Tenable OT Security 2024 Release Notes

Users with Read-Only or Site Operator permissions can no longer download packet captures and Close Ongoing Captures.

It is not possible to revert to 3.19.70 (SP) from later versions due to a known issue with the revert script. This issue is specific to version 3.19.70 (SP) and does not affect 3.19 SP2 or later versions. For instance, if you upgrade from 3.18 to 3.19 SP2, you can revert your upgrade without any issues.

Compliance Dashboard

• The Compliance dashboard enables you to align key security measures with regulatory requirements, track your progress and improvements over time, and strengthen your security posture. For more information, see Compliance Dashboard.

• OT Security supports these security frameworks: CAF Principles, OTCC Sub Domains, ISO 27001 Controls, and NIS 2 Directive (Article 21).

FOX TLS Snapshots

• Support for Phoenix Contact ILC Snapshots.

• Includes Audit Log for tracking changes to FOX TLS configuration.

Security Hardening

• Internal Communications Encryption — Communications between modules or to external integration points leverages a stronger encryption cipher.

• Internal Database Encryption — Areas within the OT Security storage has a higher level of encryption ciphers applied.

Vulnerabilities

OT Security now identifies the new following vulnerabilities:

For more information about APIs, see the Tenable OT Security API documentation.

Enum value lastSnapshot was added to enum AssetField
Enum value BlockFoxDriver was added to enum BlockType
Enum value BlockFoxDriversProject was added to enum BlockType
Enum value AvgDays was added to enum FieldFunction
Enum value SecureModeFailure was added to enum IotConnectorStatus
Enum value UnknownFailure was added to enum IotConnectorStatus
Enum value lastSnapshot was added to enum LinkField
Argument snapshot: Boolean (with default value) added to field Mutation.newProtocolPolicy
Argument snapshot: Boolean (with default value) added to field Mutation.setProtocolPolicy
Enum value resolutionDuration was added to enum PolicyHitAggregationField
Type AggregationsAssetsExpressionsParams was added
Type AggregationsAssetsField was added
Type AggregationsAssetsSortParams was added
Type AggregationsAssetsSortParamsComplexFields was added
Field lastSnapshot was added to object type Asset
Field AssetMapTimeFrame was added to object type Config
Field lastSnapshot was added to object type LeanAsset
Type PluginHitsExpressionsParams was added
Type PluginHitsSortParams was added
Type PluginHitsSortParamsComplexFields was added
Type PluginsAssetsExpressionsParams was added
Type PluginsAssetsField was added
Type PluginsAssetsSortParams was added
Type PluginsAssetsSortParamsComplexFields was added
Field assetsExternalConn was added to object type Query
Field assetsExternalConnRaw was added to object type Query
Field eventAggregationsAssetsRaw was added to object type Query
Field pluginHits was added to object type Query
Field pluginHitsRaw was added to object type Query
Field pluginsAssetsRaw was added to object type Query
Field Query.pluginsRaw description changed from Raw dynamic query on plugins to Raw dynamic query on plugin hits
Type RawAggregationsAssetsComplexFieldParams was added
Type RawAggregationsAssetsComplexFieldParamsComplexFields was added
Type RawAggregationsAssetsComplexGroupingParams was added
Type RawAggregationsAssetsComplexGroupingParamsComplexFields was added
Type RawPluginHitsComplexFieldParams was added
Type RawPluginHitsComplexFieldParamsComplexFields was added
Type RawPluginHitsComplexGroupingParams was added
Type RawPluginHitsComplexGroupingParamsComplexFields was added
Type RawPluginsAssetsComplexFieldParams was added
Type RawPluginsAssetsComplexFieldParamsComplexFields was added
Type RawPluginsAssetsComplexGroupingParams was added
Type RawPluginsAssetsComplexGroupingParamsComplexFields was added
Type pluginHits was added

Vendor and Protocol Support

• MOXA Discovery Protocol — OT Security now actively detects and fingerprints MOXA devices. Query the device directly to identify it. Active queries to MOXA devices require MOXA credentials.

• Siemens SICAM 8050 RTU — OT Security now supports Siemens SICAM 8050. You can use active queries to fingerprint backplane modules, which require an SNMP v3 credential.

