This SANS webinar discusses how to secure ICS and SCADA environments using the Palo Alto Networks Security Operating Platform and CyberX’s purpose-built ICS cybersecurity platform.

Daniel Shugrue, Senior Director of Industrial Cybersecurity at CyberX, and Dharminder Debisarun, Industry Security Architect at Palo Alto Networks, describe how the Industrial Internet of Things (IIoT) is helping organizations improve safety, increase output, and maximize revenue, while at the same time digitalization is driving deployment of billions of IIoT devices and increased connectivity between IT and Operational Technology (OT) networks, increasing the attack surface and risk of cyberattacks on industrial control systems.


  • ICS/SCADA security basics
  • State of ICS Security: Findings of the CyberX “Global ICS & IIoT Risk Report”
  • How Palo Alto Networks’ Next-Generation Firewall and advanced endpoint protection technologies can be used to segment ICS networks, control ICS protocols, and block network threats as well as unknown threats on ICS hosts such as HMIs, engineering workstations, and automation servers
  • How CyberX’s out-of-the-box, API-level integration with Palo Alto Networks provides automated asset tagging, granular asset-based policies, and real-time response to ICS-specific threats
  • How CyberX’s automated ICS threat modeling can be used to prioritize and simulate mitigation of attack vectors on the organization’s crown jewel OT assets and processes

About Daniel Shugrue

Daniel Shugrue is Senior Director of Product Marketing at CyberX, an ICS Security provider. He has 20 years of experience working in software and security technology. Prior to working at CyberX, he directed Security Product Marketing at Akamai Technologies. Daniel lives in Boston, MA with his two sons.

About Dharminder Debisarun

Dharminder has extensive expertise in IIoT and manufacturing security – including connected car and airlines. He is member of ENISA’s (The European Union Agency for Network and Information Security) expert group for Industry 4.0. As the subject matter expert, he has technical expertise and direct exposure to these topics, as a leader in Palo Alto Networks. He is based in Amsterdam and works closely with customers and partners globally for understanding their pain points and needs. With over 20 years of IT experience he is bridging the gap between IT/OT and the business needs. Dharminder also speaks extensively on ICS/SCADA security across Europe and beyond.

Webinar Transcript

Carol Auth:

Hello, everyone, and welcome to today’s SANS webcast, Palo Alto Networks and CyberX Integration: Accelerating the Time Between ICS/SCADA Threat Detection and Prevention, sponsored by CyberX. My name is Carol Auth of the SANS Institute. Today’s featured speakers are Dharminder Debisarun, Industry Security Architect at Palo Alto Networks, and Dan Shugrue, Senior Director, Industrial Cyber Security at CyberX, who will also be moderating today’s webcast.

If during the webcast you have any questions for our presenters, please enter them into the question’s window located on the GoToWebinar interface at any time. Please note that this webcast is being recorded and a copy of the slides and recording of this webcast will be available for viewing later today and can be found on the SANS registration page.

With that, I’d like to hand the webcast over to Dan.

Daniel Shugrue:

Thank you very much, Carol. Welcome, everybody, to today’s webinar. I appreciate you taking the time and hope that you find it helpful and useful. As Carol said, my name is Daniel Shugrue. I’m Director of Industrial Cyber Security at CyberX and what we’re going to cover today is IT versus OT security, so what are the differences between IT and OT security. I guess by extension, why somebody like CyberX in OT security might want to integrate with an IT security provider like Palo Alto.

We’ll talk a little bit about the macro-trends or the big picture trends that are affecting business risk, especially on the OT side. Then, I’ll focus on the benefits of the integration that we’ve done with Palo Alto Networks and in addition to that, I’ll show a little bit about how we integrate, not so much in a workshop way, in order to show you how to actually integrate right now, rather just to give a flavor for the level of difficulty and what you might expect were you to try to do an integration like this. Then, we’re going to hand it over to Dharminder and he’s going to talk further about the integration from the Palo Alto perspective and then we’ll open it up for questions. We hope to have an interactive session towards the end here and with that, I’ll jump right in.

OT security, as probably many of you know if you’re here, is not the same as IT security. Some of the ways in which it is different is that OT security uses proprietary protocols, so protocols that were developed by the makers of the assets such as programmable logic controllers, and other devices that are in OT networks. They don’t use standard protocols that IT networks and information technology professionals are used to using such as TCP/IP, HTTP, and SMB, et cetera.

