Operational Technology (OT) Conversation

Singapore International Cyber Week
Detection and Response capabilities for cybersecurity incident in the Operational Technology environ...
Video Transcript:
Ladies and gentlemen, welcome to Singapore International Cyber Week 2022. I'm Charmaine E and I'm delighted to be your host this afternoon. Detection and response capabilities for cyber security incidents in the operational technology environment today may be challenging, with legacy equipment and vendor restrictions limiting the extent of cyber security capabilities that can be deployed to ensure cyber threat visibility. With the constantly evolving cyber threat landscape, threat detection and response capabilities for OT also need to keep up and evolve to manage tomorrow's cyber threats. This session today hopes to share insights involving people, process and technology that should be considered to manage tomorrow's threats.

To begin this afternoon's event, allow me to introduce our opening remarks speaker, the Director of the Critical Information Infrastructure Division, Cyber Security Agency of Singapore, Mr Lim Thian Chin. Mr Lim, please. [Applause]

Esteemed panelists, distinguished guests, a very good afternoon. Welcome to the Operational Technology Conversation track, SICW 2022. I'm pleased to have all of you with us joining today, including those who are connecting virtually. As the world gradually returns to a state reminiscent of pre-COVID days, some things are unlikely to go back to the
way they were. More companies are connecting their OT systems to the corporate IT systems to reap the benefits and efficiencies of digital connectivity, and COVID-19 has accelerated this trend. Unfortunately, with greater connectivity and efficiency also come greater risk and increased attack surfaces. Cyber threats to OT systems are also evolving: they are becoming more sophisticated and now increasingly spilling over into the physical world with real-world consequences, as evidenced by incidents like Colonial Pipeline, JBS Foods and the Oldsmar water plant attack in Florida. These attacks on OT systems are not new, but they have grown both in number and impact. As the saying goes, time and tide wait for no man. I would also argue that the same can be said about man-made events such as cyber attacks: threat actors do not care about the challenges of our time; they aren't pulling their punches just because we are struggling with the difficulties of life.

It was in recognition of this growing cyber-physical risk that CSA is capitalizing on every single opportunity to engage stakeholders in both the local and regional OT ecosystems. This OT Conversation track is the finale of CSA's three-part engagement series in 2022. The OT Cyber Expert Panel (OTCEP) in July focused on promulgating sound practices in the governance, engineering and operational aspects of OT owners. The OT-ISAC Summit in September covered a wide breadth of comprehensive topics, ranging from cyber exercises to governance to technical capabilities and the state of the OT threat landscape. Today we move further upstream into the OT ecosystem: this forum aims to provide a platform for knowledge sharing and mutual learning between OT solution providers, and we hope such experiences will continue to catalyze deep and impactful conversation on technical capabilities between industry, policy makers and researchers. To these ends, CSA believes in building generative relationships around regulations, moving away from scorekeeping to sense-making and co-creation, where regulators and the various stakeholders in the ecosystem can work together to build a culture of honesty, trust, open disclosure and shared discovery. With that, welcome again to the conversation. I wish you all invigorating and fruitful discussion. Thank you. [Applause]

Thank you very much, Mr Lim. It is with great pleasure that I introduce our keynote address speaker, the Global Head of Solutions Engineering at Nozomi Networks, Mr Jeffrey Blake. Mr Blake, please. [Applause]

Welcome again
and thanks, Charmaine, for that introduction. I'm going to touch on a few things today that are really food for thought, designed to get us talking, and we have a panel session later, so some things for you to consider. If you've been to the show so far, or if you've heard any of the other sessions, there's a lot of talk about new things, emerging threats, and my talk is going to center on really refocusing all of us around some fundamental pieces that we can address right away.

I live in the US, and the NBA basketball season just started. If you're a fan of basketball or any professional sport, you know that when they interview the coaches at the end of the season, the winning coaches are always saying the same thing: our dedication to the fundamentals of the sport is what brings the wins. Everyone loves to see the exotic three-point half-court shots and the buzzer beaters, but it's the teams that are very consistent with their passing, with their gameplay, with their dribbling, all of the less exciting pieces of the game, those are the winners. So that's the focus I'd like to build an analogy around.

By the way, I structured this like a top 10 list, so much like some of the clickbait you might be enticed into reading, I kind of framed it out this way. The first thing we can do: let's stop saying that our OT systems are no longer a threat. OT folks, OT security people, are very different than IT folks, who tend to be extraordinarily over-paranoid. With OT there's so much more of a delivery of services that security doesn't always get the same level of attention that it should, and so once compliance is reached, once an audit is passed, or once a product is put in place to secure the OT network, many times it's not thought about again. So my guidance to you is: stop saying you're compliant, stop saying you're not a threat or not going to get threatened, and stop saying you're not going to become a target because your network is air-gapped or something of that sort. Keep in mind:
stay paranoid, stay focused.

The second thing you can do is recognize that industrial control systems are different from OT. Mr Lim talked a bit about the convergence of IT and OT; there's a lot of shared services that are beginning to emerge and become part of the conversation. That's very dangerous ground if those two networks are not strategically integrated and tactically managed. So what I want to make sure we understand is that OT networks look a lot more like an IT network than a SCADA or an ICS network might, and so the threats are very different as well. OT networks tend to have attacks that are a little less sophisticated: there's a lot of malicious insider threats, there's script kiddies, and the 2019 Ellsworth, Kansas plant and, I think Mr Lim also mentioned, the Oldsmar, Florida water treatment plant. Those attacks were from people that worked at those facilities; they were disgruntled employees that were terminated for one reason or another, and their introductions back into the network were from oversights: default passwords that hadn't been changed, or the lack of a termination process, and accounts that were left open even after the employees were terminated. Those are things that are easy to fix but are often overlooked. On the other hand, industrial control networks and systems have very sophisticated attacks. The processing power in those networks is very specific and the attacks are equally sophisticated, so you think about Stuxnet, Duqu, Flame, all of the legacy attacks that were part of those networks: very, very sophisticated, very, very targeted and very, very detailed. So make sure your strategies are aligned in the right place, especially as you converge from IT to OT.

One of the best things to consider is segmentation. If you're managing an OT network, I'll encourage you, if you don't already, to use the Purdue model of network segmentation. That is a wonderful way to really look at your organization, your topology, your approach to the network. Many products from the vendors that are here today align to that, and it's very different from how we treat IT, but again, in the spirit of convergence, segmentation tends to be one of the best ways that we
can keep the attackers that are on the IT side away from the OT side.

The fourth one is: let's not just believe that our trusted vendors are embracing the same level of security awareness that we are within our four walls. If you have vendors that have secured access or service accounts to update their assets, that's great, but you really need to have a unifying strategy. Each vendor does these things differently, and it's a far different set of access control than we have on the IT side. These things need to be strategically designed so that it's very obvious when there's a problem, and that takes a lot of work; you really need to do the exercises to get it right.

Really enumerating your assets in the OT world is a lot of work as well, but there's no silver bullet, there's no single product that helps you with this. You do need to really begin to track, at a baseline level, all of your network traffic, all of the patterns that describe baseline functionality of specific operations, and capturing the specific function codes and the process variable data that are part of those messages is the way to do that.

If we look at it from the other way, the products that our vendors are supplying, very robust firewalling, industrial IDS systems, specifically with deep packet inspection, are the ways that you're able to extract that data from the previous bullet. That's where you get the data out, and that's how you're able to establish very granular baseline information. On top of that, you want to make sure that you have very specific industrial-control-system-aware IDSs, and what I mean by that is you want to ensure that the specific codes for specific vendors help you describe what normal looks like. That's where you get a baseline that's of high quality, and that's where even small deviations from that baseline can help you build the alarms that'll describe what a potential attack might look like.

The next two bullets I have are for folks that are using OPC. These are a very specific set of widespread things that you want to address, but you want to be able to, at a very fine-grained level, understand all of the traffic that's coming over those OPC UA ports and be able to know what normal looks like. Again, you can enable your logs and aggregate them across the entire asset platform to really help you manage that, and if you're turning on logging for the first time, or if you're really looking at that as a solution, which I highly recommend, you want to also build a cadence around your strategy to continually review those logs, continually refine what your baseline looks like and continually enhance the way that you're able to pick up anomalous events.

So that's my food for thought. I look forward to the panel Q&A later, and I'm going to turn it back to our moderator. Thank you. [Applause]

Thank you, Mr Blake, for sharing your perspectives with us. Ladies and gentlemen, I'd like to invite Mr Paul Griswold, the Chief Product Officer for Cyber Security at Honeywell, to come on stage to share some insights on the areas involving
people, process and technology that should be considered to manage tomorrow's cyber threat detection and response. Mr Griswold, please.

