The Machine Monitoring Mandate

Welcome to this Capol webinar. The topic is mandating or what the machine monitoring mandate that we are now experiencing in many geographies, particularly in Germany. My name is Graham Williamson. I'm a Analyst with CAPA Cole and I have with me today, max runner from clarity. He's the regional director for the dash and central Eastern European countries. And today what we want to talk about is the vast changes that are happening in the operational technology sphere, particularly in the area of regulation that certain countries are commencing to, to put in place.

Now for this particular webinar, I just wanted to go through just a couple of slides to make you aware of upcoming events in the calendar for KuppingerCole. If you've not been to a Casey live experience, please avail yourself of that each month. There's a Casey live. It's a non it's, a virtual activity, and it's it looks at and analyzes the particular question. We want to go into a little bit deeper question in those topics. So those topics are interest to you. Please connect to Casey live. We also have coming up next month, the European identity in cloud conference.

This is the first time it's moved to Berlin and I, for one, I'm very looking very much looking forward to that activity because it's an activity that allows us to go again into a little bit more depth in identity and access management, particularly issues relating to the cloud. So if you can be there, please, please be there. In terms of the webinar, we are muted. Unfortunately, there's too many participants for us to, to participate in, in audibly, but we do want your participation.

So we have some poll questions, two poll questions that we'll ask during the webinar, because that gives us an opportunity to understand the audience and to tailor our presentation to the audience requirement.

And then we have a question and answer session where we would really like your questions because the, the questions really help us to know that we, we have indeed, we are looking to cover, we have covered the topics that you're interested in gives you the opportunity to answer the specific questions you have in regard to, to our topic today, the, the webinars being recorded and it will be made available to you as well as the, the slide deck. So we'll start right off with a whole question, cause this is integral to our understanding of the participation at, at this event.

First question then is, are you already doing operational technology monitoring? So are you an organization that's possibly had an environment in place for, for some years? So I typically working with a mature technology or are you relatively new to this space and you are probably dealing primarily with IOT devices or are you you've tuned in for interest. You're not doing the, any OT activity or much OT at the minute. You're primarily it focused. So if you could just answer one of those three, that'll really help us understand the audience participation today. Okay. Okay.

We'll come back to that later on in the webinar, let's proceed then with the agenda. So I'm going to, to commence the webinar with an introduction to the operational technology space. This is to bring everybody up to a common understanding of what we're talking about here. And then I'm going to turn over to max and he's going to talk specifically about clarity's solution in this space. So by the end of the webinar, you'll have a very good understanding of the things that are are happening and a solution to the issues that, that arise.

And then at the end, we have a Q and a, and we do hope that you will participate and give you your specific questions for your environment that you'd like to ask. Okay, let's look then at the major trends now that are impacting the operational technology area and the things that we've gotta be ready for the first off is the growth rate. The growth rate in operational technology deployments is going through the roof. It's accelerating. And there's several reasons for that. The ability to, to monitor things has, has really gone ahead in the last little while.

We're seeing the functionality of the devices that are available to us being very powerful. We're also seeing costs coming down. So those things that weren't, weren't economically viable just a while ago now probably are. So you should be continually monitoring what, what you can be doing and, and taking, available, making, taking board those opportunities that, that are come available to you. Then there's the cybersecurity and those what the core of what we're talking about today.

If we have an operational technology environment, how do we protect and what are the sorts of things that we should be doing for that? And again, the technology is racing ahead in that space.

The, the third trend is end of isolation. In the past, we've seen that many cases, operational technology was isolated from the rest of the, the organization's environment. Several reasons for this one, a lot of companies depended upon their vendor to actually manage and support the environment.

So they, there were sort of isolated from it within the company themselves, there was not a high level of intelligence on what was happening there. The there's there's, there's also in some cases, a mandate to put in isolation, but that we now have some tools to allow us to, to isolate provide that virtual isolation, but still achieve what we need to do in terms of management. And lastly, I'm gonna just touch on the government regulation. I'm gonna use the German example, but the it's happening worldwide.

Now we're seeing most countries taking a look at what do they need to do to manage operational technology within their, their geographic region because of the social impact it might indeed have. So let's look a little bit in more detail at these growth by sector.