As a result, historically, because OT protocols are not uniform, they’ve been somewhat protected. I’d say, it’s sort of security by obscurity because the protocols weren’t well-known and because they’re not ubiquitous. It’s a little bit more difficult for a hacker or, I should say, a malicious actor to learn the protocol and then exploit it in order to get the system to do something it wasn’t meant to do. For that reason, OT security wasn’t necessary for years. Now that it is necessary, it requires specialized skill in order to implement.

Another difference between IT and OT: OT tends to use older Windows machines and it can use non-standard or embedded platforms. I mentioned PLCs or programmable logic controllers. That’s not by choice, it’s really more by necessity. The nature of an OT system is that it’s running 24×7. There are fewer opportunities to take a system offline and to upgrade it. As a result, once the machine gets put in place, often times it’s expected to just stay in place without necessarily putting in a patch or upgrading the operating system.

Now, there are ways around this and there are factories or oil and gas facilities or operators of ICS/SCADA networks who have figured out how to solve this problem, but generally speaking, it’s more difficult to do and sometimes it requires some sort of mitigating factor in order to keep an older Windows system safe. By that, I mean something other than upgrading it. Dharminder’s going to speak about that towards the end of the presentation when he takes the mic.

Another major difference between IT and OT: OT is deterministic. It’s machines talking to machines in most cases, whereas IT is non-deterministic. The behavior is largely defined by or driven by humans. Then, a result of these four differences or in some ways, part and parcel to these four differences is the fact that active scanning in OT environments is generally avoided and that’s because active scanning could result in system failure and could result in downtime. Downtime in an OT environment means at best, loss of revenue, at worst, some sort of catastrophic environmental damage or even loss of human life.

An OT system is designed to be up all the time. It has to stay up all the time and for that reason, scanning of networks that is active or actually either has an agent or is, let’s say, querying a device is generally speaking has been avoided historically. Whereas in IT systems, we actively scan all the time to look for malicious behavior or malware.

Then, I mentioned regular patching and OS upgrades. Those happen on a fairly regular basis. It’s not easy in IT, but we make time for it. We have historically made time for it and as a result, most of the systems in IT are relatively up-to-date. Whereas, it’s not uncommon, as I’ll show you in a minute, to find older Windows systems or unpatched Windows systems or proprietary systems in OT.

Big differences between the two and that has led to the founding of companies like CyberX that specialize in OT security and then, in turn, it’s led to the partnerships between companies like CyberX and companies like Palo Alto in order to tackle both of these problems at the same time.

What are the trends that are driving risk and business risks specifically in OT security? I think there are three on a large scale. The first one is monetization. By that I mean the rise of Bitcoin and anonymous currency in the last few years that have made payoff for attacks easier for cybercriminals. Before Bitcoin and before anonymous currency were around, really the most difficult part of any malicious cyber scheme was essentially cashing out.

That’s why in the early days of hacking we saw people who were more interested in proving that they could hack something than they were in actually doing harm or making money. Because cashing out was difficult. We had to have a money mule at one end. You have to have somebody who was full-time on eBay selling goods or some other auction site and converting digital manipulation into cash. That’s different now. With Bitcoin, one can and you see malicious actors often do, create software that will demand payment in order to unencrypt your hard drive, for example, or to grant access to particular files. That’s contributed to a rise in attacks.

The other major trend and this has been going on for over 10 years, I’d say is the industrialization of hacking. In other words, it’s no longer necessary for a malicious actor to know how to code in order to do damage. They can buy tools or toolkits on the dark web. In some cases, they can find open source kits that will allow them to take a website offline or encrypt a hard drive or perform any other number of exploits using tools such as Mimikatz in order to wreak havoc. The hackers don’t need skills anymore. They only need a motive.

Then, the third trend is nationalization. Whereas before we saw in some cases a young kid in their mom’s basement wreaking havoc, today we have orders of magnitude of larger budgets behind attacks. We began to see this with some of the attacks, arguably, as early as Stuxnet and then later on attacks on banking systems, DDOS attacks on the banking system in the U.S., later in Europe. More recently we’ve seen examples like the Sony attack or like the Triton attack ostensibly in Saudi Arabia.

The risk has really evolved from one of potential loss of money to potential loss of human life. In the case of Triton, this was an attack on a petrochemical plant. Had it been successful, we would have seen catastrophic environmental damage possibly even loss of life. That’s where the risk is coming from. That’s why we’re interested in these things. That’s why we are looking to protect OT environments.