Great, thank you very much. It's a great pleasure and a great honor to be here. Singapore is one of my favorite places to come; it was actually my very last trip before COVID and one of my very first trips after COVID, so I've already been here twice this year. So it's really, really good to be back.

In my role at Honeywell, our teams have the opportunity to work with all sorts of different companies around the world with specific OT cyber security challenges, and every single company is at a different place in their journey. While I'm not going to mention any company names, our legal team doesn't like that, I will be sharing some of the things that we have seen as people progress along their journey, as they become more mature in their cyber security operations.

I don't think it's a surprise to anybody at this conference that attacks are rising. Jeffrey had spoken to some, Mr Lim had spoken to some as well. The types of attacks continue to go up every year. We are seeing an increase in attacks that are specifically targeting OT systems as well, so it's no longer just the generic attacks that are kind of a spray-and-pray type of approach where you try to get in any way you can; we're seeing specific attacks designed to take advantage of and break OT systems. You can see a couple of different examples here: you have everything from targeted spear-phishing to other types of targeted attacks, and these are certainly on the rise.

The need for industrial cyber security continues to grow as well, especially when you look at digitalization and IT/OT convergence. Some of the advantages you may have thought you had in the past, like things being clearly air-gapped or just being offline and inaccessible, just aren't really the case anymore. We've got a couple of stats here around organizations who experience some sort of cyber attack: the breaches that happen because of human error, so this is either somebody who is maliciously or just accidentally doing something that is enabling some part of the attack in its chain. The attacks themselves have a pretty long dwell time, up to two-thirds of a year, 295 days, and then you also have downtime for ransomware of about 22 days. If you think about that downtime stat for OT production, one of the good and bad things about OT attacks is you can actually measure what that attack is costing you. If you look at an IT attack where someone has stolen some data, you know it's bad, but you can't necessarily put an actual cost on what that data is worth. In an OT process you know exactly how much money that product you're developing is making, so if you're down for 22 days, that's going to be very costly to the bottom line.

If we take a look at some indicators specifically here in Asia, again many companies are still not very up to speed on cyber security for OT, especially compared to their IT side. We see many companies have been impacted by attacks, and when you look at when people
make a decision to actually do something, it's oftentimes after the attack has happened, so it's in response to something bad that has been costly to the company. That's when they get around to actually looking for new, modern solutions, versus policies or other things that may have happened in the past.

USB is one that we like to talk about a lot, because in the IT world you can pretty much disable USB. We have this even at Honeywell with our laptops: I cannot go to my laptop and put in a storage stick and have that work; that's just been locked down by device control. You're very challenged in most cases to do this in a DCS environment, because the way many of these systems are updated still is with a USB key, and you also have the combination of different employees, vendors and contractors coming in to do the updates. So whereas in the IT world you can just lock USB down, in the OT world you pretty much, in most cases, have to leave it on in many instances to allow the system updates.

If you look at some stats specifically from the Honeywell USB Threat Report that was just put out a couple of months ago, we're seeing an increase in attacks that are specifically designed to use removable media to get into the organization. We saw 52 percent last year; the previous year was 32 percent, so you're seeing a pretty big increase there. Of the malware that we have analyzed, 81 percent was able to cause some sort of disruption to the industrial control system, so it could be a loss of view, loss of control or something even worse, but the vast majority of this malware is designed to cause some sort of harm. And of the threats that we've seen, 51 percent have some sort of capability to establish some sort of remote access, so you can think of it, in some cases, as USB threats designed just to allow the attacker to get into the network and open up some sort of covert communication channel. Once that's open they can do many different things through that channel, and they can get that persistence.

One of the very interesting dynamics with OT versus IT is that in many cases the IT and the OT people don't like each other, and there's often some history there. Sometimes it dates back to the IT folks, with very good intentions, trying to implement some sort of technology or some sort of new process in the OT environment, and they've ended up breaking something. If you're an operational manager or a plant manager, your bonus, your pay, is typically tied to your production, so if you have systems that are going down even for a couple of hours because some new security control was put in without being properly tested, that's going to cause you some issues.

When we look at where companies are on their journeys, everyone's starting from somewhat of a different place, but we see a couple of different categories. One is companies that are very OT focused in general, so for instance companies that are in the pulp and paper industry or other types of manufacturing. A lot of times they'll be somewhat advanced because they think OT first; their people in the cyber security department are oftentimes OT veterans, and they're able to put into place technology and processes and procedures that are pretty well tuned to the OT environment. You can contrast that with the other end of the spectrum, where it's more of an IT-first type of mentality, and in cases like that a lot of times what you'll find is that IT may be responsible for the overall security, but they're not actually implementing controls; they're creating policies and guidelines and procedures and things like that and giving them to the OT side of the house, and really just kind of trusting that they're doing what the policies say. Then when you mix into the equation things like mergers and acquisitions, where you've acquired some new manufacturing facilities or some new plants that may be using completely different technologies, typically you're acquiring those things because of the value they produce, so your number one thing the first day is not going to be to go in and mess around with whatever cyber security they may have in place. So you get all sorts of different scenarios and
everyone is at a different point on their journey.

But I did want to take a minute and just talk about some of the differences that we typically see between IT and OT. If you take a look at just the first dimension, which is what the cyber security protects, on the IT side it's really going to be about information: trade secrets, customer lists, other types of corporate information, contracts, items of that nature. So it's typically on the information side. On the OT side, what you're protecting is assets and other types of processes that actually produce you money, so critical infrastructure and other types of things. The types of protections there are obviously going to be very different. On the IT side, again, if you have a breach of data, that's maybe going to make your stock price go down, it's going to have some legal consequences, it may also give a hit to your reputation, none of which are good things. On the OT side you're talking about maybe even more severe consequences, so not only do you have the potential economic loss for having your process be interrupted, you also have things like potential loss of life, environmental impact, property damage, things like that, because the OT systems are controlling something physical; if they go haywire it's going to have some sort of physical effect.

If you look at how the operators of OT versus IT view their systems: on the IT side, again, availability and reliability are important, but you can pretty much run patches every second Tuesday of the month and have a couple of minutes of downtime; you're generally able to do that type of thing. On the OT side, interruptions are just not acceptable, so even a minute of downtime can have a significant financial impact.

From a skills perspective, I don't think it's any secret that it's very difficult to fill cyber security jobs right now. Depending on what survey you look at, if you have one role open you'll either have half a person, or a third of a person, or maybe even a quarter of a person who is able to fill that job, so you have literally negative unemployment within the IT cyber security world. On the OT side you have those same challenges, because you need that same type of cyber security skill, but you also need to find people who are familiar with the OT systems themselves. So when you think about that, you're trying to find kind of a unicorn, because you've got to have someone who's really good at the security side and also understands how the security side impacts the OT process. You have to have that domain knowledge and process knowledge, and just a much wider understanding.

When you look at the environments themselves, typically in IT you have a laptop that's maybe two to three years old; it's typically running a modern operating system on a modern processor, and you're able to install the latest cyber security tools on there without an issue most of the time. On the OT side: lots of Windows XP, lots of Windows 7, even some Windows NT, and even some things that may be older than that. You're not going to be able to drop the latest EDR agent onto that type of system and have it perform well, and you're definitely not going to be able to do that and have it not impact the overall speed of the system itself, so as a result you'll be impacting the process itself.

Then finally, when you look at software and upgrades, again on the IT side it's a pretty well solved problem, especially for Windows devices, and there are plenty of solutions out there that will go and help you solve your non-Windows devices, but again, a couple of minutes of downtime is generally not a big deal. On the OT side you have all sorts of different dynamics there, so even if you have a very critical patch that comes out and says, if someone exploits this zero-day vulnerability all these very bad things can happen, it's still unlikely that someone's just going to throw that on there the next day. They're going to do an analysis of how closing this exploit would potentially reduce their exposure, and they're also going to take a look
at the compensating controls, where perhaps we have some other technology in place that we can use to buy us some time to do the patching, which we have planned for six months from now. So, as you can see, some pretty stark differences between the two, and this is one of the primary reasons why IT solutions can't just be dropped into the OT network and expected to work just like they do in IT.

The MITRE ATT&CK framework: this is a relatively new framework, the past four or five years. There's a MITRE ATT&CK framework for cyber security in general, and then there's also a specific one for ICS as well. You can see 12 different dimensions, or tactics, there on those headers, and then below there are over 250 techniques. This slide is actually truncated because we couldn't get it all in one slide, but you have all sorts of different entries in each one of these columns in terms of the types and impacts and methods and procedures and things like that that different attacks use. It's great because you can use this, if you have the right skilled people and are collecting the right type of data, to be able to map out different types of attacks onto the framework, so you can understand where they're coming from, what they're going after, what the impact is going to be, and things like that. Very few companies are at the level where they can do this on the IT side effectively; everyone kind of aspires to get there, and there are certainly some companies that are doing some very advanced work in this area, but having the skills, the processes, the technologies in place to be able to actually effectively use this is something that's still evolving. It's not very commonplace in the OT world, at least as of yet.

