New generation centralized cyber intelligence collection and cyber security analysis in OT and IT critical infrastructures.

Coşkunoz Holding Success Story



And now I would like to invite OTD Bilişim CTO Mr. Eray Atlas and Coşkunöz Group IT Systems Service Manager Mr. Vedat Davarcıoğlu. Welcome. Hello. You look gorgeous. They will make presentations on new generation central cyber intelligence collection and cyber security analysis in IT & OT critical infrastructures. Which is quite difficult, so I wish you good luck. The floor is yours. Let me also give you this. Okay...  

Hi, my name is Eray Atlas. I'm the CTO of OTD Bilişim. Today I welcome you to our panel on the success story of our new generation centralized cyber intelligence collection solution and cyber security analysis in ICS, OT and IT critical infrastructures. Mr. Vedat, welcome. Coşkunöz Group's IT Systems Service Manager is also with us today. Thank you, and welcome again. Our presentation will consist of two parts. In the first part, I will briefly talk about Garland Technology and the SCADAfence solution. There will be videos playing in the background. In the second part, Mr. Vedat will tell us about the before and after of the OT security project we carried out at Coşkunöz Group, as well as the experience we gained during the project and its success outcomes. In this sense, Garland Technology is a global manufacturer that provides visibility in IT and OT critical infrastructures and works to collect traffic and achieve visibility at important points in critical infrastructures. It offers services with over 100 sales companies worldwide. As OTD Bilişim, we work as an authorized distributor in Turkey. In this sense, Garland Technology is actually a packet capture and analysis solution for sensitive traffic that we previously did not know about and could not see in critical IT infrastructures such as industrial control systems. It's a visibility technology. Your OT traffic on that side consists of significant traffic patterns. It is very important to monitor these systems, which used to be closed for years. A solution was needed to achieve visibility in this traffic and these infrastructures, which were enriched with IoT in Industry 4.0. We take the traffic out using a simple mirroring technology provided by TAP solutions at these points where we cannot monitor or use switches. By sending the traffic patterns from here to higher level network packet brokers, we provide enriched cyber intelligence to some of the security and monitoring devices that you already use.

 


In fact, we are a TAP solution manufacturer that allows you to carry out faster in-depth packet analyses without interrupting any traffic or disrupting workflows at points where you could not get traffic patterns from the field before. As a global manufacturer, we boast over 3000 customers around the world. We have another important aspect in this sense: it is necessary to avoid creating security vulnerabilities while monitoring this traffic. Because it aims to take out some traffic and spam from the switches in the network. When you consider that there is a two-way flow of traffic, some reverse traffic may come through such security devices if they are somehow captured.

We take this into account to provide a secure packet visibility service by improving the data diode logic in our diode solutions and TAP solutions. Our TAP solutions have diverse portfolios in terms of seeing both your private cloud-based and on-premise traffic patterns, as well as your practical traffic in level 0, level 1 and level 2 infrastructures in your OT traffic, suitable for all kinds of speeds and all kinds of media. We have virtual TAPs. You can capture your horizontal networks with these virtual TAPs. You achieve 100% visibility without losing any packets. Because we say that visibility comes first, with the motto "you can't secure what you can't see". Once you achieve visibility, you can feed those devices based on the desired traffic pattern by sending the traffic simultaneously to your IDS solutions and different security solutions. In doing so, you start to enrich your cyber intelligence network. And after we achieve visibility, our skills become even more useful. In this sense, we need to carry out an analysis after collecting the traffic from the field. We carry out this cyber intelligence analysis with SCADAfence. SCADAfence is defined as a cybersecurity platform. You can monitor your critical traffic in both OT and IT infrastructures in real time on the SCADAfence platform. You can get real-time cyber intelligence to examine your traffic in detail in real time. We first take your inventory there. Once we have your inventory, we start to show you the risks. These risks can be very diverse. You have the chance to see your immediate risks as well as the ability to make these risks more visible in the future through constant monitoring. Just like we use physical camera systems everywhere to monitor our facilities 24/7, we also use TAP solutions like cameras to monitor our OT networks or IT critical infrastructure traffic, transferring these solutions to the IDS systems up above. So you can monitor them in real time 24/7.
We don't interrupt anything, we don't have that ability. Because in such critical environments, you cannot clearly understand whether the traffic pattern there is an actual suspicious activity without going into the details of the process chain. For this reason, we use advanced algorithms to evaluate this traffic in real time and score the risk. You make a decision based on these risk patterns, and your relevant security devices start to integrate these rules and start carrying out interruptions. We started to use both SCADAfence and Garland technologies in an integrated way in our projects. We have carried out great projects this way since 2018. We carried out our first project with VESTEL. We carried out another project with the Coşkunöz Group after VESTEL. Today, Mr. Vedat will share the outputs of this project with us. Mr. Vedat, welcome again. I'll sit here and we can start the second part.

Can you tell us a little about your position and your company? Hello, I'm Vedat Davarcıoğlu. I have been working at the Coşkunöz Group for many years. The Coşkunöz Group is a company established in Bursa over 70 years ago. It has companies mostly in the production industries, and is currently offering services in 7 sectors with 12 companies and 3000 employees. For the last 5 years, I have been working at CITS, the group's technology and information technology company. My duty is to undertake system and service management. We have IT infrastructures as well as an R&D center. We develop solutions and carry out projects on digital transformation, especially for industrial organizations. We try to add value to the IT sector and our own group this way.

