Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Industrial Control Systems: Understanding the Access Risks and Security Challenges. This webinar is supported by Wallix. The speakers today are Marcus Westphal, who is central and east new area manager at Wallix, and me, Martin Kuppinger; I'm founder and principal analyst at KuppingerCole. Before we start, some short information about KuppingerCole and some housekeeping information, and then we'll directly dive into the topics of today's webinar. KuppingerCole is an analyst company.
We're an international company with people in Europe, America, and Australia. We offer neutral advice, expertise, thought leadership and practical relevance, focused on information security topics, in particular identity management and identity governance, but also other areas concerning the digital transformation. We provide our services in three types of, or three forms. One is research, where we, for instance, deliver our leadership documents, which compare vendors and their products in certain market segments, where we do events.
I'll touch on this in a minute, and where we provide advisory services to end users, such as tools choice or maturity assessments.
We have a couple of upcoming events. Later this month we will run our Consumer Identity World Europe event in Paris, and in December we will do our Consumer Identity World APAC in Singapore. We also will do, end of February, early March next year, our Digital Finance World, which focuses on the impact the digital transformation has on the finance business. And then next year, mid-May, we will do again our European Identity and Cloud Conference.
It's number 12 of this event, which will be held again in Munich. In the advisory space, as I've said, we have, for instance, things like tools choice and other things, strategy development, et cetera. We also have maturity and readiness assessments. One of the new offerings we have is our GDPR readiness assessment, where we evaluate the state of organizations regarding their ability or their readiness for the upcoming GDPR regulation, the General Data Protection Regulation.
Having said this, let's move to the webinar itself.
So some guidelines here. You are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features. We will record the webinar, and the podcast recording will be available tomorrow, as well as the slide decks will be available tomorrow. And we will do a Q&A session, questions and answers, by the end of the webinar.
However, you can enter questions at any time using the questions feature in the GoToWebinar control panel. And the more questions we have, the better, the more lively our Q&A session will be. So let's have a look at the agenda. In the first part, I will have a quick look at what we are talking about, the terms such as ICS, industrial control systems, SCADA, industrial IoT, and more. And I will particularly look at the specific security challenges for these types of systems and their vulnerability to cyber attacks.
In the second part, Marcus Westphal of Wallix will talk about taking back control over ICS and SCADA systems by utilizing privileged access management. And after that, as I've said, we will do our Q&A session. So when we look at overall IT, and at IT in industrial organizations, we have this typical IT view, which focuses on the business systems, the administrative systems. So the ERP systems, whatever, the office systems and all the other stuff. But there's another part of IT, which is frequently called OT, for operational technology.
Operational IT might be the even better term, which focuses on the industrial processes. So around manufacturing, around control systems, controlling systems and all that stuff. And this is the other part, which is a big part of IT. And in these days of ever increasing cyber attacks, it moves more and more to the center of attention, because obviously attacks on these systems, for instance security issues in these systems, mean that there's a very high risk to the manufacturing environments, the products created and all that stuff.
So when we look at these types of technologies, which are used for the management of the manufacturing environments themselves, for process control, for supervisory control of processes, of the entire manufacturing, we have a couple of different terms and different technologies. So what we have is this umbrella term of OT, for operational technology, a term which is used more as a, so to speak, generic term covering all the various things. And then we have this next area of industrial control systems.
So these industrial control systems are the ones which are used to control systems, which are used to keep control of production systems, as a generic term. And then there are different variants, and some of them overlap with ICS, like programmable logic controllers, which are used to monitor longer running processes, typically. We have the DPCs, discrete process control systems, which are more things like counting things, like routing packages and other stuff.
And we have SCADA, which is supervisory control.
So the supervision of, for instance, sensors used in processes, and collecting the data, providing it back, which is then again sort of a subset of the ICS world. So there are far more terms and far more types of technologies in this broader space. But I think what becomes clear here is we have a variety of systems which are used on one hand to actively control the actors in the industrial processes, and which collect data back from the sensors. And these systems are critical for keeping the manufacturing process, the industrial processes, up and running.