So let's talk about early threat detection and incident response. When you think of the front line, of the people who are kind of on the receiving end of these attacks, it's not the IT person; it's somebody who is sitting there running a process that's connected to OT systems. And the real question, and this comes down to training, is what happens when a blue screen of death comes up on one of their workstations? I think many of you are familiar with this. I would say Windows has gotten much, much, much better, but it certainly does still happen where you'll get one of these blue screens where the system just basically halts and resets. A lot of times it's just some sort of bug, but it's also a very common thing to happen when some sort of rootkit or other type of malware is being installed. So when you see this, what would the operator do? Would he just say, oh, this is some sort of glitch, I'm not going to worry about it? Would they wait to see what happens? Would they ask an engineer? Or would they just wait for everything to come back up and go about their daily business?

The next stage of this often looks like this, where you have some sort of ransomware-type message popping up on the workstation, and again, the response to this in the OT environment could be very different than the IT environment. They could call the engineer, they could call IT, they could start pulling things out of the wall, they could start pulling out network devices, they could call law enforcement; sometimes there's a shutdown button that they can press to discontinue the process. So this is where training comes in and is very important, because these are things that need to be contemplated and actually practiced as well. When you're doing different types of safety drills and things like that with your OT system, this is something that needs to be considered too.

If you look at the operating challenge with OT, you
just have a lot of different types of data that are being produced in these environments. Typically the OT network is smaller than the IT network in terms of number of assets and things like that; you can have a requirement area that's run by three or four hundred assets max, so you have a lot fewer devices connected to that network than, say, you do in your corporate network with your employees. But even though it's smaller, the data that's produced can still be very rich, and it's also going to look a lot different than the data on the IT side. Whereas in the IT world you're thinking of things like web access and email and things like that, OT logs just look different, because the systems that are behind those logs are different, so the rules and the capabilities you have in IT just aren't going to drop right in, even if you are able to collect the data.

This is where a lot of companies, frankly, struggle. Even if they have the IT side of the house very well figured out, on the OT side the logs look different, you have trouble finding the right resources, they may not have the cyber security and OT expertise, they may not be monitoring 24/7, and again, maybe they haven't been doing that incident response practice to really understand what would happen in the face of an attack. So this is where proactive monitoring can significantly help reduce your cyber security risk: the earlier you detect a threat, the more likely you are to reduce the impact of that threat.

So you want to be able to look for not only the IOCs. The indicators of compromise are where a lot of people start; they want to know, what should I look for with my intrusion detection device, or what should I put into my Claroty or my Nozomi or my Dragos box to actually look for these different types of attacks? In many cases there will be some IOCs, but they'll only give you part of the problem, and more advanced attacks are going to vary a lot. That's why a lot of these products I mentioned, as well as other products within the equation, also focus on TTPs as well. With TTPs you're able to not necessarily look for, hey, something's talking to this IP address or something has this signature, but you can get a feel for the overall tactics, techniques and procedures that the attacker is using, and with that, if you have the right people, you can anticipate what's going to happen next and help to support that.

Some companies do this themselves. With some of the more advanced companies we work with, they either have a very advanced security operations center where they have kind of an OT section of it, where they have the OT experts who are looking at the incoming logs and are able to analyze that in conjunction with the IT logs, or they have separate OT SOCs that they have built out, sometimes regionally, sometimes for a particular plant even. But again, they have that OT-specific capability there. A lot of customers go to managed security service providers for this; however, even if they're doing their IT in-house, we have several customers who will outsource their OT side to vendors like Honeywell and other types of vendors who are experts in the field, just because again it's so hard to find the experts, collect the data, correlate the data and know what to do with the data.

When you take a look at the potential threat indicators, again on the OT network, if you're doing your segmentation properly and you've architected your network well and you have something resembling the Purdue model outlined there, you can see that the indicators are perhaps a little bit different. You have performance degradation, which could be
an indicator and again that's something that can be very sensitive in not process you have you know a lot of situations where credentials are just maybe not managed as well as they could be and Jeffrey's talked a little bit about this in his top ten where you don't have the proper procedures in place for when somebody has been terminated and everyone's using the same username and password and it's been the same for the past five years uh you know obviously not a good situation you also have things like controller changes or other types of uh
of aspects that would be unique to OT environments you know on the it side you generally don't have a bunch of plcs controlling anything so we mentioned logging so if you just take a look here you've got you know kind of a variety of different logs that need to be understood if you look at some of the the best Sim products out there and there there are a lot of really good options there and you look at some of the statistics especially some of the cloud cloud-based ones there's one that says we can search a
trillion logs and a quarter of a second you know a trillion logs in a quarter second is is very very impressive as long as you know what you're searching for and that's where the the complications come in you may be able to pull all this data in you know until the end of the day but if you're not really sure how to match the data up and use that to find the indicators of attacks or the ttps then you know you just just have a big database of stuff that you're trying to manually go through
so you know again an OT you're going to have things like firewalls vpns and other things that are you know common in the IT world as well uh then you have things like hmis and plcs and other types of equipment that are going to generate logs similar to their it counterparts but the logs are going to look a little bit different and they're going to have slightly different fields and they're going to have different things that you can key off that you really have to understand the log in order to be able to take advantage
of so if you take a look at just this example here you have IP addresses that may be where things start and you can map those down into the actual devices and the controllers pull out things like this this packet here is modifying a uh a firmware in other types of data that you can use to kind of put together the different pieces if you have the capabilities and the skills and the people know how to do it so if we look at how things are evolving over time um if we and again everyone is
on a different point of their journey, so I'm going to go ahead and build this out here. If you're early on, maybe you've got the IT side very well buttoned up but your OT is in the process of being modernized; most people aren't going to start with really advanced data correlation, they're just not there yet. So if you're on the fundamental side, this is where you're going to be doing things like assessments, and assessments take a couple of different forms. Asset discovery is certainly a big part of that, but there's also an aspect of physically walking around and seeing where things are connected and identifying things that look strange, and a bunch of other things you can do. You have patching, you have secure remote access, things like that; these are all fundamental building blocks. Then on top of that you have the people aspect as well, so you have the awareness training, you have the policies and procedures, and simple things like backups. Oftentimes the best solution to recovering from ransomware is a current, up-to-date backup that you've actually practiced restoring in the past. So again, we consider all those to be very fundamental.

As you get into more of the recommended type of things, this is where regular automated asset discovery comes in, so you're able to pick up devices that may be showing up on the network for the first time. Sometimes they're legitimate, sometimes a contractor left some sort of device plugged in that they forgot to take with them, sometimes they're malicious. So being able to have that visibility into the changes in your network and being able to respond quickly; things like vulnerability scanning, USB security as well. You also have the beginning of the data collection, so getting the data into a SIEM type of product or a managed security service provider to be able to actually do this more advanced analytics that we spoke about. And then as you get into the advanced part, this is where things like pen testing come in, tabletop exercises, a full-blown OT SOC, either something you build yourself or something that you've outsourced to an MSSP, and being able to report on regulatory compliance. When we look at the left half there in general, most people are doing pretty well on the fundamentals, but they may not have gone all the way over to the advanced, and a lot of times that could also be tied up into an overall digitalization type of strategy and projects. So people are getting there, but they're not quite there yet.

When you think about advanced detection and response, there are a couple of key things to
consider, either if you're going to do it yourself or if you're going to outsource it to a specialist for OT managed services. A couple of different things to consider: one is the basics, so cyber security 101, having some sort of moderate skills on OT cyber security just to understand what you're looking at, what you're dealing with. From there you go into the planning and justification phase, and if this is something that you're building out, this can involve finding the physical space, getting the power pulled, getting the air conditioning put in, getting all of those other types of foundational elements there. And then you also have the people and the training and the other types of things that go to truly take advantage of the investment. From there, again, implementation and integration, so having everything stood up, having data come into it, being able to actually do something with that data, and then you go into a continuous improvement cycle as well.

