Ensuring the security of our products and the constant exploration of security issues in OT and IoT environments are top priorities for the Nozomi Networks R&D team. We’re always looking for ways to refine this effort because we know it’s critical to the security of the operational infrastructure we help monitor around the world.
That’s why today we are pleased to share that the Common Vulnerabilities and Exposures (CVE) Program has given us CVE Numbering Authority (CNA). As a CNA, we can now assign CVE numbers to newly identified vulnerabilities and publicly disclose information about these vulnerabilities. This includes assigning CVE numbers to vulnerabilities found in Nozomi Networks products, as well as third-party automation and industrial products not covered by another CNA.
Nozomi Networks is an authorized CVE Numbering Authority (CNA). The CVE Program is the de facto international standard for identifying and naming cybersecurity vulnerabilities.
About the Common Vulnerabilities and Exposures (CVE) Program
Recognized as the international standard for identifying and naming cybersecurity vulnerabilities, the Common Vulnerabilities and Exposures (CVE) Program maintains a community-driven registration of vulnerabilities. CVE IDs assigned through the registry make it possible to rapidly discover and correlate vulnerability information being used to protect systems against attack. The program, sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), is operated by MITRE and feeds the U.S. National Vulnerability Database (NVD).
“We are pleased to grant Nozomi Networks CVE Numbering Authority. In addition to a deep commitment to ensuring the security of their own products, a team of researchers in Nozomi Networks Labs also works to identify vulnerabilities in other industrial equipment and software. Nozomi Networks leads their industry in the number of responsible disclosures made to the United States ICS-CERT. They’ve consistently demonstrated a high level of professionalism and expertise in helping impacted customers and vendors quickly address identified vulnerabilities. Their specialized expertise in OT and IoT cybersecurity and the processes they have established to ensure the cybersecurity of their own products make them a valued member of the CNA team.” – Scott Lawler, CEO LP3 and CVE Board Member
Nozomi Networks’ CVE Numbering Authority (CNA) Scope
CNA organizations assign and maintain CVE entries within their specific scope. In our case, Nozomi Networks will assign CVE IDs to public vulnerabilities found in our products and vulnerabilities found by Nozomi Networks Labs in third-party products not covered by other specific CNAs.
Our Continued Focus on Protecting Industrial Networks Around the World
Nozomi Networks researchers have made more than a dozen responsible disclosures, which have resulted in 13 CISA ICS-CERT Advisories to date. We use the MITRE ATT&CK Framework for ICS terminology in our detection and alerting capabilities to give customers immediate context for any detected activity. This also reduces the need for additional research to understand and respond to the behavior. Nozomi Networks products are ISO 9001:2015 certified. The Quality Management System we use formalizes product security steps to ensure state-of-the-art coverage of cybersecurity issues within our products.
Last month, we launched a Product Security Incident Response Team (PSIRT) webpage to house security advisories and provide contact details for our security response team. Becoming a CNA helps us ensure a better incident handling procedure for customers, and a better workflow for the Security Advisory (SA) found by Nozomi Networks Labs.
We are honored to receive CNA status. Our passion for helping customers and the industry as a whole fuels Nozomi Networks’ history of innovation and success. This is a significant milestone that allows us to do even more to strengthen the security of the operational infrastructure that people rely upon around the world.
To learn more about our cybersecurity threat advisories, research reports and community tools, visit Nozomi Networks Labs.
Co-Founder and Chief Technical Officer
Armed with a Ph.D. in Artificial Intelligence and an extensive background in systems engineering and software development, Moreno Carullo has led the way in redefining the ICS cybersecurity product category. A long-time member of the IEC TC57 WG15 subcommittee, he is also actively working to shape cybersecurity standards for power system communication protocols. As Founder and Chief Technical Officer at Nozomi Networks, Moreno leads an exceptionally talented software development team that uses agile development to quickly address the cybersecurity requirements of enterprise customers and partners.