• Fox-TLS Protocol

  • OT Security now actively detects and fingerprints devices that use the FOX-TLS protocol.

  • Active queries to these devices require FOX-TLS credentials.

  • Tested on Phoenix Contact ILC 2050 BI device.

Advanced IoT Visibility

• OT Security now includes an IoT Connectors engine that allows you to integrate your IoT (Internet of Things) or VMS (Video Management System) servers.

• You can integrate your IoT/VMS servers using any one of the following connection methods:

  • Using a remote application API service

  • Using an agent

• After integration, OT Security imports all the devices that the application server manages, such as cameras, badge access systems, fire panels, and so on.

  For more information, see IoT Connectors.

Asset Relationships

• OT Security now provides a visual representation of asset relationships.

• You can use the Related Assets tab on the single asset page to track all known relationships of the asset.

• OT Security determines the relationship between assets automatically based on queries and passive monitoring. This prevents you from modifying these relationships manually.

• Related Assets is based on actual communication pathways to devices, which distinguishes it from Network Map that relies on Layer 3 (Internet Protocol or IP) connectivity.

  For more information, see Related Assets.

Asset Relationships - Nested OT Devices

• Nested devices are Programmable Logic Controller (PLC)s or other Industrial Control System (ICS) modules connected behind a PLC backplane or device. This is similar to a variable-frequency drive (VFD) connected directly to a communications adapter.

• In this version, OT Security detects nested devices only for Rockwell devices and Rockwell connection types such as CIP, DirectNet, ControlNet, DH+.

• OT Security observes nested relationships between OT devices passively or through the Backplane Scan active query.

• On the asset details page, Related Assets > Backplane view lists all related assets, and a icon indicates any nested devices beneath a module.

  For more information, see Nested Devices.

Asset Relationships - IoT Connectors

• OT Security maps all managed IoT devices to their respective application server.

• To view all managed IoT devices by a specific application server, you must configure the IoT engine and synchronize assets from the application server. In the example of an IP camera, you can see the VMS server that manages it. Navigating to this VMS server on the Inventory > IoT Connectors > Related Assets page lets you view all cameras that this VMS server manages.

Dynamic Fingerprinting Engine (DFE) Updates

You can now make Dynamic Fingerprinting Engine (DFE) updates from the cloud. Some key benefits of this feature are:

• On-Demand Updates: Instantly download and apply the latest classification changes directly from the cloud, ensuring your inventory is always up to date.

• Enhanced Flexibility: Access additional fingerprints without waiting for local updates or new version releases, providing immediate and continuous improvement.

• Seamless Integration: Incorporate new fingerprints as they become available, receiving critical updates between major version releases for enhanced responsiveness.

  For more information, see DFE Updates.

Exportable Executive Summary Report PDF

• OT Security now provides an option to generate and export an executive summary report in PDF.

• To view and download the Executive Summary report, go to Dashboards > Executive Report.

• This feature is an enhancement to an earlier version of the OT Security reporting feature.

For more information, see Generate an Executive Report.

Asset Diagnostic Export report

• You can now export a detailed diagnostic report of an asset for support purposes. You can also bulk export a diagnostics report for multiple assets. For more information, see Export Diagnostics.

Tenable Security Center Integration Enhancements

• Starting with Tenable Security Center 6.4, integrating with OT Security brings additional context in Tenable Security Center.

• After integration, OT Security asset details synchronize with Tenable Security Center. These asset details include: Name, Type, Category, Running State, Firmware Version, Vendor, Model, Family, Backplane Information, MAC, Purdue Level, Location, and Description.

• There are no special configurations or settings for this feature apart from running the latest version of OT Security and Tenable Security Center.

Active Queries Management Redesign

• Active Queries are now available as informative cards that you can customize as needed.

• You can create Query variations for each type of Active Query and customize them as in the earlier versions.

• A status column indicates whether active queries are running, stopped, or paused.

  For more information, see Managing Active Queries.

Active Queries Management — Executions History

• You can now download a CSV export of the last query execution details. If the active query targeted multiple assets or protocols, this information also appears in the exported results. During the initial setup, this helps troubleshoot queries against various assets. For more information, see Download Last Query Log.

