Transcript
This is the first webinar that ABB and Nozomi are hosting jointly, so we're very excited to be able to bring our story to you all. Specifically, we're going to talk about how Nozomi and ABB are partnering in order to secure process automation environments. So, this will be made available for everybody to rewatch later if you have to leave early or if you'd like to watch it again or share it with your colleagues. We will be sending out a link afterward. Of course, you can also go to our website, which is www.abb.org. Okay, so as a quick introduction, my name is Philip Page. I am the Director of OEM and Technology Alliance Partners here at Nozomi Networks. And with me is Ragnar Schuholtz. Ragnar? Yes, good afternoon, good morning, whatever time of day you have. My name is Ragnar Schuholtz. I'm the Global Cyber Security Portfolio Manager in ABB. I'd be happy to explain how we're generating additional value with the combined solution of ABB and Nozomi. All right, thanks, Ragnar. So, I wanted to quickly start by discussing the current state of OT cybersecurity. Nozomi Networks has a team dedicated to looking at how security trends are evolving within the marketplace. Not just from more of a kind of an industry perspective, but also actually they're focused on, you know, what are the emerging threats, right? What are current threat actors doing? What types of malware are targeting specific systems? And twice a year, we publish a security report, which you can download off of our website. And it covers a broad range of topics from industry-specific attacks to more general trends that we're seeing across the cybersecurity space. But let's start out with a couple things that we're seeing very recently. 
So, the good news is that, you know, many people in the sector are investing in solutions like Nozomi and those that ABB bring to market. And of course, there's many other tools as well. This has been a benefit not just for the end users of these products, but it also means that companies like Nozomi, companies like ABB are getting a lot more real-world feedback about what's working and what's not. One of the big trends globally in all of IT has, of course, been machine learning and artificial intelligence. Now, Nozomi has used these tools for a number of years in order to power our threat detection capabilities. But we're seeing that other types of technologies and focus areas are now adopting these as well in order to make it easier for end users to understand what's happening and make sense of all the different event data they're getting in their systems. And then lastly, there's a big emphasis and increasing demand from the public to regulate industries that are considered critical in many different nation states. And so, you know, there's already been some legislation passed in various countries and regions globally, but we're seeing more generally there's been new cybersecurity regulations that are going to come into force very shortly. NIS2, of course, here in Europe is the big one. But also many other regions are increasingly looking at how to mandate cybersecurity for critical infrastructure operations. And many of you work in those types of environments. So the good news is that we'll talk about how we can help address some of those concerns with today's presentation. On the bad side, we're still seeing an increase, not a slowdown, in the number of vulnerabilities as well as exploits targeting those vulnerabilities within OT. 
A lot of threat actors are trying to take advantage of both persistent as well as emerging vulnerabilities to anything from, you know, carry out nation state sponsored attacks to try to just make a buck, right, trying to shake down customers for ransom money. Healthcare, energy and manufacturing are the most targeted sectors that we see. And we'll talk a little bit more about how Nozomi and ABB work in specific sectors to help protect customers that are operating those types of systems. But we're seeing this is only growing, right? It's been a trend for several years now, and it's only continuing upward from there. While opportunistic attacks are still very much, you know, occurring here and there, we're seeing that there's been a lot more traditional IT types of attacks that have been targeting OT specifically, everything from DDoS attacks to things like abusing credentials, so stealing credentials through phishing, as well as Trojan horses. So, again, things we would more commonly see historically in IT that are now being used in OT. We're not talking about scary Stuxnet style stuff. We're talking about more bread and butter exploits and types of attacks. Now, how are Nozomi and ABB partnering to help protect you from these types of threats? So Nozomi's core mission is to provide security and visibility for any type of device, whether it's an IT device, an OT device or an IoT device. Of course, we're the market leader in protecting critical infrastructure systems, as well as other types of industrial control systems. But, again, I want you to realize that, you know, we're not just going to stop at analyzing controllers. Any type of device you have in your environment, whether it's a security camera, a badge reader, a hand scanner, anything that you've got, Nozomi's focused on providing detection and vulnerability assessments, as well as interfacing with third party systems like we'll see here through ABB to provide security and visibility for those environments. 
