All right. Good morning, good afternoon, good evening, ladies and gentlemen. Welcome to another KuppingerCole webinar. Our topic for today is fine-tuning industrial control system threat models to prioritize mitigations of the most vulnerable devices. My name is Alexei Balaganski. I am an analyst at KuppingerCole, and today I'm joined by Ilan Barda, the CEO of Radiflow. And before we begin, just a few words about KuppingerCole. We are an independent analyst house headquartered in Germany, but we have a pretty global reach with our team distributed all around the world.
From the US to the UK, all the way down to Singapore and Australia. We focus primarily on identity and access, cybersecurity and artificial intelligence as research topics. And we offer a plethora of various research materials, publications, events, webinars like this one, and just all different ways of supporting you on your identity or security journey.
We do provide quite a few advisory services for your company, so you will find more information about those on our website. Speaking of our events, here are hints of some of our upcoming events.
Later in the year, you can see they range from industry-focused ones like Finance World for the financial industry, obviously, or blockchain, AI Impact or Consumer Identity, as well as more general events like our cybersecurity summits, which we will have several times in several locations this year. And of course you just missed our flagship event this year, the European Identity and Cloud Conference, which we had less than a month ago, and which we will again have in May 2020. A few housekeeping rules: you are all muted centrally, you don't have to worry about anything. Just enjoy the webinar.
We are recording today's presentation and we will publish all the materials on our website soon, latest tomorrow, and every registered attendee will get an email with the necessary links. We will have a Q&A session at the end, but please don't hesitate to ask your questions anytime. The GoToWebinar control panel has a special questions section for that; just type in your questions. They will be read aloud in the end. Our agenda for today is, as usual, split into three parts.
First, I will start with the general overview of our today's problem field, if you will. And we'll talk about the challenges and other approaches toward solving those challenges. And then I will hand over to Ilan, who will be giving the more detailed presentation about the threat detection models mentioned in the title. So basically he'll talk in detail about how to make your industrial cybersecurity solution more risk-focused and business-friendly and prioritize your actions according to your own tangible risks.
And as I mentioned, in the end we will have a Q&A session, and without further ado let's start with the webinar. So yes, today our topic is OT, operational technology, a very broad field including all those industrial control systems and other lower- and higher-level systems. I don't really need to recap all those acronyms. I'll just say that for years, for decades, OT has developed pretty much separately from the traditional corporate IT, with completely different challenges and technologies and protocols and software.
And this is why even nowadays we have these multiple talks talking about this irreparable divide between IT and OT and how they have so many difficulties talking to each other and how this makes both IT and OT security people's lives difficult and complicated. Is it really true?
Well, yes and no, first of all, as we know, yes, everything is now connected.
And what used to be an air gap, or just a network not connected to any outside resource, your plant or your power grid or any other manufacturing-focused network, is nowadays not just interconnected to your corporate office network, but also has lots of holes in the perimeter punched to let your partners, your vendors, contractors, third-party admins, and even customers communicate directly with your industrial devices.
And this of course leads to massive challenges for traditionally minded OT people, and they have to rethink their existing strategies, their security strategies, to address all those challenges and to overcome the legacy technical debt still clinging to those networks. So, yes, what are those challenges? The challenges are obvious.
We are migrating from the traditional siloed and isolated network model to what we call Industry 4.0 here in Germany, or smart manufacturing, the next industrial revolution, you name it. You can no longer rely on physical access controls or security by obscurity, or hope that nobody outside of your network speaks the same protocols and communication formats.
Yes, you have to deal with so many new requirements from your business units that make your whole enterprise interconnected, including those industrial networks.
Of course, you have to be agile. You have to keep up with technology like industrial IoT or the cloud, or yeah,
software as a service. All this led to substantial erosion of the traditional ICS network perimeter and exponentially growing complexity of those infrastructures, and ultimately to a vastly expanded attack surface. How do you deal with those? How do you deal with the challenges which traditional OT people have never had to deal with? And by the way, that CIA model, which is also in the webinar abstract, has nothing to do with the American intelligence agency.