If you look at it from a build versus partner type of perspective, certainly if you have the capabilities and you're able to hire the people and you're able to keep those people and have the budget to stand up everything you need, certainly build is an option. We tend to find that the inflection point on that is somewhere around ten different sites, so if you're aggregating data from two or three sites, a lot of times it doesn't make sense to build out this capability yourself; it's something that would be more cost effective using a managed security service provider. If you look at the outsource option, again, if you partner you can typically get up and running a little bit quicker here because that back-end infrastructure is already there. And then there are many customers who will use a combination of these two approaches. Maybe the IT data goes to the IT SIEM and they outsource the OT SIEM; maybe they have a follow-the-sun type of thing where they have people in the OT SIEM twelve hours of the day and they outsource it to an MSSP for the other twelve hours a day. So there are lots of different options and combinations that can also be had here for an effective strategy.

We are seeing an increase in MSSPs, and I think a key thing here is that if you are using an MSSP it's not necessarily because you can't do it in-house; it's because you have made a strategic business decision that you don't want to do it in-house. So if you think about all those challenges of the equipment and the hiring and all these other types of things, even if you could do it, you may look at it and say this is something that's going to cost me a lot more in the long run versus outsourcing it to somebody who's going to do that for me. So using an MSSP: years ago you used to look at that and say, oh, these guys can't handle cyber security themselves, they've got to outsource it. These days that's no longer the case; it's a very business-oriented decision, and some of the most advanced companies in the world have an MSSP strategy because it makes the most sense for them.

So I'll take a quick look at a case study here. This was a
company that we worked with in Spain, and they were generating about 100 million events per day in their OT environment. They didn't really have the capability of getting this into their IT SIEM; they just didn't have the capacity, and even if they were able to do that, they didn't have the people to be able to make use of the data. So they didn't have that active monitoring; they didn't have really anything other than an IDS in place. So they were looking for help on what they needed to do next. The solution here was an advanced monitoring and incident response type of solution, where data from the environment got fed into the centralized SOC, which was a managed SOC, at a very high rate. You think about 100 million events in a day, that's a lot of data that's moving back and forth, but we were able to put that in there, have outsourced experts look at it, find those needles in the haystack, find those indicators, be able to correlate the data, and then be able to give threat notifications and response guidance back to the customer.

Here is an example of a dashboard. This is a key thing: if you are going to use an MSSP, you don't want to rely on just having a report every three months of what they did. There has to be that interaction, so when something happens that MSSP knows who to call, and they have a relationship with the person on the other end of the phone and can work through the threats. But you also want to have that real-time visibility of what's going on as well. So having a dashboard that not only gives you the pretty graphs that are shown here but also the details is very important for companies, especially when there's an attack that bridges IT and OT; being able to take the OT-specific data and correlate that with the IT-specific data becomes very important, especially during forensics and incident response.

So I'll leave you with a couple of questions here at the end, in terms of what to worry about when it comes to these types of challenges. One is the ability to find that needle in the haystack: can you bring in all the logs, can you correlate them properly, do you understand them well enough to understand what a normal log looks like versus an attack? Do you have the capabilities to perform that detection and response in-house? Do you have the OT capabilities on top of that? Are you able to do it 24/7? And have you tested it? The testing is really important. An old joke is that when you go do an incident response and you say, hey, do you guys have an incident response plan, they point to a dusty binder that's been on the bookshelf since 1999. That's generally not a very good incident response plan. So if you really have a proper process in place here, it's something you're testing at least on a quarterly basis, making sure roles and responsibilities are well known, making sure who does what is well known, and making sure that you actually can do this in a controlled environment, so that when the real thing happens you're that much more ready. So with that, with 24 seconds to spare, I appreciate it, and I think we're going to move on to the panel discussion.

[Applause]

Thank you very much, Mr Griswold. We're now going to be moving on to our next segment of today's program, which is our panel discussion. Ladies and gentlemen, we encourage you to use the Slido function today to ask our panel any questions; feel free to scan the QR code and be part of today's conversation, whether you're in the room with us physically or whether you are joining us virtually. For attendees in the room as well, we're going to be having mics, so
feel free to approach the mics and ask our panel any question that you desire. Without further ado, please join me in welcoming our moderator for today, Mr Andre Shori, the Chief Information Security Officer, APAC, Schneider Electric. Mr Shori, please. Also joining us on the panel, Mr Jeffrey Blake, Global Head of Solutions Engineering, Nozomi Networks. Mr Blake, please. Mr Michael Lagana, Principal Solution Engineer, APJ, Claroty. And I'd like to welcome Mr Paul Griswold back on stage, Chief Product Officer for Cyber Security, Honeywell.

[Applause]

Mr Shori, the stage is all yours.

Thank you, Charmaine, and a special thank you as well to CSA for once again hosting an amazing cyber security week. It's through dialogues and open discussion like this that we really help to advance our profession and discipline. Let me just do a quick recap of the panelists up here with me; I did a little bit of background research on each of them. So starting with Paul, I found out that Paul is based in Atlanta, where of course he's responsible for Honeywell's cyber security software, managed services and consulting services portfolios. I also found out that Paul's career spans almost 30 years, beginning in 1995. He has an MBA and is a computer science graduate from the prestigious Georgia Institute of Technology. And of course Honeywell, Paul's employer, is also a global manufacturer of industrial OT and IoT systems, and Paul is responsible for the security of all of those. So welcome, Paul, thank you for being here. Paul, you've been with Honeywell as their Chief Product Security Officer for the past two years, and before that I dug out that you were also at IBM as an executive director for almost a decade, focusing on their threat intelligence and intrusion protection systems. So how has your threat intelligence background aided you, and what insights can you share on threat intelligence and intrusion protection in the OT cyber security world?

First of all, I want to challenge you on the 30 years, but I think you're actually right, so we'll move on from that. With the threat intelligence: I came over to Honeywell at the beginning of January 2020. I knew that OT cyber security was going to be different than IT cyber security; it was even more different than I expected. And when you look at it from the lens of threat intelligence, on the IT side the threat intelligence is, I would say, pretty rich. You have some pretty good firms out there that are doing research and have some good ideas of who the actors are. I think there's a lot of opportunity on the OT side to expand that, and certainly there are companies that are doing that; the people on the panel here have some very good research in that area. But I think that OT still is not quite as rich as IT, so I think that's a great opportunity.

Okay, and do you think that with increased threat intelligence and open knowledge sharing, threat intelligence exchange as well, that will actually improve our cyber security posture in the OT world, potentially beyond IT?

Yeah, so that's a great question. The sharing component especially: when you look at attackers, if you've ever been on the dark web or some of these message boards, there are people sharing stuff all the time. We've made great strides there, especially with ISACs. ISACs are intelligence sharing communities that are often dedicated to certain industries, so you'll have an ISAC that's specifically for oil and gas, you'll have one for electric power, and things like that. That is certainly something that has evolved over the past few years, and I think once we get to the point as practitioners and defenders where we're as comfortable sharing information as attackers are, that'll be a very good
day.

Fantastic. I'd also like to welcome Michael Lagana to this panel discussion and OT cyber security conversation. Michael of course hails to us from Claroty, where he's their Asia Pacific principal solutions engineer. With over 20 years' experience in engineering, Michael is on the front lines of customer cyber security risks and challenges within industrial and critical infrastructure organizations every day. I'm really glad to have him on today's panel as well. So Michael, you work with a broad range of customers out there and you help design practical solutions to help them gain better insights and visibility into their OT environments; in other words, you're in the trenches with them every day, helping them to defend themselves. So what's the reality on the ground for most organizations? What are some of the biggest challenges that organizations face in improving their OT cyber capabilities, and maybe you can share with us some of the success stories, or maybe even some of the pain points they might have, from your experiences?

Yeah, thanks. So working directly with customers is a privilege that we have, because we get to see those challenges firsthand most of the time. If you look at Gartner, they will tell us that the majority of our customers are in an awareness phase of cyber security for OT. What that means is basically that more than half of you out there are just looking at OT cyber security as an awareness piece; you're not in the phase of your journey to be able to execute on a program that you're looking to build. The remaining, I think it's around 30 to 35 percent, are in a visibility phase, which means that only really leaves 10 percent of our organizations in the field that are at a point where they can actually execute and extract maximum value from some of the solutions that Paul was talking about: deep analytics, executing on programs, building playbooks, and all of these effective mechanisms that help you address the actual problem you're trying to solve.

So the biggest challenge we find when we start talking to these customers is they say, "I don't know what I have, so I don't know what to protect." So it's very important that when we're talking to customers we understand where they are on their OT cyber security journey, because if we don't, and we start offering solutions and playbooks and services to the customer that they're not in a maturity state to receive and consume, then the tools that we're offering and the services we provide are ineffective and they're very hard to deliver. So when we take a step back and really understand where the customer is on their journey, we can then target our focus onto what exactly is going to work for you today. You will have a plan that says you want to execute X up to this point, maybe in six months, and then you've got a one-year plan and potentially a three-year plan. So ensuring that we understand where you are along your journey enables us as OT vendors to help you secure your environments, to offer you the right solutions and the right technologies that are going to address the problems you have today, and give you the ability to address the problems you want to be able to achieve in three years' time or next year.