If you're not familiar with Nozomi, we've been around for a little over a decade now. We just celebrated our 10th anniversary back in October of last year. The company was originally founded by two friends that met in graduate school, working on PhDs in artificial intelligence and machine learning, as well as cybersecurity for OT systems. And they were working in the power utilities and oil and gas sectors after they left graduate school and discovered that they were having this major challenge with seeing OT devices inside of their industrial control systems that they were working with. And so they founded Nozomi with the mission of analyzing network traffic inside of OT systems, and then providing things like threat detection, asset detection, and vulnerability detection for customers operating in those environments. We're originally a Swiss company founded in the Ticino Canton of Switzerland. And so we traditionally had a very European focused presence. However, we've expanded globally. Our corporate headquarters is now located in the United States. We have field and services offices worldwide. Most importantly, we also have a follow the sun support model. So depending upon where you are, right, and if you have different language requirements or even different time zone requirements, we can still provide support for you. We have customers that range in size from very small to very large. We have small electrical cooperatives, right, and we have very large multinational companies that are operating in multiple different industries. And lastly, we have a large, large community of folks that know how to use our product. Many of them, of course, work at ABB. And so when you're thinking about how to deploy complex OT security solutions like Nozomi, rest assured that our partnership with ABB means that there's always a team of trained professionals that are capable of deploying and showing you how to use our product. 
One of the big problems, though, that we see is how can you respond to different types of cybersecurity attacks? And so Nozomi is increasingly working with companies like ABB to help manage this incident response lifecycle. The first piece there is, of course, visibility. And that's really what we're going to talk about today, along with detection. Right. And then lastly, response. So for today's webinar, what we're going to show you is how Nozomi integrates with ABB's products to make it easier for you, whether you're a plant operator or a cybersecurity team supporting plant operations, to see what Nozomi is seeing and detecting inside of ABB's DCS environments. This, of course, helps with this entire lifecycle of response for when an attack occurs. We've always found that the biggest challenge for OT environments is that information becomes siloed. And so today's discussion is going to be, how can we break down some of those silos and make sure that everybody is seeing what they need to see when it happens? Now, to provide you a little more context about where ABB's information is coming from, I want you to imagine that we are a product that deploys into the DCS. Right. So in this slide, we're going to show you exactly how far down in the network Nozomi can deploy. We'll actually deploy, like I said, into the DCS, as well as higher level systems, maybe SCADA systems, for example, or even into the DMZ. And we're going to monitor all of the traffic that's being exchanged between devices. It could be, for example, an engineering workstation sending something down to a controller. It could be the synchronous communications between controllers. Nozomi is going to monitor all that traffic, analyze it, and then use that to detect threats, to classify assets, provide asset details and information, and detect vulnerabilities that may be associated with specific devices inside of the environment. 
This information is then sent up to a centralized platform where it can be federated to third party systems. For example, ABB's own cybersecurity workplace will allow you to view information from Nozomi systems contextualized against everything else that's happening in the DCS. And so the great news here is that in addition to integrating with different platforms like ABB provides, we can also work with your other cybersecurity tools that you may have in your environment. We can also work fully on premise or in the cloud or both. So if you have predominantly on premise deployment, but you also would like to leverage some of the cloud management capabilities, we can facilitate that as well. And lastly, we work with customers and partners across pretty much any type of environment that has embedded systems. For the purposes of today's conversation, we're going to be focusing predominantly on process automation environments. So for things like energy, mining and metals, pulp and paper. But just know that while ABB has a great install base there, Nozomi itself, of course, can work with other types of devices you may find, not just within the ABB environments, but also in other verticals that you may be supporting in addition to your primary process automation environments. Okay, so now I'm going to hand it over to Ragnar and he's going to tell you about ABB's cybersecurity strategy. And then he's going to show you a brief demo for how Nozomi and ABB are working together to help secure your environment. Ragnar, over to you. Yes, Phil, thank you for setting the stage. So what I'm going to show or what I will discuss is how we have integrated at ABB the Nozomi capabilities into our suite of security solutions. Namely, how we have integrated the cyber asset inventory functionality with the cybersecurity workplace. So in the next slide, when we talk about cybersecurity in ABB, we typically start talking about a risk reduction roadmap. 
