Welcome to CXO Talk. I'm Michael Krigsman, and we're discussing how AI can protect operational technology and critical infrastructure. We're speaking with Anand Oswal from Palo Alto Networks.

Palo Alto Networks is a leading cybersecurity company in the world. Our mission is to make every day safer than the day before. At Palo Alto Networks, I'm the SVP and general manager of network security.

Anand, we're talking about operational technology, OT, and information technology, IT. Give us some background here.

We think of operational technology, think of factory floors, manufacturing facilities, think of utilities, oil and gas, mining. These environments have high-value assets, and there's a big difference between IT environments and OT environments. First, IT environments typically are usually always connected. OT environments are trying to get connected now, but they're also mission critical in nature. If an OT asset goes down, it can mean a big downtime for a factory floor, for a utility network, etcetera. At the same time, we're seeing over 70% of industrial organizations were victims of cyber attacks. Just in the last year, one in four organizations had to shut down their operations for a small amount of time.

Anand, there is a convergence between OT and IT systems. What's going on there?

As OT environments are getting more and more digitized, the IT and OT environments are converging so that you can have consistent visibility across the entire infrastructure. At the same time, you're seeing over 3/4 of all threats on OT networks originated from the IT side and then percolated on to the OT environments. You can have these two disjoint environments operate in silos forever. They're converging. Digitization is bringing all these things together. You want to have a consistent architecture across IT and OT with all the controls you want which are unique to OT. Now, digitization is an amazing thing. It brings new opportunities, new capabilities for these factory floors, for these manufacturing facilities, but also brings in an increased attack surface.

How does this increase the attack surface, as you just mentioned?

As you get more and more digitized, as more and more things get connected, the attack surface increases. In the past, these organizations were completely air-gapped or not connected to the outside world. As these are getting connected now, what's happening is that the attack surface increases. Also, these systems or the organizations have very legacy and complex systems, flat Layer 2 networks. Their assets have not been patched periodically. They are very old assets. The variety of different systems and stacks that have been used from the last one, two, three decades at times. So modernization was not possible. Patching of these assets is not happening very frequently, and now people are exploiting as these get connected.

Can you give us some examples of exposed OT critical infrastructure that's therefore open to attack?

Over 3/4 of these attacks originate from the IT side. So you have infiltrated into your IT systems and then you're going into your OT environments. And these could be things like remote code execution, command and control attacks, software exploits happening on specific old systems. A variety of different attacks are happening now. Not all attacks of course are happening from IT and going to OT. There are attacks happening on OT alone, but a large majority of them are initially happening on the IT side and then they move on to the OT environments.

OT systems do have unique attributes, as you were describing. What about traditional, conventional approaches to security, firewalls and so forth?

Securing the OT environments is a top, top priority. Most of the customers I talk to in the OT environments, whether the customers are in manufacturing, in utility, in oil and gas, in food production, etcetera, recognize the problem. They understand it's not easy because they have these legacy environments. They're complex, they're flat Layer 2 environments. Some of them are getting connected, and the connectivity varies. Some are getting connected in a traditional way, some are getting connected directly over 5G, bespoke. You want to give access to these factory floors and assets from outside. You want to ensure that you're giving them the least privileged access and they can only do what you want them to do. So all those environments are unique for OT environments. Now, the way to go about this holistically is on the principles of zero trust security. There's power through AI visibility. If you think of visibility, it's not about manually understanding what your assets are in the environment. It's next to impossible to do that because you have new assets. I want to be able to understand, through machine learning, what's the device, what's the type, what's the make, what's the model? What is it talking to? What is it not doing? What is it supposed to do, so I can baseline those things. Second, your rules for segmentation should also be machine learning powered or AI powered, because these rules may change and you have new devices coming on. Which devices have access to which group? What's the policies you set for them? They cannot be done manually. Look, the majority of breaches happen when things are configured manually. Once you do that, the third is, how do you secure all of the connections outside and coming from the outside world? That only happens through the power of what I call precision AI, a combination of machine learning, deep learning infused with large language models. Because the traditional approaches of security, which are based on a signature or a database, are not sufficient. Attackers are more and more sophisticated, so you cannot rely only on that. The only way to solve problems for the new world will be AI driven through your machine learning and deep learning models.

You mentioned precision AI to support security on OT devices and environments. Can you elaborate on that?

So if you think of a signature, it's like, you know, I had a given device or a person infected with a given threat. I understand what it is. I build a signature and then I give a content update on my network enforcement point so that nobody else is affected by the same threat that the first person was. In my view, that's reactive. It used to take us seven days to give a content update, then 24 hours and 8 hours, and sometimes now it's in a matter of minutes, but it's still reactive. If you want to stop new threats, threats that you've seen before, but also threats that you've never seen before, what I call day 0 threats, then you need to not depend only on the signatures and databases. You've got to look at things inline in real time. That happens with deep learning across both structured and unstructured data. We were able to understand what's going on and protect you from threats that you've never seen before. And that's the power of precision AI, where we're taking what we did with machine learning, we added these deep learning models, and we've infused that in the last two years with all the variation that we can get with large language models. So the combination of these three techniques is what we call precision AI.

And of course, you're dealing with threat actors who have become very sophisticated in the use of AI and machine learning on their side as well.

Cybersecurity is the only industry that has an active adversary. Our job is to be right every single time. The attacker's job is to be right once. And the amount of effort that we put into researching all of these various threats, models, new techniques in AI is to always stay ahead of the adversary, and that's what we do with precision AI. We are now stopping at Palo Alto Networks over 12 billion attacks every single day, and two and a half million of those are net new attacks that nobody has ever seen before. That's only possible because we have 4,400 machine learning and deep learning models running on the platform that are looking at these things inline in real time, protecting you from threats that you've seen in the past and threats that you've never seen before.

