As government organizations connect massive numbers of IoT/OT devices to their networks to optimize operations, cyber experts are increasingly concerned about the expanding attack surface and liability they represent. Listen to technical experts from CyberX and ClearShark as they explain the differences between IT and OT, and how to address OT risk.

In this webinar, you’ll learn about:

  • The differences between IT and IoT/OT security
  • Zero-trust and network segmentation for IoT/OT
  • Gaining continuous visibility into unmanaged IoT/OT assets, vulnerabilities, and threats
  • Integrating IT and IoT/OT security in the SOC (Splunk, Sentinel, ServiceNow, etc.)
  • How CyberX’s agentless IoT/OT security platform addresses NIST CSF

Our Presenters

James Cabe, Security Architect, CyberX
Beau Nuanes, Systems Engineer, ClearShark

Webinar Transcript

Julie Garand

Hello everyone. Thank you all for joining, and I’m going to turn it over to Mike Walsh right now to make the introductions for our panelists.

Mike Walsh

Good morning. I’m Mike Walsh with CyberX Federal. On the phone with us today is Mr. James Cabe, who is a Security Architect with CyberX and has a long history and extensive experience in the control system world. And Mr. Beau Nuanes is with ClearShark as a Systems Engineer, also a very strong supporter with intimate knowledge of control systems environments. Let’s also make sure we pay attention to a few additional pieces. We realize within the defense community as well as the civilian government, civilian agencies, the Department of Energy and Homeland Security play key and critical roles in research, development, our energy sustainment of our critical infrastructure and our defense critical infrastructure. Homeland Security, providing advisory capacity out to state and local governments, all bring together a common team, and that really is the unification between the IoT world and the OT world. There are two very big threat planes and landscapes that are occurring today that have been percolating over the past 40 years, believe it or not. There was much to do in the rail industry early on. What we’ll see today from our two esteemed speakers is how to build an evidence-based approach that leads to the head end aggregation and command and control infrastructure. What that really means is how do you quantify this problem? How do you tackle the vulnerabilities and risk around IoT and OT convergence through quantified metrics and the integration capabilities? Internally, we see and share many threats and vulnerabilities that we’ve researched throughout the industry within CyberX. And we’re going to share some of that today around how to take a deeper look, make it very easy to use, very quantifiable, and integrate into your IT and OT type worlds. With that said, we’ll turn this over to our esteemed speakers. Thank you for joining today.

Beau Nuanes

Thank you, Mike. I think we’ll go ahead and jump right in. You guys are going to kind of hear back and forth between James and I through some of this. We’re going to start off with a little bit of level-setting and education and then get into a bunch of stuff for you. The first thing we want to start with is just a bit of a textbook and level-setting on OT, ICS, and SCADA. Those of you that aren’t familiar with those fields, you’re going to hear them all. You’re going to hear OT, ICS, and SCADA talked about, but I do want to mention that when we talk about OT, ICS, and SCADA, they’re different. There’s a hierarchical piece that goes into things. So when we talk about OT, that’s operational technology. That is our overarching definition. Inside of operational technology, you’re going to basically be looking to control science. I like to say science – so flow of gases, flow of electricity, all those kinds of things. Outside of the flow of electricity and gases, we have industrial control systems. So those are going to be mission critical systems, highly available. Those are going to be the key characteristics of those. Inside of that, we have SCADA systems and DCS. SCADA = supervisory control and data acquisition. DCS = distributed control systems. The main difference between those – and there will be some overlap and some of you who are control system engineers will point that out – but the big thing there is going to be geographically dispersed control for supervisory control, or SCADA systems, something like an electric utility. And then for a DCS system, that control is going to be local. It’s not going to be as dispersed. And again, there’s some overlap in these things, but we just want to level set there. We’ll have a Venn diagram that I think illustrates this a little bit better down the road.

And so, here we just want to make the point that OT security and IT security are not the same thing. The main thing here is looking at the protocols, right? We have a bunch of different protocols that we’re looking at, and they’re nonstandard protocols. The protocols on the left, if you’re an IT guy, you know what those are. The protocols on the right, you may not. Also, when you look at IT systems, we look at standard Windows and Linux. Due to the age of a lot of these control systems and things, we’re looking at older Windows platforms or nonstandard embedded platforms with really light operating systems on them. When we talk about deterministic and non-deterministic behavior – I’m going to read you a definition here. So, network traffic in SCADA systems, OT, and ICS is deterministic due to the fact that a system component communicates with other system components in a predefined manner. This contrasts with office IT systems, desktop machines, and servers that communicate based on requests in a non-deterministic way.

James Cabe

A little bit about that… did you ever see the I Love Lucy episode where they make the chocolates in the factory? They make that little bitty change inside the system, where all of a sudden they can’t wrap them fast enough. They start shoving the chocolates in their shirts, in their mouths, and everything else like that, and it ends up being a big chocolatey mess. And there’s only one small change made in the entire process, which is a belt speeds up just almost where you can’t even notice it, and that’s what the problem is with deterministic behavior. The difference is because with the non-deterministic stuff, where you’re talking about an application-based environment, if you make one small change to something, it doesn’t mean it screws up the rest of the system. Maybe DNS, but they can almost be considered deterministic. But outside of that, making a small change to a process on a Windows system isn’t going to crash the entire network, whereas if I do just something like that, you have a butterfly effect that will sometimes crash or destroy exactly what you’re doing on the deterministic side. So that’s one of the things that I always like walking out there.