What is the state of security today? That’s something that’s of great interest to CyberX and to our customers and prospects. We’re in a unique position as a provider of cybersecurity in that we are doing proof of concepts all over the world in six different continents. In fact, in the last year, we’ve installed and had access to over 850 networks. We aggregated what we saw across those networks into the 2019 Global ICS and IIoT Risk Report.

This is a report that’s free. It’s available to download. You can Google it. I’ll give you a link also at the end of the presentation. That will basically show you the state of vulnerability and the state of threats as well as some ideas for mitigation of threats over the course of the past year.

I just wanted to give you a few of the highlights from it. There are many data points in the report. I’m going to share with you about six of them. The first one is just about the air gap. This is coming back to what I was saying about to a certain extent, OT used to rely upon security via security. There was the argument, “Well, the protocols are proprietary therefore we don’t necessarily need to actively protect them.” Then, the other argument was, “Well, these systems are air-gapped. We don’t need to protect them.”

Well, whether or not that was once true, it seems to be true less and less often these days. That’s probably because of digitization as a key business driver. The OT networks are increasingly connected to corporate IT networks, which makes them easier to manage in some ways, makes them more efficient. Unfortunately, it also increases your ads and attack path for attackers. We found that 40% of industrial sites have at least one direct connection to the public internet, which, of course, makes them more easily accessible to adversaries and malware.

The other thing we found was that 16% of sites have at least one wireless access point. I guess probably seeing the obvious that a wireless access point essentially, it increases the attack surface. That’s another way in for an attacker. We know one specific way could be used as a way in is through the cracked WPA2 vulnerability. That’s if the wireless access point has not been upgraded or updated.

As I mentioned earlier, it’s more difficult in an OT environment to actually upgrade one of these things. Access points such as routers and VPN gateways are also exposed to malware such as VPNfilter. That enables attackers to capture MODBUS, one of the protocols in OT network’s traffic and allows the malicious actor to perform network mapping, destroy router firmware, launch attacks on OT endpoints, and compromise routers. For that reason, the routers themselves should be regularly inventoried and patched to prevent these attacks.

As I mentioned earlier, it’s often times easier said than done. An owner of an asset or an OT network or someone in charge of protecting an OT network might want to take other mitigating actions into consideration. We’ll talk about some of those between myself and Dharminder.

Coming onto just what did we find here, we found that 84% of industrial sites had at least one remotely accessible device. Now, we know that remote management and access protocols such as RDP, VNC, and SSH make is easier for administrators to remotely configure devices. Then, we also know that remote management and access make it easier for attackers with stolen credentials, especially stolen credentials we emphasized here, to learn exactly how equipment is configured and eventually manipulate it.

The remotely accessible devices are often used to perform reconnaissance, in other words, to figure out more about the topology of the network in order to facilitate a later attack. If pays or behooves someone in charge of OT security to at least be aware of where the remotely accessible devices are, and then as I’ll talk about in a minute, in case it’s possible to actually shut off remote access to those devices.

We found that 57% are not getting automatic anti-virus updates. Now, this can cut both ways. I know there are some people in charge of OT security who will say, “Well, yeah. It’s not automatic because we don’t want to have a connection to the internet and that’s how antivirus works.” That’s fair. In some cases, you might have antivirus updated via what we call Sneakernet or through just actually bringing the antivirus software physically to a machine and then loading it. On the other hand, viruses are moving quickly. Antivirus especially is already sort of behind the eight ball in terms of relying on signatures to find attacks.

Really the automatic nature of it is almost a hygiene issue for antivirus. It almost has to be updated automatically in order for it to be effective. When and if an antivirus vendor finds a zero-day, if you’re in charge of security, you want that vulnerability to be patched as soon as possible or the antivirus software to be upgraded as soon as possible in order to recognize the zero-day. If you can’t do that, however, you might want to do something like whitelist your applications, whitelist which applications are allowed to talk to others, because the truth of the matter is it’s not always possible to have a connection to the internet and to have your antivirus downloaded automatically.

Next thing we found was that 69% of us the sites that we monitor had passwords traversing in plain-text. This is a problem because plain-text passwords can be easily sniffed by anyone who’s performing cyber reconnaissance. Once stolen, the passwords are used to compromise critical industrial devices. The plain-text passwords are typically associated with legacy devices that don’t support modern, secure protocols such as SNMP, v3, or SFTP.