So when I move forward, that leads us to the question: is it the same, or where are the differences between IT and OT? If you compare these two areas from a usage perspective, OT is focused on manufacturing and the physical value chain. It frequently has a very, very specific focus. So it's technology which is built for a certain type of production. Obviously a lot of the stuff which is used in a nuclear plant is very different from the technology which is used in a production line of an automotive vendor.
On the other hand, if you look at IT, we look at the business processes, and there we have a high level of similarity even across industries.
So in the OT world, we have to deal with far more different systems than we have commonly in the IT world, where we as IT people, and most of us as the attendees are probably IT people, are looking. The owners are different: business departments versus the people for manufacturing, the engineers. The devices are different.
So on OT, it's sensors, product lines, it's the ICS systems which connect these. While on the other side, we have the various types of devices, the servers, the cloud services and all that stuff. We have big differences in standards.
So in IT, we have a lot of standardization. We always believe we could have even more, but we still have a lot of standardization. And we also have, and I think this is a very important thing, a relatively rapid, continuous modernization of equipment, while in the OT space we find far more proprietary, highly specialized and mature to even outdated technology.
And the focus of OT is on product. The focus of IT is more, so to speak, people. And that leads us to very different perceptions when it comes to security or, better said, safety versus security.
And this is, I think, one of the most important learnings when starting to think about how we can apply security, or what security means for operational technologies. So the main focus of OT is safety: the safety of people, the safety of equipment, the safety of goods. The main focus of IT is security. We have other aspects here. So the component lifetime in OT is up to 30 years and beyond; in IT, three to five years, maybe also seven or eight years or so, sometimes even a little more, but it's on average far shorter than it is in OT.
On the other hand, the availability requirements in OT are very high.
If your production line stops, it costs you money. In IT, in most areas, it's more medium: delays are acceptable. They are painful, they might lead to discussions, but they are to some extent acceptable. Real-time requirements vary between critical and delays accepted. The physical security for critical IT is considered high, while you can walk to most of the stuff in OT environments once you are in the factory, once you're in the plant. Security standards are established in IT; in OT, we have less.
So there's a lot of stuff under development, but it's clearly not at the level we have in IT. So we have really big differences, and very important to understand is this notion of safety versus security.
However, we have to be clear at the end, if we are not secure in the OT environment, we will have a safety issue because it might be under attack.
Then it might be that security issues at the end result in safety issues. So safety versus security. When we look at IT, the topics we are talking about in security are confidentiality, integrity, continuity, authenticity, authentication. In the OT space, it's availability, it's reliability, it's safety. So it's really a different perspective here.
And so in every discussion which is about how we could apply, for instance, established IT security technologies to OT environments, it's always about understanding that it's not only about security, confidentiality, integrity, et cetera. It's not even first about these; it's first about availability, reliability, safety. So we need to understand how we can combine this. And we also need to understand how issues in security, et cetera, might affect availability, reliability, safety. This is where the argument comes from.
So what are the consequences of failure?
And this is what is behind it.
So for IT it's, okay, data loss, data theft, data leakage, industrial espionage. That can be very harmful, particularly as a loss and leakage of intellectual property; lack of compliance; delays in business processes. All of this can be a major, massive problem. But when we look at production downtimes, this is what immediately costs money. So production downtimes are expensive. Quality issues: if there's something going wrong, it can lead to quality issues. Liability topics. The cost of restarting production.
So there are some types of equipment where, if you need to restart them, it becomes extremely costly. Revenue loss,
which is associated with production downtimes, obviously is a big thing. And last, not least, physical damage to people or material. So this is obviously the biggest challenge. And so clearly security for OT is even more complex than security for IT, because what can go wrong is far more critical and potentially costly than it is on the IT side of things.
So we need to understand that when we think about how we can improve security. On the other hand, we have the challenge, and that's what I want to touch on
in my next slide, that at the latest with smart manufacturing, we are moving towards a world where the manufacturing processes and all these systems, the ICS systems, the entire OT, are more under attack than ever before. And I would even say the essence of Industry 4.0 or smart manufacturing is that you are connecting your business processes and your manufacturing processes, but that means in consequence that you also open up the manufacturing world to new types of attacks. So in the business processes, we have a lot of established attack vectors. In the manufacturing areas,
yes, there are also established, but yet rare, attack vectors. Yes, we have things like Stuxnet and Duqu.
