Tenable OT Security 2023 Release Notes
Tenable OT Security 3.15.42 SP (2023-04-24)
Tenable OT Security recommends that you upgrade to this version if you use split port configuration or active queries via sensors.
Bug Fixes
Tenable OT Security 3.15.42 SP includes the following bug fixes:
| Bug fix |
|---|
| Nessus Scan via Sensor — Nessus Active Query can now send traffic via sensor route. |
| Nessus Scan in Split Port — Nessus scan can now work in split port mode (SFDC #01566712). |
| LDAP Settings — Resolved an issue in the UI when creating a new LDAP Authentication Server (Local Settings > Users & Roles > Auth Servers > LDAP). |
Tenable OT Security 3.15.39 SP (2023-02-24)
New Features
New Vendor Support
-
Basic passive and active support for Phoenix Contact - Tenable OT Security now passively and actively identifies the device model, family, type, and firmware version of Phoenix Contact (PCWorx and ProConOS protocols). This support also facilitates the detection of their vulnerabilities.
-
Basic passive and active support for Profinet CM (Context Manager) - Tenable OT Security now passively and actively identifies the device firmware version, hardware version, order number, and type.
-
Snapshot for Rockwell ControlLogix L8X and CompactLogix 538X families - Tenable OT Security can now take a snapshot for Rockwell controllers that are part of the L8X and 538X families.
-
Ability to merge Siemens S7-300 and S7-400 with FW 2.6.7 and older - This feature is disabled by default and can be enabled only from the API.
-
Enhancements for S7+ querying mechanism.
New Vulnerabilities (Plugins)
Tenable OT Security now identifies the new following vulnerabilities:
| Vendor | Family/Model | Plugin ID |
|---|---|---|
| Siemens | Scalance | 500788-500789, 500786, 500781-500783, 500778, 500772-500773, 500768, 500766, 500764, 500762, 500755-500760, 500749-500753, 500746, 500740-500742, 500735-500738, 500729 |
| Siemens | Desigo | 500787, 500785, 500779, 500776-500777, 500774, 500771, 500769, 500767, 500761, 500747, 500743-500745, 500735, 500730-500731 |
| Siemens | Apogee | 500748 |
| Phoenix Contact | ILC, RFC, AXC, S_MAX | 500784, 500780, 500775, 500770, 500765, 500763, 500754, 500739, 500732-500733, 500728 |
User-defined Nessus Scans
Nessus scans are now available through a dedicated page, allowing the user management, visibility, and flexibility in their scans:
-
Management - You can now create, edit, delete, save, and run custom Nessus scans.
-
Visibility - All plugins are visible and available for your selection.
-
Flexibility - You can now choose to scan multiple network assets (endpoint type is excluded) through an IP range.
IDS Engine Ruleset Updates
New IDS ruleset feed is available in Tenable OT Security. You can now obtain the newest set of IDS rules and install them at any time in two ways:
-
Cloud update — For systems that are connected to the internet, IDS rules are periodically and automatically downloaded. You can also initiate this update on demand.
-
Offline update — You can also upload a file containing the IDS rules to the system via the user interface. You can obtain the URL for this file from Tenable OT Security.
Dark Mode
Dark mode is now available in Tenable OT Security. It allows you to switch the color scheme of Tenable OT Security to a darker theme to provide a more comfortable viewing experience in low-light environments and potentially save battery life on your devices.
To activate dark mode, simply toggle the dark mode option on the top bar.
Export Dashboards
You can now export the dashboards on demand to a PDF file. If you export the dashboard when the dark mode is enabled, Tenable OT Security also generates the exported files in the dark mode format.
New Authentication Servers Page
You can now configure and manage your authentication servers' settings on the new Authentication Servers page (under the Local Settings - Users and Roles section).
On this page, you can now define, save, and enable multiple servers based on the authentication methods you use in your organization: Active Directory and LDAP.
Once configured, you can select the authentication server to which you want to connect in the login page's new drop-down menu.
Open Ports Mechanism Enhancements
The Open Ports table in the single asset page now shows all ports that were identified to be open. These include the current active port scans and passive conversations, active queries, Tenable Nessus, and Tenable Nessus Network Monitor.
You can control the desired aged-out period for considering a port to be open (under the Device page in the Local Settings - System Configuration section).
Usage Statistics
Tenable OT Security now gathers UI data for the purpose of learning, improving, and better understanding users needs.
When enabled (by default), Tenable collects telemetry information that cannot be attributed to a specific individual; it is only collected at the company level.
This information does not include Personal Data or personally identifiable information (PII). This can be turned on/off on the Device page under Local Settings - System Configuration.
Sensor - BPF from the Cockpit UI
Sensor BPF is now visible and available from the Cockpit UI.
Sensor - New Dedicated Port for the Authenticated Sensor
The sensor now uses a dedicated port (28304) for the authenticated sensor instead of the SSH port (22) that was used in V3.14.
The unauthenticated sensors remain in port 28303.
ICP V3.15 is now listening to both 22 and 28304 ports.
New Asset Types
Tenable OT Security now identifies the following new device types:
| Category | New Type |
|---|---|
| Controller | BMS Controller |
| Controller | Backplane Module |
| Controller | Robot |
| Server | Security Appliance |
| Server | Tenable EM |
| Server | Tenable ICP |
| Server | Tenable Sensor |
HTTP/HTTPS Banner Grabbing Enhancements
As of version 3.15, Tenable.ot added several enhancements for HTTP/HTTPS banner grabbing such as querying more port numbers from which to collect banners, parsing HTTPS certificates, and more.
Compressed Backup File
You can now download a compressed system backup file from the Local Settings - System Actions page.
