Hello, and welcome to our webinar. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole. And today I'm joined by Kevin Kumpf, who's the Chief OT Strategist at Cyolo.
Welcome, Kevin. Pleasure to be here, John. Our topic today is The Evolution of Secure Access for Critical Infrastructure. So a little bit of logistics info before we get going. Everyone's muted centrally. There's no need to mute or unmute yourself. We're gonna do a couple of poll questions and then we'll show the results at the end. We will take questions and we'll answer those at the end of the presentations too. And then lastly, this is being recorded. So both our slides and the recording will be available in a couple of days time.
So I'm gonna start off talking about what is critical infrastructure? What are some of the security challenges and where does Zero Trust fit into that? And then I will turn it over to Kevin and he can do a deeper dive on critical infrastructure, security and the Cyolo platform. Then we'll do the poll results and look at questions again at the end. So first up, what do we mean by critical infrastructure and why does security matter? So I thought I'd start with just some definitions. Operational technology is sort of the overarching definition for all of the things that you see here on this page.
Operational technology includes hardware and software that control all sorts of different kinds of industrial equipment, different kinds of devices and processes. Critical infrastructure, our main focus today, that includes things like power generation, power distribution, pipelines, oil and gas, water treatment, wastewater treatment, traffic control, all the things that are really necessary for the proper functioning of society. Industrial controls, I think of this more on like the manufacturing, agriculture sides.
This includes a lot of well-known concepts like SCADA nodes, PLCs, programmable logic controllers, human-machine interfaces, various kinds of actuators and sensors. And then we have IoT and industrial IoT. These are the more commoditized IP-based devices that a lot of organizations are using now because they're lower in cost to deploy, but they can also be an important part of any of these different operational technology environments. So our first poll question is, does your organization run any of these following types of OT environments? The first one is critical infrastructure.
Second is industrial controls. Third is IoT or industrial IoT. And fourth is, no, we're just doing traditional IT for the enterprise. So as you might expect, things have gotten rather complicated in the last few years with IT systems being used in OT and especially critical infrastructure systems environments. So they have HMIs and PLCs and various kinds of actuators and sensors, but they're also using identity management and physical access controls. Identity management being really a key part of controlling who gets access to what.
And with these complex environments comes not only employees, but also contractors, system integrators, equipment manufacturers, lots of different people and processes need access to OT and critical infrastructure systems. So we see increasingly a mix of different kinds of technologies in OT and CIS environments. So why or how is it complex and where do you focus on securing it?
Well, of course, it's gotta be multi-layered security, defense in depth. Some of the challenges we see, some of the components are not directly accessible. They may be behind firewalls, network segmentation is mandated in some industries. Some of these devices don't run IP-based protocols. So it can be difficult to interface with them.
Some controllers are mandated by regulations in some cases to be behind the firewall and only unidirectional communication can happen such that it can send information out to another environment about what's going on inside there but you can't allow any kind of access into it. Some environments are air gapped.
And then, like I said, we've got employees, partners, equipment manufacturers, lots of different kinds of users that need access to the various components of an OT or CIS environment. Other things we have to consider, some facilities are remote. Sometimes they're not permanently staffed. They may have low bandwidth or very weak network connectivity or it might not even always be on. So how do you deal with remote access needs in cases like this where facilities are far away and nobody's there 24 by seven? So now let's look briefly at the threat landscape for critical infrastructure.
Some of the most common attack vectors that we see in critical infrastructure, people have been very worried for the last few years about ransomware spillover from enterprise IT. There've been a number of cases where that has been a very big concern. And in fact, the operational technology environments have been shut down sort of preventatively to prevent that spillover. So that's definitely something that is top of mind for many CISOs today. There's social engineering, both physical as well as logical, trying to get access to an OT or critical infrastructure environment.
You know, physical being trying to social engineer someone into letting you into a facility, a bad guy into a facility. Oftentimes to deliver malware by USB or some other removable media. Because yeah, if it's an air-gapped environment and a bad actor wants to compromise it, they've got to walk it in and plug in USB. Maybe it has malicious firmware, but there are security solutions that can help check for malicious firmware and other malware on a USB device. Denial of service, you know, at the network layer can be disastrous for critical infrastructure.