And just going back to being in the trenches and helping customers on their journey, any insights to share in terms of maybe a particular segment that's a little bit more mature, or are there other segments you see that really need to up their game?

Yeah, especially in our region in Asia Pacific we're seeing a lot of mining and power gen utilities that are relatively mature in their journey. They'll
have a SOC; they may not have a dedicated OT SOC, as Paul mentioned, but they will definitely have an IT SOC, and they're looking to bring that convergence, the IT/OT SOC, together. One of the biggest challenges I think that we have is there's a lot of difficulty on the customer side to get buy-in from the security level, so the IT/OT security level, where really the CISOs and the business are pushing for some sort of resolution or some solutions to a problem, down into the actual weeds, back onto the actual plant itself. And so what we're finding is even once we're providing some capability and some solutions to these organizations, there's a disconnect between the SOC, let's say the higher-level security, and the actual operations. As we've talked about and identified earlier today, it's critical that we don't stop operations. A security incident in OT needs to come back down to the plant or the site that it's applicable to, and there needs to be collaboration, there needs to be context as to what has happened, so that when we make decisions on how we resolve or mitigate or put in compensating controls for the future, we're doing something that's going to be effective. So we often see there's a huge gap between what the IT side, the CISO, the business is looking to achieve, and fundamentally the gap back right down to the specific site and operations teams that are actually supporting those systems.

Thanks, Michael. Now I'd like to turn to Jeffrey, our keynote speaker from today. Jeff, of course, you're the Global Head of Sales Engineering at Nozomi Networks, with over 25 years of sales engineering experience, including 13 years at Splunk, which is quite impressive. I also found that you're licensed by the U.S. Department of Homeland Security on Industrial Control Systems, which is very impressive. Jeff, I also believe that you and Paul know each other fairly well; you've also presented together, the last one being at the Honeywell Users Group in Orlando in May, right? So it's great that you guys can tour the world together, it's brilliant. You also addressed some of the prominent emerging challenges in the OT cyber security space at that conference. Would you mind sharing with the audience today, in your opinion, what are some of the top emerging challenges for OT cyber security, and why are they your top choices?

Yeah, you could spend the whole conference talking about that. I think the biggest challenges are the dynamics and the way that the attacks are manifesting, and the nation-states that are delivering on them, and the huge amount of resources that are behind those forces, to make them become the challenges that are almost insurmountable for people on the defense. Paul talked a bit about how we would aggregate our resources for that. I don't know where to start with this, but I'll let some of the other guys chime in.

Before we go to the other guys, you mentioned nation-states, which is very interesting. So have we actually
seen any evidence, or strong indicators, that some of these attacks are really nations? Because it seems like most of the attacks are financially motivated, right? They're trying to ransomware you, they're trying to disrupt your operations, because they know that every second is costing you thousands of dollars. But a nation-state really takes that to a whole different level, so maybe you can expand on that a little bit.

Yeah, I think there was sort of a continuum that developed over the last decade or so, and where you were mentioning ransomware and a lot of the very specific takes on theft and fraud and things, those are, I think we've learned over time, and you guys can support me if this is correct or not, but I think those are much more aligned with criminal activity and not so much with the nation-state. I think the nation-state programs that are really pushing hard are those that are doing massive disruption, like the elections that we've had, the recent elections in the U.S. and in other countries, and much more campaign-level disruption, I think, would be a good way to put that.

I mean, I think when you look at the difference between, say, cyber criminals versus nation-state: cyber criminals deploy ransomware, they make money off of it, they make a living off of it. Some of them actually have pretty nice offices where people go in and work, but it's truly a way of financing a criminal enterprise. The nation-state stuff I think is a lot more scary, because a lot of times vulnerabilities will be discovered and just put in your back pocket and saved for later, when they might be needed as part of an overall warfare type of campaign.

Right, I think we've seen a little bit of that in Eastern Europe this year, where campaigns are actively launched that were planted years ago, which was very interesting. It's been reported.

Yeah, it's a great point, and one of the scary things about nation-state is it's very targeted, so maybe that's to a degree a positive for us. We might know when there's a conflict, like the conflict we have at the moment in Europe, where both sides, I guess, will be on high alert and will be looking for these attacks to be coming through. What we're still seeing a lot of, though, is a lot of threat bleed from IT coming through with the new IT/OT convergence that's coming through the digitization of all of our assets, Industry 4.0, Extended IoT, which really just brings connectivity right down to the lower levels of the Purdue stack that Jeff was talking about. And so one of the most common detections we're seeing, especially in Australia and New Zealand, is ransomware, and it's bled through from IT breaches. So having that visibility of the ingress and egress between that connectivity of OT and IT is really going to help us to curtail some of those big ransomware attacks that are happening. And like you say, they're there to make money; that's all they're there for.

Yeah, just to add to that, I think the Colonial Pipeline example, from, it was earlier this year, maybe it's late last year; I live in the southeastern part of the U.S., so we were one of the states where it took a while for us to get gas, for about a week or so. If you read the information that's been published on that attack, they didn't actually get to the OT systems, but they got to the billing system. So rather than attack the process itself, you attack how you get paid for the process, and again, if you're a criminal organization, that's just as effective; you're probably going to get your money that way.

There are a lot more vulnerabilities at that IT level than there are potentially down at a segmented, isolated OT-level network, so they'll target their attacks to where they know they've got a higher chance of getting in, and then potentially sit there for a while, like an APT attack, and then when the time is right, sort of... and we've seen that.

Yeah, IT vulnerabilities are enormous and represent a huge surface, but to your point, Paul, with Colonial, whoever the attackers were, mission
accomplished, because even though they didn't get to the OT side, management made the decision to shut down the OT side as a retroactive act to protect that side of the network. And so even without a breach, they were able to cause massive disruption, and a cold winter for Paul.

But that's an interesting statement that you made. On the surface, and I agree with you, on the surface the IT side definitely appears to have more vulnerabilities than the OT side. But also thinking about patching cycles and getting that once-a-year maintenance window if you're lucky, do you think it's maybe more, or could it potentially be more, that attackers are finding it just easier because the vulnerabilities are really on the perimeter, on the IT side, and in OT you've got to breach the perimeter to get into that soft, chewy middle bit? But maybe there might be even more vulnerabilities because you haven't patched in two or three years.

I can start with that one. I think you're right; when you look at the attack surface on the IT side, it's much broader, right? But at the same time, you probably have a higher likelihood of having fewer vulnerabilities just because you're able to apply patches more. I think when we look at the OT side, some of the most basic hygiene can really go a long way. So, like Jeff, you talked about doing zero trust and zoning and things like that: if you have very specific rules on what can talk to what, that's generally pretty effective; if you're doing the identity and access control, that's generally pretty effective. So you're right, I think once you get in there, there's probably a field day of vulnerabilities that have been out there for two or three years, but I also think you have a better opportunity to prevent that access from happening in the first place.

Thank you. I think the business of cyber in IT is much more mature than it is in OT. You can count the number of vendors that supply IT products versus the ones that supply OT cyber products, and what probably correlates heavily with that is the number of criminal enterprises that automate hacking and facilitate breaching on the IT side. So anybody can get on the internet and buy threats as a service or any number of toolkits to get into the IT side, where I don't think we've matured to that level, that there's enough of that content out there on the OT side.

Yeah, I agree with that, and I think one of the key points is, even excluding our IT assets being on the boundary or above OT, we're seeing a lot more traditional IT assets in IT roles inside the operations network, and that again is a difference between OT and ICS. So we have IT-based assets now, in today's day and age, controlling and managing ICS, and those assets inherently bring extra risk, and the attackers know that Windows will have vulnerabilities, for example. So what we need to be looking to address is where those assets reside: gain visibility of those assets, understand their risk posture, and then either patch where we can, and we know we can't patch right down to the lower levels of assets in ICS because of their legacy systems and for many other reasons, but patch where we can, and put in segmentation and compensating controls for the vulnerabilities that we cannot patch. And I guess that's somewhere where we can really enhance, and it's not trivial, but at the same time it's not overly complicated, because we have a very good understanding of our IT systems and our vulnerabilities on the IT network, and we can sort of transition that down and cover more of our assets lower down the Purdue model.

