Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey, everybody. Welcome to Episode 61. This week, it is myself, Michael, with Sarah and Mark. Gladys is still taking a little bit of time off. We also have a guest this week. We have Elizabeth Stevens.
She is a director of Cyber Risk Intel within our Cloud Operations Innovation Team, and she's here to talk to us about operational technology or OT security. But before we get to Elizabeth, let's take a quick lap around the news. Mark, why don't you kick things off? I've been trying something a little bit different out lately, and as I'm developing new slides for some of our architecture design session workshops, I'm actually posting them on LinkedIn and Twitter to get people's feedback.
It's been actually pretty helpful in getting a lot of feedback on them, focused on patch management right now. We'll pop a couple of links into the show notes so you can check those out. Just figuring out what the right model looks like that works across IT, OT, IoT, etc. And the strategy that you can put a policy behind. Some of the anti-patterns and the anti-patterns are the opposite of best practices. And so some of the common mistakes that we see organizations make.
So yeah, feel free to check those out and I'd love to get your feedback. A couple of bits of news from me. Hopefully everyone can understand my voice. I'm still a little bit hoarse from coming back from Hacker Summer Camp. So firstly, we've announced in public preview that for AKS, or Azure Kubernetes Service, you can now use a confidential VM node pool. So what that means is that we're actually supporting using basically confidential computing in AKS.
So if you've got some really super secret squirrel important things that need to have a protected memory space, you should go and check that out. And next up another AKS thing. AKS is now supporting key management system or KMS, plug-in integration. So that means that you can do encryption at rest of your Kubernetes data using Key Vault. So of course that's important. So we store our secrets. Of course you can bring your own key.
So again, another one to have a look at if you're using AKS. Another thing we've just announced is that Azure Firewall Premium is now ICSA Labs certified. So that is in addition to some of the other firewall certifications that we've got. That is actually specifically for our IPS, our intrusion prevention system. So of course if that's something that you need, maybe for your regulatory requirements or just something that it's good to know that we've got certified in, you can also go check that out.
And then one other piece of news that is from a part of the world that I love, and Michael, I know you do too. We've also announced, we're always announcing new regions as you, as everybody knows, new data center regions. But in New Zealand, we have announced that our new data center region in New Zealand is going to be basically carbon neutral. So the whole data center region will be 100% powered by carbon free energy from the point that we open it. I think that's really cool.
And I'm sure you know, if you look at Microsoft's sustainability things, we're always trying to make everything we do as sustainable as possible. But it's really cool to see that a brand new data center is going to be completely carbon free from the word go. And then last but not least, in Application Gateway, we've just opened our public preview for TLS 1.3 support. So of course, as we know, we're always moving up our TLS version numbers.
And of course, using TLS 1.3 is preferable if you are able to. And so go check that out as well. That's me done with my news for today. I can't believe you stole that TLS 1.3 news item from me. I'm sorry. You know, that's my thing. Anyway, that's really huge to see though. SSL 2, SSL 3, TLS 1.0, 1.1 are well and truly relegated to the mists of history. TLS 1.2 is generally the default across the whole of Azure. So it's good to see us adding TLS 1.3 in there as well.
And no doubt over time, we will see even more instances where TLS 1.3 will be selectable, especially for PaaS services like Azure SQL DB or Azure Functions and so on. So that's really good to see. And also really happy to see AKS using confidential VM node pools using the new AMD VM images. So Sarah said protected images or protected memory. Remember, it goes beyond that, right? It goes way beyond that. It's not just protected memory.
It's encrypted and there are tamper detection controls on there using HMAC. And the keys are actually managed by the CPU. They're actually not managed by Azure at all. So they're designed in such a way that we assume, basically, we don't trust anything outside of the VM. So the trusted execution environment is actually the entire VM's memory space. And anything outside of that, we do not trust. And that includes Azure. We don't trust Azure admins or the Azure environment.
So this is really, really great to see. And you'll see more of this over the coming months as well as we add more support for this. Other news items. We talked about this a couple of weeks ago. Windows authentication for Azure AD principals for SQL Managed Instance is now generally available. We talked to Sravani about this a few weeks ago. So that is now GA. And she actually did a fantastic job of explaining how it all hangs together.
Also in GA, and this really caught my eye, generally available now is network security group support for private endpoints. When we first released private endpoints, they had neither network security group support nor user defined routes. So both of those are now available in general availability. In public preview, Microsoft Azure Load Testing now supports private endpoints. I know I've mentioned this multiple times in various podcasts.