But when we look at most of the attack vectors, they are still targeted at the business process.
However, by connecting the processes, and as I said, this is the essence of Industry 4.0 or smart manufacturing, we also connect the attack vectors. So the established attack vectors can also cause damage in the manufacturing environments, or the manufacturing environments become vulnerable to other types of vectors, starting with ransomware. And when you look at some of the large ransomware attacks we have seen over the past couple of months: if the displays at railway stations are affected, then it's one sign.
It's not the full manufacturing thing, but it shows we are crossing the borders. And we had scenarios, also in one of the recent ransomware attacks, where automotive production environments were affected, because we are connecting not only the processes, but we are also opening up the door for new types of attacks. So we need to get better in security for these environments. No way.
However, as I touched on, technology in these environments is to some extent older. So there might be some physical access controls or not; it's relatively easy to enter many plants and manufacturing environments. Some are well secured, some not. There's to some extent a little bit the thinking of security by obscurity: if no one knows the system, it's hard to attack. There's still the notion of dedicated communication lines. We have it in some areas, but we are opening it up.
But what we definitely have is a lack of, or at least insufficient, authentication, authorization and encryption. A lot of systems on the factory floor are just open, so they can be accessed by people with little or no authentication.
So the level of security here frequently is below what we find in the business IT environments.
And there's also this notion of performance before security.
However, as I've said, with Industry 4.0 or smart manufacturing, with the hyper-connected enterprise, with the growing agility and new requirements to do a lot of things new and differently, these requirements are changing. And so we have access from the internal network and direct or indirect access from the internet. Frequently, it's really more an indirect thing. But at the end, if you have some cables or wireless connections in some way, then you have an immensely growing attack surface. And this is the challenge we have. And all the things are part of OT,
IoT also. When we go bigger, then it's about smart meters, grids and cities, which also are connected, which are potentially under attack; new types of distribution models; new types of identities which want to have access, which want to connect with the organizations and potentially connect through that with systems which never have been opened before.
And we have an overall growing complexity of infrastructures. And with all of that, we need to rethink how we deal with it.
And one of the starting points for security, from our perspective, is looking at the accounts. So what about account management in OT? Very frequently we find shared accounts, which are used by a lot of people, frequently with not very strong authentication. The least privilege principle? Hmm, rarely found, to be honest. Access management is not very well sorted out. Most accounts in use are not individual, low-privileged accounts, but are high-privileged accounts. Plus some things like this: we have this maintenance period, maybe between Christmas
and early January. In that period, a couple of hundred externals get access for maintenance of all the production lines, et cetera, always with highly privileged accounts for these systems, with little control.
Some of these accounts might survive the maintenance period. Frequently there is insufficient account management, and very frequently a lack of access governance; all these things are not here at the level we know from IT. So what needs to change? We need a combined view on security plus safety. We need to get a grip on the network,
so the entire access path. We need to look at protecting legacy by layered security. A lot of stuff we have in OT we will not be able to replace, so we need to think about layered security. We particularly need to understand the risks and act on the risks. So this is maybe the first thing: what is really the security risk, and what does it mean for safety? What does it mean for all the requirements we have for production environments? Yes, we ideally get to new OT systems with new architecture and IT best practice for security, but this will be a long way.
So we also have to deal with what we have. We need to enforce transport security. We need to detect where things are going on, et cetera. We need to do a lot of things here. On the other hand, we can build on existing investments in IT security.
And it's, I think, a good idea to look at this, because there are a lot of things we can do. IT sort of has got it all. We have provisioning, how to manage the accounts; access governance, who has access to what; adaptive authentication is easy, but also step-up authentication, flexibility in authentication, the right level of authentication for what needs to be done;
firewalls, intrusion detection, security intelligence platforms which identify anomalies in the behavioral patterns, and, last not least, privilege management, so how to manage privileged access. And as I've said, we have a lot of privileged access, and this is where I believe IT security, applied to OT the right way, with understanding of the specific requirements of OT, can help a lot to make these environments, the ICS, the industrial control systems, more secure.