Thank you. Paul, I was watching your presentation earlier and you touched on many interesting things to bear in mind when rolling out OT cyber security. But I also noted that we often divide cyber security into, I think most practitioners in the room just divide cyber security into, two
major segments, IT and OT, right? But you mentioned that ICS is not OT, right? There is a differentiation. So I suspect many of the audience would like a little bit more clarification on how you define OT versus ICS. Who could help expand on that, just so that there's alignment and a better, deeper understanding? I think actually, from your presentation, Jeff, would you want to...

I'd be happy to. So my definition of OT is the superset of anything that would be part of a network, which would include ICS as a subset. So industrial control systems, SCADA networks, all of the industrial assets, I would classify those as part of the ICS component. The superset includes all of the switch-level networks and potentially any of the equipment that would represent the DMZ and on into the IT; that's what I would define as the OT network, sort of the superset.

Okay, and actually on the heels of that, I'm just wondering, is there any kind of framework or metrics or matrix that maybe has different systems and different classifications, and then maybe different protection or defense mechanisms that you should focus on, different priorities? Is that kind of mechanism out there yet?

I don't think down to that level. From what we've seen, we can definitely understand the asset from the Purdue level; the Purdue level gives us an ability to represent an asset and how it resides in the whole OT network based on its function in the physical process. So from that we can then understand, because of the role that it has and the actions that it takes on the physical network, what to do to protect it. So for example, in part of a question we have coming up later on, if we've got an asset that is a sensor or an actuator or a pump, which is a physical device on the plant, on the site, it may not have an IP address, so there's no point trying to put in system segmentation work on a device that is non-IP based. So we do have that knowledge today: we can classify those assets in that way, and then from there we can build the appropriate controls to try and secure them as best as we can. Things like ensuring that those devices, when they're shipped and when they're deployed, are not just using default passwords, they're not using clear-text passwords; these are the small steps we can take right down to that level, knowing the type of device it is, exactly what's going to protect us from day one with very minimal effort. And for example, default passwords is a big one for ICS devices at level zero, level one, right?

I think the question of frameworks is a good one. When we look at our customer sites, you'll find some similarities, but everyone is almost a snowflake, right? Every site's doing something slightly different, so it's going to have some unique characteristics. I think the Purdue model is a great way of looking at where you put in your segmentation, where you limit traffic, and things like that. The other two frameworks that we typically will use are the MITRE ATT&CK framework for ICS, which is a great one when you're actually doing a detection and response type of thing, and from a strategy perspective we often will use the NIST Cybersecurity Framework, a pretty well-known framework. If you look at it, it's very simplistic, to the point where it's beautiful in that you can get it to apply to an IT and an OT network equally well. So when you look at the
identify protect the tech respond and recover you're gonna have some slight differences on the OT side but they all fit into those categories pretty well so it could be very helpful for for helping customers understand exactly what control goes to what problem they're trying to solve I'll I'll pile on to the NIS uh framework that's that's probably the most widely embraced at least in the U.S it is a U.S standard but as far as a global standard I don't think there's anything out there our most mature customers of ours um that they're refining a model
that looks you've got an asset inventory and then you've got a list of potential vulnerabilities against all those and that's really sort of the Holy Grail is merging those two so that in real time you can you can see what you're uh you know your risk exposure really looks like okay all right thanks Jeff um you know I like to open up and uh to the questions to the audience and there's a few Mike's microphones set up in the room please feel free put up your hand and jump up um you know we've been satisfying
my career curiosity this whole time I really like to encourage the audience to reach out and and pop some questions out and satisfy your curiosity today and also take a look at the online questions but if anyone in the room might have something that was on their mind that they'd like to ask about OT cyber security if not let me go to the questions on slido so up first uh David Ong is asking a question and I'm not sure if it's queuing up but it's about more with more countries mandating data Cloud to be localized
due to data and privacy protection laws how can OT socks or managed service providers circumvent this challenge if manage OT assets are spread across borders with that one this is I'm chuckling because this is an acute problem when you when you look at the regulations and it truly is almost a country by country type of analysis that we have to do you know and in some cases if you look closely at the regulation it has to do with data residency but the people analyzing the data can be remote another case is the data the people
everything has to be localized into that country so there's not a one-size-fits-all answer on on this one unfortunately I mean it truly is is country by country and the way we look at it at is Honeywell is is it really depends on demand and business case so you know whereas it may be very easy to justify setting up a a sock in one area of the world because there are lots and lots of potential customers there um you know in a smaller country that has very strict data regulations we're probably more likely to partner with
somebody locally to provide that service I think I'll add to that in uh I guess you can also and there are gpdr in Australia New Zealand for example there's verb regulations with foreign investment review board which mandates data on within country and also people within country uh I guess from uh man a high level management of your overall business which as we say can be definitely Global and we work with many customers that don't just have sites in Australia have some sites in Australia and then the majority are spread across southeast Asia and even some
in Europe what that means is when we're monitoring those systems for those customers we need to securely give them access to the metadata in the cloud potentially if it's if it's required by them and also meet these exact regulations if it's an mssp um it falls on the mssp if it falls on the OT vendor as a SAS offering which we have it'll be in country so if we're pushing out monitoring capabilities to an organization that has sites globally then the data within each of those GEOS will stay in that Geo from a visibility point
of view Jeff did you want to weigh in on that as well I don't think I could add much more than what Michael said but uh I I have never run across a customer that really wanted uh detail level data from one region to be merged with another region it's it's it's it's it's pretty well defined by country as Paul points out um I think the bigger challenges is is getting uh cloud-based services in in some regions of the world where it just now today does not exist and the and the resistance to uh embracing
uh the infrastructures that are out there today are are uh are challenged yep I absolutely agree in fact um I was just about to raise a point about Cloud as well um definitely with more more analytics happening happening and centralized management happening as well um I think that cloud enabled Services may also be the direction in the future for a lot of OT cyber security system or OT networks rather and so so how do you imagine we're going to be able to to Really effectively protect that because now you're you're really seeing the OT and
it system becoming you know essentially a single organism so and we all know about all the club reaches I mean there was a recent one Michael as you're aware in in Australia with Optus which is cloud related as well right um isn't that really a a step that has to be taken very very carefully or are companies just rushing to embrace Cloud a little bit too quickly no no one's rushing uh the customers that I have that that are uh tentative about it are not rushing and I I think to to Michael's point the big
piece to emphasize is uh you can manage a widespread you know multi-region area uh by by using the metadata so it's a matter of awareness it's a matter of educating uh people that that we're not exporting data out of the borders we're not taking critical data or personal data out of country um we're sending up uh metadata to help manage and and to help help defend in terms of uh in terms of it that way a couple of thoughts on that particular so if you look in the IT world zit world's generally ahead of the
OT world I mean I can remember in my previous role speaking with the CSO of a major airline and you know two years prior to this conversation she had said we're never moving to the cloud ever it's just a corporate decision we're never moving in cloud two years later she's like we're moving everything to the cloud and you know really what the inflection point was the cost and the the capabilities so it was cheaper to put things in the cloud and you got better capabilities faster capabilities that solve your problem in a more efficient manner
So on the OT side, I think that we'll get there, and I think the difference between people who would be earlier adopters versus maybe later on has to do with whether or not the process that they're supporting is a revenue generator or a cost. So, I'll just make up an example here: if you look at, for instance, a connected car, that's probably going to be cloud first, and connected cars are driving the revenue of automotive manufacturers, so they're probably more likely to move to the cloud there because you're moving so quickly and you're generating revenue off of that. If you look at maybe some older types of manufacturing, where it's really more of an optimization type of mode, they're probably not going to be as likely to move to the cloud anytime soon, just because they won't get the benefit from it.

Yeah, I 100% agree, and it's one of the challenges we've seen in the last 18 months to two years: we've had exactly that same thing; there's a lot of hesitancy in OT to move to cloud, fully understandable. But then we've seen a transition, to see more and more organizations being open to discussing cloud. It's not a matter of... we shouldn't be asking the question to the customers about "are you open to cloud"; we should be asking the questions around, again, where are you on your journey? Do you have scope to run a system that's going to take all the complexity away from you and put it back onto the service provider, put it back onto the OT vendor, to say, well, we will take care of all of that for you and we'll offer it to you as a service? Which is what we're starting to do now with our customers across this region and globally at Claroty. So I don't think it's an effective method to talk to customers about "do you support cloud or not", because there will be varying different systems that will leverage cloud and things that will not leverage cloud. It's more about where are you on your journey, and does it fit into your current journey, and if it does, when are you looking to achieve that, and we can help you with that.

Yeah, I think there's probably different layers too. For instance, if I look at the products that I've planned for our portfolio, there's not one single thing that will be only cloud. So there'll always be an on-prem type of option, an on-prem sensor or what have you, to be able to collect data. Now, there could be options where, if you want certain capabilities, you really need to have the cloud version, but for OT, I don't think we're going to be in a situation where it's all cloud all the time, I would assume.

