Join security experts from KuppingerCole Analysts and Cyolo as they discuss how access is evolving and the challenges that brings for OT/ICS/CIS environments. They will look at the potential benefits of technologies such as SIEM, SOAR, ITSM, PAM, IAM and XDR, and concepts such as MFA, ZTA, and ZTNA, as well as ways of reducing risk and meeting insurance requirements.
John Tolbert, Lead Analyst at KuppingerCole will give examples of threats to OT/ICS/CIS environments and the associated risks. He will describe how critical infrastructure differs from general IT, and how IT security tools can help protect it. He will also look at Zero Trust Network Access principles and how they apply.
Kevin Kumpf, Chief OT Strategist at Cyolo will explain the concept of application access, discuss a unified approach to using IT security tools, look at how these tools and process change can help address OT staff shortages, examine the impact of devices such as software PLCs on organizations, and explain how to achieve future-proof secure remote access.
Hello and welcome to our webinar. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today I'm joined by Kevin Kumpf, who's the Chief OT Strategist at Cyolo.

Welcome, Kevin.

Pleasure to be here, John.

Our topic today is the evolution of secure access for critical infrastructure. So a little bit of logistics info before we get going. Everyone's muted centrally, so there's no need to mute or unmute yourself. We're gonna do a couple of poll questions and then we'll show the results at the end. We will take questions and we'll answer those at the end of the presentations too. And then lastly, this is being recorded, so both our slides and the recording will be available in a couple of days' time.

So I'm gonna start off talking about what critical infrastructure is, what some of the security challenges are, and where zero trust fits into that. And then I will turn it over to Kevin and he can do a deeper dive on critical infrastructure security and the Cyolo platform. Then we'll do the poll results and look at questions again at the end. So first up, what do we mean by critical infrastructure and why does security matter? I thought I'd start with just some definitions. Operational technology is sort of the overarching definition for all of the things that you see here on this page.

Operational technology includes hardware and software that control all sorts of different kinds of industrial equipment, different kinds of devices and processes. Critical infrastructure, our main focus today, includes things like power generation, power distribution, pipelines, oil and gas, water treatment, wastewater treatment, traffic control, all the things that are really necessary for the proper functioning of society. Industrial controls I think of more on the manufacturing and agriculture sides.

This includes a lot of well-known concepts like SCADA nodes, PLCs (programmable logic controllers), human-machine interfaces, and various kinds of actuators and sensors. And then we have IoT and industrial IoT (IIoT). These are the more commoditized IP-based devices that a lot of organizations are using now because they're lower in cost to deploy, but they can also be an important part of any of these different operational technology environments. So our first poll question is: does your organization run any of the following types of OT environments?

The first one is critical infrastructure, the second is industrial controls, the third is IoT or industrial IoT, and the fourth is no, we're just doing traditional IT for the enterprise. So as you might expect, things have gotten rather complicated in the last few years with IT systems being used in OT, and especially critical infrastructure, environments. So they have, you know, HMIs and PLCs and various kinds of actuators and sensors.

But, you know, they're also using identity management and physical access controls, identity management being, you know, really a key part of controlling who gets access to what. And, you know, with these complex environments come not only employees, but also contractors, system integrators, equipment manufacturers; lots of different people and processes need access to OT and critical infrastructure systems.

So we see, you know, increasingly a mix of different kinds of technologies in OT and CIS environments. So why or how is it complex, and where do you focus on securing it?

Well, of course it's gotta be multi-layered security, defense in depth. Some of the challenges we see: you know, some of the components are not directly accessible.

They may be behind firewalls. Network segmentation is mandated in some industries. Some of these devices don't run IP-based protocols, so, you know, it can be difficult to interface with them. Some controllers are mandated by regulations in some cases to be behind the firewall, and only unidirectional communication can happen, such that, you know, it can send information out to another environment about what's going on inside there, but you can't allow any kind of access into it.

Some environments are air-gapped, and then, you know, like I said, we've got employees, partners, equipment manufacturers, lots of different kinds of users that need access to the various components of an OT or CIS environment. Other things we have to consider: you know, some facilities are remote, sometimes they're not permanently staffed. They may have low bandwidth or, you know, very weak network connectivity, or it might not even always be on. So how do you deal with remote access needs in cases like this, where facilities are far away and nobody's there 24 by seven?
So now let's look briefly at the threat landscape for critical infrastructure. Among the most common attack vectors that we see in critical infrastructure, people have been very worried for the last few years about ransomware spillover from enterprise IT. There have been a number of cases where that has been a very big concern, and in fact the operational technology environments have been shut down preventatively to prevent that spillover. So that's definitely something that is top of mind for many CISOs today.

