Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm Senior Analyst and Lead Advisor here at KuppingerCole. My guest today is John Tolbert. He is a Lead Analyst working with KuppingerCole in the USA, hailing from Seattle. And welcome to you.
Hi, John. Good to have you.
Hi, great to be with you.
We want to talk about a topic that is often ignored when you talk about IT security: security in the factory-floor context, in an industrial environment. So we want to talk about industrial security. If we look at the news, just quite recently, there were some industrial control systems that have been in the news over the last year. When we look at these attacks, to start from that point of view, what do they have in common? Where are they similar?
You know, that's a great question.
I think when you look at, especially, the last six months or so, there have been a couple of high-profile attacks. Probably the highest-profile attack on industrial controls was related to the Colonial Pipeline event back in May, where they had a ransomware attack and shut down the pipeline for a number of days, stalling oil and jet fuel deliveries all around the South and the East Coast of the US. So it was pretty significant.
It didn't actually affect the production equipment, from what we are led to understand based on reporting; it affected the office systems, but out of an abundance of caution they shut down the pipeline and all the associated industrial controls in order to prevent the spread. There was another attack back in, I think it was January or February, on a water treatment facility in Florida, and it was unsuccessful.
But in that case, the attacker was able to get in using a remote access tool.
And in many of these cases, we see that there are some commonalities: things like services that are left on that shouldn't be, old username and password combinations.
Users that may have left the company or the organization should have been deprovisioned but weren't. And just using passwords for allowing remote access in itself is something that shouldn't be possible. So a lot of these vectors involve traditional enterprise IT.
But there are attacks that have happened against, let's say, power generation and infrastructure in Eastern Europe a few years ago, and in the Middle East. In these cases, a lot of the industrial controls infrastructure can be different from enterprise IT, and that's what can contribute to making it harder to secure industrial controls environments, or, like in the case of Colonial Pipeline, they were concerned about crossover from their enterprise IT to industrial controls.
Right?
So we are talking about things that we would consider, looking at traditional IT security, as cyber security hygiene, or deprovisioning of accounts that are no longer in use. But this is obviously more difficult when we talk about OT, operational technology, and ICS systems. Why are they so hard, or harder, to protect?
Why are they not that easy to defend?
Well, in a lot of cases... So there are a lot of different reasons for that.
In the enterprise environment, everybody's got a laptop or a desktop, and we've got servers and clouds and things that are well understood, and security tool vendors have been making solutions for those for years.
Most of that involves some kind of an endpoint agent, in many cases, for detecting malware and ransomware. In the industrial controls world, either there are machines that are maintained and controlled by the vendors of the industrial control system, and maybe they don't allow endpoint agents to be installed, or it might invalidate the warranty.
Sometimes that's the case in the healthcare field too, from what I'm told: you'll have machines in a medical environment that can't really receive endpoint agents or other security tools, which can be more difficult to even monitor, not to mention secure. And then in other cases, they may have very proprietary operating systems.
We also talk about industrial IoT, the Internet of Things. So even physically lighter-weight devices that may not have operating systems that can support agents, or they may not be all that user- or administrator-configurable. So it's difficult to have them participate in the same general enterprise IT security scheme that our regular office and cloud networks can benefit from every day.
Right. And we always hear these stories of these really old-style operating systems still being used, still having XP running, just because things work that way.
And as long as the walls are thick enough that nobody can attack that, it can keep on running, which might be at least a bit misleading when it comes to feeling secure in that area. If we look at the total numbers, of course, these OT devices, IoT, industrial IoT devices, are not that many compared to traditional office operating environments with tons and millions of machines.
But nevertheless, I would expect that there are specialist vendors that focus on providing security especially for these systems, for these highly endangered systems. What kind of solutions are there? I expect you have been doing some research here; I expect that there are some vendors who actually do that. What kinds of solutions are around that really tackle that problem?
There are a couple of different approaches that we see.
With industrial control systems, some of the vendors themselves provide security within their own platforms. So you're kind of limited, and they may not in all cases work well together with the rest of your security infrastructure, but these platform providers have some proprietary security mechanisms.
So if you're running an environment that has one of these proprietary platforms, I would say do what you can to make full use of the security capabilities within that. I think one of the biggest problems that we have is our lack of visibility on the operational technology and industrial control systems environments, and that's where there are a couple of really interesting technologies that come into play. The first would be NDR, network detection and response.
These are, in many cases, sensors or appliances that either plug in inline to the network, or sort of live off a SPAN or TAP port on a router or other network device, or live inside the hypervisor in a cloud infrastructure-as-a-service instance, and they collect telemetry. There are two different high-level methods that they can use.
They can either decrypt the traffic and look for malicious goings-on in that, or, more sophisticated...
And now really more commonly these days, the vendors in this area have learned to understand what threats look like even in encrypted traffic. So they watch the traffic going by across all your different environments and can alert your staff and even take action. So it's detection and response. What kinds of responses can you get?
Well, ideally, you'd be able to do things like block that traffic, block by IP or URL, isolate a host or something like that, and then integrate with the rest of the security infrastructure, typically something like a SOAR (security orchestration, automation and response) tool.
So that's NDR. Then DDP, distributed deception platforms. That's another area where it's kind of an active defense, and that's what I think makes it really interesting.
It broadens the ability to pull in intelligence about attacks that may happen in your environment by creating fake resources: everything from fake sensors or computers or network segments themselves, but also things that an attacker might be interested in, such as files, credentials, SSH keys, RDP sessions. These platforms help an organization deploy these fake resources, manage them, and change them up periodically so that they look realistic.