It's all about confidentiality, availability and integrity, which have always been the foundational cornerstones of every IT security architecture or strategy. And if you think about OT security, it isn't that fundamentally different. It still has to deal with the same three cornerstones; it's maybe the priorities that have slightly changed.
So yes, OT people still value availability and integrity of their processes much higher, obviously because of the massively bigger potential impacts of a security breach. Nobody wants to lose human lives or incur massive industrial catastrophes if something is broken, but still, confidentiality is also important. And it's grown in importance.
And basically all those risks, which for decades tended to be dismissed by some hardcore OT people as insignificant, nowadays can lead to the same level of impact, both on business processes and manufacturing processes. Oh, and even the compliance violations alone are already a massive headache to keep in mind.
And this is why I believe OT has quite a lot to learn from IT security evolution, because this is exactly the timeline which traditional IT went through in the last 10 years, give or take. It also started with traditional perimeter security, where the focus was on keeping intruders outside of the castle wall, in the moat, with solutions like firewalls.
And then, as the perimeter has gradually eroded, we experienced this massive paradigm shift from protection to detection, saying, okay, you can no longer say you won't be breached. You will be, sooner or later.
And your strategy is to just know what's going on in your network at any time: use your security information and event management system to collect all security-related data and have a massive team of experts watching those huge screens with data scrolling up and reacting to every alert. That worked for some time. And then, when the number of those alerts has gone up from thousands a day to tens of thousands, people quickly realized that having visibility is not the goal.
It's just a prerequisite. Knowing that there are 10,000 bad things happening in your network won't help you fix those 10,000 bad things. You have to know which ones are more important.
And for that, you have to be able to understand the risk of each of those problems. You have to be able to evaluate not just the individual risk of a particular, say, vulnerability in software or hardware, or a known attack vector, or a piece of malware. You have to actually know the exact outcome of that potential threat to your network, to your business process and, because of that, to the human action process.
So the next step was basically what we call security intelligence platforms. Those are next-generation SIEMs, if you will, which at least claim to be able to filter out all the statistical noise and irrelevant threats and alerts, and only focus on those that matter for your specific business risks. And finally, the latest iteration of the development is what I provisionally called insights.
That is, yeah, it's nice to know which are the riskiest things happening in your network, but do you know how to fix those things?
Do you know how to prevent those things from happening in the first place? Do you know how to remediate them as quickly as possible when they are identified, ideally in real time? This is where AI and machine learning have come to the rescue. Yeah, AI is a massive buzzword nowadays, but not without reason. What we have in the IT field are pretty amazing developments.
I won't talk about them in detail, but I want to show you that OT security has a lot to learn from these developments. And of course this IT security evolution was impossible without reliance on business context, from your own network, from your own business units and processes,
and of course from threat intelligence collected from the rest of the world, whether it's provided by a third-party vendor or community or a special contractor doing this for you. That intelligence is what separates you knowing your risks from you being able to address those risks. And what are those risks anyway? On this picture, okay, I have to confess the numbers
are irrelevant. I've just listed some of the important risks ICS networks are facing nowadays, in no particular order.
And they range from hardware problems, vulnerable legacy firmware in those PLC devices with misconfigurations, of course, legacy software on the control stations still running Windows XP, or lack of transport security, lack of network isolation and segmentation, malware obviously, device exploits and injections obviously, but most notably insufficient skills and policies to cover those risks and insufficient visibility into things happening in your networks. Come to think of it, nothing in this list actually is inherently unique for ICS.
IT networks face the same challenges. Of course, there is a twist: they will have different probabilities and risk impacts, but essentially you have, again, a lot to learn from those guys. When it comes to security, we can look at a similar timeline and see that the first two steps are already more or less solved and addressed.
You have multiple existing solutions which will help you to isolate your network with firewalls and data diodes; unidirectional gateways help you segment your ICS network, put some traffic encryption and access management on top. All these tools already exist and you have had them for years. The next step was giving you visibility, and not just knowing what's flowing through your network, but actually knowing how it all translates into specific SCADA-specific, ICS-specific protocols, procedures, activities, and of course vulnerabilities.