There's social engineering, both physical as well as logical, trying to get access to an OT or critical infrastructure environment.

Physical being, you know, trying to social engineer someone into letting a bad guy into a facility, oftentimes to deliver malware by USB or some other removable media, because, yeah, if it's an air-gapped environment and a bad actor wants to compromise it, they've gotta walk it in and plug in a USB. Maybe it has malicious firmware, but there are security solutions that can help check for malicious firmware and other malware on USB devices. Denial of service, you know, at the network layer can be disastrous for critical infrastructure.

And then there's insider threat, sabotage. And then, just more generally, insecure remote access. We've all heard about a number of cases where insecure remote access was the way in for malicious actors, you know, using something like remote control software that had weak or practically no authentication, which then granted them access to move around inside the critical infrastructure systems. So how do we protect the various components? There are many different things that are needed, you know, following the defense in depth idea.

But first of all, you've gotta know what you have. You can't protect stuff if you don't know that you've got it. So asset discovery and classification, as well as vulnerability management, are really the first steps. Then we have identity and access management, particularly zero trust. You've gotta be able to control access; each request needs to be properly authenticated and authorized. Firewalls and network segmentation.

Network segmentation being, you know, a key principle for zero trust network access; firewalls I've mentioned, you know, for environments that have to ensure one-way communication. Monitoring: SIEM, security information and event management. Your OT and CIS systems generate a lot of information that needs to be analyzed from a security perspective, and SIEMs are good tools for collecting that. There's also a need for OT or even critical infrastructure specific threat intelligence, and there are firms that specialize in that.

The types of threats that critical infrastructure faces by industry and what their particular threats are. Then there's detection and response, and then incident response. Detection and response: being able to look at all that data and figure out what's amiss, what's anomalous, what's suspicious, what's a clear sign of an attack, and then how do you do incident response, you know, in a more broadly process-driven way.

And backups being an important part of that too, being able to restore the different nodes within your critical infrastructure environment quickly to keep things up and running. And then lastly, I put deception in here. There are distributed deception platforms that can sort of emulate an OT or critical infrastructure environment right down to the different kinds of machines and HMIs and PLCs. And that can be really helpful for organizations that want to collect intel on what an attacker would do if they had access to the real assets. So now we'll look at secure remote access.
What are the use cases for it in critical infrastructure? So, off-hours support: you know, not every organization's got 24 by seven staff in these various locations.

You know, I mentioned that partners and integrators and even equipment manufacturers need to be able to get access to various components in critical infrastructure. So, you know, many times they're not on site, and if you want to get quick help, you've gotta have a good secure remote access solution for them. Then remote locations, you know, just to sort of emphasize the point: some of these organizations have locations that can be six or eight hours away from, you know, headquarters, and they're not always staffed.

So if you need immediate resolution, and you probably do, remote access is really the only way to get that going. Then the last two: you know, we see increasing use of cloud as a data repository for doing, you know, advanced data analytics. A lot of critical infrastructure organizations wanna be able to leverage analytics for things like predictive maintenance. This is something that also requires good secure access control. Same for digital transformation: they're leveraging these cloud environments and other systems so that they can, you know, become more efficient.

But again, this should require a zero trust network access principle. So the IAM challenges: they're similar to what we see in enterprise IT, but again, it can be more complex because of the different kinds of devices that are involved. You know, some don't use IP protocols; there are often multiple domains involved. You've got all those different kinds of users from different organizations; they need single sign-on and federation. And then still we have, you know, the traditional problems of provisioning, de-provisioning and managing access entitlements.

That can be far more complicated in a distributed environment like this. And then again, to hit on zero trust, you have to properly authenticate and authorize each access attempt. So zero trust, I think, can be a big component in how you secure your OT and critical infrastructure. These other things here, secrets management, privileged access management, access logs and analytics, all those can be very important as well.

Privileged access management, again, can help you lock down accounts, service accounts, administrative accounts, and prevent further compromise in the event one machine is compromised. Secrets management, same thing there: you know, there's lots of need to secure passwords, certificates, all sorts of different secrets that can be used in OT or CIS. And then again, access logs and analytics, very important for being able to figure out if you are seeing anomalous or suspicious behavior. So, last slides here, sort of drilling down into zero trust for cyber resilience.