And then there's insider threat, sabotage, and then just more generally insecure remote access. We've all heard about a number of cases where insecure remote access was the way in for malicious actors, you know, using like a remote control software that had weak or practically no authentication that then granted them access to move around inside the critical infrastructure systems. So how do we protect the various components? There are many different things that are needed, you know, following the defense in depth idea. But first of all, you've got to know what you have.
You can't protect stuff if you don't know that you've got it. So asset discovery and classification as well as vulnerability management are really the first steps. Then we have identity and access management, particularly zero trust. You've got to be able to control access. Each request needs to be properly authenticated and authorized. Firewalls and network segmentation. Network segmentation being, you know, a key principle for zero trust network access. Firewalls I've mentioned, you know, for environments that have to ensure one-way communication.
Monitoring, SIEM, security information and event management. Your OT and CIS systems generate a lot of information that needs to be analyzed from a security perspective. IT SIEMs are good tools for collecting that. There's also a need for OT or even critical infrastructure specific threat intelligence. And there are firms that specialize in the types of threats, the critical infrastructure by industry and what their particular threats are. Then there's detection and response and then incident response.
Detection and response, being able to look at all that data and figure out what's amiss, what's anomalous, what's suspicious, what's a clear sign of an attack. And then how do you do incident response, you know, in a more broadly, you know, process down way. And backups being an important part of that too, being able to restore the different nodes within your critical infrastructure environment quickly to keep things up and running. And then lastly, I put deception in here.
There are distributed deception platforms that can sort of emulate an OT or critical infrastructure environment right down to the different kinds of machines and HMIs and PLCs. And that can be really helpful for organizations that want to collect intel on what an attacker would do if they had access to the real assets. So now we'll look at secure remote access. What are the use cases for it in critical infrastructure? So off hours support, you know, not every organization's got 24 by seven staff in these various locations.
You know, I mentioned the partners and integrators and even equipment manufacturers need to be able to get access to various components in critical infrastructure. So, you know, many times they're not on site and if you want to get quick help, you've got to have a good secure remote access solution for them. The remote locations, you know, just to sort of emphasize the point, some of these organizations have locations that can be six or eight hours away from, you know, headquarters and they're not always staffed.
So if you need immediate resolution and you probably do, remote access is really the only way to get that going. Then the last two, you know, we see increasing use of cloud as a data repository for doing advanced data analytics. A lot of critical infrastructure organizations want to be able to leverage analytics for things like predictive maintenance. This is something that also requires good secure access control. Same for digital transformation, they're leveraging these cloud environments and other systems so that they can, you know, become more efficient.
But again, this should require a zero trust network access principle. So the IAM challenges, they're similar to what we see in enterprise IT, but again, it can be more complex because the different kinds of devices that are involved, you know, some don't use IP protocols, you know, there are often multiple domains involved. You've got all those different kinds of users from different organizations.
They need single sign-on, federation, and then still we have, you know, traditional problems of provisioning, deprovisioning and managing access entitlements that can be far more complicated in a distributed environment like this. And then again, to hit on zero trust, you have to properly authenticate and authorize each access attempt. So zero trust, I think, can be a big component in how you secure your OT and critical infrastructure. These other things here, secrets management, privileged access management, access logs and analytics, all those can be very important as well.
Privileged access management, again, can help you lock down accounts, service accounts, administrative accounts, prevent further compromise in the event one machine is compromised. Secrets management, same thing there.
You know, there's lots of need to secure passwords, certificates, all sorts of different secrets that can be used in OT or CIS. And then again, access logs and analytics, very important for being able to figure out if you are seeing anomalous or suspicious behavior. So last slides here, sort of drilling down into zero trust for cyber resilience. I really liked the architecture diagram that NIST has in the Special Publication 800-207 for zero trust. Here you see different inputs, you know, things like continuous diagnostics and monitoring, industry compliance.
Many industries that operate critical infrastructure have special regulatory requirements for security, for identity and access management in particular. There's that OT specific threat intelligence, activity logs, but you also have, you know, the need to create data access policies. There's still lots of PKI. A lot of machines are using X.509 certificates for identity and authentication, identity management and SIEM. I like how this separates this out in the control plane and data plane.