So since you are dealing with a completely unique class of devices and software, and even relationships with your vendors are different, update cycles and so on, the challenges are the same, the tools are different, but these tools already exist, again. So when you look at the market for, quote, traditional ICS security solutions, they are usually just that: completely passive network monitoring solutions which will help you know what's going on in your network,
what's wrong, what's bad, but they usually don't help you to understand what's worse
and what problems are the worst. So essentially you have the ICS SIEMs, if you will, which have not yet made this jump to the next generation. This is why the right part of my graph is all just about questions. When you're dealing with ICS risks, how do you quantify those? How do you measure them? How do you compare two risky events and decide which one has to be dealt with first? You have lots of business context which can be derived from your manufacturing processes, existing business systems, but how do you derive value from that?
How do you integrate that value into your security strategy? And how do you make this dynamic? It's fine if you can get a weekly report on the risk situation in your network, but what if you want to do it in real time? And of course the next step again: how do you turn these alerts into actions? How do you know what to do? How do you deal with those problems, ideally in a non-destructive way? How do you refer to, just saying, kind of the crowd wisdom, things which other ICS customers have been dealing with, or even, how do you tap into your own history?
Like, do you have to have people memorizing everything that happened before, or do you have them Google every problem, or is there a chance to get a more sophisticated solution?
When we are talking about going from visibility to real actionable insights, again, it all boils down to the same development IT security intelligence solutions went through a few years ago.
How do you turn thousands of irrelevant events, manual forensic analysis, and at best historical access to relevant data into a real-time, dynamic, prioritized, risk-based process which also supports you with forensics and intelligent and actionable automation? It not just tells you what's going on, but also advises you how to deal with the problem. Essentially, it all boils down to calculating your risk impact. Obviously risk is defined as the product of probability and impact, and calculating risk probability for ICS networks,
this is probably at least 50% of the secret sauce. Of course there are static vulnerability scores for each detected vulnerability, but again, those are static, so they have no relevance for your specific network structure, your business process. They don't help alone.
You can have five or 1,000 vulnerabilities discovered in your network with the same vulnerability score. Where do you start? Of course you need to know your device status and connectivity, firmware version, configuration challenges, connectivity peculiarities,
if you will, to influence that risk probability. You also need to take the history of past attacks, ideally not just your own but your peers' as well, into account. What's going on? What are the attackers up to at the moment in your country, in your industry? What were they up to last month? And having all this information ideally should help you predict their future behavior.
Again, it's not just about knowing who is going to attack you, but anticipating their most probable attack scenario, if you will. Ideally, of course, you should never experience it yourself. So this is where that threat intelligence coming from the outside world comes into play.
And again, the same applies to calculating risk impact.
Risk impact is something which you cannot really outsource to someone else, because it will be unique for your business, for your network infrastructure, for your device criticality, for your individual policies which define those availability, integrity and confidentiality, the CIA model parameters, and again, your own internal history of processes, of policies, of even human safety requirements. Again, probability can be calculated using the industry average, if you will, or some outside intelligence. Risk is something which is unique to your business.
You have to do it yourself, but you need tools that can automate the calculation for you, that can make sure that your risk impact is, again, a dynamic value, a dynamic level which changes daily, hourly, ideally in real time, and you always know what exactly is at stake. And finally, how do you turn all this into actions?
Again, it's just the same process. You start with visibility, and visibility is not your goal; it's a basic prerequisite. You cannot protect what you do not see. You have to understand what are the basic risks or static vulnerability scores, if you will, the criticality of specific network segments and business processes, but then it becomes dynamic and it becomes interesting. You have to know what your adversaries are up to, and for that, you have to know what they were up to recently. And of course you have to know who exactly is going to, or you have to anticipate who is going to attack you.