Custom Range Filter for IP Addresses
You can now filter the Inventory table for a specific range of assets based on a specific range of IP addresses.
EM - System Log
You can now view the Enterprise Manager (EM) System Log under the Local Settings menu.
EM - Factory Reset
On the Enterprise Manager (EM) you (the administrator) can now perform a factory reset on the machine and return it to its initial and default configuration.
API Changelog
For more information about the API, see the Tenable.ot API documentation.
API breaking changes (removal of ServiceNow):
Enum value ServiceNow was removed from enum ActionType
Member ServiceNowServer was removed from Union type ActionUnion
Field serviceNowServers was removed from object type Integration
Field archiveServiceNowServer was removed from object type Mutation
Argument servicenowActions: [ID!] was removed from field Mutation.editPolicies
Field newServiceNowServer was removed from object type Mutation
Field setServiceNowServer was removed from object type Mutation
Field testAdHocServiceNowServer was removed from object type Mutation
Field testServiceNowServer was removed from object type Mutation
Field serviceNowServer was removed from object type Query
Field serviceNowServers was removed from object type Query
Type ServiceNowServer was removed
Type ServiceNowServerConnection was removed
Type ServiceNowServerEdge was removedAPI additions:
Enum value extendedRunStatus was added to enum AssetField
Enum values BackplaneModule, Bms, Robot, TenableEm, TenableIcp, TenableSensor were added to enum AssetType
Enum values InvalidFile, Unchanged were added to enum CannotUpdatePluginSetReason Enum values NessusUserScan, ReadUpdates, WriteUpdates were added to enum Capability Enum value extendedRunStatus was added to enum LinkField
Enum value PHOENIX_CONTACT, PROFINET_CM were added to enum ProtocolSuperType
Enum value PC_WORX, PROCONOS, PROFINET_CM were added to enum ProtocolType
Enum values BackplaneModule, Bms, Robot, TenableEm, TenableIcp, TenableSensor were added to enum UserDefinedAssetType
Input fields bindDn, bindPw, domainAppend, groupBaseDn, host, port, userBaseDn were added to input object type ProviderOptionsParams
Field APIKey.groups has description this property is always empty
Field APIKey.groups is deprecated
Field APIKey.groups has deprecation reason deprecated since 3.10 (RBAC), groups are determined by the attached User
Field AdProviderOptions.rootCa changed type from String to String!
Field extendedRunStatus was added to object type Asset
Field compressionInProgress was added to object type BackupDetails
Fields lastModifiedBy, lastModifiedDate were added to objects ActivityPolicy, AssetGroup, AssetFunction, AssetList, AssetPolicy, AssetTypeFamilyGroup, EmailGroup, IDSGeneralPolicy, IDSSrcDstPolicy, IntrusionPolicy, IpList, IpRange, NetworkPolicy, Policy, PortGroup, PortPolicy, ProtocolGroup, RecurringGroup, RuleGroup, ScheduleFunction, ScheduleGroup, SegmentGroup, TagGroup, TagValuePolicy, TimeInterval
Type CanUpdateSuricataRuleSet was added
Enum value CannotUpdatePluginSetReason.PluginSetUnchanged was deprecated with reason this value will change in the future to Unchanged, so always check for both
Type CannotUpdateSuricataRulesReason was added
Field backupCompression was added to object type FlagList
Type LdapProviderOptions was added
Type LdapProviderOptionsConnection was added
Type LdapProviderOptionsEdge was added
Field extendedRunStatus was added to object type LeanAsset
Field deleteNessusUserScan was added to object type Mutation
Field editNessusUserScan was added to object type Mutation
Field nessusUserScanAction was added to object type Mutation
Field newNessusUserScan was added to object type Mutation
Field updateSuricataRuleSet was added to object type Mutation
Type NessusUserScan was added
Type NessusUserScanConnection was added
Type NessusUserScanEdge was added
Field source was added to object type OpenPorts
Type OpenPortsSource was added
Field Plugin.id has description Plugin ID
Field Plugin.name has description Name
Field PluginDetails.cpe is deprecated
Field PluginDetails.cpe has deprecation reason please use cpes, this should be plural
Field cpes was added to object type PluginDetails
Field cves was added to object type PluginDetails
Type PluginFamily was added
Type PluginFamilyArgs was added
Type PluginFamilyConnection was added
Type PluginFamilyCount was added
Type PluginFamilyCountConnection was added
Type PluginFamilyCountEdge was added
Type PluginFamilyEdge was added
Type PluginsBasic was added
Type PluginsBasicConnection was added
Type PluginsBasicEdge was added
Type PluginsIndividualArgs was added
Type PluginsOfFamily was added
Field canOfflineUpdateSuricataRuleSet was added to object type Query
Field canOnlineUpdateSuricataRuleSet was added to object type Query
Field ldapAuthProviders was added to object type Query
Field nessusUserScan was added to object type Query
Field nessusUserScans was added to object type Query
Field pluginFamilies was added to object type Query
Field pluginsOfFamily was added to object type Query
Field suricataRuleSetDownloadUrl was added to object type Query
Field suricataRuleSetInfo was added to object type Query
Type ScanAction was added
Type SelectionStatus was added
Object type Subscription has description WARNING: Experimental feature! This can change without a warning
Type SuricataRuleSetDownloadUrl was added
Type SuricataRuleSetInfo was added
Object type Time has description The `Time` scalar type represents date and time values as specified by [RFC3339](https://www.rfc-editor.org/rfc/rfc3339.html).
Type UpdateResult was added
Type UserScanStatus was addedFilenames and MD5 or SHA-256 checksums are posted at Tenable OT Security Download page.