Now, I, I do quite a bit of research in this area and there's no one piece of research I can point to that has a good coverage of all of this sectors that we have in operational technology. And it's very broad. It's very broad sec, a section of the technology of technology all the way from manufacturing. There's a lot of that happening now, and that's the biggest growth sector. So if you are looking at where most deployments are going to be happening in the next year or so, it's going to be in, in, in manufacturing. This is by volume, okay, then there's healthcare.

The hospitals don't want you in hospital. They want you at home, but they want to monitor you. Even within the hospital. The capability of the monitoring systems are very significant.

So a, a burgeoning area in terms of OT, then there's the building information management. If you're in a building management and you don't have sensors everywhere, you're missing the vote. Typically HVAC is big. You want to manage your energy usage within your buildings, but there's also the security aspect of it. There's the opportunity to, to manage your, your buildings remotely.

Now, a lot happening in that space, smart homes, homes are going through the roof in terms of deploying devices. You know, year on year, the growth rate is pretty significant and what, what people are putting in to, to manage their physical security, to manage their technical infrastructure, to man, turn on lights and, and, and, and environmental controls and things like that.

Transport another big, big space, but typically big installations in, in transport, not so many, but they're big agriculture in, in, if you're in a, an agricultural community, you will now have sensors throughout the, the, across a farm. You'll have sensors on your equipment.

You, the, the ability to, to manage your, your agricultural environment is, has gone ahead, gone ahead and leaps and bounds in the last little while. Smart cities, parking waste management, monitoring, water delivery. All of that now has gone ahead very fast because of the potential, just in water. We're finding that local councils are able to save a lot of money by monitoring water usage and alerting their, their constituents.

If, if water usage goes up and then utilities. So these are the, the electrical oil, the refineries, the utilities that are actually have very large installations, often remote installations. They're using, you know, data acquisition systems and control systems, and there's environmental controls that need to be put in place there.

So my reading is, is according to this graph, the biggest areas you that, that the deployments are happening, and you need to take, if you're in manufacturing industry 4.0, you need to understand all of the things you can do in that space, healthcare building information management, the big three, but in all areas, the technologies is moving ahead in leaps and bounds. In terms of the OT infrastructure, you basically need to do four things.

You, you must be protecting it. You must be monitoring it. You must have some detection capabilities in place, and you must have your response mechanisms already mapped out. Okay? Now you can't do anything of that until you know what your assets are. So you need to make sure you've got a discovery capability so that you have your, your assets properly identified many legacy OT systems. The asset register is a spreadsheet that's possibly 10 years old. That's no longer any, any good.

You have to know what the assets are in order to, to be, to be able to monitor them the monitoring capabilities vary. But generally speaking, the OT, the facilities now in an OT environment to monitor your, your devices is, are very good. You have the ability to, to, to know exactly what's happening on, on the OT network, simply because an OT network is so predictable. Okay.

You, you know what happens day in, day out when it happens, any anomalies, you can then identify. I just want to, to also call out the, the detection capabilities that are now available for us, they are second to none. There there's, there's lots happening in that space, but most importantly, it's your response. There's no point in doing the monitoring. There's no point in, in, in doing the detection, unless you have good response capabilities. And we do recommend that you have your response plan planned out. Okay.

So having, having a, a response plan that says, okay, what's likely to happen, what could happen on our environment, if it does, what do we do? And then have the agreement of what that will be and the approval to move into take action.

When, when it does happen, you don't want to be in a circumstance that when you have a potential intrusion or, or, or, or some other activity happening on, on your network, that you then have to think through and plan out and have meetings about what, what do we do, and then seek approval to have, to, to take that action. So, so those are important areas. Okay.

In, in, in, in, in the situation of, of what do we now do? There's, there's lots available for us in the, in the terms of the end of isolation, the network integration is an important aspect of it, because if you haven't integrated your OT environment with the it environment, it means you still have to do manual things in the OT environment that you don't really want to. So think access control. If you've got a good access control regimen in your it environment, like the HR system feeds the entitlement database and, and allows that access control to happen.

But then in the OT space, they don't get that information. So they have to do it manually themselves. You are asking for trouble. If you maintain that sort of operation isolation gives us the capability of, of bringing things together. It also brings you the capability of taking information that's happening in the OT network and plugging it into your governance tools on the it network. So we need to, to have a, a level of, of integration.