I really like the architecture diagram that NIST has in Special Publication 800-207 for zero trust. Here you see different inputs, you know, things like continuous diagnostics and monitoring, industry compliance. Many industries that operate critical infrastructure have special regulatory requirements for security, for identity and access management in particular. There's that OT-specific threat intelligence, activity logs, but you also have, you know, the need to create data access policies.

There's still lots of PKI; a lot of machines are using, you know, X.509 certificates for identity and authentication. Identity management and SIEM. I like how this separates this out into the control plane and data plane, the control plane sort of following the tenets of, you know, the exact reference architecture, with a separate policy decision point, separate policy administration point, and a policy enforcement point that lives in the data plane.

And again, this is used to facilitate very strong authentication and proper authorization. So, second poll question: is your organization moving towards zero trust architecture for OT critical infrastructure? Take a few seconds to answer that. We've got three choices: yes, no, or not yet / planning on doing so.

Okay, well, thank you. We will take a look at those at the end. And just a reminder, if you've got questions on this subject for us, please feel free to enter them into the control panel and we'll take them after Kevin's presentation. So next up, Kevin.

Thank you, John. Pleasure to meet all of you here virtually. John has gone over many of the technical components of the infrastructure, and my goal right now is to talk about those components, where they fit into the environment and how they fit in. So with that said, what is secure remote access?
Now you may be thinking that we should know what secure remote access is, but in reality, secure remote access is an umbrella term, and it refers to the security measures, policies and technologies that an organization uses for locations inside or out of the corporate office with a high level of security. Notice this term has come from the IT world, and sadly secure remote access has become a checkbox tool, much like you'd say, I have an SFTP server, I have a file share, things like that. It's become a term; even zero trust, as we know, has become a term.

So what Cyolo is doing, and how I view the industry as a whole, is we're shifting that paradigm.

The reason we're shifting that paradigm is that 80% of all outages, all events (and an event is an unintentional action), are attributed mainly to routine jobs, unscheduled changes, misconfigurations, or, as we're now seeing, things that are going on between IT and OT, crossing that boundary, where a system is patched out of window, a system is accessed without the proper credentials, or, as I've even seen, SSL or other things are applied to a system that does not support it, and that is causing issues and systems to go down.

So while we're all concerned about ransomware, and decidedly so, how do we prevent the unintentional events that are happening to OT? Well, as we know, IT and OT are coming together. If we look at the IT side, that's the carpeted floor. If we look at the OT side, that's the grated floor. And this is an interesting image. The reason I left it by TechTarget was to show that from an industry perspective, the middle terms are a little concerning to me: merging the two distinct networks and sharing the data that each collects and distributes. When you merge, you integrate.

And integration is not what we want to do in the space. Much like everybody says that we need to apply zero trust.

Well, as John has stated, zero trust is just a framework, and to show you how misunderstood it is: last year I presented at a very esteemed conference and all these people got up and were talking about how their platforms were zero trust. And I got up and said, who knows what 800-207 is? And nobody had a clue. And then I had to add the NIST Special Publication 800-207, and most of them still did not have a clue. So if we're gonna use terms like merging, integrating, if we're gonna talk about ZTA or ZTNA, we have to be precise.

Much like the term secure remote access, it is actually now secure access. Because if 80% of your events are unintentional and they come from users just doing misconfiguration or other things, we need to put guardrails and controls around those. What we're really doing is we're interfacing infrastructure. When we integrate, we expand the scope of the resources involved from a compliance and audit risk perspective.

If I sit down with a NERC CIP auditor and I'm looking at my electronic security perimeter as an example, and I state that I've just added these new resources to it, the auditor now immediately thinks they're in scope. So if we said we've integrated them in, which means to blend, to merge, or we've merged them in, that now expands the footprint. Interfacing is what we are really doing. When we integrate, the AIC approach transforms to the CIA approach. The AIC approach, which is really key to the OT world, is availability, integrity, and confidentiality.

Availability is first, and the reason availability is first is because uptime is key. But as we see at the last point, safety remains first. The safety in AIC in many cases is silent. And in fact there are many discussions on LinkedIn and other platforms right now about, you know, well, should there be the S, or is it included, when there are more IT people coming into the OT world right now to take roles, and I've met many of them that have zero months' experience, three months' experience, that are taking over programs. The safety is not applied.