With that, I want to hand over to Marcus Westphal, who will right now do the second part of this presentation and talk about how to do it right, so to speak.
So thank you very much, Mr. Kuppinger, very interesting. So my name is Marcus Westphal. I'm the area manager here for the central and for Wallix. And I will tell you something about industrial control systems, the topic here, that's understanding the access risks and security challenges. And I will follow up on the very interesting part of so privilege access management could be different things.
I will give you a short overview of what Wallix here offers and where we are, and some high potential views into the ICS space. So for those of you who never heard about Wallix: Wallix is a French cyber security vendor. It's not a real software vendor. So we are offering software.
Yes, but you know, you don't need to be on any kind of software. So that means we are delivering here full speed of appliances, which are completely pre-installed and preconfigured. We developed here privileged access management technology and drive that on a Bastion solution.
That means here we are entering as an appliance, as a proxy solution. We are a public company listed on Euronext in Paris. We have more than 500 customers at the moment. We have more than 85 employees. I think we will hit the hundred employees number by the beginning of next year.
We have some patents, and we are dealing here together with partners, and we are covering today 33 countries. Yeah. KuppingerCole named us here as leaders in the product and innovation categories in the KuppingerCole 2017 leadership for management. Access management, make it easy and scalable. So cyber security is at the heart of the digital transformation. We all know, in cloud security, it's a very hot topic: without any security services in the cloud, we will see a lot of news in the newspapers, like data breaches and attacks and so on. So security is one of the most important parts here.
And this comes as well right now into the ICS space. Yeah. Into SCADA systems, into power plants, factory floors, maintenance systems, shop floor, and as well in the IoT space.
Yeah, we are talking about smart city, smart home, smart offices, smart meters, connected cars, and so on. Everything which talks TCP/IP could be affected. That means security must be implemented by design from the first day. And what we all know in endpoint and on premises and data centers: security is always existing. Yeah. So 25 years, 30 years ago, they invested a lot of money into security solutions. And if you are buying new technologies, security will be a part of that. We are talking here about the privileged accounts, internal and external threats, and how to reduce the IT risks.
When we have a view on the ICS space here, on specialists, on power plants or the factory floor, the investments which took place were very high in the last couple of years. So most of the companies invested a lot in VPN solutions, in firewall solutions, in antivirus, IPS, IDS, and some other security solutions. But on the other hand, when you are a privileged user, then you have access to all the data. Yeah. With the right privileged user, with the right administrator, like root or the domain administrator or any kind of system administrator,
you have access to all information, and VPN, firewall and antivirus will not stop you. Yeah. And this is something very special: take control of the privileged user. When you are interacting with operators, with subcontractors, maintenance workers, engineering workstations, time workstation, there are always privileged accounts available. So don't let privileged access undermine your activity.
What is the architecture? What we see today is, in the current setup, we have some users coming from the internet, external users.
We have internal users, which are connecting to the target system, and the external users are coming through a firewall system. And what we are doing here: we will not change the compute infrastructure. We will add here a layer of security with the Wallix appliance; we will take control of the privileged users. That means we will take over the control of the keys and of the passwords. And we are controlling and monitoring all privileged sessions. Yeah. If the user comes from the internet, it's coming from internally, it, we are supporting here every kind of clients, every kind of target systems.
So the privileged access management, especially here in the ICS cybersecurity space: let's talk about access risks and security challenges. What we are seeing today, especially here in Europe, is that we have a lot of production lines, a lot of production plants and manufacturing, a lot of oil and gas companies, energy, obviously wind energy, or typical control systems like Siemens control systems or from Schneider or any other vendors. That means these systems are affected. That means, as a privileged user, you can shut down here the environment, you can shut down everything.
And this, as Mr. Kuppinger said, will cost money. So what are the detailed security challenges here? One point is the control and monitoring of access. You need to know what the privileged users are really doing on the target systems. Yeah. You have to get a live view. You can interact, you can stop activities.
When you see some suspicious activities, you can stop them, and you get access on all privileged access. That means you have control of all privileged access. Isolation: that means every connection to your target device can be isolated.
