Yes. The avoiding plan B is of course trying to make sure that we do things properly. And I always think back to when I was very early in my career and I had a manager who sort of took me under his wing and he said, "You know, Graham, we never have enough time and money to do things properly, but we always have time and money to do it over." And what he was basically saying, and this is so true when it comes to security: in many cases, organizations are not taking the time and they're not putting the money into doing things properly. They're crossing their fingers.
They are hoping that nothing happens. And the problem is, as we know, many companies get caught out and they end up having to spend a lot more time and a lot more money than they would've done had they done it properly in the first place. So I just want to go through just a couple of things that would allow us to keep ourselves on the straight and narrow and doing things that, from a business sense, make a lot of sense. Okay. Particularly when it comes to the Industry 4.0 environment, where we're often dealing with situations that, if they go bad, can be catastrophic.
So with that, I'd just like to share with you just a few, a couple of ideas here.
Well, in effect there's five. The first thing that we must do in an Industry 4.0 environment is to make sure we know what we've got. We need to have an asset inventory or create an asset register so that we know what it is that we're dealing with. It's often said that you can't manage anything that you don't know about. So what we're talking about here is making sure we know about our operational technology environment.
In that situation, we need to have a documented inventory of what we've got. When I say inventory, what we need to know is what are the devices out there? We'll have some devices that are supervisory in nature, typically a PC. They're typically easy to deal with because we've got tools that look after PCs and allow us to participate in a security operations center or something like that. But then we've got control systems. Sometimes they're going to be remote PLCs, like programmable logic controllers, and then it becomes a whole lot more difficult.
And in the past, my experience has been that a lot of the personnel that are looking after your PLCs and the devices that are measuring something, or actuators that are doing something, they sort of keep it close to their chest. They don't share that information. And they're typically not that good at documentation, but we need to know what those devices are out there. The basic information about the device is the manufacturer, like what type of device it is, who it comes from, the date that it was installed.
More importantly, the date of the last update. Okay. The purpose of the device needs to be documented from that point of view. And we need to know where it is. That sort of asset inventory is something that we need to put together, so we know what it is that we are dealing with, and that information should be regularly updated. Now there's tools to do this.
You don't have to think it all up. You don't have to make it up yourself. There's tools that you can get off the shelf that'll do 90% of the work of putting together an asset register. In some cases, devices will be difficult to understand.
So for instance, if you're dealing with a PLC that has been programmed not to respond to any queries that might be sent to it, you will need to augment the documentation that you're able to generate with some manual work of actually going and visiting your installation, making sure you know the assignment of devices, terminals and things like this. Okay. So that's number one: getting an asset inventory together.
The next basic that we should be looking after is to make sure we no longer have any devices that are using a password that's either easy to guess, or a password that's a default password. Like in some cases, equipment comes with a default password that you, when you go in and install it, are supposed to change to a password that's not known by anyone else.
So if that's not happened and you are now using that device in a production environment where it's using a password that somebody could just go into the manual, find, and then get into your device, you're in a situation where you've deliberately put yourself in a vulnerable situation. So we need to make sure that we have gone through that activity of making sure passwords are changed. Also appropriately documented.
We need to keep track of them. Unfortunately, in the OT space, we've not got to the place where we can go passwordless. We are dealing with passwords when it comes to PLCs, I'm afraid. So properly controlling that, though, and making sure that we, as appropriate, regularly rotate passwords: if somebody's leaving the organization and they have knowledge of the passwords, that's a good time to make the changes, if you can. Now I understand there's difficulties. If we're talking about a remote PLC and we don't have remote access to that PLC, it's difficult to change the password.
We've gotta send somebody out to do that. And it's quite a bit of work, but it's a lot less work than having to deal with a contravention where somebody has actually broken into your network. In terms of changing the password: in some cases, devices can be reset. You could do a hardware reset to re-enable the passwords that originally came with the device. So you do not want to have a reset capability active that allows the initial password to be reinstated.
So you need to close that loop too: make sure that that hardware reset option mechanism is protected or not readily accessible. Okay. The next thing we need to do is patch devices regularly. Okay.
