Video: 30 minute Live Demo - OT Security: See and Secure Every Device and Connection in the Industrial Environments | Duration: 2052s | Summary: 30 minute Live Demo - OT Security: See and Secure Every Device and Connection in the Industrial Environments | Chapters: Welcome and Introduction (22.255001s), SentriX Platform Overview (74.104996s), Device-Centric Security Analysis (428.51498s), Handling Legacy Equipment (1299.69s), Conclusion and Thanks (1531.0349s)
Transcript for "30 minute Live Demo - OT Security: See and Secure Every Device and Connection in the Industrial Environments":
Hello, and welcome, everyone, and thank you for joining us at today's Armis demo. I am Antonio, one of the campaign marketing managers at Armis, and I will be your host today. In this session, we will discuss Armis Centrix for OT/IoT. But before we dig into our demo, I would like to cover some housekeeping items. This is a thirty-minute demo session. This session is being recorded, and it will be available for you on demand. Please submit your questions in the chat, and we will address them at the end of the presentation. We have provided some additional resources for you on the topic. Please check them out after the webinar. With that, I would like to introduce our speaker, Barry O'Brien, principal sales engineer at Armis. Barry, I hand this off to you. Thank you.

Thank you, Antonio. Hi, all. I am Barry O'Brien, principal architect for OT at Armis. And today, I'm going to show you a live demo of Centrix for OT and IoT security. Before we get to the live demo, I just want to give you a quick overview of what Centrix actually is and how it works. Well, Centrix is a cyber exposure management platform. Centrix works with all devices, right, regardless of whether they're manufacturing, energy, ICT, health care, and so on. It's every single device on the network. So that's the "see" part of the platform. We discover every device, we enrich that device, and we profile every device. In terms of protection, Armis does security monitoring for risks, vulnerabilities, but also active exploitation. And Armis can provide protective measures when we detect these threats and integrate with existing infrastructure to actually stop attacks in their tracks. In terms of the risks and vulnerabilities that Armis is going to discover, we give you the ability to manage these by establishing the workflows for risk reduction through mitigations and remediations. End-to-end management of those workflows to increase the effective proactive security of your environment.
Armis does this, or Centrix does this, using three primary pillars. One is integration. So Armis Centrix has hundreds of integrations with your existing tooling in your stack, whether it's network, asset, security, and so on. Very easy to deploy, typically API based. If the solution that we're integrating with doesn't have any API, it could be a service account, for example, but we have hundreds of integrations to bring together all of the data that are in disparate solutions within your environment. Centrix also does telemetry collection. This can be through SPAN or TAP or other network traffic inspection methods, as well as SNMP integrations with your network infrastructure, and smart active queries, which can use the native protocols of devices, not just the specific ICS devices, but also other IoT and IT type devices that you will still have in your OT networks. All this is combined with the asset intelligence engine. There's over 6,000,000,000 unique devices under monitoring by Armis Centrix at this moment. Essentially, that's fingerprinting the behaviors and properties of each device, matching those fingerprints to this crowdsourced database for really fast and accurate reporting and categorization of devices based on their type, model, but also behaviors. Getting a little bit deeper on how Centrix does this, the integrations with the existing tools can be from on-premises integrations, tools like endpoint security or firewalls, but also cloud-based solutions such as AWS, which we're finding very, very common now in OT environments as SCADA, historians, and other telemetry solutions are actually being migrated into the cloud. The telemetry collection through passive traffic inspection can be through SPAN, TAP, RSPAN, ERSPAN.
Essentially, it doesn't matter how you get the data into Armis, as we do the deep packet inspection to identify devices, identify characteristics, properties, analyze behaviors, and also look for anomalous events in the traffic. Smart active queries, where we can use those native protocols I mentioned previously, whether it's Step 7, Modbus, etcetera, CIP: we actually ask the device, what is it? Give me your profile. Give me your data, the essential data about what you are, and then we can use that for vulnerability matching, life cycle management, etcetera. All that feeds into Centrix and the asset intelligence engine. And from an output perspective, Armis can be a data source for your CMDB. If you have a CMDB, you may have the same frustrations as a lot of other organizations, where it's not automatically kept up to date. You're reliant on manual efforts to update the CMDB. Armis can become that automatic data source for your CMDB to create CIs but also update CIs when changes are detected on those devices. From a threat and activity perspective, Armis can feed into your SIEM, your SOAR, using industry standard methods such as syslog. From an enforcement point of view, we have integrations with all of the major network vendors where we can automate blocking, for example, on a north-south connection. If we see suspicious activity, let's say, from an IT network trying to infiltrate into the DMZ, we can automate the block on that firewall. And then finally, from a ticketing and workflow perspective, all of the data that Armis sees can be used in your ITSM solutions; we can create the tickets automatically, assign the owners, track the workflows, track the remediations, and do full reporting on those as well. This approach has been validated by Gartner. You may have seen the recent Gartner Magic Quadrant report for CPS protection where Armis is seen as a leader.
