Webcast Transcript: Protecting Critical Infrastructure from Cyberattacks During Global Disruption
Booz Allen Hamilton, ProtectedIT, Virsec, Moderated by Maria Korolov
Oct 13 2020 | 49 mins
Description: The rapid move to enabling remote access during the pandemic has heightened security concerns, especially in the industrial control space. At the same time, Dark Reading reports that many IT and OT organizations have put new security initiatives “on pause” while they try to manage these rapid changes. As cyberattacks targeting critical applications and infrastructure continue to rise, this is potentially a recipe for disaster.
Join a panel of experts from Booz Allen Hamilton, ProtectedIT, and Virsec for an interactive discussion on how IT/OT teams can balance increased remote access and automation while maintaining security effectiveness and vigilance. The panel discussion will be moderated by well-known technology and security journalist, Maria Korolov.
Maria Korolov, Cybersecurity Journalist
Pia Capra, Senior Lead Technologist at Booz Allen Hamilton
Vishal Mahna, Global Practice Leader at Aveva, software arm of Schneider Electric
Damian Ehrlicher, CEO of ProtectedIT
Satya Gupta, Founder and CTO of Virsec
Maria: Hello everybody. Welcome to today’s webinar about protecting critical information, critical infrastructure from cyber attacks during this period of global disruption. This webinar is hosted by Booz Allen Hamilton, ProtectedIT and Virsec and we have other experts here as well. I am the host here, Maria Korolov. I’m a cybersecurity journalist. I’ve been covering this space for the past 20 years. And what we’re seeing this past year has been – sorry to say this – unprecedented. We have a time of budget problems at the same time as we have increased needs for security.
And the pandemic has also spurred an unprecedented move to enabling broad remote access especially in the industrial control space. At the same time, many IT and OT organizations have put new security initiatives on pause while they try to adjust to all these rapid changes and to this new normal. Because this isn’t just during the pandemic. It looks like it’s going to be continuing for a very, very long time. And as cyber attacks targeting critical infrastructure continue to rise this is potentially a recipe for disaster.
So first of all I’d like to introduce our speakers today and ask them about what they see as the top security concerns that they’re hearing from customers around IT and OT security. First up, Pia Capra. She’s the senior lead technologist at Booz Allen Hamilton and has an extensive background in operational security and the convergence between IT and operational security. Pia can you start us off and tell us what you’re seeing right now in this space?
Pia: Sure. Thanks Maria and thanks for that great introduction into some of the challenges that we’re seeing and then why we’re here today. So I’m excited to be a part of this panel and talk about the security concerns that we’re seeing with our clients. And I think a common challenge we’re hearing from a lot of our clients as they’re embarking on this IT OT convergence security journey is really gaining that visibility into the potential threats in their environment. And then how do they respond to those threats?
I think you mentioned we’re seeing a lot of increase in threat actors and how they’re constantly evolving and the number of attacks that are targeting OT systems both from commodity and nation state actors and really focusing in on targeting some of those highly critical OT systems and seeing the value in some of the ransomware attacks that we’re seeing and companies that are more likely to pay as they’re getting infected. I think this is coupled with the demand for real time metrics from those plant floors, the manufacturing and the OT environments as they’re seeing the value in getting some of those metrics and driving some of the business.
We’re seeing a lot of those devices that traditionally weren’t ever connected to the environment being connected to the environment. And that data while it’s really important to making some of those critical business decisions it’s also sensitive business information that those malicious actors are really interested in gaining. So I think gaining that visibility into some of those critical devices and those environments, that’s kind of a lot of the concerns that we’re seeing with our clients today.
Maria: All right. Well thank you for that overview, a lot of information there. Next we’re going to go Vishal Mahna who is the global practice leader at Aveva, which is a software arm of Schneider Electric. He is the practice head for the control business unit and has worked closely with Virsec, one of our sponsors on many cybersecurity projects. Vishal what are you hearing from your customers about the challenges that they’re facing right now?