If we look at the CIA approach from IT, which is really about the confidentiality, we must not lose the data. Availability is last; systems go down. How many times have you gone to an IT system and had it down, gone to a web browser? Even your cell phone is not considered critical.

You know, you lose signal. And yet that is supposed to be our lifeline in emergencies and other things. So we need to ensure that the approach stays AIC, and then when we interface, we maintain those proper ICS boundaries from a regulatory compliance and audit perspective that I've spoken about. So the language is important, how we use the terms is important, and now how we define things is important. As you can see, this is the current state of the IT to OT infrastructure.
Many of you are looking at the center section and realizing that we have resources in the middle: we have PAM, VPN, CASB, other things out there. And then we have on the left-hand side the resources coming in. Where are they located? On the right-hand side you have emerging applications and resources. And so companies are now, due to vendors, due to legacy applications that they cannot change, due to legacy ways they access that they cannot change, adding multiple tools to the environment.

And as we add these tools, the complexity grows, and the complexity is where we don't have the resources. One firm that I'm working with has 200 facilities and two individuals for OT security. When I asked how many people they had for their help desk, they replied that they have 50 people for their help desk. That's wonderful for the IT world. It's not wonderful for the OT world.

So when we have all these resources in the center of the screen here that are truly taking up time, energy, and effort, giving you multiple ways to get into an environment, and many of them are in fact secure remote access type methodologies, because remember, it's an umbrella term. We need to close that and control that down. The future state of where we want to be is unified digital identity management. This is not a made-up term. This is where we take the digital identities of the users, the devices, the environments and the resources, and we unify them in one controlled access plane.

If you look at the ZTA slide that John had put up, that slide shows that we have a controlled framework of policies, procedures, resources, inputs and outputs. And as we're going to Industry 4.0, that data is two-way data. Now, I know your infrastructure is in theory a one-way infrastructure, and I understand that that connection from the resource, that gateway, that secure remote access point, needs to be one way out. But that one way out is producing data from both directions.

It's taking data in from users, passing it to applications, and it's taking data from applications and resources, users to applications, users to machines or machines to machines, and pushing it through. So that adage where John talked about remote resources, being able to take a sensor, get that data out to somebody where there is nobody at that sensor but they need to know, is critical. Being able to have things in remote locations where there's limited bandwidth, and being able to get there to understand those resources and what's going on, because it is part of your integrated network, is critical.

And so if we look at identity-based, which is unified digital identity management, that's the evolution. So we started out with VPN, which is still out there, and that gave us encryption and what they term, quote unquote, secure remote access; that gave you network layer access and control. If we look at ZTA, ZTA is taking the concepts of policy, it's taking application access, network access, and it's taking basically cloud scalability out there and saying we can put this out here in the cloud.

Now, I caution you that people say, well, ZTA can go on the cloud or on-premise, and in our platform it can. But if you talk to many of the vendors out there, they're giving you ZTA with cloud infrastructure, which is now expanding those safety systems and other areas to the cloud. As I've said to many people, you know, when people tell me, just put everything in the cloud, it's perfectly fine, it's great, I ask them one question: would you put the sensor for your vehicle's airbag in the cloud?

Would you trust that, knowing it's that distance away, or do you need that instantaneous control with your finger on that pulse immediately? That gets a different answer than "put it in the cloud". So, identity-based: it's zero trust, not vendor trust. And what that means is that these vendors that are coming in with these solutions, that are telling you you must use this or you must do that, you take away the control that they have. You basically say that through the platform that you are going to implement, you now have control.
The other part of this is that you need something that's flexible: cloud, on-premise or hybrid, which means it will do all three of those types of platform environments for you. This gives you flexibility. You need compliance and surveillance. What does that mean?

Well, going back to the "OT does not have enough resources" mindset: being able to have recordings, being able to have people that can go back and look at things that were done when a vendor is granted access into the environment, when a user internally from the IT side is given access, or even now if we have people out there in the OT environment that are using tablets on the shop floor, that are using line of sight to do things that are at remote locations, you want to have that capability. Adaptable and integrable: what does that mean?

What that means is having the ability to tie into other platforms, as John had mentioned: a SIEM, a SOAR, an XDR, threat and vulnerability management, being able to pull this information in and out. When you get to the core of what zero trust is, when you get to the core of what your SOARs and your firewalls and other things are doing, they're enforcing policy. They're enforcing policy on users and resources, assets, systems, you know, the plethora of things that make up what an environment really is.

