The new network visibility mandate provides a good foundation for identifying risks and building better security programs at federal agencies.

By April, all federal agencies were required to begin complying with a new mandate from the US Cybersecurity and Infrastructure Security Agency (CISA) to "make measurable progress toward enhancing visibility into agency IT assets and associated vulnerabilities." In plain language, this means they must get better at monitoring their assets and evaluating their security vulnerabilities.

While complying with Binding Operational Directive 23-01 (BOD 23-01) won't on its own make agencies secure, it does provide a good foundation for identifying risks and building better security programs. Ultimately, federal IT directors will need to go beyond the letter of these BOD requirements and think about how they can use these new capabilities to improve their network operations and security processes.

**Understanding CISA BOD 23-01**

The new mandate focuses on two activities that are essential to improving operational compliance at scale for a successful cybersecurity program: asset discovery and vulnerability enumeration.

**Asset discovery** means finding all network-addressable assets that reside on an agency's network infrastructure by identifying all the associated IP addresses (hosts). This typically does not require special logical access privileges and is vital information for more advanced analytics and security investigations. But discovering networked assets gets harder as networks get bigger, more complex, and virtualized, and as users connect from more locations using a wider range of devices. Most concerning for CISA are bring-your-own (BYO) and other unauthorized devices that have acquired addresses and are present on the network but should not be. Discovery solves both problems: confirmation of approved devices that are present, and detection of devices that are present but are unauthorized.

**Vulnerability enumeration** identifies and reports suspected vulnerabilities on network assets. It detects host attributes (for example operating systems, applications, and open ports) and attempts to identify security flaws and issues such as outdated software versions, missing updates, and misconfigurations. It also involves tracking compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities.

The mandate specifies several general requirements that federal agencies must meet, including:

*   Performing automated asset discovery every seven days to maintain an inventory of devices
*   Identifying software vulnerabilities using privileged or client-based means where technically feasible (to provide the deepest inspection of access issues)
*   Tracking how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are
*   Providing this asset and vulnerability information to CISA's Continuous Diagnostics and Mitigation (CDM) federal dashboard

The mandate also includes more specifics such as how often to perform asset discovery and vulnerability enumeration, how to conduct those scans, and requirements for reporting this data to CISA. Importantly, CISA doesn't specify how to meet any of these objectives but leaves it up to the discretion of each agency's IT leadership.

**What This Means for Federal Agencies**

It's clear from this mandate that the old approach of doing compliance assessments every few years won't be sufficient. Agencies will need to build or buy a network automation and visibility solution that allows them to discover assets and find vulnerabilities at scale and across domains while also providing regular, ongoing status reporting.

Meeting these requirements doesn't mean an agency will be safe from cyberattacks, but it does help improve the security of IT resources. For instance, asset visibility is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation. But for a network topology with the scale and complexity of the federal government — with its broad deployment of devices and virtualized services — automation is the only realistic way to conduct security best practices (like updating device firmware with security patches, changing passwords regularly, and preventing firewall configuration drift).

**Complying With BOD 23-01**

The new CISA mandate stems from the realization that the historical approach of allowing individual agencies to determine how best to secure their networks isn't working. In practice, resource-constrained agencies deprioritized aggressive secure-access verification. They also did not fully account for how frequently their networks would change due to new technologies, new applications, and new projects all making the problem worse. This ultimately led to the declining security of federal IT infrastructure.

However, given that this new mandate does not come with any additional funding to meet it, agencies must rethink how they use existing operational and engineering resources to perform all the required visibility and vulnerability assessments in the weekly timeframes specified. In fact, they will need a solution that democratizes network automation to better leverage their available subject matter experts to define the required topology, secure access, and compliance needs. While a single engineer can test a device or create a vulnerability scan once, automation can continuously replicate and execute that work any number of times across the entire infrastructure automatically.

**Putting it All Together**

The reality is this automated approach is the only way to effectively meet the requirements of the BOD 23-01 mandate. Automation can apply accepted best practices — or any repetitive network task like those embodied in BOD 23-01 — at scale.

All in all, the BOD 23-01 mandate is a welcome first step toward securing the US federal government's digital footprint. Understanding what is connected and its vulnerability in near real-time will go a long way to identifying potential problems and possible attack vectors before they can be exploited. Federal IT directors must go beyond traditional labor-intensive approaches and consider network automation if they hope to successfully meet the mandate's requirements.