Vishal: Thank you Maria and Pia. I think so. I have been with the company for 20 years operating in control and scale of DCS, operational technology in the last 20 years in the company. And we are embarking on this whole digital transformation on creating something called digital twin. And as Pia mentioned that there has been a tremendous action being done in the last two years to bring the IT OT convergence where we are merging these two areas where we have design, operations, engineering and operation technology. How you bring all of them together and create a cohesive intelligence where you are not only able to do the remote monitoring, able to create a connected worker story and able to march on the embark on the journey which creates an immense value.
We’re seeing a tremendous traction across all of our customers to oil and gas to mining to power to food and beverage where we lead on those spaces. And even the water and municipalities which are embarking on that which has been slow on adopting those technologies. So we are seeing that tremendous growth in there.
I manage most of the global projects created with our customers and working through that. During this whole pandemic and proliferation of this working from home, we are seeing that security is taking a paramount, which hasn’t always at the OT level, managing is critical and always there becoming more and more. How do you take this information, allow these remote users to operate these facilities, able to get more intelligence, able to take this information more securely through the edge, through the Cloud in which you’re hearing about all about IoT, about taking the whole AI technologies and enabling that information and securely able to take that information from IT to the OT and able to control those processes and create that one. So definitely that’s an area of growth and area of focus for us.
And we have been working with Virsec in a couple of projects. Where we are trying to bring that from but it all goes into a process. If you look at all the numbers that we’ll present later in the meeting, how much we are seeing attacks, how much of the security domain you pass through from IoT sitting in the business domain, OT sitting on a control domain. How you take that information, create the DMZ zones see different Purdue models and how you ensure that when the security is maintained during life cycle all this complex plans and operations at amount of data and able to deliver their project.
And one of the focus area, another focus area for us is the digital IT/OT convergence is also the areas for which we call it a digital delivery. Because we do a lot of programs across our global markets and how we’re still able to deliver those projects when we’re not traveling and we’re seeing that in this whole digital transformation allows us to deliver projects with no hiccups, able to still deliver those projects remotely sitting. So I think there is this COVID has also accelerated that how you go and securely able to manage those projects and customer successes, able to do workshop with them and able to get to the idea and get to the control and able to pass the IP and everything and devices and end point security.
There’s a lot that’s going to happen more. We’re going to connect more devices able to do our device management remotely, able to do much more intelligence on those things and how you bring all the information together to operate these facilities. So yes, we’re seeing that a lot in that whole market.
Maria: That’s a good point. The number of devices is also going to be increasing already and is going to be exploding any minute now with 5G and IoT. So yeah, that’s probably a big issue for all of our viewers today.
I want to talk to Damian Ehrlicher next. He’s the CEO of ProtectedIT, an integration and consulting firm headquartered in Chicago. And he works with many enterprises on security issues. Damian, what are you seeing right now in the top security firms, top security concerns that firms are facing?
Damian: I see a lot of the IT/OT convergence that Pia was speaking to as well. And first off I wanted to say thank you guys for allowing me to speak with this illustrious panel here today and disseminate some of the information that we’re seeing from our customers to all the people on.
I think that as an understanding of what the OT threat landscape actually is, is the long pole in the tent for a lot of our customers. From their identifying the critical applications and the interdependencies within that, is another piece to that puzzle. ‘Cause if you don’t really understand the applications and the resiliency, how do you mitigate that risk?
Also what we’re seeing is a lot of the manual processes needed for operational technology and incident response is the other long pole in the tent. A lot of our customers have a broad range of OT networks ranging from healthcare to autonomous vehicles to the standard ICS SCADA BCS aspects to it as well. So we’re seeing a lot of different aspects of the OT networks kind of cross our desks and we’re having to solve for a lot of those problems. And I think that a lot of the manual processes that we’re seeing is really some of the harder problems that we’re having to solve. And we’re trying to actually find ways to either automate or plug in technology to mitigate a lot of those risks.
So each individual customer that we run into has something unique to their business and their disaster recovery or incident response. So we take each individual customer and actually do our due diligence, sit down with them, understand what their IT landscape is and their OT landscape is and then start to build a business continuity based around their unique environment. So a lot of our customers are coming to us with these unique problems and we’re having to solve some of the unique problems and then look for ways to mitigate the risk if we can’t solve them.