That means when you are on a target device, you cannot jump to other systems. So WannaCry and some other ransomware attacks are deploying over the network. And when you have completely isolated your ICS and target systems, this can be avoided. One of the big challenges is limited IT knowledge; I come to this point on the next page. It has to be easy in the usage, with a very high level of security. And the major challenge is here:
You are not able to install any kind of software, that means on a client and as well on the target systems.
Yeah. You are not able to install any kind of software on a production machine, on a control machine, on a manufacturing machine. So it must run without any kind of software. So the access risks and security challenges: when we are talking in the ICS space, it's usually not with IT guys. We are talking with the plant managers. We are talking with production guys. We are talking with maintenance, shop floor, service owners,
who are responsible that the production is up and running and availability is up to a hundred percent. Yeah. So that means this is a big change. In IT, you are talking with the IT manager, you are talking to system administrators, but in the ICS space, yeah,
In the, in the industry, you are talking at the end to the man in the smoke. Yeah. And let's underline this with a nice picture.
Yeah. So these are our contacts today. Yeah. When we are talking about security, these are not IT guys.
These are responsible for the production systems. And access risks here are: if there is an emergency, that means a production system is not working anymore, then you need an emergency access to the system. Yeah. So like an on-demand connection. So you have to add an approval workflow, so that the IT service provider or the owner or the vendor of the production machine needs to get access to the target, but you have to approve it. That means the service owner, the maintenance, the shop floor responsible person has to approve the access.
Or you have a maintenance, you have a support issue. You have to upgrade the software. Then you need a secure channel from the internet directly to the ICS target systems. And you have sometimes very limited IT infrastructure, which is most of the time completely different from the internal IT network. We have some regulations here which are worldwide, but which are very important for the European market here, like ISO 27001 as an example, or we have the IT Security Act of 2015, or we have some IEC regulations, and some more regulations are upcoming in the next year.
And security's really a major part of that. In ISO, yes, privileged access is really a part of that.
Let's talk about a use case or a business case. Yeah. One of our customers is Syngenta in Switzerland. It's a Swiss group specialized in agrichemicals. They are working or interacting in 90 countries. They have hundred 12 production and supply sites, and around nearly up to 30,000 employees. And what we did here at the Monthey site is we added a layer of security in the ICS space. That means we have here an external or third party network.
That means here for the external service providers. They have their own office network and they have a special industry network, and we are implemented in the middle. That means the internal users can connect from the office network with the office equipment directly to the target, to the production machines. And the policy which was deployed here is the proxy RDP. That means only the keyboard, the screen, and the mouse are allowed; no file transfer, no access, no use, no print, nothing.
So that means you can fully control the user, the access to the machine.
So we have full access control for the remote maintenance. For users coming from the internet, like service providers, that can enable here very easily the remote connection. We have nearly the same policy deployed, like the proxy RDP, but we have added here the approval workflow.
So a real, yeah, an approval workflow, and all sessions are recorded as video and text. That means all activities, all actions, what has been done on the target device will be monitored and recorded. So the automation group leader of Syngenta said about our solution, where we are looking for robust solution to provide remote maintenance capabilities and secure links between production and office systems has helped meet our expectations and has evolved and meet our specific needs. We particularly appreciate the management of local requests and validations and registration of all actions.
And we are talking with different technology companies, Siemens. So the chief information security officer said about our solution, but still represents very trust on for remote connection for the intra systems in a complete transparent way, and without any performance loss for the users. Today, we are partnering with Siemens, with Schneider Electric and as well with other production vendors.
And our customers here, especially in the industry sector are here energy from Germany, Porwal PSA group, inclusive energy, and a lot of other customers. We deliver here a wide band of white papers, of case studies, of blog posts. We have here special white papers about ICS, about the role of privileged access management and Industry 4.0. We have here case studies in the ICS space. We have a new ebook here available, the security of industrial control systems and its impact on the wider organization, together to see it speak group. All information is available on our website, www.dot com.
You will find us on LinkedIn, Twitter, and on YouTube with some very nice videos which explain our solution in detail. We have a special document about privileged access management for ISO 27001 compliance, where we are focusing on and highlighting the parts of the privileged access management. And we deliver here as well other white papers, like case studies from our customers, here in German language, as well in English or in French.