I said, hey, you're going to see more and more support over the years for better support for private endpoints. And this is just another example. It's not just a service adopting private endpoints. It's also other services being able to take advantage of services that are using private endpoints. So this is another good thing that's great to see. And I was going to finish off with the TLS 1.3 support thing, but I guess Sarah stole that from me.
So with that, that's the news out the way. All right. Let's turn our attention to our guest. This week it is Elizabeth Stevens and she's here to talk to us about basically OT security, so operational technology security. Elizabeth, thank you for joining us this week. Would you care to take a moment and just sort of explain what you do? My name is Elizabeth Stevens. And as you said before, I am a director of cyber risk intelligence for Microsoft.
Our mission is to provide seamless, actionable and timely data center risk information that's integrated into the data center design and operational planning across all of our operations. We do this because of the current threat and the current escalation of threat. So from the, so I mean, it sounds like we're seeing not just the sophisticated nation states that are actually crossing that IoT, excuse me, the IT/OT and probably IoT as well, environment lines kind of with ease over IP networks.
It sounds like it's really spreading to all of the different criminal gangs and activists and whatnot as well. Would that be correct? Well, we've seen the criminals and criminal organizations leverage the path of least resistance into any organization. They exploit the suppliers as we saw last year. They exploit embedded devices. They've even exploited physical security.
Typically all of those things fall outside of, you know, what would be considered traditional security, but now as we move into the information age or we propel ourselves through the information age, all of those things are critical vulnerabilities that we need to think about.
Like more recently, we've seen some of the cyber criminals continue to improve the sophistication of their attacks, exponentially adopting capabilities and tactics and techniques that the nation state actors are using as well.
The problem for us is if we have a strong front, if we defend in the way that we are with our Azure tools and the Mark Simos architectures and the way that we're sharing the information across the globe, which is truly the right way to do it, then what's left is the area of operational technology, the area that traditionally IT has not needed to protect because it wasn't really a high value target.
Now as we continue to shift to the cloud, as the world continues to shift to the cloud, new customers are looking to Microsoft and to Azure service offerings, which means all of the little pieces that make up and the components that make up our tech organizations, the government organizations, even the defense contractors and our equipment manufacturers, as well as operators and integrators, all of those things are now becoming connected
and in a way that doesn't traditionally align to the best practices nor the capabilities of our IT systems. So you have the advanced adversaries that are targeting both cloud customers to steal money data, IP, and then you have those same adversaries, those same threat vectors, trying to figure out ways to exploit the low tech OT in this case areas in order to do the exact same thing. You can break into secure networks and systems from any number of different things.
We've seen that in the past and we're seeing it now in current state. And so whether it's the adversarial or even criminal organizations using persistence and aggressively monitoring systems and networks for the smallest opening or if it's the nation-state attackers or advanced persistent threat, those sophisticated attacks come even through our targeting, even our suppliers to gain access to the areas of our infrastructure and the world's infrastructure to complete their missions.
They're not just looking at us to attack us. They're looking at all of the connected tissue that aligns to both our customers, our suppliers, and any open door to include the insider threat to access those high value targets and the high value resources. So I got a question for you. Say I'm an IT security professional and I've been protecting IT networks and patching and firewalls and learning the cloud and all the cool tools there and all that kind of stuff.
What are the things as I am looking at this OT space that I need to do or not do to make sure that I'm doing it right? Because I know OT is different, but I don't know how. So how would you explain that to someone like that? Part of the concern in the industry is that cybersecurity has long been championed by our developers, our software designers, the people that have been architecting information technology systems for decades.
Operational technology is built in sometimes systems that are 20 to 30 years old. These systems have been around for a very long time. They are excuse the phrase dumb devices in a lot of different ways. And then to complicate things, we're adding on pieces of information technology that allow these dumb systems to be monitored and controlled.
A lot of what I would say if you're thinking from an architectural safety or even a zero trust perspective is don't treat the OT systems as if they are new and there's no way to protect them because there have been no attacks or there's been no information on them. Think about them as an IT component or an IT system that you just don't have the expertise on.
So the key from a perspective of an OT professional being asked, how do you treat an OT system in a way that allows for you to do the same thing you would do for an IT system? The value and the truth about it is, is recognize that OT system protection aligns to the same best practices that IT system protection does as well. You want to ensure that you segment as much as you can. You want to protect the crown jewels.
You want to make sure that you look at the type of, both the type of organizations, so whether they're national, organizational or individual, both from a perspective of who the threat is as well as what you're trying to protect. And then go through the list of the type of impacts just as if you were doing an attack vector or a kill chain, talk about the harm to operations, the harm to the assets, the harm to the individual.