Maria: Thanks for bringing up business continuity. I’m going to want to get back to you on that later on. But first we want to get Satya Gupta. He’s the founder and CTO of Virsec and has extensive security experience and has over 30 patents to his name. Satya can you talk to us about what are the top security concerns that you’re seeing in this space?
Satya: Absolutely and thank you Maria, Pia, Vishal and Damian. Very nice to be talking to all of you. We, my company built a product that is very unique in the sense that it kind of takes a very different approach on security. We kind of embed a sensor into the application. So it’s like kind of watching over every move of the application. And it can spot very early on where the application is kind of veering off and letting an attacker get control.
So what we see with the IT and the OT customer that we work with is really, really interesting things. We’ve seen all kinds of attacks being described to us. One of the attacks of course now we can all see it happening in the name of COVID appears a lot of previously isolated networks that, OT networks where sort of like you don’t really ever connect them to the internet. But now more and more people are being able to connect to the internet.
And what we see is people taking their laptops and all home, working on it, coming back the next day and deploying the PLCs and all on the network and all. And so that basically opens up a whole new attack vector because when the laptop’s at home and people play around, the kids play around with the laptop and it comes back in, there could be malware that’s sitting on your laptop that would get into the OT network. We’re also seeing a large part of the attacks seem to be where there are phishing emails that somebody is trying to keylogger on the system and then that keylogger is sort of making access into privileged resources.
We have even seen people getting worried about their VPN, especially home VPN that have not been patched. And how do you make sure that the VPNs both at home and in the OT network in some cases, the OT network the staff is very resistant to changing, updating their code, especially on these security devices. So security devices are themselves becoming like a very interesting vector to get into the network. And we’re seeing some plain old tech ware. Somebody calls in and says if you don’t give me blah, blah, blah, whatever it is that they want, we’re going to infect you with COVID. So it’s like they’re worried that the malicious insiders might do things in the network that – there’s some attackers out there. So there’s a whole mix of things that we’re seeing out there that customers are getting very worried about.
Maria: I don’t blame them. I’m worried about all those things too. So when dealing with these security issues we have our conventional security tools - antivirus, intrusion protection systems and so on. What’s the challenge of using them in operation technology environments? And Pia I’m hoping you can be the first one to talk about that topic.
Pia: Sure. Thanks Maria and Satya I think you kind of teed it up pretty well with some of the challenges that we see with some of these conventional security tools. You mentioned that these OT environments, they weren’t traditionally designed to be connected and they were isolated environments. And they weren’t designed with security in mind in general. I mean they were designed to maintain the highest safety and up time and productivity. And I think all of us can attest to going into client environments where we see devices that have been there for 20 plus years with no plans or ability to replace or update with latest software or hardware.
And that makes it challenging to implement some of those conventional security tools that you talked about Maria. And I think we talk about – Satya you mentioned also bringing in laptops and laptops that are getting now plugged into these OT networks. So we’re seeing devices that look like your traditional IT devices but there are specific uses for OT purposes and there’s restrictions from a vendor perspective. And this also poses a challenge when you’re trying to implement security tools that can often slow down some of those machines’ processes. And where these devices they really need to be able to process things very quickly to enable whatever is going on within the OT environment.
These traditional security tools can slow down those machines and have adverse effects within the process. And so they end up getting turned off or disabled by the users on the shop floor. And so I think it’s a bit of the challenge from a conventional security tool but also educating within the plant environment, within the OT environment of how we can develop other security tools and utilize other mitigation such as the Purdue model that I know Satya mentioned earlier during his introduction as well.
Maria: Satya, can you add to that?
Satya: One other thing that the attacker is looking to do is basically execute their code on whatever victim or server they’re looking to attack. And typically tools like antivirus, IPS and all, don’t really see, have the visibility that is needed to be able to distinguish further what code they’re executing. Is it the attacker-provided code or is it some developer-provided code? Like for instance we work closely with Vishal and Aveva and we see that we can actually distinguish when certain code is being executed versus some attacker code is actually executing.