And we have some other interesting documents available, like the key challenges about ISO, or we have an executory issue from our friends from available and more and more ebook are coming soon about ICS. So we are here, the key play industry security, what is made for sharing. That means we are helping our customers to add a new layer of security to the ICS space, to get control of the privilege access and are here in the consultancy space and all information which are here. What you have seen are available on our website and will be distributed on at the end of this webinar.
So please find here my contact details. So if you have some questions, I'm happy to answer. If you have some questions in later on, please contact me at any time on my email or on my phone. And I would like to say, thank you for your time.
Thank you, Mr. Westphal. And with that, we move over to our Q&A session, and we already have a couple of questions here. And so it's time for the participants to enter their first questions so that we have a lively Q&A session.
I think one of the interesting questions, obviously, which frequently comes up when looking at OT environments, be it the factory floor or whatever else, is that it's not necessarily the newest OS there; it might be a proprietary system. So what kind of OS will be supported on the managed target?
So what, what can you manage there?
Yeah. This is a good question. So usually, as you have said in your presentation, these ICS systems are running up to 30 years or longer. Yeah. There's a big difference to the IT environment. That means you have systems like Windows CE, Windows XP, Windows 2000 or an older Linux system. At the end, you have to support every OS. That means all native protocols, like SSH, Telnet, RDP, VNC, or rlogin, and some others. So that means we are supporting all kinds of operating systems and all common protocols to connect to these systems.
So also the really old ones, let's say DOS or so.
Yeah. Yes. Yeah. If there's a DOS with a command line or 30
years, you know, I'm in the pre-Windows days, and by far pre-Linux days, realistically seen, okay.
So, so what needs to be installed in the production environment? I think this is one of the other fears clearly organizations have, so what needs to be installed there?
Yeah. So I showed this in my presentation: we have a solution which comes as an appliance system, like a proxy solution. There's a preconfigured virtual appliance, which will be implemented in the network, usually in the ICS or in the OT network. Yeah. And it's running very close to the target system. So that means every connection goes through our Wallix appliance to the target system.
And then we are able to get full control of the access and can control and monitor the complete access. So there's nothing to be installed. So that means no software yeah. On the client systems, no software on the target it's completely solution.
And yeah, it's completely available as a virtual appliance and we are supporting as well cloud environments. That means when you are outsourced networks or outsourced production lines, then these can be controlled as well.
Okay. So what are, are the, the, or the server requirements? Do you need specific hardware there or how do these systems then run? That's another of the questions we have here.
So on the server or on the target side here, you need nothing to install. Yeah. We are using the right available protocol, like SSH or Telnet and so on. And we are connecting to the target systems, and yeah, our system is coming as a proxy solution and it runs in between, between a client and the target.
Okay.
And, and from what I understood, you have a couple of customers in that space where you already have installed it in production environments.
Yes.
Yeah, sure. We have a lot of customers coming from the industry, from the manufacturing side, from the automotive space, from the energy power grid. And we have a lot of installations here, a lot of reference customers, as said here, like the big ones, all ones. And we can offer here references and a lot of information about, and we can share a lot of our experience here.
Okay. We have a set of other questions here, which are more about sort of deployment of that. So around trials, training, language support, maybe you can talk a little bit about these topics as well.
Yeah.
So free trials, or if you would like to test our solution, then it's very easy usually. So you have to download our appliance, which is an ISO file. We are supporting most of the common virtual platforms here, like VMware, Hyper-V, Oracle VirtualBox and so on. And we have an easy way of setup. So the solution is completely pre-installed and mostly preconfigured for most environments. And we will help here all prospects during the trial period.
So we, that means we are supporting them onsite or remotely. We are offering trainings as well. That means here for the implementation, like professional services for, we are supporting the customers during the whole, our period, and as well later on for the production guys as well, they have to use our solution. We will deliver here hands-on material, very best practices, how to use our solution and very helpful information, which are very easy to understand and at the end, easy to use.
Okay. Thank you. I think we are through all the questions we had here, so thank you very much, Mr.
Westphal. Thank you very much to all the attendees for listening to this KuppingerCole webinar, and hope to have you soon again in one of our upcoming webinars.