The control plane sort of following the tenets of, you know, the XACML reference architecture with a separate policy decision point, separate policy administration point with a policy enforcement point that lives in the data plane. And again, this is used to facilitate very strong authentication and proper authorization. So second poll question, is your organization moving towards zero trust architecture for OT critical infrastructure? And take a few seconds to answer that. We've got three choices, yes, no, or not yet, or planning on doing it. Okay.
Well, thank you. We will take a look at those at the end. And just a reminder, if you've got questions on this subject for us, please feel free to enter them into the CMIT control panel and we'll take them after Kevin's presentation. So next up, Kevin.
Thank you, John. Pleasure to meet all of you here virtually. John has gone over many of the technical components of the infrastructure. And my goal right now is to talk about those components, where they fit into the environment and how they fit in. So with that said, what is secure remote access? Now you may be thinking that we should know what secure remote access is, but in reality, secure remote access is, it's an umbrella term. And that refers to the security measures, policies and technologies that an organization uses.
Locations inside or outside of the corporate office with a high level of security. Notice this term has come from the IT world.
And sadly, secure remote access has become a checkbox tool. Much like you'd say, I have an SFTP server, I have a file share, things like that. It's become a term. Even zero trust has become a term. So what Cyolo is doing and how I view the industry as a whole is we're shifting that paradigm.
The reason we're shifting that paradigm is that 80% of all outages, all events, and an event is an unintentional action, are attributed to mainly routine jobs, unscheduled changes, misconfigurations, or as we're now seeing, things that are going on between IT and OT crossing that boundary where a system is patched out of window. A system is accessed without the proper credentials, or as I've even seen SSL or other things are tried to be applied to a system that does not support it and that is causing issues and systems to go down.
So while we're all concerned about ransomware and decidedly so, how do we prevent the unintentional events that are happening to OT? Well, as we know, IT and OT are coming together. If we look at the IT side, that's the carpeted floor. If we look at the OT side, that's the grated floor. And this is an interesting image. The reason I left it by TechTarget was to show that from an industry perspective, the middle terms are a little concerning to me. Merging the two distinct networks and sharing the data that each collects and distributes. When you merge, you integrate.
And integration is not what we want to do in this space. Much like everybody says that we need to apply zero trust.
Well, as John has stated, zero trust is just a framework. And to show you how misunderstood it is, last year I presented at a very esteemed conference and all these people got up and were talking about their platforms with zero trust. And I got up and said, who knows what 800-207 is? And nobody had a clue. And then I had to add the NIST Special Publication 800-207. And most of them still did not have a clue. So if we're gonna use terms that are like merging, integrating, if we're gonna talk about ZTA or ZTNA, we have to be precise.
Much like the term secure remote access, it is actually now secure access. Because if 80% of your events are unintentional and they come from users just doing misconfiguration or other things, we need to put guardrails and controls around those. What we're really doing is we're interfacing infrastructure. When we integrate, we expand the scope of the resources involved from a compliance and audit risk perspective.
If I sit down with a NERC CIP auditor and I'm looking at my electronic security perimeter as an example, and I state that I've just added these new resources to it, the auditor now immediately thinks they're in scope. So if we said we've integrated them in, which means to blend, to merge, or we've merged them in, that now expands the footprint. Interfacing is what we are really doing. When we integrate, the AIC approach transforms to the CIA approach. The AIC approach, which is really key to the OT world, which is availability, integrity, and confidentiality. Availability is first.
And the reason availability is first is because uptime is key. But as we see at the last point, safety remains first. The safety in AIC, in many cases, is silent. And in fact, there's many discussions on LinkedIn and other platforms right now about, you know, well, should there be the S or it's included? When there's more IT people coming into the OT world right now to take roles, and I've met many of them that have zero months experience, three months experience that are taking over programs, the safety is not applied.
If we look at the CIA approach from IT, which is really about the confidentiality, we must not lose the data. Availability is last, systems go down. How many times have you gone to an IT system, had it down, gone to a web browser? Even your cell phone is not considered critical, you know, you lose signal. And yet that is supposed to be your lifeline in emergencies and other things. So we need to ensure that the approach stays AIC. And then when we interface, we maintain those proper ICS boundaries from a regulatory compliance and audit perspective that I've spoken about.