You can see there’s sort of a pattern emerging here. If you aren’t able to upgrade your devices or upgrade your protocols or patch vulnerabilities, the fact that you’re using plain-text passwords becomes even more problematic and vice versa. If you’re using plain-text passwords, the urgency of updating becomes even more acute. Again, you may not be able to for a variety of reasons so you’re probably best off looking at other mitigating controls.

We talked at the very beginning about legacy Windows boxes being sort of a feature or a bug of OT systems. In our survey … Actually not a survey, in our findings of actual networks, 53% of the sites we looked at had obsolete Windows systems such as Windows XP. Basically, we count obsolete as a Windows system that Microsoft is no longer issuing patches for. It probably goes without saying, but legacy Windows systems can easily be compromised by new forms of ransomware, destructive malware. EternalBlue, I believe, is one such example.

The truth of the matter is, it’s not always possible to patch, but if you can’t patch then you need some sort of compensating controls such as continuous monitoring to spot cyber attackers in early phases of a breach. Other compensating controls could be segmentation or better segmentation between IT and OT networks and then, of course, granular segmentation between different layers of OT networks. That’s something that Dharminder and I will also discuss later on.

So, things are bad, but there is still hope. In fact, there may be more than one hope as Yoda should have told Luke, but that did end tragically. The other hopes are … What can you do? Well, you can identify the crown jewels. You can illuminate most likely attach paths. You can practice cyber hygiene. We’ll talk a little bit about what that means. Or, you can integrate with existing IT security tools or all of the above. I’ll take a couple minutes just to talk about each of these points and then pass it on to Dharminder.

What do we mean by crown jewel processes? Well, crown jewel processes are the ones that if they were to fail would threaten your company’s survival. That could mean it could threaten your survival through just simply loss of revenue. If you’re operating a just-in-time delivery system and your manufacturing plant goes down for seven days, you lose seven days worth of revenue, that could threaten the survival of your company. A lawsuit could threaten the survival of your company. Probably more likely, a lawsuit would.

A loss of brand reputation, something like a major oil spill or an explosion could severely damage your brand. A failure of processes that results in theft of intellectual property would also mean that that was a crown jewel process. Then, any process failure which would result in a major compliance violation could also be termed a crown jewel process. Identifying these, I think it seems relatively easy in theory. In practice, I think it’s usually more difficult or that’s what I find when I talk to customers is that figuring out what are actually crown jewel processes requires conversations between business owners and OT personnel.

Those two groups are typically fairly siloed. OT engineers are not typically in positions of making business decisions and business owners are not typically in conversations with people on the factory floor or even people managing individual factories or plants. Having the conversation is important in order to determine what are the crown jewel processes. A few examples like a safety system, a critical manufacturing production line, a transformer or compressor station, or in the case of pharma, a historian.

So, that’s the crown jewel processes. Once you’ve identified them, then you basically want to map your digital terrain and that starts with asset discovery and network topology mapping. This, I would say, far and away is the greatest concern for customers of OT security, including CyberX customers. The first thing they want to do is just figure out what the heck is in their network. Then, they want to map it and then by doing that, they can figure out how information moves through the network and who touches what piece of equipment and how they connect.

Now, this is something that CyberX and other vendors do. This is not meant to be a commercial but rather it’s supposed to be informative for people who are listening. The asset discovery and network topology mapping is best done by a firm that specializes in OT security and that’s because firms that specialize in OT security know the proprietary protocols and thus can discover the most assets the most quickly.

Once the terrain is mapped, then you need to illuminate your most likely attack paths. That can be done through tabletop exercises. It can be done by pen testers. Those are both useful and highly recommended. They’re also time-consuming and difficult. There are also tools, including one that CyberX makes, that will automate your threat modeling. It will map the topology. It will identify vulnerabilities and then it will calculate the most likely attack paths.

Now, what do I mean by that? If we take an example from a previous screenshot that shows the assets that have been discovered and then as a user of this system, if you were to right click on the connection between the assets and then just select ‘simulate attack vectors’, you could then see, okay, for that particular asset … Let’s look at the bottom right here, we’ll call it PLC#11, we’ll show how someone might come in from the open internet through an internet connection, through one PLC called Control Center #1 to a known CVE that we’ve already discovered is present in that particular asset to Control Center #3 to a different CVE to the infrastructure server and then through yet another CVE to PLC#11.

