Azure Defender for IoT IT vs OT - What is OT and How is it Different from IT

Hi, my name is James McCabe. I'm a Global Black Belt for Microsoft. I am very specific to IT and IoT and OT cyber security. Today we're here to talk to you about the differences between OT cyber security, which is operational technology, and IT, or information technology, cyber security.

My name is Anthony Bartolo and I'm a Senior Cloud Advocate here at Microsoft, and I'm going to be playing the role of learner. I'm very intrigued by what we have to take into consideration when deploying a cyber security solution on an IoT architecture.

Excellent. So Anthony, have you had any kind of experience with OT cyber security in the past? What have you done there?

I've done some small scale deployments of IoT, so this is my first foray into an actual OT type of implementation. My practices that I've done previous to diving into mouse traps, in terms of deploying these, uh, into restaurants and understanding where the patterns of mice are to catch the most mice, so that the traps are kept clean to catch more mice at these restaurants. I haven't really dabbled into the otps and that's my next step in terms of where I want to go with my career. So what can you tell me in terms of the differences that you have to take into consideration with OT?

That's great. You know, it's funny, a lot of people conflate, uh, IoT cyber security with OT cyber security, and they have very different functions in the world. Otherwise they wouldn't have, like, different three-letter acronyms, of course, because that's the most important thing. Um, but, uh, operational technology has been around, uh, the first PLC was produced, I think, in 1969 by General Electric, and that was really the biggest difference between this digital idea, or zeros and ones of automation, and what came previous to that, which is steam automation. And while we're not going to go that far back, um, you know, being in the restaurant industry or having had some experience with it, that steam is still used in a whole
lot of operations whenever it comes to, like, dish cleaning and things like that, temperature of water and all those kinds of sorts of things. So, so, so, you know, it's funny, there's this bleed through between, you know, what people think and it's the, the no seems they can see this thing every day and not realize that it's actually part of a cyber security plan, or should be part of a cyber security plan. And to that point, you know, you can talk about TV shows that are actually pretty good and, and fairly close to what the hacking ethos is, and they put Raspberry Pi's behind, uh, thermostats and things along those lines as well as, uh, and that, that's considered an OT cyber attack. So you'll see that, you know, even though, you know, some of the stuff, at least on the hacking side, comes to it, comes at us from the IoT cyber security or even from the IT side of the house, OT, um, because of its soft underbelly, because of the way it's been treated over time, that things have to work and not just be secure, um, that perspective is very, very different, uh, between the two, two different types of technologies. So we're definitely going to delve into that, and then we're going to talk a little bit about Industry 4.0. So you ready, ready, ready for this one?

Yeah, let's, let's do it.

All right. What, why is a 1969 Corvette, considering, you know, considering it was one of the faster cars of its time, slower than a four-door, four-cylinder, uh, commuter car nowadays? It makes less horsepower and it's slower to make that horsepower than your typical four-cylinder car. Why is that?

Is it a weight, weight to power ratio?

