Sectrio

Our Videos

Trends and Challenges in the Manufacturing Profile

...overall trends and what the challenges are. To explain that, I'm going to hand it over to Prayer, who will share with us some insights and important thoughts around what we see as current trends and challenges. Happy to hear from you.

Hey, thank you. Very important points that you mentioned about the pillars of the NIST framework. I think that is where the resource attention should go, and that is where we are lacking currently. In terms of how the threat landscape is evolving, it is factored in the fact that many of the manufacturing entities out there have not really geared up their response mechanisms to factor in the kind of evolutionary pressures that are out there, which are working to make these hackers develop much more important versions or variants of the malware out there to beat these systems down, take out data, take out your confidential information and take out systems. Very recently, incidentally, as recently as the Thanksgiving week, we saw a spurt in attacks on manufacturers. Again, there are a lot of these episodes which are tied in with either geopolitical events or with holidays or some kind of distraction that might be on the horizon, or potential distraction that might be out there. So when we look at the trends that are happening, obviously the attacks are on the rise, and these attacks have definitely got an origin in the kind of challenges that manufacturers are facing in trying to improve and evolve their response mechanisms, and also their strategies to sort of box in these cyber attacks and take them away from their core systems and what they have in their OT and other infrastructures.

So the governance mechanism is where the key challenges are emerging from, because the structures and the NIST frameworks that Freedom mentioned are all geared towards IT. OT is something that has been neglected for a very long period of time, and this has got to do with various reasons, but mainly what this has led to is that the governance structures have not evolved to keep up with the kind of threat landscape changes that we've seen in the last couple of decades. Then again, we have seen that there is a lot of attention coming in from the compliance side, especially as far as critical infrastructure is concerned, but there are a lot of voluntary mandates that have been presented to various entities, including critical infrastructure operators and manufacturers as well. So these are early days for these frameworks to be utilized, and for them to mature and settle into the operational processes as far as the manufacturers are concerned. We are going in that direction, but we are not going fast enough, so that is becoming a challenge.

Again, enhancing the security levels and efficacy of existing OT security mechanics is very important. This again is an outcome of this slow evolution that is happening, because all the mechanisms that we have are geared towards IT. OT does require, or rather is getting, some attention, but we can do with more attention, more resources, more planning, more strategizing, and also operating with a lot of visibility, so that we are very clear as to what is happening at various levels out there and what kind of breach tactics these hackers and other actors are playing with to create these challenges for us.

Rolling out a compliance program: again, institutional response mechanisms have really lagged. As I said, they are not aligned to the forces which are playing out there. These are the forces which are putting not just an evolutionary pressure but also an economic pressure on manufacturers to evolve themselves. By that I mean that at one end we are seeing manufacturers working towards putting these structures in place; on the other, we are also seeing that the hackers are staying a step ahead of these mechanisms and creating these breaches and other security challenges for manufacturers at various points in time. So everything takes a step back once a cyber attack takes place: there are a lot of revenue losses, there is loss in production, there is loss in capacity, there will be reputational challenges that come in. Overall, it creates a situation where the entire roadmap of a manufacturer gets disrupted, and that has been the biggest outcome of the lack of a compliance program that runs across an enterprise.

System and infrastructure protection strategies: again, these have not kept up with the kind of evolution we've seen in the space as far as malware developers are concerned. Things are moving, but as I said they are not moving fast enough. We need to do a lot more; we need to have much more easy-to-adopt frameworks; we also need to have some level of flexibility as far as institutions are concerned, so that they can move much faster, incorporate these frameworks and mechanisms much more easily, and also respond to all these evolutionary forces that are operating around.


