Azure Defender for IoT: IT vs. OT - What is OT and How is it Different from IT?
hi my name is james mccabe i'm a global black belt for microsoft i am very specific to it and iot and ot cyber security today we're here to talk to you about the differences between ot cyber security which is operational technology and i.t or information technology cyber security my name is anthony bartolo and i'm a senior cloud advocate here at microsoft and i'm going to be playing the role of learner i'm very intrigued by what we have to take into consideration when deploying a cyber security solution on an iot architecture excellent so anthony have you had any kind of experience with ot cyber security in the past what have you done there i've done some small scale deployments of iot so this is my first foray into an actual ot type of implementation my practices that i've done previous to diving into mouse traps in terms of deploying these uh into restaurants and understanding where the patterns of mice are to catch the most mice so that the traps are kept clean to catch more mice at these restaurants i haven't really dabbled into the otps and that's my next step in terms of where i want to go with my career so what can you tell me in terms of the differences that you have to take into consideration with ot that's great you know it's funny a lot of people conflate uh iot cyber security with ot cyber security and they have very different functions in the world otherwise they wouldn't have like different three-letter acronyms of course because that's the most important thing um but uh operational technology has been around uh the first plc was produced i think in 1969 by general electric and that was really the biggest difference between this digital idea or zeros and ones of automation and what came previous to that which is steam automation and while we're not going to go that far back um you know being in the restaurant industry or having had some experience with it that steam is still used in a whole lot of operations whenever it comes to like dish cleaning and things like that temperature of water and all those kinds of sorts of things so so so you know it's funny there's this bleed through between you know what people think and it's the the no seems they can see this thing every day and not realize that it's actually part of a cyber security plan or should be part of a cyber security plan and to that point you know you can talk about tv shows that are actually pretty good and and fairly close to what the hacking ethos is and they put raspberry pi's behind uh thermostats and things along those lines as well as uh and that that's considered an ot cyber attack so you'll see that you know even though you know some of the stuff at least on the hacking side comes to it comes at us from the iot cyber security or even from the i.t side of the house ot um because of its soft underbelly because of the way it's been treated over time that things have to work and not just be secure um that perspective is very very different uh between the two two different types of technologies so we're definitely going to delve into that and then we're going to talk a little bit about industry 4.0 so you ready ready ready for this one yeah let's let's do it all right what why is a 1969 corvette considering you know considering it was one of the faster cars of its time slower than a four-door four-cylinder uh commuter car nowadays it makes less horsepower and it's slower to make that horsepower than your typical four-cylinder car why is that is it a weight weight to power ratio oh gosh i wish it was it was uh i wish it was actually cars now tend to be heavier because they're made out of high carbon steel which actually survives a wreck much easier um so it's it's bendier and gushier so it uh it actually tends to um it tends to be able to stand a wreck especially a frontal wreck so we're actually all safer for it now but cars are actually heavier than they were back in the day um but it's a good guess it's a very good guess uh i get a lot of people that say computers and for that i have to ask does the computer get out and push the car that's not really the case is it right so um really when it boils down um there's a thousand sensors in the motor of that four cylinder car uh measuring you know pressure of gas the amount of oxygen in the cylinder when it's firing in the spark up at the temperatures and all this other kind of stuff so you're getting over if you just leave a car turned on and don't even press a gas pedal you're getting about a gig of data per hour out of that car just on the sensor data alone and what the computer is there is to make real-time decisions on what's happening inside that car to make that car faster and way more efficient than that old corvette now the old corvette may be a little bit prettier just depends on what kind of commuter car you you've purchased that year uh some people's tastes you know vary so i'm not gonna make any conjectures there but the point is um you know uh you know if that's happening inside of a vehicle and that's just an edge case no pun intended um okay maybe a little bit of a pun but uh if that's if that's happening inside vehicles why wouldn't that happen in manufacturing so it's coming right um we already see the bleed through of this idea called industry 4.0 so some people say oh it's robotic some people say it's ai
even though that you know for people like you and me that that you know that acronym probably makes us cringe a little bit because we like talking about machine learning right but um you know all those things aside industry 4. is coming here not because of anything else but other than the data data data data so how since we have all this new data and we know that when it comes to it security data is the core of what we need to be able to fix that's what we need to protect what is the difference about the data in i.t cyber security as opposed to ot and to that um i point at uh you know differences in an i.t cyber security pyramid and an ot cyber security pyramid and i've got a graphic i'll show with this and essentially what it boils down to is that i t cyber security boils down to a three-letter acronym and if you're a cissp you know what it is already no i do not you don't okay cia right confidentiality integrity and availability and that order is really where um you know where the important parts of an i.t cyber security
