industry Benefits 

  • Reduce cybersecurity risk and reduce impact to safety and operations
  • Development of an executable strategy that provides continuous OT asset management and monitoring
  • Faster response to security alerts/attacks/events through automation
  • Alignment with cybersecurity standards and best practices while maintaining the performance of energy infrastructure

Interested in learning more? 

Engage with the NCCoE and follow the collaboration through the official project web page.

Note:  NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used. Additional information on this Consortium can be found at https://www.nccoe.nist.gov/projects/use-cases/energy-sector/asset-management

You can also find the full Energy Sector Asset Management Project description here:

https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/es-am-project-description-final.pdf

Reference:

https://www.nccoe.nist.gov/projects/use-cases/energy-sector/asset-management

https://www.nccoe.nist.gov/news/nccoe-selects-technology-vendors-collaborate-asset-management-project-energy-sector


WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT


Patch Industrial Control Systems

Industrial control systems (ICS) in critical infrastructure and key resources (CIKR) sectors are high-risk targets for attack and exploitation. Patches and updates are necessary to resolve security vulnerabilities and address functional issues.

BURDEN FOR ICS

A robust patching program for IT and OT environments requires a cyclical and consistently monitored solution to ensure a secure and healthy system. To build a complete patch management program, FoxGuard Solutions provides Asset ID & Baselining, Patch & Vulnerability Reporting, GAP Analysis, Validation, Deployment, and a Transient Cyber Asset Program.

ASSET ID & BASELINE
Prior to monitoring patch data, it is crucial for the utility to properly document all of their critical assets from which to build a baseline. FoxGuard provides baselining services in order to build the foundation for all other steps in the patch management process.

REPORTING
FoxGuard monitors operating systems, third-party software applications, network devices and field devices to provide monthly intelligence reports that track the release of cyber security patches specific to your environment. One source saves time and money.
          PATCH AVAILABILITY REPORT
          Once we have identified your asset inventory, FoxGuard can continuously monitor this list to inform you when security patches are available and provide all of the necessary documentation defining how your systems are impacted and can be protected.

          VULNERABILITY NOTIFICATION REPORT
          Keeping your eyes on patches alone may not be enough. FoxGuard provides a supplemental vulnerability notification report. We will monitor your systems and notify you if a vulnerability has been identified but the patch has yet to be released.

GAP ANALYSIS
Missing patches and updates can leave systems vulnerable to cyber attacks. Our solution collects the asset information, performs the patch analysis, keeps a log, and identifies the specific patches needed to bring your system up to date and secure.
          AUTOMATE
          Automated collection of asset information, ensuring this information is current and accurate.

          ANALYZE
          Intelligent analysis of the patches available compared to an asset’s current patch level.

          SAVE TIME & RESOURCES
          Managing the patch gap is efficient because the user is supplied only the necessary patches, eliminating the time spent on superseded (out-of-date) patches.

          VULNERABILITY INTELLIGENCE
          Identify risks, threats and vulnerabilities based on missing patches.
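The analyze and save-time steps above are, underneath, a set computation: take the vendor catalog for the asset's product, subtract what is installed (and what the installed patches already replace), then drop any remaining patch that a newer remaining patch supersedes. What is left is the gap, and it is worth sorting security-first and highest-severity-first before anyone starts testing. The following is an added example of that computation; it is not FoxGuard's tooling, and the catalog, supersedence chain, assets and severity ratings are constructed for illustration.

```python
"""Added example: patch gap analysis with supersedence and prioritization.
Not FoxGuard tooling; catalog, assets and severities are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Lower rank = patch first. Functional (non-security) patches carry no severity.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, None: 4}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str                  # product + major version the patch applies to
    security: bool                # True if the vendor flags it as a security fix
    severity: Optional[str]       # vendor/CVSS-derived rating, None for functional fixes
    supersedes: FrozenSet[str] = frozenset()   # older patches this one fully replaces


@dataclass
class Asset:
    name: str
    product: str
    installed: Set[str]           # patch ids reported by the asset


def _superseded_closure(start: Set[str], by_id: Dict[str, Patch]) -> Set[str]:
    """Every patch id transitively superseded by the patches in `start`."""
    seen: Set[str] = set()
    stack = list(start)
    while stack:
        p = by_id.get(stack.pop())
        if p is None:
            continue
        for old in p.supersedes:
            if old not in seen:
                seen.add(old)
                stack.append(old)
    return seen


def needed_patches(asset: Asset, catalog: List[Patch]) -> List[Patch]:
    """Patches the asset still needs, with superseded ones removed and the
    remainder ordered security-first, then by severity."""
    applicable = [p for p in catalog if p.product == asset.product]
    by_id = {p.patch_id: p for p in applicable}
    # An installed cumulative patch also covers everything it supersedes.
    covered = set(asset.installed) | _superseded_closure(set(asset.installed), by_id)
    missing = [p for p in applicable if p.patch_id not in covered]
    # Among the missing patches, drop any that a newer missing patch replaces.
    obsolete = _superseded_closure({p.patch_id for p in missing}, by_id)
    needed = [p for p in missing if p.patch_id not in obsolete]
    needed.sort(key=lambda p: (not p.security, SEVERITY_RANK[p.severity], p.patch_id))
    return needed


def summarize(needed: List[Patch]) -> Dict[str, int]:
    """The at-a-glance numbers: how many to touch, how many are security, how many critical."""
    return {
        "total": len(needed),
        "security": sum(p.security for p in needed),
        "critical": sum(p.severity == "critical" for p in needed),
    }


# Constructed catalog: HMI-X 3 has a cumulative chain P-101 <- P-102 <- P-105.
CATALOG = [
    Patch("P-101", "HMI-X 3", True, "high"),
    Patch("P-102", "HMI-X 3", True, "critical", frozenset({"P-101"})),
    Patch("P-103", "HMI-X 3", False, None),
    Patch("P-104", "HMI-X 3", True, "medium"),
    Patch("P-105", "HMI-X 3", True, "critical", frozenset({"P-102"})),
    Patch("P-201", "PLC-1000 2", True, "high"),   # different product, never applicable here
]
HMI_1 = Asset("hmi-1", "HMI-X 3", {"P-103"})
HMI_2 = Asset("hmi-2", "HMI-X 3", {"P-102"})


if __name__ == "__main__":
    for asset in (HMI_1, HMI_2):
        needed = needed_patches(asset, CATALOG)
        print(asset.name, [p.patch_id for p in needed], summarize(needed))
```

For hmi-1 the result is two patches (P-105 and P-104) rather than four, because P-105 is cumulative over P-102, which is cumulative over P-101. Note that the supersedence data has to come from the vendor; when a vendor does not publish it, every "missing" patch stays in the list and the time saving described above is lost.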

VALIDATION
Patch validation is a tedious, time-consuming process that requires the right staff, with the right aptitude, in the right environment to safely and effectively test patches. It may require special equipment and the discernment to judge how much and how deeply to test each of your critical assets.

DEPLOYMENT
A diligent deployment process defends against malware, in-transit modification and corruption. Our engineers design a comprehensive, secure and easy-to-use patch deployment solution that best fits the needs of your specific environment.

TRANSIENT CYBER ASSET (TCA) PROGRAM
FoxGuard provides a solution that secures your laptops and other portable devices. It protects these assets by deploying a gold image on a monthly basis, updated to include OEM-specific security patches and the applicable operating system, software and device-driver updates.


Defense In Depth Strategy – Securing IT and OT Assets

Source: Marcie Killen, Marketing Manager

Protecting IT and OT equipment in critical infrastructure markets takes strategy, planning and layers of defense. When physically securing a location, there are multiple layers of defense (fences, locks, guards, biometric screening, etc.). The same layered approach is necessary for protecting control system assets. Vulnerabilities will continue to grow as systems become more connected. With heightened awareness through real-time monitoring and alerts, along with vulnerability notification, you can take the appropriate action to defend against a possible security breach.

Most control systems were originally configured to perform in isolation, air-gapped so to speak. As the Internet of Things (IoT) has brought more integration and connected devices, security risks have become a higher priority. When securing control systems, three things need to be considered: identify what you have, monitor your critical systems and protect against possible attacks.

Identify

Building an asset and network baseline is the first critical step in securing control system equipment. Our new Sentrigard Security Platform™ supports common IT and OT protocols like BACnet and Modbus. Assets may include: Operating Systems, Third Party Applications, Network Devices, Field Devices, Drivers, and Firmware.

Our team of engineers is trained and ready to help you identify and create your baseline if you need assistance.

Monitor

Once you have a baseline, you can begin to monitor. Network monitoring is a critical part of a layered defense strategy. Going deep into your system and monitoring for protocol violations, misconfigured or faulty network devices, insider threats and intrusions gives you real-time visibility and advanced threat detection.

Protect

With critical data collected, you can begin to protect against threats and unwanted traffic on your network. The more information you have, the better you can defend against intruders exploiting vulnerabilities.

Ask us about patch management and vulnerability notifications, which provide yet another layer of protection in your defense-in-depth strategy.

WANT TO LEARN MORE ABOUT OUR SENTRIGARD SECURITY PLATFORM AND TAKE CONTROL OF YOUR SYSTEMS?

FoxGuard provides a wide range of security solutions that help entities identify and mitigate gaps in the security of their systems and thwart off cyber-attacks. We host a webinar series to discuss ways to develop and implement a robust defense in depth strategy. Reserve your spot in our next session.


Let our numbers tell the story

Source: Michele Wright, Product Manager

8,500+. 6,500. Hmmm… Wonder what these numbers mean? We’ll get to that.

As you may know, FoxGuard has completed its US Department of Energy Cybersecurity for Energy Delivery Systems (CEDS) project. For almost four years, we worked on simplifying patch management for OT equipment. (IT patch information came along for the ride, as well.) During this time, we built a variety of tools to make patch management easier. One of our big accomplishments (among many, if I must say so myself) is that we built an aggregator of patch details. We created an internal tool that allows our team to track, monitor and aggregate input from almost 300 unique vendors to ensure that our customers have a streamlined way to review patches and make appropriate decisions, not only for their compliance needs but for risk mitigation as well. While we were at it, we threw in evidence documentation to show that we did, in fact, check everything, and to provide visual evidence of the state of patches at the time we checked. (Did you know that some vendors will back-date patches? Our evidence documentation proves this, but that’s another story for another day.) There is no denying that patch mining is a tedious, more-complicated-than-you-think process. We know because we do it every day. Processes change. Vendors change. Security implications are a constantly moving target. This is an ever-evolving workflow, and our team of experts has its hand on the pulse of this process.

As an output of our CEDS project, we have developed a managed service that helps customers not only with patch management but with asset identification and baselining. When we started this process, we were amazed that asset inventory, which seems like such a basic process, was just not happening. Knowing the basics of what you have just isn’t enough to ensure that the patch you’re about to install is the right one. Pick the wrong patch, even for something as simple as the wrong version of the product you’re looking at, and you can brick a device and cause far-reaching negative consequences. However, once you have a solid inventory, we’re back to the grind of regular monitoring for critical patches. This is where our Patch Availability Report comes in. This report does all of the heavy lifting. Our ICS Update tool is provided with this report, so you can see metrics and understand at a glance the nature of your patches at any given time. Quickly understand how many patches you have to touch that month. How many address a security issue? How critical are the vulnerabilities being addressed? Put your eyes on the critical patches first to ensure you’re protecting your environment. As I’m known to say a lot, not all patches are created equal, so let us help ensure you’re staying on top of what’s most critical.

Now, back to those numbers. In about three years, FoxGuard has identified over 8,500 patches with almost 6,500 of those addressing security issues. Did we say patches are important? Let our numbers tell the story.


Jumping the Air Gap in Industrial Control Systems

FoxGuard Solutions’ very own Hacker In Chief, Monta Elkins, was one of the presenters at the SANS ICS Security Summit in January, where he shared cyber security concepts needed to defend industrial control systems in critical infrastructure. Specifically, he gave his air gap presentation. According to Monta, “Want a real cyber security challenge? In Industrial Control System security you’ll face the newest, incredibly sophisticated, most well financed and executed nation state sponsored attacks on the planet.”

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online (https://www.sans.org/press/announcement/2018/01/24/1#addsearch=monta)

Monta showed how an air gap does not prevent communication into or out of an industrial control system. He explored various ways to send data across an air gap in ICS and other environments, including a live demo, which you can watch here.

Description:
SANS Summit & Training Event

Speaker:
Monta Elkins, CISSP, GICSP, Hacker-in-Chief, FoxGuard Solutions

Presentation Score:
Attendees at the show rated Monta in two areas: 1) value of the content presented and 2) presentation skill. Scores are on a scale of 1-5, where 1 = poor, 2 = fair, 3 = good, 4 = very good and 5 = excellent.

FoxGuard Solutions’ Monta Elkins scored:
   Overall: 4.513     Content: 4.377     Skill: 4.649


Read more about the event here.


The solution often turns out more beautiful than the puzzle

Completing a jigsaw puzzle is certainly a satisfying feat. From thousands of individual pieces to a completed masterpiece, there is something rewarding and gratifying in finishing a puzzle, so much so that completed jigsaw puzzles often get framed and hung on the wall as a work of art. We liken a completed jigsaw puzzle to a FoxGuard Patch Management program: taking thousands of individual pieces and fitting them together into what can ultimately be looked at as a work of art. A FoxGuard patch management program offers our customers assurance in all of the following areas: knowing what needs to be patched (Asset ID), which patches are available for those assets (Patch Availability), which patches apply (Patch Applicability), and, most importantly, that a patch has been thoroughly tested to work in their specific environment before it is installed (Patch Validation). What matters most about a FoxGuard patching program is the peace of mind it affords the utility in knowing that patches and updates are validated before installation, avoiding catastrophic effects.

The box of a jigsaw puzzle gives us an idea of how the pieces are supposed to fit together, but we know in reality that there is a great deal of trial and error as pieces are joined to form a work of art. Seemingly indistinguishable pieces are evaluated one by one for where they fit in the overall picture. Not a single piece of the puzzle goes untouched. Hours are spent evaluating, testing and verifying that the pieces placed together on the table mirror what the box says the completed puzzle will look like. Piece by piece the puzzle takes shape until, in the end, it is a masterful work of art. Really, there isn’t a better way to describe patch validation. FoxGuard Patch Validation covers many aspects of a patch, including:

  • A file is, indeed, from the identified patch source
  • The applicability of a patch within the scope of our patch management program
  • The patch installs without error, and the installation can be verified
  • And, above all else, the file does not adversely impact operations.

Validation is the quality assurance that the puzzle pieces have fit the way they were intended and we’re well on our way to a complete masterpiece.
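The first bullet above, that a file really is from the identified patch source, and the deployment section's concern with in-transit modification and corruption, both come down to checking the downloaded bytes against a digest the vendor published through a separate channel. The following is an added example of that check and is not FoxGuard's validation tooling. The patch bytes and the manifest are constructed stand-ins; the manifest's digest is computed here from the same bytes only so the example runs on its own, whereas a real manifest comes from the vendor advisory or signed release notes, never from the download itself.

```python
"""Added example: verify a downloaded patch against a vendor-published digest.
Not FoxGuard tooling; the patch bytes and manifest are constructed."""
import hashlib
import hmac
import io
from typing import BinaryIO, Dict, Tuple

CHUNK = 1 << 20   # hash in 1 MiB pieces so large firmware images never sit in memory whole


def sha256_stream(stream: BinaryIO) -> str:
    """SHA-256 hex digest of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_patch(name: str, data: bytes, manifest: Dict[str, Tuple[str, int]]) -> Tuple[bool, str]:
    """Accept the file only if its name is in the manifest and both its size and
    digest match. The reason string is what you would keep as validation evidence."""
    entry = manifest.get(name)
    if entry is None:
        return False, "not in manifest: unknown file refused"
    expected_hex, expected_len = entry
    if len(data) != expected_len:
        return False, f"size mismatch ({len(data)} != {expected_len}): truncated or corrupted"
    actual_hex = sha256_stream(io.BytesIO(data))
    # compare_digest is constant-time; cheap insurance if the expected digest is
    # ever compared against attacker-influenced input.
    if not hmac.compare_digest(actual_hex, expected_hex):
        return False, "digest mismatch: modified in transit, wrong file, or bad manifest"
    return True, "sha256 matches vendor manifest"


# Constructed stand-ins. PATCH_BYTES plays the downloaded file; MANIFEST plays the
# vendor's published (name -> sha256, size) list, here derived from the same bytes.
PATCH_BYTES = b"CONSTRUCTED-PATCH-PAYLOAD hmi-x 2.2.0 security update"
MANIFEST = {
    "hmi-x-2.2.0-security.bin": (hashlib.sha256(PATCH_BYTES).hexdigest(), len(PATCH_BYTES)),
}


def tampered_copy() -> bytes:
    """Same length, one bit flipped: what an in-transit modification looks like."""
    mutable = bytearray(PATCH_BYTES)
    mutable[0] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    for label, blob in (("original", PATCH_BYTES), ("tampered", tampered_copy()), ("truncated", PATCH_BYTES[:-1])):
        print(label, verify_patch("hmi-x-2.2.0-security.bin", blob, MANIFEST))
```

One caveat a practitioner should keep in mind: a digest fetched from the same server as the file only proves the download arrived intact. Tying the file to the vendor requires either a digest obtained through a separately authenticated channel (the advisory, a signed release note) or a vendor signature over the file, and the size check is there because a truncated download fails fast and with a more useful reason than a bare digest mismatch.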


NIST SP 800-171A and Supplements

Source: Barb Wert, Regulatory Compliance Specialist

Recently, NIST CSRC published an update to NIST SP 800-171 Rev. 1.  On June 13, 2018, NIST CSRC also published the final version of NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information (CUI), along with two very helpful supplements:

  • CUI System Security Plan (SSP) Template
  • CUI Plan of Action (PoAM) Template

The System Security Plan (SSP) is required under NIST SP 800-171 Rev. 1 (requirement 3.12.4) to describe the security requirements already implemented in the system and how the organization plans to meet those not yet implemented.  The template includes fields for system identification, system environment, an assessment of each requirement (implemented, planned, or not applicable), and a Record of Changes.

The Plan of Action (also known as the Plan of Action and Milestones, or PoAM; requirement 3.12.2) is also required, to describe how any unimplemented security requirements will be met and how planned mitigations will be carried out.

Organizations can provide the SSP and PoAM in any format; however, the templates provided by NIST provide an easy way to meet the requirements and document the system information.

More information about NIST SP 800-171A can be found at https://csrc.nist.gov/news/2018/nist-publishes-sp-800-171a

FoxGuard provides solutions that are “Built for Security” and built in a secure environment.  FoxGuard’s Information Security Management System (ISMS) includes ISO 27001:2013 certification and compliance with all applicable controls of NIST SP 800-171 Rev. 1.


NIST CSRC Publishes SP 800-171 Rev. 1 with updated Errata

Source: Barb Wert, Regulatory Compliance Specialist

On June 7, 2018, NIST CSRC published an update to NIST SP 800-171 Rev. 1.  The update is to the Errata, and includes “minor editorial changes to selected CUI security requirements, some additional references and definitions, and a new appendix that contains an expanded discussion about each CUI requirement”, according to the CSRC’s release notice.

NIST SP 800-171 Rev. 1 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – is required by DFARS clause 252.204-7012 for Department of Defense contractors and subcontractors.  The publication sets out confidentiality-oriented security requirements for all components of nonfederal systems that process, store, or transmit CUI (Controlled Unclassified Information).

More information about NIST SP 800-171 Rev. 1, including the newly published version, can be found at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.

FoxGuard provides solutions that are “Built for Security” and built in a secure environment.  FoxGuard’s Information Security Management System (ISMS) includes ISO 27001:2013 certification and compliance with all applicable controls of NIST SP 800-171 Rev. 1.

Vulnerability 101

Source: Trace Bellassai, Client Operations Engineer

As more and more devices are connected to the internet, the number of potential targets rises. With this increase, the number of vulnerabilities that can be exploited also grows. Vulnerability, Exploit and Payload are some of the most used words in the cyber security industry. We wanted to give a quick explanation on how these words are intended to be used. Welcome to our Vulnerability 101 Lesson.

Vulnerability 101

VULNERABILITY – What isn’t working
A vulnerability is a weakness or flaw in a computer system that could allow an unauthorized person to gain access to it. Common flaws include race conditions, buffer overflows, input validation errors, and user interface failures. Vulnerabilities come in many forms: hardware, software, configuration, and even the people who can be socially engineered. An analogy using your home works best. You have your home locked tight and dead-bolted, but, unknown to you, your lock can easily be picked. The fact that the lock can easily be picked is a vulnerability in your home security.

Example: WannaCrypt and ExPetr, which emerged in mid-2017, both spread using a vulnerability in Microsoft’s SMBv1 implementation (addressed by the MS17-010 security update).

There can be more than one way to “get in” and do bad things!

EXPLOIT – How a vulnerability is used
An exploit takes place after a vulnerability is discovered. It utilizes the vulnerability to gain unauthorized access to a system. This generally comes in the form of a piece of software that has been developed to perform the exploit. The kind of control gained depends on the system as well as the seriousness of the vulnerability. For example, a database exploit would allow an attacker to gain access to the information in the database, change information, or delete information. In the example of your home, this would be someone crafting a tool to use against your locks vulnerability, such as a bump key, or lock picks.

Example: WannaCrypt and ExPetr both used the EternalBlue exploit to take advantage of the Microsoft SMB vulnerability. The exploit allowed the attacker to execute code remotely on the target systems and spread the payloads. Although the two attacks used additional techniques to assist in spreading, they have EternalBlue in common, so the MS17-010 patch that defended against one also closed that propagation path for the other.

PAYLOAD – What is done or taken as a result of an exploit
So now that we have recognized a vulnerability, and created an exploit to take advantage of that vulnerability, the next stage is to create a payload to perform some malicious act. The vulnerability and exploit allow an attacker to gain unauthorized access to a system, but the payload is what is done or taken once the attacker has access. Modern day attacks are very sophisticated and generally utilize any number of exploits and payloads to complete their task. This is where risk assessment comes into play. Total security is impossible, anyone who says that something it totally secure is naive to believe so, as security is a scale and is never absolute. Risk assessment allows you to determine how likely an attack is to occur on your system based on the vulnerabilities in the system, as well as how valuable a system is. Prioritizing these risks is paramount to security management. In the example of your home, the payload could be related to what someone might do once in your home, such as steal your jewelry and TV.

Example: In the case of WannaCrypt and other ransomware, the payload encrypts people’s data and demands payment to get it back. While that is certainly a terrible thing to do, some attacks have even more malicious intent, such as ExPetr. ExPetr masqueraded as ransomware, but the payload’s real intent was destruction: the attackers simply wanted to make sure the data on the drives was not recoverable. A step further still is an attack like Stuxnet, which specifically targeted ICS equipment and drove centrifuges outside their safe operating speeds until they damaged themselves, which demonstrates the real-world effects these attacks can have.
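To put the three terms side by side in code, below is an added, constructed example (not a real product flaw and not FoxGuard code) of a small firmware-download lookup. Its input validation error is the vulnerability, the crafted file name is the exploit, and the effect, disclosure of a signing key the caller was never meant to read, is the payload. The hardened version shows the fix. The in-memory store, file names and key material are invented for illustration.

```python
"""Added, constructed example: vulnerability vs. exploit vs. payload in one place.
Not a real product flaw and not FoxGuard code; the store and names are invented."""
import posixpath
import re
from typing import Optional

# Stand-in for a firmware download directory, served by name under images/.
STORE = {
    "images/plc-1000-2.1.0.bin": b"PLC firmware 2.1.0",
    "images/hmi-x-2.2.0.bin": b"HMI firmware 2.2.0",
    "secrets/update-signing.key": b"-----CONSTRUCTED PRIVATE KEY-----",
}


def fetch_vulnerable(requested: str) -> Optional[bytes]:
    """VULNERABILITY (input validation error): the caller-supplied name is
    joined onto images/ with no check that the result still lives there."""
    path = posixpath.normpath("images/" + requested)
    return STORE.get(path)


# EXPLOIT: a name crafted so the ".." walks out of images/ into secrets/.
EXPLOIT_INPUT = "../secrets/update-signing.key"
# PAYLOAD: what the attacker gets once the exploit works; here the signing key,
# which would let them produce firmware the update process would trust.


_NAME_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.bin")


def fetch_hardened(requested: str) -> Optional[bytes]:
    """Fix: allowlist the name's shape (no '/' and no leading '.'), then confirm
    the normalized path is still under images/ before touching the store."""
    if not _NAME_OK.fullmatch(requested):
        raise ValueError("rejected: name fails allowlist")
    path = posixpath.normpath("images/" + requested)
    if not path.startswith("images/"):
        raise ValueError("rejected: path escapes images/")
    return STORE.get(path)


def hardened_rejects(requested: str) -> bool:
    """True if the hardened lookup refuses the name."""
    try:
        fetch_hardened(requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, exploit input  ->", fetch_vulnerable(EXPLOIT_INPUT))
    print("hardened, exploit input    -> rejected:", hardened_rejects(EXPLOIT_INPUT))
    print("hardened, legitimate input ->", fetch_hardened("hmi-x-2.2.0.bin"))
```

Two layers in the fix are deliberate: the allowlist rejects anything that does not look like a firmware image name, and the prefix check after normalization catches whatever the allowlist's author did not think of. That belt-and-braces pattern is the same layered thinking the defense-in-depth post above applies to networks.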