So the language is important. How we use the terms is important. And now how we define things is important. As you can see, this is the current state of the IT-OT infrastructure. Many of you are looking at the center section and realizing that we have resources in the middle, that we have PAM, VPN, CASB, other things out there. And then we have on the left-hand side, the resources coming in, where are they located? On the right-hand side, you have a merging of applications and resources.
And so companies are now due to vendors, due to legacy applications that they cannot change, due to legacy ways they access that they cannot change, are adding multiple tools to the environment. And as we add these tools, the complexity grows. And the complexity is where we don't have the resources. I have one firm that I'm working with, has 200 facilities, has two individuals for OT security. When I asked how many people they had for their help desk, they replied that they have 50 people for their help desk. That's wonderful for the IT world. It's not wonderful for the OT world.
So when we have all these resources in the center of the screen here that are truly taking up time, energy, and effort, giving you multiple ways to get into an environment, and many of them are in fact, secure remote access type methodologies. Because remember, it's an umbrella term. We need to close that and control that down. The future state of where we want to be is unified digital identity management. This is not a made up term. This is where we take the digital identities of the users, the devices, the environments, and the resources, and we unify them in one controlled access plane.
If you look at the ZTA slide that John had put up, that slide shows that we have a controlled framework of policies, procedures, resources, inputs, and outputs. And as we're going to Industry 4.0, that data is two-way data. Now I know your infrastructure is in theory a one-way infrastructure, and I understand that. That connection from the resource that is that gateway, that secure remote access point needs to be a one-way out. But that one way out is producing data from both directions.
It's taking data in from users, passing it to applications, and it's taking data from applications and resources, users to applications, users to machines, or machines to machines, and pushing it through. So that adage where John talked about remote resources, being able to take a sensor, get that data out to somebody whether it is nobody at that sensor, but they need to know is critical.
Being able to have things in remote locations where there's limited bandwidth and being able to get there to understand those resources and what's going on because it is part of your integrated network is critical. And so if we look at identity-based, which is unified digital identity management, that's the evolution. So we started out with VPN, which is still out there, and that gave us encryption and what they termed, quote unquote, secure remote access. That gave you network layer access and control.
If we look at ZTA, ZTA is taking the concepts of policy, it's taking application access, network access, and it's taking basically cloud scalability out there and saying, we can put this out here in the cloud. Now, I caution you that people say, well, ZTA can go on the cloud non-premise. The platform, it can't, but if you talk to many of the vendors out there, they're giving you ZTA with cloud infrastructure, which is now expanding those safety systems and other areas to the cloud.
As I've said to many people, when people tell me just put everything to the cloud, it's perfectly fine, it's great, I ask them one question. Would you put the sensor to your vehicle's airbag in the cloud? Would you trust that to know that that distance away, or do you need that instantaneous control with your finger on that pulse immediately? That gets a different answer than put it to the cloud. So an identity-based, it's zero trust, not vendor trust.
And what that means is that these vendors that are coming with these solutions that are telling you, you must use this, or you must do that, you take away the control that they have. You basically say that through the platform that you're going to implement, you now have control. The other part of this is that you need something that's flexible, cloud, on-premise, or hybrid, which means it will do all three of those type of platform environments for you. This gives you flexibility. You need compliance and surveillance. What does that mean?
Well, going back to the OT does not have enough resources mindset, being able to have recordings, being able to have people that can go back and look at things that were done when a vendor is granted access into the environment, when a user internally from the IT side is given access, or even now if we have people out there in the OT environment that are using tablets on the shop floor, that are using a line of sight to do things that are at remote locations, you want to have that capability. Adaptable and integrable. What does that mean?
What that means is having the ability to tie into other platforms. As John had mentioned, a SIEM, a SOAR, an XDR, threat and vulnerability management, being able to pull this information in and out. When you get to the core of what Zero Trust is, when you get to the core of what your SOARs and your firewalls and other things are doing, they're enforcing policy. They're enforcing policy on users and resources, assets, systems, the plethora of things that make up what an environment really is.
And so if we have the ability to pull and push policy, to compare policies, we now have the ability to take a firewall, pull its policy, look at that from a platform such as Cyolo, find out what ports and services are open, and then at a time, put down a policy that says that a user can come in at a given moment in time, work with an application, and then turn off the policy to the firewall, turn off the policy to the user's application, turn off the user, and really drill down and now block that entire path, give you segments, give you total micro-segmentation.