i would say caught the hierarchy of needs you know whenever it comes to those sorts of things right um so we have confidentiality integrity and availability on the ot side uh where confidentiality's being the most important on the i.t side right on the ot side what do you think is the most important component of their cyber security practice i would say reliability because you would have to have the operations of the actual device working so we'll just say uh reliability availability are sort of the same thing right and and you're darn close right i can even conflate that and say that the safety portion of it when it comes to reliability is part of exactly the thing that you just said right so so the fact that you said you know say reliability safety can be definitely part of availability and safety you're you're dead on and you're one of the few people to kind of guess that right because most people you know you'll not see confidentiality very much in the ot side at all because they don't care um normally that's changing a bit right with intellectual property loss but we'll get to that in just a moment right so so safety is the most important part of that because safety systems actually make the whole system unreliable sometimes on purpose right it'll take things down it's supposed to shut things down kindly and make sure something doesn't blow up or people don't die so so safety is the most important part of that well that that changes up the equation whenever you're dealing with cyber security completely right one has a confidentiality as being the the kind of the mainstay of it you know and you can say if it's a if it's a kid's game it's sort of like um it's sort of like keep away right so one kid in the middle i'm trying to keep my data away from you i'm going to toss it over around you or something else like that so that's keep away on the ot side of the house since it's safety and availability being the most important and you use the the word reliability i like that one um i would i would definitely say that that that's more of a king of the mountain kind of game for the kids right and so there's two different ways that we can actually talk about the difference between ot and i.t cyber security we boil it down to a kid's game i think we all win a little bit because everybody can understand it a little bit better so um so since this is your first foray into this sort of thing you've probably never seen something called the purdue model right and the purdue model is kind of a layered model very similar to the osi model and so a lot of people also again get them a little bit mixed up um but purdue was originally not a cyber security model uh which everybody tries to kind of fit it it's sort of a roundish peg in a sort of overly square hole type situation so uh it sort of fits but then it sort of doesn't right um because it was about segmentation of zones of availability or zones of of responsibility inside the plant well that was really more about safety than it was about cyber security at the time or anything like you know uh cyber security so that's that's part of the problem so you have this levels and below all the other levels is the safety zone and it kind of bleeds through up all the different levels of the purdue model level zero is is basically the electrical model very electrical portion of the model very similar to your osi part right uh level one is is essentially what you call the basic controls and that's that's really and the electrical level the zero one is really where your electrical motors your actuators are um you know uh uh any kind of of things that move uh like a wind fan or anything that's the actual physical part of of the actual uh process itself level one is sort of the electrical layer and where electrical sort of starts meeting very very basic control sets is the switch off or is the switch on or is it off and on and off and on so fast it's making the motor go half speed or sort of you know and that's called pulse width modulation right that's really that that level one so if you look up pwm there's tons of videos on it of people expounding about what they like to talk about right and then level two on that whole thing is what you refer to normally is the real-time protocol and a lot of people call it real-time protocols um as opposed to tcp for one very specific reason everybody's like oh because it's got to be fast well to some degree it's got to always be on time so these real-time protocols are about very precise timing for sure and that's definitely one piece of a real-time protocol what would you guess the other one was what's the difference between tcp what what is really the tcp ip model based on what's the top of the food chain on the seven layer osi model communication well that's application right it's all about the app yes and what does an app do what does an app do an app talks to humans right machines when they talk to machines and ot stuff they only talk on the machines they really don't talk to the humans it doesn't talk to humans until you get up to a human machine interface or engineering workstation so really automation and this operational technology is really just about machines talking on the machines do they care about an application layer then no so essentially it's just you you eschew that whole top portion of the osi model and that's the other reason why something's called a real-time protocol is because