Beau Nuanes

Yeah, perfect. And I think that the point there too is when we’re talking about these things, it’s always about the process, right? So a little change to that process can be a huge problem in interrupting things, which is pretty much exactly what happened in that episode. So yeah, good point. Also looking at those systems and looking at that deterministic behavior, if you’re going to actively scan something in those systems, it’s usually a problem. We’re looking at some downtime. So if you’re looking at your traditional scanners, that’s going to be a problem. So that’s something you don’t want to do in the OT world that you can do in the IT world. And then the other thing is just patching, right? You can’t necessarily take downtime, or the downtime has to be scheduled, so you’re not able to patch as frequently when you’re looking at OT systems and OT security as you would be in an IT world. So that’s just something else to consider.

Looking a little bit further here, we look at ICS network characteristics. There’s going to be a bunch of stuff on the left that you see, a bunch of words – Siemens, Emerson, Schneider – those are going to be vendors that create basically the things on the right that we’re kind of looking at in that diagram. When we talk about control units and remote terminal units – which I guess for lack of a better term, we can basically call our OT endpoints – those are the things that control our processes and those are the vendors that make them, they’re going to be obviously non-traditional IT vendors. Then you’ve got all these different protocols, some of which are vendor protocols that were created 30-40 years ago and that became industry standard. A couple other ones are kind of more general like Modbus that we’ll see, some are specific to air conditioner systems, all those kinds of things. But the key point is they’re different. They’re not what you’re used to seeing if you’re in an IT world.

James Cabe

Well, some of the people I’ve heard, they say all of these are going to go away. All of this is going to get replaced by TCP/IP. What are your thoughts on that, Beau?

Beau Nuanes

Not replaced by TCP/IP. I mean, we’re already seeing TCP/IP in the interchanging use with these protocols today when we’re talking about control, and we talked about the SCADA unit. But the fact that these things are running for 20-30 years, they’re not going to go away. You’re going to see a mix. You’re going to see this IT/OT boundary. So if we look here on this slide where you have that SCADA unit and out to those control units, you’ll see TCP/IP above that. That’s going to be where you have ethernet. Down below, a lot of serial communication. So you’re going to see a mix, but there’s no way that it’s just going to go away and be replaced by TCP/IP.

James Cabe

Yeah. I always like to talk about the fact that there’s a difference between a real-time protocol and TCP/IP, because with TCP/IP, I have to go up a TCP/IP protocol stack and back down again, and then it hits the wire, right? And then I’ve got to go up again and then back down again to actually process the data, right? That doesn’t really sound like real-time, whereas these other protocols, maybe they might even be tunneled over TCP/IP, but they’re direct to the terminal. And something over Modbus or DNP3 is going to go direct and choose the registers and memory footprint of something, almost like a computer does to a video card when you want to play a video game. And that’s how real-time that has to be. So not everybody always gets that sort of thing. They expect something to teach the TCP/IP stack and then go to these applications on layer seven. And that’s not how this stuff works, because it has to be more real-time. You can’t have an application crash on the client server necessarily.

Beau Nuanes

And these protocols take timing into account, right? Many of them have to take time into account. So back to Lucy, who’s stuck in my head, timing’s a big deal there, right? So yeah, absolutely. So let’s just keep in mind that we’ve got to have this IT/OT boundary. That’ll be an important thing when we’re talking later on. Let’s go and jump into the next one. So my favorite Venn diagram that just basically takes what we talked about in our first slide and shows you guys the breakout of things, right? You have ICS inside of OT, you have SCADA and DCS inside of that. Just in some examples with power transmission, wastewater treatment, oil and gas pipeline, the protocols you may see there looking down at DCS – HVAC, and your airport luggage system, maybe something like HART, and oil refinery (Modbus). You’ll notice the thing that I like to point out here also is you have an oil refinery/oil and gas pipeline – that can be the same company, right? It’s very common for these big energy companies to have SCADA and DCS systems. That’s why you see some overlap there in that Venn diagram. Another thing is Internet of Things. So one of the things that drives me nuts – I don’t know how you feel about it, James – is when people refer to OT and IoT like they’re the same thing. They’re not. Internet of Things – my favorite example is your internet-connected toaster at home, CCTVs, all those kinds of things that we’re looking at. We’ll get into a little bit more detail on IoT later. There is such a thing as the Industrial Internet of Things (IIoT), and that is something that we can talk about also where there is an overlap, but they’re not the same thing. There’s a difference between OT and IoT.

James Cabe

Now, they still use real-time protocoling when you’re dealing with IIoT. It mixes the two domains and it mixes the two types of protocols, where if you’re controlling the robots, the actual physical control of the servo motors that move the robot arm or what have you, this is a real-time protocol, but then there’s all this data and telemetry coming from exactly where the robot is, what’s positioned, what’s near it, and stuff like that. And all that stuff seems to be over TCP/IP, like more of an application-type situation. So the IIoT kind of changes stuff. And even more so recently, especially on the follow-up of the smart soldier programs, there is actually the Internet of Battlefield Things (IoBT), which has even now been more progression, more real-time awareness-type situations, and those sorts of things. So yeah, it’s bleeding together, but I think that the separation is more important going forward.