Oh gosh, I wish it was. It was, uh, I wish it was. Actually, cars now tend to be heavier because they're made out of high carbon steel, which actually survives a wreck much easier. Um, so it's, it's bendier and gushier, so it, uh, it actually tends to, um, it tends to be able to stand a wreck, especially a frontal wreck. So we're actually all safer for it now, but cars
are actually heavier than they were back in the day. Um, but it's a good guess, it's a very good guess. Uh, I get a lot of people that say computers, and for that I have to ask: does the computer get out and push the car? That's not really the case, is it? Right. So, um, really when it boils down, um, there's a thousand sensors in the motor of that four cylinder car, uh, measuring, you know, pressure of gas, the amount of oxygen in the cylinder when it's firing in the spark up at the temperatures and all this other kind of stuff. So you're getting over, if you just leave a car turned on and don't even press a gas pedal, you're getting about a gig of data per hour out of that car just on the sensor data alone. And what the computer is there is to make real-time decisions on what's happening inside that car, to make that car faster and way more efficient than that old Corvette. Now, the old Corvette may be a little bit prettier, just depends on what kind of commuter car you, you've purchased that year. Uh, some people's tastes, you know, vary, so I'm not gonna make any conjectures there. But the point is, um, you know, uh, you know, if that's happening inside of a vehicle, and that's just an edge case, no pun intended, um, okay, maybe a little bit of a pun, but, uh, if that's, if that's happening inside vehicles, why wouldn't that happen in manufacturing? So it's coming, right? Um, we already see the bleed through of this idea called Industry 4.0. So some people say, oh, it's robotic, some people say it's AI,
even though that, you know, for people like you and me that, that, you know, that acronym probably makes us cringe a little bit because we like talking about machine learning, right? But, um, you know, all those things aside, Industry 4.0 is coming here not because of anything else but other than the data, data, data, data. So how, since we have all this new data, and we know that when it comes to IT security, data is the core of what we need to be able to fix, that's what we need to protect, what is the difference about the data in IT cyber security as opposed to OT? And to that, um, I point at, uh, you know, differences in an IT cyber security pyramid and an OT cyber security pyramid, and I've got a graphic I'll show with this. And essentially what it boils down to is that IT cyber security boils down to a three-letter acronym, and if you're a CISSP you know what it is already.

No, I do not.

You don't? Okay. CIA, right? Confidentiality, integrity and availability. And that order is really where, um, you know, where the important parts of an IT cyber security,
I would say caught the hierarchy of needs, you know, whenever it comes to those sorts of things, right? Um, so we have confidentiality, integrity and availability on the OT side, uh, where confidentiality's being the most important on the IT side, right? On the OT side, what do you think is the most important component of their cyber security practice?

I would say reliability, because you would have to have the operations of the actual device working.

So we'll just say, uh, reliability, availability are sort of the same thing, right? And, and you're darn close, right? I can even conflate that and say that the safety portion of it, when it comes to reliability, is part of exactly the thing that you just said, right? So, so the fact that you said, you know, say reliability, safety can be definitely part of availability and safety, you're, you're dead on, and you're one of the few people to kind of guess that, right? Because most people, you know, you'll not see confidentiality very much in the OT side at all because they don't care. Um, normally. That's changing a bit, right, with intellectual property loss, but we'll get to that in just a moment, right? So, so safety is the most important part of that, because safety systems actually make the whole system unreliable sometimes on purpose, right? It'll take things down. It's supposed to shut things down kindly and make sure something doesn't blow up or people don't die. So, so safety is the most important part of that. Well, that, that changes up the equation whenever you're dealing with cyber security completely, right? One has a confidentiality as being the, the kind of the mainstay of it, you know, and you can say if it's a, if it's a kid's game, it's sort of like, um, it's sort of like keep away, right? So one kid in the middle, I'm trying to keep my data away from you, I'm going to toss it over around you or something else like that. So that's keep away. On the OT side of the house, since it's safety and availability
being the most important, and you use the, the word reliability, I like that one, um, I would, I would definitely say that, that that's more of a king of the mountain kind of game for the kids, right? And so there's two different ways that we can actually talk about the difference between OT and IT cyber security. We boil it down to a kid's game, I think we all win a little bit because everybody can understand it a little bit better. So, um, so since this is your first foray into this sort of thing, you've probably never seen something called the Purdue model, right? And the Purdue model is kind of a layered model, very similar to the OSI model, and so a lot of people also, again, get them a little bit mixed up. Um, but Purdue was originally not a cyber security model, uh, which everybody tries to kind of fit it. It's sort of a roundish peg in a sort of overly square hole type situation. So, uh, it sort of fits but then it sort of doesn't, right? Um, because it was about segmentation of zones of availability, or zones of, of responsibility inside the plant. Well, that was really more about safety than it was about cyber security at the time, or anything like, you know, uh, cyber security. So that's, that's part of the problem. So you have this levels, and below all the other levels is the safety zone, and it kind of bleeds through up all the different levels of the Purdue model. Level zero is, is basically the electrical model, very electrical portion of the model, very similar to your OSI part, right? Uh, level one is, is essentially what you call the basic controls, and that's, that's really, and the electrical level, the zero one, is really where your electrical motors, your actuators are, um, you know, uh, uh, any kind of, of things that move, uh, like a wind fan or anything. That's the actual physical part of, of the actual, uh, process itself. Level one is sort of the electrical layer, and where electrical sort of starts meeting very, very basic control sets: is the
switch off, or is the switch on, or is it off and on and off and on so fast it's making the motor go half speed or sort of, you know, and that's called pulse width modulation, right? That's really that, that level one. So if you look up PWM, there's tons of videos on it of people expounding about what they like to talk about, right? And then level two on that whole thing is what you refer to normally is the real-time protocol, and a lot of people call it real-time protocols, um, as opposed to TCP, for one very specific reason. Everybody's like, oh, because it's got to be fast. Well, to some degree it's got to always be on time. So these real-time protocols are about very precise timing for sure, and that's definitely one piece of a real-time protocol. What would you guess the other one was? What's the difference between TCP, what, what is really the TCP/IP model based on? What's the top of the food chain on the seven layer OSI model?