it never gets there's no application there normally it's just machines talking to machines now we're not all neo yet um although maybe we eventually be if you know we're allowed to have chips in our head um so uh you know that's not happening today at least not to me anyway uh so you know uh since i can't talk directly to the machine i need an application to do it and that's really where this stuff comes in and one of the big differences of real-time protocol versus tcp is there's just no intention of an application ever um you know in that particular since you're not talking to humans right so so those are the two things that really make up a real-time protocol and that's that level too and that's really where we expose the soft underbelly of this operational technology cyber security because everything above it can become kind of considered i t above level three of purdue and above you're starting to talk you're starting to bleed computers into that sort of thing and that's where you're getting some of the i.t stuff even though these workstations are
behind layers of firewalls and you know we have an air gap and you know it's different completely from our enterprise levels way up here uh these are you know engineering dedicated computers that sort of thing it's still a computer which means there's still some it associated with it there's no way we're going to get away from that so so when you start getting up to level 3 of the purdue model you're getting into that tcp talking to humans layer that's really not as the biggest concern is the level 2 and below which is exactly where i used to work in a company called cyberx which was purchased by microsoft which is now azure defender for iot that's really where that that cyber security piece plays in and so uh when you're talking about those sorts of level two or real-time protocols you're really talking about something called a distributed control system or a dcs have you ever heard of the term before i have not uh so when you usually talked about ot can can i get a raised hand did you call it scada all the time yes and that's the thing right we we yeah well i did too um when i went first went to work for oil and gas companies i'd come fresh from being a internet service provider network engineer right and i can't had come into oil and gas and they all started laughing at me because i really had no idea what to say oh that's all scada stuff you know we we dealt with that i know what that is it's building management systems and battery backup systems and things like that i did all that stuff it's it's got some little corny protocol that goes with it and it doesn't really matter well you know what's the fastest way to shut down any data center do something to the battery stack the generators and or the the crack systems for the air conditioning right so easiest side channel attack in the world to take down a gigantic the whole data center not just part of it right so to that point um that's you know where we're more worried about these sorts of things because we see more and more side channel attacks coming in as if some people want to call them supply chain attacks um it depends on where you're at you know people are attacking the thing you do as your core business whether that be monitoring software uh for your ip networks or if it's uh you know your air conditioning system for your building management system if you're a hospital or something like that so so we we're seeing more and more of these side channel attacks attacking not just critical infrastructure but you know all kinds of things that have to do with uh our economy and maybe our health and things along those lines so since we're seeing it bleed down in there we're really very concerned about these layers that classically hasn't haven't been protected because people are like oh nothing happens out of that layer well if you have an engineering workstation you've hopped around over the network and you finally figured out how to get into that hop that air gap because given enough time anybody can figure pick something apart um whether it be remoting into this workstation or something else like that you know using vpn technology or something because you stole someone's credentials um that's what actually happened on the triton attack to try to get to the safety systems of a plant right and so when we're dealing with those distributed control systems everybody's like oh you can't talk to them unless you get to the engine workstation well that's that's not true i only need three scripting languages three script and that that means that it's only in memory do i need this i don't need it written to to a disk i don't need malware to get from outside your entire infrastructure to your ot systems and the first one is java right hop on your browser put a little bitty resident you know dropper on there the second one is mimi cats which is basically essentially powershell so that's my second scripting language is powershell powershell empire right and the third is python and python's loaded on so many workstations especially the stuff in the lower layer because you can load uh pi modbus you can load pi dmp3 or any of these libraries allows you to talk these real-time protocol languages directly from a computer and if you've got that kind of control you're reaching all the way down into layer 2 and making some real impact uh there so and that impact is actually with something called ladder logic have you ever heard that term before ladder logic i have not know have you heard of something called determinism before a deterministic behavior yes that's the whole aspect of you're continuing the attack to make sure that you actually get through and you continuously put forth effort to try to get to the data you're trying to get to yeah it's a stepped attack very similar to your miter attack framework so you've probably heard determinism associated with miter attack