Beau Nuanes

Exactly. So now I want to talk to you about the Purdue model. The Purdue model is something that we talk about when we talk about OT security to help us segregate things and do some zoning and stuff like that. The interesting thing about the Purdue model is it’s actually a ’90s reference architecture for enterprise computing. That came about around the time that we were moving from these things called token ring networks and coax communication to ethernet, this fancy new technology. And they were defining how enterprise networks work, and functionality and availability was the key – it had absolutely nothing to do with security. That talked about five levels, inside of the segregation or segmentation, but that was it. Then we had this group called ISA 99 that came along and was tasked with looking at OT networks, OT security – and they liked the Purdue model, so they took the Purdue model, modified it a bit, took those five levels and made it six and had five zones, which you’ll see on the diagram here on the left, and said, this is a good way for us to segregate things.

We’ll get into a little more detail here in a bit on those levels, but one of the things that we like to do when we’re looking at this is – for folks who are more familiar with IT, we like to take the Purdue model on the left and say, okay, really we can break this down to three zones: an enterprise zone, a DMZ, and a manufacturing zone. Then we’ll put all of the levels that are specific to our OT networks in that manufacturing zone. It turns out that this works quite nicely with current network architecture. A lot of people have an enterprise zone. They know how to do DMZ, so they just put another DMZ internal, and then they can segregate off some of their manufacturing zone, which is really your OT, ICS, and SCADA systems.

James Cabe

And the DMZ zone is usually where you find your critical information safety controls, security controls, the CISC. Those are the sorts of things you usually find in the demilitarized zone. Beau, do you usually find that down in the manufacturing zone? I mean, have you seen much firewalling between different areas themselves or the safety systems from the actual ICS or anything?

Beau Nuanes

At a high level we will, and only because some of the next gen firewalls actually understand the OT protocols that we’re talking about. So we do see it some. But yeah, you’re right. Most of it will come up in the higher levels. And we’ll actually see that in the reference architecture in a little bit, where we do see some firewalling down actually in the manufacturing zone. But again, that’s going to all depend on the technologies we’re using to implement these things.

Mike Walsh

So James, on a quick note – these two slides here on the reference architecture and what a Purdue model is – why is it important when bridging the IT/IoT/OT worlds together to bring the stakeholders to the table for common reference?

James Cabe

That’s a great question. The biggest problem we’ve got is the fact that because the Purdue model has actually been around even longer than the ’90s, I think it was originally developed in 1972, but Beau’s right, it wasn’t really heavily used until the late ’80s, early ’90s. And specifically to be changed into the thing he’s done on the right here. When we started actually dealing with a lot of the more IT protocols, it became more and more prevalent. So to bring them in, the biggest problem we usually deal with, at least from ClearShark’s perspective, is the fact that typically this has been shoved in the lap of the CISO. They went to go talk to the OT people at some point in time, suggested something that was very IT-centric whenever it came to the actual solution, back to Beau’s earlier comments about the scanners. And I’ve actually had my own RPE – for everybody on the call, that’s a resume producing event – and it wasn’t a lot of fun for me. We tried to permit RPEs in the world, but I did not at that point in time, and I scanned something that shut down an entire wind farm. When I scanned a PLC, they ran home to mama. It shut down after 500 sessions, which is real quick to happen when you’re scanning 2042, 2048 ports on a poor little PLC, it shuts down pretty quickly.

And so we had a whole bunch of people climbing towers at that point in time to put the power on things, which wasn’t a lot of fun. So we try to prevent those sorts of things from happening, and that’s an extreme version of what happens usually. Going back to Beau’s comment about timing, these things are so finely timed using Precision Time Protocol (PTP), not even NTP, that if you just scan something really, really quickly, they will have a small dent in those old integrated operating systems, to where that slows them down just enough to cause an I Love Lucy event like we were talking about. This is where the IT and OT bleed together with the problematic stuff, because one of the things that happens with botnets very, very quickly, is they actually won’t even try to cause a problem. They won’t even know what’s going on. They’re just trying to scan for SMB ports on everything, especially ransomware. And all of a sudden, things will start shutting down intermittently. You won’t even realize it. And it’ll have been someone that got a really easy run rate ransomware on their machine. You had a small little breakout, and all of a sudden it’s causing events and issues across the entire organization that were unintended consequences. So yeah, this model has to be used better going forward. So Beau, what do we got next when it comes to kind of the new reference architectures that you’re talking about?

Beau Nuanes

So here we’re just talking about the levels, getting into the level pieces a little bit. So looking at level four and five, that’s going to be your corporate network. That’s where things typically – when we’re talking about ICS attacks or OT attacks in many cases – that’s where things start, right? There’s segmentation, there’s data allowed in from your enterprise network, from what we see. So that’s where things are going to start. You’ve got to have good segmentation there. That operational DMZ – we’ll see something a little bit later where there’s some shared services there. Really only want to have the stuff in there that you’re sharing with corporate to make things happen and for operational purposes down in those lower levels. Then when we get down into these lower levels, more segmentation there, like I said, we do see some firewall technology there. This is where also the monitoring pieces and the things that CyberX provides become really, really important – down in these level three through level zero. As we move down, we’re getting closer to that physical process. Something to look at here too that I always like to point out in level three, we have these concepts of engineering workstations and operator workstations. So engineering workstations is exactly what it sounds like, right? It’s your engineers who understand the process. They’re the guys that program it. They’re the guys that have electrical engineering degrees and chemical engineering degrees, all those kinds of things. So typically you want those guys doing the stuff there in level three. Level two are going to be the guys that are actually operating things – that are, when you had the thing with the wind farm, those were the guys that were going crazy and trying to figure out what the heck was going on, right? Because they were managing it and things were going down. And so those guys are sitting there in level two in many cases and with that HMI, which is what we call the human machine interface, certainly very, very intelligent folks who operate these things. Not necessarily the engineers though, right?