What I believe is that the security tool needs to be right at the moment of execution, they need to be present in that environment. And they should really be, have the ability to pick out what code is executing. And then if we can do something like that, then it’s a whole new world out there, the world of attacks we’ve seen. So right now all these tools, the antivirus, the IPS, etcetera will treat the application that is under attack as a black box. And so you don’t really know what’s going on inside that. And so I feel that with the ability to go to the sophisticated technology you can actually make that distinction very quickly and that is something that you all should look at and to make sure the applications can be protected at run time.
Maria: So security is also being affected dramatically by the huge increase in remote access as you’ve all brought up. And we have a convergence between IT and OT that’s been going on for a while that’s been accelerated during this pandemic. Vishal, can you talk about how this is affecting security and what you are seeing happening in this regard?
Vishal: Yeah. As Pia mentioned, the IT and OT systems, it’s ongoing but it got accelerated in the last year and a half. And additionally we are seeing more and more edge control device management able to deploy on the air. And there is a whole drive towards is that how even we’re not doing some critical control or command we’re able to monitor and get that information and create the whole, accelerate this whole digital thing which we call it or we call it physical asset. Able to learn about the whole process and create intelligence around it or creating a very predictive analytics on the site. And that’s – you don’t do a control but you’re still building the data and how you get the information.
Second thing is Cloud and edge. Both are playing more important role in the recent, in those whole COVID scenario in the last eight to nine months that how you were able to deliver the project remotely, how you’re able to test those things in that scenario and take that information from the Cloud, go to the on premise and able to keep the push of the security so that you’re not in any way compromising the security but you’re running on a control layer. You have to all understand that even when this critical infrastructure software is controlling a multimillion dollar equipment process. Right?
So there’s a critical infrastructure, which can affect the safety and uptime as Pia covered that. Uptime is very big thing in any manufacturing process or data centered business, anything you’re operating. But if the security is there and we can have a good push and we build the product for the security from the get go and also utilizing some advanced tools to ensure that the entity and the endpoint and the network security is not compromised as we’re evaluating these processes. I think we are – we can do much more better job to accelerate all these critical infrastructure to move and adopt this whole IT OT conversion.
With the virus as a concern IT is a different landscape completely which is in OT. Second thing which Damian covered which are really important point they covered that. What we are seeing is that all of these facilities runs for 10, 15, 20 years when we design and build and all these multibillion dollar corporations which you build and these plans which runs. And there are a lot of information and devices. You’re going to find that you run it to the last we call it, right? You put a software. They’re running. They have been tested and you don’t want to disturb them. You want to just let it run.
So there is another drive. You’re seeing this here in last year and a half. We’re calling it either you can use the word modernization but in order to go and leapfrog that innovation there is a drive towards how we can capture that information and the data. And in order to do that security and taking the information or the software, maybe creating a dock it and being able to move that into a modern platform where you can take a gateway and put it to the Cloud. So the whole security is playing a role there that how you ensure at each level, how you make sure that there is a command, what level of command you do that and able to route everything to Cloud which is a lot because this whole COVID exploded that whole thing.
Can we remotely, monitor remotely access? Can redeploy those on the air and drive that whole thing. Right? So totally agree with that point. I think security is going to be in – but I think we have to think through the whole process. You need to understand that what are the OT compromises you’re doing? What is the IT? Can we create a three layers model where the control layer takes the data. It goes to the next level [Inaudible] layer there and then you go to the IP layer and then you create a layer at the top which is giving you more corporate type of view. And you’re still securely able to command those things. Right?
The more monitoring and when it comes to the control point and you add security, those tools will help us to know they’re deviating from the normal. Right? And that challenge which we’re going to there. But really I feel that with the pandemic our projects have not been slowed down. We are using all the security mechanism and able to do a lot of projects through the Cloud mechanism including a dedicated system for them to be able to create those Edge technology, able to deploy that. And we’re talking about some major municipalities. We’re using these technologies to still deliver that and able to not compromise the security portion. So and really I think we need to all start learning how to work remotely and how to still deliver this technology and solutions. Right?