CISA BOD 23-01: What Agencies Need to Know About Compliance

With the right collaboration among employers, educators, and policymakers, we can come together to create a more secure environment for all.

The Organisation for Economic Co-operation and Development (OECD), in partnership with Microsoft, recently released an extensive report analyzing over 400 million online job postings from January 2012 to June 2022 to better understand cybersecurity workforce supply and demand. Centered around insights from Australia, Canada, New Zealand, the UK, and the US, the report comes amid a backdrop of growing worker shortages and increased cyberattacks.

Cybersecurity failures are among the top 10 risks that have worsened the most since the pandemic. These failures have put more pressure on security teams and have caused the overall demand for skilled cybersecurity workers to outpace the current supply. (ISC)2 estimates that we have a worldwide shortage of 3.4 million cybersecurity workers, with nearly 70% of organizations dealing with a worker shortage. 

If organizations want to overcome this hurdle, they’ll need to come together with policymakers and educators to create a series of sweeping changes that empower current and future cybersecurity workers. 

The OECD's report reveals a number of insights into the most in-demand skills over the past decade. These include skill sets throughout cloud security, cybersecurity frameworks, and threat assessment. By examining these dynamics, companies can better measure their current needs against existing education and training programs to determine where gaps exist. However, this also means that companies will need to partner closely with educators and policymakers to create a sustainable talent pipeline that's equipped to meet the cybersecurity needs of tomorrow.

Based on the findings laid out in the report, here are three ways that the private and public sectors can work together to expand educational opportunities and create a more skilled cybersecurity workforce:

*   **Offer multiple career pathways within cybersecurity training**: Formal and informal cybersecurity training should be offered at various levels for a broad range of job roles in both long- and short-course formats. Additionally, organizations must work to establish clear progression pathways between training programs.

*   **Close the workforce gap with skills-based recruitment and formal education**: Cybersecurity skills are evolving quickly. Many types of education are relevant, including community and technical college programs, as well as skills-based certifications. Formal education is not the only path. Recruiting workers based on acquired skills can close the cybersecurity workforce gap by reducing entry barriers for young people and people with less experience. Investing in mentorship and curriculum co-design programs to meet the demand for cybersecurity skills beyond the technology sector also is worthwhile.

*   **Build basic digital skills first**: Digital skills are the foundation for cybersecurity skills. People of all ages, especially the most disadvantaged, need opportunities to develop essential online knowledge. For example, before engaging in cybersecurity-specific training, workers should first have a basic understanding of cloud computing. By embedding cybersecurity best practices throughout the organization and making cybersecurity the responsibility of all, organizations can raise the bar for defense across the board.

**How Diversity Can Help Fuel Cybersecurity**

In addition to insights around highly sought-after skill sets and job titles, OECD's report also reveals that demand for cybersecurity professionals has spread beyond the confines of major urban centers. It calls for a more decentralized workforce to meet demand in underserved areas. 

This landscape creates an opportunity for employees from more diverse professional backgrounds to break into the cybersecurity field. If companies are to close the skills gap and meet the current demand for cybersecurity workers, they will need to broaden their horizons to account for more nontraditional cybersecurity career paths. In doing so, they will enhance the industry with a broader range of unique experiences and life skills.

Recruiting more diverse candidates also allows companies to approach security challenges from different angles and identify solutions that may not have been considered otherwise. When a workforce is as diverse as the cybersecurity threats an organization faces, it can pull from a broader range of professional and personal experiences to more effectively and inclusively protect themselves and their end users. Additionally, weaving diversity throughout the recruiting and retention process helps ensure that security measures are effective for all users — regardless of their backgrounds or abilities. 

The challenges facing the cybersecurity sector are steep, but with the right collaboration among employers, educators, and policymakers, we can come together to create a more secure environment for all.

3 Ways to Build a More Skilled Cybersecurity Workforce

Thales will build new machine learning-powered data discovery and classification features based on Google Cloud's Vertex AI.

Thales is partnering with Google Cloud to add generative AI features to its CipherTrust Data Security Platform, the company said this week. The first project will be to build a data discovery and classification tool based on Google Cloud's Vertex AI machine learning platform.