Communication?

Well, that's application, right? It's all about the app. Yes. And what does an app do? What does an app do? An app talks to humans, right? Machines, when they talk to machines and OT stuff, they only talk on the machines. They really don't talk to the humans. It doesn't talk to humans until you get up to a human machine interface or engineering workstation. So really automation and this operational technology is really just about machines talking on the machines. Do they care about an application layer then? No. So essentially it's just, you, you eschew that whole top portion of the OSI model, and that's the other reason why something's called a real-time protocol, is because it never gets, there's no application there. Normally it's just machines talking to machines. Now, we're not all Neo yet, um, although maybe we eventually be if, you know, we're allowed to have chips in our head. Um, so, uh, you know, that's not happening today, at least not to me anyway. Uh, so, you know, uh, since I can't talk directly to the machine, I
need an application to do it, and that's really where this stuff comes in. And one of the big differences of real-time protocol versus TCP is there's just no intention of an application ever, um, you know, in that particular, since you're not talking to humans, right? So, so those are the two things that really make up a real-time protocol, and that's that level two, and that's really where we expose the soft underbelly of this operational technology cyber security, because everything above it can become kind of considered IT. Above level three of Purdue and above, you're starting to talk, you're starting to bleed computers into that sort of thing, and that's where you're getting some of the IT stuff, even though these workstations are
behind layers of firewalls and, you know, we have an air gap and, you know, it's different completely from our enterprise levels way up here, uh, these are, you know, engineering dedicated computers, that sort of thing. It's still a computer, which means there's still some IT associated with it. There's no way we're going to get away from that. So, so when you start getting up to level 3 of the Purdue model, you're getting into that TCP, talking to humans layer. That's really not as, the biggest concern is the level 2 and below, which is exactly where I used to work in a company called CyberX, which was purchased by Microsoft, which is now Azure Defender for IoT. That's really where that, that cyber security piece plays in. And so, uh, when you're talking about those sorts of level two or real-time protocols, you're really talking about something called a distributed control system, or a DCS. Have you ever heard of the term before?

I have not.

Uh, so when you usually talked about OT, can, can I get a raised hand, did you call it SCADA all the time?

Yes.