It's important to note that after this Magic Quadrant was released, Armis actually acquired OTORIO, bringing on-premises CPS protection as well as secure remote access into the Armis portfolio. And I'll just jump to the demo. When you log in to Centrix for OT/IoT, your initial view is around dashboards. These dashboards are intended to present to you the useful and most critical information that you need according to your own use cases. If your use cases are around asset visibility, you can look at all the asset data that Armis has collected, broken down on a per-site basis. So if you have a global view, you can drill down to an individual site, or you can have groups of sites. Likewise, you can do it based on boundaries, just another term for a zone. So within the site, or even spanning multiple sites, you can have all this data presented back to you on a per-site or a per-zone basis. If your use case is around activities, for example, PLC activities: what's happening with the PLC, what user is doing these activities, who is creating, who is making changes on the PLCs, but also, are there any errors on the PLCs, etcetera. And if your use cases are more around security or risk and vulnerabilities, there are dashboards for this as well. Now the dashboards are easily configurable by you, the user, but Armis also has hundreds of prebuilt dashboards, which can be added with just a click. I'm going to drill down now into the devices, because Centrix, at its heart, is device centric, in that the devices are at the heart of everything within Centrix. We try to show you all the data that's available about devices. For example, what is the device? Where is the device? What is it doing? Who is using it? All this data is collected in the inventory page.
So whether it's network data, for example, profile data, even security attributes if these are available, where is the device on the network, but also deep data around the OS, firmware, etcetera. What is installed on the device? Now the critical use case for understanding what's installed on a device is also related to risk. What is the risk that this device poses to my network? Why applications and patch level are important on that is understanding the vulnerabilities of the device as well. So Armis gives you deep data into all of the vulnerabilities, plus prioritization according to a risk score. What is the most critical vulnerability that you need to fix on this device, based on different metrics, not just CVSS, but based also on things like exposure and exploitability? These vulnerabilities can also feed into risks, but there are other risks, not just vulnerabilities. For example, life cycle. Understanding the life cycle of a software, understanding the life cycle of the device itself and its operating system. Armis also looks at the activities of these devices. What is the device doing on the network? In this case, for example, we can see there are configuration changes being made on the device, but also even online edits. So now I'm going to give you a look at the OT devices in this demo. Armis will profile and categorize every device that it sees on the network, assign it a type, and collect and present back the data about what that device is, where it is, what it's doing on the network, who was using the device, what risks are associated with that device, including vulnerabilities and life cycle information. From a profiling perspective, Armis picks up the data from the integrations. As you can see from this device, we're seeing this device in multiple different integrations: Active Directory, SCCM, Tanium, NVIDIA, and even from the traffic inspection on the network.
When the device was first seen on the network, when the device was last seen, what boundaries, what zones. And Armis can actually track this data across multiple sites and multiple zones. So if the device is transient, like in this case, this engineering workstation: actually, this software is installed on a laptop, and that laptop can move across networks. It can go from an IT network to an OT network. It can go from site to site with the engineer that actually owns this device, connecting into multiple zones. Centrix will actually track this device across all the networks that are being monitored by Centrix and report on that. Centrix collects the network information, profile information, any other information that's available through the integrations, OS versions, builds, down to patch levels, security attributes if they're available through traffic inspection. As an example here, if this device does not require a password to log on, Armis can report on that as well. Armis will look at the network traffic of the device to see, is this breaking your segmentation? So as an example, here we can see the engineering workstation is connecting to a number of different other devices, but we can see here it's also connecting to the Internet. So external. We can report on this as, for example, breaking segmentation, where this restricted device is connecting to the Internet, which should be against policy for an OT network. Within the network traffic, Armis also looks for activities. So in this case, we can see that there are a number of configuration changes being made from this engineering workstation to different PLCs. These can be online edits, for example, tracking that and time stamping that so you can see what user brought the device into online edit mode and at what exact time. So as this is a workstation, we can also see what applications are installed on this device.