Phil, if you could advance the slide, please. Yes, so we typically start with our risk reduction roadmap. Eventually, everything we want to do is about managing the cyber risk. That's the primary motivation why we're looking at cyber, not as a value creation in itself, but really to manage the risk to an acceptable level. So initially, we start with a plan, with assessing the situation and planning. But then very quickly, we typically get to the foundational controls like malware protection, security updates, backups, system hardening. Those are things that essentially we find in every customer security program. And more and more, we also see cyber asset inventory, with the philosophy of you can't manage what you don't know that you have. And therefore, this is an optional functionality that we integrate into the cybersecurity workplace. So on the next slide, we'll talk about what exactly is cybersecurity workplace. Cybersecurity workplace is our console for simplified security management. So you can monitor all your foundational security controls from a single dashboard. You can see the status of various security controls. For example, endpoint hardening, Windows GPOs, for example, endpoint protection, anti-malware solutions. You can see the backup status. You can see your Windows patch status. Those are the foundational security controls that you can observe. And you can get a notification of increased risks. And then take actions to protect your assets to bring them back in line. And all of that in one single console. And it simplifies security. It simplifies the user interface and the user interactions to a point that you don't need a cybersecurity expert on your site in your DCS environment every time, every day. 
But your regular, for example, DCS administrator can take the responsibility here and take the basic actions, the routine actions like deploying patches, making sure that computers are rebooted, and those kind of things with a very simplified user interface that doesn't require a lot of training. And that helps normal people, so to speak, to take these actions in a timely fashion. And therefore, it reduces risk and minimizes the effort. So if we take a little look at what the security workplace looks like. Again, it's the single console, the single management dashboard that shows you an overview. You can customize that dashboard. You can move widgets around. You can decide which level of details and whether you want to hide certain widgets. You can set up notifications that alert you on increased risks. You can see a status indicator of the data collectors that are providing the status information. So if there's a disconnect, you can take action on that as well. But most importantly, you see KPIs like the number of nodes that have a heightened risk because of, for example, policy settings not being the way they are supposed to be, or KPIs around software patching, security updates. So in this example, we see that there are 12 nodes that have an issue with security updates. But also, we've added additional functionality beyond the very basics. And as I mentioned before, one of the examples that we see here on the next slide is the cyber asset inventory, where we're actually combining passive and active data collection options. One of the strengths of the Nozomi solution is that it is very non-invasive. It just collects network traffic and generates information about your assets based on what they communicate on the network. However, there are also some limitations to that. You can only see the things that are actually being communicated over the network. 
On the other end, there are also strengths because some things that you only see on the network may be hidden from the active querying on the node, for example, if you're using Windows WMI capabilities. So in our cyber asset inventory, we have integrated best of both worlds. So we have used the information or we're using the information that is coming from the Nozomi solution as a passively collected network inventory. And we're complementing that with synthesizing that information with the active collection options that we have in our control system instrumentation. So in a nutshell, what you need to know, cyber asset inventory and cybersecurity workplace helps you to get visibility of your OT cyber risk in the business context of the DCS. It therefore helps you to improve your security posture with reducing the complexity and reducing the effort that it takes to maintain the foundational security controls. And all of that is moving towards a data driven automated way to manage security. So the cybersecurity workplace consists of essentially four basic functionalities. It's first of all, the collection of information, again, passively and actively collected information. It simplifies the information digestion of the cognitive load of the user by automatically merging asset information to address unique ICS infrastructure capabilities and characteristics. So what is an example of that? For example, in an 800XA network in the ABB DCS, you may have redundant networks with RNRP as a redundancy network protocol. While on the raw network data coming from the switches collected, for example, through the Nozomi Guardian sensors, you would see two IP address and MAC address pairs for each of those redundantly networked hosts. However, with the active data collection that we have with the 800XA tools, we have the context that two network interfaces are belonging to the same host just to facilitate the redundant network communication. 
So we can automatically merge all of that information, both the actively collected information as well as the two passively collected sets of information about both network interfaces. And we can combine this information to give you a more contextualized view of your asset inventory. That is then the basis for an asset manager or for a cybersecurity responsible to review to see KPI information related to those assets. For example, if there are services that are not supposed to be there that can be viewed on that asset detail. And you can set alerts to notify you about changes in your assets or about issues in your assets or about added assets that are added to the system and start communicating. So with that, I'd like to move over and instead of showing just a random still slide, let me take over my screen share and we will be looking at real software in action. So right now, what we're seeing is the starting dashboard of cybersecurity workplace, as it shows when you first log on. As shown already and as discussed before, you see the summary of the situation of the current system status with various widgets that are summarizing KPIs about the security and the status of your system. Over here, we can look at the asset inventory. And for example, we can immediately filter on all of the assets that have a security issue. In the details of the asset inventory, we see a couple of different things. First of all, we see a device name for each of the assets. Typically, that is pre-populated by default with the host name. Where there's no host name available, then this will be the IP address, but that's the identifier that is typically humanly recognizable. Then we see data collector. This actually shows the power where multiple data collectors have contributed to this record of this asset. So in this case, particularly, we see the MyControlSystem data collector. That's an active collection agent running in ABB control systems. 