And that's the thing, right? We, we, yeah, well, I did too. Um, when I went, first went to work for oil and gas companies, I'd come fresh from being an internet service provider network engineer, right? And I can't had come into oil and gas, and they all started laughing at me because I really had no idea what to say. Oh, that's all SCADA stuff, you know, we, we dealt with that, I know what that is, it's building management systems and battery backup systems and things like that, I did all that stuff, it's, it's got some little corny protocol that goes with it and it doesn't really matter. Well, you know what's the fastest way to shut down any data center? Do something to the battery stack, the generators and or the, the CRAC systems for the air conditioning, right? So easiest side channel attack in the world to take down a gigantic, the whole data center, not just part of it, right? So to that point, um, that's, you know, where
we're more worried about these sorts of things, because we see more and more side channel attacks coming in, as if, some people want to call them supply chain attacks. Um, it depends on where you're at. You know, people are attacking the thing you do as your core business, whether that be monitoring software, uh, for your IP networks, or if it's, uh, you know, your air conditioning system for your building management system if you're a hospital or something like that. So, so we, we're seeing more and more of these side channel attacks attacking not just critical infrastructure but, you know, all kinds of things that have to do with, uh, our economy and maybe our health and things along those lines. So since we're seeing it bleed down in there, we're really very concerned about these layers that classically hasn't, haven't been protected, because people are like, oh, nothing happens out of that layer. Well, if you have an engineering workstation, you've hopped around over the network and you finally figured out how to get into that, hop that air gap, because given enough time anybody can figure, pick something apart, um, whether it be remoting into this workstation or something else like that, you know, using VPN technology or something because you stole someone's credentials, um, that's what actually happened on the Triton attack to try to get to the safety systems of a plant, right? And so when we're dealing with those distributed control systems, everybody's like, oh, you can't talk to them unless you get to the engine workstation. Well, that's, that's not true. I only need three scripting languages, three script, and that, that means that it's only in memory do I need this. I don't need it written to, to a disk. I don't need malware to get from outside your entire infrastructure to your OT systems. And the first one is Java, right? Hop on your browser, put a little bitty resident, you know, dropper on there. The second one is Mimikatz, which is basically
essentially PowerShell, so that's my second scripting language, is PowerShell, PowerShell Empire, right? And the third is Python, and Python's loaded on so many workstations, especially the stuff in the lower layer, because you can load, uh, pymodbus, you can load pydnp3 or any of these libraries, allows you to talk these real-time protocol languages directly from a computer. And if you've got that kind of control, you're reaching all the way down into layer 2 and making some real impact, uh, there. So, and that impact is actually with something called ladder logic. Have you ever heard that term before, ladder logic?

I have not.

Now, have you heard of something called determinism before? A deterministic behavior?

Yes, that's the whole aspect of you're continuing the attack to make sure that you actually get through and you continuously put forth effort to try to get to the data you're trying to get to.

