Tenable.ot 3.7.18 Release Notes (2020-08-10)

To download Tenable.ot upgrade files, see: https://tenable-ot.sharefile.com/d-sfde665c7b9942aba.

For a list of previous versions that are possible to perform a direct upgrade from, see: https://tenable-ot.sharefile.com/d-sb0d4e3b0df840318.

New Features

Vendor Support

  • Emerson Ovation - Standard Active Support
  • Siemens S7+ - Premium Support Including Full Backplane Inventory
  • HART Protocol - Basic Passive Support

Asset Types - Increasing Type Catalog

Tenable.ot has taken another step forward to diversify the available types for asset classification. With that, it can better communicate to its users granular findings on their inventory and increase familiarization. On top of that, users are able to manually classify assets to each of the available types.

The new list of asset types:

Controllers Field Devices OT Devices OT Servers Network Devices Servers IoT Workstations Endpoints
Controller Field Device OT Device OT Server Network Device Server IoT Workstation Endpoint
PLC Actuator Industrial Printer Historian Router File Server Camera OT Workstation Mobile
DCS Smart Sensor   HMI Switch Web Server Panel Engineering Station  
IED Inverter   Data Logger Hub Virtual Server Projector Virtual Workstation  
RTU Relay     Wireless Access Point   VOIP Device    
Communication Module Remote I/O     Firewall   3D Printer    
I/O Module Power Meter     Converter   Printer    
CNC       Radio   UPS    
Power Supply       Serial-Ethernet Bridge   IP Phone    
        Gateway   Storage Device    

Integrating Nessus into Tenable.ot

Tenable.ot allows its users to perform a Nessus scan on assets of their choice. This allows them to harness the best of vulnerability assessments for all non-OT specific assets in the OT environment. Subsequently, Tenable.ot can reflect these vulnerabilities to Tenable.sc and Tenable.io based on the available integrations between them in order to allow for complete vulnerability assessment for all enterprise environments.

Users control over Nessus scans from Tenable.ot is comprehensive as they are launched only on single assets by user-activation only. At the same time, Tenable.ot prevents the execution of Nessus scans on assets which are identified as controllers, field devices and other OT specific devices. In addition it advises the user to take extra care when analyzing OT-related servers, and to consider such scans on maintenance time windows.

New Scan for Ripple20 vulnerabilities identification

Tenable.ot allows its users to perform a scan of their inventory to identify vulnerable devices related to the recently publicly available Ripple20 set of vulnerabilities. This is based on the Nessus plugin which was made available after the disclosure. Users can launch this scan manually and have full control on which assets to scan.

User Managed Intrusion Detection Rule Groups

On top of the existing out-of-the-box intrusion detection policies and available Suricata rules which are organized in predefined rule groups, Tenable.ot now offers extended flexibility in their accommodation to specific environments and circumstance. Users can now review the entire rule repository, which includes both curated and tenable own rules, and create user-defined policies to apply self chosen rules. In addition, the user can add or remove rules from existing threat detection policies in case further adaptation is needed.

PCAP Player

Users can now play network capture files (.pcap, .pcapng, .pcap.gz, .pcapng.gz) to Tenable.ot core platform. This can be used for simulation purpose or in order to analyze traffic that is not taken from the parts of the network that are monitored continuously. Uploading and playing network capture files are available from the PCAP Player page in the settings.

VPR and Threat Intelligence Indicators for CVEs

  • VPR

    Vulnerability priority rating, the output of Tenable Predictive Prioritization, helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on severity level determined by two components: technical impact and threat. The VPR score is now displayed for each identified CVE, both in the CVEs tab in the single asset page and in the general CVEs table under the Risk tab.

  • VPR Key Drivers

    For each CVE you can now view the global threat landscape key drivers to explain the CVE's VPR score.

    The following table describes the key drivers:

    Key Driver Description
    Vulnerability Age The number of days since the National Vulnerability Database (NVD) published the vulnerability.
    CVSSv3 Impact Score The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable.ot displays a Tenable-predicted score.
    Exploit Code Maturity The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
    Product Coverage The relative number of unique products affected by the vulnerability: LowMediumHigh, or Very High.
    Threat Sources A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
    Threat Intensity The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very LowLowMediumHigh, or Very High.
    Threat Recency The number of days (0-730) since a threat event occurred for the vulnerability.
  • CVSSv3

    We are now presenting the Common Vulnerability Scoring System (CVSS) v3 besides the former CVSSv2 and the new VPR score in the CVEs page on the general Risk tab and in the CVEs tab of single assets.

  • Base Scores

    NVD's base scores are presented per each identified CVE. The base scores are the characteristics of the CVE that are constant with time and across user environments. The Access Vector, Access Complexity, and Authentication metrics capture how the vulnerability is accessed and whether or not extra conditions are required to exploit it. The three impact metrics measure how a vulnerability, if exploited, will directly affect an IT asset, where the impacts are independently defined as the degree of loss of confidentiality, integrity, and availability.

Indicating Purdue Level of Assets

Every asset is now labeled with its level according to the Purdue Model for Computer Integrated Manufacturing. Based on that users can sort, filter and group by their Purdue level. The Purdue level designation of assets are available for users to edit.

Event Based PCAPs from Enterprise Manager

In version 3.5.13 we released the capability of extracting .pcap files filtered from the full network captures to specific events triggered by our policy based engine. We are now enabling this capability from the single site view of the Enterprise Manager as well.

Bug Fixes

Bug Fix
Aruba ClearPass integration - Slowed down the rate of information which is sent to ClearPass.
Report Performance Issues Fixed - Limited number of assets in CVE Drill Down chapter to 20.
Fix wrong units on Top Sources/Destinations Chart on network summary page
Setup Wizard redirected to blank white page (instead of reloading page)
Report with asset drill down information failed to be generated
Packet capture File Management for Sensors behind NAT fix.

Integrated Tenable Product Compatibility

The following table lists the Tenable product versions tested with this version of Tenable.ot.

Product Tested Version(s)
Tenable.sc 5.11 and later
Nessus 8.10.1 and later