Interesting. And I think it has a little bit to do with which particular segment of OT we're talking about as well. So I was thinking, while you were speaking, about BMS systems, for example, right? A lot of that analytics about when's the optimal time to replace an air filter is something that maybe can be sent, and there's also that economy of scale as well, because you need to compare that data with something else, right? It's not just about when's the best time in that particular building to replace an air filter, but when's the best time across all the buildings in a particular country or a particular region to replace the air filter. That data is also relevant in terms of the intelligent decision making, right? So I think that has a lot to do with it. But definitely secure systems where uptime becomes... production, industrial control, industrial automation systems, for example, I would absolutely agree.

Yeah, I might add: BMS systems are large scale, right, massive scale, and for cloud, operational efficiency for these types of devices is critical. It's almost as important as the security itself, because if the device falls over because it needs to be upgraded and we've missed that life cycle management, we've got a big problem when it comes to BMS. Take Marina Bay Sands, for example; it's massive, right? The amount of IoT devices that would be connected around this building would be astronomical. So having a cloud service that would be able to effectively manage not only the security of those devices but also the operational efficiency of those devices and the life cycle management gives you kind of a different approach to protect that asset as well, outside of cyber. So the cloud really has some additional capabilities that you may not have with an on-prem solution, for example.

Actually, a really interesting point too is, if you think of BMSs in predictive maintenance types of use cases, or even manufacturing, I think there certainly is the opportunity for cyber type of guidance to come in with maintenance type of guidance. So if you think about a package sorter, those things have conveyor belts on them that just go out, so the conveyor belt may need a 30-minute downtime for all the things to be replaced. You can imagine systems in the future will be able to say: during that 30 minutes, you should apply these two patches, because they're going to give you the most bang for your buck, solve your most pressing vulnerabilities, and just kind of combine the workflows for the two.

Fantastic. We have a question from the floor: do you think it's worth the effort going into level zero or one of, I'm assuming, the Purdue model, for non-IP device monitoring, after implementing solutions like Claroty and Nozomi? So I guess that's going to be directed at you guys first, but we'll weigh in on the Purdue model later. You kind of touched on that already, Michael.

Okay. Philosophically, as much data as you can get to help represent what might be an anomaly or any sort of negative impact to your operations, I think that's key. How you do that at that level is probably running into some device dependencies and things like that, but... do you have more to add?

I totally agree. I guess, to answer the question directly, it's yes, 100% it's worth going down to that level. Those assets are important, if not the most important devices in the ICS network, period, mainly because they are directly affecting the physical process. So having visibility of those assets, again, sets that foundation for you to build further programs of security. Without that visibility, how do you protect those assets, whether they're IP based or not? So 100%, I think it's worth going down to that level, and we have ways to get down there, so that's no problem.

And another question from the floor, just bookending what you just said, Michael: with the increase in smart IoT sensors, so again towards that visibility, using OT installations, what are some of the challenges and takeaways in terms of controlling and monitoring such sensors against attacks? That's open to anyone.

Yeah, briefly first. So from a smart sensor or IoT sensor device point of view, challenge and takeaway: it's understanding the profile of the device. The challenge is understanding its normal operating behavior. Once we know that, and once we have solutions in place like ours, OT monitoring and IoT monitoring in place, we can baseline, we can build compliance frameworks for the communication behavior, and we can measure that 24/7. Any deviation from that, we can then start triggering alerts, we can generate tracking so we can visualize what traffic is deviating, for example, for one of these sensors, and then we can even take it to the next step. Again, thinking about that journey on where the customer is, if you're up to level four of your journey and you want to start doing blocking of traffic, you can then take that intelligence and feed it into your firewalls and start actioning security on those IoT sensors.

I guess, yeah, I'll just give a personal example, and you can kind of contrast it to a building like this. In my house, it's just me and my wife, we don't have any kids, and we have 80 devices with IP addresses on it. If you look at home automation and smart TVs and tablets and Apple TVs and all the other things, it's pretty quick to get up to 80, and if you multiply that by, say, a door sensor on every door in this building, you're easily into the thousands, if not tens or hundreds of thousands. So I think one of the interesting things about IoT devices in particular is just the sheer number of them and the amount of data that they produce. So, back to the previous point we talked about, about what's going to kind of be a tipping point to move to cloud, I think that is going to be one, because as you have more and more of these things deployed, it's just going to be a lot harder for you to have an on-prem solution to manage them all. The other thing I'll mention about this is that when you look at these devices, obviously you're not going to put an agent on them; it's really network monitoring that you're going to be able to do, and hopefully you're able to do that on clear text traffic sometimes, but especially more advanced devices use encrypted traffic, so you've got to use special approaches on that. But a common approach on this is just doing simple password rotation, where you're not just putting in the default password; that's kind of like step one, but step two is having an automated procedure in place where you are changing out the password every 30 days with some sort of identity management capability.

I think this represents an enormous challenge for organizations. I'll piggyback off a couple of things you both said: definitely the size and the scope. I mean, if you're talking about a factory floor, the OT guys know there's a finite number of assets; they know exactly where everything is, nothing is moving around per se, and it's complicated to manage, but it's very, very well bounded in terms of the finiteness of it. To Paul's point, we do a lot of smart cities work, with those kinds of operations, and there's an infinite number of connections that could be made, and planning for a very high number of unknown things is a huge challenge, not just from a capacity perspective but also from a security perspective. And so those are troubling in terms of how do we approach this. I think that's very different for the OT folks to manage, and because a lot of these protocols are IP based with IoT, and because it's cloud, to your point, Paul, a lot of that management's going onto the IT security folks, and they're not prepared for it either. So who's going to own it, and who's going to really embrace this? These are big things to think about.

And a very interesting point raised as well in terms of home ownership and all the IoT that's coming into our homes. I know this is a little bit outside of industrial OT systems, but I think that when it comes to cyber security and why we do cyber security, it's important for people to understand what's the personal impact, right? How does this impact you? If a factory goes down and the widget that you want to buy is delayed for two months, that's an inconvenience, but if an attacker's in your house, that's a very, very different story, I think, right? So do you think that there might actually be an opportunity, or perhaps a need, and again this is being proactive, but a need to actually start thinking about how to protect commercial or private IoT networks? Because essentially you have an IoT network in your house nowadays, right? I mean, your phone's an IoT device.
So you've had it for years, and most people don't realize that. But when you think about the average home router, right there right now, it just does stateful traffic, very basic filtration and things like that; it doesn't understand OT protocols in any shape or sense and has no ability to really do anything with that smart light bulb. So what are maybe some of the things that are needed, or what can owners do today, or what can we do tomorrow?

So I can comment on that a little bit in terms of what I do with my own house. It kind of goes back to the basics: using VLANs so things can't talk to each other, they can't get out to the internet except under very certain configurations. But I've been in technology for 30 years, so I know how to do this. If you look at someone like my mom, she's not going to know how to do that. So I think there's an opportunity, and in terms of who's going to address that opportunity, I think it will be kind of the home security system type of people, and even maybe some of the other people providing services like internet and things like that, and it'll essentially be a managed service. It won't be a managed service like we think of it in the industrial world, but I definitely think that there is a gap there, and if you look at some of the kind of more scary stories about people finding just open cameras with default passwords on Shodan and using it to see what's going on in, like, a baby's room, there are many, many instances of that out there. So I think it definitely is an opportunity for somebody.

David Ong submitted a question. He asked: some argue that regulation encourages asset owners to do the minimum to comply, whereas without regulations, are there incentives to do better, due to the mutual interests in protecting assets, preventing disruption and protecting reputation? What are your thoughts on that? Would you agree or disagree? I think David's asking, should we have more incentives?

Incentives are always good, sure. I'm not exactly sure how we would start with that, but to address the first part of the statement: compliance does drive a lot of organizations to shoot for the minimum bar and stay there. But I can also point to, and you guys can back me up, I think our most mature organizations are the ones that have heavy regulations and have imposed a lot of compliance by industry, and that's really lifted all... the rising tide lifts all boats kind of concept. I think that's my experience.

Yeah, I'd agree with that. I mean, I think there's obviously a difference between being compliant and being secure. Jeffrey and I were actually just talking before this: I once had a cyber security host-based product that I used to manage, and we were pulling the product from the market, and we went to a customer and we said, this isn't going to be updated anymore, and they said, I don't care. I said, why don't you care? And they said, we just need to have it on. If it's on, we're compliant. It doesn't need to be up to date, it doesn't need to be looking for anything, but if we have it installed and on, then we're complying; we don't have to worry about it. So I think you're right. I mean, I think there is certainly a bare minimum when it comes to compliance that you can do, and maybe raise your cyber security posture up a bit, and some things have more teeth than others, but ultimately I don't think you can rely on just being compliant to say, yes, I'm also secure.