And never, ever, ever think because you've protected something with a firewall that there is not a physical and what I say is a logical way to attack it. And remember, just because you need to see, monitor or control an OT asset, your piece of equipment that you're connecting to that component may very well be the attack vector that is the easiest way for the entire organization to be exploited. So treat the entire system and this is the key, right?
No one has the right answers to anything, right? Everyone has a lot of answers and everyone's trying to do their best. But the benefit of being here at Microsoft is that I get to work with Mark Simos and Sarah and Michael. And what that means is I get to bring my expertise and go, hey, do you know that that thing that you're calling a little black box can take down an entire data system?
And you would go, oh, so putting that sensor there that's connected to an IP that's broadcasting so that someone can remote access may be a bad idea. And as long as we remember, and this is what we're doing across the industry, you've got OT professionals talking to IT professionals all under the umbrella of cybersecurity and cyber defense. You've got Microsoft talking to partners to include lessors.
So our leased data center partners, our utility partners and CISA and our partners overseas in Australia. The key is shared data, shared information and talking about all of these things at the level of not just let's talk about the MITRE ATT&CK framework. Let's not just talk about the NIST standards. We need to bring all of the competencies together in a way that allows for us to talk to each other and say, hey, this is my area of expertise. This is what that box does.
We can't protect it that way. And here's why. And then allow for our IT partners or OT partners in this case or utility partners to say, hey, that doesn't work for us because it affects our customers, our data or organizational capabilities. The truth is, we learned all of this because we've gone to the cloud. We've learned all of this from the way that we operate in and around Azure and our other partners. That's what we need to do. We have to remember that the pieces are all there.
And I know I'm a Marine. And so if you put something in front of me, I'm either going to go through it or over it or blow it up. But again, this is the hill that we've got to take. And if you don't think you've already been compromised by now, then you might want to get a new job. Did that answer the question, Mark? I think so.
I mean, the big things I got from there is that it's universally the same principles, even though the implementation, whether or not you can patch a system might be different. And then just relationship and learning and mutual respect and asking questions, it seems to be a really key thing, that partnership element. I think it absolutely is.
When we're talking about your area of expertise, the domains, when we're talking about zero trust, when we're talking about what a CISO needs to do, it all comes down to understanding how the system's pieces and components operate together. And so if you know a thing, because there are so many smart people out there, it's absolutely essential that you leverage what you know, but also recognize what you don't know.
So from certain areas, like if we talk about the critical infrastructure bill in the US or the critical infrastructure bill in Australia, there's some specific components and specific guiding principles that we all align to, we define what our critical infrastructure is. And in some of our terms, that's the crown jewels, right? And so what's the difference between the crown jewels that we pick and the crown jewels that someone else might pick? There's very little difference.
We have, at some point, we had 10. Australia now started with six and now has 14. They all outline and define domains that we should be paying attention to. Some of those domains happen to be things that are very IT specific. They may sound familiar to you.
If I were to list them off, and you know I hate doing this, but if I were to list off some of the top level cybersecurity domains, these may not sound like OT to you, but access control, program management, awareness and training, security assessment and authorization, situational awareness, risk assessments, incident response, media protection, physical and environmental protection, supply chain risk management. Now that all sounds exactly, oh, don't forget PII, processing and transparency.
That's a familiar list. So I would like to say that that's, hey, that's the cybersecurity domains, but guess what? Those are all on the OT cybersecurity domains list as well.
So I think a big part of what's going to be facing outside of the threat itself, all of our organizations in the future, and a thing that I'm proud to be a part of Microsoft about, is the fact that people are going to say, like they often do when a new threat arises, we don't know what to do here because there's no past history.
And the truth is, everything that we've done from a tactical perspective, from a strategic perspective and even down to how we develop our software and how we produce our products, is the right way to also protect our OT assets.
And now, as we push forward and enable the entire world to have connectivity, or to even be able to control their systems that don't traditionally align to the things that we would consider IT because they're not; they're OT: they're environmental protection systems, they're building automation systems, and in some cases, they're analog dials that open or close water. And let's not even forget the fact that cameras are now considered OT in many different places. Can you patch them? Don't know.
We're going to try to. How do you access them? Don't know. We're going to try to. But the fact is, on one level, either you're accessing them physically with physical resources, which means your threat is insider threat or access threats, which we're good at stopping and we're good at educating about, or they're remote threats, which means they fall very squarely into the space of, yes, IT cybersecurity. So our power is combined just like Voltron. We can make this happen.
We just got to remember that we're all in the same team. Yeah. And I know the culture is often different at different organizations between the OT teams that are used to pretty much running on their own, working with the factory folks that, you know, uptime and availability are the number one requirement, whereas in the IT world, the security folks tend to be more biased towards confidentiality with integrity and availability, of course, being in the triad.