We see the passive network monitoring from the Nozomi solution, and we see the system utilities from the 800XA system. What that has led to is that we see a list of roles that this asset has in the system. So we see an AC800M, so it's running a software version of the AC800M controller. We see that it's the primary aspect server. It has the central licensing services. It is identified as a DCS component by the Nozomi solution. It has the information management server. It's a master for a certain protocol. It is a member of a Windows domain. All of these roles have been collectively identified by the different parts of the data collection tools. So for example, again, the Nozomi solution for the passive network monitoring, or ABB's DCS data collector from the MyControlSystem suite. Also, we see that it has already been merged, that these two IP addresses are belonging to the same asset. You'll see there's a pattern. 172.16 and 172.17 are the subnetworks, and the other two octets are the same across both. Some of you will be familiar with the 800XA network administration manual. This is what you typically would see there, and that's actually a pattern that many of our customers are using. We also see when this data has been last updated. So this is in European time zones, so you can see it's relatively fresh data from today's afternoon. We can see a summary of findings in the performance category. We see that the software category is actually a green checkmark, so there are no findings in here. And we see 15 findings summarized from the security domain. So we can look at the details of this asset. And again, we see now the next level of detail of the synthesized data coming from the Windows host, as well as the network traffic. So we see, for example, at the Purdue level where we have identified this asset, we see that this asset is running a Windows server. We see that tags have been associated, and we can actually edit this information. 
So we can go in and add another tag. So this is a human readable tag that we can then later on use to, for example, group or classify and search for assets. We also see different information from the host. For example, the Windows firewall rules that are configured in the Windows firewall. We see open ports that are currently listening. So there is a software process that is listening to a certain port. Those are listed here. We can look at the startup items that are started automatically when the system comes up, when the node is booted. And we also see the network data. And as I explained already, this is automatically synthesized, automatically merged data from the Nozomi Guardian solution, from the passive network monitoring, where we see that view of the host, where we see, for example, the protocols, client and server protocols that are listed. And we see the network links, the currently active network connections. You may believe or you may think that this is redundant to the open ports, but it's not necessarily. There may be open ports listening with currently no connections, but there may also be open ports that are missing because there's malware active on the host that has been evading the detection by the Netstat and the Windows tools. But as soon as that malware is actually communicating on the network, Nozomi will see these packets and it will end up in the asset inventory. So again, you have here the full visibility of all of the network traffic that is being communicated by this asset. You see who it is communicating with, which protocol is used, how much data has been already exchanged over which ports. And again, also here, what was last updated. So here you have the complete view of this asset. And in the asset list, of course, you have the complete view of all of your assets in the solution. All of the assets that are known to the DCS and all of the assets that are detected as communicating on the network. 
With all of that information synthesized, merged into a consistent view of all of these assets with a single pane of glass, with a single dashboard that shows you the ultimate source of truth of your network inventory. With that said, this enables a security responsible person for the DCS to really know what's going on in their system with all of the detailed assets, information about each of their assets and their communication, their dynamic communication relationships, in order, for example, to identify issues quickly and rectify them and also to serve as a starting point, for example, for the investigation of incidents that you may have seen. With that, I would conclude my demo here and I would hand it back to questions and answers. All right. Thanks, Ragnar. So we have two questions. So the first one, how do you detect when or how do you determine when to deploy a sensor or a collector? So I'm going to assume that you mean Nozomi's remote collectors. And so the sensors themselves can also, of course, collect data. The difference is that a Guardian sensor has all of the processing power locally. So you deploy a Guardian sensor, all of the traffic is analyzed there on that device. The remote collector is kind of like a sort of a dumb device that's used to gather information from smaller networks and then send it back to a Guardian for analysis. So it kind of extends the Guardian's view. And so when to deploy a collector? Generally, it's going to be a smaller environment where, again, maybe there's not too many devices, there's not a lot of traffic, and it might be difficult to monitor that normally, you know, through a SPAN port or maybe RSPAN or something. And so this is a way to, on a very cost effective basis, extend the Guardian's visibility without having to purchase a full Guardian system. And then the second question was, how is the cybersecurity workplace different from the Nozomi Guardian web console? 