Active Queries Management — 'Try Anyway' Button

• You can now override the limit to the number of active query attempts during troubleshooting. OT Security now provides a Try Anyway option to proceed with active queries on devices or network when you make any firewall or network changes to those queries.

Active Queries Management — Ping Query Added

• OT Security now includes a separate Ping query that relies on Internet Control Message Protocol (ICMP) to test whether an asset is routable or reachable. This query is essentially the same Ping query used during an Asset Discovery or Active Asset Tracking query.

Pendo Tool Integration

• Resource Center: Access to various helpful resources directly within the application:

  Note: Access to the Resource Center requires an Internet connection.

  • Knowledge Base Search: Search the product Knowledge Base (KB) within the application for quick answers and information.

  • Feature Updates: Receive in-app notifications about the latest feature updates and new releases.

  • Welcome Flow for New Users: A high-level sneak peek showcases the main values and key product features to give you a quick tour.

Tenable One - Open Ports Findings

• Along with assets and vulnerabilities, OT Security can now also synchronize open ports on monitored assets when integrated with Tenable One.

• You can use open port information for assets for dynamic tagging and to reveal more potential attack paths that may lead to compromise.

Vulnerability State Tracking

• OT Security now retains and displays mitigated (fixed) vulnerabilities.

• You can now see Active versus Fixed vulnerabilities when viewing an asset or the overall vulnerabilities on the Vulnerabilities page.

• Fixed vulnerabilities age out after one year.

Generic Protocol Parser

• OT Security now uses a generic protocol parser that allows you to add protocol detection capabilities quickly. This parser is an internal tool used in Tenable research.

• The generic parser relies on LUA scripts, and is powered by the embedded Suricata IDS engine.

Access Account Details from the "About" View

After activating OT Security, you can view your Tenable customer ID in the About view.

To access this information, click your username in the upper-right corner of the interface and select About from the drop-down menu. This view displays your account details, including your customer ID. Note that this customer ID is required when contacting Technical Support or Customer Success teams.

• If you have SNMP Ports query enabled in earlier versions, you must re-enable it under Active Queries Management settings.

• Conflicts in permission levels set by Role-Based Access Control (RBAC) settings lead to users inheriting the most permissive group's permissions.

For more information about APIs, see the Tenable OT Security API documentation.