Is it another script kiddie, or is it another nation state or a major intelligence agency backed by millions of investments? And those risk insights, those dynamic risk calculations, have to be done locally by yourself using the right tools. And only then you can actually apply those risk measurements and insights to your detected vulnerabilities; only then you'll get actionable insights which don't just tell you where to look, but what to do and what to expect in the future, if you will. And with that, without further ado,
I think I hand over to Ilan, who will be giving you much more details about implementing such threat detection models and risk calculation, and more importantly, automating those using the right tools. So Ilan, the stage is yours.
Hi there everybody.
Thank you, Alexei, for the overview. We just need to prepare everything. So I hope you see my screen now. As Alexei said, we are focusing on how to automate and how to make the risk prioritization process more intelligent, so it will give you the right alerts and the right recommendations and not just overload you with a lot of things that you cannot really handle. So that will be the focus of my presentation. A bit of an overview about Radiflow. So Radiflow is a company that is focusing on cybersecurity for industrial automation networks, ICS and SCADA
networks. The company has been around for a few years and we are backed by two major corporates. One is ST Engineering from Singapore; the other one is the RAD Group from Israel. Of course, because we are dealing with this industry, which is quite unique, of OT cybersecurity,
we have people combining this, both from the industry companies like Siemens and buildings and others, and also from the industrial cybersecurity companies that brought these areas, like EMC and the Israeli Defense Forces, BeyondTrust and some others. We already have quite a lot of deployments throughout the world.
A lot of it started in critical infrastructure like EDF and others, and then working also with different partners around the world to build a bigger solution, like the solutions with Palo Alto and RSA and others, and also working with local partners, whether it's cybersecurity partners or industrial automation partners. In terms of the portfolio, we provide a portfolio which is quite extensive to cover all of your life cycle, starting from doing an assessment.
And we'll discuss more how we provide you the risk monitoring and the risk recommendations, and then going also into the prevention and detection with different types of products.
And eventually we also provide you support in the continuous monitoring of your network, not just the initial assessment and implementation, but actually supporting you through the continuous operation of the system, because we have seen too many cases where people are deploying such intelligent systems but they cannot really keep them up to date and operate them over time.
So we also support this phase of the continuous operation. Since we have been around for a few years, we've been deploying our systems all over the world. We have quite a few customers, 76 customers as of the end of last year. We have thousands of sites which we are deploying. And we also have cooperation with different automation vendors and all kinds of OEMs from the industrial market. We have been deploying our solutions throughout a lot of different verticals: critical infrastructure, manufacturing, even building automation is becoming quite popular.
So we have gained experience from the different areas, and this is what we bring into the solution that we are providing up to date to our customers, based on all this experience that we have gained in the market. What we have seen when we are operating our systems and deploying our systems and discussing with our customers over time is that it started in the OT market, in the industrial market, with mapping the assets, because customers usually did not know even what they have in their networks. And it went into the anomaly detection and so on.
But eventually, after you do this initial phase, you want to understand more about your risk. You want to do it continuously. You want to understand what is the actual impact on your business and not just the theoretical impact. And you want to understand what are the emerging threats. So this is where we evolve our system to make sure that it is providing you this kind of insights.
So if we look at the overall market evolution, it started with the visibility, providing you all the information, then providing you some recommendations how you can improve the hygiene of your network, but eventually you need to get to the higher level, the insights level, where we take into account the risks in an intelligent way, and then we provide you some concrete, actionable measures how you can reduce your overall risk.
So when we're looking at risk management, at risk assessment, what are the problems that are specific also for the OT market? These are networks which are quite complex, quite big, with a lot of different devices, a lot of legacy devices, devices that cannot be patched, devices that already have a lot of known vulnerabilities. So a manual risk assessment process for this kind of network, you can probably do it once; by the time you finish it, probably there is already new information that changes some of this. You need to be more dynamic.
You also need to take into account information that is not in the standard processes, like the impact of the business processes, like the issues of how critical the different devices are, what is the risk of the humans, the people that have access to the different services in the network and so on. So this is where we focus our solution in terms of enhancing the risk assessment process.
So when we are looking at this process, there are a few things that we take into account. When we are looking at the overall process, of course, it's probability multiplied by the impact.