right well it's been in distributed control systems forever because usually if you're a big fan of nick at night i guess that's probably our age if you're talking about i love lucy um there's a very famous i love lucy episode with her on a chocolate bon-bon line and she's there with ethel and they're wrapping the little bitty candies and they're doing just fine until somebody changes something right you watch it and it's not the fact that they change the speed of the belt the number of bon bons coming out is really the thing that kind of messes them up so they're stuffing it down their shirts and you know eating the bon bons and trying to get rid of many which way they can just so they can catch back up again well very small changes in ot systems which deterministic if this happens then this thing happens right if i speed up the belt i've got to speed up my wrapper as well right and if i don't do that if i put the number of bon bons on there that's way too many you know some of them don't get wrapped they gum up the works and you know all of a sudden you have this this cascading effect and that's what determinism is essentially is once i've done this little bitty thing i can have this butterfly effect where it increases automatically in a wave right and so this deterministic behavior is which creates these sorts of problems and this all comes from the lateral logic that's usually built into these programmable logic controllers which take this digital i o piece well what they really do is they take this real-time protocol where you're just loading stuff in red memory registers with this little bitty super thin operating system i just you know load something in this memory cell here that means that this thing's got to blink at this certain speed right that's all that programmable logic controller does regardless of what protocol it talks right and then that turns the digital i o which turns little bitty switches on and off at electrical level for that on off on off digital piece which then you know has an effect on motor speeds and all kinds of stuff like so that that that thing that translates all that stuff is a programmable logic controller that thing depends upon the latter logic of this architecture and so if you're not directly seeing what that thing's doing and seeing the determinism has been changed on the network you can't really see what's going on and that's that's really what the big key difference is here everybody's like oh you know we've got this behavior analytics for the endpoints and stuff like that but does it track this idea behind determinism if the changes happen here what happens on that cyber physical side and the cyber physical side is weird you and i were talking previous to the recording and we we said hey um have you ever shut your faucet off really really quickly before and you said sure right yeah what happens in the what happens what do you hear you hear the pipes rival right well the you and the you know turn off really really quick all of a sudden you hear it in the in the ceiling right that's because the pipe just goes it smacks because the compression wave of you stopping that valve very very quickly and it hits the rafters well that's what you're hearing well you know you hit the rafter hard enough and your pipes aren't gonna last very long so you probably shouldn't be doing that too many times right but if you do it on and off and off you're gonna make the thing you know and essentially the same sort of cyber attack cyber physical attack can happen to things naturally right if if i take that and shut off the valve to a you know 1 000 gallon oil per minute pipeline that's about as big around as my house is large right um and i do the same thing to it you know you know metal doesn't really do very well and that sort of thing so things can tend to blow up uh you know uh so so that's that's part of the problem so understanding that that's the cyber physical aspect means you have to deploy at very very low layers of this architecture to be able to see that sort of stuff and that that is that is actually one of our biggest challenges in ot cyber security are we seeing the things that actually matter in the ecosystem so so knowing that you have to have a couple different questions about maybe a tax or where to deploy or something else like that if so if you have a question ask away so my biggest question right now is understanding from the i.t perspective and the information technology information of things you're you're securing the the information is being passed through in ot you're doing operational things and you're securing the operations of that aspect and we're not worrying about the application layer as you said we're worrying about the device itself uh and it working reliably how are we managing that device to ensure that you know somebody isn't just going on and turning off and off on off a switch and understanding that it is actually operating properly or based on the mandate of what's required of it you made mention of that you know the the tank of oil that is pushing out at a certain psi that's lubricating machinery how are we ensuring that you know if we're not looking at it from the perspective of the application layer how are we getting into in essence the bias of these devices to ensure that it's actually operating as required and are there any outside factors like you mentioned earlier power if i can't attack that oil pressure uh jug can i just cut the power uh and what do i have to know in that respect in terms of the environment that these devices actually sit in yeah it's those are great questions so there's a couple things i want to take it and split it up a bit right so one of the things that we mentioned already was the deterministic behavior of something so if you have your little oil can on the side of your robot that has to feed the robot you know oil at a certain speed or maybe it's a wind farm