Improving Risk and Governance Profile for Compliance in the Manufacturing Industry

This is something that I wanted to just share with everybody: a quick snippet of a particular ICS device, a controller, which is one of the several devices that are installed in operational facilities. We have different SCADA systems which run on Modbus, your BACnet, your BAS controllers that are connecting at your layer two protocol level, that are connected inside your infrastructure. Now when we do an assessment on this, we see that there is already a CVE that has been identified which is vendor specific, and the criticality, so the CVSS 3.0 based on the scores, has identified that there is a buffer overflow issue. But then how do we actually look at specific endpoints that are carrying out these types of device profiles and then build controls on it, NIST? Because if I use my existing security that is for our IT systems, my desktops, laptops and mobiles, they will not even have a way to list out these kinds of vulnerabilities that are very specific to these devices.

So that's where we have laid out what exactly we think should be the process that we work with our customers on, and most of them follow. It is basically fingerprinting based on what we scan on their device: what accesses do people have on your ICS devices like these, what kind of privileges your admins, your operational team actually have on this device type, what the password policies are, which are preliminary checks that have to be cleared off, making sure that we are not using IEC 62443 default passwords, making sure we're basically employing zero trust, which means unless required nobody gets access into these devices. Then going a little bit further down to understand what the protocol vulnerabilities look like: are there any existing protocol vulnerabilities that can expose, even though the devices and the infrastructure are inherently secure? Maybe there is somebody else trying to communicate over it, maybe they're exploiting a vulnerability that exists within the protocol or the messages that are either in transit or at rest. So those are some of the important aspects to start with.

Based on that, we do fingerprinting and then identify a contextual current profile. So this is what it gives you: here is what my current profile looks like, these are all the different vulnerabilities I've identified. Maybe I will only pick the top, the critical ones that are directly going to impact our business, then create a NERC CIP response plan for it, and then assess what my vulnerability management for that looks like. How do we overlay? One of the most important aspects that NIST also talks about quite a lot is that it's not here to replace anything that is currently in practice, but to overlay and complement your existing security controls with some of these things, which are talking about certain vulnerabilities or certain gaps that are identified and not covered by our traditional security measures. And then establishing your target profile, customized templates based on what our findings are, and further to that enabling your detection mechanisms and then your response playbooks. So this gives you a clear, streamlined view of how you include or adopt all these security postures, building your security posture and adopting that security strategy with your existing operations, and not replacing anything.


How to Scan The OT Devices Identified and Related Vulnerabilities

There is a question which says: how do you scan the OT devices identified and the related vulnerabilities? Great question, because as I was mentioning earlier, it's not always possible to actively probe some of these OT devices, especially understanding their critical nature and the very time- or resource-intensive ways in which they respond to external communications. So there is more than one way we actually scan the devices. One is what we call passive scanning: we basically look at all the different traffic that comes out from these endpoints or devices, through, let's say, just studying the pcap that is coming from the switch or the gateway, trying to passively monitor it, running some specific SDK scripts to get the data from its tertiary servers like your historian servers, what logs they are generating, and then mapping out these different sources to identify the related vulnerabilities. Now in certain cases, if a very specific, in-depth vulnerability assessment is required, we do need to reach out to those devices, or at least have an inventory of what the devices look like, and then we do lookups on our own end against already identified, existing vulnerabilities within our honeypot lab and map that profile with what our customers have. So these are several techniques that we use: scan them passively in a very low-intensity way, map it to the profiles we already have in the lab, and then see what the commonalities are between these devices and what we have. Even if we do not have certain things, we use the passive scanning techniques to monitor it, conduct the protocol analysis within the solution, and then provide results in the form of reports or even alerts in some cases. Hopefully that answers the question.


How to Implement Zero Trust Architecture in OT Environment

How can we implement zero trust architecture in an OT environment? That's a great question. One of the first things to implement a complete zero trust architecture is to start early on in the design phase of the OT environment, knowing that we will not be able to go back because the infrastructure already is in place. So the first thing we can currently propose, and usually what we work with our customers on, is that even before deploying the product or installing technology that can focus on what the security detection or the response should look like, the first thing we look at is what the current accesses are, what the threat assessment and threat landscape look like. So based on the scanning we say, hey, there could be policy checks that are done, and then what are the accesses, who has the accesses, who is authorized to use either the whole network or even a part of the network, and then map this out, telling whether this access is even available, and then following the methodology of least privilege. So the first thing is, if anybody does not require access, in this case accessing any type of your OT environment or any endpoints in the OT environment, then it should be revoked or completely removed. So that's the first step.