And identity modernization is the last part of this. It layers on top the ability to take legacy applications that cannot do MFA, legacy applications that have weak and shared credentials, vault those credentials, modernize those credentials so that you can do MFA even in air-gapped environments. So this is not a pie-in-the-sky thing. This is available today. And if you look at this slide, you can see this. You can see that basically we have the identity and access control sitting in level 3-2. This is right in your boundary.
As you can see, we have an edge, which is just SNI routing, which is basically, if you think of it, a reverse proxy. Now, we're talking reverse proxy here, but at the same time, we're talking secure remote access. The proxy gets you that outbound direction. The user is the entity that requires the secure access. So the platform is the vehicle to enable secure remote access. But as you can see, we have OT staff that now can be on-premise. So that is secure access. They're not remote, they're right there.
You can see that you have remote users at level 5 that are coming in from the cloud, your third parties potentially, your offsite workers. Those are considered secure remote access. Your internal staff at level 4 of the Purdue model. Now we're looking and saying they can be on-premise or they can be remote. Or an architecture such as SD-WAN. Now they are truly flexible to wherever you would like to call them. Because the infrastructure is no longer the deciding factor of where they're coming from. It's the application and resources and the defining of the network in that capacity.
But as you can see right here, one of the key points I want to point out on this slide is the firewall that sits behind the ID access control. With the ability to control firewalls, with the ability to control policies, with the ability to turn things on and off in a granular application level, based on user, based on access, based on time and other factors. Companies now can place firewalls even deeper in the infrastructure. They can give that true micro-segmentation. So a prime example of how this architecture flow may work, a sensor or actuator on the backend may give you an alert.
That alert would come out to your access control or your gateway if you want to frame it in that capacity. That would be passed up to a SIEM. Now with safety being the key component because we know that IT tools are coming into the OT environment, that operator now can make a decision. That operator can make a decision of using his browser to get out to that platform. And we are a browser-based platform, truly agentless. Using a UI or API to enact that. And that means they could have that browser, but they can also have a scripted process that comes back through.
Or using a SOAR to now automate that process to say, if I see this go on, go out, pull this log, look at what's going on and tell me what I need to do from there. You can also use this from user control, injecting threat and vulnerability management. So if you get threat and vulnerability management information in your platform, you can turn around and say, okay, I see this platform here has this vulnerability. I want to deny remote users access to it, only give my users internally access.
And with the capabilities of the tools above, you can easily change a policy at any level of this architecture. How do we achieve those goals? From an operational perspective, we're mitigating your risk of an event or incident. And I put event first because of 80% of the problems out there are truly events. That's what we want to focus on. If you can mitigate the events, then you have less and less incidents out of that. And that is a foregone truth. I spoke with a company a couple of weeks ago where for months they were chasing their tail looking for malware.
It turns out that somebody was coming in and plugging in a USB into one of their control systems with music on it. The only way they found this was to see the person plug in the stick. They were going out and spinning up their incident response team continually. And it took them months. So this is an event that was of no consequence in nature to the individual doing it. It wasn't malicious, but it was truly causing incidents. We want to decrease the total cost of ownership and increase the ROI.
If you look at the platforms out there today, all my customers, all the people I speak to in the industry circle say, we want to reduce basically the number of platforms. We want people to work together and we want to basically increase the ROI because we're not getting more staffing. That leads to the seamless integration into not only the resources that are out there in the OT world, and as John alluded to the IIoT world that's coming out in others, but also to the platforms that they're using on the IT side. And improved detection, audit, reporting is really what the operational goals are.
And this meets to anything from their frameworks to their auditors, to their insurance that they're going for, cyber insurance risk. Lastly, here's your technological goals. These align very well to what you're trying to do with the ZTA architecture, or secure access, or your capabilities in the platform. And this slide is available, as I said, at the end of the presentation in the several days, but this is where we want to take the technology and truly make it work for you.
And so if you're taking all these features together and you're unifying them in a digital modern platform, you're really doing unified digital identity management for the platform. And that is the goal. That is the ultimate goal is to simplify the attack surface, improve availability, improve your risk posture, and improve your overall performance and productivity of the workers from a happiness, from a task, and from a input and say in the process perspective, because they're the ones using the tools.