right that that oiling can then feeds the motor so it can keep spinning and producing electricity for everybody right so regardless of what that is um can i maybe go cut the power to it well that goes back to the deterministic nature of these things if if i'm cutting my power then i've got to send a signal to some part of that framework which would be the programmable logic controller for that thing right if i'm going to go reprogram that on a day inside a day or send a stop command to it that's going to be very different from what usually happens on an operational level anyway so i have to have this idea of a of a baseline of what came before it and what things happen on this network so everybody talks about baselining when it comes to ai and ml type of cyber security and that's one of the reasons why i started doing ot to begin with is because i love dealing with ml and and doing stuff in in ai research i absolutely love that stuff but i already recognized that uh application levels cyber security the it side of the house is so chaotic and non-deterministic right application based essentially that baselining doesn't always work that well as a matter of fact it could be quite noisy when you do that in the ot environments it is a very very different uh aspect and takes a different perspective so i know i don't ever see s7 stop commands in the middle of the day to a pump or a valve right so me sending a stop command to it in the middle of the day during production would definitely raise a few alarms so understanding that baseline for that ecosystem or that that network uh helps me understand how to protect it right the other thing too is um it's one thing to be anomaly detection or anomaly detection you know from a baseline right it's quite a different thing to already be pre-trained on what current attack patterns look like right and everybody calls these if you're going to use mitre attack framework ttps tactics techniques and what is the third one it is a procedures thank you so sorry about that right so understanding an attack from to ttp angle is very different from understanding it from like an ips or av signature type situation right i am understanding partially my portion of the attack which looks very similar to these sets of attacks over here so if i can actually start training that machine model with something that has come before it i'll shore up that machine model with hey this looks a little bit like this attack on the tactics techniques and procedures not just the actual signature itself and so i'm not playing signature whack-a-mole afterwards i'm actually bubbling up stuff and then being able to filter out false positives a little bit better i stack that with something that's been pre-trained to know how a specific process control system works may whether it be on modbus or dnp3 or ethernet ip and i know this ecosystem because i've pre-trained it with what a normal system already looks like it's it comes pre-trained so as soon as you shove the thing in i don't need a month of baseline learning to let to give you some insights i know immediately hey that thing's you know authentication's messed up that thing over there keeps rebooting and it shouldn't be that thing keeps asking for an ip address that's probably bad this thing's over here is spraying a lot of traffic that's probably not good either because most of that traffic is usually you know a couple kilobits per day not even megabits right because we're not dealing with applications again we're not transiting large amounts of packets well here's where bringing the data up out of just the sensor level that layer two up into a greater set of analytics would really help you right because you have to be able to correlate what one sensor is seeing to what another sensor is seeing over here and then not overwhelm with too much signal coming out bound so this resultant set has to be very very smart uh and only give maybe 50 to you know 100 signals per month but that data so if you cut that and you start seeing a lot of signal coming out of this side you can automatically know that there is a change that was made in the operational side that could affect the entirety of everything and start alerting to that sort of thing so so so there is a lot that you can do as an overall architecture placement of those that sensing mechanism to features that may not be part of that particular system so building management systems are usually handled by third-party companies so putting a sensor on that network even though it's the third-party network is extremely efficacious for you right putting on your own to manage your own there is also very very important and if you can dealing with your power from the outside and knowing where that's coming from and putting the sensors in that area as well so so what you're getting here is an information framework that would be able to feed uh you on side channel attacks right there and know what kind of impact it's going to make on your business so good question so it's capturing the information from the environmentals not just from the equipment itself understanding the scenario that's at play and then when something fails or when it detects that there is a something that would affect what the operations of the plant in essence it would then you know make an alert or make notification that this is occurring well that's the reason why we have the iot hub bleed together not just what we have from the cyber x side of the house and the sensor right but also from green field sensors that you would deploy also from other brownfield technologies that you can overlay like azure sphere so you can know these changes that are happening the operational side so there's just this entire ecosystem from greenfield to brownfield which is essentially already deployed stuff that you can actually pull that sensor data in make some sense of it using a few algorithms and give you basically