Gartner estimates that companies will deploy more than 95% of new digital workloads on cloud-native platforms by 2025, up dramatically from 30% in 2021. But all of that cloud reliance comes with new or enhanced security threats, such as not knowing where sensitive data is being stored.

Thales will build a data discovery and classification machine learning feature using Vertex AI to help organizations find and categorize data, and then apply the correct controls to protect the data. The new capabilities, which will be part of CipherTrust Platform's Intelligence Protection service, will use machine learning to classify data into categories and subcategories, Thales said. Semantic context will help discover and classify information from a range of document repositories while ensuring sensitive data remains within defined boundaries. By using named entity recognition techniques, the service will be able to discover a range of sensitive information types.

Google Cloud's Vertex AI will allow Thales to automate processes and perform tasks in line with corporate policies.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Cloud GenAI Is Coming to Thales' Data Security Platform

If you have an IoT network powered by Pepper, you can now insure it through Embedded Insurance — even if your business is too small to support a SOC.

Consumers and small-to-midsize businesses (SMBs) that use Internet of Things (IoT) devices to manage smart homes and businesses have a new option for obtain cyber insurance — providing their service providers are using the Pepper IoT Platform-as-a-Service (PaaS) back end. The service, announced on June 28, allows users to opt for a minimum of $10,000 per device in coverage from their providers for each device without requiring them to submit cyber insurance applications. The insurance is available either as an add-on at the time of the sale from the service provider, or it can be purchased later.

Pepper CEO Scott Ford says that consumers currently have very few options to obtain comprehensive cyber insurance for their IoT devices. While individuals have some options to reduce their risk and become better candidates for cyber insurance, many do not know how to do so. Offering an actual cyber insurance policy — not just a rider to an existing home policy that might offer nominal coverage — provides real and measurable coverage for common cyber threats, he says.

While the consumer market is the primary target for this partnership, Ford says that SMBs that use surveillance cameras and similar IoT devices also can benefit from this low-cost cyber insurance alternative.

**Consumers Need Simple**

Toby Coleridge, chief product officer at Embedded Insurance (EI), which is Pepper's cyber insurance broker, says the process of obtaining a policy through his company — without the need to fill out long applications that must be processed through underwriting — is easy for the clients to understand. EI's policies are underwritten by Chubb, the top-ranking cyber insurance carrier in 2023.

Coleridge notes that these are real cyber insurance policies that are specifically designed to be simple to purchase. Unlike corporate cyber insurance policies — where rates and terms are based on an organization's existing cybersecurity controls, audits, penetration tests of networks, and negotiations with corporate boards, corporate counsels, and CISOs — these policies are off-the-shelf packages that are preconfigured and priced accordingly, much like purchasing an automobile policy.

"We haven't needed to look at putting in restrictions," he adds. "That's the complexity of SMB insurance versus the residential policy that we're using here. Ultimately, the whole point of this is to keep it as simple as possible."

Among the coverages offered are cyber financial fraud, cyber extortion (including ransomware coverage up to the policy's limits), identity theft, data restoration, device replacement, and cyber bullying. Policies are available starting at $5.28 per month per device. For higher limits, such as coverage up to $100,000 per device, the price could rise to $20 per device per month or more.

Coleridge sees personal cyber insurance as a growing market going forward. As social engineering attacks increase against individuals, the need for personal cyber insurance will increase as well, he says. "It's about protecting you against some of those threats that most consumers are probably naive to today," he adds.

**Security and Insurance Are Natural Partners**

Ford notes that in 2022 State Farm Insurance invested some $1.2 billion into the electronic alarm-monitoring security firm ADT, adding that the insurer could offer better rates to customers who proactively add security controls and thus become lower insurance risks. Similarly, Pepper late last year acquired Comcast business unit Notion, a smart property monitoring sensor system and app that enables home and small-business owners to monitor and reduce loss from costly property damage. In both cases, the acquired firms provide the new parent with on-the-ground intelligence that lowers the user's vulnerability to losses.

The partnership between Pepper and Embedded Insurance is similar to others. For example, earlier this month in the enterprise space, security operations center (SOC) and XDR vendor Arctic Wolf announced a similar program with cyber insurance carrier Cysurance. The Arctic Wolf model is designed for much larger enterprises that can support a SOC, as well as other enterprise-class security controls. As part of the program, Arctic Wolf customers can purchase up to $1 million worth of cyber insurance at an 80% discount from standard market rates.