Now, obviously you've gotta, still protect it, and we'll come back to that in a minute. Common access control. We've talked about having a common mechanism there, edge computing, edge computing is becoming exceedingly important. And if you've got an OT environment and you don't have a, some, some mechanism to get that information from the, the, that environment without interrupting that environment, and this is typically what an edge computing device will do, it, it does the data collection and provides that to you.

That also gives you the ability to, to, to provide security to your OT environment. Particularly with 5g.

5g is, is giving us some amazing capabilities in this space network slicing within the environment. We've got a private 5g capability. You can control your, your, the, the, the, the, the isolation and event in effect through the various it subgroups. And then lastly, unified governance. We do need to make sure that we, if we've got this governance mechanism in place, and we know from a strategic point of view, what we want to do within our company, we want to plug in the O environment into, to, to those controls. Okay.

The last trend I wanted to just talk, talk about was the re regulatory environment and Germanys ahead here. And, but other other countries now we're seeing most, most, at least Western nations having some controls in place. And the government's realizing, I think the colonial pipelines issue last year really caught people, the government's attention to say, look, this is a, a source of social unrest. We need to do something about it. So in Germany, they updated last year, the control system, the it security now 2.0.

And it, it does some, some significant, there was some significant changes there. So, so basically the requirement unders 2.0 is you must, if you're a critical indu critical infrastructure industry, you must report to the, the BSI every two years, what your monitoring mechanisms are. You might say, well, that's a real impulse, so I don't want to do that, but it's good practice. So even if you're not nominated as a critical infrastructure company, this is good, good activities to, to do in order to control your OT environment.

So let's document what we're doing in terms of monitoring our environment. It, it, it does come with some, some potentially draconian controls too, B I can come in and they can intervene in, in a response to a compromise situation. They can disconnect a company from the public internet. So there's, there's these, these controls in there too, again, if you've got your response plan done and you know what, you're gonna follow, that's going to make it a lot easier.

There's, there's other pieces of the, the legislation. And if you, if you are involved in this space, please look it up and, and, and look through what, what could potentially be done, because it, it, it does give you the guidelines that you need for an OT environment. Okay.

We have a, another poll now. So we would just like to know if you could please indicate that if you do you, within your company, do you consider that you have good visibility over your OT environment? Have you got that a one way or another? Do you know what's happening in that space, or are you in a situation where you have a manual visibility and, and ability to maintain your devices is very manual, or, or do you potentially have a dashboard that gives you that information? So if you dunno, either of those, maybe just click that. I'm not sure. Okay. Very good. Okay.

Wanted to, just before I turn over to, to max, the, the most slides one is some, some, just a comment on the bigger picture when it comes to OT management, edge computing, as I've mentioned earlier, is very important. And please consider what that might, how you might use edge computing in your particular environment. Make sure you, you do have the security controls in place, and that you do have a continuous monitoring capability within your, your environment. That's very important. Look at the tools that are available.

And when next will be talking about one, look at what the user interface is, is able to provide you and see how that matches your requirements. And lastly, when you are considering what to do in your OT environment, focus on reducing complexity. What we need to do is make things easier for us to, and make it, make it easy for us to get the information that we need. Having said that with this in including OT within your environment, it just might be necessary to change the org chart a little bit. Okay.

As I said before, in some circumstances, companies are just not set up for integrating OT into it. So address that if it needs to be addressed, okay. Before turning over to max, I just want to go through one more slide here because it'll help in understanding what max is going to present. Okay. The perview model is been used for many years in terms of understanding OT. And when you're putting together your monitoring solution, look at each level, okay? So it nominates six levels level.

Zero is, is, are your device, that's the sensors, your actuators. It's not a lot you can do with those, but they are all plugged into some sort of control device at level one. And that's where your management begins, understanding what, what that is. Of course, the, the project program, logic controllers and the human machine interface devices. They're the ones that give you the capability of saying what you're gonna do with this sensor. How are you going to operate this actuator? Okay. So they're, they're the, the devices that provide that, that control capability.

And so you need to be able to understand what they are and the capabilities they have. Level two is the process. So this is where the, the, the control is happening. So if you've got a continuous process installation where you need to be monitoring things on a regular basis and taking action, when certain things happen, typically using a data acquisition and control devices get device, then you need to tie that into your, your monitoring capability and the control capability at the plant level.

You probably have multiple sites within your plant that are pulled together in some sort of administrative center. And that, and at the center is also where you would do the engineering work.