And so, you know, we tend to see some different cultures, different thinking that I've seen as these teams come together need to sort of, you know, kind of harmonize a little bit. Love to kind of hear your thoughts on that as well. Oh, I think it's my favorite thing to say, but I'll try to steer clear of the Marine Corps language, which is full of expletives. Obviously, the first thing we need to do is share a common language.
I believe we all have the same mission, whether it's like I said, to protect life, critical infrastructure, facilities and resources, or to protect life or to protect revenue. What we need to do is, one, align on the mission that we're protecting whatever our crown jewels are, whatever our best resources are, in my case, it's the people from those threat actors. And if we align on the language, post aligning on the mission, then everything else will fall away.
So, instead of using IT specific language and talking about your firewalls as if everyone knows what they are, or TLS, or SSL, or SQL, or whatever we want to talk about, even saying PII is problematic at this point for those that are in the military and those that are not. So, in the language, we align on what we consider our top domains, which we already are in silos.
And then we start acting as a single system instead of compartmentalized pieces of the system who could potentially be working against each other. And that's where the synergies will be. That's why we work together with our partners. That's why we share the information. I mean, the CISO workshop that you guys delivered and are publicizing right now is a perfectly good example.
Even on our side of the fence in CloudOps and innovation, we're running sessions with our top lessors from the data centers to have conferences about what their biggest issues are and what we think we can do together to figure those things out. Whether it's about the things that need to be defined, like for a factory, a factory in this case for me would be a data center or the pieces that make it up.
Whether we're using CMMI maturity levels or a different type of maturity level, we're still going to conduct the assessment, which means identify our threats and the sources and the events, identify our shared vulnerabilities, figure out the likelihood, obviously figuring out the risk and the easiest targets for our enemies, and then figure out what those impacts are and then share across the teams to decide where we've protected the best, the right
responder for the right event, and make the right decisions at the right level with the right resources. That's what we're trying to do. One of my favorite expressions increasingly is security is a team sport. I mean, without all of us winning, none of us win. I feel like we've been in conversations before. I guess my question, Elizabeth, is, I mean, we've talked about a million things there.
Yeah, as you said, we may have had this conversation before, but what would you say to some, because a lot of the people who listen to the podcast will be coming more security from an IT perspective, what would you want those people to know who may have not had much exposure to OT security? What would you want them to know and consider? Maybe where can they go to learn some more?
Because I know that the first time I talked to you about OT security, I was like, wow, there's a whole load of stuff that I did not think about and have an awareness of. It definitely made me want to go and learn some more in my own time. I would suggest, so there's so many different places. Some of the frameworks, some of the frameworks like consequence-driven cyber-informed engineering, which were IT, that's a great start. I would go to the NIST standards, go to CISA.
There's a lot of good education coming out there. Check out some of the Azure podcasts, as that's some of the things that are happening right now. The national, from the US perspective, the National Safety and Transportation Board has partnered with Microsoft to talk through some of the huge issues that the entire industry is looking at.
A lot of the work and a lot of the safety places, the places that will be a strength, like pivotal for us, they're going to be places like OSHA, so Occupational Safety and Health Association, or MITRE. MITRE has their new MITRE ATT&CK framework for IoT devices. A lot of the information is there if you're thinking about what is OT, what is operational technology. If you work for an organization or a company that builds software, go to your data center operators.
Go to the people that build the foundation on which your cloud operates. For the developers, if they're the muscle for our critical business units and the future of how we enable the world to do the work, talk to the people that, yes, may have used to be server huggers that understand the backbone of how a data center or the building or that component is built. For me, talk to your environmental protection people. Talk to your electrical engineers. Talk to your building automation systems engineers.
Talk to your data center construction engineers. These are the people that will be able to tell you what the components are almost literally from memory because they've been here for 20 to 30 years while you guys are treatment about code and in the matrix out there moving rocks and bricks to make things happen. You can also reach out to some of the people, like a large component of this information does in fact come from open source defense areas.
If you know someone that flies an airplane, you all three might know someone that flies an airplane. This is key. This type of protection is key. Operational risk management out of the Naval Safety Organization covers a lot of this as well as some of the supply chains. So if you go Lean Six Sigma or you go into areas such as the NIST framework, you'll see a large amount of content that's there just for you to learn.
Even CISA has started putting out shorts on what exactly is OT and what exactly does it mean in the new cyber arena where there are advanced persistent threats and this is now your lowest hanging fruit, although it may be one of your most critical assets. The other key is if you don't go to NIST or you don't want to go to MITRE or you don't want to talk to your server hugger and OT operator types, the guide to industrial control systems and security is pretty good.