Type ActiveQueriesOpType was removed
Field ActiveQuery.operation changed type from ActiveQueriesOpType! to OpType!
Field ActiveQueryBase.operation changed type from ActiveQueriesOpType! to OpType!
Field AssetDiscovery.operation changed type from ActiveQueriesOpType! to OpType!
Field PingEnabled was removed from object type Config
Enum value PingType was removed from enum DiscoveryQueryTypes
Enum value NessusAdvancedScan2Type was removed from enum FirewallOpType
Enum value NessusAdvancedScanType was removed from enum FirewallOpType
Field InactiveProbing.operation changed type from ActiveQueriesOpType! to OpType!
Enum value DnsType was removed from enum ItQueryTypes
Enum value InactiveAssetProbe was removed from enum ItQueryTypes
Enum value PortScanAssetEnrichment was removed from enum ItQueryTypes
Enum value PortScanQueryType was removed from enum ItQueryTypes
Type for argument operation on field Mutation.createActiveQuery changed from ActiveQueriesOpType! to OpType!
Field PortScan.operation changed type from ActiveQueriesOpType! to OpType!
Default value for argument countTimeout on field Asset.eventAggregations changed from 700 to 3000
Default value for argument countTimeout on field Asset.eventAggregationsRaw changed from 700 to 3000
Default value for argument countTimeout on field Asset.events changed from 700 to 3000
Default value for argument countTimeout on field Asset.eventsRaw changed from 700 to 3000
Default value for argument countTimeout on field Asset.plugins changed from 700 to 3000
Enum value VideoManagementSystem was added to enum AssetType
Default value for argument countTimeout on field Baseline.links changed from 700 to 3000
Enum value FoxTls was added to enum BasicCredentialsTypes
Enum value Moxa was added to enum BasicCredentialsTypes
Enum value NoSpaceLeftOnDevice was added to enum CannotUpdatePluginSetReason
Enum value NoSpaceLeftOnDevice was added to enum CannotUpdateSuricataRulesReason
Enum value IotConnectors was added to enum Capability
Enum value FoxTls was added to enum CredentialsType
Enum value Moxa was added to enum CredentialsType
Enum value SicamSnmp was added to enum CredentialsType
Enum value AssetDiscoveryType was added to enum DiscoveryQueryTypes
Enum value DnsType was added to enum DiscoveryQueryTypes
Enum value InactiveAssetProbe was added to enum DiscoveryQueryTypes
Enum value PortScanAssetEnrichment was added to enum DiscoveryQueryTypes
Enum value PortScanQueryType was added to enum DiscoveryQueryTypes
Default value for argument countTimeout on field EventAggregation.events changed from 700 to 3000
Enum value AssetDiscoveryType was added to enum FirewallOpType
Enum value osVersion was added to enum IcpSensorField
Default value for argument countTimeout on field Mutation.bulkEditAssets changed from 700 to 3000
Default value for argument countTimeout on field Mutation.bulkEditAssetsWithRemove changed from 700 to 3000
Default value for argument countTimeout on field Mutation.bulkHideAsset changed from 700 to 3000
Default value for argument countTimeout on field Mutation.bulkRestoreAsset changed from 700 to 3000
Default value for argument countTimeout on field Mutation.resolveEvents changed from 700 to 3000
Default value for argument countTimeout on field Plugin.affectedAssets changed from 700 to 3000
Enum value fixedAssets was added to enum PluginField
Enum value vprLevel was added to enum PluginField
Enum value CIP_ETHIP_UDP was added to enum ProtocolType
Enum value DOT1BR was added to enum ProtocolType
Enum value DOT1BR_CORRUPT was added to enum ProtocolType
Enum value MOXA_HTTP was added to enum ProtocolType
Enum value SICAM_SNMP was added to enum ProtocolType
Default value for argument countTimeout on field Query.assets changed from 700 to 3000
Default value for argument countTimeout on field Query.assetsForGrid changed from 700 to 3000
Default value for argument countTimeout on field Query.assetsPendingDeletion changed from 700 to 3000
Default value for argument countTimeout on field Query.assetsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.eventAggregations changed from 700 to 3000
Default value for argument countTimeout on field Query.eventAggregationsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.events changed from 700 to 3000
Default value for argument countTimeout on field Query.eventsForGrid changed from 700 to 3000
Default value for argument countTimeout on field Query.eventsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.groupedAssetsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.groupedEventsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.iemPluginsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.iemPolicies changed from 700 to 3000
Default value for argument countTimeout on field Query.iemRecentEvents changed from 700 to 3000
Default value for argument countTimeout on field Query.iemSensorsRaw changed from 700 to 3000
Default value for argument countTimeout on field Query.links changed from 700 to 3000
Default value for argument countTimeout on field Query.plugins changed from 700 to 3000
Default value for argument countTimeout on field Query.pluginsRaw changed from 700 to 3000
Argument countTimeout: Int (with default value) added to field Query.systemLog
Argument filter: SystemLogExpressionsParams added to field Query.systemLog
Argument search: String added to field Query.systemLog
Argument slowCount: Boolean added to field Query.systemLog
Argument sort: [SystemLogSortParams!] added to field Query.systemLog
