Mr. Ben Burke, Chief Operating Officer for Dispel, explains what Dispel secure remote access is today and goes over the problems of outdated remote access. He reviews three case studies of malware attacks and what could have been done to avoid them, and ends by reiterating the ROI of investing in secure remote access with Dispel.

Video Transcript

[0:00] Mr. Oliver Gruner, Corporate Account Director for Mitsubishi Electric

And now I wanted to present Ben Burke with Dispel. And he's going to take us through secure remote access and new technologies that only the Department of Defense used to have access to. So, Ben, thank you very much. Appreciate it.

[0:23] Ben Burke, Chief Operating Officer for Dispel

Thank you all. I’ll quickly get my computer to set up for our demonstration later, so that way, we can jump right into it.

[0:35] Ben Burke, Chief Operating Officer for Dispel

Awesome, great. Well, hello, everyone. My name is Ben Burke, and in partnership with ICONICS and Mitsubishi Electric, I'm here today to talk about remote connectivity. More specifically, the efficiency demands that more connectivity should be enabled, the security risks of enabling remote connectivity, and what you can do using a next-generation moving target defense posture to mitigate those risks in your networks. A bit of background about Dispel. The company was founded in 2014 and came out of the broader military-industrial complex. We have offices in Austin, Texas, and New York City. And what we do is provide fast, secure remote connectivity to industrial control networks. The industries we serve: we serve your peers. And really our core capability and our patented technology is launching these moving target defense networks. If I ever mention MTD throughout this presentation, I'm referring to moving target defense. So, I'm talking about the shifting, polymorphic networks that will help you protect yourself against the latest threats. Moving target defense is not a new concept. It was actually called for by the Executive Office of the President as early as 2011, so about three years before we ever showed up, and the goal was to increase complexity and cost for attackers, to limit the exposure of known vulnerabilities and opportunities to exploit those vulnerabilities, and thereby increase overall system resiliency. And this is against nation-state-level advanced persistent threats. Moving target defense has been used to great effect over the past decade in the Department of Defense. And of course, at first it was only available to the DoD, but today it is commercially available. We were the first commercial provider of moving target defense, and the goal, the core principles of MTD, are disposability and dynamism. It's the idea that you have nodes that you can throw away. How much more resilient is your system if you can rebuild it on the fly? And how much more difficult is it to find and attack your system if it's moving over time? So, who uses Dispel? We work in OT; we were purpose-built for operational environments, because that's water, wastewater utilities, power, oil and gas, government sectors, you name it. So, all of your peers, anybody with operational endpoints that needs to provide secure remote access to those endpoints, can and should be using Dispel. We're not just adhering to the strictest cybersecurity frameworks; we're actually helping to define them. So, we work with NIST, or the National Cybersecurity Center of Excellence, to define pragmatic implementation guides for how you can better secure your operational environments.

[3:19]

So, what do we do? What are the concrete use cases for secure remote access, remote connectivity writ large? The first is 24/7 operator access: whether you are in water quality control and you're checking a system at 2 am, or you're being called in an emergency situation to debug and fix a down production line, you have 24/7 access to get the best people to the job faster. If you have multiple facilities, you're now able to centralize the management of those facilities. The second use case: vendor access. We all have vendors, we all bring in vendors, and a constant refrain I hear from our customers is wanting to standardize the vendor access process. So how can you do that? How can you bring your vendor experts in, in a way that's fast and secure, in a method that you completely control? And we'll get more on that with some of our case studies today. And finally, secure data streaming: this is taking the data off the factory floor and getting it to the people that need it most. You guys all work with ICONICS. You know the efficiency gains, the importance of using your factory data. We add an extra layer to that transmission process. We add what I would call a disassociating factor. And a lot of our customers in the oil and gas space have commented to us that it's not just getting it there securely; the content of that data can actually move markets. So, knowing that is important. So, if we can disassociate A from B, you adopt a more secure overall posture. So, what do we replace? And if you're using one of these, please talk to me.

