Ms. Melissa Topp, ICONICS Senior Director of Global Marketing, hosts the "Safeguarding Against Cybersecurity Threats with Data Connectivity" Q&A session with panel members: Mr. Oliver Gruner, Corporate Account Executive, Mitsubishi Electric; Mr. Ben Burke, Dispel Chief Operating Officer; Mr. Tom Burke, ICONICS Global Director of Industry Partnerships; and Mr. Yuki Shimizu, Engineering Manager at Mitsubishi Electric Automation, North American Development Center.

Video Transcript

[0:00] Mr. Oliver Gruner Corporate Account Director for Mitsubishi Electric

Hey, thank you very much, Melissa, for joining us. I think we're moving into the Q&A session. You got all your panel members lined up, Melissa, so let's hear some of the questions coming in from the online community.

[0:18] Ms. Melissa Topp ICONICS Senior Director of Global Marketing

Sure, absolutely. So, we’ve got a number of great questions here. Thank you everyone for submitting them through Attendee Hub. I think I have a pretty good idea to whom each question should be posed. Let's start with this one. Sounds like a good one for Ben, “Is it possible to deploy the cloud infrastructure in our own cloud accounts?”

[0:44] Mr. Ben Burke Chief Operating Officer for Dispel

Yes, absolutely. We can deploy, again, across cloud providers in over 200 global data centers. And we can use your cloud accounts, your cloud credentials to deploy. And actually, we offer a discount for doing so. So totally.

[1:00] Melissa Topp

Sounds good. Thank you. Another one for Ben, “You mentioned this should be used instead of a static VPN, but that's been the standard for so long. Why is moving target defense more secure?”

[1:17] Ben Burke 

Yeah, it really kind of breaks down to three components. The first is that sandcastle mentality. So it's not painting a target profile on your back in your organization's networks back. The second is really the direct access to your operational environment. If you then don't trust the endpoint coming into your network, giving them direct network-level access is opening the door for whatever they have on their computer to come in alongside it. And then the third is just the administrative overhead. Right? So, it's, how much effort does it take to grant someone access? Is that a one-hour process, a one-day process, a one-month process? I've heard it can get hairy out there. So, it's how do you simplify and standardize that process? So that way IT security is already on board with what you're doing. And you can get, you can process things much more quickly. And then in the backend, you're automatically removing people when their job is done.

[2:12] Melissa Topp

Very cool. Thanks, Ben. This sounds like a good one for Oliver. “Is ICONICS working on IEC 62443 certification?” I know Ben mentioned some other types of standards but didn't hear that one. So yeah, the audience would like to know.

[2:31] Oliver Gruner 

That's a good question. And ICONICS is working on that. And there are multiple phases that go with it. Our parent company, Mitsubishi Electric at the Nagoya Works location, they have gone through an IEC certification which is basically the process of how you code and how you handle secure data transfer. So that's how Nagoya Works has done, and we are following that. And we are planning on finishing this up by the spring of next year. And once we have this first phase done, then we are going to look into how do we apply the certification for our, actually, the products that we release. That is going to come out a second step later after that.

[3:21] Melissa Topp

Furnace. Thanks, Oliver. Next question. Oh, this was an interesting one. “So you described pretty well, Ben, how the system worked for controlling operator access. Could it work in a similar way for controlling vendor access as well? And how's the process different for vendors?”

[3:42] Ben Burke

Yeah, I would say that our goal is to standardize how both operators and vendors are going to enter a network. So that way, you're not thinking of too many different processes, and you're applying the strictest controls you can to both parties. So, the vendor process would work exactly the same way. You saw my operator access work; it's just that there are some operator accounts that either don't need the same level of session recording. But it's really up to whatever the balance of security that you want to enact. I recommend everyone be recorded. But that's really up to you.

[4:18] Melissa Topp

Fair enough. Thanks, Ben. Another one for you. I was curious about this one, too. “Can you explain what you mean by disposable when talking about virtual desktops? Why does that help from a security standpoint?”

[4:32] Ben Burke

Yeah, so the key component of disposable infrastructure, like the virtual desktop I connected to, that one will be destroyed at the end of today. And a fresh new virtual desktop will be built. We do provide full customization of our virtual desktop so that way, whether it's GENESIS64 or other tools you need on the virtual desktop. A lot of common ones would be SSH or RDP itself. We’ll make sure those applications are on a golden template of the virtual desktop, so that way each time it's been built, all the tools you need are there. But by throwing away that desktop each day, think of it like the submarine. I've now moved that submarine on a daily basis. So, anybody who thought someone was connected to your network through IP address XYZ now has no idea where you are today. So that's really the idea of disposability. I would also add that it allows us to build from a known clean, golden image, so that way, there is no chance for any kind of latent malware or anything else to be there. And we also are automatically applying the latest security patches and updates all throughout that process. So, we're taking care of all that. You don't have to think about it.

[5:36] Melissa Topp 

That makes perfect sense. Thanks, Ben. We got one for you, Tom, “You talked about Takebishi and OPC servers; someone wants to know what makes OPC UA a secure piece of the puzzle?”

[5:50] Mr. Tom Burke Global Director of Industry Partnerships for ICONICS

Well, and it's so important. We also have Dispel, and we have everything built in the architecture because OPC UA is secure by design. But that's only one small part of the interaction between the client and server, the publish subscriber. In order to do remote access, you need Dispel so you know, it's just part of it. But OPC UA is essentially monitoring all the certs all the time, basically, and making sure that they're addressing the different things that go on. Security, by definition, is a moving target; you've got to constantly be looking at the different things that you need to address. And the whole concept of being virtual and things like that and swapping that thing out at the end. The whole concept is eliminating access where people shouldn't have access. So OPC is very conscious of this; they're working with all the industry standards from an international perspective. But you still need a complete infrastructure, and things like Dispel play a very integral part in the solution to address the cyber security flaws of today and tomorrow.

[6:53] Melissa Topp

Absolutely. One more for Ben. We'll see if we have time for any others after that. “What does a normal installation look like?” That made me chuckle; what's normal anyway?

[7:06] Ben Burke

Yeah. No network is ever normal. I guess I'll start with that. But as you can see, even with the EMI 2000, we can deploy as a piece of hardware or virtual appliance. So, in this case, it's a virtual appliance living inside the EMI 2000. That’s the only local on-premises requirement. We will need one outbound firewall rule. So again, that's an outbound-only connection. There are no inbound firewall rules. And from there, it will proactively connect out to a moving target defense network and then act as a gateway at the edge of your network to provide access to downstream endpoints. We will require a bit of knowledge about some of the routing in your manufacturing network. So, you'll have to come equipped with that. But for most of our customers, the process takes about an hour and a half. And then another hour of training. And you're on your way.

[7:59] Melissa Topp

Nice. You mentioned the word downstream there in your last response. Funny, because the next question, this person wants to know, “Do you work in downstream oil?”

[8:11] Ben Burke

Yes, yes. So, we work across a number of industry verticals, oil and gas downstream, upstream, midstream, all the streams, but we also work in water & wastewater, basically, anybody with a critical environment. Specifically in downstream, we've had a lot more interest in the idea of remote data connectivity. So, it's getting historian data; it's getting data off the factory floor to the people that need it. How do you do that in a secure manner and also in a way that disassociates the parties?

[8:42] Melissa Topp

Thank you very much.