Securing OT/IoT/IIoT Systems | Zenith Live 2021

Captions
Hello everyone, and welcome again. Today in this session we are going to talk about securing operational technology, Internet of Things and industrial Internet of Things systems. It seems like a long collection of topics, but you'll see through the presentation why it's actually much simpler than it looks when we talk about extending the zero trust platform into securing these systems.

Let me start out by talking about safe harbor. We are a public company, we're talking a lot about futures here in a public forum, forward-looking statements, so it comes with its risks and it comes with its potential. I would advise you to read through this whole disclaimer section. Having completed this, let's move on to the exciting part of this session.

Here's a quick intro about me and Manish. I joined Zscaler about nine to ten months ago, leading the OT security teams, making sure that we are able to take all the goodness that Zscaler has developed as part of its cloud security platform and extend that over to the OT security side of the house. I'm joined by Manish here, who brings in years of experience from his Samsung IoT stint and his Okta experience in identity, where we work together as a team and make solutions possible for securing OT systems, industrial IoT and IoT.

Without much ado, let's talk about what we are really going to cover here. We are going to talk about what the real challenges are when it comes to OT systems, IoT and IIoT; they're not exactly the same, and we'll go through the details. What are the key security considerations? It differs from vertical to vertical, application to application. How are we envisioning extending zero trust into OT and IoT? One of the key things we'll talk about is how one of our customers, Siemens, is going through with the secure remote access portion of it and how we are doing a joint partnership with them. Last but not least, we'll also talk about the security reference architectures for IoT and industrial IoT gateways. We won't be able to get through each and every deployment model that we have, but we'll at least give you a flavor of all the different use cases, and then we'll end the session with the next steps: what you can do, what the takeaways are, what you could be doing Monday morning, essentially 30 days from today and 90 days from now.

So let's look at the key challenges. When Manish and I have conversations with OT security folks, it's vastly different than talking to IT security teams. They always talk about plant downtime and people safety. Even the most recent attack on the gas pipeline was more about downtime and how it affects people and plant safety to a large extent; it's less about cyber security. The subtext here is air gaps that are disappearing, meaning all these systems are becoming connected. New business models require these things to be connected; if you're unable to connect these systems and do data analytics and predictive maintenance, you're essentially going to get outmoded and outwitted by your competition. So that's the theme here: you can't really avoid connectivity. We talk to a lot of customers who are saying ICS employees, industrial control systems employees, need internet access to be productive, so you can't completely air gap that, and we'll provide architectures as to how you protect yourself against that. And the IT security approach doesn't work: these are unpatchable systems, systems that have been deployed for decades, highly customized hardware and software. To give you a simplified definition of what OT security is: anything that is on the manufacturing floor. Let's say you have an iPad that's doing something with building automation; that is considered OT security. Anything that's on the manufacturing floor, even a Windows 10 workstation, is considered operational technology.

Now one of the things that's been ignored quite a bit is VPNs and firewalls. They are a big attack surface, especially on the OT side of the house. If you have a VPN, if you have a firewall that's facing the internet, even though it's security gear, that's what's been exploited. You don't have to do much; just google for it and you'll find VPN vulnerabilities or firewall vulnerabilities, and you'll see how they're affecting factories of the world today.

A quick primer on what IoT and industrial IoT are versus OT or industrial controls. We get this question quite a bit: does IoT just mean the smartwatch that I'm wearing, or the smart TV in the house, or smart TVs or smart appliances that are there in an enterprise? Yes, that's different. What we really mean by industrial IoT is all the sensor data that helps make these OT systems run smoothly or increases the safety of that. We're really not talking about IoT systems like your Nest devices; in the enterprise setup, IoT is your Nest device and in some cases it's your point-of-sale systems as well. The threat scenarios are different. On the OT side it's people and plant safety, it's loss of revenue. On the IoT or industrial IoT side it's not as dire in terms of consequences; yes, you'll have data leaks, you'll have these become entry points for other attacks. So depending upon how you look at it, for OT systems the threat to plant and people safety kind of trumps data breaches.

So let's look at the OT security pain points. If you look at it, this is called the Purdue model of security. We won't go through entire sections up here, but if you look at the ICS, which is the bottom four rungs here, there are different levels to it; that's what we call the on-prem or shop floor security. But since we're talking about connectivity and connected devices, we see a lot of use cases around secure remote access, meaning technicians wanting access to OT systems to do remote diagnostics and maintenance. This happens to be one of the big use cases today, especially in the COVID world. The second one happens to be secure application access: this is your workstations connecting back to ERP systems, this is your industrial IoT sensors connecting back to data analytics. When you talk about secure internet access, this is the ICS employees or users from the manufacturing floor wanting to connect to the internet, or there's a couple of workstations that need internet access for, let's say, downloading updates, downloading software. So it's highly controlled access across the board when it comes to remote access, app access or internet access. Then there's a whole section of challenges that come along with asset discovery, risk and vulnerability management, but as a cloud-first security company we focus on the secure remote access, wherever there's an intersection of the internet with the factory floor.

So let's talk about the Zero Trust Exchange. Why is it relevant in the OT security or the IoT security context? We're not talking just about users connecting to their apps. This whole concept of brokering two connections together, making sure that there's no network-level access, is extremely important when it comes to the factory context. We do not want to enable full-blown appliance network access; it always has to be least-privilege based. This is where the Zero Trust Exchange shines. Think of it like this: it's proven itself in the IT space for 10 years, it's now ready for OT security, it's now ready for industrial IoT. So how does this work? We're all about reducing the attack surface. We want to reduce the attack surface down to nothing. If your firewall is exposed to the internet and it's exposing all your factory locations, that's antagonistic to what you want in terms of security. So that's what zero trust brings into play: there's no attack surface whatsoever, even with connectivity. Replacing VPNs and firewalls is all about reducing the attack surface. Last but not least is making sure that there are no pass-through connections, so any internet access that happens, any application access that's happening, has to be inspected. Keeping in mind these three tenets, you can see how it's really applicable to the factory context, to the industry context that we're talking about.

So let's examine the secure application access, or secure remote access, use case here. How does it work? You have third parties or you have employees who have to connect to your OT systems, and they need privileged access coming into your factory floor. If you look at the zero trust components, we are talking about what we call a Client Connector, which runs on the client devices. In a short period of time Manish here will demo that; when he's demoing it, keep in mind he's going to show you the Client Connector running from his devices, from an emulator. So you need the Client Connector; you also need an identity provider, which is not shown in the diagram here, that allows you to establish the user identity; and then the last component there is the App Connector portion of it. All of this is achieved making sure that there are no inbound ports, either on the client devices or on the factory side. This is how your ICS or your OT systems remain invisible; that's the important part here, and it's the Zero Trust Exchange that is brokering this connection. A lot of times you get the question: if I don't want to connect to the internet, or hairpin across the internet, can I make my Zero Trust Exchange run locally? The answer is yes; you can deploy it as a Private Service Edge and make it happen. You can have a deeper session regarding this, but this is, in effect, at a high level how this works. Then internally, once the connections come to your App Connector, we're advising to use some level of VLAN segmentation, or some segmented networks, within which you'll have RDP or SSH-based systems to segregate and connect to each of these OT systems here. All of this is cloud delivered, so that's the beauty of it, and there are multiple customer deployments that we can talk about.

This is the other use case, internet access: when your OT systems want to have internet access securely. We have enhanced this even further, so that an ICS employee can actually just have internet access through our secure web gateway, and you can actually enhance it with browser isolation, making sure that there's a "look but don't download, don't touch" policy there. So these are the two main use cases.

Now let me get into the most interesting one, which is a variation of the secure remote access. This is what we have been working on with one of our partners, Siemens, largely. They have this Industrial Edge platform, which is essentially running a Docker container platform on Debian Linux. This is where they require access from their field engineers, remote administrators, business users; they want to get access to applications running on that Industrial Edge platform. And since these Industrial Edge platforms are running in different customer environments, it makes it quite challenging to run VPNs and open up firewall ports and such. The solution here was to make one of our zero trust components, the App Connector, run in a container form factor, and that's exactly what we're doing here. There are quite a few benefits of doing this, and one of the key things here is that only the authorized users even get to see the existence of these systems. So without much talking, let me switch it over to Manish, who's going to do a product demo regarding this exact secure remote access use case into OT systems, which is widely applicable not just in the industrial context but in the industrial IoT gateway context as well. Let me stop sharing here and have Manish do the demo.

Thanks, Deepak. I'm going to give you a demo of our secure remote access solution. Since we are all working from home lately, I'm going to show you access to my home lab rather than an actual OT environment, and all of this via the Zscaler Zero Trust Exchange. Here you can see my home network; it has a bunch of laptops, mobile devices, and also a bunch of servers running on my Intel NUC. What I'm going to show you now is that by introducing a Zscaler App Connector I can access both the systems as well as applications running on these systems from outside the home network. For this demo I'll be running the App Connector on a Raspberry Pi 4 running Ubuntu. The App Connector is deployed as a Docker container. On the OT side we are seeing Docker as a way to introduce functionality, and so we really see this as a very valuable addition. These Docker containers could be installed on devices not only on the factory floor, but lately we are having customers who want them deployed on ships at sea, oil rigs in the ocean, ambulances on the road, or even drones in the sky. All I have done to provision this is install Ubuntu on the Raspberry Pi and have it connect to my Wi-Fi access point. There is other traditional home networking gear like a switch, a router and obviously my cable modem, but this is very typical networking gear. Without opening any of the ports, I'm now going to securely access any of the systems on my network, and these applications could either be the Kubernetes dashboard running on my Ubuntu server or actually any of the systems here via SSH or RDP.

When I install this ZPA App Connector on the Raspberry Pi, it opens an outbound TLS connection to the Zscaler Private Access cloud. All access to the App Connector is brokered by the ZPA cloud from authenticated users. Out here I have my own tenant where I have provisioned the App Connector. You can see here there's one instance of the App Connector, "pi one", and it shows that it's connected and it has been upgraded recently. I've also configured an identity provider to authenticate users in order for them to access any of the applications or systems via that App Connector. In my ZPA tenant I'm using an Okta instance; you can use any of the supported IdPs like Azure AD, ADFS, Ping and more.

I'm now going to switch and show you what an actual end-user flow looks like. This is a web page that contains an emulated Android tablet from our friends at Appetize. When I click on "tap to play", it launches a virtual device which is actually spun up in one of the many data centers that Appetize operates out of. When I launch a device, it spins up from an available data center and renders the output on this HTML5 page canvas. When I click on this button, "open Kubernetes (k8s) dashboard", it opens a site which is actually running on one of the servers in my home lab, reachable at a local hostname. As you can see, you get an HTTP error saying that this site cannot be reached, and that's normal, because this emulated session is running outside of my network.

Now I'm going to show you how I can enable secure remote access by utilizing another core component of Zscaler Private Access, which is the Zscaler Client Connector. I'm going to launch an Android app which is available on the Google Play Store, and I'm going to log in using a user which is provisioned in my Okta tenant, with an email address on the sahoo.house domain. I've done an additional configuration to let my tenant know that any user which has the email suffix sahoo.house will utilize that Okta tenant to authenticate the end user. So when I actually click on login, it determines that this is a user coming from a domain which is registered with Zscaler and asks me to log in with my Okta tenant, after forwarding me to the Okta login page. I've entered my username, and now I'm going to enter my password and click verify. Right now it's just a simple credential, but based on the policies configured in the identity provider you could have a second factor, multiple factors, you could have passwordless WebAuthn, or any of the factors configured in the identity provider.

At this point the Zscaler Client Connector begins the enrollment process and begins the process of connecting to the ZPA cloud. What it's essentially doing is having certificates deployed to the device and creating that secure outbound TLS channel to the ZPA cloud. When I click on this button which says "open URL ip.zscaler.com", it shows me some information which is very specific to Zscaler. It tells you additionally which particular instance of the ZPA cloud it is accessing; here you can see it's using Zscaler Beta, and also the location that it is coming from, in this case Washington DC. That is an important feature of Zscaler, because Zscaler connects the user to a point of presence which provides the best experience to the end user. In this case this particular virtual image of an Android tablet was actually running from the Washington DC data center, and that's why when the user authenticated and began the process of enrolling with the cloud, it ended up choosing the closest location, which is Washington DC. This is very useful, especially if users are dispersed around the globe. We have almost 150 data centers, or sorry, points of presence, so it provides a very optimal experience for end users and provides the fastest path to the location which you're trying to access.

At this point, if I were to click on this button again, "open k8s Kubernetes dashboard", you can see that this time, instead of returning an error, it's actually showing me the Kubernetes dashboard, and this is a server running on the Ubuntu server on my network. Now you can access the site just like you would if you were running this locally or accessing this locally in your network. ZPA can broker the connection with specific access policies, so you can make the policies as permissive or restrictive as you want them to be. You can specify a policy which says that this user is only allowed this particular app running on this particular server, or you can tell it it can access any of the ports, either TCP or UDP, or you can deny access to SSH or RDP. All of this is configured out here as part of the application segments and the server groups, and in this scenario I've specified that any user which is authenticated with the Okta identity provider can access any application in these TCP port ranges. You can have all the diagnostics and the live logs; you can either access them here or send them off to your SIEM for more fine-grained analysis.

So you've seen very quickly that by leveraging an App Connector, which is very easily deployed in any kind of form factor, in conjunction with the Zscaler Client Connector which the end user is accessing, the Zscaler Private Access cloud has brokered secure remote access into any of the systems in a network. We feel this is a big game changer for OT network and security, and we look forward for you to utilize this in your own environment. That's it for me; over to you, Deepak.

Thanks, Manish, for that fantastic demo. We hope to see more of such demos, but let's continue with some of the use cases here. We talked about how this exact same secure remote access can be used in the context of industrial IoT gateways. We have multiple engagements regarding the same. The use case remains the same here: there's a technician, somebody from the factory, somebody that's authorized to look into these IoT gateways; it's about remote access. A lot of times these industrial IoT gateways are deployed in remote locations, like an oil rig or on a ship or somewhere you can't just fly somebody over to do diagnostics. At the same time you want secure access; you don't want an always-on VPN kind of connectivity. So all those benefits are exactly available here, and the form factor in which our product is running allows you to do that: it's taking very little CPU, very little network usage, and it works really well over high-latency, low-bandwidth connections.

This is one of my other interesting use cases, which is about secure internet access. Here we have a different section where we talk about securing point-of-sale systems, securing handhelds; it's very similar. If you have an IoT gateway that is Linux based, or based on one of the operating systems where you can run the Client Connector, you can think about the use case here as authenticating the device using some kind of machine authentication, or there could be a user behind it as well, and using that to connect to the application or to connect to the internet. So we are bringing about consistency: whether it's devices or whether it's users connecting to the internet, you can now have consistent access. Typically what happens is your IoT devices are reaching out to the internet for software updates, or they're reaching out to the internet to update data in a database or some IoT platform. They're not doing the same exact things as a user is doing, so you can get extreme control when you're able to bring in internet access through the Zscaler platform.

Let's look at another way of doing this. A lot of times you can't deploy agents on these devices, so we have a new product upcoming called the Branch Connector, and if you go back to the safe harbor statement, we're talking about futures here. The Branch Connector effectively operates as a default gateway, so now it takes over the device identity; it's able to use both Zscaler Internet Access and Zscaler Private Access to achieve the same functionality as the Zscaler Client Connector. Not much different here, but it extremely simplifies your deployment model, because you could literally have hundreds of devices behind the Branch Connector; as long as that IP segment is protected through the Branch Connector, all the same policies will apply.

Let's talk about next steps. We talked a lot about these use cases. One of the key things you need to understand here is how you know where to start. So the first thing you need to do is get an attack surface analysis, which will cover all your manufacturing locations as well, and don't be afraid: we're not going to go and start discovering these things by sending packets to your systems. We're looking at publicly available information, like Shodan, like DNS, like just simply googling for it, to be honest with you. This is a very interesting report that you'll get, and based on that you can start prioritizing which of these locations you need to go and look at first. Then I would suggest doing a virtual architecture workshop, because a lot of times what happens here is your business side is the one that's managing these factories; they need to hear from other customers what they're doing. So doing a virtual architecture workshop helps you figure out whether you can actually go and do shop floor segmentation at all: can you actually do that segmentation piece of it, do you have enough downtime for it? It brings out a lot of these details that are required. And you could effectively protect, I'm not saying all your locations, we understand the OT world is not as simple as the IT side of the house, but at least one of your factories, one of your locations, you should be able to pilot and see how well this protection works. I've had customers who have removed their industrial firewalls because they are actually creating downtime, to a large extent. So think about it, plan for this; you need to make partners on your OT side of the house as well, but we feel very confident about making this happen.

We are here to answer any questions, if you're able to find the chat window for these questions. I know we covered a lot during today's session: we talked about secure remote access, we talked about secure internet access, secure application access, we talked about OT systems and segmentation, and brought in new concepts about extending zero trust. We know it's a lot; we are happy to have one-on-one conversations to assist you through this journey of zero trust. With that, we'll leave you with our Zscaler manifesto regarding how we help you manage your risk, reduce it, and help you drive your digital transformation. Thank you, thank you.
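The access-policy concepts the demo walks through (application segments with TCP/UDP port ranges, server hosts, per-user allow or deny of SSH/RDP, and default deny so that an unlisted host is simply invisible) modelled as a small policy evaluator. This is an added example, not Zscaler's code or product logic; every hostname, CIDR, user, group and rule below is constructed for illustration.

```python
"""Added example (not Zscaler's code): toy model of a zero-trust broker's access
decision.  Application segments, hosts/port ranges and ordered allow/deny rules
mirror the concepts named in the demo; all hosts, users and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _host_match(pattern: str, host: str) -> bool:
    """CIDR patterns match IP addresses; anything else is an exact hostname match."""
    try:
        return ip_address(host) in ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == host.lower()


@dataclass(frozen=True)
class AppSegment:
    """Named set of hosts plus the TCP/UDP port ranges exposed for them."""
    name: str
    hosts: tuple
    tcp_ports: tuple = ()   # ((lo, hi), ...)
    udp_ports: tuple = ()

    def matches(self, host: str, proto: str, port: int) -> bool:
        if not any(_host_match(h, host) for h in self.hosts):
            return False
        ranges = self.tcp_ports if proto == "tcp" else self.udp_ports
        return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Rule:
    """Allow or deny segments for users from an IdP and/or in given groups."""
    action: str                  # "allow" or "deny"
    segments: tuple
    idp: Optional[str] = None    # required identity provider (None = any)
    groups: tuple = ()           # user must be in at least one (empty = any)

    def applies(self, user: dict, segment: str) -> bool:
        if segment not in self.segments:
            return False
        if self.idp is not None and user.get("idp") != self.idp:
            return False
        return not self.groups or bool(set(self.groups) & set(user["groups"]))


def decide(user, host, proto, port, segments, rules):
    """Default deny; returns (action, reason).  Rules are ordered, first match
    wins, and a host outside every segment is not even visible to the user."""
    if user is None or not user.get("authenticated"):
        return "deny", "unauthenticated"
    for seg in segments:
        if seg.matches(host, proto, port):
            for rule in rules:
                if rule.applies(user, seg.name):
                    return rule.action, f"{rule.action} by rule for {seg.name}"
            return "deny", f"no rule for {seg.name}"
    return "deny", "no application segment (host invisible)"


# Constructed sample configuration modelled on the demo's home-lab / OT scenario.
SEGMENTS = (
    AppSegment("k8s-dashboard", ("k8s.homelab.example",), tcp_ports=((443, 443),)),
    AppSegment("ot-remote-maintenance", ("10.10.20.0/24",),
               tcp_ports=((22, 22), (3389, 3389))),            # SSH and RDP only
    AppSegment("iiot-gateway-telemetry", ("10.10.30.5",), udp_ports=((5683, 5683),)),
)
RULES = (
    Rule("deny", ("ot-remote-maintenance",), groups=("contractors",)),    # evaluated first
    Rule("allow", ("ot-remote-maintenance", "k8s-dashboard"), idp="okta"),
    Rule("allow", ("iiot-gateway-telemetry",), groups=("field-engineers",)),
)
ENGINEER = {"authenticated": True, "idp": "okta", "groups": ("field-engineers",)}
CONTRACTOR = {"authenticated": True, "idp": "okta", "groups": ("contractors",)}
```

The ordering matters: a contractor hits the deny rule for SSH/RDP before the broader Okta allow, while a request for a port no segment exposes never reaches the rules at all.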
Info
Channel: Zscaler Inc.
Views: 364
Rating: 5 out of 5
Keywords: security as a service, cloud security, zscaler, sase, secure access service edge, digital transformation, secure cloud transformation, zero trust security, zero trust exchange, zscaler private access, zscaler internet access, data protection
Id: vOxpx6dRFQQ
Length: 28min 23sec (1703 seconds)
Published: Fri Sep 17 2021