But what you could also try to do is sit down with your threats, so your physical threat intelligence teams, and they can walk you through the literal physical pieces and touchpoints around all of the data centers and all of your key physical space, so logical space, that will allow you to understand where all of these pieces touch. So I wanted to say out loud, look at the Purdue model, but that doesn't translate to anybody other than me and a bunch of OT geeks.
But the truth is what you need to do is go to a table, get in a room with all of the people you know, your operational people, your tech people, the people that are supposed to be enabling and empowering these assets, and do a tabletop exercise, literally war game it. And do an operational simulation on insider threat with a USB. Now most of the IT people will be like, that's boring, we know not to do that.
But once you see how far you can get with a single USB or hey, you want to patch all the time, you want to get your patches done, how are you going to do that in a hybrid workplace kind of space? Yeah, we should just throw a device on the network that will connect to the OT environment. But what does that mean?
That means you just opened up, literally opened up access to services like generators, doors, ACs, which could very well be the difference between someone going home in the afternoon and not. So those are the kind of things that I would say do. I mean, we consider from an OT perspective, you consider like denial of service, and I say that to you, but like denial of service for an OT system could mean that you can't turn off a heater.
You can't turn off a water flow, which means someone trapped in a compartment may not be able to get out of there. Operations subversion, which is exactly the same thing, sounds like what it means to me is what it means to you. You can't disengage, something that needs to be disengaged.
Tampering is the same, manipulation is the same, and then safety can take on so many different angles, all of which could just be the difference between a bad day because of our availability zones or a bad day because an entire data center just got destroyed because something exploded that wasn't supposed to explode. That's how serious we are. It's not just a digital space where we're talking about revenue. It's literally in the OT space.
We are talking about physical spaces that affect not just people's lives, but entire infrastructures, entire ecosystems. On a slightly lighter note, I can definitely tell that you are a Marine because you talk about things that are supposed to explode, which is pretty much nothing in the IT space. I guess it depends on how you look at it, right? Yeah, I've never heard someone say something exploded that wasn't supposed to explode. That's one for the podcast, I'll tell you that.
I think part of the reason that I'm here is because of people like you. If it wasn't a welcome space to be in, if we all didn't want to defend in the same space, Marines like me would be stuck behind closets somewhere so no one would actually let us out of our boxes. Mark, going deeper, part of what I'm saying is we have to understand our equipment and the capabilities to understand the attack surface area. I know that you work in this area at Microsoft.
What are some of the capabilities, not necessarily OT, that Microsoft have to enable and empower the OT space? Yeah, so there's a couple of things that we've got in that space. One of the ones I think you alluded to earlier is that external attack surface management, which is very much taking an outside in, like what do you look like from the internet as an environment, your IT, your OT, et cetera, environment? And taking a look at that and what does that risk look like?
What is an attacker's eye view of your assets? And so we recently announced Microsoft Defender Threat Intelligence, which is a pretty slick capability. It's based on our acquisition of RiskIQ. And then the other piece that we have for the OT environments that organizations can look at is from our CyberX acquisition about a year and a half, two years ago, if I recall correctly, Defender for IoT.
And that basically really is built for the OT environment as an XDR capability there, passive network scanning. And this is a word to the wise, don't ever do active scanning in OT. For those IT people that are used to that, it will take systems down. And sometimes they are 200 yards up in the air, up a long, cold, lonely ladder, and 200 miles away from the nearest IT support facility. In a windmill or something like that. So very, very important to always be passive on those networks.
And that's exactly how the Defender for IoT piece is built and has threat detection, inventory detection, et cetera, in OT environments. So those are the two main ones that pop into my head for OT. Let's bring this podcast to a close. Elizabeth, so one thing we always ask our guests is if you had one final thought to leave our listeners with, what would it be?
So I would say whether you're IT or OT or a business decision maker, now is the time for us to band together as a committed group of professionals to figure out the best, fastest way to defeat our shared enemy. And that enemy doesn't care whether we're American, Australian, IBM, Microsoft, or Google, they're coming for us. We have the ability to make a difference. We need to do it together. Take the investment. Well, thanks, Elizabeth. And thank you so much for joining us this week.
I'll be honest with you. This was one of those examples where I learned a lot of stuff I didn't know I didn't know. So that's always a good thing. So again, thank you so much for joining us. And to our listeners out there, thank you also for joining us this week. We hope you found this episode useful. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net.
If you have any questions, please find us on Twitter at azuresecpod. Background music is from ccmixter.com and licensed under the Creative Commons license.