And so if we have the ability to pull and push policy, to compare policies, we now have the ability to take a firewall, pull its policy, look at that from a platform such as Cyolo's, find out what ports and services are open, and then at a time put down a policy that says that a user can come in at a given moment in time, work with an application, and then turn off the policy to the firewall, turn off the policy to the user's application, turn off the user, and really drill down and now block that entire path and give you total micro-segmentation. And identity modernization is the last part of this.

It layers on top the ability to take legacy applications that cannot do MFA, legacy applications that have weak and shared credentials, vault those credentials, modernize those credentials so that you can do MFA even in air-gapped environments. So this is not a pie-in-the-sky thing. This is available today. And if you look at this slide, you can see this; you can see that basically we have the identity and access control sitting in level three slash two. This is right in your boundary.

As you can see, we have an edge, which is just SNI routing, which is basically, if you think of it, a reverse proxy. Now we're talking reverse proxy here, but yet at the same time we're talking secure remote access. The proxy gets you that outbound direction. The user is the entity that requires the secure access. So the platform is the vehicle to enable secure remote access. But as you can see, we have OT staff that now can be on premise. So that is secure access. They're not remote; they're right there. You can see that you have remote users at level five that are coming in from the cloud.

Your third parties, potentially your offsite workers, those are considered secure remote access. Your internal staff at level four of the Purdue model: now we're looking and saying they can be on premise or they can be remote, or in an architecture such as SD-WAN. Now they're truly flexible to wherever you would like to call them, because the infrastructure is no longer the deciding factor of where they're coming from. It's the application and resources and the defining of the network in that capacity.

But as you can see right here, one of the key points I wanna point out on this slide is the firewall that sits behind the ID access control. With the ability to control firewalls, with the ability to control policies, with the ability to turn things on and off at a granular application level based on user, based on access, based on time and other factors, companies now can place firewalls even deeper in the infrastructure. It can give that true microsegmentation. So, a prime example of how this architecture flow may work: a sensor or actuator on the backend may give you an alert.
That alert would come out to your access control, or your gateway if you want to frame it in that capacity, and that would be passed up to a SIEM. Now, with safety being the key component, 'cause we know that IT tools are coming into the OT environment, that operator now can make a decision. That operator can make a decision of using his browser to get out to that platform, and we are a browser-based platform, truly agentless, using a UI or API to enact that.

And that means they could have that browser, but they can also have a scripted process that comes back through, or use a SOAR to now automate that process to say, if I see this go on, go out, pull this log, look at what's going on and tell me what I need to do from there. You can also use this for user control, injecting threat and vulnerability management. So if you get threat and vulnerability management information in your platform, you can turn around and say, okay, I see this platform here has this vulnerability. I want to deny remote users access to it.

Only give my users internally access. And with the capabilities of the tools above, you can easily change a policy at any level of this architecture. How do we achieve those goals? From an operational perspective, we're mitigating your risk of an event or incident. And I put event first because if 80% of the problems out there are truly events, that's what we wanna focus on. If you can mitigate the events, then you have fewer and fewer incidents out of that. And that is a foregone truth. I spoke with a company a couple of weeks ago where for months they were chasing their tail looking for malware.

It turns out that somebody was coming in and plugging a USB into one of their control systems with music on it. The only way they found this was to see the person plug in the stick. They were going out and spinning up their incident response team continually, and it took 'em months. So this is an event that was of no consequence in nature, you know; to the individual doing it, it wasn't malicious, but it was truly causing incidents. We want to decrease the total cost of ownership and increase the ROI.

If you look at the platforms out there today, all my customers, all the people I speak to in the industry circle say we want to reduce basically the number of platforms. We want people to work together, and we want to basically increase the ROI because we're not getting more staffing. That leads to the seamless integration into not only the resources that are out there in the OT world, and this John alluded to, the IIoT world that's coming out, and others, but also the platforms that they're using on the IT side.

Improved detection, audit and reporting is really what the operational goals are. And this meets anything from their frameworks to their auditors, to the insurance that they're going for, cyber insurance risk.

Lastly, here are your technological goals. These align very well to what you're trying to do with the ZTA architecture or secure access or your capabilities in the platform. And this slide is available, as I said, at the end of the presentation in several days. But this is where we want to take the technology and truly make it work for you. And so if you're taking all these features together and you're unifying them in a digital modern platform, you're really doing unified digital identity management, the platform. And that is the goal.