the operational impact of any given change on your on your ecosystem so it's a good question understanding the logic in terms of the protection piece what is defender's role in all of this so as your defender for iot the the the role that it actually plays is sort of a so lots of people like to call it an ids or ips or which is an intrusion prevention system or an intrusion detection system that's there are bits of that in in the product itself but it's really falls into this area called an nbad nbad which is network behavioral and analytics detection right and so what is the attempt of it well it's the attempt to take the playbooks or sorry the workbooks that you have in the core maybe that usually associated with your stem and push them down to the severe edge remember that computer and that car that i talked about before that sensor data that you were getting there it was able to make the real-time decisions out of the edge actually inside the car as it was getting real-time data you can think of that that sensor as the ecu in your car you know it's making real-time decisions right there now does that mean that the car might call back home one day and get service and know when to get serviced and things like that and tell your the the computer in your car that hey you can make these little adjustments until you're able to get you know to the to the dealership or to the car service center absolutely 100 that's you know that day is coming both on the car side and it's pretty much already here in the manufacturing side if you use azure defender for iot so there's definitely those pieces that if you deploy azure defender you can start making intelligent decisions all the way out at your edge really help out your operations not even your cyber security but the operations of your plants whether you're in manufacturing or your power production that sort of thing you can start getting that kind of resultant set of information way way down at the edge so that's that's part of the part and parcel to it and what's it's role at the helm of this you may mention in terms of the security piece and even the operations piece what would be the id professionals then responsibility or do they are they reporting back to the plant in regards to where the deficiencies lie or the possible security vectors are what are the reporting mechanisms that are available how does it relay what's being captured back to the organization so that they can be part of the decisions of how the organization will move forward to address threats or optimization so we're going to cover that in a little bit of a different talk coming up here in just a minute on a separate talk but let's take a ticket from the top and give you the 30 000 foot view and then we'll cover it a little bit deeper and in a different discussion so the sensor is split brained it is on the operations side where you have operational errors and it has security for security errors right so the operations people aren't going to care on a day-to-day basis i'm sorry for all you i.t cyber security people they just don't care because you know their answer to quite a few things is turn it off and turn it back on again we are probably not going to change that in our lifetimes so um but the fight we can fight is giving those same people a new visibility of that part of the organization where they may not see those operational errors you're basically giving them a monitor for the stuff that the the third-party companies they work with they they won't give them that visibility so you're giving them almost a deck of exactly what they do on a daily basis you can make that visible inside the plant for them that they can go and take a look at when everything else fails we had a very expensive glass manufacturer come to us and and say hey your system has been in here for about a month and our plant's been down for a day and a half now what did you guys do to make a change because none of us made a change right and so they've done a plan turn around that weekend they made some changes in the logics of some of their you know they upgraded the firmware and upgraded the logic of some of their plcs and you know uh it was working fine during the weekend when they did change management acceptance testing they got outside their change management window uh they come back in monday all of a sudden everything starts shutting down automatically so they're at the that stage of troubleshooting which is the pointing of the fingers right we've all been there that stage of troubleshooting before and um they called us up and asked us what was going on we said well we're this this thing is 100 passive it does nothing on your network it's it's all passive analytics so all we're doing is taking a copy of your traffic and making some really cool decisions on it telling you what's going on so have you got to go take a look at the console because there's literally nothing we can do to your your infrastructure um to to do the things that you described and they said no they hadn't so we go you know remote in and we took a look at the screen with them and within about two or three minutes we find out the problem what had happened was that a a laptop the one that did the firmware updates had gone and updated the firmware and then it said successful update successful well it hadn't also sent the new ladder logic down to the plc's as well right um it came in monday morning i guess it failed or something on the network uh it came back in monday morning re-attempted the brand the update of the lateral logic at that point in time outside the change management window when it did and it was successful it shut everything down well they didn't see the change and they hadn't expected to change because you know they had already thought it was successful because you know no what software or application usually has problems you know so so that's what happened we saw it happen we