How to Manage Security for Operational Technology (OT), with Palo Alto Networks



May 16, 2023

In this informative episode of CXOTalk, Anand Oswal of Palo Alto Networks explains how to manage security for operational technology (OT). He discusses security related to interconnected devices, critical infrastructure, manufacturing, medical environments and more.

Oswal provides a clear overview of the challenges involved in securing OT systems, emphasizing the importance of visibility, segmentation, machine learning, and simplifying operations with legacy architectures.

This episode offers valuable insights and practical guidance for professionals seeking to gain a deeper understanding of the intricacies of OT security. From examining the broad attack surface and key challenges to discussing best practices for deployment, this conversation provides a wealth of knowledge to help you effectively secure OT systems.


Anand Oswal serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks where he leads the company’s Firewall as a Platform efforts. He holds more than 60 U.S. patents and earned a bachelor’s degree in telecommunications from the College of Engineering, Pune, India and a master’s degree in computer networking from the University of Southern California, Los Angeles.


Michael Krigsman: Security around operational technology (OT) has become a crucial part of critical infrastructure planning. We're speaking with Anand Oswal of Palo Alto Networks about how to secure your OT systems.

Anand, tell us about your role at Palo Alto Networks.

Anand Oswal: I lead the network security product portfolio, so engineering and product management for all of network security, which includes our firewalls, our cloud-delivered security services, our SD-WAN business, and SASE (secure access service edge).

About operational technology (OT) and security

Michael Krigsman: Anand, we're discussing operational technology and security. For folks who are not familiar with that, can you give us some background?

Anand Oswal: Digital technology has impacted every single industry, enabling us to have new use cases, new outcomes, new experiences for consumers as well as for businesses. One of the interesting aspects of digital technology for me has always been the rise of connected devices.

If you think of operational technology, these are part of what we call critical infrastructure. OT systems are a combination of hardware and software, but they're used to automate a bunch of stuff (whether it's in manufacturing, oil and gas, or mining). As these devices get connected, securing them and thinking about the architecture holistically becomes very important.

Operational technology presents a broad attack surface

Michael Krigsman: OT security then primarily focuses on devices. Is that correct?

Anand Oswal: It's the infrastructure that they have. If you think of a manufacturing plant, it's securing all of these operational devices.

In the pandemic – and it's been happening even before the pandemic – more and more devices started getting connected because you couldn't have somebody go to the manufacturing plant. And, in many cases, you don't have people always being able to go to a remote oil dig, et cetera.

Now, there's a lot of efficiency that you get when all of these devices are connected. But as you connect more and more devices, the attack surface increases, which means that you now think about how you secure your infrastructure very holistically.

Key challenges in OT security

Michael Krigsman: A primary issue with OT security as opposed to traditional IT (information technology) security is this very broad attack surface, as you were just describing.

Ensuring visibility

Anand Oswal: I would put them as four key challenges, Michael.

The first is visibility. Now, you can only secure what you see. So, understanding what is in your network is extremely important. And you cannot do this in a manual fashion.

The traditional way of doing it through a database or through a signature to understand exactly what the devices are is very cumbersome. There are many legacy devices.

You want to understand what the device is. You want to understand the make. You want to understand the model. You want to understand the version of software it runs. You want to understand the vulnerabilities that it may have.

You've got to think about visibility very holistically. It needs to be powered through machine learning. It needs to get better every time you do it, and it cannot be done statically.

Now, if you tell me, "We got that done," I'll say that's good. Visibility is the first step because, like I said, if you don't know, you can't secure.

Having visibility is not good enough. Now what do you do with that?

Segmentation and zero trust

If you look at traditional OT security vendors, they only focus on visibility. That's only a part of the problem.

Once you understand all the devices that you have in a network, how they're connected, the next step is what I call segmentation. In very simple terms, segmentation means who should talk to whom, and you do that on the principles of least privilege, the principles of zero-trust.

By default, you talk to nobody. Then you allow what connections you want to allow based on what you need.

If you have, in your manufacturing plant, a lathe machine that is connected, does it need to talk to the camera in your manufacturing plant? Maybe not. So, you need to decide what policies you set.

Now again, these rules and policies cannot be done manually. The majority of issues that we see in cybersecurity are because of manual ways of doing things.

We want to be able to understand the intent. We want to be able to understand who should be talking to whom, templatize that, automate that based on comfort levels of the plant owner so that you can get into an automated fashion there. You can get these policies set up. That's the second step.

Machine learning

The third step is this: as these devices get more and more connected to the outside world for a variety of different reasons – because they want new patches of software, they want vulnerabilities, they have maintenance issues – you don't want to always send somebody in person. The attackers are getting more and more sophisticated.

The traditional way of using signatures and databases to help protect you against these threats is not going to work, and that's why you have new technologies which are machine learning powered in a way in which you're able to detect threats that you have never seen before, not just threats that have happened in the past. And you want to do that inline and in real time to help protect against the most evasive threats that we have seen.

