Video: 30 minute Live Demo - OT Security: See and Secure Every Device and Connection in the Industrial Environments | Duration: 2048s | Summary: 30 minute Live Demo - OT Security: See and Secure Every Device and Connection in the Industrial Environments | Chapters: Introduction and Housekeeping (25.630001s), Centrix Platform Overview (74.395004s), Telemetry and Integration (192.43s), CMDB Integration Capabilities (326.67s), Device-Centric Security Analysis (425.91498s), OT Security Features (899.31s), Conclusion and Q&A (1299.57s)
Transcript for "30 minute Live Demo - OT Security: See and Secure Every Device and Connection in the Industrial Environments": Today's Armis demo. I am Antonio Gerales, one of the campaign marketing managers at Armis, and I will be your host today. In this session, we will discuss Armis Centrix for OT/IoT. But before we dig into our demo, I would like to cover some housekeeping items. This is a thirty minute demo session. This session is being recorded and it will be available for you on demand. Please submit your questions in the chat and we will address them at the end of the presentation. We have provided some additional resources for you on the topic. Please check them out after the webinar. With that, I would like to introduce our speaker, Barry O'Brien, Principal Sales Engineer at Armis. Barry, I hand this off to you. Thank you. Thank you, Antonio. Hi, all. I am Barry O'Brien, principal architect for OT at Armis. And today I'm going to show you a live demo of Centrix for OT and IoT security. Before we get to the live demo, I just want to give you a quick overview of what Centrix actually is and how it works. Centrix is a cyber exposure management platform. Centrix works with all devices, regardless of whether they're in manufacturing, energy, ICT, health care and so on. It's every single device on the network. So that's the "see" part of the platform. We discover every device, we enrich that device and we profile every device. In terms of protection, Armis does security monitoring for risks, vulnerabilities, but also active exploitation. And Armis can provide protective measures when we detect these threats and integrate with existing infrastructure to actually stop attacks in their tracks.
In terms of the risks and vulnerabilities that Armis will discover, we give you the ability to manage these by establishing the workflows for risk reduction through mitigations and remediations, end to end management of those workflows to increase the effective proactive security of your environment. Armis does this, or Centrix does this, using three primary pillars. One is integration. So Armis Centrix has hundreds of integrations with your existing tooling in your stack, whether it's network, asset, security and so on. Very easy to deploy, typically API based. If the solution that we're integrating with doesn't have an API, it could be a service account, for example. But we have hundreds of integrations to bring together all of the data that are in disparate solutions within your environment. Centrix also does telemetry collection. This can be SPAN or TAP or other network traffic inspection methods, as well as SNMP integrations with your network infrastructure. Smart Active Queries, which can use the native protocols of devices, not just the specific ICS devices, but also other IoT and IT type devices that you will still have in your OT networks. All this is combined with the asset intelligence engine. Over six billion unique devices under monitoring by Armis Centrix at this moment. Essentially, just fingerprinting the behaviors and properties of each device, matching those fingerprints to this crowdsourced database for really fast and accurate reporting and categorization of devices based on their type and model, but also behaviors. Getting a little bit deeper on how Centrix does this, the integrations with the existing tools can be from on premises integrations, tools like endpoint security or firewalls, but also cloud based solutions such as AWS, which we're finding very, very common now in OT environments as SCADA, historians and other telemetry solutions are actually being migrated into the cloud. The telemetry collection through passive traffic inspection.
This can be through SPAN, TAP or ERSPAN. Essentially, it doesn't matter how you get the data into Armis, as we do the deep packet inspection to identify devices, identify characteristics, properties, analyze behaviors and also look for anomalous events in the traffic. Smart Active Queries, where we can use those native protocols I mentioned previously, whether it's STEP 7, Modbus, CIP, etcetera. We actually ask the device, what is it? Give me your profile, give me your data, the essential data about what you are. And then we can use that for vulnerability matching, lifecycle management, etcetera. All that feeds into Centrix and the asset intelligence engine. And from an output perspective, Armis can be a data source for your CMDB. If you have a CMDB, you may have the same frustrations as a lot of other organizations where it's not automatically kept up to date. You're reliant on manual efforts to update the CMDB. Armis can become that automatic data source for your CMDB to create CIs, but also update CIs when changes are detected on those devices. From a threat and activity perspective, Armis can feed into your SIEM, your SOAR using the industry standard methods such as Syslog. From an enforcement point of view, we have integrations with all of the major network vendors where we can automate blocking, for example, on a North-South connection. If we see suspicious activity, let's say, from an IT network trying to infiltrate into the DMZ, we can automate the block on that firewall. And then finally, from a ticketing and workflow perspective, all of the data that Armis has can be used in your ITSM solutions; we can create the tickets automatically, assign the owners, track the workflows, track the remediations and do full reporting on those as well. This approach has been validated by Gartner. You may have seen the recent Gartner Magic Quadrant report for CPS protection where Armis is seen as a leader.