You know, how we, we, when you going to update the devices, are you gonna do a patch for your particular devices that you have level four's a corporate level, and this is what we were talking about, plugging into the corporate devices that's happening at that space level six is if you have external requirements to connect people in externally or publish externally, if that's the level five, the sixth level. So with that in, in mind, I will turn over now to, to max. And he's going to talk, talk about the clarity solution. Great. Thank you very much, Graham.

Thanks for having me today in this webinar to introduce myself very quickly. My name is max. I am Southwestern German, and I am located close to F and Brisco in the wonderful black forest by training on my career, started in mechanical engineering. So I have a background in developing actually current interiors and spent some time in the semiconductor industry afterwards. And about 10 years ago, I somehow ended up in cybersecurity. Cybersecurity is a fantastic place and is something that we all should be taking care of.

And I want to discuss with you today a bit, how exactly can we as companies or as users of operational technology deal with the new regulations that Graham just mentioned and explained a bit about when looking into these regulations and considering what we are doing there, it is apparent that within the next probably 17, 18, 20 months, most of the companies in the European union, not only in Germany will be bound to regulations, demanding them to monitor their operational technology usage.

And not only for one specific regulation that Graham mentioned, the EU N S two, which Germany is transferred into the it cybersecurity act two zero. It that's five point oil, but there are other regulations and they're being imposed with having it while having in mind that the cyber risk is increasing due to several reasons. We've seen it with the pandemic that has led to more remote work or hybrid work models that of course increase this piece. So called the tech surface. We now have the Ukraine conflict, which in turn also is increasing the trend to cyber attacks.

And even if we would not have this terrible situation in, in the Ukraine, and it definitely shows that there is a trend towards cyber warfare. So regulations that are in place already are, will be coming in place besides the, it are the three directive, the control of major accident hazards involving dangerous substances. What we here in Germany probably best know as for, but also the directive on resilience of critical entities.

So depending on the criticality of your company, if you would be a provider of critical infrastructure, if you would be using substances that might pose harm to, to, to the environment or people in case it would be spilled, there might be different regulations coming up in the future. And also the timing might be different. So you see there is a lot of mights and could be still because it's in transposition. And for many of these regulations, it is not yet 100% clear how exactly the requirements will be looking like, but for one regulation, it actually is already clear.

So let's focus on what we know today, and that's the major accident ordinance that, and for, for this, there actually is for example, here in Germany, the guideline 51 of the commission for plan safety, and then NX two measures against interference by unauthorized persons, it is very precisely described what has to be done to make sure that you will not fall, fall off a cyber attack in your operational technology environment. And exterior is quite a lengthy document. So let's summarize it to the most important things and asset inventory for all relevant components.

That sentence alone that makes it already clear. Monitoring is not enough. You need to be able to create a comprehensive inventory describing all components in your network and not only once, but of course, you also have to monitor changes on this monitoring of traffic and communication. This is what most people think about when they're hearing OT monitoring or OT, cyber security. But again, here's the caveat monitoring of traffic is not enough. You also need to monitor communication.

Meaning do you have full control of, for example, remote access sessions into your networks and what are people doing in these sessions? That's unfortunately something that is very often forgotten in an OT cybersecurity concept. Can I control access to the networks? And the third point is vulnerability management because obviously for every attack, very likely there must be unex exploited and sorry, a vulnerability that's being exploited to make this attack possible. So you see there's a bit more to it than just monitoring what is happening in my networks.

I need to be able, if I would be an operator of, of an industrial control systems network to describe what do I have, what vulnerabilities are associated with, what I am having in my network, who is accessing the network? Can I control this? And am I under attack is then acute threat to the safety, stability and reliability of my networks. Clarity has a solution to this. We have come up with something how we would approach these problems.

And I think looking at the major accident ordinance and what is the ask around, this is a good indication of what to expect for the future, for the other regulations that are now coming up from a clarity perspective. First thing, as Graham already mentioned, understand your assets, what assets do you have? How is your environment structured? Are there vulnerabilities is something really, really risky. And I need to take care of that.

Of course, you have to be able to detect and respond to threats by the way, this is something that is already in the it. Cause it's where it says companies need to be able to detect and respond to threats. That's of course, legal German. It's quite a vague definition. You can interpret a lot into detecting and responding to threats, but it is obvious just monitoring then will not be enough. And this third point I already gave it away. People often forget about it is controlling access.

