To the session. I know this is the last session of a bunch of sessions you've already heard, and I will do one very simple and small thing. This is to draw your attention to a threat which in some companies is somehow neglected at this time. And what I have to tell you about today is based on observations we made during the last weeks and months, let's say during the summer and the autumn this year.
But let's start into it. The title is when assets are to it, what we mean with as a very, very much, very, very many different meanings when you're talking about IT assets. What I'm talking about are those servers, which are normally Windows servers or Linux servers, which directly support OT machinery in the factories, in the different locations of a company. I want to draw your attention to those things, and I have a good reason for that. But before I do so, I think you should know a little bit about how I'm thinking, so let's start with that.
I'm afraid I cannot hear you anymore. Now back again. Yes. Okay. So I'm a fan of a management approach towards OT risk, towards OT security, which really starts with a well-designed risk assessment, which means not starting with buying the big, huge solutions which help you to see the whole OT network and all these things. What we really prefer at several companies is first to find out what the most important assets are. What part of the production lines causes the most problems when it goes down, perhaps through a cyber attack and things like that?
So this is something you must know about the questions you also have to ask yourself when dealing with all these securities. Why does it seem to be still so difficult to work on this topic? Because OT security is something we have been talking about for several years now. It's still, at many companies, very much at the beginning. And why is it so complicated? I know that I've written an article for the German information security magazine kes, which was 2016, where we dealt with the question: why do OT security projects often started to get on and on and on to start?
And let's see what the problems are. Sorry.
Again, I have problems to switch. Let me please reopen the presentation. Something has gone wrong. There we are. Okay. Do you see the presentation again? I think so. Yes. A question many companies come across when they are starting with security is who's really accountable. It's still very differently organized in the companies. In some companies, we have the IT department with just all the stuff, which is also in charge of all the OT security.
Then we have special OT security organizations, and we still have a lot of companies with no real OT security organization in place, but it's done somehow on the fly with asking the IT security and then trying to do something in OT security without some kind of systematic approach. The second one, which is always a topic between IT security management, OT and all the different stakeholders in the company, is how do we assure non-destructive security: availability, the most important factor in most cases for production lines.
So something like all the other problems we have in IT security are not so important. Everyone is focused: the machines must run. Third one, and you have thought a little bit about that in the presentation before this: would we discover a security breach? And I know that many companies at the moment are experimenting with solutions like MoSo and others, which show them what is really happening in the OT security network. But in many cases, on the other hand, they lack the capacity to deal with all the alarms which are coming from those.
This is a reason why I support the idea of first taking in the most risk, the machines, the production lines, the different systems with the most, with the highest risk club. Okay. So most of the companies wouldn't discover a security breach which is directly targeted at the OT environment. Perhaps they would detect something else if they do it a little bit differently. And this is what the presentation is involved with. Yeah. So talent gap is a problem we don't have to talk about. Still a problem. You don't get so many specialists for OT security at the moment on the market.
So this will take time until we have specialists from the universities and from other sources who really can focus on that. Compliance, of course, is something which always is a problem: TISAX for many companies, for example. And what the heck is our status or, well, we are doing, how do we gain security maturity? You have to find companies at the moment, and there are more and more, like the huge consulting firms, who do very, very professional risk assessments at the moment. And this is something which should be done at the beginning anyway.
And if you're looking at all these different topics, it's always a question: when we extend security to the OT environment, will it be something which enables business, or will it be something which makes it more difficult? And this is a question often posed by those who are responsible for the different factories or locations. So if you look at this, you'll find out that companies at the moment still don't know what to focus on when they are talking about security. And this is a problem which sometimes leads them to a focus which is perhaps not the best for the beginning.
So what would a company do if they are fluent? Okay, we will do something like a risk assessment covering our OT environment. They would sit down, perhaps with a consultant, with external help, to find out which aspects have influence on their OT security environment. And then they find out that the map of what has influence instantly grows from day to day. There is facility management, because there has to be proper climatization of the environments where the machines are working.
There is product system acquisition. Nowadays it's often the case that contracts have been there for a long time and security isn't even mentioned in them. So you have the problem that you don't even know what kind of security levels the systems which are already working for you have, and how it will be in the future. And many companies at the moment are very much involved in finding new forms of contract, interacting with the suppliers. So this is you very topic at the moment.
The next ones you will find out, of course, are risk maintenance, remote maintenance, and all these things which may be a threat to the production lines. Then you have your controller program developers. In most cases, this is something which exists. And also, the developers themselves, for example, have found out already how to store their programs, how to secure them against unacceptable access and so on. But in many companies there are islands of this of a very, very different kind, all over the company.
So this is something which also has to be done in a systematic way, in a way which is a little bit similar to what is done in IT. Physical security, of course, has to make sure that only the right people are at the right places. You have one huge problem, which is the fast digitization which is taking place at the moment. Sometimes digitization of production lines starts before security is even thought about.
And then it's always difficult to get security in before something has been developed, which after that has been modified again due to security constraints. Third-party vendors: we have already talked about that. Always a problem, because you have to integrate them into your security management. You have internal manufacturing of systems, which is not something easy to understand, and you have to deliver the plant factory managers. I've already mentioned it.