I hope that gives you enough understanding of what we're talking about, and John, I pass it back to you.

Great, thanks, Kevin. That was really insightful. And thanks for highlighting the distinction between CIA and AIC. That's something that we've talked about, critical infrastructure operators with many times over the last few years. The difference between, one of the main differences between enterprise IT security and critical infrastructure security is, you need to feel safe. You need to make sure that employee worker safety is paramount.
And then also being able to deliver the critical infrastructure service. If it's electricity, we all know how important that is.
So yeah, that's a big distinction between, I think traditional enterprise IT and any of these OT environments, but especially critical infrastructure.

I agree. And the tough part is, what are we defining as critical infrastructure these days? Because we're looking at even the distinction of IoT versus IIoT devices out there. People many times will talk to me and use the terms interchangeably.
And if you look at where a lot of the threats have come from it's been from consumer electronic devices, placed into a corporate network, baby monitors, cameras and things like that, that I just needed that. It's on a home network that now is tied to a corporate network and other areas. If you look at the industrial devices out there, they're trying to at least make some security strides into those. They're not just the mass produced products.
And so if you're going to tie these into your infrastructure, if you're gonna talk about things like MQTT and other technologies that are coming into the environment, how do you really protect the power grid and things like that when there's no cohesive vision for how these all work together? And Industry 4.0 is not that vision. Industry 4.0 is just the data exchange and the concepts as we know.
Okay, before we go into Q&A and discussion, let's take a look at our poll results. So the first question was, does your organization run any of the following kinds of OT? And fortunately today our audience is made up almost half of critical infrastructure operators. Thank you for being here. We also see IoT or IIoT, and then a third of our viewers are traditional IT for enterprise.
Well, thank you for your answers. Next one, please. Is your organization moving to zero trust for OT? A little more than a third say yes, and nearly half say not yet, but it's planned.
Well, that's great. I think we're big believers in the need for zero trust architecture for OT. And it's great to see that most organizations are either there or trying to get there. Any thoughts on this, Kevin?

The first survey struck me as interesting. Nobody here from an industrial controls perspective. And that space is very, I don't wanna say ambiguous, but if we look at the energy sector and utilities and critical infrastructure as a whole, CISA has their sectors out there and they've expanded and those have grown.
And I see more sectors coming out of that. Actually, I see subsectors in the future. But the concept that those are critical infrastructure, and yet there's not critical controls, I think there's a disconnect in how some people view this.
You know, there are industrial controls and critical infrastructure, as you know. So having that be a zero sort of either says that the context of what people understand the environment says or the context of the way they took the question really is a little interesting. On the second, your thoughts on that, John, what do you think?
Yeah, I definitely think that's possible. Could be, you know, this was about critical infrastructure. So critical infrastructure, people are likely to wanna join in.
But yeah, so much of it is applicable for industrial controls, because in some cases software can be similar. Definitely concepts are very similar.
Again, that primary difference could be between AIC versus CIA with industrial controls too. Yeah, but this is a good mix. I'm glad to see so many people from critical infrastructure here, and thank you. On the second slide about zero trust, that is interesting that you see people that have started the journey and people that are not yet but planned. And the question I would have is who is driving this? And when we look at organizations that are driving this, many times it is IT.
And the reason I say IT is because if you look at an organization, how many organizations have a CISO on both the OT side and the IT side? It's generally the OT people report up through IT. The projects that are pushed are the IT projects. Having been a CISO at a major utility, I was not called the CISO, I was called the director of OT security. And yet the CISO of the IT side would continually come to me saying, what does this mean? I don't understand this. And yet my budget trickled down from her budget, the directives trickled down from her directives.
And so when you look at zero trust and you say you're moving to this, I don't meet many people out there in the OT world that are saying, you know what, my mission is to go to zero trust because I believe in it for OT. So I really think that the organizations that are moving to this, many of them are driven by IT principles and policies. And are we maintaining that AIC versus CIA?
You know, that could very well be. I was writing a document not too long ago that was looking at who's responsible for OT security.
And, you know, you pointed out some interesting things there. You know, there's a lot of variety in reporting structures, and reporting structures as a topic itself kind of sounds boring, but it's not, as you know, because a lot of things like budget and priorities get decided by reporting structures.