How do I provide internal as well as third party, personal remote access into my operational technology network. And this is a very, very important topic because it is not only about cybersecurity and making sure that you have full control of your networks. It is also about reducing the meantime to repair so that you can reduce the, the unplanned downtime in your networks. Worst thing out of my own experience when I still was in production planning in an automotive supplier factory, worst thing you can experience in operational technology is that you need immediately help.

Now, otherwise there will be downtime. And unfortunately, the first thing you have to do is raising a ticket in your it service management system. And hopefully in the next business day, somebody who is sitting 500, 600, 800 kilometers away will be helping you with a set of credentials that you would have needed in 30 seconds. That is really, really frustrating and very, very costly to the company. How is our solution looking like, what are we doing here?

So the first and probably for most companies, most difficult task is creating visibility on the assets that you're having in your network, what we are doing here. And it is not con to be confused with edge computing, I'm sorry for the name. I'm also not happy with it. Clarity edge, it's a product clarity edge is you imagine basically an emulation of the engineering stations that you are already using in your operational technology networks.

What we are doing here is playing engineering station, discovering all the devices in the network and creating a full list of all assets that we can see in the network. So I'm already hearing people, Hey, this is an active technology and we don't want it. My answer is done very, we've checked it with tons of different ICS vendors. And it is exactly the same discovery method that you are already using in your networks with your engineering stations. It's tried and tested. There's nothing to be afraid of with active technology and operational technology.

And it is offering tons of tons of benefits for the company that is using it. Because with passive monitoring, to create this ability to create a full, comprehensive asset inventory, you will very likely need a big amount of sensors. You will need sensors in every segment, and then still, you can only detect assets that are visible in your communication. If there's no communication, because an asset is very sparse in your communication behavior, you won't see it in passive monitoring with clarity edge. It will be visible. And when I say here, average time to value below 10 minutes, contact me.

If you're interested, we have a video showing the installation of this product to full results in our dashboard in four minutes and 30 seconds in a network with several hundred ICS assets, it's really that fast. And it is really that easy to roll out. The second thing, what most people again think of when it comes to OT, cybersecurity, threat detection, monitoring of the network, the basis, or the, the, the base technology obviously is passive monitoring as it is with so many of these solutions, but we can do something differently here.

Not only can we use passive monitoring, but we can, of course also integrate it with the results that we are getting from clarity edge. We can extend it for typical, let's say it related assets like HMIS service engineering stations with active queries against these devices to perform, for example, a WM Bioscan so that you really have a full picture of these assets including installed software. And we can also connect the continuous threat detection to a versioning system. You might ask, why should I do that? The answer is very simple.

Not only can we detect if there is a configuration up or download the network, but in case we are connected to a versioning system, we can even give you the deviation of that downloaded configuration on code level. So not only alert there's something happening with the configuration, but also alert. There is someone changing a value from, for example, from three to 200, and you should think about the consequences that this would have.

And that, that part of the clarity solution is clarity, secure mode access. It is some, a secure mode access solution that is specifically designed for the priorities of operational technology. So it's not destroying the model that Graham described. It is highly secure. It is zero trust. And most importantly, from a and customer perspective, it allows you to delegate access to devices to the actual machine owner.

If I, for example, would be still in the automotive industry and I would be running injection molding machines and several of them in a production site. And I would need help from my, for example, cause Mafi service technician. I would not need to ask my it colleagues to ground access and provide a set of credentials.

I could, I could create the set of credentials myself and allow a third party service provider access to the network where I now need immediate help. This is reducing the meantime to repair. It's helping me to keep the production up and running and all that is done in a secure auditable monetarized way so that you have full control from a security standpoint, looking into the architecture, just beginning with the basic monitoring, what most people do first.

I hope you can see my cursor you'll have the clarity CTD, continuous threat detection server at for example, the cross, which some central point where you can monitor ingress Andres data in case you would want to monitor the traffic of a segment of the network. You can extend the passive monitoring capabilities of clarity CTD with using sensors that would then transmit the results of the monitoring back to the CTD server.

And in case you wanted to do that over several sites, several production sites, you can aggregate this, all this data from the monitoring with clarity, EMC, the enterprise management console for the secure mode access, we would use a concept that is different from what you would usually see in a production network with a VPN solution or a jump post solution. We have our secure remote access central. This is where would people would, would ask for an approval or would dial in.