Yeah, I'll add also to that. In terms of regulation, it's a great point that's raised. We do see a lot of evidence of organizations trying to tick boxes, but ultimately, at the end of the day, there's two things that are happening. The first thing is, their underlying interest and incentive to protect their assets in the first instance should still be the same whether there's regulation or not. The second thing I'd say is that, especially in Australia and New Zealand, we're seeing the government enforcing more compliance and regulation that has, how would I describe it, some sort of responsibility for you to address, and if you don't address it and you get audited, then you do not comply even though you have ticked the box. So I think governments are starting, especially in Australia, and this is where the security has really taken a big step forward in the last 12 to 18 months, specifically when the SOCI Act came out: people were ticking boxes, so now they've sort of steered the regulation in a way to start saying, we need mandatory risk management systems put in place that are documented, and you need to show evidence that you have them. So I guess it takes away that... you're not just ticking a box anymore; you actually do have to have regulation and evidence. So I think more and more governments will probably end up doing that, to encourage organizations to go the whole mile.

And of course, keeping in mind that compliance with regulators is the minimum cyber security that you need to do. So I think if you have a mature cyber security program, or you do have a serious approach to cyber security, you should be ticking those boxes automatically anyway and going beyond that, right?

I agree with that. If you're a critical infrastructure organization, you are mandated; you are providing a critical service to the community, so you must comply. There's no option, really. If you fall in that vertical, in those verticals, sorry, within critical infrastructure, you must comply. It's the regulation.

Again, I would encourage anyone in the audience: please grab a microphone, throw the questions up there, or Slido as well is available to you. A couple of questions back from me. Thinking about people, process and technology, where would you invest? Where would you invest, thinking about OT systems, OT networks or OT infrastructure, smart factories? How would you prioritize those three? I won't say which one would you only throw money in, because you need all three, but how would you prioritize?

It's always people. Uninformed, unaware staff are your biggest vulnerability; I don't care what else you've invested in. That has to be the top priority, and then just general awareness, how the operations align with security, and as you mature, making sure that the training, the awareness, that that program is highest and rolled out as a function of the improvement.

I'd agree 100% with that. I mean, I think process and technology are driven by people. So ultimately, you can have the latest gadgets and things like that in there, but if you don't have the people in there to tune them and make them make sense, and the process to do something when they actually turn something up, then you're not going to get very far.

Yeah, I would also 100% agree with that, except I would also say one of the key things that can help us understand the types of processes we should be implementing and the types of people we need is visibility. So we have a full understanding and the complete picture of our OT environment; now we know what we need to do and who we need to do it. So whilst people and process, I think, are the two most important pieces, I don't know if then technology maybe should come in front, just for that awareness phase, just for that visibility phase, to say: right, now we know where we stand, now we can implement the right people and the right processes because we have the visibility.

And just to add on to all the excellent comments today, I think, as I see it myself, when resource becomes a constraint, when you don't have the people and you don't have the time to wait for the people to develop and have that talent pipeline, then you're back to technology. So you end up throwing, investing money in technology, only to realize that you still need people to operate it.

Exactly. So it's a little bit of a cycle.

Yeah, it is.

Okay. I wanted to touch on zero trust, and I hope we can do this quickly because I also have another question about just looking forward to the future. But what do you see the role of zero trust playing in the OT network? I know it's been bandied around, and it's so hard to roll out zero trust in the IT world as it is, and this is beyond segmentation, of course; this is really about authentication between devices. But do you really think that zero trust is the right direction to go, and do these devices really need to authenticate against each other? I mean, in the OT environment, how many devices really do talk to each other, leaving aside IoT for now, which is the sensor network on top of that, but really your production lines, your building control systems?

Good, so I can start with that one. So if you look at the life cycle of OT environments, especially something like oil and gas, you're talking 20, 30 years between refreshes. So during a refresh, absolutely, you should be looking at a secure network design that includes zero trust principles to the extent that the device is supported. That's a very good point: even if you're doing a refresh, it doesn't mean that the devices that you're refreshing with are brand new. Oftentimes it could be older technology that you rely on, and it just doesn't support zero trust. But I think it is something that you should do when you are able to. I would not advocate taking something that's 10 years into its 20-year life cycle and ripping it out just to put in zero trust, but I do think it's a part of a fundamental building block on a new type of system being deployed.

Yeah, I think zero trust as a principle is a great principle. The reality of zero trust in ICS is not trivial; it's not as easy as we would like to hope it is, and it's not as easy to deploy. However, that doesn't mean there's no place for it. It's definitely something we should be focusing on, and there are parts of our ICS and our OT environments where we can 100% effectively employ a zero trust principle, a sector, a segment, but there's a time and a place for it, and the biggest challenge we have is where we can implement zero trust. And that's what we're finding with our customers: a lot of them are saying, yes, we understand the principle of zero trust; in reality it can't happen in my environment. So we as OT security vendors need to revisit that and really understand how we can do more in that space. We are doing some good stuff, especially around remote access and stuff like that with zero trust, but we can do way more, and we need to work on that, I think, for the future.

I guess, yeah, agree 100%. As a principle, as an architectural design principle, it's great. If you're talking to a vendor about zero trust, it means there's a new version of their product they want you to buy, and there's probably a dozen things, like I said at the beginning of my talk, that you can do that are going to make your environment much more robust before you start getting into the next new thing.

I think that was zero trust as well. Very often we think about confidentiality and integrity, right, and availability kind of comes in at the end, whereas in the OT system it's the opposite; it's backwards, availability is number one. So if your device doesn't authenticate to the next device down the line and talk to it, what does that do to your availability, right? So that is a big challenge.

Yeah, it's hard to get right.

Yep, absolutely. Let's see, I'm holding the future question. Well, you know what, I'm just going to throw it out right now. So in your opinion, what do you imagine might be the next big technological development of OT and IoT cyber security? And again, feel free to use your imagination. What do you think you would like to see as a real technological development that's really going to be useful in this space?

That's a very tricky question.

No right or wrong answers, you know this.

Yeah, I think it's not new, but I think one of the things that may give us that step forward, in next gen, is SaaS; it's cloud. How do we do more in the cloud for OT, to give organizations more effective ways to manage their OT cyber security concerns? We've got amazing technologies out there today that can go really deep; we can dissect protocols until there are no packets left on the wire. But at the end of the day, we're always finding new ways to gain visibility, we're always finding new ways to integrate with the existing tech stacks that organizations already have, and that's key, and that's where we're investing a lot of time. But I think maybe SaaS, there's something in SaaS in the future that might be able to take us to that next level, maybe.

Interesting.

I agree. I think Michael and I are in the same boat. You can track innovations in OT sort of as a laggard from some of the innovations that you see in IT software, enterprise products, and the adoption of new technologies, whether it's blockchain or machine learning, AI. You're going to see a lot of those things mature in other areas and then make their way into OT. But I agree that cloud is probably a far bigger impact than all those together.

Yeah, I mean, I would tend to agree with the cloud answer. I think another aspect is there's really not a concept of automated response to any great level in OT environments, where everyone is, rightfully so, concerned about doing the wrong thing and knocking a process offline, and not being
able to recover I think over the next several years especially being able by cloudy and AI machine learning whatever buzzword you want to use I think you will get to the point where you are able to automate some responses um you know it may not be isolating a device from the network like like you do in it but things around blog collection things around uh some sort of automated forensics I think that uh you know I think that's kind of the next Frontier in okay catching up with it oh fantastic listening to your your answers
is giving me just the hair in the back of my neck is just Rising going like I really look forward to the future um thank you gentlemen so much for the Fantastic conversation thank you for your insights your knowledge your experience as well I think everyone in this room and online has benefited from that I really appreciate um all of you making the the trip down to Trek down to Singapore as well to share your knowledge I also wants to again shout out to CSA attention did an amazing job putting this together Raymond was also
very very relevant in terms of helping to arrange this and bring it all together and I'd like now to hand back to the lovely Charmaine foreign thank you very much Mr Shore in our panelists I'd like to invite you invite you back to a seats at this point thank you very much one more time for our entire panel please ladies and gentlemen [Applause] an amazing conversation uh hearing everybody's thoughts on the OT environment we hope to keep the conversation going and everyone in the room is invited to the foyer for some light Refreshments mingle and
network of course and on behalf of sicw 2022 thank you so much for choosing to spend the afternoon with us and have a great rest of the day ahead thank you see you soon foreign [Music]