Now, many of these OT systems are in legacy environments. They're not patched; there are a whole host of issues. How do you manage that?

You need to have something where you can do what I call virtual patching, where you can build signatures of what you want, what is happening on the endpoints, and block them on the network side, because it's easier to patch it centrally, because it's hard to update these devices periodically, and in some cases it's not possible.

Why is virtual patching so important?

See, virtual patching helps us now solve the problem where I'm not able to patch my endpoints with the vulnerabilities and CVEs that I see, but I'm having a network solution to still make sure that I'm not affected by that situation. So I'm basically solving it more creatively.

These environments are mission critical and very often must run continuously. How can organizations integrate these kinds of solutions without causing disruption to their environment?

If you're using OT in a factory floor, you can't stop production in a factory floor. If you're using it in a utility or oil and gas environment, you can't stop what's happening with your utility and your oil and gas environment. So it's very important that you build your OT solutions keeping in mind high availability, keeping in mind how do you ensure that from an operational perspective they continue to run.

Remote access is critical for these kinds of environments. How do you enable remote access while providing security?

Over 50% of organizations today, Michael, are having technicians, contractors or employees access these high-value critical assets remotely. And for that, you want to make sure that, a, you're using the right privileges for what they have access to when they get access to the system. They are accessed ideally from a secure enterprise browser where you can do just-in-time recording, you can look at the activity, you can log all things that they are doing, because these are very critical assets. So you want to make sure that you are designing the solutions with least privilege of what the contractor, the employee, the technician accesses. But also ensure that you have a full audit log of every single activity done by the user.

Anand, you've mentioned zero trust several times. How does that come into play in this remote access scenario?

It is one of the most abused words in cybersecurity. You think of zero trust. It means no notion of implied trust. So I want to understand in this case who the device or the asset is. Is this something that I understand and it's assigned to my OT environment? Then you want to know who is this asset talking to, talking to systems inside the organization and talking to things in the outside world? Who can access these systems from the outside, for the example we talked about for remote access? And when you allow this connection, how do you ensure that this connection, whether it is from the asset to the outside world or the reverse, is monitored for all threats, vulnerabilities, command and control connections and so on, so forth? And four, how do you manage the entire life cycle of these assets? All this in construct helps us define zero trust for OT environments, where we have no notion of implied trust, we have least privilege access, and I'm monitoring every single connection and flow from the asset or to the asset.

I know factory floors and other OT environments are very harsh. There's humidity issues, there's temperature. How do you handle that aspect?

They are harsh environments. Sometimes these environments have vibration, temperature control, and you think of other OT environments, they could be outdoor, Michael, like your utility, your mining, your oil and gas, which could have to operate in temperatures which are very hot or really, really cold. So for those environments we have what we call ruggedized firewalls. These are network enforcement points which have all of the ability to withstand all the harsh environments, whether it's temperature, whether it is rain, whether it is vibration, whether it is sand, and so on and so forth. And these are enforcement points, or these are sensors on the network that help identify who the devices are on the environment, but also help protect from threats, command and control connections, software exploits, so on and so forth.

Anand, the regulations around cybersecurity reporting are evolving. Can you tell us about that? What's going on there?

Within 72 hours, if you are having an attack, you have to report that. For ransomware, you have 24 hours to report that. So these are environments that are happening, and this is quite broad. It affects a large sector of organizations, including OT environments, and that is what the rules and regulations are. The best thing that we are advising our customers is that make sure that you're building these systems which are highly secure so that you have the capability then to protect yourself from these threats.

Do you have advice on how organizations can maintain operational efficiency while maintaining compliance with these new regulations?

Most of these environments are highly regulated. Most of these environments have to do a lot of things around audits and trails and logs, and a lot of time is spent including on these audit log reports. What we do with our solution of OT security, in addition to the things I talked about, which is visibility, segmentation and policy control, zero trust access and security on an ongoing basis, we also help them automate all the audit information, because now we have full visibility into every individual asset in the organization. We know the make, the model, the version, the vulnerabilities associated with it, and we can now automate things such as report creation from an audit perspective and help them be more proactive in how you remediate these vulnerabilities, either by patching the endpoints, by having solutions like guided virtual patching, or support on the network enforcement point for security threats. So given the complexity around these OT environments and the ever-evolving nature of security threats, automation is the key. Automation and your security and your visibility need to be powered by AI. You cannot do these things manually.

AI and machine learning have been core themes you've touched on during our discussion. Why is it so important in these converged OT/IT environments?

We're talking of OT environments and IT environments merging. You're talking of two systems coming together. We're talking of complexity, of a variety of different things on the OT environment, many of them that can't be patched, many of them having vulnerabilities. And then you have to have all the segmentation rules and policies. All of this has to be powered through AI and machine learning. You've got to be able to have full visibility. You've got to do it on structured and unstructured data. You've got to have your segmentation rules and policies automatically created. But now, as these assets get connected, you have to use the power of machine learning, deep learning, LLMs, what we call precision AI, to secure every single connection across every single possible threat vector, with its command and control connections and software exploits and phishing attacks or malware or OT-specific threats. All of this needs to be done through the power of AI so you can stop and prevent both known as well as unknown threats in real time, reducing any of the downtime of the assets and having full life cycle manageability across the entire life cycle of the OT assets for the factory floor of the plant.

Anand, great talking with you. Thank you so much.

Michael, always a pleasure. Thank you so much.