It's important to note that after this Magic Quadrant was released, Armis actually acquired OTORIO. We're bringing on premises CPS protection as well as secure remote access into the Armis portfolio. Allow me to jump to the demo. When you log into Centrix for OT/IoT, your initial view is around dashboards. These dashboards are intended to present to you the useful and most critical information that you need according to your own use cases. If your use cases are around asset visibility, you can look at all the asset data that Armis has collected, broken down on a per site basis. So you can have a global view, you can drill down onto an individual site, or you can have groups of sites. Likewise, you can do it based on boundaries, just another term for a zone. So within the site, or even spanning multiple sites, you can have all this data presented back to you on a per site or a per zone basis. If your use case is around activities, for example, PLC activities: what's happening with the PLC, what user is doing these activities, who is creating or who is making changes on the PLC, but also are there any errors on the PLC, etcetera. And if your use cases are more around security or risk vulnerabilities, there are dashboards for this as well. Now the dashboards are easily configurable by you, the user. But Armis also has hundreds of pre built dashboards, which can be added with just a click. I'm going to drill down now into the devices, because Centrix at its heart is device centric, in that the devices are at the heart of everything within Centrix. We try to show you all the data that's available about devices. For example, what is the device? Where is the device? What is it doing? Who is using it? All this data is collected in the inventory page. So whether it's network data, for example, profile data, even security attributes, if these are available. Where is the device on the network? But also deep, deep data around the OS, firmware, etc.
What is installed on the device? Now, the critical use case for understanding what's installed on a device is also related to risk. What is the risk that this device poses to my network? Why applications and patch level are important on that is understanding the vulnerabilities of the device as well. So Armis gives you deep data into all of the vulnerabilities plus prioritization according to a risk score. What is the most critical vulnerability that you need to fix on this device based on different metrics, not just CVSS, but based also on things like exposure and exploitability. These vulnerabilities can also feed into risks, but there are other risks, not just vulnerabilities. For example, lifecycle: understanding the lifecycle of a software, understanding the lifecycle of the device itself and its operating system. Armis also looks at the activities of these devices. What is the device doing on the network? In this case, for example, we can see there are configuration changes being made on the device, but also even online edits. So now I'm going to give you a look at the OT devices in this demo. Armis will profile and categorize every device that it sees on the network, assign it a type and collect and present back the data about what that device is, where it is, what it's doing on the network, who was using the device, what risks are associated with that device, including vulnerabilities and lifecycle information. From a profiling perspective, Armis picks up the data from the integrations. As you can see from this device, we're actually seeing this device in multiple different integrations: Active Directory, SCCM, Tanium, Nvidia, and even from the traffic inspection on the network. When the device was first seen on the network, when the device was last seen, what boundaries, what zones. Armis can actually track this data across multiple sites and multiple zones.
So if the device is transient, like in this case, this engineering workstation software is actually installed on a laptop, and that laptop can move across networks. It can go from an IT network to an OT network. It can go from site to site with the engineer that actually owns this device, connecting into multiple zones. Centrix will actually track this device across all the networks that are being monitored by Centrix and report on that. Centrix collects the network information, profile information, any other information that's available through the integrations, OS versions, builds down to patch levels, security attributes, if they're available through the network traffic, if they're available through traffic inspection. As an example here, if this device does not require a password to log on, Armis can report on that as well. Armis will look at the network traffic of the device to see if this is breaking your segmentation. So as an example, here we can see the engineering workstation is connecting to a number of different other devices. But we can see here it's also connecting to the Internet. So this is external, and we can report on it, for example, as breaking segmentation, where this restricted device is connecting to the Internet, which should be against policy from an OT network. Within the network traffic, Armis also looks for activities. So in this case, we can see that there are a number of configuration changes being made from this engineering workstation to different PLCs. These can be online edits, for example, tracking that and timestamping that so you can see what user brought the device into online edit mode and at what exact time. So as this is a workstation, we can also see what applications are installed on this device. A typical example here is to see if TeamViewer or other unapproved remote access software is installed on the device and report on that as well. This also feeds into the risks and the risk scoring for this device.