James Cabe

Carhartt jacket-wearing and steel toed boot-wearing people that will put that boot on your neck if you do something that causes the safety issues that can pop up because of these sorts of things, because it’s not exactly safe to crawl up a 15-story wind turbine in the middle of winter in New York, right? It’s not exactly a safe thing to do. So yeah, they didn’t really like me very much after that. So it’s those sorts of issues that can be caused. And what may be even worse now for those level three people is one of the things I noticed that popped up on open research platforms, like Shodan.io, is that RDP became more and more prevalent. All of a sudden, all this RDP started showing up all over the world as being opened. And because of the pandemic, because of COVID-19, lots of people were opening up remote access all of a sudden. And they were the engineers doing it, because they had to do their job, they had to run home. You couldn’t stop the work. And then all of a sudden, they didn’t have that direct access. Normally that would have been closed off. Now you need to secure all that access too, but not everybody was ready for that. People hadn’t provisioned their VPNs big enough, because that’s expensive, and they hadn’t done the amount of lockdown, because those workers were typically not remote. And so all of a sudden, you had all these changes really, really quickly because of the virus, and it opened a gigantic amount of holes in something that would normally be nearly bulletproof.

Beau Nuanes

And not only an enormous amount of holes, right? But if we’re going to talk about the kill chain here in a little bit, the MITRE kill chain for ICS and all that stuff, and when you look at all of those attacks, guess where things happen? Right there on that workstation. And those are the crown jewels that the attackers are trying to get to. So now that we’re open and RDP and stuff, we need a way to kind of look at that and say, okay, what’s happened? And it’s out of the norm here. So we’ll get into that a little bit more here in a while to kind of point that out. I think one other thing I want to put on this slide that I think we slid in is if you look at Purdue, ISA 99, we talked about that – there’s also these IEC 62443 standards that we’re talking about, which are a new set of standards that came out, I guess complementary to Purdue, on how we should secure these networks. And one of the cool things about them too is they’ve started to push vendors, so the Siemens and the Rockwells and other folks we’re talking about, to produce devices that are a little bit more secure and that are compliant and have some modern security features built in. And so that’s something that we’ve started to see in the industry and also CyberX in particular is starting to do some interesting things with.

James Cabe

We definitely helped out on that whole thing. We’ve actually produced a lot of security CERTs with CISA, which is formerly called US-CERT.

Beau Nuanes

So let’s jump to the next one. Now that we’ve gotten an overview, we want to look at security technology characteristics and features. What are things that we should be doing to secure these things? We have the Purdue model, what kind of technologies do we apply to that? What are the characteristics of those technologies? So first and foremost, we don’t want to break stuff. We don’t want to hurt people. People can die. The guys that we were just talking about with the boots and the hard hats – if things go really wrong and they happen to be somewhere and your process mixed the wrong chemicals and things explode, that’s really, really bad, and we could be talking about loss of life. So first and foremost, that’s what we have to think about here. Number two is you need to be able to identify assets. You’ve got to know what is on these networks or on these systems. And I don’t know, maybe some of you are surprised by this. Maybe you’re not. It turns out when people start looking at these systems, they really don’t understand. How many CyberX engagements do you guys have where you come on and then the customer goes, “Oh really? We really have those? I didn’t know we had a Rockwell PLC.” Or something like that.

James Cabe

The differential is about 20% of their devices. So there’ll be about 20% over the number that they thought they had, and some of the stuff will be safety systems that don’t talk ever unless there’s a problem. So that’s where some of that stuff comes in, and then the other side of it is organically connected stuff that has happened over time and fallen off because it’s not readily evident by someone carrying a clipboard walking around a plant. And the big difference is that kind of visibility is definitely required, because just walking around with a clipboard with a plan doesn’t get you everything that’s actually connected to that network. Sometimes it’s more remote than you think it is. That’s a good comment though.

Beau Nuanes

Yeah. And for me, if there’s one thing that the viewers take from this, it’s that you really, really need to identify your assets on these networks – outside of don’t break stuff and don’t hurt people. So next one, we’ve got to understand the protocols, and we’ve talked about how they’re different. You’ve got to have technology that can understand those. Next, encryption. Somewhat counterintuitive to what we’ve talked about because of timing and things. So you have to know what you’re doing. But many of these protocols are in clear text, so you can gain some security by encrypting things. Specifically when we’re talking about maybe some of this TCP/IP communication, where it’s from – from an operator workstation or an HMI or a SCADA workstation or an engineering workstation out in the field – there are some cases where you can use encryption. Five, direct and limit the traffic. So there’s some next gen firewalls that we’ve talked about. There’s some other technologies as well where we can limit things, and we know how these processes are supposed to work. So why not only allow the processes to work the way they should?