[4:55]

The first thing is static VPN. This is kind of the industry standard and how most everybody has always gotten to their target networks. We're going to dig in on static VPNs a lot in today's conversation. The second is built-for-IT remote access tools. The truth is they weren't built for operational environments; they weren't built to help your people get to problems faster. Your teams, your operational teams, are judged by how quickly they solve problems, not by how quickly they jump through IT access hoops. Vendor-installed backdoors: there are some vendors, like ICONICS, that care deeply about your security. We've gone over a number of the different ways in which they're helping improve your security posture. Other vendors just don't care; they'll drop a cellular backdoor into your network, and that's now a pivot point through which someone can move laterally to deploy ransomware or other remote code execution. Shadow IT: I encourage all of you to take a walk through your factory floors and just take note of the applications on some of those workstations. It's, “Well, geez, we needed access fast, so we installed this free licensed software.” And now the guy got in; well, great: them and everybody else. And then finally, the last two are really the cost sinkholes, so shipping laptops to vendors. Static VPNs: we know that they don't really work. Some use jump hosts; others will ship you a laptop because you do not trust the person connecting to your network. You want to control that as much as possible. So, you wind up being not only a chemicals manufacturing company, but also a laptop inventory warehouse. It doesn't really work at scale. And then finally, obviously, driving/flying on site. That just means that your turnaround time on maintenance, debugging, or even patching and updating might extend to weeks when it should only take hours. How are we different? Next-generation moving target defense; we're going to talk about that. Next, we align with the frameworks that you work with, whether that's NIST 800-53 or 800-160 (Volume 2 is the latest one), the CSF, or, if you're in Europe, IEC 62443. So, you name it, we work with it. We help you align to those frameworks, so that way you can feel more confident about your profile. Zero trust network access: zero trust does not just mean that you only gain access to things you're supposed to. It also means when you're not supposed to be there, you don't get to be there. You get kicked out. So, proactively deactivating accounts. Disposable single-tenant infrastructure: I mentioned disposability as a key concept in moving target defense. It's the idea that you don't trust a device, an endpoint connected to your network, after one day. Let's throw it away. And let's build a new one with the latest security patches and updates. Let's not worry about “Did you remember to patch it?” Let me take care of that for you. Full segmentation between corporate and OT environments: this is going to be a huge point in the Colonial Pipeline case study. But your OT network is where you make all your money. It builds your systems; you should give it its own access point. And then finally, visibility and auditability. We hear from so many customers that there are blind spots in remote access. How do I know what somebody did when they were there? We help you eliminate those blind spots and gain full accountability over everybody's actions.

[8:05]

Static defense: the best way I can describe it to you is a sandcastle. You and your team, you're constantly building taller, thicker walls. But there are waves of attacks coming at you from all sides all the time. The problem is your sandcastle never moves. So, one of these days, one of those waves is going to find a way to break down the core integrity of your defenses and ruin your day. A traditional method for this is static VPNs: that static VPN concentrator is sitting there. Everyone else is connecting to it. So, you're painting a target profile. And remember, we're not just dealing with your run-of-the-mill attackers; we are dealing with advanced persistent threats. You guys are running critical infrastructure. These are very valuable targets. So, they're going to take the time to figure out what kind of VPN you're using and where it exists. What are the patterns of life that people are going to use to connect to it? And they're going to say, “Great. Well, I know it's a pretty big month for you. Maybe Christmas is coming up and you need to produce a lot of widgets. And so, I'm going to then pick that one time to ransom you, to find the way in you didn't patch yet. And I'm going to find a way in and ransomware your networks.” Moving target defense takes the idea of a sandcastle and turns it into a submarine. We have that hardened, airtight shell. We push the perimeter out, though, and make it dynamic. So now it's going to proactively evade enemy reconnaissance, and reconnaissance is about 90% of any attack against any network.