Then we move on to the technology aspects of it, where now we are seeing that there are quite a lot of IT and OT integrated environments, and environmental issues that we are seeing a lot. So what systems, how exactly are these message communications happening, are we seeing any certain type of OT commands? Historically, we have seen that there are specific OT commands that are being executed and run on some of these devices just for testing, for certain types of checks that are performed. So making sure of who's executing these commands, and then looking at these systems and devices; at the end of the day they could be Linux, they could be Windows based systems or servers, and basically looking at what commands are allowed to be executed in this environment and disabling anything that is not allowed, and then doing a thorough architectural analysis based on the vulnerability assessment and testing of those devices, and then addressing those vulnerabilities. So I think these are the top two to three ways how we can actually start looking at zero trust for the overall infrastructure within the OT environment and then continue to maintain it.


NIST Cybersecurity Framework in the Manufacturing Profile

What we see here is the overall OT security landscape, and in this webinar we want to cover the overall infrastructure security that can span across your IT, your IoT and your operational technology. What we're seeing here, especially with the IT security that currently the majority of companies have adopted, is just the tip of the iceberg. There is a big depth of operational technology security out there which is still unknown; most companies still find it a wild west because of various reasons, and it will be interesting how these two merge together. That's something that we provide to most of our customers, and I'm glad to be part here having this conversation with you, trying to exchange some thoughts about the operational technology space: how the critical infrastructure, how the cyber-physical systems are closely connected and getting connected with the IT environment, what implications and challenges we see, and how we overcome that. So it's an interesting topic and personally my favorite one.

So with that, directly diving deep into what we have: NIST has been working extensively on building the Cybersecurity Framework for many years now. However, the most recent one, due to the large attacks that we have seen especially in the United States, requires this attention; that's the topic today, where the NIST Cybersecurity Framework globally covers five main areas, as we put it. So while there is the whole aspect of what the confidentiality of our data looks like, where our information is, what the integrity of our data looks like, and how we maintain availability, personally when we look at cyber-physical systems we see that yes, there is confidentiality to the data that is being sent out, with IT the information that is required is important, but most importantly when we talk about operational technology it's the availability that is critical to us. So when we talk about availability, it can have direct implications towards the physical access to those systems; they are generating, or they're actually responsible for, day-to-day operations, and any cyber attacks on those physical systems can negatively impact the businesses and have caused downtime. I mean, recently, about a year and a half ago, Pemex, one of the largest companies working on critical infrastructure in Mexico, had about two weeks' downtime; they had to pay almost five million dollars in ransom and they also ended up losing their productivity for over two weeks. And there are several instances like that. Most recently, I was reading today where AWS had a major outage that's causing several Amazon and related sites and businesses to stop still for a few hours, losing millions and millions of dollars.

So looking at all these things, what we see when we talk about the Cybersecurity Framework, especially building a profile, is to have two main footprints or blueprints, where we look at what our current profile looks like and what our target profile should be that we will be building, and how we customize that to our business. Now, based on the experiences that the industries have today, there is no specific template that the CSF mandates or guides; it actually gives the guidelines, the best practices that can be customized to individual organizations based on how their infrastructure is laid out, based on how their network topology is, what kind of IT and OT integrations they have today. So with that, starting with the first step, it's critically important to ensure where and how we look at identification: where and how our assets are identified.