James Cabe

Right, because with four and five, there’s a reason for operational technology cybersecurity companies to have come in. As well as some of these other ones that you see as secure enclave. Outside of traffic analytics, I’ve always been very skeptical of how traffic analytics works right up until it was applied to OT traffic, almost like a web application firewall but for OT communications. And the light dawned on Marblehead, because I’m not always the most intelligent person in the facility. But that being said, the two places where I think that secure enclave technology, as well as the traffic analytics, really make sense even more than they do in the IT world, just because of the amount of chaos, the differential between the two of them. Very chaotic here, very ordered down here, because anomaly detection is much easier in the OT world, as well as secure enclave and things staying fairly standard and not having a large amount of changes that go on. I think those two types of technologies really help out the OT world even more than they do the IT world. And that especially goes to your number six, which I think you’re going to mention next.

Beau Nuanes

So perfectly to number six, right? Identify bad behavior – anomaly detection, like you just referred to it, is another way to look at that. Attacker behavior is attacker behavior. If you have ways to identify that, if you have a way to identify normal and know what’s outside of it, it applies to IoT networks very well. Seven, connect the dots. So connect the dots is traditional kind of IT technology, right? To connect the dots, to bring things together. So now when we’re looking at our traditional technologies, it’s really network TAPs and packet brokers that are going to give us that visibility just like you talked about, right? That network traffic analysis is going to allow us to do that in many cases. And when we’re talking about these networks, I always tend to lean towards network TAPs, not necessarily SPAN ports. If you have to do SPAN ports, then some visibility is better than none, but SPAN ports come from switches. Switches are meant to do other things, not necessarily mirror traffic for you. If the switch is overloaded, you’re going to lose some of the packets there and you’re not going to get full visibility. So something to keep in mind when you’re looking at, when you’re talking about network packet brokers.

James Cabe

Well, that doesn’t make a lot of sense on the core because there’s so much traffic on it already, right? And it doesn’t really even make a lot of sense at the leaf or the closet or the branch. It makes way more sense where you’re only passing telemetry – the problem you have there that you deal with older switches. So you have to use network TAPs in a precise or prescriptive manner, because maybe they’re older switches, they may not have been changed out – that the amount of traffic is still very, very low on this telemetry thing. So when you’re doing the PCAP analysis before you even bring in sensor-type technology or traffic analytics technology, it’s taking a packet capture and just analyzing how they did it. I’ve seen traffic analysis for an entire hour of PCAP of just telemetry data be less than a meg – less than a megabyte for an entire hour of traffic capture on a telemetry network. And that’s really the size that you’re dealing with there. So when you’re trying to mirror that size of traffic, it makes sense. The problem, as you mentioned it, some of the switches I run into still run DetNet.

Beau Nuanes

So we’re good there. I think we’ve talked about asset ID, next gen firewalls. Encryption – IPsec and SSL are going to be your options there. We’re going to use some behavioral tools. We’re going to have some asset ID with behavioral tools in some cases – there’s a tool called CyberX that actually has both built in, right? And then SIEM and SOAR. So SIEM, and it’s not going to be your single pane of glass, but it’s going to be a way for you to bring some of that data together. And then SOAR to automate things – security, orchestration, automation, and response. All of these things apply to OT networks and securing these networks.

So we’d like to bring this slide up, because we tend to have a bunch of civilian folks on our calls. We have NIST, that is the National Institute of Standards and Technology. NIST has this cybersecurity framework. That framework is what the Cybersecurity and Infrastructure Security Agency (CISA), that is a part of DHS, likes to point to. And then we have the ICS joint working group – they kind of promote, and those guys use that. Basically all this slide is telling you guys is everything we’ve talked about applies to that framework. We’ve got identify, protect, detect, respond, recover – this all applies to there. Just something else to mention there is when you’re looking for procurement and everything there, DHS has this program called CDM.

They can pay for stuff for two years. So CDM kind of applies to this stuff as well, right? So just something to look at and something for you to keep in your toolbox. Now here’s our architecture slide, somewhat high level, showing how this whole thing works out. So if we talk about our three Purdue model zones that we mentioned earlier, to simplify things, we’ve got those here, right? We have our corporate zone at the top, we’ve got our DMZ there in the middle, and then we’ve got our manufacturing zone on the bottom. In this case, the DMZ, we’re saying, “Hey, maybe we need some name resolution and some time.” In this case it would be NTP, right? Not the time protocol we were talking about earlier from the corporate network. That’s really all we’re going to be pulling from there. We shouldn’t be allowing that RDP stuff in. Then down below we’ve got a couple of different firewalls. So earlier we were just talking a bit about what firewalls we’d see there. We’d have an OT border firewall here. Notice the word cluster everywhere. Use clusters where you can, that helps you with that recovery piece that we just referenced in the NIST framework. Then you have these interior firewalls. You may want to do some encryption here. This is where your IPsec encryption can come into play between those. To James’s point earlier about TAPs, if you look down into our process zone – so think of these as different processes – the TAP is sitting right there in front of that process zone with the packet broker reporting back out to that bigger packet broker, and in this case, I like PCAP, so we’re suggesting PCAP. Any other tools that you can have on your tool wheel can fit in there as well. And then CyberX actually gives you behavioral and asset identification, so really nice feature there as well. You have your data storing sitting up here in your control zone too, just always like to point out that that’s your reliability information. You should be looking at that in addition to all this security telemetry that you’re getting here as well.