Maria: Damian, can you add to that?
Damian: Yeah. I think Vishal covered a lot of the salient points. But the increased threat landscape it’s come to the forefront. And I know I’m preaching to the choir here but more remote employees/endpoints it’s opened up the floodgates for malicious actors to gain access to critical data and intellectual property. You’re correct in stating there has been this risk in the past even with people working remotely from Starbucks or just from home. But the number has increased probably 10,000 fold if not larger. So companies have always mitigated this risk by tearing out the critical aspects of their business and patching areas that were most critical to business continuity. Now they really don’t have that luxury because the sheer amount of attacks.
And it’s kind of weird because in the data center industry this was brought to the forefront years back because large equipment manufacturers didn’t have high level security protocols in place. It was always pushed onto the end user. And as the age of the hyperscale Cloud providers began to grow, this was a major concern for companies to move their critical workloads into the third party Clouds. The BMS systems, the building management systems, needed the same level of protection as what they were putting into the racks. And they needed to integrate to manage these workloads effectively. They tried to cover this off with DCIM tools, data center infrastructure management, sorry for the acronym. But that really didn’t mitigate the risk unfortunately.
They also relied on a multitude of business continuity layers within the data center, battery backups, generators, etcetera as opposed to integrating the IT disaster recovery plans. So now that these IT programs are more reliant on OT and vice versa to deliver solutions, this pass the buck mentality was pushed more to the forefront. And I see a lot of these same trends coming back around the horn but in other areas of OT obviously, healthcare, home, all the other ones that we discussed coming up to this point, autonomous vehicles.
These networks were designed for very specific reasons and were built much differently from a bandwidth perspective. So you need to secure them in these unique networks and endpoints in unique ways first. Right? All the while maintaining the integrity of the application. I know that’s easier said than done but it’s not impossible especially with the right solution stack.
Maria: I want to talk about one of my favorite topics: patching. Every other cyber security article I write somebody says if only people had patched this in time we wouldn’t have had this problem. Of course in operational technology we have the problem of legacy systems, really old infrastructure, of critical infrastructure. You can’t take it offline. You’ve got the knock on effects of patching. If something goes wrong a lot of other things will break down. And you have networks maybe that weren’t designed to be accessible from the outside that are now exposed due to internet in general but also working from home.
And so we have a perfect storm creating patching problems and operational technology. Satya, can you talk about is there anything people can do? We know we have to patch more than ever. If a patch is released the criminals are on it the next day if not the same day. You can’t wait. You can’t wait to test it. You have to get the patch out. You can’t patch. What the heck do people do?
Satya: Absolutely. And Pia mentioned about this a few minutes ago. Some of the networks are the isolation between networks is breaking down and people really don’t want to [Break in Audio] the manufacturing sector for – Damian also mentioned about businesses contributing. And it’s also really a problem. I can totally empathize with the operators out there. And they have a good reason. There’s also from a technical perspective we see 30 to 40 percent of the patches just don’t work. And so people are told deploy them and learn, burn their hands and then un-deploy. And so lots of people are very cautious about that. They want to make sure that – nobody really wants to be patching a system and then this whole thing, no good deed goes unpunished.
So it’s really a case of that. You don’t really want to touch it unless it’s totally broken and it just won’t operate at all. So there’s good reason. But what we see also that many of the gear that is used out there is 10, 15, 20 years old. It’s been end-of-life’d and there are no patches available. So that makes it even worse out there and especially when you’re dealing with an integrated system. As Vishal mentioned there’s lots of moving parts that have to come together. It’s a multimillion dollar manufacturing facility that so many touch points are there. So you have to be very, very careful to test your patch.
And that’s pretty much what we are seeing the few OT forward looking OT companies that we are very happy to be working with. And we see this in the IT world as well. The strategy seems to be you have for all of these mission critical applications you have a sort of like a active sort of like active sort of [Break in Audio] system where you can patch one of the pair and then typically if it’s running on a virtual machine it’s a lot easier because you just bring up the tested virtual machine that you tested it out to get in the testing area. And then you kind of bring it on, you then power on, it’s ready to go. And then you flip the button and you let the other active become operational again.