Now, this is a continuous process. The first thing to know is what is out there that we know or do not know. Maybe there are some attack surfaces that have been existent for years and we just do not have the existing controls, or do not have the existing skills within the company, to actually look at specific areas, how these assets respond to potential intrusions or potential data exfiltrations or anything that is related to a potential attack. So the most important thing that the Cybersecurity Framework guides is to be able to identify, conduct a risk mitigation process, so a risk assessment followed by the risk mitigation, where I'm able to identify and understand what exactly my vulnerability is, where my attack surface is today, basically talking about what the risk appetite of our business is, and then scoring those risk appetites based on the criticality or the severity of the information that we identify. Now this has been existing for years or decades in IT, but the most important thing is, when I look at industrial or operational technology, there are top three things that come into the picture. One is the protocols that are actually used to communicate between or by these industrial purpose-built devices. They may be using legacy protocols, some of them using proprietary protocols which are very vendor specific. Now how do we know that some of those protocol-level vulnerabilities are not exposed?


Gap Analysis Current and Target Profile in the Manufacturing Industry

What we had seen last year, in November: some of these potential threat actors actually stayed dormant in the networks for almost six months before they could actually exploit the networks. So that actually creates a good segue for me to start off on what exactly there is, as part of the manufacturing profile that we talk about: an important gap analysis step that most organizations are required to perform before they start, or during, their security strategy discussions, and how exactly we are going to initiate some of these controls that are relevant to our organizations. So frameworks like these, and especially the NIST Cybersecurity Framework profile, while there are several other frameworks, this specific one actually is used as an outcome-based model, especially focused on the business needs to achieve what will be the desired state. And now it's again a moving window, so we see that the threat landscape changes almost every single day, so I would definitely like to highlight that it's a continuous process that we work with our customers on. Generally what we have seen is that when it is done right, it's done in a more continuous manner, and not, as we see sometimes, where because of the time and the budgets and how security is taken as an afterthought to digital transformation, it is usually once or twice a year. That mindset is changing, and this is becoming a line item in almost every single critical need: as part of the project, as part of your back-end operations, your supply chain program, every aspect in the overall product life cycle or any kind of new initiative that companies come in with, this kind of profile setting is actually becoming a standard norm that it mandates.

So what do we see here? This is where we actually talk about what our current profile is, or what the current state looks like in our infrastructure, what the target or desired state is that we would want to achieve, and what the list of items is that we would need in order to achieve that state. So as we see, we've identified, again a non-exhaustive list, about four different topics or major points which talk about this current state. So yes, our operational technology is complex; we have quite a bit of legacy infrastructure, so how well do we know what exactly is connected to our IoT network? We have always been talking about Purdue models; with the advent of IoT and digital Industry 4.0 transformation, there is a break in that Purdue model. So there are solutions, there is technology today which is getting bolted on to our legacy infrastructure in order to do predictive maintenance, remote monitoring, analytics and any data that we can get out of our industrial control systems. So that becomes critical to understand: how well do we know what is connected, what does our inventory look like, which is connecting back to our IT networks, what are the assets which are monitored by our existing security operations team, and what controls do we have? So that's the limitations of OT and ICS security controls that we see today.

Now the frameworks that we see, they're not prescriptive, so they're not prescribed to follow any specific template to stay compliant, but they help you be compliant against several others that we have talked about in the past: your NERC CIP, your IEC 62443, ENISA. So there are several different compliance metrics and standards that are coming there, and how well do we identify what is required for us to map it with those compliances that we are working with, based on the industry that we are part of. And also the risks on the industrial machines itself: can we afford a downtime on critical infrastructure? So today, do we have enough controls that talk about how we afford that downtime, or how we mitigate or minimize that downtime? And also talking about the compatibility of our current existing technology which we have in IT versus the legacy technology: are we using the same set of controls to actually monitor our industrial control systems? Do we have a focused or targeted approach on what exactly we need to have in place in order to monitor or even respond to certain types of threats that I'm seeing in my industrial network? So those are some of the things in the current state that the organizations have seen.

But then where exactly can they go from here? How this profile helps them is by building out an action plan. So mainly, I have 108 controls that I need to match. Now it's a complex, exhaustive process, but most of those controls are already available within our existing security planning cycle; we already have implemented a certain percentage of that. So what is the gap that we see today, which we do not have, and how do we bring those controls into our existing security monitoring, is something that we will identify. Now there are other caveats that come into it, talking about the current needs: so is this a plan, let's say, for 2022, or do