In this particular case, by just selecting this one choice here which is ‘simulate attack vectors’, you can see here’s one of the likely attack paths. Once you’ve done that, you can take steps to mitigate. You can either take one of those four assets offline, you can patch one of those four devices, or you can simply eliminate that path altogether if it’s not as critical to your firm’s survival as an attack through that vector would be.

This is another way of saying that. Once you’ve done that for all of your crown jewel assets, you have options for mitigation and protection. One is to just simply reduce the number of digital pathways. You might have some that are not absolutely, positively necessary. You can just turn them off. For the ones that are absolutely, positively necessary, you can address vulnerabilities such as weak passwords. You can close down open ports. Again, an ICS security vendor will help you discover those open ports and then you can patch where possible.

Finally, when you can do neither of those things or in some cases, where you still have a few crown jewels that are still exposed, you can implement compensating controls. The best of which that I know is continuous monitoring with behavioral anomaly detection. In other words, establish a baseline for what normal communication looks like between these devices and then when and if abnormal communication takes place, alert on it. Finally, and this is where Palo Alto comes in, once you’ve done that, integrate with firewall infrastructures so that you’re in a position to do something about that anomalous behavior.

Okay, you want to find the devices. You want to figure out when the connections have been established. You want to alert on them, also that you can do better investigations and threat hunting. Ideally, you can see along a timeline when these alerts are taking place so that you could perform some sort of correlation between the alerts possibly. Then, ultimately, you want to feed the information that you’re seeing or you want the product that you’ve bought to feed information that it’s seeing into a policy that can be implemented by a firewall such as the firewall from Palo Alto in order to block that malicious traffic.

All of that is essentially in this first sub-bullet on this slide. Basically, everything that I said to date or to this point in the webinar is enabling the generation of a next-generation firewall policy so that the administrator of that firewall can rapidly block malicious traffic. Another way of saying that is, this is one way in which CyberX can help you with your blacklist to block unwanted or malicious traffic.

As they say in the TV ads, that’s not all. We also help you whitelist, if you will, by allowing you to tag assets in your ICS network with ICS properties. This is information that you can use within the next-generation firewall to develop policies to communicate what is allowed, what types of communication are allowed, what types of assets are allowed to communicate with each other. We auto-discover those properties like the protocols, like the asset type, et cetera, and we make that information available to Palo Alto so that you can have more effective policies. That’s the second bullet there.

The third thing we do is we allow for asset-based policies to be built using dynamic access groups, which is a feature of Palo Alto that makes tagging and grouping the DAG assets much more intuitive, much easier, much faster. We’ve recognized that that’s a feature that Palo Alto customers liked and we developed a feature that helps take advantage of it.

Daniel Shugrue:

The last thing that we do, and this is actually a little bit of paradigm shift and it’s, in some ways, if you’re just getting your feet wet in protecting your OT network, in some ways, this is the easiest route to go in terms of integration with Palo Alto, is you could use an application that we have created for the PAN application framework. The application framework is something that was just announced at Ignite ’18 this past year.

We created an app for it that basically allows the technology that CyberX has developed to analyze data that’s connected by the PAN sensors that are already in your network. This is a means of deriving intelligence that requires no appliance, relatively easy to implement. I’m going to show a quick video from Lee Klarich at the PAN Ignite conference that talks about how we do that and what the benefit of it is in just a second.

Before I do that, I want to dig a little further into the first sub-bullet in this slide. When we’re talking about loosely defined blacklisting malicious traffic, what types of traffic are we alerting the NGFW of and allowing the administrator of NGFW to block? Well, there’s basically five types. These are the types of activities that we make it easier for Palo Alto to block.

One would be unauthorized PLC changes. If we see an update to ladder logic or a firmware device, we’ll alert on it and allow that to be blocked. If we see a protocol violation such as an unpermitted packet structure or field value that violates a specification, we’ll send that information up to the NGFW. If we see a PLC stop command, basically, a command that would cause a device to stop functioning and thereby risking the physical process controlled by the PLC, we’ll alert on it via policy.

If we see malware that manipulates ICS devices using their native protocols—again, it’s important to be able to speak these protocols—we can alert on that. Finally, if we see malware that’s scanning, that’s looking to collect data about system configurations such as the Havex Trojan does, we’ll alert on that.

