Tenable.ot 3.4.9 Release Notes (2020-02-01)

New Features

New OT Devices Support

Support for the following models was added:

  • Yokogawa Prosafe - Level 1 Passive Support
  • Honeywell C300 - Level 1 Passive Support
  • PLC5 - Level 2 Passive Support, Level 2 Active Support
  • Serial DH+ Connection - Level 2 Passive Support, Level 2 Active Support
  • Cognex In-Sight Cameras - Level 1 Passive Support, Level 2 Active Support

The full list of supported vendors, together with a description of the support levels, can be obtained from a sales engineer representative.

New SCADA Protocols Support

  • Detection of Modbus error codes - three Modbus error codes are now flagged using designated policies: ‘illegal data address’, ‘illegal data value’ and ‘illegal function’.
  • Detection of IEC 60870-5-104 commands - several risky IEC 60870-5-104 commands are now flagged using designated policies. Examples include Start, Stop, Reset and Data Transfer.
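As an added illustration of the Modbus detection described above (example code, not Tenable.ot's own implementation), the following detector parses Modbus/TCP frames and flags exception responses carrying the three error codes named in the policies. It assumes standard Modbus/TCP framing (MBAP header followed by the PDU) and the exception-code numbering from the Modbus application protocol specification (0x01 illegal function, 0x02 illegal data address, 0x03 illegal data value); the sample frames are constructed, not captured traffic.

```python
import struct

# Exception codes from the Modbus application protocol specification
# (assumption: the three policies correspond to these standard codes).
FLAGGED_EXCEPTIONS = {
    0x01: "illegal function",
    0x02: "illegal data address",
    0x03: "illegal data value",
}

def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into MBAP fields and PDU; return None if malformed."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0 and the MBAP length field covers unit id + PDU.
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}

def detect_modbus_error(frame: bytes):
    """Return an event dict if the frame is an exception response with a flagged code."""
    adu = parse_modbus_tcp(frame)
    if adu is None or not (adu["func"] & 0x80) or not adu["data"]:
        return None  # not an exception response (high bit of function code clear)
    label = FLAGGED_EXCEPTIONS.get(adu["data"][0])
    if label is None:
        return None  # other exception codes are outside the three policies
    return {"tid": adu["tid"], "unit": adu["unit"],
            "function": adu["func"] & 0x7F, "exception": label}

def flag_frames(frames):
    """Run the detector over a sequence of server->client frames; return flagged events."""
    return [ev for ev in (detect_modbus_error(f) for f in frames) if ev]

# Constructed sample traffic (server responses), not a real capture.
SAMPLE_FRAMES = [
    bytes.fromhex("000100000005010302000a"),  # normal Read Holding Registers reply
    bytes.fromhex("000200000003018302"),      # exception: illegal data address
    bytes.fromhex("000300000003018101"),      # exception: illegal function
    bytes.fromhex("000400000003019004"),      # exception code 0x04 (server failure), not flagged
    bytes.fromhex("0005000000"),              # truncated frame, ignored
]

if __name__ == "__main__":
    for ev in flag_frames(SAMPLE_FRAMES):
        print(ev)
```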

Asset Criticality

An OT Asset Risk Criticality was introduced (Low / Medium / High). The default value is based on the asset type, but it can be changed by the user. A ‘none’ level is also supported.

Asset Risk Score

An OT Asset Risk Score was introduced (ranging between 0 and 100). It is calculated from the events, vulnerabilities and CVEs associated with the asset, together with the asset's criticality.

Integration with Tenable.sc

The integration of Tenable.ot and Tenable.sc utilizes OT CVE data to facilitate a unified VM platform across IT and OT. For configuration information, see the knowledge base article (requires an account).

Detection of Network Traffic & Conversations Spikes

The user can now receive alerts on anomalous network traffic throughput as well as on an anomalous number of conversations taking place. Both metrics are often associated with the presence of infected or malfunctioning devices. The reference time window and the sensitivity to changes in traffic are user configurable via the relevant policy.

USB Configuration Changes

The user can receive alerts on changes in the list of USB devices connected to MS-Windows machines, thus identifying insertion or removal of these devices. The frequency of this query is defined separately from the other WMI queries so that it can be run more often.

Switch Interface Details

All interfaces of network switches are mapped periodically to monitor their state and health, including the MAC address, name, status, alias, description and type of each interface. For configuration help, contact your Tenable representative and see the knowledge base article (requires an account).

Report Configuration

When generating a report, users can now control the asset drill-down portion: they can exclude it completely or include it only for certain asset types.

Health Check API

An API to query the system for its health state was introduced at:

GET https://<IP>/v1/healthcheck

The response contains details regarding the hardware health, container health, the throughput of the connected sensors and other details.

New API Authentication Method

Authentication using tokens was introduced in addition to the use of robots. The new method allows authentication using an HTTP Authorization header sent over HTTPS:

"Authorization: Key <API token>"

or a URL parameter: https://<IP>/v1/<API request>?apikey=<API token>

System Log Export

System log messages can now also be sent over Syslog to SIEM products.

Deprecated Features

  • Alerts drill-down chapter in the report - The Alerts Drill Down chapter has been removed from the report. Indegy v3.4 has events instead of alerts, and hence this chapter is deprecated.
  • Showing the diagnostic buffer of Siemens controllers - This query is no longer supported by the core platform and is removed from the UI.

Bug Fixes

  • Resolve All Events not working
  • Policies search and filter not persistent on reload
  • Asset editing requires hard refresh to apply values
  • Vulnerability matching over-matching in some cases due to NVD formatting