I think that Ragnar did a great job of showing that in the demo. So I would consider that one answered. But Ragnar, if there's anything else you'd like to add to that end, please feel free. I would actually emphasize that these are complementary. With the cybersecurity workplace, we've integrated primarily the asset inventory aspect. And it's a very simplified user interface. It really focuses on the non-cybersecurity experts. So if you have operator staff or a system administrator, that will be the type of audience that will also be able to use this user interface. If you look at the Nozomi Guardian, that is more for the sophisticated users. That has much more security information that can do anomaly detection, that can do a detection whether there are communication relationships that are unusual. That level of investigation that you can do with the Nozomi Guardian web interface. And that requires the necessary skills. You probably should have trained people that are familiar with the Nozomi platform. But you may not need that kind of skill 24-7 or every day. But that may be the skill that can be called up if the user of the cybersecurity workplace sees that there is something going on that is beyond their capability to resolve. And then they can call in the cybersecurity expert, for example, from a remote team that's supporting multiple sites. All right. Thanks. Great answer. All right. So another one. Will Nozomi Guardian be able to inspect the packets if they are encrypted? So the answer is it depends. We can make use of private keys in order to provide the decryption on box. So if you have the private key from the server, then we can import that and use that to provide decryption. For high throughput environments, it may make sense, for example, to use an intermediary decryption device, something like an F5 or another device that's meant for bulk decryption. 
Lastly, we are working with companies like ABB, right, that are building encryption into their control systems to provide key management, built-in key management capabilities that will cycle the keys through the device automatically, provide that inspection. So that's kind of the longer term approach there. A lot of great questions today, by the way. Usually we don't get this number of questions. So thanks, folks. Another good one here. So will RNRP from ABB work alongside Nozomi at the same level two? So Ragnar, I think that one's for you. Yes, of course. As I mentioned, the RNRP, for those who may not be as familiar with that, the RNRP is a protocol for network redundancy. And if you have firewalls at the controller network level, those firewalls will also need to be supportive of that protocol. But that is the advantage of a solution like Nozomi's Guardian that passively collects the network traffic. It doesn't matter what level of firewalling you have, what level of network devices you have, as long as there is the possibility to get a copy of the network traffic. So, yes, I would say the ABB RNRP firewalls are perfectly suited to work alongside with a Nozomi solution. And Nozomi Guardian will be able to see the network traffic both on the south side as well as on the north side of the firewall. And as long as the firewall rules allow the Nozomi data collectors, the sensors, to communicate with the console, that obviously is a requirement that has to be done. But that can be very much in line with a Purdue model and 62443 compliant zoning, because it's only outbound connectivity. I think that is a clear yes, that they can go hand in hand. Okay, great. We have two more questions. I know we're out of time, but I think they're good questions, so I'd like to answer them. So the first one is how much integration is currently planned for the future between Nozomi and the cybersecurity workplace? Well, obviously, the answer to that is a very typical one. 
We can't make any statements about the future. There are plans. We are working on more advanced capabilities and more added value from having Nozomi and ABB solutions in tandem. But we cannot yet publicly disclose any of that. That will be a subject of a further webinar in the future, as well as further announcements about releases of features and capabilities and new solutions. So more great things to come. And then lastly, can we use cybersecurity workplace as the Nozomi CMC? And the answer to that is no. So the cybersecurity workplace aggregates some of the information that Nozomi provides, but the CMC provides a lot more on top of that. It's going to aggregate sensor information from all of your Nozomi deployment. And that includes, of course, maybe non-sensors that are not running within the ABB control system. So those would not be part of cybersecurity workplace. Additionally, the CMC can provide firmware updates and threat intelligence signature updates to managed devices. So cybersecurity workplace does not do that either. So you still need a CMC if you're managing a bunch of Guardians. But of course, having that information from those Guardians centralized in the cybersecurity workplace provides quite a bit in the way of benefits. And I think we cannot overly emphasize that these are complementary solutions. They're addressing different target audiences. The cybersecurity workplace is really for a simplified user interface for the day-to-day routine tasks. And the Nozomi Guardian web console is really for a security expert to do in-depth analysis and forensic analysis. To me, that's really mostly separate use cases and target users, but based on the same fundamental information. Okay. So I think that's all the time that we have for questions right now. If you have any further questions that we didn't answer or if you think of something later, please feel free to reach out to us. 
I think there should be a way to get in touch with us in the link that we'll send afterwards. Otherwise, thank you very much for joining everybody. And again, we will be back in the future, maybe the next couple of months, with a brand new topic. So might have some further updates there in the way of integrations, but also we'll explore some other ways that ABB and Nozomi are collaborating. So thank you very much and have a good day. Yep. Thank you.