NanoLock Security, ISTARI push device level OT cyber protection, meet emerging global federal guidelines

Device-level zero-trust OT cybersecurity company NanoLock Security aligned with ISTARI to provide ISTARI’s clients with NanoLock’s device-level zero trust OT (operational technology) protection against cyber threats caused by internal and external adversaries. The alliance will also meet emerging federal guidelines for U.S., EU, and Singapore’s critical infrastructure installations. 

The partnership will enable ISTARI’s clients, which include large enterprises in critical infrastructure sectors such as manufacturing, energy and utilities, gas and water, chemicals, and pharma, to utilize NanoLock as part of ISTARI’s OT cybersecurity solutions suite. Moreover, the device-level prevention offered by NanoLock will ensure vendor-agnostic protection for both new and legacy OT assets against both external and internal cyber threats. 

NanoLock’s zero-trust industrial product suite protects industrial manufacturing at the device and machine level, with no impact on performance and functionality. With NanoLock, ISTARI’s industrial clients will be able to protect their production environments from external and internal cyber threats, including OT ransomware, malware events, credential misuse, third-party service providers, employee negligence, and human errors.

Addressing how the NanoLock-ISTARI collaboration would secure critical infrastructure against cyber threats in the current threat landscape, especially those that can bring about ‘cross-industry disruptive/destructive’ ICS/OT malware, Eran Fine, co-founder and CEO of NanoLock, told Industrial Cyber that at NanoLock, the focus is on ensuring the operational integrity of critical infrastructure.

“Existing solutions such as IDS, IPS, and PAM that are undoubtedly required, either provide post-incident detection – without preventing the damage or rely on network connections. They also do not protect from insiders,” Fine said. “NanoLock’s differentiator is in its ability to deliver prevention-based, device-level protection that ensures the integrity and the continuity of production lines and operations at all times, including in the event of an insider attack. Where we are, Level-1 device protection remains an untapped market – a market in which we are first movers and category definers.”

Abel Archundia, managing director of global advisory & life sciences and industrials for ISTARI told Industrial Cyber that cyber threats against manufacturing, energy, and industrial sectors are escalating around the world. “At the same time, we are seeing a significant rise in insider events and human errors, creating an urgent need for zero-trust cyber protection at the device level.”

“The reason we added the device-level, zero-trust NanoLock solution to ISTARI’s OT cybersecurity capabilities is because it extends the offering to our clients,” according to Archundia. “NanoLock’s solution is single-mindedly focused on prevention. It protects OT critical assets. With NanoLock as a partner, we can provide manufacturing companies, utilities, and critical infrastructure device-level protection.”

The OT cyber industry is currently facing significant challenges in dealing with the threat landscape of cross-industry disruptive and destructive malware, Madison Horn, CEO and founder of Roserock Advisory Group, told Industrial Cyber. “Despite the complexity of this issue, the industry must rise to the occasion and address it head-on. The industry’s goal has been to achieve full visibility of assets or at least have a comprehensive asset management repository. However, this has proven difficult and expensive due to the prevalence of legacy devices, limited manpower, and other factors.”

“Furthermore, the management of the exploding number of new vulnerabilities has hindered the OT industry in a reactive mode, according to Horn. “If security professionals’ role is to shorten the time it takes to detect an attack, prevent an attack, or minimize the impact, the industry must move to a more active state of security. To achieve this, stakeholders must rationalize and understand the environment, calculate the potential impact and likelihood of risks, and focus investments.”

By applying a zero-trust model focused on systems with the highest potential impact, such as PLCs, the industry can move towards a more active state of prevention, Horn added. “This can mitigate risks and potentially stop attackers from executing attacks with such efficiency in current environments where even dropping a pin through the stack is possible. Focused preventive measures of layered security allow security teams more time to detect an intruder before the objective is achieved or even prevent an attack from being performed by limiting the ability of an attacker to gain privileged access to critical systems that interact with the physical world.”

Horn added that the OT cyber industry faces significant challenges in dealing with the current threat landscape. “However, by applying a zero-trust model and implementing focused preventive measures, the industry can move towards a more active state of security and minimize the impact of attacks.”

Looking into exactly how the NanoLock-ISTARI announcement explicitly calls for the implementation of device-level zero-trust architecture, Fine said that there is increasing awareness in the industry about the critical need for device-level, zero-trust protection. “We believe that with ISTARI offering our solution, more and more companies will have a chance to implement the industry’s first device-level, zero-trust architecture and ensure that their mission-critical assets are protected.”

Archundia said that ISTARI partners “with innovative solutions to support our clients on their journey to becoming digitally resilient. With NanoLock, we are providing our clients end-to-end protection.”

The executives also look into the additional safeguards that have been put into place by NanoLock-ISTARI to meet emerging federal guidelines for U.S., EU, and Singapore’s critical infrastructure. They also throw light on how these would be updated as the regulatory framework across these nations continue to build in response to the current threat landscape.

“We believe it is inevitable that the US will follow Singapore and the EU and will soon turn recommendations into binding regulations in order to protect critical infrastructure from massive cyber-threats,” Fine said. “When it comes to NanoLock’s ability to help meet emerging guidelines and regulations, the answer is in the very solutions we offer – device-level, zero-trust protection designed to secure industrial manufacturing at the device and machine level, with no impact on performance and functionality.”

The Cyber Security Agency of Singapore’s recent updates to the Codes of Practice for Critical Infrastructure (CSA CCoP 2.0) lays out clear best practice examples for the industry and urges device-level critical OT asset protection, Archundia said. “The new European Union regulation, NIS2, explicitly requires the adoption of active cyber protection and prevention, including the zero-trust principle and device configuration, plus cyber hygiene practices.” 

Following in their footsteps, Archundia points out that the U.S. Federal Government’s National Institute of Standards and Technology (NIST) published the new ‘Guide to Operational Technology (OT) Security’ (NIST SP 800-82r3), which calls for the protection of individual OT devices from exploitation.

“While the U.S. NIST is a guidance and a draft, the Singaporean and EU regulations are in effect and being enforced. We believe that these unfolding developments attest to the increasing awareness and commitment to protecting critical infrastructure and entire industries,” Archundia added. “With NanoLock, our industrial clients will be able to protect their production environments from external and internal cyber threats, including OT ransomware, malware events, credential misuse, third-party service providers, employee negligence, human errors, and more.”

Horn pointed out that recent guidelines issued, such as the newly released White House National Cybersecurity Strategy, have emphasized the need for vendors in the critical infrastructure space to adopt an active approach towards security. “This means prioritizing a principle of zero-trust – the concept of ‘secure-by-design’ – placing a higher level of responsibility on vendors and reinforcing the security of existing devices and legacy systems. This shift is crucial, enabling the industry to better prioritize preventive measures on existing systems and reducing the number of inherited vulnerabilities on new devices. 

Overall, “the new guidance will have positive impacts on the industry over time and force all parties within the energy value chain to be actively engaged and responsible for mitigating risks,” she added.

Earlier this month, the Federal Bureau of Investigation (FBI) reported in its Internet Crime Complaint Center (IC3) that the agency has seen an increase in an additional extortion tactic used to facilitate ransomware in 2022, as the number of reported ransomware incidents has decreased. The IC3 report comes in the wake of the cyber landscape providing ample opportunities for criminals and adversaries to target U.S. networks, attack critical infrastructure, hold money and data for ransom, facilitate large-scale fraud schemes, and threaten national security.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.