were able to cut and paste back in the changes that were made and then within 15 minutes they were back up and operational again those are the sorts of things you can help those operations people and the plants fix that particular set of problems so if you're giving them value while you're there to also do the cyber security stuff which they can't really care about too much until they shut the plant down for ransomware for the entire week or something like that and everything has to go get reimaged which happens still right so they do care about that part but but you know not until it usually happens right because they have they have a job to do and we have to all recognize that that's that's really where that sort of thing comes into it um understanding you know how they do work and how they get paid helps us do our own work and and and help them stay up so good question so so in regards to first steps right we've gone through a bunch of scenarios we've gone through the definitions of ot and i.t and you know environmental is being protected not just the machinery itself and understanding what it could occur first steps for an organization that now wants to put forth the security effort where do they start that's great uh so they start off with visibility that is the one thing that uh you know we were built to do first because a lot of these technologies have been black boxed in the past because you hire a third-party manufacturer to come in and put it in for you because those process control engineers and automation engineers are very rare um usually very expensive so they're usually a third-party company that comes in maybe even the manufacturer itself that brings their consultants consultancy services in to do the work right so a lot of the technologies a black box and and then once they hit it off the key's off to you you're just supposed to run it and then call them if there's any problems right so that's the reason why most people don't work on their cars anymore is because it's so complicated to work on the car i just want the keys because i got to go drive that car to work right you're not going to sit there every day and delve into the the car to see how it's working that day right so the same could be said for your manufacturing plants the analogy just kind of holds up across all of it so um so knowing that these are black box things and having something new that attaches to your car or your manufacturing plant that then can give you a resultant set of changes that are being made within it helps you maybe make some decisions that prevent some outages in the future right um see what you can't see before so we always start with visibility the behavior of that thing how it gets mapped out what assets you own um and everything else and then you can start making some really intelligent decisions after you know something behaves what you have what it costs and what the vulnerabilities of those things are once you understand that sort of visibility everybody can start making some intelligence decisions given the right kind of data and that's that's really always the first step thanks james this has been awesome it's been so informative so much information thrown at me here i've been taking copious notes i'm i'm wondering in regards to defender where do i start grabbing information in regards to that specifically for iot you know this is really something having come over to microsoft i asked for forever when i was with the previous company um and now it's here and i'm i'm dumbfounded by it anybody with a credit card and a browser can go to the azure portal today when you go there you can actually get azure defender for iot as an app which is very different for for the ot world right i i'm pretty sure nobody else does this you can download the sensor um even have it to where you can play pcaps offline you don't even have to connect it to your network yet if you have have to do some acceptance testing or talk to your or you know talk to your service providers or whatever for your manufacturing plants or for electrical plants um or what have you whatever you're going to be connecting it to um you can play the pcaps that you get from those particular networks at it and get some very real information out of it today with some very decent risk analysis just from a packet capture and that's kind of the power of the tool that it can see so much within deep packet inspection the longer you get it obviously the the the bigger the p cap or the longer the p cap the better you you know result instead of information you get out of it of course but um that's really where you start so today you can go to portal.azure.com uh you know feed in your credit card to get a get a uh you know get a subscription put the sensor either in a vm um or you can even order a physical appliance if you'd like and then uh even start dropping pcaps before you even deployed on the network once you've done that you can actually plug it in into a tap or span port or mirror uh into your that your network where you've got the important stuff where you've decided that you want to plug it in at to get better visibility and then you can actually go from there on monitoring and real-time uh uh discovery of things that are going on once that happens you can start tying it into the uh enforcement portions of your network you probably already invested in your next generation firewalls your knack systems your content filtering your i could keep going on your zero trust networking architectures it can be plugged into all of that um to give you that ot muscle uh and iot muscle that you may be missing now so james this has been awesome thank you very much for your time and if you want to learn more navigate to portal.azure.com uh bring
up defender and not only will the service be there but the full documentation made available specifically covering operations in iot and sir thanks so much appreciate it