From an architectural standpoint, here’s what’s happening. Your OT network is on the two layers on the bottom here, CyberX is performing asset discovery in that OT network and is doing continuous network monitoring looking for anomalies. If it finds an anomaly, it sends alert to your SIM in your IT network and presumably in your security operation center or your PNC, somebody looks at that alert and can either okay the creation of a policy or CyberX can be configured to automatically create a policy that’s sent to PANORAMA.

Someone then, a human in the middle, would look at the newly created policy and if they approve it, they would commit the policy to the firewall itself or the firewalls in some cases depending on the nature of the alert, and thus you sort of bridge the gap from OT into IT. Now, at the same time that the policy is created, CyberX can be configured to send an email to the administrator letting them know that a new policy has been created so that they know that there’s something waiting for them to take action on.

Now, I want to show a quick video so that you can get a sense. I mentioned I was going to show how to make this integration happen. The video goes fast. It’s less than two minutes and it is subtitled, so I’m going to speak a little bit less, let you read, and if it induces panic because it’s going to fast, don’t worry. First of all, the video is available online on our website and on YouTube and second of all, should you choose to go down this path and integrate CyberX with Palo Alto, we would not only give you the video to help you with integration, but we’d also have people available to do it with you or even for you.

I just wanted to give people a taste for one, how far along we are, and two, I do think it’s relatively easy even though it does quickly. So, here it goes. Basically, two use cases. Why would you do this? One would be to streamline detection to prevention. We talked about that and then two would be to create asset-based policies. Those two bullets that I showed earlier.

Here’s editing the forwarding rule. Here’s some of the alerts. A little more detail on the alert. CyberX decides to block the alert. That means create a policy and then we jump over to Palo Alto. Here’s the policy for the human in the middle to look at. Then, I just simply click ‘commit’ and push to devices.

Lee Klarich:

So, CyberX, also IoT focused, but in the ICS space. Similar dashboard in terms of getting broad visibility, but they automatically build this chart of all the different devices in the ICS space and how they’re communicating. They allow you to drill into a specific device to better understand it, as well as to look at alerts if the device is doing something that wasn’t expected.

In this case, this device was speaking with another device on an application never been seen before. Now, you can drill into that in order to further understand the connection between these two devices. In analyzing that connection, you get a better understanding of whether or not this new communication was something that was supposed to happen or not.

We see the information about this device and what it’s designed to do and as we drill down, you now get to see across the entire infrastructure the bandwidth utilization across different kinds of devices, different segments of the environment. You get to identify anomalies that are probably indicative of something strange happening. It might be new devices, but it might be malicious traffic. In a lot of ICS environments, Modbus is the application of choice, so being able to understand how that is being used, but then interestingly, through the integration of the application framework, also understand any other applications that are running in that environment as well. It also might be indicative of something behaving the way that it’s not supposed to. Very cool examples in the IoT space. Now, I want to give one more example for you.

Daniel Shugrue:

All right, so I’m jumping back in. There’s our endorsement from Lee Klarich, Head of Product over at Palo Alto. Let me just jump back into PowerPoint here. That was an illustration of the third bullet on my integration slide, in other words, CyberX integration with the Palo Alto Networks application framework.

Hopefully, that made a certain amount of sense and gave you a feel for why OT is different from IT and how or I guess what the benefits are of integration with Palo Alto. I want to hand over at this point to Dharminder to talk about these topics from the Palo Alto perspective. So, Dharminder, over to you.

Dharminder Debisarun:

Thank you, Dan, for having us explaining what the capabilities are as partners to make OT more safer than it already is. What we like to introduce is the capabilities. If you don’t know your asset, how are you going to protect your environment? That’s why we seek out this relation that we have built with CyberX is to protect, you have to know your assets. You have to know what from where it’s running.

If you look at this Purdue model that we have over here and in the best practices, where should your firewall be landed is pretty well described between layer four and three and a half and three and a half and beneath. So, CyberX fits in exactly in these two levels where I described. The capabilities are, besides having a beautiful API that we can communicate and automate a lot of interesting enforcements, is if we look a closer look to our next-generation firewall, the capabilities are tremendous especially when an OT package, an ICS package, arrive at the firewall. We immediately know that this package is meant to be for OT environments.