This is the basic calculation, but you need to understand how you measure the probability. We'll talk about that in a minute. And also what is the impact, which is specific for an industrial network. In many cases it's difficult to measure it by dollars, which is the best way, but you can still get information from the process owner about what are the most critical processes for their actual generation.
Also, what is more critical for safety? So they have some other considerations, and what is less critical in the overall aspect. Then an important area is, as Alexei mentioned before, you need to consider what is your attacker model, whether you are a target for a nation state or whether you are a target just for regular hackers. According to that, you can define different risks and you can evaluate the different attack vectors.
And then you can decide where you spend your money in a more intelligent way.
And of course, you need to look at all of the devices and look at it in a dynamic way, and think how easy it is to compromise a device based on the connectivity, based on the vulnerabilities and so on. So these are the things that you need to take into account.
So another important area that we took into account in our algorithms, in our tools, is the attacker model, meaning that you want to know how to prioritize your spending on your solutions eventually based on who is your typical attacker: whether you are a critical infrastructure that is a target, a potential target for a nation-state attacker, or whether you are just a private manufacturing plant, where probably a regular hacker, for ransomware or some other commercial aspect, is more applicable for you.
So you need to fine-tune also your assessment of the threat, and accordingly you can spend your money in a more intelligent way. So as we said, we need to understand what is the typical relevant attacker, and according to that, to evaluate what are the tools and the measures that they can use, whether they can use zero-days, whether they can use the known vulnerabilities on the protocols, on the specific industrial systems and so on. And according to that, we can fine-tune our assessment of the risks, as you can see here.
We have done a lot of work doing this modeling of the different attackers, looking at a lot of databases of past attacks, what we have seen and what the industry has seen. And eventually we define the different types of attackers, low, medium and high, in aspects of what they can exploit on the protocols and what they can exploit on vulnerabilities in the devices themselves, specifically whether it's on the IT side, on the OT side and so on.
So we take all this information, we try to make it simple for the customer, giving us the ranking of the different applicable attackers.
And then we take all this information, which is much more detailed, into the calculation of the exploitability and the risks. So when we are talking about exploitability, of course, you need to look at what are the relevant CVEs, what are the relevant vulnerabilities. Then you take it on the specific device and the specific version, not just saying I have a specific vendor and these are the vulnerabilities. You need to know the model of the PLC, you need to know the firmware, and according to that, to take the relevant CVEs. You also need to know what is your network,
what are the protocols that are used for this device, what is the connectivity, whether it's connected to another site, whether it's connected to the internet and so on.
And also what is the type of the device, if it's a server, a PLC, Windows or Linux and so on. And eventually, based on all this information and a lot of databases that we have collected about the different use of different attacks on protocols and vulnerabilities, you can also use a probability: how much a specific protocol, NTP version three, what is the probability of this protocol being used for an attack?
Another aspect which is important is the impact analysis. You want to know, when you are looking at a specific device, it might have a big potential vulnerability, but maybe it's just the light in the lobby, so it's not very important. So you need to understand what are the business processes, and our system is mapping them automatically to understand what are the business processes. And then, together with the input of the user, we can understand which processes are more critical: which is the generation, which is the safety, which is just the light in the garage,
And so on.
And according to that, we prioritize the risk, so you will take care of the risks which are most critical and not the risks maybe with a bigger vulnerability and a bigger score but that are not that critical in terms of the business process. We take all this information, we take the attacker model, we take the exploitability of the device in terms of the way that you can access it, in terms of the vulnerabilities, and we take the impact. Eventually we calculate it into the CIA model that Alexei mentioned.
We calculate the impact into the CIA on a different level of high, medium, low on each of them. And we use all of that in order to create the attack graph: what are the ways to attack the most sensitive devices in the network? You can download our white paper to read more information about that.
So this is a way that gives you, using all this intelligent information which is very specific for your network and for an industrial network, to understand eventually where you need to take care, what are the most critical attack vectors.