Yeah, it's a stepped attack, very similar to your MITRE ATT&CK framework, so you've probably heard determinism associated with MITRE ATT&CK, right? Well, it's been in distributed control systems forever, because usually, if you're a big fan of Nick at Nite, I guess that's probably our age if you're talking about I Love Lucy, um, there's a very famous I Love Lucy episode with her on a chocolate bon-bon line, and she's there with Ethel and they're wrapping the little bitty candies and they're doing just fine until somebody changes something, right? You watch it and it's not the fact that they change the speed of the belt, the number of bon bons coming out is really the thing that kind of messes them up. So they're stuffing it down their shirts and, you know, eating the bon bons and trying to get rid of many which way they can just so they can catch back up again. Well, very small changes in OT systems, which deterministic, if this happens then this thing happens, right? If I speed up the belt, I've got to speed up my wrapper as well, right? And if I don't
do that, if I put the number of bon bons on there that's way too many, you know, some of them don't get wrapped, they gum up the works, and, you know, all of a sudden you have this, this cascading effect. And that's what determinism is, essentially, is once I've done this little bitty thing, I can have this butterfly effect where it increases automatically in a wave, right? And so this deterministic behavior is which creates these sorts of problems, and this all comes from the ladder logic that's usually built into these programmable logic controllers, which take this digital I/O piece. Well, what they really do is they take this real-time protocol where you're just loading stuff in red memory registers with this little bitty super thin operating system. I just, you know, load something in this memory cell here, that means that this thing's got to blink at this certain speed, right? That's all that programmable logic controller does, regardless of what protocol it talks, right? And then that turns the digital I/O, which turns little bitty switches on and off at electrical level for that on off on off digital piece, which then, you know, has an effect on motor speeds and all kinds of stuff like so. That, that, that thing that translates all that stuff is a programmable logic controller. That thing depends upon the ladder logic of this architecture, and so if you're not directly seeing what that thing's doing and seeing the determinism has been changed on the network, you can't really see what's going on. And that's, that's really what the big key difference is here. Everybody's like, oh, you know, we've got this behavior analytics for the endpoints and stuff like that, but does it track this idea behind determinism? If the changes happen here, what happens on that cyber physical side? And the cyber physical side is weird. You and I were talking previous to the recording and we, we said, hey, um, have you ever shut your faucet off really, really quickly
before, and you said sure, right? Yeah. What happens in the, what happens, what do you hear? You hear the pipes rival, right? Well, the, you and the, you know, turn off really, really quick, all of a sudden you hear it in the, in the ceiling, right? That's because the pipe just goes, it smacks, because the compression wave of you stopping that valve very, very quickly, and it hits the rafters. Well, that's what you're hearing. Well, you know, you hit the rafter hard enough and your pipes aren't gonna last very long, so you probably shouldn't be doing that too many times, right? But if you do it on and off and off, you're gonna make the thing, you know, and essentially the same sort of cyber attack, cyber physical attack, can happen to things naturally, right? If, if I take that and shut off the valve to a, you know, 1,000 gallon oil per minute pipeline that's about as big around as my house is large, right, um, and I do the same thing to it, you know, you know, metal doesn't really do very well and that sort of thing, so things can tend to blow up, uh, you know. Uh, so, so that's, that's part of the problem. So understanding that that's the cyber physical aspect means you have to deploy at very, very low layers of this architecture to be able to see that sort of stuff, and that, that is, that is actually one of our biggest challenges in OT cyber security: are we seeing the things that actually matter in the ecosystem? So, so knowing that, you have to have a couple different questions about maybe attacks or where to deploy or something else like that. If so, if you have a question, ask away.