Enum value SICAM_SNMP was added to enum RestrictedProtocolType
Enum value EmptyClientResponseError was added to enum SnapshotStatus
Enum value SicamSnmp was added to enum SnmpV3CredentialsTypes
Enum value VideoManagementSystem was added to enum UserDefinedAssetType
Field lastRunBy was added to interface ActiveQuery
Field usageInfo was added to interface ActiveQuery
Field lastRunBy was added to object type ActiveQueryBase
Field usageInfo was added to object type ActiveQueryBase
Type ActiveQueryExecution was added
Type ActiveQueryExecutionConnection was added
Type ActiveQueryExecutionEdge was added
Type ActiveQueryExecutionOnAsset was added
Type ActiveQueryExecutionOnAssetConnection was added
Type ActiveQueryExecutionOnAssetEdge was added
Type AgentConnector was added
Field activePlugins was added to object type Asset
Field fixedPlugins was added to object type Asset
Field relationships was added to object type Asset
Field lastRunBy was added to object type AssetDiscovery
Field usageInfo was added to object type AssetDiscovery
Type AssetRelationship was added
Type AssetRelationshipConnection was added
Type AssetRelationshipEdge was added
Type AssetRelationshipExpressionsParams was added
Type AssetRelationshipField was added
Type AssetRelationshipIoTConnectorsDetails was added
Type AssetRelationshipNesting was added
Type AssetRelationshipNestingCipIpDetails was added
Type AssetRelationshipNestingControlNetDetails was added
Type AssetRelationshipNestingDhPlusDetails was added
Type AssetRelationshipNestingUnknownDetails was added
Type AssetRelationshipSortParams was added
Type AssetRelationshipSortParamsComplexFields was added
Type CanDownload was added
Type CanUpdateDfe was added
Type CannotUpdateDfeReason was added
Type ChannelType was added
Field IotConnectorsAvailable was added to object type Config
Type ConnectionType was added
Field dstPort was added to object type Conversation
Field Conversation.port is deprecated
Field Conversation.port has deprecation reason Use dstPort instead
Directive deprecated was added to field Conversation.port
Field srcPort was added to object type Conversation
Type CoreOsVersion was added
Type DfeDownloadUrl was added
Type DfeInfo was added
Field customerId was added to object type EmLicenseDetails
Field id was added to object type EmUser
Type Error was added
Type ErrorCategory was added
Type ErrorKey was added
Type ErrorVariable was added
Type ErrorVariableConnection was added
Type ErrorVariableEdge was added
Type ExacqAddOptionsParams was added
Type ExacqConnector was added
Type ExacqEditOptionsParams was added
Field lastRunBy was added to object type InactiveProbing
Field usageInfo was added to object type InactiveProbing
Type IotConnectionMethod was added
Type IotConnectorInfo was added
Type IotConnectorInfoConnection was added
Type IotConnectorInfoEdge was added
Type IotConnectorStatus was added
Type IotConnectorType was added
Type IotConnectorWebProtocol was added
Field errors was added to object type Job
Field customerId was added to object type LicenseDetails
Type LogRecordField was added
Type MilestoneAddOptionsParams was added
Type MilestoneConnector was added
Type MilestoneEditOptionsParams was added
Type MobotixAddOptionsParams was added
Type MobotixConnector was added
Type MobotixEditOptionsParams was added
Field activeQueryExecutionsCsv was added to object type Mutation
Field addAgentIotConnector was added to object type Mutation
Field addExacqIotConnector was added to object type Mutation
Field addMilestoneIotConnector was added to object type Mutation
Field addMobotixIotConnector was added to object type Mutation
Field assetReport was added to object type Mutation
Field assetsReport was added to object type Mutation
Field createSnmpQuery was added to object type Mutation
Field deleteIotConnector was added to object type Mutation
Field editAgentIotConnector was added to object type Mutation
Field editExacqIotConnector was added to object type Mutation
Field editMilestoneIotConnector was added to object type Mutation
Field editMobotixIotConnector was added to object type Mutation
Field editSnmpQuery was added to object type Mutation
Field testAgentIotConnector was added to object type Mutation
Field updateDfe was added to object type Mutation
Type OpType was added
Field fixedAssets was added to object type Plugin
Field Plugin.totalAffectedAssets description changed from Total affected assets on the plugins, with no regard to the filter to Total affected assets on the plugin, with no regard to the filter
Field totalFixedAssets was added to object type Plugin
Field vprLevel was added to object type Plugin
Field lastRunBy was added to object type PortScan
Field usageInfo was added to object type PortScan
Field activeQueryExecutions was added to object type Query
Field activeQueryExecutionsOnAsset was added to object type Query
Field canOfflineUpdateDfe was added to object type Query
Field canOnlineUpdateDfe was added to object type Query
Field dfeDownloadUrl was added to object type Query
Field dfeInfo was added to object type Query
Field iotConnector was added to object type Query
Field iotConnectors was added to object type Query
Type QuerySource was added
Type RelationshipDirection was added
Type RelationshipType was added
Field osVersion was added to object type SensorDetails
Type Snmp was added
Type SnmpOptionsParams was added
Type SystemLogExpressionsParams was added
Type SystemLogSortParams was added
Type SystemLogSortParamsComplexFields was added
Field id was added to object type User
Type VprLevel was added