[9:34]

What does that look like? It's a much more complicated slide. But I can tell you that that entire purple box you see here, that's all handled by Dispel or another moving target defense provider. We're taking care of the complexity of bouncing that information around for you, so that you don't have to think about it. I know you see a lot of different cloud providers in this slide. I want to just quickly comment on that. That's because we deploy in over 200 global data centers across a number of different cloud providers. We can build your infrastructure where you need it to be, so it's the most performant for you. And then we also have, and you'll see on my right side, the virtual desktop. So we have disposable virtual desktops that your users will connect to, your vendors will connect to, ahead of getting to your endpoints. Think of them like a doctor walking into the OR: they're going to put on their disposable gloves before working with a patient. That way, you know at the end of it, they can be taken off and thrown away. So that's kind of the idea of moving target defense.

[10:37]

Let's look now at the cost of an insecure remote access platform. And I want to look at three case studies. But first I want to talk about in 2020, about 50% of organizations reported a data breach caused by a vendor, at an average of seven and a half million dollars to remediate. My point in telling you that number is not to have you say, “Great, I'm going to stick my head in the sand. That's it, no remote connectivity, anywhere.” That would be tantamount to running a 100-meter race with a potato sack on your legs and watching your competitors speed on by, because they're doing all the right things. They're getting all that information, all the benefits of remote connectivity, where you've decided to just turn it off. The thing is, remote connectivity is here to stay; we have to be thoughtful about how we can best secure that process while taking advantage of those efficiency gains. So, looking at our use cases, let's jump into the first one: a large automation vendor. The attack was called multiple; the cost, it did require direct-level access. So, it may have been exploited amongst different organizations, but I do not know the method. So, Tom mentioned earlier the idea of message spoofing. That's exactly what happened in this case. Attackers were sending unauthorized commands to a chipset, to the Modicon chipset. And that then leaked hashed information. They then took that hashed information and applied it to gain command and control over the chip itself. So that way they could perform remote code execution. They could install their own sets of malware, and they could then move laterally from there and spread across the entire network, because of course, that chip is probably trusted amongst its peers.

[12:10]

So, what could you do different? And that's what that acronym spells out. It's “what could you do different.” The first is, remember, automation tools weren't built for security. Many of them are, if not 5, then 15, and I'm not going to say 50, but they're old. And they're still useful. They're still being used. So, you need to create a layer around those vulnerable devices. Back to our DoD side of things. They're saying, “Well, listen, we know there are some known exploits. How can you limit the attack surface that somebody can use against it?” So, the answer is you have to strictly control access, not just at a per-user level, but at a port and protocol level, because I can then see if you're sending unauthorized commands over a certain protocol that you really shouldn't be sending. And I'll reiterate that moving target defense allows you to push the edge of this perimeter into the cloud. We're able to then proactively defend, so that way malicious data never actually gets to your network. Remember, an important concept in this attack being utilized was direct network access.

[13:12]

Our second case study: JBS food group; the attack was ransomware. The cost was $11 million in ransom. So, what I want to talk about here is, remember that your attackers are taking time. They are patient, and they will find a way in. Before this attack ever took place, an attacker spent about two or three months scoping it out, performing reconnaissance. And how does one perform reconnaissance? Well, we're looking for exploitable nodes on the open Internet. Common nodes are the ones that you're using, right? If you've ever used Remote Desktop to a different Windows server, if you're using VNC, virtual network connection, to connect to different downstream servers, you name it. And of course, the hallmark static VPNs, the static virtual private networks. The first step is always reconnaissance. That's what happened here. And in Australia and in Brazil, they found a few nodes that they could exploit. The exact attack profile is not known, but they found some exploitable nodes. They downloaded a whole bunch of data. And when they were ready, once they had taken what they wanted, they then put in a ransomware attack and shut down food production, or meat production, in Australia and Brazil.