Simplify operations, especially with legacy architectures

The fourth challenge that we have in OT environments comes from the fact that many OT environments are built using legacy architectures. As you can imagine, they were built many, many years ago.

How do you ensure that you can simplify the operations? Many of these OT environments have heavy requirements for compliance. How do you ensure that you simplify and make these environments more audit ready in terms of what devices are there, who is talking to whom, how you're protecting them that makes the life of the plant owner much easier, so they can focus on what their business needs versus other things?

Consequences of OT security breaches

Michael Krigsman: Anand, as you mentioned, this is critical infrastructure. These are manufacturing plants. So, the consequences of an attack are particularly severe.

Anand Oswal: One hundred percent agree, Michael. This is all what we call critical infrastructure.

We saw in the past the Colonial Pipeline incident that happened. Look. We were not able to have 2.5 million barrels of oil shipped. It resulted in increases in prices. It was a ransomware attack that happened.

When attacks happen on critical infrastructure, the effects are catastrophic – if I may call it. So, securing critical infrastructure cannot be an afterthought.

You need to ensure that you're thinking security first and ensuring that you're building a zero-trust architecture across your OT environment to help protect [against] these highly evasive threats. So, you get the benefits of all the things that you get with connected devices, but you are staying ahead of the attackers.

Product strategy for OT security

Michael Krigsman: You've described this very complex landscape where the consequences of an attack can be particularly severe. How has this informed your product strategy at Palo Alto Networks?

Anand Oswal: Our mission at Palo Alto Networks is to make sure that every day is more secure than the day before. If you think about critical infrastructure, if you think of OT networks, it's very important to think about it from security first principles.

When we talk to an OT customer on how they can go about it, we say, "Look. I understand the challenges that you have. You have no visibility into your devices. You don't have the right policies of segmentation. You want to protect yourself from threats. You have legacy architectures that need a lot of compliance."

The way to approach it is to have zero-trust architecture across your entire OT infrastructure. That's one. The second: manage the lifecycle of all your devices on the critical infrastructure – step two. And the last step is really around simplifying your operations.

Let me talk to you on all the three points I mentioned.

You think about the first point, which is helping OT customers adopt a zero-trust architecture. Zero-trust, in my view, is (in very simple ways) no notion of implied trust.

How do you ensure that the right user, the right device is accessing the right data, the right application, the right infrastructure components? You do those things on a continuous basis. You have no notion of implied trust.

Just because I am on a factory floor and I am able to plug in and get onto the OT network, I don't have any different rights than somebody else because, in OT environments, you have people coming onto the floor. You have people remotely accessing a bunch of equipment. You have machines talking to machines. You've got to think about all of this very holistically from a zero-trust perspective. That's the first thing.

The second, you have a lot of devices which may be running end-of-life software. You have a lot of devices that may need vulnerability patching and management.

Now if you think about the person on the plant floor, or even if you think about other environments, they may not be the experts in understanding all the intricacies of this. So, how do you make it easy? How do you make it simple for them to be able to get their job done and take the load off of them?

The third is really on simplifying their operations. Look, as OT vendors have built their networks, they have not thought through security first.

How do you simplify the operations? Adding additional point products, adding additional point solutions to the infrastructure is only going to increase the operational complexity.

When I talked to a plant operating officer recently, he said, "My job is to basically ensure that I can make more money, I can save money, and I want to stay out of trouble," so three simple things, and that's exactly what the business owner will think about.

They can make more money when their equipment is working. There are no issues. There are no stops.

They want to save money, so reduce their operational complexity. Reduce their operational costs. Simplify their architecture.

And stay out of trouble, which means keeping them secure all the time.

Best practices for deploying OT security

Michael Krigsman: Given all of this, how can organizations ensure that their OT systems are actually secure?

Anand Oswal: It's a multi-step process. First, they need to understand; get full visibility into their network. Like I said, I can only secure something if I have visibility into what it is.

We make it very easy. No need for additional sensors or additional equipment for you to install in your environment for you to get visibility.

You enable the OT security service, and, within 24 to 48 hours, we will learn the majority of your OT devices on your network. We'll tell you which of them have what vulnerabilities we need to patch, et cetera.

Once you do that, we'll help you automatically create policy rules and constructs that help you define who should talk to whom and set the right policies on the principles of least privilege, getting you on the path of building a zero-trust network.

Michael Krigsman: What are some of the best practices for deploying OT security?

Anand Oswal: We think about having a thought-through zero-trust architecture, and that comes down to having the right enforcement points in the right places, deciding who should talk to whom, identifying the user, identifying the device, making sure that as these devices and users are accessing applications and infrastructure outside, they're fully secure, and not doing this as one and done.

It's very important that we do this on a continuous basis because the threats are not happening only when you set up the connection. They can happen at any time on a continuous basis, and you need to watch for that.

You also need to watch for lateral movement of threats in case you get attacked. So, you want to basically minimize the attack surface always, and that comes with the right level of policies that you enable on your infrastructure to the constructs of zero-trust.

Michael Krigsman: Anand, you've described some industrial applications of OT security. What about medical and enterprise?