Pepper and Embedded Insurance Partner on Cyber Insurance for Consumers, SMBs

Though government agencies have hundreds of devices exposed to the open Internet, experts wonder if CISA is moving at the right pace.

Researchers have discovered hundreds of devices running on government networks that expose remote management interfaces on the open Web. Thanks to the Cybersecurity and Infrastructure Security Agency (CISA), that will change quickly — possibly too quickly, according to some experts.

On June 13, CISA released Binding Operational Directive (BOD) 23-02, with the goal of eliminating Internet-exposed management interfaces running on edge devices in Federal Civilian Executive Branch (FCEB) agency networks. The announcement came soon after CISA's advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that leveraged Fortinet FortiGuard devices in espionage campaigns against US government entities.

To gauge how significant BOD 23-02 would be, researchers at Censys scanned the Internet for devices exposing management interfaces in federal civilian executive branch (FCEB) agencies. The scans revealed nearly 250 qualifying devices, as well as a number of other network vulnerabilities outside of the scope of BOD 23-02. 

"While this level of exposure probably doesn't warrant an immediate panic, it's still worrisome, because it could be just the tip of the iceberg," says Himaja Motheram, security researcher for Censys. "It suggests that there may be deeper and more critical security issues, if this kind of basic hygiene isn't being met."

**How Exposed FCEB Organizations Are**

Devices qualifying under BOD 23-02 include Internet-exposed routers, switches, firewalls, VPN concentrators, proxies, load balancers, out-of-band server management interfaces, and any others "for which the management interfaces are using network protocols for remote management over public Internet," CISA explained — protocols like HTTP, FTP SMB, and others.

Censys researchers discovered hundreds of such devices, including various Cisco devices exposing Adaptive Security Device Manager interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. They also found more than 15 instances of exposed remote access protocols running on FCEB-related hosts.

The search was so bountiful that they even uncovered many federal network vulnerabilities beyond the scope of BOD 23-02, including exposed file transfer tools like GoAnywhere MFT and MoveIt, exposed Barracuda email security gateways, and various instances of defunct software.

Organizations often don't know their level of exposure or don't understand the implications of exposure. Motheram emphasizes that unprotected gear was all quite simple to find. "And what was trivial for us to find is, honestly, probably even more trivial for amateur threat actors out there."

**How Edge Devices Get Exposed**

How is it that so many devices are exposed on otherwise highly scrutinized government networks?

Joe Head, CTO of Intrusion, points to any number of reasons, including "convenience of the administrator, lack of operational security awareness, lack of respect for adversaries, use of default or known passwords, and lack of visibility."

James Cochran, director of endpoint security at Tanium, adds that "staffing shortages can cause overworked IT teams to take shortcuts so they can make the management of the network easier."

Consider, too, the traps unique to the government that can make the problem even worse. "With little oversight and concern about potential threats, devices can get added to the network under the guise of being 'mission critical,' which absolves them from all scrutiny," Cochran laments. Agencies can also merge or expand, with gaps in their network and security integration. “Over time, the overall networks begin to resemble something out of a Mad Max movie, where random things are bolted together and you are not sure why."

**Will BOD 23-02 Turn Things Around?**

In its directive, CISA indicated that it will begin scanning for qualifying devices and informing the culpable agencies. Upon notification, offending agencies will have just 14 days to either disconnect these devices from the Web, or "deploy capabilities, as part of a zero-trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself."

That two-week period will force relevant agencies to act fast to secure their systems. But that could be difficult, Motheram acknowledges. "In theory, removing devices that are exposed from the Internet should be simple, but that's not always the reality. There can be some bureaucracy to deal with when changing access policies that add friction," she explains.

Others believe the burden is undue. "This is not a responsible timeline," Cochran says. "Since the problem is so widespread, I would expect there to be significant impacts to the identified agencies. This is the same as trying to untangle a bunch of wires by sawing through them."

Others applaud CISA's no-nonsense approach. "It is hard to come up with a timeline to stop doing what should have never been done," Head says, arguing that 14 days may be too long to wait. "Five minutes would be more advisable as managers task the corrective network changes. It has been standard practice not to expose management interfaces to the public Internet for years, so making it mandatory is prudent and reasonable."