And we see that there’s extreme of people on one side. There’s one school of thought that hey if it’s not broken don’t patch it kind of a thing. But the other people are beginning to see that the attackers are getting more sophisticated so it’s like you mentioned sticking your head inside kind of a scenario, right, when you know that the attackers know this and they would exploit this all this to their advantage.
So we know the third alternative is what we try to focus on is how about hardening the application to a point that it just cannot be attacked. It cannot – it’s sort of a utopian kind of a concept but more and more with these newer technologies we’re beginning to see that that’s actually possible if you could actually prevent the application from being supported. That’s something that a lot of people are working on.
And the other thing that we see is that these network tools and all that people are using short of the attackers being able to reach their victim, they’re able to sort of track in the network layer that these attacks are coming. So you could potentially end up cutting those users off who are known to be malicious users essentially. So there’s some alternatives. But as you mentioned the attacker knows that you’re not patching it all up and in time, you will get attacked. So it is very necessary to follow the best practices out here.
Maria: Damian can you add to that?
Damian: It’s candidly probably why my company is in business because of how painful this actually is. And it’s painful because you often have to pick and choose what gets patched and what doesn’t on a daily basis. I think that automation is key in this area for the obvious reasons. You can’t rely on manual processes here because it’s just too much. I’m not saying that human interaction in a decision tree isn’t important. But implementing as much automation as possible it is key to strategy. And it’s a quality strategy as well. I know that there are a lot of legacy systems out there that seem to spring vulnerabilities like an old boat. But there are tool stacks that can help mitigate with that and solve some of these problems.
Maintaining the integrity of the code and the application while addressing the network security is easier said than done. But understanding the appropriate tools to use for the systems in place in conjunction with a good business continuity disaster recovery/incident response plan will go a long way in mitigating this risk. So as painful as it is, it’s an absolute necessity. And I think that some of the automation tools that are coming out there, that could help with mitigating and go a long way in making this less and less of a manual process. Which at the end of the day is really what makes this so painful, right?
And in conjunction with the fact that even after you integrate a patch, it’s not 100 percent that it will work and you have to go through a testing QA before you push it to prod which becomes a manual process. I understand that. But if you could push as much to the automation side I think that will go a long way in making this less painful for your organization.
Maria: So you both have mentioned the problem of legacy systems when it comes to patching. Legacy systems have a lot of other security issues around them as well. But they’re a fact of life in the ICS world. So what do companies do today to deal with the problem or to try to kind of counteract some of these security issues around legacy systems? Pia is that something that you could help us with?
Pia: Sure. Yeah. I can definitely talk to that. And I think Damian, Vishal and Satya have kind of talked a little bit about some of the things that we’ve helped our customers implement around legacy operating systems because as you mentioned they are a fact of life. And a lot of these legacy operating systems they do control some of the more critical processes within a manufacturing or an oil and gas or an energy company. And so with that in mind we have to design security to protect these legacy operating systems. So I think looking at things like application white listing which I think is what Satya was talking about as well as some of the defense in depth topics that Vishal was looking at from restricting internet access, setting up zones, implementing firewall rules to then taking all of that data.
Where we’ve been successful with our clients is correlating that information into a centralized location and developing analytics to really help track and identify those potential threats to the environment and making sure that that activity is brought to the attention of the security operation centers or incident response responders to really make sure that those devices are monitored through a variety of different technologies and techniques.
Maria: And Vishal, would you like to add to that?
Vishal: Yeah. I think I will add a couple of items. One is on the patch first is a very good topic. I think we all have gone through that. I think the point which Pia mentioned, that’s what we do. What we do is that we have something called a security response plan. Which is always on the website where we mention that ok, this Microsoft or this patch has come and whether we have tested it or we’ve complied it with the whole teams, we have a dedicated team who is regularly ensuring that all key product which especially the product which are running on a DCS and SCADA layer which are 24 by 7 with the uptime and the criticality is so high.