A typical example here is to see if TeamViewer or other unapproved remote access software is installed on the device and report on that as well. This also feeds into the risks and the risk scoring for this device. We can see that this device actually has 322 vulnerabilities. Now these may be software-based vulnerabilities through the applications that are installed, but also OS-level vulnerabilities, based on whether the device has been patched or not. And Armis will actually also tell you what are the most critical vulnerabilities that need to be remediated. It's not just about CVSS. CVSS is a measure of impact, but Armis also uses exposure and exploitability information to tell you what vulnerabilities are the most critical and on what devices. So as you can see here, there is a CVSS of 5.5, but based on the Armis Centrix information about exploitability and exposure, we can see that this actually is at 10. Now these vulnerabilities are risks that need to be mitigated or remediated, but there are also other risks that Armis will detect about devices. For example, life cycle information. Centrix has integrations with all the major vendors for life cycle information. We can report on applications, operating systems, etcetera, but also hardware. If it's a server, for example, running on outdated hardware, if it's a PLC with a card that is end of life and end of support, Centrix can report on all these as well, and these can be factored into your risks. And it's also about behaviors. SMBv1 is a risky protocol, very difficult to eradicate from an OT environment based on, you know, legacy systems, but at least you can report on it. You can control it. You can put countermeasures in place or mitigations in place as well when Armis reports on these risks. So this is an engineering workstation, typically the kind of OT device that is based on IT infrastructure. But, also, what about PLCs, for example?
So Centrix will still look at the network traffic, still find data about these through integrations. As an example, Centrix here integrates with the Rockwell engineering workstation software to profile this device, find data about serial number, model, operating system, or firmware versions as well. It goes a bit deeper when it gets to a PLC or controller, because we can see all the different modules that are installed and also report on the individual properties of these. For example, as I mentioned earlier, life cycle information or firmware information, and this can feed into individual risks for this PLC as well. Likewise, you can see the activities for the PLCs, which devices are making changes, but also, are there any errors? A partial transfer error is seen here in the network traffic. These activities are seen in the network traffic. As we look at this PLC, we can see a lot of CIP traffic. That's to be expected for a Rockwell PLC. We can see there's 20 different IP connections, sessions here that we're tracking. Looks pretty typical: engineering workstation to PLC, PLC to PLC, SCADA to PLC, you know, PLC to sensor, all pretty typical except for this last one here. As you can see, the IP address actually is not one of the OT IP addresses. This is an external network, and we can see ten dot two zero one, an external network, using UDP 161 for SNMP to connect to this device. You can create alerts based on this as well, for a new violation, for example. Here, we can see that actually this device is a ThinkCentre M910s. And, actually, not only that, it's also attempted to reset the Ethernet module of that device. Again, this all feeds into risks and vulnerabilities on the PLC. Again, we can see here there's a CVSS of 5 with a higher risk score based on exposure and exploitability and also risk factors. We can see this device actually here is running end-of-support hardware from 02/2017.
Now this may mean that you need to replace it, but it also may mean that you just need to ensure that you have appropriate spares in place in case it fails and you can't get support. So that's the device view. We also can represent all of these devices on the Purdue model. This is a pretty common feature for our OT customers, where they want to understand their segmentation and breaks in this segmentation. Now we're showing all of the OT devices here on the Purdue model. We can expand this so you can see engineering workstation talking to engineering workstation. You can see engineering workstation talking to a PLC. This actually looks fine. It's level one to level two. But when you show the non-OT devices here, you can see, actually, there is a vulnerability scanner that is in the IT network, which is talking to a PLC in level one, breaking your segmentation. So this Purdue model gives you a good visual representation of your network segmentation and traffic crossing multiple boundaries. There's also a view from an IT connection point of view to understand your segmentation and if there's any breaks in your segmentation. As an example, here you can see there's the ICS zone talking to the corporate zone. We can see that there are ICS devices and corporate devices, with protocols such as HTTP traffic coming over. And you can see those connections here where you have these IT devices connecting over to the OT network, talking to the OT devices, helping you understand your segmentation gaps. We discussed risks already when we looked at the two devices, but I just want to show you that there is a much bigger view around risk factors. Right? So it's not just about the end of support, but also behaviors such as perimeter evasion. Again, setting up a risk that your IT device or your OT device is talking to an IT device when perhaps it shouldn't be. Also, threat detection.