This is just a snapshot showing you, for example, in our UI, how you can see the business processes, and also how you can see automatically, for example, which are the CVEs which are applicable per device, and eventually also what is the exploitability score, whether it's high risk, whether it's low risk and so on. All of this is automatically generated by the system. Afterwards, as I mentioned, the system is also calculating the attack graph.
So here you can see different examples based on the attacker model, whether it's an attacker that can exploit industrial protocols or whether it's an IT-focused kind of attacker.
Then you will see different attack vectors, whether you will see whether they can get to the critical PLC or whether they can just get to the HMI, and you need to focus on fixing that.
So according to that, you can decide where you need to focus your efforts, whether you need to focus the efforts on patching this HMI server, or whether you need to focus on hardening the PLC because the attacker can get to the actual industrial systems. Another aspect which is very important is that after we provide all this information about the attack graph, the prioritization of the risk and so on, eventually it's an issue of budget. You need to decide what you are doing today, what you will do next year and so on.
So for that, we'll have a roadmap, correlate that to the different economical versions, and present eventually a plan to get the budget.
So on top of prioritizing the, the risks and, and the how to mitigate them, you also need to take into account what risks will the, the mitigation of which risks will eventually give you the best impact. So you want to look in an easy way, not just about the different risk, but you want to see, for example, as shown in this graph, that if you handle one risk, you go and reduce your score in a, in a very significant way.
And if you take the second measure, you continue to improve it. But actually if you continue to handle some additional risks with risk mitigation, because there are many of them that are impacting different devices, if you continue to handle more and more of them, probably the impact will be quite minimal.
So, so this is a very important tool. So you can understand and plan your budget spending according.
And you can say, I can either take care of the one big one that will give you the biggest impact, or I can also take the, the second measures, but actually after these two, I can stop because the rest of them will be a big change that I need to do some very infrastructure kind of a change in my natural.
So, so this is an important tool to take everything together, another aspect, which we did not cover here, but we can provide will be led to provide additional information in an offline discussion is about the insights. So once we give you the recommendations, once we give you the risks, we also give you the insights, the recommendations, how to take care of them. So you can also generate from that in an easy way, your plan in terms of improving your security posture in terms of implementing the different security controllers.
And then together with this graph, you can understand what is the, the relevant roadmap for the implementation. So if I summarize the, the, the process of getting to this actionable insights to reduce the, the risks, first of all, you need to get the mapping of course, of all the assets, but you need to get also all the vulnerabilities.
Very, very important part is the business processes, because this can change totally the evaluation of the risk and how to take care of the prioritization. So this is a very important part of the, the overall process. You need to look on the devices in terms of their exploitability in terms of how they're connected, because the device that is going through data diode, even if the have vulnerability is much less critical than a device that is connected to the internet, for example. So you need to look on the exploitability.
You need to look at the CIA requirements.
A safety device will have different CIA requirements than an operational device, and so on. And then eventually you want to get insights from the tools, so you will understand in an easy way, in an actionable way, what you can improve.
And also, as I've shown in the previous graph, to understand which are the two, three main measures that you want to take, you know, to improve your overall status. And all of this will be done through our system, so you don't need to go through this whole process manually, because from our point of view, this is an ongoing process.
After you do it, after you improve your process, you also want to see what level of improvement you get; you also want to run it after one month or after a quarter to see whether you had some new devices, some new CVEs, some new connectivity that might have changed your posture. So you want to run it on kind of a continuous basis. So you need to do it together with the system and not in a manual way.
So this is the overview of the algorithms that we are using in our system to provide you these actionable insights and the prioritization of the risks.
I will now hand back to Alexei and open it for any questions.
Okay, well, thanks a lot, Ilan, for your kind of detailed explanation of how your vision is actually supposed to work in reality. And by the way, I am really sorry, for our attendees, for those technical difficulties we had during your speech; we are going to edit them out of our recording. So if you want to watch it again without all those glitches, you're welcome, we will publish it tomorrow. And we are now in our Q and A session. So please again use the questions box on the GoToWebinar control panel to submit your questions.
And we have the first one already. So how does this prioritization of business processes actually work? Does your system do it automatically, or is it a manual process for your customers?