But then it's not that the Sri central is establishing a connection to the site component that then in a typical jump post fashion would allow access to a device. For example, this historian here. Now we do it differently. The central component will be asking the site to establish a connection. And then the site will establish an SS H west, sorry to the central component.

So the site is basically acting as a filter so that we can have full control over the assets that are visible to the third party user and make sure that only the right asset to the right time is visible to the right person for clarity edge. You just need some windows machine windows. Host could be an HMI, could be an engineering station, could be any other windows based device to run clarity edge on. And from there, we'll collect all the information. How does clarity edge work? It's a run, it's a standalone executable that you would run on.

And let's say interesting host something where you can see the devices that you want to get some information on. It would collect the information on the host and the surrounding devices. So for example, the host information was software is installed, but also are there ICS project files? Can I do something with this? Can I extract information out of project files? And it would, of course also provide a subnet discovery with all the devices in that subnet. How do I get clarity edged on a windows device, somewhere in my production sites you might ask now also that is relatively easy.

You can use the software distribution method that you're probably already using. Like Microsoft SCCM, many EDR solutions are offering to have something like this. And in the very near future, there will also be an installable version version of clarity yet, so that you do not need an a third party automation layer to, to run clarity edge for the secure mode access. I just want to show you here dashboard. I hope it's big enough.

You could, this is here. The, the admin view, you can assign user rights or a role based access model rights to, to other users in your company to grant access to sites, to certain machines, to devices, to control also what are working hours and what are non-productive hours that perform maintenance could be performed, but something that I need to point out with any secure amount access solution, regardless of it being clarity or anything else, imagine your monitoring your network and someone is dialing in your network. What will happen?

Inevitably you will see in anomaly in your monitoring product, because someone from external is of course, dialing into your network causing traffic and a new external connection. If you monitoring solution would not detect that you might have a big problem, but on the other hand, if it does, you will run quickly into a situation where you have tons of false positives, just from your secure remote access solution or your VPN solution that you're using.

If you combine clarity, secure, remote access with clarity, CTD for the monitoring, we can see, and we can, of course, then also show you in your session that you have here, a remote access session running this is causing an alert because someone is performing work in your networks, causing traffic in your network, and you can then even directly view what is going on in that session with live screen video, the view over the shoulder of the, that party technician.

And unfortunately, in my screenshot here, I did not have rights, but if you would have rights would have grounded rights before, obviously you could even disconnect this session in case something is going wrong. So this will allow you full control over both the remote access session, but also seen in life with a full, comprehensive security concept behind it. What are people doing using secure mode access in the networks, as well as what are is my typical communication behavior in the networks are the deviations from it. What are my vulnerabilities?

Because I have a full asset inventory and are that automatically? So this is really a security concept that is not leaving anything open to give you a brief background on clarity, who we are as an organization. Clarity is now roughly seven years old. We still consider ourselves a startup. When I joined clarity two and a half years ago, I think I was employed number 95. In the meantime, we have probably the slightest already outdated. And in the meantime, it's probably more like 450 employees globally.

Our headquarter is in New York city, but most of our employees reside in, in Tel Aviv in Australia. There's also deploy our development and research. What clarity is doing is not only the cybersecurity site for the industrial space, but we are also caring about enterprise. For example, building management systems and healthcare for healthcare, you would probably know that the, the company named mitigate mitigate was acquired by clarity in the, is dedicated for the use in the medical devices field.

Why can, as things like that better than others, big part of that is are our investors. You see investors here, those are the venture capitalists. They are not important, but three investors that are really, really important for us is Rockwell automation, Schneider, electric, and Siemens. So the European and American leading ICS vendors, and then, and service providers in the operational technology space have invested in clarity to together create a solution that is helping their end customers securing the operational technology space. We have won a few prices for that.

I don't want to go in, in depth about that, but to mention too, that are important. The Forester wave report from last autumn named as leader in the industrial control system security solution space. And another one that is important is the us department of Homeland security safety act. The safety act is not directly comparable to what is going on with your new regulations in Europe.