This contractor zone is something I like to throw into this presentation when we talk about the Target hack from a few years ago. That was their HVAC system. They actually got in here and went out the other way, went back up into their enterprise network. If you’re doing things right and you have things segmented in the firewall, you should protect both ways. You protect your enterprise zone from your OT and your OT from your enterprise – so something else to kind of think about when we’re looking at this.

James Cabe

Our user ID can definitely help you out quite a bit, and not everybody bleeds that into it, because a next generation firewall that deep down in some of these things doesn’t always make everybody comfortable, which is one of the reasons why CyberX is really important to actually kind of lead the way whenever it comes to these sorts of things. Because we can actually take stuff, like devices and gateways and that sort of thing, and tell you exactly how they’re talking. So later on, you can then go and take the cyber controls and place them in places that won’t interrupt operations, but it will give you that extra bit of visibility and control that you’ve never had before.

Beau Nuanes

Let’s forge ahead here. So these are some of the protocols you’ll be looking at for IoT, here on the left. And when we’re talking IoT, it’s very common to see the architecture on the right where we have devices, gateways, and data systems. Devices we’ve already talked about. That gateway is out to the internet where you’re going to control things. You also hear the word edge IT for data system out on the right, or internet gateway for the stuff in the middle. But in many cases, you’re looking at HTTP/HTTPS management for these non-traditional things that didn’t used to have those, like CCTV and stuff. The beauty of CyberX is we kind of talked about OT to this point, CyberX looks into IoT as well.

CyberX is able to look at those IoT devices, which we pointed out were different, the OT devices as well, and the IoT devices, which we referenced earlier by using smart sensors, collectors, VMs. You have your central manager taking all that stuff up using the threat intel that you have from Section 52, your M2M analytics – so that’s the behavior stuff that we talked about earlier – and then your IoT device profile, and give you that full look into things. If you look at the piece here with native integrations, there’s our other technologies.

James Cabe

I definitely want to point out that we don’t use the same sensor. You said smart sensors and you’re dead on. That was one of our claims to fame is all our analytics engines are directly on the sensor, as well as most of the reporting that you can actually pull off a sensor, which is one of the great reasons why you can actually take the CyberX sensor platform and actually use it in IRT or digital forensics and incident response (DFIR), and incident response teams can take those and then run with just the tool to help you do some triage. But the sensors on the OT side and the IoT side are completely different from one another. They’re not even the same sensor. They report to the same CNC or C2 and reporting piece up on the chain, but they are not the same sensor. And that’s because of all the things that you mentioned before, as well as the types of traffic analytics you could do. You could do deep packet inspection on OT devices, where IoT, because of the use of HTTPS, TLS type of protocols, it’s much harder to do it on because essentially TLS 1.3, where everybody’s moved to very, very quickly, creates those sorts of problems. So that unified dashboard here is what a lot of people like to take a look at, and they’re even editable and auditable too, where you can actually have a NERC-CIP dashboard, you can have an IEC 62443 dashboard and have all the audit reporting be instantaneous to you, as well.

And that provides a lot of actual information that you can do right there. If you haven’t already set up the automation between that and a next generation firewall or a NAC system or even one of these platforms that do secure enclave – Stealth is one of them I know that’s been used in the military, as well as some of the DOD. There’s quite a few others – Guardicore is another one that gets thrown around quite a bit. So there’s a bunch of that sort of thing. And part of it is that top visibility piece, right? You want to be able to have actionable information right then and there and be able to do something about it. You’ll see in the bottom right hand side is the IoT portion. On the top left hand side is the OT. Two different sensors, different types of data coming out of each one, because the behaviors are going to be different between the two of them. Beau, was there something that you wanted to go ahead and talk about on this one?

Beau Nuanes

No, I think we hit it right. The only point I was going to make is if OT and IoT were the same, you wouldn’t need two different sensors. So just to our point earlier, you’re right.

James Cabe

Well, I think a lot of it has to do with exactly how they act and react, right? So even in NERC-CIP, you’re going to have stuff that’s actually in scope and not in scope. And some of that stuff that will be not in scope, maybe some of those IoT devices, but it will actually be on location in the facility where you have stuff that’s there and there are shifts in scope, which will basically be the control systems pieces, billing, maybe some high data systems and telemetry data that’s going to be pulled back as this part of your data acquisition process. And then being able to build the dashboards where you can actually not just do the audits, because we all know that audit tends to be somewhat of a low bar when you’re dealing with actual cybersecurity. The IRT people, the red teams, and the active blue teamers will tell you it’s just a low bar to go over, and they’re not wrong, but it’s always nice to have a hygiene that you’re looking forward to. And a lot of these standards are actually that hygiene piece, and so it helps knowing how good your hygiene is on a day-to-day basis, not just a monthly or quarterly or yearly situation, but on a day-to-day basis and be able to actually do that kind of advanced reporting directly out of it.

Beau Nuanes

I think the only thing I’d like to kind of point out here is you do see at the top with the IEC 62443. So if that is something you’re concerned with and if you have the luxury of replacing your control system endpoints with IEC 62443 compliant devices, you don’t necessarily know what you have out there. And that’s where this comes into play. CyberX can tell you, here’s what’s out there and these are not IEC 62443 compliant or they indeed are. So when you’re going down that path, it’s that check for those things as well, not just looking at NERC-CIP.