We can see that this device actually has 322 vulnerabilities. Now these may be software based vulnerabilities through the applications that are installed, but also OS level vulnerabilities based on whether the device has been patched or not. And Armis will actually also tell you what are the most critical vulnerabilities that need to be remediated. It's not just about CVSS. CVSS is a measure of impact, but Armis also uses exposure and exploitability information to tell you what devices or what vulnerabilities are the most critical on what devices. So as you can see here, there is a CVSS of 5.5, but based on the Armis Centrix information about exploitability and exposure, we can see that this actually is at 10. Now, vulnerabilities are risks that need to be mitigated or remediated, but there are also other risks that Armis will detect about devices. For example, lifecycle information. Centrix has integrations with all the major vendors for lifecycle information. We can report on applications, operating systems, etcetera, but also hardware. If a server, for example, is running on outdated hardware, if it's a PLC with a card that is end of life and out of support, Centrix can report on all these as well. And these can be factored into your risks. And it's also about behaviors. SMBv1 is a risky protocol, very difficult to eradicate from an OT environment based on legacy systems, but at least you can report on it, you can control it, you can put countermeasures in place or mitigations in place as well when Armis reports on these risks. So this is an engineering workstation, typically the kind of OT device that is based on IT infrastructure. But also, what about PLCs, for example? So Centrix will still look at the network traffic, still find data about these through integrations.
As an example, Centrix here integrates with the Rockwell engineering workstation software to profile this device, find data about serial number, model, operating system or firmware versions as well. It goes a bit deeper when it gets to a PLC or controller, because we can see all the different modules that are installed and also report on the individual properties of these. For example, as I mentioned earlier, lifecycle information or firmware information, and this can feed into individual risks for this PLC as well. Likewise, you can see the activities for the PLCs: which devices are making changes, but also are there any errors? A partial transfer error here is seen in the network traffic. These activities are seen in network traffic. As we look at this PLC, we can see a lot of CIP traffic. That's to be expected for a Rockwell PLC. We can see there's 20 different IP connections, sessions here that we're tracking. Looks pretty typical: engineering workstation to PLC, PLC to PLC, SCADA to PLC, PLC to sensor, all pretty typical, except for this last one here. As you can see, the IP address actually is not one of the OT IP addresses. This is an external network, and we can see ten point two zero one, an external network, using UDP 161 for SNMP to connect to this device. You can create alerts based on this as well. Purdue violation, for example. Here we can see that actually this device, it's a ThinkCentre N910S, and actually not only that, it's also attempted to reset the Ethernet module of that device. Again, this all feeds into risks, vulnerabilities on the PLC. Again, we can see here there's a CVSS 5 with a higher risk score based on exposure and exploitability and also risk factors. We can see this device actually here is running end of support hardware from 2017. Now, that may mean that you need to replace it, but it also may mean that you just need to ensure that you have appropriate spares in place in case it fails and you can't get support.
So that's the device view. We also can represent all of these devices on the Purdue model. This is a pretty common feature for our OT customers, where they want to understand their segmentation and breaks in that segmentation. Now we're showing all of the OT devices here on the Purdue model. We can expand this so you can see engineering workstation talking to engineering workstation. You can see engineering workstation talking to a PLC. This actually looks fine. It's level one to level two. But when you show the non-OT devices here, you can see actually there is a vulnerability scanner that is in the IT network, which is talking to a PLC in level one, breaking your segmentation. So this Purdue model gives you a good visual representation of your network segmentation and traffic crossing multiple boundaries. There's also a view from an IP connection point of view to understand your segmentation and if there are any breaks in your segmentation. As an example, here you can see there's the ICS zone talking to the corporate zone. We can see that there are ICS devices, corporate devices, with protocols such as HTTP traffic coming over. And you can see those connections here where you have these IT devices connecting over to the OT network, talking to the OT devices, helping you understand your segmentation gaps. We discussed risks already when we looked at the two devices, but I just want to show you that there is a much bigger view around risk factors, right? So it's not just about the end of support, but also behaviors such as perimeter evasion. Again, setting up a risk that your IT device or your OT device is talking to an IT device when perhaps it shouldn't be. Also threat detection. For example, the threat detection engine, which has signature based IDS, also has anomalous behavioral detection and integrated threat intelligence, and can detect actual attacks in flow and report on those.