Those managers often are those who hesitate to deliver security because they think that security makes it much more difficult to work on the shop floor. Everything like this will be covered during an OT risk assessment. And immediately these companies will find out that it will take very, very long to get into the systematic OT security. But what I have seen during the last months and weeks is something which is somehow funny, or which I don't understand. There is one factor which everyone really should know about because it's so obvious.
And this is that there are not only those very special OT systems on the shop floor with their own protocols, with their own way of communicating with their internal that floor. But there are always supporting Windows and Linux servers around. Some of them run databases where important information is stored about the different steps of the production line, or, for example, for the placement of goods in the stocks integrated in the production process. Sometimes there are Windows servers or Linux servers which do documentation for compliance reasons.
And there are also Windows servers and Linux servers which help the OT systems communicate with the EEG, the SAP system of the company, with the other ways of analyzing data and so on. And this is something which at the moment grows and grows and grows, because through digitization there is more and more interest in looking directly at what happens during for this server. This is something we should look at for a moment.
And again, when we are doing so, we, for some reason, run into something which is normally thought to be very, very special problems of the OT itself. So in OT, the robots, the old, very, very old machines which are running, there we sometimes have situations where you can't patch them. So one of the rate measures of IT security doesn't apply to these systems. Either the supplier forbids patching, or these systems are built in a way that it is simply impossible.
This especially applies to the long-running systems which today may perhaps still run on Windows XP or even older operating systems. These are the IT dinosaurs, which can only be put in some kind of capsule to secure them, but can't be updated in a secure way. And the interesting thing is, you would think that for those servers, those Windows servers around them and those Linux servers which simply do support, which sometimes run SQL databases,
sometimes they run Oracle databases, for those servers, which are simple Windows servers sometimes set up by the customers themselves, those restrictions shouldn't apply. But this isn't the case, because in many cases the software running on those servers is very much related to the OT systems themselves. And so we have the same situation. Sometimes it's forbidden to update them.
Sometimes the software delivered by the supplier can only run with one special Windows Server version and only gets updates after years and years and years, which makes it really impossible to integrate the server into the well management which is done for the normal Windows systems in the office environment. So we have servers which are very similar to what we have in IT, but which are still somehow restricted in dealing with them in a secure way. Yeah. Let me have a look. I see there are only a few left, but there's no problem.
We have talked about so much of the things which are on this picture already. So we have the problem that availability is one of the most important factors of OT security. We can't use many measures of IT security also for OT security, because, for example, ways of prohibiting unauthorized access maybe can't be applied to machines, because in a case of danger, immediate safety danger, people immediately must be able to rush to the machine and do something to it, to shut it down or bring it into a better status. So this is possible.
And this means that especially privileged access management doesn't work in this area. Okay? All these problems are well known. And at the moment I see that companies are very much focusing on those specialties which are only around OT systems. Okay. Maintenance we've already talked about. We have already talked about the other aspects.
What I would like to talk about in the last few minutes is to have a closer look at those supporting servers, and having a closer look is something I address to the customers themselves who run the systems, because in many cases they have done something which is normally good. They have integrated those servers, running a database or running a communication system supporting OT, into their IT security management, but they can't do it completely because of the restrictions. And with that, you have opened a direct connection from the IT environment into the edge of the OT environment.
And this means if you get harassment bad, this is what we have experienced. Not we, we haven't experienced it, but looking at several companies around us during the last months, we have seen that often ransomware attacks take away those supporting systems for us. For example, this means that if any time something like this happens, there is a backup and recovery system which allows to immediately restart the systems, but many companies don't have it. So why do they forget to look at those very, very vulnerable systems at the edge of the production environments?
For an attacker, this is very, very attractive because he doesn't need to know much about OT security, about the protocols, about the specialties of the systems. He can use his well-known attack tools, which are normally used for IT security, for something which directly influences OT security. And to illustrate it a little bit, think about a production line where a huge automated stock system is placed in the middle of the whole line.
This stock automatically takes parts which are produced, puts them into the stock, and for the following production steps they are taken out of the stock system. There are robots connected to that, conveyor belts and many different OT systems.
And well, if you take away a server which holds the data about what is stored in what place in these often very, very huge stocks, you can put the whole production line immediately to a stop without even touching any native OT system. And this is the very, very simple message I wanted to put at the end of this track: have a look at what is placed directly around your OT system and strongly related to it.
Look if there are systems which are based on standard Windows systems and standard Linux systems, but somehow not so well managed, and find out if these servers or these systems can be reached by a ransomware attack. If it hits your system, we have experienced from other companies that it can happen very, very fast that a ransomware attack puts the system out of service. And it takes companies a long time to recover from that, especially because many of the catastrophe plans which are made to do so have been designed before the COVID-19 time.
And suddenly they find out that this is so easy these days to get a lot of consultants in to rebuild the networks, to rebuild systems which are in the OT environment; it takes much longer. You have to have a specific plan to secure those, call them extra servers, in the environment, to have a special eye on them, because it's most likely that the next attack is not a very, very difficult and complicated attack on the machines themselves. If they can.
So attackers will focus on these things which they can easily reach from the IT environment and where they already have all the tools. This is what I wanted to talk about today. Thank you very much for listening. Perhaps, if someone goes back to their factory and looks at those special assets, it would be good if I have initiated that. Thank you very.