We stay in the IT/OT discussion area and have a different, complementary view on how to control access to the devices from a classical information technology perspective. This is called privileged identities. Please welcome Yari.
Thank you.
Hello. Good morning. Good morning. Yari, you're with CyberArk, right? Have you already been involved in critical infrastructure protection?
Yes. A lot of projects across the world.
It's an emerging market, and a lot of people who have been dealing with this technology for many years started, in the last two or three years, to realize that they have a really big security issue, and we are there to help them.
Okay. Thank you very much. So, yours.
Thank you. So, good morning, everyone. My name is Yari. I'm with CyberArk, part of the product management team, and I'm focusing on OT and industrial control systems. So I would like to start by answering what OT is. I've been here for the last day and got a lot of questions.
So, what is OT? OT stands for operational technology, and it is what drives the world around us, so we can find it basically everywhere. Our power grid is operational technology. The water and sewage systems that we use are powered by operational technology; oil and gas infrastructure, production lines, traffic lights, transportation systems, all of that uses operational technology. Even the building management system in the building we are sitting in is operational technology. So we understand it's all around us; it is used heavily by humanity.
So why do we keep hearing that this technology that surrounds us is so insecure?
There are a couple of reasons. The first is that it is insecure by design, meaning that most of this technology was designed 15 or 20 years ago, or even 10 years ago, and security wasn't the top priority for the engineers and developers who developed it. This wasn't an issue in this market. Nobody thought about how to hack the power grid, or hack your car, or hack a building management system. In this area of operational technology there is always a preference for availability over security.
A system needs to be up and running, and whether or not somebody is trying to hack into it is not really a consideration. The power grid needs to be on all of the time. And this leads to decisions like: if you have some kind of operational system and you need to access it, don't make it a sophisticated and hard password, make it a simple password, maybe only four digits, and don't use alphanumeric symbols, just numbers, so people can access it very quickly.
That's great, but it's not so secure. Systems like operational technology, especially in the power grid and the oil and gas and pipeline industries, are up and running 24/7. There is absolutely no downtime, and if there is downtime, it costs a lot of money. So if there is no downtime, there is no real time to do any kind of security patching. So systems are kept running for many years without critical security patching, leading to more vulnerabilities. And the general concept is that if it ain't broke, don't fix it.
Systems are there, systems are running, don't try and mess with them; it's okay until it's not okay. So if it's so insecure, let's just isolate it from the entire world. We'll have a vulnerable system, but isolated with an air gap and other capabilities from the rest of the world, and then we'll be safe. Right?
Well, isolation as I see it, does it really exist? Not so much. We see it again and again. For example, we have the issue with removable media: people carry their thumb drives, DiskOnKey devices and other solutions from one network to another. So even if you do have an isolated network, from time to time people will somehow bring their own software to it. There are mistakes.
If you have some kind of power plant where you have one critical network and another, more corporate-type, general-usage network, people will make mistakes and connect a cable between one and the other. And sometimes people will just put the connection in temporarily to do something, you know, for 10 or 15 minutes, and then they'll forget that cable. So nobody knows that cable is there, and there goes our isolation.
And of course, probably the biggest issue is that even these so-called isolated networks are still connected to the outside world, because of third-party vendors that need to support these kinds of systems, because of corporate users that need to log onto the operational network. Sometimes we have engineers or technicians who are in a remote location or at home and need to access the critical network, so they will access it remotely. So there is no real isolation. This is something that in most cases doesn't really exist.
And there are very few networks that are really isolated from the outside world. So we understand there is no real isolation, and we keep hearing that somebody is taking advantage of the fact that this is not isolated. We see over and over again different attacks against operational technologies; critical systems are being hacked. Sometimes there is damage, sometimes only information gets stolen, but we don't know everything, and there are probably a lot more attacks happening that don't reach the news, because most of these organizations will not go and report this to a news reporter.
So we understand that there is no isolation. We understand that hackers will be able to hack into almost any kind of these networks if they spend enough time. Then let's try and understand what a hacker will try to do once he's inside the network. So, privileged accounts: this is what hackers are looking for in most cases. If a hacker is inside the organization, and they will be inside the organization if they spend enough time and money, they won't try to hack or take control of a regular PC of a regular user,
because there is a limited amount of information that they can steal or a limited amount of damage that they can inflict. What they will try to do is take hold of a privileged account, an account that really allows them to steal a lot of information and do a lot of damage.
So this is basically what both malicious insiders and external attackers will try to do: get the privileged accounts, what we call the keys to the kingdom.
And this is the basic flow of an attack. Imagine your organization just above the network perimeter line, where we can see attackers coming from the outside or from the inside. And the first thing that they will try to get, after they're inside, is a privileged account.