Now, if it's a supervisory system, it's typically going to be a high-level computer. So it's running a commercial operating system and that's not too difficult. Okay. Most suppliers of PCs have the capability of accepting a patch and most organizations are putting out regular patches that need to be installed. Now in an industrial system, you don't want auto updates on, please. Okay.
An update, as we all know, in the Windows environment can create difficulty. Now, sometimes after an automatic update on our laptops, some function no longer works. We do not want that situation in an industrial situation. So we're not going to do auto updates. We don't want the situation where Windows comes along, makes the update, and then our system no longer works. That can be catastrophic in an Industry 4.0 environment. So we don't do auto updates, but we do have regular updates. And that's typically quite easy on a supervisory system.
A supervisory system can be taken offline in non-production hours and the update applied. When you do the update, make sure that you have a test routine that you follow to ensure your application is still working properly. Okay? Always have a rollback option so that you can roll back to a previous version if something goes wrong, if the patch is doing some difficulty to the system that's making the process no longer work.
So we do want to do those updates and take advantage of what the manufacturer provides for us, because typically an update is removing a vulnerability. And that's what we want. If it's a PLC, it's a whole lot harder. Okay.
Again, as mentioned, the PLCs are typically in a remote environment or sometimes a hostile environment. In those situations, actually sending somebody in to do that is going to be expensive. If it's in a sensitive environment, you're gonna send two people. You don't want just one person doing it.
But again, not doing it is going to potentially expose you to vulnerabilities that you could have avoided if you'd put in the time and effort and cost to fix them. So patching our devices is something that we want to do, and we'll need to have some mechanism in place to allow us to do that.
Now, in some cases, an OT product is in service for such a long time that you don't have any more patches coming. Like the vendor has stopped doing active maintenance.
It's in a maintenance-only mode. And there's no patches coming. That's not necessarily bad. Do not just rip out equipment because the manufacturer has said, "We're not doing any more updates to it."
You know, it's doing a good job; you don't need to go end of life on a piece of equipment.
I know some installations that are 30 years old and they're still doing the job that they were designed to do. A fourth item is segmenting the network. Now this is very contentious and there's no right or wrong answers here. Okay. Some people say, "Oh, you should make sure that you have access to the OT network from the IT network to make sure that you could take advantage of all of the opportunities that have come along in the IT space." Like, let's face it.
In the last five years, there's been an immense advancement in computer facilities to assist in monitoring, to assist in identifying issues. You've got systems, operations centers, you've got SIEM tools, event management tools. You've got the response tools, tools to help you in devising a response. So there's lots of things that are there that help us in the IT space. And in the OT space, sometimes we say, "No, I can't connect to the network. I'm not going to use all of, because it's very sensitive and it's going to stay segmented." And if that's the corporate approach, fine.
But if you do have the opportunity, and we are more and more seeing this now, when we are moving into the 5G space, the 5G technology in, say, a private 5G installation has immense capabilities of slicing the network into different locations, or I should say subnets, with different capabilities and different security protection. So do think through what that network segmentation might do for you, because if it can be done properly and intelligently, it could indeed really provide some protection for you.
So think through where you might segment that. If you're running a site, a factory, for instance, that's got Cat 5 cabling through it, I mean, that's an ideal situation where you've got your network in the factory and you're gonna put an edge device, and then you have your access to the public network.
You know, that's an ideal sort of environment to do a separation. If your factory is in head office, like it's all part of a big complex, then potentially use some network segmentation to help you maintain the security you need on the sensitive parts of your network. Okay.
The last item that I would suggest for plan A is to disable any services on your systems that aren't necessary for the task at hand. So, as we all know, there's a lot of background operations, there's things happening in the background that, you know, on our laptop, we want, because it's monitoring things for us and giving us notifications when something happens. You don't want that on an industrial installation.
You want to remove as many of those unnecessary services as possible. And if you've got open ports, like again, some equipment, PLCs, will be listening on a certain port, make sure that if you don't need those, they are disabled. Okay. 'Cause an open port is a potential vulnerability for us when it comes to our operational technology. So those were the main items that I wanted to mention.
In terms of further slides, I don't have further items, but if there's any questions, I'd entertain those.