So it's a combination. Basically we are doing the mapping of the business processes automatically, and then we are combining it with the user input. So we show you the 10, 12 business processes that are mapped, and then we let the user provide us some more information about the prioritization. So some of it, based on our experience, we already know: this is the part that is more related to the VMs, to the HVAC and so on, and some of them, we know these are more peripheral systems and so on, but we want the customer, the operator, to be involved in this process.
So after we put the mapping and we give our view about what the different processes are, we are going through the process of having the operator provide their inputs, and they can also do some manual correlation of the business processes, also giving their input about the,
If I understand correctly, you can tell your customer, hey, look, looks like these 10 water pumps are actually a part of, I don't know, some Porwal management facility process. And then they are supposed to define how critical this is, or does it go beyond that?
Can you, for example, let the customers change that discovery or somehow tune it, or can you just start with the initial automated values and then decide later?
Yeah.
So the answer is yes, yes. And so you can do all of these options. We give you the mapping of the business processes as we understand them: these are all the water pumps and all of them are connected to some water desalination process, and so on.
First of all, you can do the fine tuning. You can say, no, this PLC is actually connected to this HMI just for some maintenance, but actually it's part of a separate process. We give default values, according to our knowledge, for each of these different processes, but the customer can change these values per process, or even per specific device, but they can also start with our defaults.
Can you maybe elaborate a little bit on those predefined values? Where do they come from? Is it your own research, or is it kind of combined with input from your customers, or something else?
How do you come up with those models?
So this is based on what we have seen from both databases of attacks and the impacts and so on, but also on our view about the importance of different devices in the network. So eventually we tie it into a CIA model. So we give each of these aspects of the CIA a grading, according to how critical this device is. So if it's a safety device, for example, the availability will be very critical. If it's some information collection, then it's more about the integrity of the data.
So based on this experience in the different applications, we have defined our default values for the different types of devices and processes.
Okay, great.
So again, please submit your questions through the questions tool, and we have the next one already. Okay. So the question is, how do I know, or how do I anticipate, which type of attacker is actually going to attack me?
So this is, from our point of view, first of all, you can try several of them and see what the outcome is in terms of the risks, in terms of the expenses that are related to that. And then you can decide what your acceptable risk is. On the other hand, when you are not a critical infrastructure, you are not a power utility, a critical substation, then you can assume that the nation state attacker will not spend the efforts on finding a zero-day vulnerability in your PLC in order to get some ransomware somewhere on your system.
So we assume that the customers can make some assumptions on their different exposure level, I would say, and according to that define and take some assumptions about what their relevant attacker model is. But you can also try it, because everything is automated in the system.
You can also try with several such models and see what it means if I want to be more cautious and I take it one level up: what is the change in the attack vectors? What is the change in the risk?
If now I need to spend an additional 10 million, then probably I can assume that the nation state will not attack me, so there will not be this kind of zero day just to get some ransomware somewhere. A combination of your initial assumption, plus you can play with the system and do some fine tuning for it.
So does it mean that you actually have risk modeling features built into your platform? Basically you can just, I don't know, drag a slider or click a button and see, here, my risk is going to change this way? Or what exactly do you mean with trying it out?
Like, yes,
Yes. Basically, in the system, after we do the initial mapping and then the business processes and so on, you can change the configuration, just with the menu. You can change which attacker model is applicable for your network, and you can see what the new risks are, what will now be more risky and so on. So all of this is done in an interactive way and you can play with these different parameters.
Okay. But that kind of anticipates the next question, which I will read a little bit later.
So do you provide some kind of guidance to your customers, or do they have to know it all themselves? We help the customer to decide.
So we are working. Yeah.
So we are working very closely with our customers to give them the initial guidance on how to use the tools and how to use all these options in terms of the attacker models and the CIA configuration and so on. It's a lot of information. And the problem is that in many cases these are different audiences: you have the OT people and you have the cybersecurity people, and not necessarily we have the combined team when talking to the customers.