CISA Wants Exposed Government Devices Remediated in 14 Days

**LONDON****,** **June 29, 2023** **/PRNewswire/ --** IEC standards have long been considered _de facto_ for the European power grid sector. But the cost and complexity inherent in implementing them has inhibited full adoption, until now.

Smart Grid Forums, an independent conference organizer specialized in the European power grid sector has been facilitating meetings on various IEC standards for more than 10 years. Key standards include IEC 61850 for substations, IEC CIM for control centers, and IEC 62443 for OT cybersecurity. The objective of these meetings have been to support grid operators in assessing the business case for the standards, conducting pilot projects to test their technical feasibility, and educating the wider utility workforce, to mobile large-scale deployment in support of the Energy transition.

"This year it has become clear that these standards are inter-dependent" says Mandana White, CEO of Smart Grid Forums. "Whilst utilities have been working with them in focused silos, the reality is that without their effective interworking, grid operations will not be able to run seamlessly and reliably."

As a result, Smart Grid Forums are hosting a joint meeting brining all three utility IEC standardization communities together at one time in one venue. Each group will benefit from a dedicated case-study programme that deep dives into the latest lessons learnt from the implementation of each standard whilst also being able to access information and networking related to the other standards.

The week-long event begins with a choice of 3 Fundamentals Workshops, providing participants with the foundational knowledge they need in IEC 61850, IEC CIM, and IEC 62443. The main 3-day conference opens with a series of high-level plenary sessions on the macro issues facing the standardization community, and then breaks out into three technical tracks focused on utility case-studies. The week wraps up with a Communication briefing designed to help technical teams translate their engineering know-how into organizational priorities using language that will influence the Board and secure long term investment.

70+ SPEAKERS INCLUDING:

·  Christoph Brunner, Convenor, TC57 WG10

·  Gabriel Faifman, Co-Convenor, TC65 WG10

·  Svein Olsen, Lead Member, TC57 WG13,14 & 16

·  Alex Apostolov, Editor-in-Chief, PacWorld

·  Jennifer MacKenzie, Lead Design Engineer, Scottish Power Energy

·  Anders Johnson, Power Systems Specialist, Vattenfall Networks

·  Barry Coatesworth, Cybersecurity Advisor, Scottish Power

·  Philip Westbroek, OT Security Officer, Enexis

·  Damien Ploix Chief of Cybersecurity, Enedis

·  Mohammed Radi, Network Data Modelling Engineer, UK Power Networks

·  Rui Pena, Senior Consultant, E-REDES

·  Anna Elgersma, Data Architect, Alliander

DISCUSSION TOPICS INCLUDE:

·  GLOBAL STANDARDISATION REVIEW - Evaluating the rate of IEC standardization take-up globally and identifying market trends and lessons to be learnt for Europe

·  WORKING GROUP IMPROVEMENTS - Evaluating the benefits of working group participation and identifying how the IEC can better engage utility contribution in the interest of wider market development

·  WORKFORCE ENGAGEMENT - Establishing a training culture that rapidly advances IEC 61850 competence of engineering, operations, and maintenance teams to drive organizational change at pace

·  PROCESS BUS - Leveraging IEC 61850 standardization to drive the cost-efficiency and accessibility of process bus architectures for grid networks

·  VIRTUALISATION - Determining the roadmap from digital to virtual substations and prioritizing the implementation steps to commit to in the next 2-3 years

·  IEC 62443 FOR THE GRID - Determining how IEC 62443 can be leveraged in combination with ISO 27001 to drive end-to-end cybersecurity of the IT-OT integrated digital grid

·  IMPLEMENTATION PLANNING - Creating a IEC 62443 implementation roadmap with clear priorities for utilities, suppliers and system integrators on both a governance and technical level

·  PATCH MANAGEMENT - Ensuring the effective application of IEC 62443 guided patch management regimes to maximize the lifecycle of OT infrastructure

·  CIM FOR A CENTRALISED REPOSITORY - Applying CIM to all grid systems to promote centralization and to build a coordinated set of data models

·  INTERNAL-EXTERNAL DATA EXCHANGE - Reviewing the latest developments with CGMES to support TSO-DSO data exchange and interoperability

TESTIMONIALS FROM PAST EVENTS

"As usual high-quality presentations and relevant topics." 

Anders Johnsson, Power system specialist, Vattenfall Eldistribution AB

"In my opinion this is the best industrial conference about smart grid and IEC 61850." 