That is the ultimate goal: to simplify the attack surface, improve availability, improve your risk posture, and improve your overall performance and productivity of the workers, from a happiness, from a task and from an input and say in the process perspective, because they're the ones using the tools. I hope that gives you enough understanding of what we're talking about, and John, I pass it back to you.
Great, thanks Kevin. That was really insightful and thanks for highlighting that distinction between CIA and AIC. That's something that, you know, we've talked about with critical infrastructure operators many times over the last few years.
You know, one of the main differences between enterprise IT security and critical infrastructure security is, you know, you need to fail safe, you need to make sure that employee worker safety is paramount. And then also being able to deliver the critical infrastructure service; if it's electricity, we all know how important that is.
So yeah, that's a big distinction between, I think, traditional enterprise IT and any of these OT environments, but especially critical infrastructure.
I agree, and the tough part is what are we defining as critical infrastructure these days? Because we're looking at even the distinction of IIoT versus IoT devices out there. People many times will talk to me and use the terms interchangeably.
And if you look at where a lot of the threats have come from, it's been from consumer electronic devices placed into a corporate network: baby monitors, cameras and things like that. That "I just needed that," you know, that's on a home network that now is tied to a corporate network and other areas. If you look at the industrial devices out there, they're trying to at least make some security strides into those. They're not just the mass produced products.
And so if you're going to tie these into your infrastructure, if you're gonna talk about things like MQTT and other technologies that are coming into the environment, how do you really protect the power grid and things like that when there's no cohesive vision for how these all work together? And Industry 4.0 is not that vision. Industry 4.0 is just the data exchange and the concepts as we know.
Okay, before we go into Q&A and discussion, let's take a look at our poll results. So the first question was, does your organization run any of the following kinds of OT? And fortunately today our audience is made up almost half of critical infrastructure operators. Thank you for being here. We also see IIoT, and then a third of our viewers are traditional IT for enterprise.
Well, thank you for your answers. Next one, please. Is your organization moving to Zero Trust for OT? A little more than a third say yes and nearly half say not yet, but it's planned. Well, that's great. I think we're big believers in the need for zero trust architecture for OT and it's great to see that most organizations are either there or trying to get there. Any thoughts on these, Kevin?
The first survey struck me as interesting. Nobody here from an industrial controls perspective.
And that space is very, I don't wanna say ambiguous, but if we look at the energy sector and utilities and critical infrastructure as a whole, you know, CISA has their sectors out there and, you know, they've expanded and those have grown and I see more sectors coming out of that; actually I see sub-sectors in the future. But the concept that those are critical infrastructure and yet there's not critical controls: I think there's a disconnect in how some people view this.
You know, there are industrial controls in critical infrastructure, as you know. So having that be a zero sort of either says that the context of what people understand the environments as, or the context of the way they took the question, really is a little interesting on the second.
Your thoughts on that, John? What do you think?
Yeah, I definitely think that's possible. Could be, you know, this was about critical infrastructure. So critical infrastructure people are likely to wanna join in.
But yeah, so much of it is applicable for industrial controls because in some cases software can be similar. Definitely concepts are very similar.
Again, that primary difference could be between AIC versus CIA with industrial controls too. Yeah. But this is a good mix. I'm glad to see so many people from critical infrastructure here and thank you. On the second slide about zero trust, that is interesting that you see people that have started the journey and people that are not yet but planned.
And the question I would have is who is driving this? And when we look at organizations that are driving this, many times it is IT, and the reason I say IT is because if you look at an organization, how many organizations have a CSO on both the OT side and the IT side? It's generally the OT people report up through IT. The projects that are pushed are the IT projects. Having been a CISO at a major utility, I was not called the CISO, I was called the director of OT security. And yet the CISO of the IT side would continually come to me saying, what does this mean? I don't understand this.
And yet my budget trickled down from her budget. The directives trickled down from her directives. And so when you look at zero trust and you say you're moving to this, I don't meet many people out there in the OT world that are saying, you know what, my mission is to go to zero trust because I believe in IT for OT. So I really think that the organizations that are moving to this, many of them are driven by IT principles and policies. And are we maintaining that AIC versus CIA?
You know, that could very well be. I was writing a document not too long ago that was looking at who's responsible for OT security. And, you know, you pointed out some interesting things there.