So my biggest question right now is understanding from the IT perspective and the information technology, information of things, you're, you're securing the, the information is being passed through. In OT you're doing operational things and you're securing the operations of that aspect, and we're not worrying about the application layer, as you said, we're worrying about the device itself, uh,
and it working reliably. How are we managing that device to ensure that, you know, somebody isn't just going on and turning off and off on off a switch, and understanding that it is actually operating properly or based on the mandate of what's required of it? You made mention of that, you know, the, the tank of oil that is pushing out at a certain PSI that's lubricating machinery. How are we ensuring that, you know, if we're not looking at it from the perspective of the application layer, how are we getting into, in essence, the BIOS of these devices to ensure that it's actually operating as required? And are there any outside factors, like you mentioned earlier, power? If I can't attack that oil pressure, uh, jug, can I just cut the power? Uh, and what do I have to know in that respect in terms of the environment that these devices actually sit in?

Yeah, it's, those are great questions. So there's a couple things I want to take it and split it up a bit, right? So one of the things that we mentioned already was the deterministic behavior of something. So if you have your little oil can on the side of your robot that has to feed the robot, you know, oil at a certain speed, or maybe it's a wind farm, right, that, that oiling can then feeds the motor so it can keep spinning and producing electricity for everybody, right? So regardless of what that is, um, can I maybe go cut the power to it? Well, that goes back to the deterministic nature of these things. If, if I'm cutting my power, then I've got to send a signal to some part of that framework, which would be the programmable logic controller for that thing, right? If I'm going to go reprogram that on a day, inside a day, or send a stop command to it, that's going to be very different from what usually happens on an operational level anyway. So I have to have this idea of a, of a baseline of what came before it and what things happen on this network. So everybody talks about baselining when it comes to AI and
ML type of cyber security, and that's one of the reasons why I started doing OT to begin with, is because I love dealing with ML and, and doing stuff in, in AI research. I absolutely love that stuff. But I already recognized that, uh, application levels cyber security, the IT side of the house, is so chaotic and non-deterministic, right, application based essentially, that baselining doesn't always work that well. As a matter of fact, it could be quite noisy when you do that. In the OT environments it is a very, very different, uh, aspect and takes a different perspective. So I know I don't ever see S7 stop commands in the middle of the day to a pump or a valve, right? So me sending a stop command to it in the middle of the day during production would definitely raise a few alarms. So understanding that baseline for that ecosystem or that, that network, uh, helps me understand how to protect it, right? The other thing too is, um, it's one thing to be anomaly detection, or anomaly detection, you know, from a baseline, right? It's quite a different thing to already be pre-trained on what current attack patterns look like, right? And everybody calls these, if you're going to use MITRE ATT&CK framework, TTPs: tactics, techniques and, what is the third one? It is a, procedures, thank you. So sorry about that, right? So understanding an attack from to TTP angle is very different from understanding it from, like, an IPS or AV signature type situation, right? I am understanding partially my portion of the attack, which looks very similar to these sets of attacks over here. So if I can actually start training that machine model with something that has come before it, I'll shore up that machine model with, hey, this looks a little bit like this attack on the tactics, techniques and procedures, not just the actual signature itself. And so I'm not playing signature whack-a-mole afterwards, I'm actually bubbling up stuff and then being able to filter out false positives a little
bit better. I stack that with something that's been pre-trained to know how a specific process control system works, may, whether it be on Modbus or DNP3 or EtherNet/IP, and I know this ecosystem because I've pre-trained it with what a normal system already looks like. It's, it comes pre-trained, so as soon as you shove the thing in, I don't need a month of baseline learning to let, to give you some insights. I know immediately, hey, that thing's, you know, authentication's messed up, that thing over there keeps rebooting and it shouldn't be, that thing keeps asking for an IP address, that's probably bad, this thing's over here is spraying a lot of traffic, that's probably not good either, because most of that traffic is usually, you know, a couple kilobits per day, not even megabits, right? Because we're not dealing with applications, again, we're not transiting large amounts of packets. Well, here's where bringing the data up out of just the sensor level, that layer two, up into a greater set of analytics would really help you, right? Because you have to be able to correlate what one sensor is seeing to what another sensor is seeing over here, and then not overwhelm with too much signal coming outbound. So this resultant set has to be very, very smart, uh, and only give maybe 50 to, you know, 100 signals per month, but that data, so if you cut that and you start seeing a lot of signal coming out of this side, you can automatically know that there is a change that was made in the operational side that could affect the entirety of everything, and start alerting to that sort of thing. So, so, so there is a lot that you can do as an overall architecture placement of those, that sensing mechanism, to features that may not be part of that particular system. So building management systems are usually handled by third-party companies, so putting a sensor on that network, even though it's the third-party network, is extremely efficacious for you, right? Putting on
your own to manage your own there is also very, very important, and if you can, dealing with your power from the outside and knowing where that's coming from and putting the sensors in that area as well. So, so what you're getting here is an information framework that would be able to feed, uh, you on side channel attacks right there and know what kind of impact it's going to make on your business. So, good question.

So it's capturing the information from the environmentals, not just from the equipment itself, understanding the scenario that's at play, and then when something fails, or when it detects that there is a something that would affect what the operations of the plant, in essence it would then, you know, make an alert or make notification that this is occurring.

Well, that's the reason why we have the IoT Hub bleed together not just what we have from the CyberX side of the house and the sensor, right, but also from greenfield sensors that you would deploy, also from other brownfield technologies that you can overlay, like Azure Sphere, so you can know these changes that are happening the operational side. So there's just this entire ecosystem from greenfield to brownfield, which is essentially already deployed stuff, that you can actually pull that sensor data in, make some sense of it using a few algorithms, and give you basically the operational impact of any given change on your, on your ecosystem. So it's a good question.

Understanding the logic in terms of the protection piece, what is Defender's role in all of this?