We are ensuring that we are telling the response plan that ok, this patch is affecting the systems or this is where the effect is going to happen. But before you put the patch this software has been tested, compatible and showing that what you need to take or you don’t have to take. And if anything is affecting our software we need to patch that. So we put that whole response plan along that one. Second thing what we have done is that we have built – four years back we started something called security built into the product and the technology and should not be afterthought of the release just like nowadays user experience becoming – you build in quality security is becoming in team now.
So we have created a security checklist ensuring that we are not only focusing on the product but also the project teams and the customers. When they’re dealing with that, the full cyber security compliance is there around that area. Third thing we’ve done on the patch which Damian covered, the more automation we can do on detecting, which we call it the asset management software. Basically you know that what software is deployed on each of those nodes, what type of component is deployed and what is the name over there. And so that you are fully aware of that and sort of blindly going and applying a patch you exactly know what you need to do or what you don’t need to do. So the more automation you can do it on that one, more you can build a security as a best practices in your team and also training the staff, certifying them, certifying our delivery people or delivering those projects, ensuring that you have good partners. Like Virsec continuously with that would take over the software part of the companies.
And we ensure that when those technologies have been tested continuously as a continuous product ability. So if you’re releasing a new release band of November, it’s already ensured that when we have tested with all of our compliance products and compliance tools and other things. That kind of thing we ensure that when you release a product and you said look at some type of product which is not complying with your technology. You don’t want to do like that. So ensuring that the whole partnership and technology partnership is also working along with that one. So ensure that we support this type of security endpoint, this type of software that first need a full checklist from a day get-go.
And also we have invested heavily on creating a cybersecurity tiger team across all of our regions globally to ensure that when they know the best practices, we know the network, we know the endpoints, we know what ports need to be open, which ports are read only or they’re one way or whatever it may be. And you’ve seen a lot of those things now companies are using as well to just protect the security from transferring either from the OT to other things. And all these models are created which you want to use that for, right? What we’ve really done is that kind of looking at networks, the partners, the devices when we are doing IoT, looking at all of our processes, right, and then the people. And that we can cover the whole area around the security.
Maria: All right. Ok. We’ve got a few minutes left for one last topic I want to ask you guys about. And that is about how we think about security. Do operational technology teams need to change the way they think, how they approach the question of protecting critical infrastructure, how they interact with IT teams? And I’d like to ask all of you about this topic starting with Damian.
Damian: So I think the easy answer or the obvious answer is yes. Knowledge sharing in integrated ticketing systems is a must in the future. The right hand needs to know what the left hand is doing. And for the most part this is a people, processes and procedures problem. Right? It’s a technology problem but I think a lot of those technologies are being developed right now. So in most cases this falls on the executive leadership to drive these initiatives. It eliminates the finger pointing and incents the teams and work down the path to integrate these teams so that they have an understanding of why.
Why did you design a network like this? Why did you write the code for these parameters? And I think oftentimes people bring in companies like Booz to kind of play Solomon or to help with putting in a lot of these people processes and procedures and then doing the implementations of them as well. The technology – it’s really already being developed and implemented to solve a large portion of these problems. But it’s really coming down to people, process, procedure and culture to deliver on this.
So to answer your question I think that that’s happening in a lot of spaces. I think that SOCs are being combined. They’re bringing in IT and OT teams together for seats within the SOC and within the NOCs as well so that they understand the problems that they’re having on each individual side. So I think that if the executive leadership teams take control over this and push the culture down to a certain extent, I think that will alleviate a lot of these problems moving forward.
Pia: Yeah. I agree with what you said Damian. I think we’ve seen over the past couple of years that the technology space is growing with tools that can be utilized to secure OT environments. And I think that’s going to continue to evolve and grow as the threats within the OT environment continue to evolve. And I think looking at where some of our clients are going today it’s definitely about the people, the processes, the procedures that need to be implemented. And I think not only from the top down from the executive level down but from the bottom up as well.
I think educating within the OT environment with the automation engineers, the process engineers of why cybersecurity is important and why it’s important not to access the internet or plug your phone in to charge on a device within the OT environment. I think those things are equally important to educating at the C level what those threats are to the OT environment. And then coming into the security operations center, making sure you have from an IT perspective they’re definitely going to have your expertise from a cyber perspective.