Andrea Bonetti, Senior Specialist, Megger Sweden AB

"This was a great opportunity to learn about the IEC 62443 concepts, controls and framework."

Anja Ivanovska, Info Sec Specialist, EVN

"A refreshing insight and different angle on cyberthreats and possible measures for the OT domain."

Bas Mulder, Technologist OT, TenneT

"Great opportunity to meet, exchange, discuss and develop ideas concerning CIM."

Ruben Haasjes, Data Consultant, Alliander

"Bringing utilities from across the world together to digitally transform our energy systems." 

Jakub Sliva, Asset Data Specialist, Stedin

To find more about how you can get involved contact the SGF team directly at:

We are an independent B2B event provider serving the smart grid technical community. We monitor the market, conduct depth interviews, and translate the insights into techno-commercial meetings that empower participants to accelerate their grid modernisation plans, drive renewables integration, and help meet climate goals.

SOURCE Smart Grid Forums

IEC Standardization Leaders Convene in Amsterdam to Review Utility Interworking of Key Standards

New online safety bill could force encrypted messaging apps like iMessage and WhatsApp to scan for child abuse material, but platforms warn about privacy implications.

Apple has joined more than 80 technology experts and organizations in an appeal to UK lawmakers to consider the broader privacy ramifications of pending legislation called the Online Safety Bill.

The legislation, moving its way through Parliament, is intended to force accountability for technology platforms used to distribute child abuse materials.

Platforms like iMessage and WhatsApp use end-to-end encryption (E2EE), which prevents anyone but the sender and recipient from viewing the contents of a message. E2EE also keeps law enforcement from identifying illicit materials.

In its current form, the Online Safety Bill allows, under some circumstances, the UK's communications regulator Ofcom to force platforms to scan messages for prohibited content.

In a statement, Apple said it was willing to work with the British government to purge abusive content on its platform, but adds that breaking end-to-end encryption comes with other privacy risks, according to reports.

"End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats," Apple said, according to the BBC. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches."

"Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all," Apple added.

In addition to Apple's objections, an open letter to Technology Minister Chloe Smith from the Open Rights Group (ORG) warned about the security risks associated with this kind of open spying on citizens without their consent. The letter was signed by more than 80 national and international civil society organizations, academics, and cyber experts, the ORG said.

"The inconvenient truth is that it is not possible to scan messages for bad things without infringing on the privacy of lawful messages," the ORG open letter read. "It is not possible to create a backdoor that only works for 'good people' and that cannot be exploited by 'bad people'."

Other encrypted messaging apps like WhatsApp and Signal told the BBC they adamantly refuse to weaken the privacy on their platforms, with Signal putting out a statement in February that if the legislation became law it ... "would absolutely walk," meaning it would halt services to the UK altogether rather than comply with proposed Online Safety Bill requirements.

Apple Objects to UK Bill That Would Break Encrypted Messaging

Patches are available for three bugs, but with technical details and PoCs now available, threat actors can craft targeted attacks.

Organizations running business-critical applications on SAP's Application Server for ABAP platform technology may want to read and heed details of a technical paper presented at Trooper's cybersecurity conference in Germany this week.

The paper, from research firm SEC Consult, provides technical details and proof-of-concept (PoC) code for four critical vulnerabilities in the server-side implementation of the Remote Function Call (RFC) communications interface in all releases and versions of SAP's NetWeaver Application Server ABAP and ABAP platform (AS ABAP).

**ABAP Kernel Affected By At Least One Of the Flaws**

The vulnerabilities give attackers a way to remotely execute arbitrary code on affected systems, access critical data, move laterally to other SAP systems on the same network, and execute other malicious actions. At least one of the flaws exists in the ABAP kernel, meaning a very large number of SAP products are affected.

"Remote unauthenticated attackers may exploit the identified issues to take full control of vulnerable application servers. This could result in a full compromise of confidentiality, integrity, and availability of data," SEC Consult said in a note to customers warning about the issues; it also shared the warning with Dark Reading.

Researchers at SEC Consult discovered and reported the vulnerabilities to SAP over the last two years. They identified the first one at the end of 2020 and the last one earlier this year. SAP issued patches for each of the identified issues soon after SEC Consult reported them to the company. Even so, SEC Consult waited till now to disclose technical details of the flaws to ensure SAP had enough time to properly address the issues.