You know, there's a lot of variety in reporting structures, and reporting structures as a topic itself kinda sounds boring, but it's not, as you know, because a lot of things like budget and priorities get decided by reporting structures. So yeah, it's not completely common where the responsibility for OT and CIS security rolls up under, let's say, the enterprise CISO. In many cases those organizations have evolved separately. So you've got the people who maintain critical infrastructure who are not necessarily that connected with the team that does enterprise IT security.
So yeah, there can be competition for budget, there can be a lack of clarity between the goals or how to harmonize the goals for OT and IT security. I agree. Okay. Well, thanks for sharing the results. We will now start looking at our Q&A. What is the most important thing in OT environments? I guess that means for security. I will start by saying, I suppose that again goes back to our AIC versus CIA discussion.
You need to be able to fail safely. So obviously you need strong authentication and good authorization, but you also, in times of emergency, need to make sure that people can get in to do their jobs.
So, you know, there's a concept of break the glass, you know, being able to apply very, very strict logging and monitoring. It's hard to say what the single most important thing is because in a defense in depth situation, all the layers really rely on all the adjoining layers to provide that overall increase in security posture. What are your thoughts, Kevin?
So if we put the AIC versus CIA and safety aside, one of the key things I think that is most critical right now is a plan for people, process and technology from an incident response perspective.
And the reason I sort of hung on that a little bit is when I spoke a couple weeks ago, I was at a conference and it was some of the high level executives from the OT and IT world. And I asked them how many had an incident response plan for OT. And of the 50 or 60 people in the room, two people raised their hand. So break glass is wonderful, safety is wonderful, but if you don't know what you're gonna do... I actually feel at this point that, you know, people know what to do from an OSHA perspective, because as soon as you mention OSHA, we immediately take action.
But if you haven't even laid out a plan, if you haven't even figured out what your people, process, technology would be if something does happen, aside from the OSHA side, which is safety, and all of a sudden you need to report, where do you go from there? So the next question: what drives the confusion around zero trust access versus zero trust architecture (ZTA) and ZTNA? I think, you know, ZTA, zero trust architecture, is the overarching principle, and that's really founded on the principle of least privilege.
And that's where we derive, you know, the need for proper authentication and authorization for every request context.
You know, looking at user attributes, environmental attributes, what are the resource attributes, and figuring out is this a proper access request. That sort of drives things like zero trust network access, which is more specific to the actual access request to get into, let's say, a network; VPN replacement, as some like to talk about zero trust, and things like SSIS being. But yeah, I think of zero trust architecture as being sort of the high level view of instantiating all the various principles and zero trust network access as being more around satisfying particular use cases.
Any thoughts you wanted to add to that, Kevin? Yeah, who's driving the confusion? I honestly think the vendors are, and if you have vendors that don't know what 800-207 is and they are telling you that you need to go to zero trust, you need to pull back and question, you know, why are you telling me to do something that, you know... in fact there are firms out there for zero trust, which I find is kind of interesting. But there is another one out there which is ZTAA, which is zero trust application access. That's the term I've heard as well.
So with ZTA, people think it's about the users accessing applications, and ZTNA, they think it's network access, but then they say, well, if it's network access, then it's just like a VPN, it leaves you vulnerable. I think just codifying around what 800-207 is and getting the foundational concept of that slide that you have, John, is the roadmap to whatever you want to call it. It just has to be done with the proper people, process, technology around that framework. And it literally is a framework.
So it really is up to us as an industry to educate better and to not use buzzwords that people don't know, such as integrate versus interface, as another example. Where do IIoT and IoT fit into this vision?
You know, that's a good question. You know, IoT, the promise of IoT was to be able to outfit and instrument all sorts of things, you know, more cheaply, you know, using commoditized devices. They can use IP, they can use, you know, your traditional networking infrastructure.
And I think all that's great, but, you know, in many, many, many cases security was not part of the original design there, which makes it far harder to try to secure an environment that's got a bunch of IoT devices in. And this, I think, is one of those areas where network segmentation, microsegmentation, can be very useful, but even that in itself just adds to the overall complexity of trying to secure an environment that has a whole lot of IoT devices. But that's not gonna go away because in many cases they are more cost effective to operate.