And they're designed to draw the attacker into this environment so that the customer organization can watch what's happening, learn more about the tactics, techniques, and procedures that are being used against their deception environment, so that they can better prepare for attacks against their real infrastructure if it happens. So both of these tools, NDR and DDP, increase visibility and give customers that deploy them options that they otherwise would not have without these kinds of tools.
Right?
So this DDP really sounds like orchestrating honeypots at a larger scale and making sure that you can monitor what's going on while your actual target systems are hidden behind them, or are at least outnumbered by the honeypots. You have just recently published a Leadership Compass, so our document category that compares different products from different vendors in that area. What information can you provide? What did you learn from this Leadership Compass and from these different categories of products in this DDP sector?
This really sounds interesting.
Yeah, it is. It is fascinating.
I think having an active defense, a way to get really pertinent intelligence about what may happen to your organization, has a lot of value, especially in these areas: industrial controls, operational tech, medical gear, medical networks, places where you may lack visibility. This is a great way to pull in this information.
And so what I discovered was that the vendors that are in the space have varying degrees of coverage in ICS and OT and IoT, but they all are realizing that this is an area where their technologies can help quite a bit. So you'll see different kinds of environments that each of the vendors specialize in: some have really good coverage for those medical networks, others have good coverage for specific kinds of industrial networks, as well as enterprise IT. So it's not just limited to industrial controls.
They do things like look at LDAP and Active Directory and can pretend to be various kinds of general enterprise IT servers. But there is a lot of good coverage for industrial controls by the DDP vendors that we surveyed and wrote about in the report.
Right. So it's not only for OT and ICS, for industrial control systems, but it's really an area where they make perfect sense and where they can support where other security mechanisms might not be applicable, as you've mentioned earlier.
Yeah.
I think it's not just honeypots. I mean, it's kind of an evolution of the old honeypot idea, but it really is a platform. So it's a way of helping a customer automatically generate resources that look realistic and distribute those in ways that make sense: do some network mapping, put things in places where they're parallel to other real assets, like you said, to kind of draw them in, away from the real assets. But it's much more than a honeypot.
Okay. You got the point.
So it's really also, as you said, an active way of defending against the attackers by creating a wide range of additional assets that look trustworthy and look interesting for the attacker. You've mentioned before the NDR sector as well, as being the second part of the weapons that you have when defending OT and ICS. I understand you're working on a Leadership Compass, or at least a document around that topic, as well. Is there something already available where you can shed some light on that market, although it is not yet published?
Yeah.
This is an update to a Leadership Compass we published last year on NDR.
So yeah, I'm working on it right now and trying to get as much information as we can about how these solutions help in the OT and ICS world. And I'm pleased to say that there's a lot of good coverage amongst some of the vendors in this report, too, for OT and ICS and IoT.
There are different protocols, a lot of different acronyms there, but there are different protocols that work in each environment, and being able to not just detect that, but figure out if something malicious is happening inside that protocol traffic, that's what's really key for increasing the visibility. And in many cases, the NDR tools can help with that.
I would say look for the report when it comes out, because I'll try to provide more detail about which kinds of environments are covered by which vendor tools, because there are differences between the types of protocols, the types of industrial settings, where each tool might work best. But the good news is there are solutions that can help companies and organizations that are in the various industries and running different kinds of equipment.
There are security solutions available, and we're trying to bring all that to light in these Leadership Compasses.
Right. So for those who are interested in learning more about that topic, I understand the DDP Leadership Compass is already out and can be looked at on our website, kuppingercole.com, and the NDR one will be out soon.
So for those interested in that topic, and I have to admit me as well, I would like to have a better understanding of these converging security solutions, because they cover not only traditional IT security, cyber security, but also the OT part. And I think that's really interesting, to get to a bigger picture and to understand how these very different infrastructures can be protected as well, getting to a common approach towards cybersecurity.
And if we talk about cybersecurity, of course, we need to mention the Cybersecurity Leadership Summit, an event that we will be hosting in November in Berlin and online. So it will be hybrid again, just like the EIC that took place in September in Munich and on the internet. And cyber security in that context, when we say cyber security leadership, we'll also have a look at that as well. Am I right?
Yeah. I'm looking forward to this edition of our CSLS.
The last few years we've had really good participation; Berlin has been a great place for that. We've come to know lots of experts across Europe who have attended CSLS in past years. And I know there's an emphasis on the leadership aspect this time, too. So there will be technical content, and there will be lots of information and resources available for those who are involved in leading cybersecurity organizations.
So we're definitely looking forward to that event next month, and hoping as many people can join us online or in person as possible.
Absolutely. I'm looking forward to that as well. And as you said, we are looking at the technical aspects, but we're also looking at the people who are responsible at the C level, at the CSOs, people who are really in charge when it comes to taking the right decisions and getting to well-informed decisions. I think CSLS really is a great place to be. We've talked about the existing DDP Leadership Compass.
We talked about the upcoming NDR Leadership Compass. Is there other research that's coming up in that area as well? Or are you looking at specific products, vendors in more detail? What else is to be expected in that area?
We do have some other research planned, probably for early 2022, that covers industrial controls specifically.
And we'll take a broader view, not just technology-specific like DDP or NDR, but try to provide a more comprehensive look at how organizations that have these kinds of environments can protect them and integrate that into their overall cybersecurity architecture. So yeah, we do have more things like that planned for next year as well.
That sounds really promising, and I'm really looking forward to that, because we as analysts also need to broaden our view there, because these systems are as important as the traditional office IT as well.
So for today, thank you very much, John, for being my guest today. As I said, we will be talking to each other in Berlin for this event as well, and I'm really looking forward to talking to you soon again for another episode of this podcast. For the time being, thank you so much, John.
Thanks.