So just, maybe I wait for people to sit, find your place. Okay. So good morning everyone, and thank you for attending. So I will be discussing and presenting to you today an approach to, at the same time, improve operational efficiency and secure the OT environment and OT ecosystem.
So let me take this. So let me introduce myself quickly. I'm WA Betty, product director for Wix. I've been in cyber security for over 20 years as engineer, architect and product manager. So let me go straight to the point.
Maintenance in industrial environments is a key activity for both, obviously, business continuity and operational efficiency, especially of course for manufacturing, for healthcare, water, energy, all the essentials that keep us functioning. Maintenance, whether for diagnostics, for health checks, for troubleshooting, for supervision, all those activities are mostly addressed remotely, especially since Covid. But in these global organizations that we have, remote access and maintenance both have to be addressed to avoid downtimes.
Most of the time today, manufacturers provide their own tooling with their own VPN access. And so you have maintainers required to access the factory from different regions with different identities, and a need emerged for centralization and control of those accesses, to avoid the proliferation and, of course, the extension of the attack surface.
Therefore, we are providing and we are offering a tool, our product, that manages identities, access and rights in a centralized way. But let's step back.
How to proceed to provide this support for operational efficiency and business continuity at the same time? So first of all, as you heard in the previous sessions, we need to ensure identification and authentication with nominative accounts. So getting rid of shared accounts, getting rid of the opacity and the lack of traceability that comes with them.
The next step is controlling this through approval workflows that could be more or less automated. So of course avoiding the layer of 16 or more approvals to go through, but we still need some steps of approval, workflows, traceability, meaning what's the perimeter, what's the scope of this intervention from the maintainers, and how to manage those sessions. Having some recordings, of course, as I said, for traceability, but not only: also in terms of operational efficiency.
This helps understanding whether there are production errors, how this happens, how we can improve the process to be more efficient.
And at the same time, all this and the metadata that are generated are feeding the data lake that will provide all the necessary input to generate the next-gen process in production that will streamline efficiency and production.
Furthermore, password protection, so that means rotation of the passwords, and together with that the protocol break that I introduced just before, which means that the third-party maintainers do not know the credentials to access the machine. They don't need to know them. That's provided by the bastion that's in the middle. And finally, of course, reduction of the rights and control of the privileges with least privilege and, moving forward, that's more with the elevation of privileges on a need basis.
Also with ephemeral accounts and with zero trust, meaning really the real zero trust, very difficult to say all those words, with zero standing privilege and getting rid of admin rights altogether.
This is relying on four pillars: segmentation, so with the rupture of protocols; filtering, so based on the traffic direction; authentication, as I mentioned, with getting rid of generic accounts; and controlling the rights. Those pillars are the same ones on which the regulations and the compliance that the industrials have to address rely.
So this is to give you the background and for you to follow a few use cases that will illustrate those points. First, securing the remote access: that's the basic flow that will illustrate all the steps I previously described. So the third party authenticates with MFA through a web interface, by the way, through a mobile tablet anywhere in the plant, that's very convenient. And then goes through the bastion with the rupture, the protocol break, which allows to access and record all the sessions to the different machines and the different protocols.
But then the complexity of the industrial landscape makes it necessary to enable the support of different kinds of protocols. It's not enough to support RDP and SSH. Furthermore, there are specific manufacturers that have, like Siemens for PLCs for example, I won't list them all, their own specific protocol. Therefore we, in conjunction with them, have created what we call universal tunneling, which enables support of any protocol as long as it relies on PLC, on TCP, sorry.
And that allows us to record and provide all the metadata and makes it very comfortable for the third party, through their entire portal for example, to manage and maintain the machines in the plant without any extra burden.
Furthermore, for provisioning, the VNC protocol is very widely used, and that connection to a unique session, for example for stations like SCADA, enables having full visibility for the auditors and for the maintainers. Whenever we talk maintenance, we talk file transfer. So let's discuss that.
