KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
In his talk, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will look at security challenges in Industry 4.0 and how established technologies from IAM and cybersecurity might be utilized for improving security. His talk will also cover the wide range of themes to look at from a security perspective in Industry 4.0, including Edge Computing and SASE.
In his talk, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will look at security challenges in Industry 4.0 and how established technologies from IAM and cybersecurity might be utilized for improving security. His talk will also cover the wide range of themes to look at from a security perspective in Industry 4.0, including Edge Computing and SASE.
Okay. And as you can see, my theme is also about securing industry photo. What I wanna do is in the next 20 minutes, sharing some, some sorts on also how technologies from identity and access management and cybersecurity could deliver to OT security needs, but also spend a little bit of broader umbrella around some of the things we, we as Analyst see around, how do we need to, to move forward when it comes to securing industry forward, or what is behind that? What leads to, to all these challenges and also where do we see these, these challenges evolving and why is it so important to do it?
So what is the topic in some way it's industry for this is probably not $4 quite a little earlier, but anyway, for clarification perspective of terminology, what are we talking about? We are talking about today about operational technology, which is hardware and software that controls industrial equipment assets, processes, and the event. So it's really on that manufacturing production industry side, the technology. And as we all understand, I believe there's the need for security closely related to that. There's the industrial IOT. So IOT basically could be split into consumer IOT.
So all the things we use as, as individuals in our daily life and whatever light bulbs and all these things in, in, in the home and the industrial IOT like interconnected senses instruments and other devices connected within the operation technology space. And this comes together in this, these concepts, which are not that new anymore, either called industry Porwal or smart manufacturing, which is a concept that is about connecting it.
So for instance, the auto process of a customer, the supply chain processes and OT for really integrating business processes with the manufacturing processes to increase, to improve automation on one hand, but also for a better customer experience. So if you decide that you newly auto, we should become a different color, ideally credited with ate in the process until because your change. So to speak directive flows into the control then of, of the belt in the, in the factory.
That would be in some way, this, this, this idea behind industry for the hyper connected business and production line, and this involves the supply chain. This involves the customer consumer the challenge, maybe the biggest challenge at the end arises from the fact that requirements in on the OT side are fairly different from the thinking from requirements we have on the it side.
Now, I think this becomes most visible when we talk about terminology. So it, people tend to talk first about it. Security OT people tend to speak first about safety, to very related concepts, where safety is about assuring that no one is damaged to the machines aren't damaged, that humans aren't damaged, that machines are available. And security is really more what we think about immediately when we think about cybersecurity and when we do good OT security, then it's about doing both, having both in our focus, safety and security and OT as the, the experts in the space know.
And many of you probably know better than me is evolving. So we have this traditional OT, so distributed devices connected by our field buses to control us and some supervisory control elements, supervisory systems, this scatter systems, although we, we know from terminology, which gives some graphical insight into what's happening across this network over time.
So this network moved closer to device controllers that then control these various devices moving to standard protocols of one anti IP, but also more specific protocols like MQTT and becoming more standard systems than very highly specialized solutions that the, the tendency then beyond that is to go into IOT platforms, delivering some black and play, having a more modern, more flexible software development. Also further, further improving and optimizing the communications, delivering more analytics, more capabilities overall.
So this entire environment, this change, but this change is happening slowly. So in many, if not most environments, you will still find a lot of sort of very traditional, very legacy style type of technology. So that situation comes or, or comes together with change. We are observing.
So there's that change, which it comes from the, at the end digital transformation, the digital journey, which is what would be the better term for organizations towards already delivering digital services towards automated, towards optimizing and, and connecting the entire business in a ways that it serve best serves. The customer comes with services is very flexible, very tightly integrated.
However, that also comes with security challenges. And one of the, the fundamental challenges is that we are connecting worlds that formally have been disconnected.
And my, my, one of my main rules for securities, once you're connected, you are under attack. So at the end, the consequence of this idea of connecting the business side, the business process and the technical manufacturing operational processes is that we also open the doors wider than before, but they have been fully closed before, but we are opening them wider than before for attackers. And so we have these, these two processes and the it attack vector.