"The identified vulnerabilities affected many different SAP products as the ABAP kernel was affected," says Johannes Greil, head of the SEC Consult Vulnerability Lab. "Hence profound work needed to be done to mitigate and test/verify the fixes for all of those products."

With technical details and proofs of concept (PoCs) for the flaws now becoming available, threat actors have information to craft targeted attacks, he says. So unpatched systems could pose a risk for organizations. "Our advice is — if it was not already done — to implement the patches and necessary configuration changes immediately as the issues are of critical risk," Greil notes. "Because of the high business risk, we also informed many customers already a few months ago in March 2023 and urged them to patch."

**Details On the Four Bugs**

The four vulnerabilities that SEC Consult discovered and reported to SAP are CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014.

CVE-2021-27610 is an authentication bypass vulnerability in AS ABAP that allows adversaries to escalate privileges on affected systems. The vulnerability gives attackers a way to establish their own communication with a vulnerable system and reuse leaked credentials to impersonate user accounts and claim a trusted identity. Successful exploitation can lead to full system compromise, SEC Consult said.

SEC Consult described CVE-2021-33677 as an information disclosure vulnerability in the AutoABAP/bgRFC Interface that allows an adversary to remotely enumerate user accounts and get the vulnerable service to execute specific requests to targeted hosts and ports. CVE-2021-33684 is a memory corruption bug that an attacker can exploit to remotely crash processes, gain remote code execution, and corrupt data. CVE-2023-0014, the most recent of the four flaws that SEC Consult reported to SAP, is a design issue that enables lateral movement in SAP system environments.

Greil describes most of the vulnerabilities as critical, especially CVE-2023-0014 and CVE-2021-27610, which, when combined, allow for easy lateral movement. "The current one from 2023 is especially important because it is more effort to patch because of additional necessary configuration changes," Greil says. Some deeper technical SAP understanding would be necessary to perform lateral attacks and exploiting the attack chain because the SAP technology stack and naming conventions differ from the usual IT security protocols, he notes. "The buffer overflow is also of high risk because it is exploitable before authentication. But we did not verify remote code execution," Greil says.

The vulnerabilities exist in a wide range of business-critical SAP products including SAP ERP Central Component (ECC), SAP S/4HANA, SAP Business Warehouse (BW), SAP Solution Manager (SolMan), SAP for Oil & Gas (IS Oil&Gas), SAP for Utilities (IS-U), and SAP Supplier Relationship Management (SRM).

Researchers Detail 4 SAP Bugs, Including Flaw in ABAP Kernel

New program provides organizations a way to show customers and partners their cybersecurity posture meets rigorous standards of CREST accreditation.

**EAST GREENBUSH, N.Y., June 28, 2023 —** The Center for Internet Security, Inc. (CIS®) today announced the launch of a joint initiative with CREST, an international not-for-profit accreditation and certification body, to help advance security and resilience to achieve better global cybersecurity.

As cyber threats continue to escalate to unprecedented levels globally, CIS and CREST are launching the CIS Controls Accreditation program to provide organizations a way to show customers and partners that their cybersecurity posture meets the best practice guidance as set forth in the CIS Critical Security Controls (CIS Controls) underpinned by the rigorous standards of CREST accreditation.

Establishing, maintaining, and proving an organization’s security posture remains a high priority for business, government, and regulatory bodies. CIS Controls Accreditation is an exclusive opportunity for CIS SecureSuite Members (Controls, Consulting & Services, and Product Vendor) and CREST Members to offer consulting services to end user organizations who wish to demonstrate that their implementation of security best practices is guided and externally assessed in accordance with the training and validation defined by two renowned authorities in cybersecurity. 

"The ability to digest all the data and controls from various devices and systems is essential in this massive shift to evidencing security," said Tom Brennan, Executive Director, CREST Americas Region. "Together, CIS Controls and CREST accreditations give our joint members an accelerated path to meet risk and compliance requirements in addition to providing a methodology for continuously monitoring their security posture. By using CREST on top of the CIS Controls, security professionals can monitor security from infrastructure that can be observed, tested, and enhanced."

The CIS Critical Security Controls are a set of globally-recognized and widely-used best practices that provide a prioritized path to improve an enterprise’s cybersecurity posture. This is the first initiative pairing the CIS Controls with a program to deliver accredited consulting.