• An issue may occur during the upgrade process that requires you to resize the /tmp partition. Resize your /tmp partition if you encounter a failed upgrade due to lack of available space.

Filenames and MD5 or SHA-256 checksums are posted at the OT Security Download page.

EM-ICP Pairing Migration

• After you upgrade to version 3.18, re-pair all previously linked sites or ICPs.

• A newly upgraded Tenable OT Security Enterprise Manager (OT Security EM) 3.18 has no linked sites, so you need to pair your ICPs.

• Make sure to note down the paired sites (ICPs) list before you upgrade OT Security EM.

• If you were unable to snapshot or document the previously linked sites, a script is available to fetch these details. For assistance, contact Tenable Support.

Enterprise Manager (EM) — Licensing

• The OT Security EM now features in-product licensing to activate the console.

• All OT Security EM customers should have a 20-digit activation code specifically for EM.

• Contact your Customer Success Manager if you do not have your EM activation code.

License Enforcement During ICP Upgrade

• When upgrading Tenable OT Security (ICP), the license must be valid to begin the update.

• If the license has exceeded or aged out, automatic updates are blocked or you are required to reapply the license.

Vendor and Protocol Support

• Honeywell C300 — OT Security includes the following new policies that detect code upload and download events.

  • Honeywell Code Download

  • Honeywell Code Upload

• Siemens SICAM 8050 RTU — OT Security now supports Siemens SICAM 8050 RTU over SNMP v3. You can send queries directly to these devices to detect and fingerprint them. The active queries used to fingerprint these RTUs rely on SNMP v3, which requires an SNMPv3 credential.

Role-Based Access Control (ICP)

OT Security now includes the following changes to Local Settings > Users Management:

• Product administrators can now configure permissions for user groups using Zones.

• Configurable Zones based on asset groups.

• These zones determine the assets that a user or group can view.

• A user can only view assets that belong to the user's group along with assets, vulnerabilities, and events.

• OT Security monitors the assets outside the zone but hides them from those outside the relevant zone.

• You can configure non-admin accounts to be part of a specific group and zone to limit their visibility to relevant assets.

Enterprise Manager - Role-Based Access Control

OT Security EM now includes these changes in Local Settings > Users Management:

• Includes settings that control visibility and administrative rights for each linked site.

• You can now control which user groups can access each OT Security ICP.

• You can now configure the permissions for users in both OT Security EM and ICP level. Each EM user can now access the linked ICPs and set the access for read-only or write access.

Enterprise Manager - Support for Authentication Providers (LDAP, AD, and SAML)

• In OT Security EM, you can now leverage SSO providers (SAML) for authentication.

• OT Security EM now supports configuration of AD and LDAP authentication.

Enterprise Manager - ICP-EM Pairing Process via the OT Security Interface

• You can now use the Enterprise Manager page in OT Security to pair your ICP with OT Security EM. You can pair using an API key or username and password.

• The Enterprise Manager page provides a step-by-step guide to pair your ICP with EM.

• In OT Security, you can access the page from Local Settings > System Configuration > Enterprise Manager. For more information, see Pair ICP with Enterprise Manager.

Customizable Classification Banner

• OT Security now includes a Classification Banner option in the Local Settings > Device page. You can use this option to enable a persistent banner on the OT Security interface for compliance purposes. For example: Add a banner "Confidential" to the interface.

• In alignment with DFARS 252.204-7012, you can now set this banner accordingly for your CUI (Controlled Unclassified Information) or sensitive data.

• Users cannot clear or hide this banner or classification marking. This global setting affects all OT Security users.

Tenable One — Findings and Weaknesses

• If you integrated OT Security with Tenable One, you can now view and prioritize your OT Security vulnerabilities from within Tenable One without further configuration.

• Once you upgrade to the latest release, you can access both asset context and vulnerability details within Tenable One.

Rediscovered Asset Policy

• OT Security now includes a new policy: Rediscovered Asset.