Unencrypted traffic is another example, more common in OT, but what you really want to look at from an OT point of view is where this traffic is unencrypted. So if you have your zones and conduits set up and you have encryption requirements for that conduit, Armis Centrix can actually tell you that this conduit between these zones has unencrypted traffic going through when your policies say that traffic should always be encrypted. So putting all this together, from a risk point of view, from a device point of view, from a network point of view, Armis Centrix actually can bring this all together into compliance dashboards to help you understand where the gaps are in your compliance. Now in OT, the typical standard being used is IEC 62443. Armis can report on all of the different security controls that are in 62443, whether in different FRs, SRs and so on, and actually align them back to the security levels as well. So a good example here is protection from malicious code: understanding is endpoint protection installed across the estate where it can be for your Windows devices in the OT, but not just is it installed, but what is the gap, right? Is it even configured? And as you just click in, you can see here, these are devices where it is not properly configured. So that's a very high level quick demo of Armis Centrix for OT and IoT. I hope this has been helpful. Antonio, I'd like to hand it back over to you to see if there have been any questions during the demo. Yes, Barry. We have actually a couple of questions from the audience. The first one is from someone working with a lot of legacy equipment in their network. They're asking, could the Centrix solution impact the operation or uptime of older systems? That's a great question.
It's a pretty common concern about putting any sort of solution, additional solution into an OT network, especially on the ICS side where, you know, if a machine is perfectly functioning and it's not broken and you want to change something, is there a potential to actually break it and have an effect on production? So the simple answer with Armis Centrix for OT and IoT is that no, you won't break it by doing passive traffic inspection, because it's out of band. The passive traffic inspection gets a copy of traffic. It does not speak back onto the network and it's only doing this analysis out of band. So it can't have an impact on those legacy devices. Now, with the Smart Active Queries, if you run some of those queries on devices where it's unsupported, then yes, there could be an impact. So Armis would always recommend doing your passive traffic inspection first to build a profile, understand what those devices are, and then you can do the enrichment using the Smart Active Queries. You have to understand that device first. So if that device is a 20 year old controller, don't do your Smart Active Queries. If that device is a quite recent PLC, which, you know, uses STEP 7 and can handle that protocol without any issues, sure, use that Smart Active Query. Well, from a legacy point of view, Armis would always recommend passive inspection first just to understand what the state of devices looks like. Any other questions, Antonio? All right. Thank you. Yes, we have another question. The second one is, they mention that while their focus is on OT, their manufacturing setup also includes a significant number of IT assets supporting OT functions. The question is, is Centrix also geared to handle IT devices alongside OT? Great question. By its nature, Centrix does handle IT assets, because Centrix can cover all verticals: IT, OT and healthcare.
I do feel it's important to point out that OT as a term does encompass a lot of IT type devices and IT type infrastructure that may not be part of an industrial control system. An industrial control system is made up of PLCs and controllers, sensors, actuators, SCADAs, workstations and so on. But there is a lot of other supporting infrastructure that exists in a plant, whether it's a factory, could be a utility, could be a distribution center. All of those different types of environments will have a lot of supporting infrastructure that is actually IT type equipment, even if it's not managed by central IT. So Centrix actually does understand these devices. It profiles these devices and understands the protocols that these devices use, but also understands the risks and vulnerabilities in these devices. So the answer to the question is yes. If there are no more questions, I'll hand it back to you, Antonio. Thank you, everybody. We are currently nearing the end of the session. I want to thank everyone for joining us today. Thank you, Barry, for your amazing presentation. For more information about Armis, please visit armis.com. Have a great day, everybody. Thank you.