We don’t have to send a package to different engines to analyze it. That’s why we have a such a low latency. Other stuff is that we are tremendous is have a huge library of app IDs, fingerprinting the ICS environment with the protocols like MODBUS. It gives you that granular enforcement capabilities on that protocol. Also, knowing who’s doing what on your network is very important. So, identify the user and, of course, the content that’s traversing the network is also good.

Besides that, if you are having a SOC, you want to have your SOC analyst be aware of what’s going on in your OT environment, so we give you the capabilities also within our products. If you have several next-generation firewalls over what is 100 sites, you want to be managing it very well and you want to have one management plan. That’s what PANORAMA gives you, one management play to manage all your firewalls with it. If that’s not good enough, we have a database like you all know, WildFire, with all these indicators to turn the unknown to known by machine learning. It also has a bare metal capabilities.

Let’s see what questions that we also have addressed is how you handle remote access with the next-generation firewall. What we usually intend to do is make use of a jump server or a remote desktop session, and it has always passed the firewall. On the firewall, you can have multi-factor authentication. From the firewall, you can jump towards the environment that you need to be doing for maintenance in that case.

Also looking further, if you have some business-side access towards your server zone or your engineering zone or your SCADA zone, we only give the use of that capability and he’s not allowed for the jump towards otherwise in that environment.

Looking from layer zero toward to layer four, we give you with our security operating platform in the next generation, next-generation firewall’s only one part of it, the complete, end-to-end visibility to act upon it to take the right decision.

Let’s give you a little bit of an overview how easy it is for the interface within Palo Alto next-generation firewalls. If you look at the first rule that we have over here, it says for ICS vendors. It’s very easy source and destination and what actually should be done and what security profile is being used. If you take the remote access as we discussed from the business zone where we have the workstation and if the user and the destination were going to in-house allowed.

We will give you all this type of information and the capabilities to really easily handle policies and define it in zones. It gives you really a simplified overview of our capabilities and gives you the contextual information that’s needed for you.

We already discussed what about legacies. Within Palo Alto Networks, we are able to protect endpoints, and we are using our product traps for endpoint protection. It’s a really lightweight agent with low CPU resources. It wouldn’t interfere in your operations, and we have automatic prevention. If you’re in an air-gapped environment, traps can be used because we have local analyzers and local machine learning. It will scan for malware and exploits and we are supporting legacy operating systems, including Linux. We give you the ability to control unapproved software. Of course, that will be a part of your image.

What I like to refer to is that we at NSS Labs, it’s recent research, and if you look at that we have zero false positives. That’s something I’d really like to focus on because you don’t want to spend a lot of time if you have a lot of false positives to investigating what’s happening. It’s like seeking for a needle in a haystack.

Where can we put our traps agents in an overview if we look at these use cases? Every server, if you have Windows implemented, is capable of that. Traps can be installed. For example, your historian database is your HMI, your engineering workstations. Questions that we often get is, “Okay, what about certification if I want to install it on certified environments?” Usually, we work together with vendors like Honeywell, Siemens to do the implementation together. That’s one of the options that is available for you within conjunction of these manufacturers.

We talked about our security operating platform. It’s not just only the next-generation firewall or our endpoint protection, it’s a whole integration of a platform that will give you an end-to-end overview of your network outside your parameter and inside your parameter to what’s happening so you can take the correct measurements. For example, if you are using SaaS applications, you need to protect your data on that. We are capable of helping you over there.

If you have cloud environments, we have our VM series that can be utilized. A lot of OT traffic is east/west traffic. With the VM series of virtualized, next-generation firewall, you have the capabilities to inspect the east/west traffic. Another thing is we have our focus for really SOC operators. If you have the capabilities to find compromised indicators and give you more context on it just to say, for example, this indicator belongs to a financial industry or ICS industry so you can take the correct measurements on your firewall.

This is one of our case studies that we did together with First Quality. Dan, could you elaborate a little bit more on this one?

Daniel Shugrue:

Sure, yeah. Ariel Litvin is a CISO for First Quality Enterprises, which is a consumer goods manufacturer with 5,000 employees. They are a Palo Alto shop and Ariel comes from the IT side of the world but recognized that as his company operates many manufacturing plants around the world, that he needed to implement some OT security.

In order to do so, he evaluated five, let’s call them pure play ICS security vendors. I think the first evaluation was based on giving pcaps to each of the vendors. Based on the analysis, if I’ve understood, he selected two. Those two did a proof of concept in their plant and CyberX was one of the two that immediately discovered vulnerabilities in their network.