• The Rediscovered Asset policy allows you to track assets that are offline for a specific period of time.

• The default policy name is "Asset Rediscovered after two hours of inactivity".

• You can create this policy from Policies > Network Events > Rediscovered Asset.

Custom Threat Detection (IDS) Signatures

• You can now manually upload all IDS-specific Indicators of Compromise (IoCs) to OT Security.

• You can now import Suricata formatted IDS rules into OT Security by using the command line.

Syslog Event Alerts Cache ("Store and Forward")

• In the event of a disrupted connection using TCP Syslog, OT Security caches events and sends them once the connection is re-established.

• The Allow syslog message caching option is available when creating a new Syslog Server in Local Settings > Syslog Servers.

• OT Security sends the cached events instantly in their queuing order while the connection was down.

Enterprise Manager — Site Sensors Visibility

• OT Security EM now includes the following two widgets specific to sensors:

  • Sensors Status: Indicates how many sensors are online versus offline.

  • Sensors per Site: Indicates the number of online or offline sensors per site linked to OT Security EM.

Enterprise Manager — Licensing

• OT Security EM now includes in-product licensing to activate the console. Contact your Customer Success Manager if you do not have an activation code for your EM.

Enterprise Manager — Appliance Details

• OT Security EM includes the following additional metrics about all paired OT Security appliances (ICPs):

  • CPU utilization, memory, disk, plugin and IDS timestamps, and license properties and consumption.

  • The Sensors column of the ICPs page shows the total number of sensors versus the number of online sensors. The column also includes a link to the Sensors page for that site.

New Configuration Flow for Authentication Servers

• OT Security EM now includes a simplified workflow for the AD/SSO/LDAP configuration.

• You can now assign user groups in OT Security to specific authentication servers.

• The improved Authentication Servers workflow affects both OT Security and OT Security EM.

Support for KEV Plugin Property

Any vulnerabilities that OT Security detects that are on the Known Exploited Vulnerabilities (KEV) catalog from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now show their due date. The KEV catalog helps security teams prioritize which risks to fix first so that they mitigate the greatest threats to their organizations. For more information, see Known Exploited Vulnerabilities.

Tenable Software Updates

OT Security has now updated to the latest versions of Tenable Nessus and Tenable Nessus Network Monitor.

Multiple Authentication Servers

OT Security now supports multiple authentication servers to facilitate the use of multiple SSO or LDAP services across the organization.

Active Query — Multi-port Configuration

OT Security can now initiate active queries directed at multiple ports for a single protocol. If your organization uses a variety of network ports for the same protocol, this allows you to inform OT Security to check all possible ports for details about the device or services.

License Upgrade Requirement

When updating OT Security, make sure the license has not aged out or exceeded. If this is the case, re-license the system after completing the software update.

WMI Installed Software Improvement — Windows LTSC Support

A WMI query on a Windows Long-Term Servicing Channel (LTSC) device now accurately requests and lists all installed software.

Backup and Restore - Powered by Tenable Core

The backup and restore capabilities has moved from OT Security and are enabled within Tenable Core to allow you to manage backups and to restore the backup from OT Security. You can now configure system backup within Tenable Core under Backup/Restore. For more information, see Restore a Backup in the Tenable Core user guide.

Changes to DNS Configuration

DNS server configuration has moved from OT Security to the Networking page in Tenable Core.

Vulnerabilities

OT Security now identifies the new following vulnerabilities:

Conflicts in permission levels set by Role-Based Access Control (RBAC) settings lead to users inheriting the most permissive group's permissions.

Oracle Linux 8 Support

You can now install OT Security using the Tenable Core with Oracle Linux 8 option.

Passive Monitoring Support

When you run OT Security on Oracle Linux 8, you can use the ERSPAN (Encapsulated Remote Switch Port Analyzer) traffic feeds for passive monitoring.

Upgrade to Tenable Nessus Network Monitor 6.3.1

OT Security now supports Tenable Nessus Network Monitor 6.3.1.

Management User Interface Changes

With the OT Security release on Oracle Linux 8, OT Security now has an improved login flow and management pages.

Filenames and MD5 or SHA-256 checksums are posted at the Tenable OT Security Downloads page.