So yeah, it's not completely common where the responsibility for OT and ICS security rolls up under, let's say, the enterprise CISO. In many cases, those organizations have evolved separately. So the people who maintain critical infrastructure are not necessarily that connected with the team that does enterprise IT security.
So yeah, there can be competition for budget. There can be a lack of clarity between the goals or how to harmonize the goals for OT and IT security.
Well, I agree. Okay, well, thanks for sharing the results. We will now start looking at our Q&A.
Okay, what is the most important thing in OT environments? I guess that means for security. I will start by saying, I suppose that again goes back to our AIC versus CIA discussion. You need to be able to fail safely. So obviously you need strong authentication and good authorization, but you also, in times of emergency, need to make sure that people can get in to do their jobs. So there's a concept of break the glass, being able to apply very, very strict logging and monitoring.
It's hard to say what the single most important thing is because in a defense in depth situation, all the layers really rely on all the adjoining layers to provide that overall increase in security posture. What are your thoughts, Kevin? So if we put the AIC versus CIA and safety aside, one of the key things I think that is most critical right now is a plan for people, process, technology from an incident response perspective.
And the reason I sort of hung on that a little bit is when I spoke a couple of weeks ago, I was at a conference and there were some of the high-level executives from the OT and IT world. And I asked them how many had an incident response plan for OT, and of the 50 or 60 people in the room, two people raised their hand. So break glass is wonderful, safety is wonderful, but if you don't know what you're gonna do, I actually feel at this point that people know what to do from an OSHA perspective, because as soon as you mention OSHA, we immediately take action.
But if you haven't even laid out a plan, if you haven't even figured out what your people, process, technology would be, if something does happen, aside from the OSHA side, which is safety and ops, suddenly you need to report, where do you go from there? So next question, what drives the confusion around zero trust access versus zero trust architecture, ZTA and ZTNA? I think ZTA, zero trust architecture, is the overarching principle.
And that's really founded on the principle of least privilege, and that's where we derive the need for proper authentication and authorization for every request context, looking at user attributes, environmental attributes, what are the resource attributes and figuring out, is this a proper access request?
That sort of drives things like zero trust network access, which is more specific to the actual access request to get into, let's say, a network: VPN, VPN replacement, as some like to talk about zero trust, and things like SASE. But yeah, I think of zero trust architecture as being sort of the high-level view of instantiating all the various principles and zero trust network access as being more around satisfying particular use cases. Any thoughts you wanted to add to that, Kevin?
Yeah, who's driving the confusion? I honestly think the vendors are. And if you have vendors that don't know what 800-207 is, and they are telling you that you need to go to zero trust, you need to pull back and question, why are you telling me to do something that, in fact, there's firms out there for zero trust, which I find this kind of interesting. But there is another one out there, which is ZTAA, which is Zero Trust Application Access, that's a term I've heard as well. So with ZTAA, people think it's about the users accessing applications.
And ZTAA, they think it's network access. But then they say, well, if it's network access, then it's just like a VPN that leaves you vulnerable. I think just codifying around what 800-207 is and getting the foundational concept of that slide that you have, John, is the roadmap to whatever you want to call it. It just has to be done with the proper people process technology around that framework. And it literally is a framework. So it really is up to us as an industry to educate better and to not use buzzwords that people don't know, such as integrate versus interface, is another example.
Where do IIoT and IoT fit into this vision? You know, that's a good question.
You know, IoT, the promise of IoT was to be able to outfit and instrument all sorts of things, you know, more cheaply, you know, using commoditized devices. They can use IP, they can use, you know, your traditional networking infrastructure. And I think all that's great.
But, you know, in many, many, many cases, security was not part of the original design there, which makes it far harder to try to secure an environment that's got a bunch of IoT devices. And, you know, and this, I think, is one of those areas where network segmentation, micro segmentation can be very useful, but even that in itself just adds to the overall complexity of trying to secure an environment that has a whole lot of IoT devices. But that's not going to go away because in many cases, they are more cost-effective to operate.
Yeah, I look at that and I say, when people say the term IoT to me, to me, it doesn't mean Internet of Things, it means Internet of Threats. And it literally has become that. And yet there are people out there that if you just Google IoT and ZTA, you'll see all the major vendors say how to secure IoT devices in a Zero Trust methodology or Zero Trust is the only way.