For example, we could see the threat detection engine, which has signature-based IDS, also has anomalies, anomalous behavioral detection, and integrated threat intelligence, and can detect actual attacks in flow and report on those. Unencrypted traffic is another example, more common in OT. But what you really want to look at from that point of view is where this traffic is unencrypted. So if you have your zones and conduits set up and you have encryption requirements for that conduit, Armis Centrix can actually tell you that this conduit between these zones has unencrypted traffic going through when your policy says that traffic should always be encrypted. So putting all this together from a risk point of view, from a device point of view, from a network point of view, Armis Centrix actually can bring this all together into compliance dashboards, to help you understand where the gaps are in your compliance. Now in OT, the typical standard being used is IEC 62443. Armis can report on all of the different security controls that are in 62443, whether in different FRs, SRs, and so on, and actually align them back to the security levels as well. So a good example here is protection from malicious code, understanding is endpoint protection installed across the estate where it can be for your Windows devices in OT. But not just is it installed, but what is the gap? Right? Is it even configured? And as you just click in, you can see here, these are devices without it properly configured. So that's a very high-level quick demo of Armis Centrix for OT and IoT. I hope this has been helpful. Antonio, I'd like to hand it back over to you to see if there's been any questions during the demo.

Yes, Barry. We have actually a couple of questions from the audience. The first one is from someone working with a lot of legacy equipment in their network.
They're asking, could the Centrix solution impact the operation or uptime of older systems?

That's a great question. It's a pretty common concern about pulling any sort of additional solution into an OT network, especially on the ICS side, where, you know, if a machine is perfectly functioning and it's not broken and you want to change something, is there a potential to actually break it and have an effect on production? So the simple answer with Armis Centrix for OT and IoT is no. You won't break it by doing passive traffic inspection, because it's out of band. The passive traffic inspection gets a copy of traffic. It does not speak back onto the network, and it's only doing this analysis out of band. So it can't have an impact on those legacy devices. Now with the smart active queries, if you run some of those queries on devices where it's unsupported, then, yes, there could be an impact. So Armis would always recommend doing your passive traffic inspection first to build a profile, understand what those devices are, and then you can do the enrichment using the smart active queries. You have to understand that device first. So if that device is a 20-year-old controller, don't do your smart active queries. If that device is a quite recent PLC, which, you know, uses Step 7 and can handle that protocol without any issues, then sure, use that smart active query. So, from a legacy point of view, Armis will always recommend passive inspection first, just to understand what the state of devices looks like. Any other questions, Antonio?

Alright. Thank you. Yes. We have another question. The second one is, they mentioned that while they are focused on OT, their manufacturing setup also includes a significant number of IT assets supporting OT functions. The question is, is Centrix also geared to handle IT devices alongside OT?

Great question.
By its nature, Centrix does handle IT assets, because Centrix can cover all verticals: IT, OT, and health care. I do feel it's important to point out, though, that OT as a term does encompass a lot of IT type devices and IT type infrastructure that may not be part of an industrial control system. An industrial control system is made up of PLCs and controllers, sensors, actuators, SCADAs, workstations, and so on. But there is a lot of other supporting infrastructure that exists in a plant, whether it's a factory, could be a utility, could be a distribution center. All of those different types of environments will have a lot of supporting infrastructure that is actually IT type equipment, even if it's not managed by central IT. So Centrix actually does understand these devices. It profiles these devices. It understands the protocols that these devices use, but also understands the risks and vulnerabilities in these devices. So the answer to the question is yes. And as there are no more questions, I'll hand it back to you, Antonio.

Thank you, everybody. We are currently nearing the end of the session. I want to thank everyone for joining us today. Thank you, Barry, for your amazing presentation. For more information about Armis, please visit armis.com. Have a great day, everybody. Thank you.