Once they have a privileged account, they'll try to do some reconnaissance inside our network, our operational and critical network, and do what we call lateral movement: move from one server to another, from one application to another, until they reach their target, if they have a specific target, where they will do the stealing of data or the damage that they are planning.
So what we at CyberArk are focusing on, assuming that an attacker again will be able to penetrate the network (and they usually are able to do that), is preventing them from any kind of access to these privileged accounts, and if they do get access to one privileged account, preventing them from moving to another privileged account by securing this space.
So here I'll talk about a specific customer of ours that had to open its operational network to third-party access, because it was very dependent on third-party vendors for support.
It's a very large multinational electric utility company, dependent on getting remote access from its vendors, as I said, almost on a day-to-day basis. So it was dependent on a large number of vendors, and vendors keep calling the control room asking for remote access. So it was very hard to keep track of what vendor got access to what system, and when, and why, what he is planning to do, who will authorize this access. So all of this information and the approval process, once you're talking about a big multinational utility, that's a problem.
You have too many people accessing your most secured users, your privileged users, from remote, and you don't really know what they're doing, and if something breaks, who's going to take the fall for it.
So what we've done is implement our solution, Privileged Session Management, taking control of the whole process of getting approval for remote third-party vendors and providing them access to our privileged accounts remotely. We know exactly who the person accessing this privileged account is, we know why, we know when, and we control whatever he is actually doing, and we can even record it.
Now, I won't get into the technical bits of it, but we can see on the top a general view of what an OT network will look like. We see the OT network at the bottom, we see the corporate network at the top, we see some kind of DMZ between those networks, and a remote third-party vendor. After it gets the usual VPN access to our DMZ, it will need to go into a session approval process, where the solution will authenticate the specific user.
We don't just rely on this being an employee of some vendor; we know exactly who this person is.
We authorize him to access only the specific systems that they actually need. We can even make him ask for permission. So he will say, I need access to system A from nine to eight, or from nine to ten, I'm doing this kind of work: I need to patch something, I need to upgrade something, I need to change a configuration. So all of this information is logged. We have someone on our internal network that we trust who will approve this.
So we take control of this process and allow that third-party vendor to have access to whatever system it needs. All of this, even though we allow that remote user to access some privileged account, he is not aware of that privileged account's password; in our process of letting him into the network, we do the logging of the session and we just provide him with the access. So we create this kind of isolation between the remote third-party vendor and the target system, making it isolated from attacks.
One more thing is that this world is different from the IT world. Of course you have different devices, different protocols, different technologies. One of the technologies that we've been working on is an integration with GE Energy, for example, for one of their very well-known devices, the D20. We've worked with GE Energy on this, making sure that our system can manage privileged accounts on top of this device. This is an IED, an intelligent electronic device. Usually you will find it in electric substations.
You know, an electric utility could have hundreds, maybe thousands, of those devices. So it's very important to manage these kinds of accounts.
Specifically, there is a specific regulation for this in North America that requires energy utilities to manage these privileged accounts, and the regulation is called NERC CIP.
And this is something that we've done with GE Energy. So this is a very good example of how we take technology that was born and built for general IT security and use it for the OT world as well. So to summarize, as I said, with enough effort hackers will get into any OT network; it's just a matter of time, energy and money.
Once inside, these hackers will try to get hold of privileged accounts. And so this is the focus: preventing remote hackers or users from accessing your privileged accounts without the control of your supervisors and your IT security team. That's it. Thank you very much. If you have questions, I'm at the CyberArk booth. Thank you.
Thank you very much, Yari. Thank you. I assume you made one basic assumption, namely that the protocols are secure, right? I mean, the privileged identity is of primary importance if I have no chance, or I need a high effort, to actually get past the authentication, right? So this is an excellent solution, but what do you recommend for addressing this vulnerability at the protocol level?
Well, there are issues at the protocol level, of course, and this is why a lot of utilities try to isolate: you have vulnerabilities, then you try to isolate. And this is another good example of why, if you can't trust a protocol, then you really need to check whoever has access to this network. And this is again another reason why you need to have some solution that will control any access, privileged or non-privileged, to your very sensitive network. Because if there is a problem at the protocol level, it's very big.
It's not something that a single vendor or single solution can solve. You have to really isolate it and use something like what I've described to control whoever has access to that network.
Okay. So it basically means that the protocol level is an additional topic to address, besides identity management.
Yes, it's a piece of it. Yeah, it's another vulnerability, and it just makes the isolation an even bigger problem.
Okay. Thank you very much again. Thank you.
Thank you.