James Cabe

Well, and this advanced reporting piece, which is an engine that’s behind what we’re looking at right now is actually the central manager, and advanced reporting is actually a data engine that’s kind of off to the side that can actually blend in third party data to actually give you a lot of these reports. So it doesn’t even have to be something directly from us. It can actually be from other data feeds that you’re already doing other projects on. So if you have Maximo or some other type of asset management system that you were already using, like Archer from RSA or anything else like that, you can actually bleed that data directly in here and get reporting directly out of it and then not move somebody else’s cheese for them.

Because all of this is already going to disrupt organizations anyway. Moving as few cheeses as possible is sometimes one of the most important things that you can actually do for the organization. So asset management, as you said, is extremely important. Simplifying stuff when it comes to the segmentation processes and the delivery of something that’s zero trust – zero trust is a promise. It’s not an actual technology. It is a promise that I will consistently check something’s identity, whether that be machine-based identity or user-based identity, and exactly what their role is on the network to actually give you exactly what the original units people wanted for security on systems, which is that least privilege piece. So we’re trying to return least privilege back to the network again, which is networks were originally built not to be anything having to do with least privilege; networks were built to be open originally on TCP/IP.

So actually, blending that idea is kind of the promise of zero trust. It’s not a real technology. So it’s an ideal that could hopefully be attained with a blend of technologies, but you’re never going to get there unless you know what’s already talking with each other. And nobody will ever accept it as part of your program if you’re going to go in and try to stop work or disrupt a process that’s been in place for 20 years and people consider secure because I’ve already got a safety system for that. That is a reason why you have this divide between OT and IT people sometimes, because when IT people talk security, what is the first word that usually comes to their head? It has to do with what CISSPs usually think. Confidentiality, right? CIA, right? CISSP is confidentiality, integrity, and availability, when you’re dealing with security. But confidentiality is the basis of the hierarchy of needs, it’s the big one. And in an OT person’s world, you put safety at the bottom of everything – it’s always a requirement. Everybody’s always like availability or resilience, that means that you get to make the widgets that day, or you continue making money or something else like that. Availability is just part of safety. The safety systems make sure that it’s still available, but it still underpins that availability too. And availability is definitely part of that structure for OT people, as well as integrity. But it’s not the thing that underpins anything. Having safety systems there means everybody gets to go home. Anyways, SOC integration – tying all the old systems that you’ve had together before is sometimes what we’ve actually dealt with on CyberX, just having an audit platform to know on a daily basis what’s going on with your operations and then trying to centralize a lot of those use cases as well. As we’ve said before, the CyberX platform is really simple.

You already ran through what to deal with if you can use TAPs or if you can actually use SPAN ports. There’s a bunch of different ways to get this, but the specific thing is, I see a lot of companies – we first get connected directly at the core switch, “Oh we’ll give you a SPAN port, right here on the core.” And then we get all this noise, and I’m like, “Wait, we don’t see this control traffic.” Well, we’ve already said the reason why we don’t get the control traffic. What are serial protocols usually doing? What level on the OSI model are you usually at, Beau?

Beau Nuanes

All the way down at the bottom.

James Cabe

Yeah, they’re serial. So sometimes they’re even electrical, right? So unless we’re getting that data, we’re not getting the right stuff. And then having a smart sensor, which could be disaggregated or disconnected from some sort of CNC or C2 system where it can continue to operate, even if it’s miles down a pipeline, and not getting hundreds of megabits of IPS signature updates on a day-to-day basis.

So it’s very, very tough to make a platform that can do something like that. Diode friendly architectures – I know that’s part of your ecosystem, and definitely part of the program is that unidirectional traffic and being able to still know what’s going on, still get all your analysts and data and behavior, and then still be able to utilize that in a very great, interesting kind of way. One of the things that I talk about in the classroom – I teach for Cyber Certified Operator – is what the difference is between regular machine learning analytics and actual expert systems. And everybody’s always like, “What’s an expert system over something like this?”

And the expert system is something that’s already been pre-trained, right? Because I may have dealt with Honeywell my whole life, I may have been dealing with Rockwell – that doesn’t mean that I know how Yokogawa works, or Emerson DeltaV, or any of these other process control systems. So can I have something that’s already been pre-trained with a lot of analytics to know how it behaves, and then once I get this tool, I’m now automatically an expert in that new system, the DeltaV system or Yokogawa or something else, even though I’ve been previously trained some other way? And that’s where that neural network defense piece kind of bleeds in. It doesn’t just need to be machine learning or analytics, it needs to be an expert system that’s already been somewhat pre-trained, so you can start getting results out of it very, very quickly.

Also, the idea of taking a diode and actually making it the secure gateway and being able to push it even deeper into those secure architectures, and then also being able to address these cut and paste networks – everybody laughs about them, like the 10.10.10.X is the same network across 25 different plants, because nobody ever intended them to talk to a centralized network before that. They just wanted this process control to work. That was the network they worked on. So they took that, in the name of lean architecture where you want to have some sort of repeatable process, and cut and pasted that same network so many times down. Having to deal with asset management, especially on a network and dealing with those sorts of things, is really, really hard. And that makes it very hard to deal with the brand new architectures and deployments, especially when you’re dealing with SD-WAN and high availability pieces whenever people want to have that telemetry and data coming back.