Ariel implemented CyberX. He integrated with Palo Alto. He had very positive results almost immediately. As a result, he agreed to speak at Ignite ’18 about the success that he had with Palo Alto and CyberX. The talk that he gave was interesting for a couple of reasons. First, from a technical perspective in terms of how did they do the integration and why, but also, Ariel has what I would say is an important perspective to share in terms of how he integrated the OT personnel with the IT personnel in their SOC.

He has, I would say, a very human approach to breaking down the silos that existed at his company and encouraging communication between the OT and IT personnel. I recommend taking a look at the YouTube video that’s linked at the bottom here if indeed you’re trying to do something similar at your company and integrate the IT and OT people within your company.

Dharminder Debisarun:

Interesting in this case also was that I think the visibility that he created on the OT environment was not only for security, but the engineers were able also to detect latencies on the network because of program errors. I think instead of looking only from a security perspective, visibility can add more than only security.

We discussed the integration. Palo Alto Networks is having a rich API. It’s really easy to use and CyberX is a good example how they utilize the capabilities of our API. We can share this also with other vendors, the API can be shared, but looking at what we have now in an advanced way saying that CyberX in this partnership with Palo Alto Networks really gives you the capability for end-to-end visibility and gives you the right information so you can automate and make use of the next-generation firewall as an enforcement point.

When you have Palo Alto Networks, you’ve got a lot of capabilities, standard capabilities there’s already in. For example, our security lifecycle really gives you an overview of your environment and security. On the other hand, on the ICS part, we have the ICS hands-on workshop to help you better understand the next-generation firewall and the integration of CyberX. You will be making use of our virtual PLCs and how to protect them and how to break them of course, because that’s also needed to be known. We are doing hands-on workshops in upcoming months. Keep checking our websites for our hands-on workshops.

On the Palo Alto Networks side, we have several whitepapers, best use cases, case studies, how the next-generation firewall can be implemented in your environment and also looking at the free risk report that CyberX is making available to us.

Daniel Shugrue:

We have six minutes left, so I want to leave the ways to contact myself and Dharminder on the screen while I open up the questions here. Let’s see how many we can get through. The first question, do you automatically create the policy and compliance? I suppose that’s meant for CyberX.

Yes, CyberX creates the policy. We do not commit it. We send it to Palo Alto then we allow the human in the middle at Palo Alto to choose to commit or not commit the policy.

Dharminder Debisarun:

Yeah, so what we could add there. You can already use ServiceNow or other ticketing system where a firewall administrator will look to the tickets and say, “Execute”.

Daniel Shugrue:

We have a large PAN environment with many firewalls all managed by PANORAMA. Do you integrate with PANORAMA? Yes, CyberX does integrate with PANORAMA. That’s a relatively easy one.

Dharminder Debisarun:

Yeah, that’s why we have the API.

Daniel Shugrue:

Right. It can be difficult to create all the objects in a security policy. Is there an easy way to create the objects? Not the objects, but the policy. Yes, CyberX simplified the process. I mentioned this briefly on one of the slides, but we automatically create objects in the security policy. We tag the objects with PAN’s dynamic asset groups big feature on … This allows the firewall administrator to easily create simplified but effective security policies such as engineering workstations talk to PLCs or no one programs PLCs as they have been blocked or PLCs talk to historians, something of that nature.

I’d like to pass this one to you, Dharminder. How can PAN provide micro-segmentation in the OT environment without having to change the IP addresses of the OT devices?

Dharminder Debisarun:

What we do is we have something called a virtual wire. We install our firewall with binding of two firewall ports on one network. We create a seamless topology. Let’s say the firewall could see that there’s a bump into the wire. What we have to realize is you don’t have to assign MAC address or IP address, but this will only work if you are not routing or switching the firewall.

Daniel Shugrue:

I appreciate any questions I did not get to. We will answer either through our website, or through email follow-up. Yeah, I also extend my appreciation and thanks to everyone for listening. We hope to see you in a couple months or hear you in a couple months in our next SANS webinar. Back to you, Carol.

Carol Auth:

All right, thank you so much, Dharminder and Daniel for your great presentation and to CyberX for sponsoring this webcast which helps bring this content to the SANS community. To our audience, we greatly appreciate you listening in.

For our schedule of all upcoming and archived SANS webcasts including this one, please visit Until next time, take care and we hope to have you back again for the next SANS webcast.