We know, by connecting the processes also in some way, lead to connecting tech vector. So, so imagine, and Ren were attack hitting your business and tripling down into at least parts of the OT environment, all nicely hyperconnected.
So, so how, how, how well are you prepared for that situation? How good are you backups? How fast can you recover? How fast can you get your production up and running again? So the question clearly is are you prepared? Are you resilient? And when you're prepared for this talk, I also looked at a couple of articles. I found in internet, including the Wikipedia, which is always a good source.
And so I, I read an article article done on, on the PLCs and there is section on security and this really raises the question. Did we pay enough attention? Are we good enough today for a challenge that is out there for, for quite a while?
So, so in 19 19 8, that it has been pointed out that most programmable controls have a lack of strict access control, virtual processes, etcetera stairs, the risk in 2010, we had this stocks snap computer room. We had other similar types of attacks. And before that there was little attention, but even then the, the point is that the situation is still not easy to handle.
And, and when you go to 2021 ly vulnerabilities at, at a very highest score, then are still hard to address. And, and when the solution only to live with network access to affect the devices, then this, from my perspective demonstrates how long the journey still is we need to solve. And it is complex journey because it's not a single element.
We, we, we just can protect. We have multiple layers, we have sensors, we have controllers, we have control systems in it and OT the, that, that work, depending on the environment environment you are managing, depending on the type of devices you are mentioning or things you're managing. Sometimes there are different organizations even which can access this and different people in these organizations. So we have a complex scenario with a lot of communication in between. And the question we must ask ourself is where, where to start. I'm I have a strong belief.
And also when you look at concepts, well established concepts these days, like zero trust security, then this is about multilayer security. So we must think about where can we add layers of security, easier for the communication between different layers, less we have in this picture, or for the elements of a certain layer. And generally speaking more is better, but it's not easy, not always easy to achieve, and it's not becoming easier when we look at the evolution. So when you take this picture and say, okay, what is happening nowadays?
Then, then we have this event of edge computing. So we have elements in between that are increasingly important to our it at OT. Cause they, they help utilizing on one hand services, we get from the cloud on the other hand to help reducing the amount of data that is transmitted is traveling outside of the OT environment, by moving workloads and processing close to the edge. And so this is so to speak the factory, the edge, and then somewhere which could be cloud or somewhere else.
Then we have in some way, an advantage in the sense of we get a, we get a device that also in some way isolates and, and can act some sort of gateway. But on the other hand, we also have this situation that we are with edge computing also, still continue and follow on this evolution of opening up our OT environments. So edge computing can have a positive impact if it'll right. It also adds complexity and another level where, which we need to secure. And it definitely does not remove the need for sufficiently protecting the OT world.
So to speak the left left hand side, more of this picture, we still need to do as much as we can in security as is, as is feasible. So this, so to speak the situation we are in, we have a, an established model of industry Porwal, or we have the reality that our OT environments are connected to the outer space. We will continue that journey with also more and more IOT platforms delivered from the cloud. It's more and more edge computing in that. And we need to understand where can we improve our resilience? Where can we improve our security at which levels?
And this always must be, as I've said, something which is multi, and we can, can't just rely on a single level of protection. So what could be the approach for that to secure, to, to make this world more secure?
And what, what is very clear is we can't just turn the wheel back or the clock back. It is a reality we're dealing with. And we need to, to, to understand if we want to, to follow the path. If we go down the path in the digital age towards more and more connectivity, immediate reaction, I just, yesterday I read an article, I believe it was in an article for McKinsey, which was about just in time in, in fashion, just in time, product production and fashion, where the, the what's produced is directly. So to speak controlled by what people buy.
So to always have more or less the, the most fashionable staff on stock and in production, this will not disappear. This is the reality. And we require that, but we must then think about how do we organize it. And one of the things I believe is very important is we need to think about unification.
So, and this unification starts with a common language because the language is the basis for a common understanding. And the understanding is the foundation for a common culture. So we need to have this language where we understand security is different in safety, and we need to create the understanding of the culture. From there. We must move to a common ownership of it and OT security there, you can't split in a hybrid connected business. This is a thing which is so closely related that you need a Bal CSO.