So Azure Defender for IoT, the, the, the role that it actually plays is sort of a, so lots of people like to call it an IDS or IPS, or, which is an intrusion prevention system or an intrusion detection system. That's, there are bits of that in, in the product itself, but it's really falls into this area called an NBAD, NBAD, which is network behavioral and analytics detection, right? And so what is the attempt of it?
Well, it's the attempt to take the playbooks, or sorry, the workbooks that you have in the core, maybe that usually associated with your SIEM, and push them down to the severe edge. Remember that computer and that car that I talked about before? That sensor data that you were getting there, it was able to make the real-time decisions out of the edge, actually inside the car, as it was getting real-time data. You can think of that, that sensor as the ECU in your car. You know, it's making real-time decisions right there. Now, does that mean that the car might call back home one day and get service and know when to get serviced and things like that, and tell your, the, the computer in your car that, hey, you can make these little adjustments until you're able to get, you know, to the, to the dealership or to the car service center? Absolutely, 100%. That's, you know, that day is coming both on the car side, and it's pretty much already here in the manufacturing side if you use Azure Defender for IoT. So there's definitely those pieces that, if you deploy Azure Defender, you can start making intelligent decisions all the way out at your edge, really help out your operations, not even your cyber security but the operations of your plants, whether you're in manufacturing or your power production, that sort of thing. You can start getting that kind of resultant set of information way, way down at the edge. So that's, that's part of the, part and parcel to it.

And what's IT's role at the helm of this? You may mention in terms of the security piece and even the operations piece, what would be the IT professionals' then responsibility, or do they, are they reporting back to the plant in regards to where the deficiencies lie or the possible security vectors are? What are the reporting mechanisms that are available? How does it relay what's being captured back to the organization so that they can be part of the decisions of how the organization will move forward to
address threats or optimization?

So we're going to cover that in a little bit of a different talk coming up here in just a minute, on a separate talk, but let's take it from the top and give you the 30,000-foot view, and then we'll cover it a little bit deeper in a different discussion. So the sensor is split-brained. It is on the operations side, where you have operational errors, and it has security for security errors, right? So the operations people aren't going to care on a day-to-day basis. I'm sorry for all you IT cyber security people, they just don't care, because, you know, their answer to quite a few things is turn it off and turn it back on again. We are probably not going to change that in our lifetimes. So, um, but the fight we can fight is giving those same people a new visibility of that part of the organization where they may not see those operational errors. You're basically giving them a monitor for the stuff that the third-party companies they work with, they won't give them that visibility. So you're giving them almost a deck of exactly what they do on a daily basis. You can make that visible inside the plant for them that they can go and take a look at when everything else fails. We had a very expensive glass manufacturer come to us and say, hey, your system has been in here for about a month and our plant's been down for a day and a half now. What did you guys do to make a change? Because none of us made a change, right? And so they've done a plant turnaround that weekend. They made some changes in the logics of some of their, you know, they upgraded the firmware and upgraded the logic of some of their PLCs, and, you know, uh, it was working fine during the weekend when they did change management acceptance testing. They got outside their change management window, uh, they come back in Monday, all of a sudden everything starts shutting down automatically. So they're at that stage of
troubleshooting which is the pointing of the fingers, right? We've all been there, that stage of troubleshooting, before. And, um, they called us up and asked us what was going on. We said, well, this thing is 100% passive. It does nothing on your network. It's all passive analytics. So all we're doing is taking a copy of your traffic and making some really cool decisions on it, telling you what's going on. So have you got to go take a look at the console? Because there's literally nothing we can do to your infrastructure, um, to do the things that you described. And they said no, they hadn't. So we go, you know, remote in, and we took a look at the screen with them, and within about two or three minutes we find out the problem. What had happened was that a laptop, the one that did the firmware updates, had gone and updated the firmware and then it said successful, update successful. Well, it hadn't also sent the new ladder logic down to the PLCs as well, right? Um, it came in Monday morning, I guess it failed or something on the network, uh, it came back in Monday morning, re-attempted the brand, the update of the ladder logic at that point in time, outside the change management window. When it did, and it was successful, it shut everything down. Well, they didn't see the change and they hadn't expected to change because, you know, they had already thought it was successful, because, you know, no, what software or application usually has problems, you know? So that's what happened. We saw it happen. We were able to cut and paste back in the changes that were made, and then within 15 minutes they were back up and operational again. Those are the sorts of things you can help those operations people and the plants fix, that particular set of problems. So if you're giving them value while you're there to also do the cyber security stuff, which they can't really care about too much until they shut the plant down for ransomware for the
entire week or something like that and everything has to go get reimaged, which happens still, right? So they do care about that part, but, you know, not until it usually happens, right? Because they have a job to do, and we have to all recognize that. That's really where that sort of thing comes into it. Um, understanding, you know, how they do work and how they get paid helps us do our own work and help them stay up.