Anand Oswal: If you think about connected devices in the medical industry, Michael, they've transformed the healthcare we receive. In the pandemic, I was able to even go to a hospital with almost no interaction with anybody except the doctor.

Sixty percent of medical devices today in hospitals are connected. We have research from our Unit 42 which talks about a large number of infusion pumps or the healthcare devices running end-of-life operating systems.

If you remember in 2017 when WannaCry happened, it was running on an end-of-life operating system. So, medical is very similar in terms of the problems we solve because we want to ensure that you have all the right constructs of your IoMT. In this case it's called medical device security, available for the healthcare providers, from visibility into what's on the network, to right segmentation, to ensuring that you have the right access to infrastructure and applications securely, and doing that on a continuous basis.

Michael Krigsman: You're embedding the security knowledge into the software thereby lightening the expertise load to some extent of the folks who are working in the organization.

Anand Oswal: We're using the power of technology for them to basically identify all devices on the network, understand the asset utilization of the variety of devices and how many you have. Then automate the creation of segmentation rules and policies that they can deploy to hopefully simplify their operations and keep them more secure.

Michael Krigsman: What are some of the key technologies that go into play to ensure that an organization has the right kind of OT security?

Anand Oswal: Most OT devices will have firewalls when they talk to the outside world. The firewall can act as a sensor. It can have ruggedized firewalls deeper into your ICS network, and these all are test sensors.

The idea that we have in terms of visibility for these is really powered by machine learning, both supervised and unsupervised learning to identify all of your OT devices on your network to understand not just the device, the device type, the device make, the device model, et cetera. Then once you have that, we're really trying to automate everything else: your segmentation rules, your policies, et cetera.

If you think about how you protect these devices from threat and ransom and malware, 95% of all malware in the world today is morphed malware. It's variations of existing malware.

We stop those inline, in real-time, on the enforcement point that the customer has. It could be a hardware firewall. It could be a software firewall. It could be a cloud-delivered network security SASE. For malware that needs additional static analysis, we're able to do that inline real-time.

Really, our goal, Michael, is to protect against all threats. We want to be able to use the power of machine learning and AI to stop all threats inline, in real time, including threats that you have never seen before.

Michael Krigsman: Can you describe any enterprise examples?

Anand Oswal: There are many examples in the enterprise as well. There's research that shows that over a billion devices will be connected by 2030.

Now many of these will be in enterprises. Of course, many will be in the home, in medical, in OT environments as well.

Now the same rules apply. If you think about, in the enterprises, most enterprises don't know what's on the network.

They turn on our IoT security for the enterprise. They're, in many cases, surprised at the number of devices that they have.

They're like, "Oh, my God. I didn't know I had all these devices, and now I know what I have."

Then they can use that information to set the right policies based on least privilege and zero-trust to make sure that they don't have any lateral movement of threats and they're really having it secure.

Michael Krigsman: Again, this concept of the visibility, the analysis, and overall, the full lifecycle.

Anand Oswal: We want to make sure that we don't give our customers just part of the solution. Like I said, visibility is really important because if you can't see something, you can't secure it. But giving me only visibility is not good enough.

I want to take that visibility and then help you automatically create rules for your policy. I want to enforce those policy constructs. I want to secure your connection that goes out to protect you from ransomware, from threats, from malware. And I want to simplify your operations.

In many cases, at least in medical and infrastructure, you want to help them understand more about their asset utilization, et cetera. In medical, it's very important that there's a shelf life of devices, but that there's also a cyber life of devices because if devices run end-of-life operating systems, it's unsafe to use them.

Getting started with OT security

Michael Krigsman: What's the best way for folks to begin?

Anand Oswal: First, don't go with another point product or solution that adds more operational complexity to your existing environment. Use the infrastructure you already have.

In cases that we have with our customers at Palo Alto, it's very easy for them to turn on any of these devices. The first is to get visibility.

In 24 to 48 hours, you can get visibility into all of your connected devices. But then use that to embark on how you get zero-trust access policies, segmentation rules, threat risk inspection, visibility into all of that to simplify your entire operations.

Michael Krigsman: Anand, are there resources or can you share advice or final thoughts for folks who are listening?

Anand Oswal: Yes. There are a lot of resources that we have on how you can secure enterprises, how you can secure your medical environments, and how you can secure critical infrastructure, which includes things like manufacturing plants, oil and gas, mining, both for networks which are connected but also networks which are semi-air-gapped, because it's a journey for many of these customers as they start connecting their devices.

It'll start with the same construct of zero-trust. The consistent architecture that we have, visibility, segmentation, rules and policies, application of those policies, continuous inspection for any threats that you have, and simplifying your operations. Those are the constructs that we have in terms of how we secure IoT devices in the enterprise, medical devices in hospitals, and OT devices in critical infrastructure environments.

Michael Krigsman: Anand Oswal, thank you so much for taking time to speak with us today.

Anand Oswal: Thank you, Michael.


Author: Michael Krigsman

Episode ID: 788