Okay, Mr. Vedat, let's move on to the second question. In the industry 4.0 digitalization process, you considered the problems and risks in your OT and IT critical infrastructures and reached out to SCADAfence and Garland Technology. What problems has SCADAfence focused on in your company? What problem has Garland focused on in your company?


As an IT manager, we can manage and monitor our data centers, cloud environments and user networks end-to-end. We plan them. Cyber security is challenging on the IT side as well. It is getting harder every year. We can only manage it end-to-end. Or we have backup solutions for when there is an incident. We have occupational safety solutions. We have redundancy. This makes us confident. But when we look at the OT side, there's a different picture and it's much scarier. We had a strategy in the past, and it worked until a certain point. What was it? Separate OT and IT with a firewall, set very strict rules, and carry out segmentation. Segment the OT networks. Thereby reducing risks. But then, what happened? Needs for integration increased. Let's externally access these OT devices or integrate them with ERP. Let's add new sensors there, collect data, create our Big Data infrastructure. Let's turn to different projects. Managers should be able to connect to their own equipment for maintenance. Demands such as these gradually led to a necessity to loosen these rules. This led to an increase in the risks. Some IT managers ask us: We did not install or manage the equipment in the OT networks, but are we responsible for it? And here's how I respond: Who will they call when there's a cyber incident? Is there anyone else? No. Then, you have to be responsible. This may be considered unjust, but it is reality, unfortunately. Therefore, the priority is to determine a strategy for looking at the OT side and to determine the roles and responsibilities here. Yes, there are different vendors here. There are hundreds of network devices in our network on the IT side, and you only see two brands there. However, when you look at the OT side, we identified 8-10 different brands of industrial switches in only one of our facilities. But we didn't even know that before, because it wasn't in our inventory. There was no visibility. You have to monitor it before you can manage it.
We couldn't provide that. We thought about how we could achieve that. Coşkunöz Group started a visionary digital transformation movement called Code 2025 in all its facilities and companies. The projects that will create value here are mostly in the fields of production. What does this mean? More IoT devices, more integration, more traffic. So, the volume of traffic was also low in the past. While industrial traffic did not take up a lot of space, bringing together a large amount of data to make sense of it with correlation is now very important for data analytics. How will we achieve that? Sometimes even video footage means a lot in production. Being able to stream videos online also required improvement in a new infrastructure. So we made progress in this regard as well. But on the cyber security side, we first met SCADAfence. SCADAfence especially helped us with discovering the OT network. Then Garland somehow got involved in the project.


Actually, can we say that Garland Technology got involved as follows? You will experience difficulties when you want to go further down after receiving the TCP/IP communications in Level 3 and Level 2 via the switch. This is not a network that we can manage normally. Garland is the right choice because it is an environment with very different protocols at work. In previous years, these industrial protocols were outside of our initiative in terms of management. We only met the support needs of our friends at OT. That is the truth, too. There are cyber threats here. They also have vulnerabilities. The whole thing becomes even bigger and more serious as we explore these. In this sense, with Garland, we see topologies in lower-level devices, we see different protocols. It also made it possible for us to monitor them horizontally. The L2 network is very wide in this sense. Not all traffic is beneficial in factory automation. In fact, in order to catch up with the traffic patterns here...

Exactly. Sometimes, a file that is transferred via USB for a specific piece of equipment. We even noticed this in a facility: A company left a GSM router for maintenance. They did not let anybody know about it. When we question what it is, they may tell us that they were not aware that it may be a backdoor or a security risk. Another problem is that it is more difficult to update the OT network. Sometimes when you want to upgrade an operating system, you need tens of thousands of dollars worth of software upgrades on top of a few thousand dollars worth of hardware investments. You may run into these issues. Sometimes it is possible, sometimes it is not. How are you going to live with those risks, then? You can live with them by observing, monitoring and taking timely measures.


Okay, Mr. Vedat, I have one more question. How many of your facilities does your project cover? What preparations have you made in this sense? You mentioned them earlier, but let's hear them again. And finally, how many years have you been collaborating with SCADAfence and Garland?

We activated our project simultaneously in 6 of our facilities: 4 in Bursa, 1 in Eskişehir, and 1 in Russia. This actually required a process. We can manage all of them centrally. Of course, when we look at these processes, our achievement in the first day was this: What's really going on in the world of OT? We acquired the online inventory of this equipment and were able to monitor vertical traffic immediately. Then, by deploying Garland products, we gradually achieved lower levels of horizontal monitorability. 



Can we complete it with this sentence? You achieved your goal by making the blind spots in Coşkunöz Group facilities more clear, using real-time detections, seeing your traffic patterns clearly, and using this product on both the IT and the OT sides. At the end of the day, you manage these locations centrally, collect cyber intelligence, and significantly increase proactivity by monitoring in real time with SCADAfence. Can we say that?

Absolutely. In fact, if we didn't have this kind of product, it could have taken us even years to discover it. Moreover, you constantly have an online inventory of CVSS codes and vulnerabilities, or an artificial intelligence algorithm monitors you for a certain period of time and extracts a baseline of the normal operation in production, and then informs you immediately in case it detects any anomalies. This is a very important feature. Because incidents on the OT side can be much more harmful. Imagine a CNC machine. It's an investment of millions of lira. When the software inside an embedded device is kicked, it can halt production for days, and if you are carrying out mass production... As you know, we are a big name in the automotive industry. Our contracts include very severe sanctions for stopping a line. We have to take the necessary precautions to prevent that from happening. But since the structure in OT networks is not redundant, SCADAfence and Garland have helped us provide a strong cyber security solution.