So good question. So in regards to first steps, right, we've gone through a bunch of scenarios, we've gone through the definitions of OT and IT and, you know, environmentals being protected, not just the machinery itself, and understanding what could occur. First steps for an organization that now wants to put forth the security effort: where do they start?

That's great. Uh, so they start off with visibility. That is the one thing that, uh, you know, we were built to do first, because a lot of these technologies have been black boxed in the past, because you hire a third-party manufacturer to come in and put it in for you, because those process control engineers and automation engineers are very rare, um, usually very expensive. So they're usually a third-party company that comes in, maybe even the manufacturer itself, that brings their consultants, consultancy services in to do the work, right? So a lot of the technology's a black box, and then once they hit it off, the keys off to you, you're just supposed to run it and then call them if there's any problems, right? So that's the reason why most people don't work on their cars anymore, is because it's so complicated to work on the car. I just want the keys because I got to go drive that car to work, right? You're not going to sit there every day and delve into the car to see how it's working that day, right? So the same could be said for your manufacturing plants. The analogy just kind of holds up across all of it. So, um, so knowing that these
are black box things, and having something new that attaches to your car or your manufacturing plant that then can give you a resultant set of changes that are being made within it, helps you maybe make some decisions that prevent some outages in the future, right? Um, see what you can't see before. So we always start with visibility: the behavior of that thing, how it gets mapped out, what assets you own, um, and everything else. And then you can start making some really intelligent decisions after you know something behaves, what you have, what it costs, and what the vulnerabilities of those things are. Once you understand that sort of visibility, everybody can start making some intelligent decisions given the right kind of data, and that's really always the first step.

Thanks, James. This has been awesome. It's been so informative, so much information thrown at me here. I've been taking copious notes. I'm wondering, in regards to Defender, where do I start grabbing information in regards to that, specifically for IoT?

You know, this is really something, having come over to Microsoft, I asked for forever when I was with the previous company, um, and now it's here and I'm dumbfounded by it. Anybody with a credit card and a browser can go to the Azure portal today. When you go there you can actually get Azure Defender for IoT as an app, which is very different for the OT world, right? I'm pretty sure nobody else does this. You can download the sensor, um, even have it to where you can play pcaps offline. You don't even have to connect it to your network yet if you have to do some acceptance testing or, you know, talk to your service providers or whatever for your manufacturing plants or for electrical plants, um, or what have you, whatever you're going to be connecting it to. Um, you can play the pcaps that you get from those particular networks at it and get some very real information out of it today, with some
very decent risk analysis just from a packet capture, and that's kind of the power of the tool, that it can see so much within deep packet inspection. The longer you get it, obviously, the bigger the pcap or the longer the pcap, the better, you know, resultant set of information you get out of it, of course. But, um, that's really where you start. So today you can go to portal.azure.com, uh, you know, feed in your credit card to get a, uh, you know, get a subscription, put the sensor either in a VM, um, or you can even order a physical appliance if you'd like, and then, uh, even start dropping pcaps before you even deployed on the network. Once you've done that, you can actually plug it into a tap or SPAN port or mirror, uh, into your network where you've got the important stuff, where you've decided that you want to plug it in at to get better visibility, and then you can actually go from there on monitoring and real-time, uh, discovery of things that are going on. Once that happens, you can start tying it into the, uh, enforcement portions of your network. You probably already invested in your next generation firewalls, your NAC systems, your content filtering, your, I could keep going on, your zero trust networking architectures. It can be plugged into all of that, um, to give you that OT muscle, uh, and IoT muscle that you may be missing now.

So James, this has been awesome. Thank you very much for your time. And if you want to learn more, navigate to portal.azure.com, uh, bring up Defender, and not only will the service be there but the full documentation made available, specifically covering operations in IoT. And sir, thanks so much, appreciate it.

2021-04-08