Yeah, I look at that and I say when people say the term IoT to me, to me it doesn't mean internet of things, it means internet of threats, and it literally has become that. And yet there are people out there that, if you just Google IoT and ZTA, you'll see all the major vendors say how to secure IoT devices in a zero trust methodology, or zero trust is the only way. Well, if you cannot validate the device, if you cannot enforce policy on it, if you cannot credential against the device, how do you enforce any policy, any structure on it?
This is where the distinction between trying to get a level of security on industrial internet of things versus IoT things is critical, and yet companies are gonna go to the bottom dollar of what's cheapest, most effective, what's made, you know, across in those nation state countries of concern to us. And, you know, a trust model is not gonna help that. Yep. What's the future state of secure remote access?
Yeah, I think that the state is, you can't trust anything at this point as remote. You have to take things to heart and say that all access needs to be secure. And this is from people to applications, from people to resources, from resources to resources. We're talking about, with IIoT and IoT devices out here across the boundary between IT and OT, it's all secure access. Remote went away when the concept of remote workers now means you can be sitting in a different building but still on the same campus.
So the remote term went away; the secure access is what we need to focus on, the secure part. Yeah, for sure.
I mean, again, thinking about critical infrastructure, if you've got remote sites, they're of course going to be remote. But yeah, if you're coming from just an IT network to an OT network, that in itself is kind of remote access.
And again, that's where you need strong authentication, strong authorization for every request context, whether you call it remote access or internal access, because a lot of those distinctions are much more blurry than they used to be. Once again, it's the industry that's been doing it, leading the charge in many ways. What's driving the need for OT and IT integration?
Well, you know, as I was saying earlier, I think there's a realization that for some kinds of use cases cloud can be very useful for storing data, for, you know, running data analytics programs, for helping manage some of these kinds of environments. But then also even those that want to run these kinds of solutions on premises, it's still, you know, trying to connect your IT and OT, and again, for maybe historical reasons, those environments have not been that well connected before.
And there's reticence on the part of people with titles like director of OT security to want to connect that because of, you know, fears of ransomware spillover from the IT world. But yet the business, I guess the business desire, is to connect those so that you can leverage IT tools sort of in their own traditional environment. What would you say is driving the convergence between IT and OT?
Well, it's interesting. ISA Global Cybersecurity Alliance actually has a deck out there on the benefits of IT and OT, quote unquote, integration. And it really comes down to lower cost of, you know, commercial off the shelf software, transfer of the best practices to OT, i.e. patch management and other things, using those best of breed tools that have worked in the, quote unquote, IT world, ease of use of performing security and analytics, pulling it together. You want that merged: lower fixed cost, getting rid of redundant systems out there, being able to real-time track.
But then they also put out there the risks of that as well in their slide deck and their publication, which comes down to the disruption of ICS resources and critical systems and inaccurate information that could be sent to system operators. And the one thing that they do state about, you know, if you're gonna do this, even though they're saying here's all the benefits, is to ensure that the first step in an incident response plan is to disconnect OT from IT. Because when you look at it, who controls the firewalls in that DMZ area is generally IT.
If they're under attack, they're not gonna have time for you. So it's the business driving the vision of saving money, getting the same product across. So we've got time for one more. The context of integrate versus interface: why does that matter? Since you described it, how about you take that one? Easy. Integrate means you're blending two things together; interface,
the context of it, means to put together. And I have one slide that I actually presented at a conference a couple weeks back that shows this in very purest form, and it's people playing soccer versus people playing football in the NFL, and they're both called football. If you go to the UK, they're gonna tell you soccer's football; if you go to the US, they're gonna say football is football, soccer is soccer.
And so when you talk about integrating as the blending of two, as I said, if you walk up to an auditor and say we've integrated our systems, you're defining scope, you're changing mindset, you're pushing that boundary of COTS software across everything. If I tell you we now use one antivirus platform integrated across the environment, your first thought is then I should be able to touch every resource and manage every resource. There's no disconnecting that if you're managing it in that capacity, if your vision is that. So it really is important how we address it and view it and contextualize it.
Great. Well, thank you. We're up at the top of the hour. Thanks for the great presentation, Kevin, and thanks to all of our attendees. Any parting words?
I just think that, you know, we need to be clear on how we envision things, clear on how we speak, clear on how we understand why IT tools are coming in, because they are; IT resources are coming in. We can't be adversarial. We have to support each other and have a common vision. Agreed. Okay. Well, thanks again everyone, join us for our next webinar and have a good rest of your day.