[14:24]

So, what could you do different? First, if you do have any OT devices that have external access, please stop. Please take them offline. And that will include different backdoors, those cell chips. Make sure that if your vendors are connecting to your network, you control that process, and you've talked to them about security. The second is to adopt more access tools that are proactively patching themselves. You can't keep up with patching every single node in your infrastructure, so you need to have somebody that does that for you without sacrificing uptime. And then three, the whole point of reconnaissance is to frustrate attackers. Again, nation-state-level attacks are at the reconnaissance phase, making it very, very expensive and time consuming to find you.

[15:08]

The final case study: Colonial Pipeline. The attack again was ransomware, at a cost of almost four and a half million dollars. They did recoup a lot of that, though; about two and a half million dollars the FBI got back. But of course, all of us felt that at the gas pump, when for the first time in four years, the national gas average rose above $3. I don't know about you guys, but in Massachusetts, it's still above $3. So we're still feeling the effects of that. So, what happened? Well, this is kind of the clear case study in what not to do. Attackers found a dark web password on an unused but still enabled VPN account. And that VPN account did not have multi-factor authentication. They then used that brute-forced password to get into the network, at which point they simply just deployed ransomware everywhere they could find, because Colonial had a very flat network hierarchy. Even worse, they had a network where the corporate and OT networks meshed a little too closely. Semi-permeable is not even the right word to describe it. And so, at which point, you don't have somebody in the operations room say, “There is ransomware in our corporate network. We can't afford to recover from that, so we're going to, as a precaution, shut down the pipeline.” And that's what they did. And then they went and paid the ransom to then turn things back on.

[16:26]

So, what can you do different? The first is strict segmentation of IT and OT networks; we talked about that a bit. The second is MFA, that's multi-factor authentication: enable it, and enforce it. We heard Oliver talk earlier about how ICONICS has MFA. So do things to turn on that second level of access requirement. And then finally, use a remote access tool that deactivates accounts once they're done. We have project-specific windows during which people can access your network. Turn it off after that; don't have these lingering accounts that might come back to bite you. So, at this stage, I've talked a lot about cybersecurity, all the things that could go wrong, what you could do different. But I want to remember something in the IT/OT space; you need a remote access tool that prioritizes operational efficiency. Because at the end of the day, the guy at the front line cares about how quickly he gets to the problem, to get his manufacturing line back up and running. So, we say remote access systems, they're not cybersecurity tools. They are efficiency tools with cybersecurity requirements. So, when we think about this from a connection time perspective, you can have that insecure RDP connection, Remote Desktop Connection. It might take you three to five seconds. You can have a secure connection, jumping through jump hosts, what have you, that might take you 7 to 12 minutes. Neither one of those is an acceptable outcome. What you want is a solution that aligns to the most secure frameworks but gets you to the problem, gets your best people to the problem, in less than 30 seconds. So that way, they can actually recover from any other events. Because what we're trying to do is reduce your mean time to recovery. How quickly can you recover from an incident? And how do you know you're doing that in as secure a manner as possible? You're limiting windshield time, right? People aren't driving or flying to the site; people aren't spending too much time jumping through those 7 to 12 minutes of hoops. You're taking advantage of production data; you're able to get data more competently off your system, and then get the right people in. And finally, we talk about getting the best people to the problem faster, whether that's a vendor, or whether that's an operations team and engineering team halfway around the world. You get your best people there as quickly as possible. To put this in real dollars and cents: these are just made-up numbers. If you work at a 24/7 facility, and you make $125 million a year, you're producing about $238 per minute. That's how that math works out. If you're wasting that 12-minute downtime plus three minutes fixing the problem, that 15-minute downtime incident or delay will cost your organization over $3,500. So that time, those seconds, matter in OT environments.

[19:17]

In terms of developing and building out real ROI for this, one of our customer case studies, Connecticut Water, they improved the efficiency of their connections by 87%. That's their service delivery guys. That's their water control guys at 2 am connecting into the network and figuring out what's going on. And between that and eliminating the other remote access tools that they had previously put in place, they spun down some 150 or 200 jump hosts in the process, saving them almost a million dollars between FTE time, because it's like $24 an hour for a service delivery employee in Connecticut. And so that investment ROI then speaks for itself.