But getting that insight from those on the OT floor on the ground floor to understand what is this device that’s been impacted, what are the proper responses that we can take within the environment to make sure that we’re not going to upend a process or upend some of the safety or things that are going on within the OT environment are super important. So I think bringing those two teams together to collaborate and developing those processes for effective collaboration and communication are very important.
Satya: I absolutely agree with what Pia just said that bringing in collaboration between the IT and the OT mindset is very, very important. We’ve seen technologies that have typically the OT sector doesn’t move as fast as the IT sector. And that’s a problem because the attackers just don’t care. They can do very well. They can find an open door. And for too long they’ve been looking at technology that sort of do everything from a distance. So we need to be able to use technology, cyber controls that can really observe pretty much like the GPS that’s running in your car. It gets to see everything that you’re moving, where you’re going. And it alerts you as you get into trouble at the very moment that you get into trouble. So we need technology that can actually sort of ride along your application and figure out if the kind of stream from the guardrails they develop are laid out for you.
And the other thing that I want to say that this whole COVID mindset. A lot of people are thinking that once all the vaccines are available we go back to the old ways and all. And that just won’t – it’s not the right strategy at all. I would say that people need to think that this is path forward. We need to make change of mindset. The OT has to be protected with as much care as the IP does and let’s not assume that the bad guys are out of the OT network.
Maria: And Vishal?
Vishal: I think everyone has mostly covered as you saw that Maria and Pia and Damian covered all of them. I would just add a couple of things that definitely security has to be in like a discipline in every of the companies now which we have done. Secondly I would add one more point to create good partnerships because security is not something, as an OT company, it’s like we are not the security expert. We can build up a product. We can learn from others. I think it’s good to create some partnership, learn from others, do some technical workshops, attend the webinars, see what’s going around you and then educating your company. You are the best advisor of your company as well. You are the messenger as well. So we need to bring the awareness in our own corporations.
Second is the point which Pia has covered very well. I’ve worked in automation for almost 25 years now. We are dealing with a lot of this automation mechanical, chemical, process engineers, design engineers which are – their focus is more on keeping the facility lights on and running these plants all the time, right? But how you make them simple for them, create some checklists and create that awareness and not – IT people are more focused toward software but the OT people are more focused on running and operating those facilities. Right? So how we go and make it simplify that cybersecurity profile.
Even though we have thousands of checklists going from web to port to the network to the data, how you simplify all those best practices and ensure that when it is smoothly done to some kind of digitized process or technology so that they can focus on what the end goal they’re trying to achieve. Right? So that’s what we have done in our company learning through these partner companies and products and simplifying that whole thing. So that’s another point I will add simplification because there’s so many companies that are working on what really we need to do, areas we focus on which like for example, the Virsec team works very closely with us.
So their kind of culture that ok, this is where they differentiate. This is where other companies differentiate. Ok. So for all these security, if you’re going to endpoint security, this is the software to comply with us. So we don’t have to bother too much to test it. We test it but we don’t have to know how internally the logic is working and how they’re monitoring the process and the solution. That’s not what we want to learn. We want to learn the you find the checklist. We validate for six months, eight months, we harden the software and we’re good to go. Right?
The third layer which I think Pia has covered which I really liked was that ensuring that when we are – we have continuous kind of – because IT and OT they’re continuous. A workshop or team collaboration has to happen between both the groups which we can continuously learn from each of those. All of those are different departments in the companies and how you work them together and that will go forward.
Maria: I would love to talk more about all of this. I have so many follow up questions. I’m sure our audience does too. So I want to let you know if you’re watching this that you can get more information on the websites of each of the companies represented here today. And I hope there’s going to be a slide up with that data. And you can go back to the beginning slide as well that had some of that contact information on it. I want to thank everybody for taking the time to participate in this today. Thank you Pia, Vishal, Damian and Satya of course. Thank you for sponsoring this event. And I hope to see you guys all next time.