I’ve been seeing these big data management things when it comes to industrial control systems for a long time. C3 was one of those particular companies that opened up maybe five years ago, even coming out in the main stage. I know Microsoft, who’s a very close partner of CyberX has their own data pool management system for business intelligence. Power BI is a very big deal. So really, really cool stuff whenever it comes to that sort of thing, and it helps us close down a lot of these problems whenever you’ve got this network, it’s starting to become more and more open and you need to be able to trust communications, but you also need to be able to verify them very quickly as well.

And you don’t have enough human beings in the world to be able to do that with. So you can actually adopt this particular type of high end architecture deployment where you have a hybrid LAN and it’s open and you’re using cloud-type SaaS services to do that data processing. How do you do it? Well, you put in the sensor system that acts like a different set of hands and eyes to where you see the changes going on in the network, whether on the security side or the operational side. And that’s one of the differences that we bring to the table at CyberX, it’s the bleeding end of some of those operational issues. And one of the architectures I’d like to talk about that actually employed that previous architecture nowadays is automated meter infrastructure.

This is extremely critical. Some people call it smart metering. In the past, it’s been fairly insecure and a couple of times we’ve heard that it’s actually been utilized to attack organizations, like utility districts and municipalities, to try to get in behind the curtain using what was normally an open network, because it had to scale to tens of thousands or hundreds of thousands of homes. So this is where it’s hard to go back and forklift these types of architectures. How can I get monitoring and information out of them very, very quickly about what’s going on so that we can come back in over the top of it and place new security controls that are so needed? And that’s where we actually bleed in to doing this stuff as a sort of architecture.

Then that was the meter reading side, where you’re dealing with the physical plants directly connected to the meters that might go to each one of these houses, and then the head end or concentration side of the house, it can be done as well. And this is where you have the problems with those third parties that you were talking about before, Beau, where you have different types of companies coming in, servicing these types of head ends, and doing the meter reading – lots and lots and lots of third parties where they bring in a laptop unintentionally. It has a dropper on it. They got there that morning because somebody was reading their news or got an email that they didn’t think was suspicious. And we’re seeing more of this, especially with a lot of the remote access stuff going on, more and more spear phishing that’s become more and more intelligent.

My friends at Palo Alto and my friends at Fortinet, they’ve all been talking about this stuff and exactly how it’s created the problems. And we talked about those artificial intelligence engines that help you out. You’ll notice that each one of these expert systems overlays the others, almost like the lobes of a human brain, right? A protocol violation being different from a policy violation. And the nuance is almost a little bit different between each one of them, but having them overlay each other and knowing what it wants between them helps give you much better detection, especially when it comes to anomalies and things like that that have happened before. So you’ll notice as we see with MITRE ICS ATT&CK technique frameworks, which we were going to get into a little bit more, but we’re running into kind of a time issue right now. The MITRE ATT&CK platform is extremely important – they came out just this past year with ICS ATT&CK. We’ve got friends over at a different operational technology and cybersecurity company that have done a great job helping out MITRE with producing the attack framework that has been popped out. Being able to actually provide analytics based directly on that attack matrix is extremely important to make this thing actionable, and that’s exactly where we like to actually be, is how the actual intelligence is based directly on those industrial protocols and exactly when things should or should not be happening on them. And me, not knowing on a day-to-day basis that an S7 network from Siemens shouldn’t have had a PLC stop sent to it, may be extremely important for me to know whenever I have a hunt or something that I actually have to respond to on the IRT side of the house.

We have solution briefs. There’s a bunch of this data. This is our starter pack, for everybody listening on the call, when it comes to traffic analytics and what it’s going to do. There’s more and more of these solution briefs that will take you farther down that rabbit hole. So if you want to take the blue pill, this is exactly where to go, further down the rabbit hole, especially when it comes to MITRE ATT&CK and zero trust and the brand new cyber security maturity model certifications that are coming out from the DOD and DOE.

Beau Nuanes

I think the only thing that I want to add to that is, because I work for a value-added reseller, we have access to a lot of these technologies. So the architecture we talked about before, we actually have stood up and are adding to in a demo environment. So if anybody has particular things they would like to look at, any particular technologies we’ve talked about on the webinar and would like to see in action, definitely reach out. My email is [email protected]. CyberX is obviously a big part of that for us, but there’s kind of a lot that fits into this ecosystem. CyberX partners with other vendors. We partner with vendors. So just here to help for anything. Anything that you guys would maybe need some help with.

Mike Walsh

Thank you guys. I really appreciate everyone’s time. We will be following up, sending out some additional information to summarize what we’ve seen. Consistency – it’s rinse and repeat. Why is it rinse and repeat? Because visualization of this problem, of this threat landscape, enables organizations to address big problems with minimal effort, but using machine learning and behavioral analytics to drive this type of capability. What does that equal? Automation. It automates the collections, the threat intelligence, which delivers everyone actionable remediation and mitigation strategies. What it does is it embraces risk management at a much bigger scale from the core all the way out to the edge. So we know that in these types of environments, the edge is always the hardest part when we look at scale and automation to deal with threat conditioning and protections, especially where we talk about national security. CyberX brings that scale to the table to address the IoT/OT world and dovetail that into the IT frameworks.

If you have any additional requests, you can reach out to Beau at ClearShark, as well as reach out to us at CyberX Federal at cyberx-labs.com. Plenty of information on our website. If there are any questions, please feel free to drop them in – happy to answer any and all questions. So thank you everyone. Have a great day.