Well, if you cannot validate the device, if you cannot enforce policy on it, if you cannot credential against the device, how do you enforce any policy, any structure on it? This is where the distinction between trying to get a level of security on industrial Internet of Things versus IoT things is critical. And yet companies are going to go to the bottom dollar of what's cheapest, most effective, what's made across in those nation state countries of concern to us. And a trust model is not gonna help that. Yep. What's the future state of secure remote access?
Yeah, I think that the state is, you can't trust anything at this point as remote. You have to take things to heart and say that all access needs to be secure. And this is from people to applications, from people to resources, from resources to resources, we're talking about with IoT and IIoT devices out here, across the boundary between IoT and OT, it's all secure access. Remote went away when the concept of remote workers now means you can be sitting in a different building, but still on the same campus. So the remote term went away.
With secure access, what we need to focus on is the secure part. Yeah, for sure.
I mean, again, thinking about critical infrastructure, if you've got remote sites, they're of course going to be remote. But yeah, if you're coming from just an IT network to an OT network, that in itself is a remote network. That in itself is kind of remote access.
And again, that's where you need strong authentication, strong authorization for every request context, whether you call it remote access or internal access, because a lot of those distinctions are much more blurry than they used to be. Once again, it's the industry that's been doing it, and it's been leading the charge in many ways. What's driving the need for OT and IT integration?
Well, as I was saying earlier, I think there's a realization that for some kinds of use cases, cloud can be very useful for storing data, for running data analytics programs, for helping manage some of these kinds of environments. But then also even those that want to run these kinds of solutions on-premises, it's still trying to connect your IT and OT.
And again, for maybe historical reasons, those environments have not been that well-connected before. And there's reticence on the part of people with titles like director of OT security to want to connect that because of fears of ransomware spillover from the IT world. But yet the business, I guess, the business desire is to connect those so that you can leverage IT tools sort of in their own traditional environment. What would you say is driving the convergence between IT and OT?
Well, it's interesting, ISA Global Cybersecurity Alliance actually has a deck out there on the benefits of IT and OT, quote-unquote, integration. And it really comes down to lower cost of commercial off-the-shelf software, transfer of the best practices to OT, i.e. patch management and other things, using those best-of-breed tools that have worked in the, quote-unquote, IT world. Ease of use of performing security and analytics, pulling it together, you want that merged. Lower fixed costs, getting rid of redundant systems out there, being able to track in real time.
But then they also put out there the risks of that as well in their slide deck and their publication, which comes down to the disruption of ICS resources and critical systems and accurate information that could be sent to system operators. And the one thing that they do state about, if you're gonna do this, even though they're saying, here's all the benefits, is to ensure that the first step in an incident response plan is to disconnect OT from IT, because when you look at it, who controls the firewalls in that DMZ area is generally IT.
If they're under attack, they're not gonna have time for you. So it's the business driving the vision of saving money, getting the same product across. So we've got time for one more. The context of integrate versus interface. Why does that matter? Since you described it, how about you take that one? Easy. Integrate means you're blending two things together.
Interface, the context of it, means to put together. And I have one slide that I actually presented at a conference a couple of weeks back that shows this in its very purest form. And it's people playing soccer versus people playing football in the NFL. And they're both called football. If you go to the UK, they're gonna tell you soccer is football. If you go to the US, they're gonna say football is football, soccer is soccer.
And so when you talk about integrating as the blending of two, as I said, if you walk up to an auditor and say we've integrated our systems, you're defining scope, you're changing mindset, you're pushing that boundary of COTS software across everything. If I tell you we now use one virus platform integrated across the environment, your first thought is, then I should be able to touch every resource and manage every resource. There's no disconnecting that if you're managing it in that capacity, if your vision is that. So it really is important how we address it and view it and contextualize it.
Great. Well, thank you. We're up at the top of the hour. Thanks for the great presentation, Kevin. And thanks to all of our attendees. Any parting words? I just think that we need to be clear on how we envision things, clear on how we speak, clear on how we understand why IT tools are coming in because they are. IT resources are coming in. We can't be adversarial. We have to support each other and have a common vision. Agreed. Okay.
Well, thanks again, everyone. Join us for our next webinar and have a good rest of your day.