"CIS is pleased to partner with CREST to provide end user organizations a selection of recognized consultants to advise on the implementation of and assessment against the CIS Controls," said Curtis Dukes, CIS Executive Vice President and General Manager, Security Best Practices. "We see this as a significant step forward in our efforts to secure enterprises and safeguard against current and emerging threats.

The joint CIS and CREST offering is available to members of both organizations here.  

**About CIS**

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit 

CISecurity.org or follow us on Twitter: @CISecurity.

**About CREST**

CREST is an international not-for-profit, membership body representing the global cyber security industry with the goal to help create a secure digital world for all. CREST focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration and proving security posture. Through rigorous quality assurance of its members and delivering professional certifications to the cyber security industry. CREST accredits over 350 member companies, operating across dozens of countries, and certifies thousands of professionals worldwide across governments, regulators, academic institutions, training partners, professional bodies and other stakeholders around the world. For more information, please visit us at https://www.crest-approved.org/

Center for Internet Security, CREST Join Forces to Secure Organizations Globally

Stellar leverages cyber physical system detection and response (CPSDR) to prevent unexpected system changes from impacting operational reliability and availability.

**IRVING, Texas & TAIPEI, Taiwan --** (BUSINESS WIRE) — TXOne Networks, a leader in industrial cybersecurity, announced its Stellar solution for defending operational stability. Employing TXOne Networks’ unique approach to security, Cyber-Physical System Detection and Response (CPSDR), Stellar supports the priorities of security and operations without either team having to sacrifice capability or performance. Already protecting customers in semiconductors, manufacturing, oil and gas, automotive, pharmaceuticals and other many other industries, Stellar is the first solution to offer seamless detection and prevention capabilities with complete oversight for legacy and new OT devices. With intuitive management and informed automation, implementation is quick and simple while remaining non-impacting to resource-restricted devices.

The behavioral patterns of the OT devices and cyber-physical systems on plant floors are automatically established and continuously monitored. Even a single abnormal interaction demands scrutiny that common cybersecurity approaches borrowed from information technology (IT) are often not designed to recognize or address. Stellar, however, analyzes the baseline “fingerprints” of each individual device to reveal _any_ unexpected behavior that threatens reliable and stable operations. The TXOne Networks solution then prevents the unexpected change and generates alerts to complete wider analysis. In this way, Stellar is not limited to combatting known threats; rather, by leveraging TXOne Networks’ OT-native CPSDR capabilities, Stellar’s stability-driven approach addresses unexpected system changes before operations can be impacted.

Stellar consists of an agent that works with an organization’s OT devices and a centralized management console that streamlines management and policy control. A comprehensive OT-context-focused database, which TXOne Networks maintains in partnership with leading device original equipment manufacturers (OEMs), informs the accurate identification and preservation of more than 8,000 OT/industrial control system (ICS) applications, certificates and devices.

To balance the priorities of security and operations teams, Stellar delivers complete protection of operational environments and the OT devices that they comprise of, including:

*   Multi-method threat prevention to secure OT/ICS devices from malware and abuse threats

*   Operations behavior anomaly detection to prevent malware-free attacks

*   Operation lockdown to safeguard operational integrity, reduce the chance of downtime and reduce the requirements for outages (especially valuable for “non-patchable” systems)

*   Trusted control of USB devices to protect against their unauthorized access

"An increasing number of organizations today recognize OT operations as pivotal hubs for generating business value," stated Terence Liu, the Chief Executive Officer of TXOne Networks. "Numerous prominent industry leaders across diverse sectors are already entrusting our Stellar Endpoint security solution to safeguard their critical assets. With the introduction of the CPSDR feature in Stellar 3.0, enterprises can uphold operational stability and proactively mitigate unforeseen threats."

Learn more about Stellar. Follow TXOne Networks on Blog, Twitter, and LinkedIn.

**About TXOne Networks**

TXOne Networks offers cybersecurity solutions that ensure the reliability and safety of industrial control systems and operational technology environments. TXOne Networks works together with both leading manufacturers and critical infrastructure operators to develop practical, operations-friendly approaches to cyber defense. TXOne Networks offers both network-based and endpoint-based products to secure the OT network and mission-critical devices using a real-time, defense-in-depth approach. www.txone.com

Source

DARKReading