Operational Technology (OT), Industrial Control Systems (ICS), SCADA System, Critical Infrastructure Protection (CIP)

Tenable.ot

Solution Overview

Tenable.ot protects industrial networks from cyber threats, malicious insiders and human error. Tenable.ot identifies and protects operational technology (OT) environments from cyber exposure and threats and ensures operational safety and reliability.

Tenable.ot

At the heart of every industrial facility is a network of industrial control systems comprised of purpose-built controllers. Known as Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs), these controllers are dedicated industrial devices that serve as the bedrock of all industrial processes. Today’s sophisticated Operational Technology (OT) environments have a large attack surface with numerous attack vectors. Without complete visibility, security and control across converged IT and OT, getting attacked is not a matter of ‘if’; it’s a matter of ‘when’.

Tenable.ot protects industrial networks from cyber threats, malicious insiders, and human error. From threat detection and mitigation to asset tracking, vulnerability management, and configuration control, our Industrial Control System (ICS) security capabilities maximize the safety and reliability of operational environments. The solution delivers situational awareness across all sites and their respective OT assets - from Windows Servers to PLC backplanes - in a single pane of glass.

Features Overview

Converged Visibility
Tenable.ot provides complete enterprise visibility by integrating with Tenable.sc as well as leading IT security tools, such as SIEM, other activity reporting tools, Next Generation Firewalls, vulnerability management tools and more. The platform also shares information with CMDB, asset inventory platforms, change management tools and more. Our RESTful API is designed to facilitate extraction of data even to proprietary tools, giving a more coherent view of the IT & OT environments in a single pane of glass.

Threat Detection and Mitigation
Tenable.ot detects and alerts on threats coming from external and internal sources - whether human or malware based. Leveraging multiple detection methodologies, Tenable.ot identifies anomalous network behavior, enforces network security policies and tracks local changes on devices. This enables organizations to detect and mitigate risky events in OT environments. Context-aware alerts include extended information and a comprehensive audit trail for fast incident response and forensic investigations.

Asset Tracking
Tenable.ot’s automated asset discovery and visualization capabilities provide a comprehensive, up-to-date inventory of all network assets, including Workstations, Servers, HMIs, Historians, PLCs, RTUs, IEDs and network devices. Active device scanning capabilities enable the discovery of dormant devices in the network’s "blind" zone and of local-only data. The inventory contains unparalleled asset information depth – tracking firmware and OS versions, internal configuration, running software and users, as well as serial numbers and backplane configuration for both IT- and OT-based equipment.

Vulnerability Management
Drawing on our comprehensive and detailed asset tracking capabilities, Tenable.ot generates risk levels for every asset in your ICS network. These reports include risk scoring and detailed insights, along with mitigation suggestions. Our vulnerability assessment is based on various parameters such as firmware versions, relevant CVEs, proprietary research, default passwords, open ports, hot fixes installed and more. This enables authorized personnel to quickly identify new vulnerabilities and efficiently mitigate risk factors in the network.

Configuration Control
Tenable.ot tracks and logs all configuration changes executed by a user or by malware, whether over the network or directly on the device. It provides a full history of changes made to device configurations over time, including granularity of specific ladder logic segments, diagnostic buffers, tag tables and more. This enables users to establish a backup snapshot with the "last known good state" for faster recovery and demonstrate compliance with industry regulations.

Benefits

Below are some of the benefits of using Tenable.ot:

  • Gain full visibility across converged IT/OT operations. Eliminate blind spots which can harbor lateral threats that can traverse IT and OT.
  • Detect and mitigate threats that impact industrial and critical operations by leveraging multiple detection methodologies.
  • Identify and track IT and OT assets. Gain deep knowledge and situational awareness into the operation and state.
  • Reduce risk by identifying vulnerabilities and potential threats before they become exploits and impact industrial operations.
  • Track configuration changes with full audit trail capabilities. Determine who made changes, what was changed and why, as well as the result of those changes.

Unified Risk-based View Across Your Converged Infrastructure With Tenable.ot and Tenable.sc/Tenable.io Integration

Depending on which enterprise IT vulnerability management platform you have selected, Tenable offers two convenient integrations: Tenable.ot with your existing Tenable.sc, or Tenable.ot with your existing Tenable.io.

Integrating network, system, application and custom data sources is very time-consuming and costly when it is done across products from different vendors. Offering Tenable.ot alongside the already supported Tenable.sc and Tenable.io is therefore a strong value proposition for those who need a unified, risk-based view across their converged infrastructure.

Tenable.ot and Tenable.sc Integration

Tenable.ot and Tenable.io Integration

Solution Components

360-Degree Visibility
Attacks can easily propagate in an IT/OT infrastructure. With a single platform to manage and measure cyber risk across your OT and IT systems, you have complete visibility into your converged attack surface. Tenable.ot also natively integrates with leading IT security and operational tools, such as your Security Information and Event Management (SIEM) solution, log management tools, next-generation firewalls, and ticketing systems. Together, this builds an ecosystem of trust where all of your security products can work together as one to keep your environment secure.

Threat Detection and Mitigation
Tenable.ot leverages a multi-detection engine to find high-risk events and behaviors that can impact OT operations. These engines include:

  • Policy-Based: With this unique capability, you can activate predefined policies or create custom policies that whitelist and/or blacklist specific granular activities which may indicate cyber threats or operational mistakes, and trigger alerts when they occur. Policies can also trigger active checks for predefined situations. This is crucial for discovering risky events that don’t rise above the statistical noise (e.g. malware, reconnaissance activity, or querying device firmware versions from a human machine interface (HMI)).
  • Behavioral Anomalies: The system detects deviations from a network traffic baseline based on traffic patterns. Pattern baselines include a mixture of time ranges, protocols, devices, etc. Among other things, it allows detection of suspicious scans indicative of malware or rogue devices in your network. It then sends context aware alerts with detailed information to your team so you can quickly respond and launch forensic investigations into what happened.
  • Signature Updates: In a partnership with the Open Information Security Foundation (OISF), Tenable.ot leverages the Suricata set of signatures along with Tenable’s proprietary signature rules. By leveraging crowdsourced data, you can detect attacks throughout all stages and get alerts with context about suspicious traffic that can indicate reconnaissance, exploits, installed malware, lateral propagation and more. The threat detection engine ingests new signature updates to address new threats as they evolve.

Asset Inventory and Active Detection
Leveraging groundbreaking and patented technology, Tenable.ot provides unparalleled visibility into your infrastructure—not only at the network level, but down to the device level. It combines native communication protocols to actively query IT, as well as OT devices in your ICS environment, to identify all of the activities and actions across your network.

Risk-Based Vulnerability Management
Drawing on comprehensive and detailed IT and OT asset tracking capabilities, Tenable.ot generates vulnerability and risk levels using Predictive Prioritization for each asset in your ICS network. These reports include risk-scoring and detailed insights, along with mitigation suggestions. Tenable’s vulnerability assessment includes parameters such as firmware versions, relevant CVEs, proprietary research, default passwords, open ports, installed hotfixes and more. This enables authorized personnel to quickly identify the highest risk for priority remediation before attackers exploit vulnerabilities.

Configuration Control
With Tenable.ot, you can track malware and user-executed changes made over your network or directly on a device. Configuration control provides a full history of device configuration changes over time, including granularity of specific ladder logic segments, diagnostic buffers, tag tables and more. This enables administrators to establish a backup snapshot with the “last known good state” for faster recovery and compliance with industry regulations.

Tenable.ot 3.9.14 Release Notes (2020-12-15)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-s5fe55420c492418cbced071043cfd9c6.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-s832ad21b0b8647f7948e2d57d59e5b81.

New Features

Network Map Redesign

Tenable.ot's network map was rebuilt. Alongside an improved user experience, the user can now easily group and filter assets by their type, vendor, or risk level. This helps to make the map more useful, especially for large numbers of assets.

Increased IoT Visibility

Tenable.ot now identifies various IoT devices. If these devices are detected, they are shown in a new designated sub-tab.

New Asset Types

Tenable.ot now identifies the following device types:

Category: New Types
IoT: Access Control System, HVAC Module, Lighting Control, Smart Hub, Smart TV, Tablet, Medical Device
Field Device: Barcode Scanner, Industrial Sensor, Drive
Server: Domain Controller
Network Device: Repeater
OT Device: Industrial Router, Industrial Switch, Industrial Gateway, Industrial Network Device

Saia PCD - Standard Active Support

Tenable.ot now detects the device model, firmware version, hardware version, CPU state, and the project name of SAIA PCD devices. This support level in particular facilitates the detection of their vulnerabilities.

Basic Active Support for Various Assets

Basic active support was added for the following devices:

  • Schneider PowerLogic EGX100 Gateway
  • Digi One SP Serial-Ethernet Bridge
  • Westermo EDW-1x0 Serial-Ethernet Bridge
  • Tait Communications TB9x00 DMR Base Station
  • Eaton 5PX UPS

Sync Now Tenable.sc and Tenable.io

Pushing data from Tenable.ot to Tenable.sc and Tenable.io can now be done on-demand via the user interface.

Conversations Log

The conversations log has been extended to include 10,000 records.

Bug Fixes

Bug Fix
Factory Reset changed the "nessusfile" folder permissions, preventing the Tenable.io/Tenable.sc integration from working
Asset removal scripts failed on version 3.8.x
ControlLogix and CompactLogix missing I/Os on AB rack
Factory reset with split port doesn't reset the NIC configuration

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later

Tenable.ot 3.8.17 Release Notes (2020-11-09)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-sa3d6ad208a314ad.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-s6fa9363d35ba4f8.

Bug Fixes

Bug Fix
Post Factory reset system failed to initialize
Spike in conversation event, conversation deviation numbers divided by 100
After editing SNMP server, empty password is sent and the server is not working
Events that are already resolved displayed in the events tab on single asset page
Generate vector on external assets should not be presented
Attack Vector - Auto Generated Failed with error "no available source for destination" as all src assets in graph have Risk score 0
Reconnaissance tools need libpcap (Debian) and are not runnable
Email links in report presented with ICP IP address instead of config url

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later

Tenable.ot 3.8.15 Release Notes (2020-10-16)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-s68d7ab484d04a549.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-s488331a631b4e90b.

Bug Fixes

Bug Fix
Fixed migration issue to 3.8 GA.

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later

Tenable.ot 3.8.13 Release Notes (2020-10-08)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-s1fd50e753e84da29.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-s6aa49a309774c14a.

New Features

Attack Vectors

Tenable.ot now allows users to perform predictive attack analysis by calculating potential attack vectors for each asset. An attack vector is a communication path that an attacker might use to reach a given asset in the network, by leveraging network connectivity and vulnerabilities of assets along the way.

It's presented in the single asset details page, in a dedicated new sub-tab, that can be accessed via the navigation bar.

The user can either choose a specific asset as a potential starting point for the attack or leave it up to the system to identify the most critical vector.

Matching Tenable User Interface Look and Feel

The Tenable.ot user interface now matches the rest of the Tenable product suite, particularly Tenable.io.

Integrations with Tenable.sc and Tenable.io can now be configured via the user interface

The respective configurations can be found in the ICP local settings tab. The user can set the frequency of data posting.

Cache for Syslog Messages

Syslog messages that are sent over TCP are now being cached in case of communication failures, to address syslog servers (e.g. SIEM systems) that are temporarily down. Cache size is up to 10,000 messages.
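The store-and-forward behaviour described above, as an added example that is not Tenable's code: a bounded cache in front of a TCP syslog sender that keeps messages while the SIEM is unreachable and replays them in order once delivery succeeds again. The 10,000-message limit is taken from the release note; the oldest-first drop policy, the RFC 5424-style framing, the fixed timestamp and the injectable send callback are assumptions made for this example.

```python
"""Added example, not Tenable's code: a bounded store-and-forward buffer for
TCP syslog of the kind the release note describes. Messages produced while the
SIEM is unreachable are kept (up to CACHE_LIMIT) and re-sent in order once
sending succeeds again. The 10,000 limit comes from the release note; the
oldest-first drop policy, the RFC 5424-style framing and the injectable send
callback are assumptions made for this example."""
from collections import deque
from typing import Callable, Deque, Dict, List

CACHE_LIMIT = 10_000  # size stated in the 3.8.13 release note


def frame(severity: int, host: str, app: str, msg: str,
          ts: str = "2020-10-08T00:00:00Z") -> bytes:
    """Build an RFC 5424 line. PRI = facility*8 + severity; facility 1 (user).
    A fixed timestamp keeps the example deterministic; real code uses now()."""
    if not 0 <= severity <= 7:
        raise ValueError("syslog severity is 0..7")
    return f"<{8 + severity}>1 {ts} {host} {app} - - - {msg}\n".encode("utf-8")


class SyslogForwarder:
    """send() is any callable that raises OSError when delivery fails."""

    def __init__(self, send: Callable[[bytes], None], limit: int = CACHE_LIMIT):
        self._send = send
        self._cache: Deque[bytes] = deque(maxlen=limit)
        self.dropped = 0  # messages discarded because the cache was full

    def emit(self, line: bytes) -> None:
        if self._cache:
            # Older messages are still queued: queue this one too and let
            # flush() drain the cache front-first so ordering is preserved.
            self._enqueue(line)
            self.flush()
            return
        try:
            self._send(line)
        except OSError:
            self._enqueue(line)

    def _enqueue(self, line: bytes) -> None:
        if len(self._cache) == self._cache.maxlen:
            self.dropped += 1  # deque(maxlen=...) evicts the oldest entry
        self._cache.append(line)

    def flush(self) -> int:
        """Retry queued messages in order; stop at the first failure."""
        sent = 0
        while self._cache:
            try:
                self._send(self._cache[0])
            except OSError:
                break
            self._cache.popleft()
            sent += 1
        return sent

    def pending(self) -> int:
        return len(self._cache)


def simulate_outage(limit: int = 3) -> Dict[str, object]:
    """Constructed scenario: a SIEM that goes down and comes back, with a
    small cache so the overflow behaviour is visible. Returns what was
    delivered (in order), how many messages were lost, and what is pending."""
    state = {"up": True}
    delivered: List[str] = []

    def send(line: bytes) -> None:
        if not state["up"]:
            raise OSError("connection refused")
        delivered.append(line.decode().split(" - - - ", 1)[1].strip())

    fwd = SyslogForwarder(send, limit=limit)
    fwd.emit(frame(6, "icp1", "tenable-ot", "event A"))  # delivered directly
    state["up"] = False
    for name in "BCDE":                                    # SIEM is down
        fwd.emit(frame(4, "icp1", "tenable-ot", f"event {name}"))
    retried_while_down = fwd.flush()                       # nothing goes out
    state["up"] = True
    fwd.emit(frame(6, "icp1", "tenable-ot", "event F"))  # drains the cache
    return {"delivered": delivered, "dropped": fwd.dropped,
            "pending": fwd.pending(), "retried_while_down": retried_while_down}


if __name__ == "__main__":
    print(simulate_outage(limit=3))
```

The scenario in simulate_outage shows the caveat a practitioner should keep in mind: once the cache is full, every further message costs the oldest queued one, so during an outage longer than 10,000 events' worth of traffic the earliest alerts are the ones that never reach the SIEM. Sizing the cache against the expected event rate, and alerting on the forwarder's own drop counter, is how that gap is detected.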

Detection of Vulnerabilities in Wibu's CodeMeter

A predefined policy was added, aimed at flagging devices that are susceptible to vulnerabilities in Wibu's CodeMeter license manager, which is used by several industrial automation vendors. The policy is based on a Suricata rule released by the research team, in response to the CISA advisory on this matter.

Vendor Support

ABB AC500 - Basic Passive and Standard Active support were added.

Leveraging FTP Responses for Asset Fingerprinting

Asset details are extracted and used for fingerprinting and classification.

Bug Fixes

Bug Fix
Integration of Tenable.io requires the server key on any update
Suricata configuration for Dell PowerEdge HW
User failed to delete a group after it was used in a complex group
Ignore RDP events when they are executed from the box (as part of Nessus)

API Changelog

For more information about the API changes for this release, see the Tenable.ot API Changelog.

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later

Tenable.ot 3.7.22 Release Notes (2020-09-14)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-s9366b39d2974a06b.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-seef9789fa134f489.

New Features

Basic Active Support

  • Andritz Thyne, Lenze IO, MVK Metal IO, Eaton Power Xpert, Ocean Controls KTA, Sick, Comet, Silex Technology and other IoT devices.

Bug Fixes

Bug Fix
Missing Sync Now on Tenable.io and Tenable.sc Integrations
Adding Nessus Scan Results to Tenable.io and Tenable.sc Integration
Fix Issue with Split Ports
Fix Issue of limited option to Copy & Paste from Grids
Fix CVE Matching for Yokogawa https://us-cert.cisa.gov/ics/advisories/icsa-20-224-01
Enable special characters for SMTP password
Fix setting date and time manually, the time sent should be in UTC (time configured - timezone)
Fix user unable to delete DNS server after it was entered
Fix run now should be disabled when no CIDRs are entered
Fix user being allowed to submit an empty SNMP v3 form
Fix Network Summary default time value was browser GMT without calculating time zone

API Changelog

For more information about the API changes for this release, see the Tenable.ot API Changelog.

Filenames and MD5 Checksums

File MD5
cobex_3.7.22.tar.xz.gpg a2fa4e66b0916748aa5e0ef4b2a4a010

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later

Tenable.ot 3.7.18 Release Notes (2020-08-10)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-sfde665c7b9942aba.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-sb0d4e3b0df840318.

New Features

Vendor Support

  • Emerson Ovation - Standard Active Support
  • Siemens S7+ - Premium Support Including Full Backplane Inventory
  • HART Protocol - Basic Passive Support

Asset Types - Increasing Type Catalog

Tenable.ot has taken another step forward in diversifying the available types for asset classification. With that, it can communicate more granular findings about the inventory to its users. On top of that, users are able to manually classify assets to each of the available types.

The new list of asset types:

Controllers: Controller, PLC, DCS, IED, RTU, Communication Module, I/O Module, CNC, Power Supply
Field Devices: Field Device, Actuator, Smart Sensor, Inverter, Relay, Remote I/O, Power Meter
OT Devices: OT Device, Industrial Printer, HMI, Data Logger
OT Servers: OT Server, Historian
Network Devices: Network Device, Router, Switch, Hub, Wireless Access Point, Firewall, Converter, Radio, Serial-Ethernet Bridge, Gateway
Servers: Server, File Server, Web Server, Virtual Server
IoT: IoT, Camera, Panel, Projector, VOIP Device, 3D Printer, Printer, UPS, IP Phone, Storage Device
Workstations: Workstation, OT Workstation, Engineering Station, Virtual Workstation
Endpoints: Endpoint, Mobile

Integrating Nessus into Tenable.ot

Tenable.ot allows its users to perform a Nessus scan on assets of their choice. This allows them to harness the best of vulnerability assessments for all non-OT specific assets in the OT environment. Subsequently, Tenable.ot can reflect these vulnerabilities to Tenable.sc and Tenable.io based on the available integrations between them in order to allow for complete vulnerability assessment for all enterprise environments.

Users have full control over Nessus scans launched from Tenable.ot: scans run only on single assets and only when activated by a user. At the same time, Tenable.ot prevents the execution of Nessus scans on assets which are identified as controllers, field devices and other OT-specific devices. In addition, it advises the user to take extra care when analyzing OT-related servers, and to consider running such scans during maintenance time windows.

New Scan for Ripple20 vulnerabilities identification

Tenable.ot allows its users to perform a scan of their inventory to identify vulnerable devices related to the recently publicly available Ripple20 set of vulnerabilities. This is based on the Nessus plugin which was made available after the disclosure. Users can launch this scan manually and have full control on which assets to scan.

User Managed Intrusion Detection Rule Groups

On top of the existing out-of-the-box intrusion detection policies and available Suricata rules, which are organized in predefined rule groups, Tenable.ot now offers extended flexibility in adapting them to specific environments and circumstances. Users can now review the entire rule repository, which includes both curated rules and Tenable's own rules, and create user-defined policies that apply self-chosen rules. In addition, the user can add or remove rules from existing threat detection policies in case further adaptation is needed.

PCAP Player

Users can now play network capture files (.pcap, .pcapng, .pcap.gz, .pcapng.gz) into the Tenable.ot core platform. This can be used for simulation purposes or to analyze traffic taken from parts of the network that are not monitored continuously. Uploading and playing network capture files is available from the PCAP Player page in the settings.

VPR and Threat Intelligence Indicators for CVEs

  • VPR

    Vulnerability Priority Rating (VPR), the output of Tenable Predictive Prioritization, helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on a severity level determined by two components: technical impact and threat. The VPR score is now displayed for each identified CVE, both in the CVEs tab of the single asset page and in the general CVEs table under the Risk tab.

  • VPR Key Drivers

    For each CVE you can now view the global threat landscape key drivers to explain the CVE's VPR score.

    The following table describes the key drivers:

    Key Driver Description
    Vulnerability Age The number of days since the National Vulnerability Database (NVD) published the vulnerability.
    CVSSv3 Impact Score The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.ot displays a Tenable-predicted score.
    Exploit Code Maturity The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
    Product Coverage The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
    Threat Sources A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
    Threat Intensity The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
    Threat Recency The number of days (0-730) since a threat event occurred for the vulnerability.
  • CVSSv3

    We are now presenting the Common Vulnerability Scoring System (CVSS) v3 alongside the former CVSSv2 and the new VPR score, in the CVEs page on the general Risk tab and in the CVEs tab of single assets.

  • Base Scores

    NVD's base scores are presented per each identified CVE. The base scores are the characteristics of the CVE that are constant with time and across user environments. The Access Vector, Access Complexity, and Authentication metrics capture how the vulnerability is accessed and whether or not extra conditions are required to exploit it. The three impact metrics measure how a vulnerability, if exploited, will directly affect an IT asset, where the impacts are independently defined as the degree of loss of confidentiality, integrity, and availability.

Indicating Purdue Level of Assets

Every asset is now labeled with its level according to the Purdue Model for Computer Integrated Manufacturing. Based on that, users can sort, filter and group assets by their Purdue level. The Purdue level designations of assets are editable by users.

Event Based PCAPs from Enterprise Manager

In version 3.5.13 we released the capability of extracting .pcap files filtered from the full network captures to specific events triggered by our policy based engine. We are now enabling this capability from the single site view of the Enterprise Manager as well.

Bug Fixes

Bug Fix
Aruba ClearPass integration - Slowed down the rate of information which is sent to ClearPass.
Report Performance Issues Fixed - Limited number of assets in CVE Drill Down chapter to 20.
Fix wrong units on Top Sources/Destinations Chart on network summary page
Setup Wizard redirected to blank white page (instead of reloading page)
Report with asset drill down information failed to be generated
Packet capture File Management for Sensors behind NAT fix.

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later

Tenable.ot 3.6.33 Release Notes (2020-07-14)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-s8ba6342ec004b86a.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-s10cc31311564736a.

New Features

Vendor Support

  • Premium Support for ABB RTU 540/560

Tenable.io Integration

  • Added integration capabilities to Tenable.io. Integration setup is done with Tenable Support assistance and requires a Tenable.io Access Key and Secret Key.

Detection of Ripple20 exploit attempts

  • Added an Intrusion Detection rule group which will detect successful identification attempts or exploits of Ripple20 affected assets over the network.

API

  • API Key - API improved to align with the standard REST API spec. Starting with 3.6.33, the API uses the 'X-APIKeys' header instead of 'Authorization'.

    The new header is: 'X-APIKeys: key= <API_KEY>'

    For example:

    curl -v -k -H 'X-APIKeys: key=Mbvf2sXdROWBrB99MBXwXN-LqYrWVxPEyos1IJk9e9aNPLOlWalkHkAfsS4=' https://IP/v1/status
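The same /v1/status call as an added example in Python, not Tenable's code: it builds the 'X-APIKeys: key=<API_KEY>' header, reads the key from an environment variable so it does not end up in shell history or process listings, and verifies the appliance certificate instead of skipping verification the way the curl -k flag above does. Assumptions made here: the /v1/status path is reused unchanged from the curl example, the environment variable name TENABLE_OT_API_KEY is chosen for this example, and the CA bundle path is supplied by the caller.

```python
"""Added example, not Tenable's code: calling the Tenable.ot REST API with the
'X-APIKeys: key=<API_KEY>' header that replaced 'Authorization' in 3.6.33.
Assumptions made here: the /v1/status path from the curl example is reused
unchanged; the key is read from an environment variable named
TENABLE_OT_API_KEY (a name chosen for this example); and the appliance
certificate is verified against a CA bundle instead of being skipped."""
import json
import os
import ssl
import urllib.request
from typing import Callable, Optional

API_HEADER = "X-APIKeys"


def api_key_header(api_key: str) -> dict:
    """Header the 3.6.33+ API expects; value format is 'key=<API_KEY>'."""
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("API key must be a single non-empty token")
    return {API_HEADER: f"key={api_key}"}


def build_status_request(base_url: str, api_key: str) -> urllib.request.Request:
    """GET request for /v1/status carrying the API-key header."""
    if not base_url.startswith("https://"):
        # The key travels in a header: never send it over plaintext HTTP.
        raise ValueError("base_url must use https://")
    url = base_url.rstrip("/") + "/v1/status"
    return urllib.request.Request(url, headers=api_key_header(api_key), method="GET")


def tls_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Context that verifies the ICP certificate (curl -k skips this check).
    ca_bundle: PEM file of the CA that issued the appliance certificate, or
    None to use the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def get_status(base_url: str, ca_bundle: Optional[str] = None,
               opener: Optional[Callable[[urllib.request.Request], object]] = None) -> dict:
    """Fetch /v1/status and decode the JSON body.
    `opener` is injectable so the request logic can be exercised without a
    live appliance; the default opens the URL with certificate verification."""
    api_key = os.environ.get("TENABLE_OT_API_KEY")
    if not api_key:
        raise RuntimeError("set TENABLE_OT_API_KEY rather than passing the key on the command line")
    req = build_status_request(base_url, api_key)
    if opener is None:
        ctx = tls_context(ca_bundle)

        def opener(r: urllib.request.Request):
            return urllib.request.urlopen(r, context=ctx, timeout=15)

    resp = opener(req)
    try:
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        return json.loads(resp.read().decode("utf-8"))
    finally:
        resp.close()


if __name__ == "__main__":
    import sys
    # Usage: TENABLE_OT_API_KEY=... python3 ot_status.py https://<icp-host> [ca.pem]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(get_status(sys.argv[1], ca), indent=2))
```

The header name is case-insensitive on the wire, so urllib's normalisation to X-apikeys is harmless. Passing the appliance's CA certificate (or the system trust store) instead of disabling verification is what prevents the API key from being handed to anything that can intercept the connection to the ICP.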

Bug Fixes

Bug Fix
Grouping Assets by Site fix for Enterprise Manager
Appliance Data Auto-Refresh for Enterprise Manager
Network Summary Widgets Fix of Units & Colors
Traffic and conversation graph on Network Traffic Summary fixed
Filter for empty missing name "Blank" in Exclude from policy
Fix Siprotec4 snapshots conversation delay check
Fix empty data in single vulnerability page
Active Querying RTU 540 failed
Missing the show password option in "Retype New Password" field
Fix save button is enabled when it should not for bulk edit assets
Setup wizard | Split Interface | Fields name are not displayed until clicking on the screen/refresh
Conversation | Duration column filter is not sorted correctly
User unable to copy data from UI
Additional Suricata rules to 3.6 SP
Unicode decoding issue for WMI querying for USB details
ABB RTU 540/560 Premium Support

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later

Tenable.ot 3.6.26 Release Notes (2020-06-17)

To download Tenable.ot upgrade files, see: https://indegy.sharefile.com/share/view/se7c5a8e3ae840868.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://indegy.sharefile.com/d-scc1038977f54f58a.

For documentation relating to this release, see the Tenable.ot 3.6.x User Guide.

New Features

Vendor Support

  • Bachmann M1 - Standard Active Support
  • Moxa Devices - Basic Passive Support

Threat Detection

  • DNP3 Events - The system now detects various DNP3 commands (e.g. Select, Operate, Warm/Cold Restart), as well as errors originating from internal indicators, such as unsupported function codes and parameter-related errors.
  • Non-secure FTP and Telnet logins - The system now alerts on login attempts in both FTP and Telnet, and indicates whether the login was successful or not.
  • ABB Data Plane events - The system now detects unauthorized MMS write events to ABB 800xA controllers. With that, users can get alerts on any write commands, and set allowed ranges for operational parameters. This is currently available only over the API.

Risk Widget

A designated widget presenting the risk score of each asset was added. This widget consists of a breakdown of the different components on which the risk score of the asset is based - e.g. the events associated with it, its detected vulnerabilities as well as its user defined criticality.

Vulnerabilities

The system now detects various asset-specific and network-wide vulnerabilities beyond CVEs. Examples are: the existence of obsolete versions of Microsoft Windows, the usage of unsafe protocols, and open network ports known to be risky.

Exclusions

The system now allows the user to exclude an event from a policy. Excluding an event after it was flagged means that the same policy will not flag similar events in the future. This increases the user's control over which events are flagged and reduces false positives. This is done directly from the events grid.

Usability Improvements

  • Bulk Edit of Asset Details - Users can now edit details of multiple assets at once. Users can select a range of assets using Shift Key.
  • Expansion of the Events Power Panel - Users can now set the height of the Power Panel in the Events grid, either collapsing it to ease browsing through the grid or expanding it to investigate the details of a certain event.
  • The system now allows users to configure the accessible URL for the UI (FQDN), supporting only one accessible URL at any given time.

Berkeley Packet Filter

Berkeley Packet Filter (BPF) is now implemented on the ICP, allowing inbound traffic to it to be filtered.

Bug Fixes

Bug Fix
Groups name links are not working.
Reports - "Failed to generate report" is displayed, but report is created.
Vulnerabilities single page - Actions button is disabled.
Policies - SCADA Events - Can't create DNP policies.
Read only user - Vulnerabilities - Single page is not displayed.
FTP Events - Event trigger without details - Should extract the clear text credentials.
Events - Download capture file - Can't download pcap for event when first capture file is still ongoing.

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with Tenable.ot 3.6.26.

Product Tested Version(s)
Tenable.sc 5.11 and later

Tenable.ot 3.5.29 Release Notes (2020-05-07)

To download Tenable.ot upgrade files, see: https://indegy.sharefile.com/d-s59eff1a082a47ce9.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://indegy.sharefile.com/d-s648016c0e1742108.

New Features

Vendor Support

  • Siemens S7-1200 & S7-1500 - Premium Active Support
  • Niagara AX & Niagara 4 - Standard Active Support
  • Basic Active Support for Multiple OT/IOT Devices - Schneider Electric PowerLogic, Bosch IndraControl, Siemens Scalance, Siemens RS900, Moxa EDS, Moxa NPort, Moxa MGate, Cisco Stratix 5700, Cisco Catalyst, Cisco IE-2000, Cisco IE-5000, Lantronix and others.

Improved IEM Upgrade Process

IEM cluster upgrades are simplified by automating the process from the IEM over an SSH connection between the IEM and the IMS.

For more information, see the knowledge base article (requires an account).

Bug Fixes

  • Report performance improvements
  • IEM redirect bugs on specific site pages
  • IEM site name consistency
  • SIPROTEC 5 FW change event issues
  • Post-upgrade, some grid states return to default
  • S7-1200 firmware change false positives due to invalid packets

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with Tenable.ot 3.5.29.

Product       Tested Version(s)
Tenable.sc    5.11 and later

Tenable.ot 3.5.13 Release Notes (2020-04-08)

To download Tenable.ot upgrade files, see: https://indegy.sharefile.com/share/view/s4a6881aafb2458ab.

For a list of previous versions from which a direct upgrade is possible, see: https://indegy.sharefile.com/share/view/sbcbb72c602847c68.

New Features

New OT Devices Support

  • SICAM AX - Standard Active Support
  • Siprotec 4 - Premium Active Support
  • Concept - Premium Active Support
  • Beckhoff - Basic Passive & Standard Active

PCAP Extraction for Events

Event-specific capture files (in .pcap format) are now available for users to download and investigate on third-party platforms, or to share with non-users of Tenable.ot. When selected as a row action, a .pcap file containing only the event-related traffic is generated and downloaded.

Terminology Update - Vulnerabilities & CVEs

Terminology used to describe vulnerabilities has been updated to align with other Tenable products. In previous releases, the term "vulnerabilities" was used to describe CVEs (Common Vulnerabilities and Exposures); from now on, the term will be CVEs.

Remove Assets

Users can now remove assets from the Tenable.ot solution. Removing an asset is available from the Single Asset Page via the Inventory Grid Action. Removed assets can be viewed and restored from the Settings > Assets > Removed Assets page.

Asset Discovery "Run Now"

The Asset Discovery Query, which discovers assets periodically, can now be initiated on demand. This query can be configured and initiated from Settings > Queries > Asset Discovery.

Set-up Wizard for Tenable.ot Sensors

Tenable.ot sensors are used to collect traffic from remote network segments that are not visible from the main switch. The new Sensor Set-up Wizard enables users to define the IP of the sensor as well as the IP of the Tenable.ot platform to which the sensor will send the compressed data from the remote network.

Bug Fixes

  • Fix issue with Setup Wizard finishing
  • Set Date is set to one day before the user's selection
  • Fix user-defined Asset Types not affecting the asset risk score
  • Fix "No Results" in grid filters
  • Update Asset Map license - remove watermark
  • Fix report hanging with configuration
  • Fix missing asset details in a specific policy scenario
  • Fix Resync button clickability

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with Tenable.ot 3.5.13.

Product       Tested Version(s)
Tenable.sc    5.11 and later

Tenable.ot 3.4.26 Release Notes (2020-03-27)

To download Tenable.ot upgrade files, see: https://indegy.sharefile.com/d-s5fce669a4404962a.

For a list of previous versions from which a direct upgrade is possible, see: https://indegy.sharefile.com/d-sa613f25d7464e1f9.

Bug Fixes

  • Fix Asset Map expired-license watermark
  • Fix install process with a large number of pcaps
  • Fix ABEthernet PCCC issues
  • Fix risk score calculation timeout
  • Fix DB upgrade race issue
  • Fix ABEthernet shepherd infinite loop

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with Tenable.ot 3.4.26.

Product       Tested Version(s)
Tenable.sc    5.11 and later

Tenable.ot 3.4.25 Release Notes (2020-03-18)

To download Tenable.ot upgrade files, see: https://indegy.sharefile.com/share/view/s04cb61bb7614b0aa.

For a list of previous versions from which a direct upgrade is possible, see: https://indegy.sharefile.com/share/view/s77d2fc97a5f4f658.

New Features

PCAP Simulation via API

Tenable.ot enables users to use the API to simulate traffic from PCAP files. Users can play files in any of the following formats: pcap, pcap.gz, pcapng and pcapng.gz.

For more information on how to use the API, see the knowledge base article (requires an account).

Bug Fixes

General
  • Tenable.sc import tool failed to import data for an asset missing the IP address array.
Performance
  • Proxy ARP auto-detection fix.
  • Improved queue management and draining.
  • Fixed service startup issues.
  • Improved efficiency of DB transactions.
User Interface
  • Fix log-in flow issue.
  • Fix Event Severity filter missing values.
  • Fix "Resync" behaviour.
  • Fix Report Configuration not working.
  • Missing "show password" option in the "Retype New Password" field.
  • Change in navigation tree to include Reports in the main navigation.

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with Tenable.ot 3.4.25.

Product       Tested Version(s)
Tenable.sc    5.11 and later

Tenable.ot 3.4.9 Release Notes (2020-02-01)

New Features

New OT Devices Support

Support for the following models was added:

  • Yokogawa Prosafe - Level 1 Passive Support
  • Honeywell C300 - Level 1 Passive Support
  • PLC5 - Level 2 Passive Support, Level 2 Active Support
  • Serial DH+ Connection - Level 2 Passive Support, Level 2 Active Support
  • Cognex In-Sight Cameras - Level 1 Passive Support, Level 2 Active Support

The full list of vendor support and support levels description can be obtained from a sales engineer representative.

New SCADA Protocols Support

  • Detection of Modbus error codes - three Modbus error codes are now flagged using designated policies: 'illegal data address', 'illegal data value' and 'illegal function'.
  • Detection of IEC 60870-5-104 commands - several risky commands in IEC 60870-5-104 are now flagged using designated policies. Examples include Start, Stop, Reset and Data Transfer.
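As an added example (not Tenable.ot's own detection code), the Python below parses Modbus/TCP responses and flags the three exception codes named above, counting hits per server and unit so that a burst of exceptions from one source stands out. The frames and addresses are constructed for the example.

```python
"""Flag Modbus/TCP exception responses for the three policies named above.

Added example, not Tenable.ot code. The sample frames and IPs are constructed.
A Modbus/TCP frame is a 7-byte MBAP header (transaction id, protocol id = 0,
length, unit id) followed by the PDU; an exception response sets bit 0x80 in
the function code and carries a single exception-code byte.
"""
import struct
from collections import Counter

# Exception codes covered by the three policies (Modbus Application Protocol spec)
EXCEPTION_NAMES = {
    0x01: "illegal function",
    0x02: "illegal data address",
    0x03: "illegal data value",
}


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code, exception_code or None), or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length counts unit id + PDU
        return None
    fc = frame[7]
    if fc & 0x80:                                 # exception response
        if len(frame) != 9:
            return None
        return unit, fc & 0x7F, frame[8]
    return unit, fc, None


def classify_exception(frame: bytes):
    """Policy name for a flagged exception, or None (normal response or other code)."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None or parsed[2] is None:
        return None
    return EXCEPTION_NAMES.get(parsed[2])


def count_flagged(frames):
    """Count hits per (server_ip, unit_id, policy) over (src_ip, frame) pairs."""
    hits = Counter()
    for src, frame in frames:
        name = classify_exception(frame)
        if name:
            hits[(src, parse_modbus_tcp(frame)[0], name)] += 1
    return hits


# Constructed sample traffic: server replies keyed by server IP
SAMPLE_FRAMES = [
    ("10.0.0.20", bytes.fromhex("000100000003018302")),    # read holding regs -> illegal data address
    ("10.0.0.20", bytes.fromhex("000200000005010302000a")),  # normal read response, not flagged
    ("10.0.0.20", bytes.fromhex("000300000003018101")),    # read coils -> illegal function
    ("10.0.0.21", bytes.fromhex("000400000003019003")),    # write multiple regs -> illegal data value
    ("10.0.0.21", bytes.fromhex("000500000003018604")),    # server device failure, outside the policies
]
```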

Asset Criticality

An OT Asset Risk Criticality was introduced (Low / Medium / High). The predefined value is based on the asset type, but it can be altered by the user. A ‘none’ level is also supported.

Asset Risk Score

An OT Asset Risk Score was introduced (ranging from 0 to 100). It is calculated from the events, vulnerabilities and CVEs associated with the asset, together with the asset's criticality.

Integration with Tenable.sc

The integration of Tenable.ot and Tenable.sc utilizes OT CVE data to facilitate a unified VM platform across IT and OT. For configuration information, see the knowledge base article (requires an account).

Detection of Network Traffic & Conversations Spikes

The user can now receive alerts on anomalous network traffic throughput as well as on an anomalous number of conversations taking place. Both metrics are often associated with an infected or malfunctioning device. The reference time window and the sensitivity to changes in traffic are user configurable via the relevant policy.

USB Configuration Changes

The user can receive alerts on changes in the list of USB devices connected to MS-Windows machines, thereby identifying insertion or removal of these devices. The frequency of this query is defined separately from the other WMI queries so that it can be run more often.

Switch Interface Details

Mapping of all the interfaces of network switches is done periodically to monitor their state and health, including MAC addresses, name, status, alias, description and type for each interface. For configuration help, contact your Tenable representative and see the knowledge base article (requires an account).

Report Configuration

When generating a report, users can now control the asset drill-down portion. They can either exclude it completely or have it for only certain asset types, per their preference.

Health Check API

An API to query the system for its health state was introduced at:

GET https://<IP>/v1/healthcheck

The response contains details regarding hardware health, container health, the throughput of connected sensors and other details.

New API Authentication Method

Authentication using tokens was introduced in addition to the use of robots. The new method allows authentication using an HTTP Authorization header sent over HTTPS:

"Authorization: Key <API token>"

or a URL parameter: https://IP/v1/<API request>?apikey=<API token>
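As an added example (not Tenable's own client code), the Python below builds the health-check request with the header form of token authentication, shows the URL-parameter alternative, and masks the token before a URL is written to a log. The host, token and CA bundle path are placeholders supplied by the caller.

```python
"""Query GET https://<IP>/v1/healthcheck using the API-token authentication above.

Added example, not Tenable's client code. Host, token and CA bundle are
caller-supplied placeholders; the JSON body is returned as-is because its
schema is not described on this page.
"""
import json
import re
import ssl
import urllib.request
from typing import Optional
from urllib.parse import quote

HEALTHCHECK_PATH = "/v1/healthcheck"


def build_healthcheck_request(host: str, api_token: str) -> urllib.request.Request:
    """Header form: 'Authorization: Key <API token>'.

    Prefer this over ?apikey=... because query strings are routinely written to
    proxy and web-server access logs, while request headers usually are not.
    """
    req = urllib.request.Request(f"https://{host}{HEALTHCHECK_PATH}", method="GET")
    req.add_header("Authorization", f"Key {api_token}")
    req.add_header("Accept", "application/json")
    return req


def healthcheck_url_with_apikey(host: str, api_token: str) -> str:
    """URL-parameter form, for tools that cannot set headers; token is URL-encoded."""
    return f"https://{host}{HEALTHCHECK_PATH}?apikey={quote(api_token, safe='')}"


def redact_apikey(url: str) -> str:
    """Mask the token in the URL-parameter form before logging the URL."""
    return re.sub(r"(apikey=)[^&#]*", r"\1<redacted>", url)


def fetch_healthcheck(host: str, api_token: str,
                      ca_bundle: Optional[str] = None, timeout: float = 10):
    """Perform the request with TLS verification kept on (ca_bundle for a private CA)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_healthcheck_request(host, api_token)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)
```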

System Log Export

System log messages can now also be sent over Syslog to SIEM products.

Deprecated Features

  • Alerts drill-down chapter in the report - The Alerts Drill Down chapter has been removed from the report. Indegy v3.4 has events instead of alerts, and hence this chapter is deprecated.
  • Showing the diagnostic buffer of Siemens controllers - This query is no longer supported by the core platform and has been removed from the UI.

Bug Fixes

  • Resolve All Events not working
  • Policies search and filter not persistent on reload
  • Asset editing requires a hard refresh to apply values
  • Vulnerability matching over-matching in some cases due to NVD formatting

E-SPIN Value Proposition

E-SPIN has actively promoted Tenable's full range of products and technologies as part of the company's Vulnerability Management solution portfolio (infrastructure, network, server, host and application vulnerability assessment and reporting) and Security Management solution portfolio (security and risk compliance audit and configuration check/reporting). E-SPIN provides consulting, supply, training and maintenance of Tenable products for enterprise, government and military customers (or distributes and resells them as part of a complete package) in the regions where E-SPIN does business.

E-SPIN is also in the business of infrastructure monitoring, from data centers, server farms, enterprise networks (wired and wireless), virtualized networks and cloud infrastructure to OT (ICS/SCADA) equipment, providing complete visibility of the infrastructure through the network performance monitoring and diagnostics (NPMD) portfolio we carry and represent.

Our enterprise customers range from universities to listed corporations, with IT security professionals working on vulnerability assessment and penetration testing or security audit, IT security companies running a security operations center (SOC) that performs configuration security checks and audits for security risk compliance, and red team / cyber security / cyber warfare / military security defense applications and infrastructure network audits.

Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you with the exact packaged solution you may require for your operation or project needs.