Of course, you need to keep your machines updated, upload updates, you need to get maybe some logs, and if you have to maintain those machines, that is still possible and smooth through the bastion, which will allow to secure the SFTP protocol as well as antivirus analysis that can happen seamlessly, without any impact and without any agent to be installed within the plant.
So all this can also be addressed through a SaaS software that gives back to the OT maintainers, to the OT operators, the capability to create accounts on the fly while still being compliant with the corporate policy. So they don't need to go through the IT workflow and obviously not add anything in the corporate network. They just have the ability to create new accounts for a short period to make them ephemeral, including MFA, and then enabling full maintenance anytime and without any delay on the effective work, enhancing productivity.
So all those use cases need to be addressed in a way that is adapted to the industry, to the plant and to the architecture of the plant. The only success, and as in the previous session it was mentioned, the only way to deploy this successfully is if you do it adapted and make it work for the manufacturers and for the industrials.
So therefore, just a highlight, a quick view of the architecture. For example, if you take the Purdue model here, we see the need, without disrupting the overall model, to add a new layer that we could call the industrial DMZ.
That helps making the protocol break and enables securing without breaking the overall structure, whether on the OT side or the IT side. So we have come and positioned ourselves at the boundary between both. So that's the overall picture; I just want to show you here the flow. So the third party would go first through the IT layer, of course through the web connection, the remote connection, and then through the DMZ. Then that would access the PLC machines. So now I just want to give you a few words about IC and how we are addressing this.
So you may know IC for PAM, as a PAM founder and for focusing on the IT sector, but we are also really having a strategic approach on the OT and industrial sector, and we position ourselves at the boundary because all those concerns are finally neither fully IT nor fully OT. So it comes in the middle and it requires experience and skills and bringing people together to bring the right solution. So that's a strategy that we have developed, and hiring to have in-house OT expertise. We created the OT brand three years ago to convey this. So I wanted to leave a few minutes for the questions.
So any questions? And if you have any plans or any questions on OT, come and meet us, or ask questions here.
So I'm open to questions.
Thank you very much.
Yeah, thank you for walking us through, especially the architecture, giving a little deeper view into how to think about this problem. Let me check with the audience. If you have any questions, I can come to you, but while we're waiting for them, what do you see coming in the next six months to one year for these challenges?
So in the future, of course, as you have heard here, everywhere in every conference we are talking a lot about AI, and as you have seen here, we are managing a lot of data that helps our traceability, but that could also help to create the next generation of OT efficiency and operational efficiency that will address both security and efficiency. And I heard that in a conference the previous day: this is, you know, no longer the OR philosophy, it's the AND philosophy. So we need security and operational efficiency.
So making our tools not only secure but a means to be more productive is the only way to make security widely spread and accepted. Because, as my predecessors also mentioned, like I said, no, security is not my point. I need someone to access my plant to fix my machine and that's all. And I need it quick. So if we address that, and by the way address security as well, that would serve all the people. So I think AI will dramatically change the landscape and help going to the next gen.
Absolutely. Another question.
How is this solution, and the OT brand now, differentiated from a traditional PAM solution?
The difference is mainly in being specifically adapted and respecting the established environment. We cannot just, let's say, we cannot just change a name and say, okay, this is addressing OT now. So we have seen there are various specific protocols, there are specific use cases that need to be addressed in a dedicated way that would not be the same for IT. And the difference also in addressing OT is that you have to address OT concerns and pain points together with IT pain points.
So it's an extra layer on top of this. So anything we do for IT is still needed, but there's an additional portion that we need to address, and mainly to adapt.
So in that schema about the architecture, what I wanted to show is really that we don't change the model. We add a layer, but we respect the existing model, because we cannot expect the factories and the industry to change because of the need for enhanced security.
Thank you. A last check in the room, last question then. Thank you very much for being here today.
Thank you so much.