Ensuring the security of our products and the constant exploration of security issues in OT and IoT environments are top priorities for the Nozomi Networks R&D team. We’re always looking for ways to refine this effort because we know it’s critical to the security of the operational infrastructure we help monitor around the world.
That’s why today we are pleased to share that the Common Vulnerabilities and Exposures (CVE) Program has given us CVE Numbering Authority (CNA). As a CNA, we can now assign CVE numbers to newly identified vulnerabilities and publicly disclose information about these vulnerabilities. This includes assigning CVE numbers to vulnerabilities found in Nozomi Networks products, as well as third-party automation and industrial products not covered by another CNA.
About the Common Vulnerabilities and Exposures (CVE) Program
Recognized as the international standard for identifying and naming cybersecurity vulnerabilities, the Common Vulnerabilities and Exposures (CVE) Program maintains a community-driven registration of vulnerabilities. CVE IDs assigned through the registry make it possible to rapidly discover and correlate vulnerability information being used to protect systems against attack. The program, sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), is operated by MITRE and feeds the U.S. National Vulnerability Database (NVD).
“We are pleased to grant Nozomi Networks CVE Numbering Authority. In addition to a deep commitment to ensuring the security of their own products, a team of researchers in Nozomi Networks Labs also works to identify vulnerabilities in other industrial equipment and software. Nozomi Networks leads their industry in the number of responsible disclosures made to the United States ICS-CERT. They’ve consistently demonstrated a high level of professionalism and expertise in helping impacted customers and vendors quickly address identified vulnerabilities. Their specialized expertise in OT and IoT cybersecurity and the processes they have established to ensure the cybersecurity of their own products make them a valued member of the CNA team.”
– Scott Lawler, CEO LP3 and CVE Board Member
Nozomi Networks’ CVE Numbering Authority (CNA) Scope
CNA organizations assign and maintain CVE entries within their specific scope. In our case, Nozomi Networks will assign CVE IDs to public vulnerabilities found in our products and vulnerabilities found by Nozomi Networks Labs in third-party products not covered by other specific CNAs.
Our Continued Focused on Protecting Industrial Networks Around the World
Nozomi Networks researchers have made more than a dozen responsible disclosures, which have resulted in 13 CISA ICS-CERT Advisories to date. We use the MITRE ATT&CK Framework for ICS terminology in our detection and alerting capabilities, to support customers with immediate context for any detected activity. This also reduces the need for additional research to understand and respond to the behavior. Nozomi Networks products are ISO 9001: 2015 certified. The Quality Management System used formalizes product security steps to ensure state-of-the-art coverage of cybersecurity issues within them.
Last month, we launched a Product Security Incident Response Team (PSIRT) webpage to house security advisories and provide contact details for our security response team. Becoming a CNA helps us ensure a better incident handling procedure for customers, and a better workflow for the Security Advisory (SA) found by Nozomi Networks Labs.
We are honored to receive CNA status. Our passion for helping customers and the industry as a whole fuels Nozomi Networks’ history of innovation and success. This is a significant milestone that allows us to do even more to strengthen the security of the operational infrastructure that people rely upon around the world.
To learn more about our cybersecurity threat advisories, research reports and community tools, visit Nozomi Networks Labs.