So after we've been working with multiple customers and we have seen that they need this kind of support, we have also recently launched a model of an MSSP, managed security service provider, where the customers can hook up with this kind of service provider that has more of the security expertise. And then the customer can get this kind of continuous guidance, not just on the initial risk scoring, but also on the continuous evaluation of different attacks, what is new in the market, how they benchmark according to others, and the threat intelligence.
So after seeing more and more of these kinds of processes, we came up with this managed service model together with different partners around the world, you know, to make it more scalable and still very accessible for the customer.
Okay, great. So that was exactly the next question: does your customer have to be an expert in security? And I take it, no, you have everyone covered, including the ops and less qualified people.
Okay, great. Next question. Yeah.
So
We'll have some time.
Yeah. We assume that in some cases it will be a combined team, which is great, but in many cases we are discussing with the ops people. So that's why we believe that the MSSPs can cover this missing aspect and bring the security expertise and guide, together with the customer, ask them some kind of guided questions, you know, to make sure that they cover the right aspects in this risk evaluation.
Okay. The next question is actually really interesting and kind of touchy a little bit.
So can you actually share an example of a high profile hack of OT systems and how Radiflow solutions helped to detect, remediate or prevent those?
Yeah, so we cannot, of course, share specific details of such cases, but we have seen cases where, for example, the network of a customer, which was quite a critical customer, was connected through some indirect means to the internet for some very temporary maintenance operation. But unfortunately, nowadays all these scanning tools in the internet are very quick.
So we have seen, very quickly after this temporary connection, that there was a scanning that found this access to the devices. And it was quite amazing, because it was also very quick that they understood that this is an embedded device, an industrial kind of device. So they were also trying to use scanners which are applicable to the embedded operating systems and not just to the IT ones. And this was something that our system was able to alert on immediately. And then the customer, which was actually quite good on the security side, they just did not consider the indirect aspect.
They immediately disconnected this maintenance process. So this was kind of an example. There were also cases where we actually saw IT attacks, like it was in the Norsk Hydro case with the Active Directory. We have also seen cases where attacks related to cryptojacking, the cryptocurrency miners, were impacting such facilities, because it was just IT services that were not patched properly. And then they were impacted once there was, again, some indirect access to the internet to download some new version for one of the devices.
There is a really interesting follow up question.
So would you say that your solution can actually replace tools which are specifically designed to prevent such attacks, like those antiviruses and EDRs, all this world, or will you work together with them?
No, eventually we work together.
We are more focused on the industrial aspect. So our system is also taking information from these kinds of EDRs and antiviruses and so on. So we want the devices in the network to be up to date with the best available security measures, and with the firewalls that will have the IP blacklists and so on. And we are taking all this into account and then highlighting for the operator where they still have some potential attack vector.
So if you are using an antivirus or an EDR, or you are using some firewalls with some configurations, but they are not up to date, we will give you a highlight saying so. Because we also provide kind of continuous threat intelligence with our MSSP, we will tell you, based on the recent attacks that happened in the last couple of weeks, that now there is a higher exposure, a higher probability for this new kind of attack model, and you are exposed to it because you are using Active Directory with the old protocols, for example.
Okay.
So, and again, I'd like to highlight that last part: those attacker assessment models only make sense when they're constantly updated, not just once a year or once a month, but really daily, because new attacks appear even more often than daily, I guess. So if you don't have this threat intelligence provided by a reliable outside service, you will never be able to follow up on that.
So, yeah. And did I just understand you correctly, you will actually propose to install an antivirus on a specific machine because of that, right? So yeah.
Yes, of course, depending on the operational aspects; in some cases, HMIs, you cannot install antivirus and so on, but it is better to have these kinds of solutions. And as you mentioned, you need to have this kind of updates on the threat landscape. Otherwise your calculation of the risks is incorrect.
Okay, great. I think we have actually reached... we have one minute left and I don't see any new questions yet. So it only remains for me to say thank you for joining me in today's webinar, and thanks to all the attendees and to everyone who will be watching this as a recording. I hope to see you in some of our future events and webinars, and have a nice day.