So to speak one that speaks those languages or way you say you could argue, okay, common on language. And it's only one language, but at the end, it must be someone who understands both. You need also establish a common understanding about the risks, the risk mitigation, the risk responses stand. So what does it mean if you do something on that side or that side, what is the impact? How do you manage this? Because a lot of things happen because you start connecting without fully getting the understanding consequences.
From there, it is then about implementing a holistic approach and security from ITT, OT, and back or OT to it. And back, however you'd like to phrase it, you, you need to understand what are the assets across everything? How do you assess risks? How do you assess security across everything policy management that affects both, both sides, security analytics that gives you a holistic insight into the security risks, using identity in the access management, across everything.
And, and I think there's a huge identity in access management. Cion OT security, this Wikipedia quote I brought up earlier, there was this notion of little authentication, little excess control.
And yes, this is a challenge because we have these challenges and these, all these questions. So who's allowed to access which data into which event, the more complex it gets. A depending on the, the environment, it's not just your own organization, they are the suppliers and they are your employees. They might be a certain level of customer data request on where does my, whatever, how far, how far is my in production from partners?
Sometimes even governmental organizations when it comes to certain regulatory compliance aspects, etcetera, maybe insurance companies, and it's about ensuring the risk. So there's also need for a lot of data exchange. There's a lot of distributed data, and clearly it's easy to, to start the control systems, but we must also think about how far can we go with an authentic axis of people where we know this is Martin who is doing that, and it's exactly Martin. And we have, I think many of you are aware of that.
We have still a lot of open systems without much authentication, standing around in the factories where someone that walks a worker walk to the system does something and without authenticating, and we need to get better here. And I believe I have a strong belief that aside of the specialized technology. So we have a lot of good specialized technology for artistic here, ably a lot of talk about such technologies. We also have a number of, I am cybersecurity technologies that can help good old enterpri on yes, it is something where you can have.
If worker walks to the, to, to PC the factory, you can have an automate, a very easy authentication and switching into that context of the worker, it works in hospitals. And then it also can work in factories because it, it works for these environments where the fast user switching, privileged access management. So I controlling for instance, what your suppliers or what the suppliers of your, your production equipment do on these equipments. It's a case for privileged access management, secrets management. The love is about dealing with keys and certificates. We have technologies to do so.
And we have technologies evolving like cloud infrastructure, entitle management management, like dere, digital resource and Thailand access management, which we UN wield in September in our European identity conference, you will find a ton of material at our website, which are built to manage access to resource resource in highly volatile environments. They are not built for OT specifically, but they might emerge into this areas. So to sum it up a few gold rules, secure the insecurity, fold assume that everything you have is unsecure. There's no security by default secured hearted harden.
It don't trust the supplier apply learnings from it. Security. There are some good concepts. And if you have the common language and the common understanding, this might be something where, which becomes mutual, beneficial. Think about how to handle patients updates. Very critical safety is a challenge in that space, but how do you deal with it? How do you handle it? Because not patching, can't be the answer in these days. It might be that you isolate, but figure out how you can do it. Where are the windows? You can do it. What are the tests you need? How can you do both?
Do both security and safety. Where can you think multilayer don't trust software, Singapore, solar, etcetera, software security you've seen and implement a well working third party risk management across your supply chain security starts not just at your organization. It starts way earlier, very quickly, five steps to success, security isn't growth catalyst. Only if you would ride, you will succeed. You will grow, understand your risks. There are your risks, and you need to act upon, think about segmentation where are needed, but don't lightly trust it. It's not isolation.
It is helping to reduce impact and increased resilience, but it's not a no brainer. Think about identities and access you use as consequently, as you can across everything. So if someone or something accesses a service, then that should be about authentication, about authorization, about auditing, apply the serial trust principles. Don't trust the single entity, but go for multilayer security at all levels, from the network to the software and improve your process and policies, your documentation, all that stuff.
Even for the old legacy elements in your OT, you need new processes, characteristic tools to win. In this reality we have of industry photo. Thank you.
