Full Report
Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.

Dive into six things that are top of mind for the week ending Jan. 17.

## 1 - How to choose cybersecure OT products

Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.

The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:

- Support for controlling and tracking modifications to configuration settings
- Logging of all actions using open-standard logging formats
- Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
- Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
- Protection of the integrity and confidentiality of data at rest and in transit

According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

For more information about OT systems cybersecurity, check out these Tenable resources:

- “What is operational technology (OT)?” (guide)
- “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
- “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

## 2 - JCDC publishes playbook to collect AI security info

A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.

The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.

“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.

AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.

By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:

- Sharing information to improve detection and prevention of AI threats
- Exposing attackers’ tactics and infrastructure
- Identifying and notifying victims
- Generating threat advisories and intelligence reports
- Offering tailored recommendations, vulnerability management strategies and cyber defense best practices

The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.

In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”

For more information about industry efforts for collaborating on AI security:

- Cloud Security Alliance’s “AI Safety Initiative”
- MITRE’s “AI Incident Sharing initiative”
- Open Worldwide Application Security Project’s “AI Exchange”
- U.S. government’s “Testing Risks of AI for National Security (TRAINS) Taskforce”

## 3 - New White House cybersecurity EO includes AI requirements

The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.

The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.

“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.

Among the executive order’s requirements for AI are:

- Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include:
  - vulnerability detection
  - automatic patch management
  - identification and categorization of anomalous and malicious activity across IT or OT systems
- The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
- The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
- The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ processes and “interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.

These AI-related actions all must be completed at various dates during 2025.

The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.

## 4 - CISA publishes secure software development best practices

Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.

As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.

The best practices are organized into two categories, software development process goals and product design goals, and include:

Software development process goals:

- Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
- Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
- Enforce multi-factor authentication across all software development environments.
- Securely store and transmit credentials.

Product design goals:

- Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
- Provide timely security patches to customers.
- Don’t use default passwords in your products.
- Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.

To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.

For more information about secure software development:

- “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
- “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
- “Secure Software Development Framework” (NIST)
- “Secure development and deployment guidance” (UK NCSC)
- “OWASP Developer Guide” (Open Worldwide Application Security Project)

## 5 - U.S. gov’t launches security label for IoT products

To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.

Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.

“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.

IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. IoT products that earn the label will also have a QR code that’ll link consumers to information such as:

- How to change default passwords
- How to configure the device securely
- How to access software updates and patches if they’re not delivered automatically
- The end date of the product’s support period

Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.

To get more details, visit the U.S. Cyber Trust Mark home page.

For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO).

## 6 - U.S. gov’t seeks tougher cybersecurity rules for health providers

Doctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S. That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).

The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:

- Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.
- Make risk analysis more specific by submitting written assessments that include:
  - A review of the technology asset inventory and network map
  - Reasonably anticipated threats to ePHI’s confidentiality, availability and integrity
  - Potential vulnerabilities to the organization’s electronic information systems
  - A risk-level assessment of identified threats and vulnerabilities
- Strengthen contingency planning and security incident response with steps including:
  - Draft written plans to restore certain electronic information systems and data within 72 hours.
  - Prioritize restoration by analyzing criticality of systems and tech assets.
  - Outline in writing how employees and the organization will respond to known or suspected security incidents.
- Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.
- With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.
- Conduct vulnerability scanning at least every six months, and penetration testing at least once a year.

For more details about HHS’ new proposed cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.
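The CISA product design goal in item 4 above asks vendors to eliminate whole vulnerability classes rather than patch individual bugs. The following Python script is an added illustration of what that means for SQL injection; it is not code from the Tenable post or from CISA's fact sheet. It seeds an in-memory SQLite table with constructed sample rows, then contrasts a lookup that interpolates untrusted input into the SQL text with the parameterized form, where the database driver binds the input as data and the string boundary can never be escaped. The table name, rows and test inputs are all constructed for the example.

```python
"""Eliminating SQL injection as a class with parameterized queries.

Added example, not from the Tenable post or CISA's guidance. Uses the
standard-library sqlite3 module and constructed sample data.
"""
import sqlite3

# Constructed sample data: a tiny users table with two accounts.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The injectable pattern: untrusted input is spliced into the SQL text,
    so a quote character in the input changes the query's structure."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The class-eliminating pattern: the input is bound as a parameter and
    is only ever compared as a value, whatever characters it contains."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups on a benign name and on a constructed input that
    tries to break out of the string literal; return row counts."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed test input, closes the literal
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_parameterized": len(lookup_parameterized(conn, benign)),
        # The interpolated query becomes WHERE name = '' OR '1'='1' and
        # returns every row; the bound query matches no user of that name.
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_parameterized": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value} row(s)")
```

Running the script shows both lookups returning one row for the benign name, while the hostile input returns every row from the interpolated query and no rows from the parameterized one. The point of the CISA goal is the second function: a code base that only ever builds queries with bound parameters does not need per-input sanitizing, because the class of defect is gone by construction, and a code review or linter can enforce the pattern mechanically.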
Analysis Summary
# Best Practices: Cybersecurity Strategy and Exposure Management
## Overview
These practices are derived from a Tenable Cybersecurity Snapshot, focusing on modern requirements for comprehensive cyber risk mitigation, particularly highlighting the need to comply with new regulatory directives (like the referenced Biden Executive Order) and manage the expanding attack surface through unified exposure management.
## Key Recommendations
### Immediate Actions
1. **Deploy Comprehensive Vulnerability Scanning:** Immediately utilize tools like Tenable Nessus Expert to attain visibility across the entire IT and cloud attack surface to identify existing weaknesses.
2. **Initiate Exposure Management Platform Adoption:** Begin the process of integrating exposure management capabilities (covering Cloud, Vulnerability, OT/IoT, and Identity) to gain a unified view of cyber risk.
3. **Review Cloud Security Posture:** If utilizing cloud environments, immediately assess the need for Cloud Security Posture Management (CNAPP) and Cloud Infrastructure Entitlement Management (CIEM) solutions.
### Short-term Improvements (1-3 months)
1. **Implement Attack Path Analysis:** Begin using attack path analysis capabilities to prioritize remediation efforts based on routes an attacker could take to high-value assets, moving beyond simple severity scoring.
2. **Automate Patch Management Workflow:** Deploy and integrate a dedicated Patch Management solution to streamline collaboration between security and IT teams, explicitly targeting the reduction of Mean Time to Remediate (MTTR).
3. **Establish Just-in-Time (JIT) Access Controls:** Implement JIT access features for cloud environments to temporarily grant elevated permissions only when necessary, minimizing standing privileges.
### Long-term Strategy (3+ months)
1. **Develop AI Security Strategy:** Develop and formalize security guidelines and requirements specifically addressing the unique risks associated with Generative AI (GenAI) deployment and usage within the organization, in alignment with emerging executive orders.
2. **Integrate Exposure Metrics for Reporting:** Establish formalized processes for using exposure metrics and reporting (e.g., Lumin Exposure View) to support executive and board-level communication regarding cyber risk posture.
3. **Mandate Continuous Compliance Verification:** Integrate the security platform's capabilities to continuously map and report on the fulfillment of required cybersecurity standards (e.g., fulfilling SLCGP requirements).
## Implementation Guidance
### For Small Organizations
- **Prioritize Core Vulnerability Management:** Focus initial efforts and budget on a robust vulnerability management solution (e.g., Nessus Expert) covering IT assets and basic cloud configurations.
- **Leverage Free/Trial Offerings:** Utilize free trials (e.g., 7-day free trial for Nessus Expert) to rapidly assess the current state before committing to larger platform investments.
- **Focus on High-Risk Remediation:** Due to limited resources, strictly prioritize fixing discovered vulnerabilities that are part of known or plausible attack paths.
### For Medium Organizations
- **Adopt Unified Platform:** Transition to an integrated Exposure Management Platform (like Tenable One) to start connecting vulnerability data with cloud and identity exposures.
- **Develop Basic Attack Path Visuals:** Start mapping out common attack paths identified through path analysis to inform process improvements across security and IT operations.
- **Invest in Targeted Training:** Enroll key personnel in foundational training (e.g., Nessus Fundamentals course) to maximize the utility of deployed tools.
### For Large Enterprises
- **Integrate Across All Domains:** Ensure full integration of Cloud, Vulnerability, OT/IoT, and Identity exposure data within the central Exposure Management Platform.
- **Establish Governance for AI Security:** Create formal governance structures to manage security risks introduced by GenAI technologies, ensuring adherence to evolving regulatory mandates.
- **Streamline Remediation Workflow:** Utilize advanced reporting and automation features to enforce SLAs for patching and configuration fixes across disparate IT/OT/Cloud silos, focusing on quantifiable MTTR reduction.
## Configuration Examples
*No specific technical command-line configurations were provided in the source text; the guidance centers on product adoption and capability implementation.*
Key Configuration Capabilities to Activate:
1. **Cloud Infrastructure Entitlement Management (CIEM):** Configure to continually review and right-size permissions in cloud environments.
2. **Just in Time (JIT) Access:** Configure JIT policies to automatically revoke temporary elevated cloud access after a specified duration.
3. **Exposure AI Analytics:** Enable analytical features within the platform to provide risk-based prioritization based on business context.
## Compliance Alignment
- **SLCGP Requirements:** Tenable solutions are explicitly positioned to help fulfill all requirements of the SLCGP (Cybersecurity Plan).
- **General Framework Alignment:** The implemented capabilities align heavily with foundational security concepts emphasized by:
* **NIST Cybersecurity Framework (CSF):** Focuses heavily on Identify, Protect, and Detect functions through comprehensive visibility and risk prioritization.
* **CIS Controls:** Addressing critical controls related to continuous vulnerability management and identification of assets (Control 1 & 2).
## Common Pitfalls to Avoid
- **Ignoring Attack Path Context:** Do not rely solely on raw vulnerability severity scores (e.g., CVSS) for prioritization; this leads to spending effort on low-risk findings instead of critical path vulnerabilities.
- **Siloed Security Efforts:** Avoid managing Cloud Security Posture, Vulnerability Management, and OT Security in completely separate toolsets without connecting the data, as this obscures true organizational risk.
- **Delaying AI Security Assessment:** Postponing the assessment of AI-related security risks due to perceived regulatory ambiguity, as executive mandates already require proactive security measures for AI systems.
## Resources
- **Exposure Management Platform:** Tenable One (For unified visibility and risk communication).
- **Vulnerability Scanning:** Try Tenable Nessus Expert (For broad attack surface coverage).
- **Training:** Nessus Fundamentals On-Demand Video Course (For foundational tool proficiency).
- **Compliance Inquiry:** Direct inquiries regarding SLCGP fulfillment to `[email protected]`.