However, it is really interesting for European companies as well to consider the results from the safety act reviews because clarity so far is the only solution that was basically deemed up to the job for OT cybersecurity under the safety act and that by the department department of Homeland security, an Analyst that you cannot just pay for good review, not saying that any of the Analyst would take money for good reviews, but obviously the department of Homeland security is not interested in winning us as a customer.

What does that mean that we have deeper capabilities just to give you an example, clarity has created an own brand for our research team team 82, because actually we are doing quite a bit of research for our investors, but also other ICS equipment vendors in the market. And to show you how deep our expertise, how, how, how, how far our capabilities go in the space of 779 vulnerabilities published for industrial control systems by N and the second half of 10 were disclosed by team two. So clarity team, 82 is the single largest contributor to knowledge about ICS vulnerabilities. Globally.

Think that showcases that we know a thing or two about operational technology and how to secure these systems. And I would definitely be looking forward to speaking with you more in depth about it.

Of course, we can also do more in depth product demonstration and show you how you could benefit from using our solutions. Thank you very much. We're now going to be moving to the question and answer session. And as I mentioned, we really would like you to enter your questions into the question dialogue box so that we can address them specifically.

Now, as you do that, I just wanted to show you the results of the poll. So we had full three quarters of the participants have an, an existing infrastructure in OT environments. So in a mature environment, so fully three quarters of you have the, the other quarter said, no, you are primarily in the, the involving IOT space and, and that you are so you're deeply embedded as participants in this activity because the, there was nobody said we are primarily an it company. Okay. There was also just to go into the next one.

So the, in terms of monitoring, yes, you report that you do have visibility over the, your, your environment is about 17%. So nearly one in five have that visibility. None of you are saying that you have good visibility across all of the environments, and, but there was, there was a full 80% of you that was saying you're, you're not quite sure which indicates to me there's some work to be done in, in, in this space. So thanks for that in, in terms of, of, of questions now.

Okay, max, maybe you can comment on how can monitoring tools accommodate different protocols and in, in an OT environment. So that's definitely something that is very, very important, and that when choosing a solution, you should really, really care about that you have full coverage of the protocols that you're using. Unfortunately, in the OT space, we don't have, like in the it space, a very limited number of protocols. The OT space lives from proprietary protocols that very often are much older than I am. I'm born in 1984.

And we are still seeing, for example, Siemens S five, which was introduced in 1979 in, in many operational technology networks, even though Siemens S five went out of sale, I think in 1996 and for probably 15, 17 years now, there are no spare parts available anymore, but that makes clear as an example, how important it is that you have a very, very deep protocol coverage. Unfortunately, for us as a vendor, that means that we really, really need to invest a lot of money into research on these protocols.

And it is important that we have not only the capability to dissect and analyze these protocols, but we have to be able to automate this process. So this is something that automatically needs to happen in the product so that we can analyze the protocol what's happening. What is content, what is metadata, and then derives actions from this?

So this is something that is unfortunately involving a lot of manual work, a lot of development, and a lot of research on our side, which also lets led us to, to creating team 82 as a separate brand for our clarity research team, they're running large lab environments, doing nothing the whole day, then dissecting protocols and finding new protocols, how to deal with these, what information can we derive from these protocols and things like that.

So if a potential came to you with a specific installation, would team 82 participate in determining what sort of monitoring capabilities and, and incorporating into thes. Absolutely. If you have a device in your network that another vendor or our competition cannot deal with or analyze the traffic from, if we do not have it on our protocol support list already, we are very, very happy to help you with that because we are always looking for chances to improve our protocol coverage.

And very likely we would even send you a little present for giving us a few key caps so that we can play with the traffic from these protocols. Very good. Okay. Another question here, what threat databases are available for OT environments? Okay.

Well, you mentioned in your presentation, threat detection is a database of known threats that you can access. So the, the question is, unfortunately it has several answers. There is not this one database for ICS vulnerabilities or threats we are using, for example, a mixture of own threat intelligence, the nest vulnerability. So the so-called the, the CVE numbers and the information around the CVE numbers, Yara rules, not rules, but, but also typical signatures. Like we like, like it would have been used in an, in an it antivirus scenario.

So it's a mixture of, of different technologies that is needed to cover for the specifics of an OT environment. Cause we cannot install an agent on a device and detect what's happening on that device. So we need to combine knowledge about the assets describing vulnerabilities that could be applying to these assets as well as the communication behavior and the network behavior. And is that played back through the UI?

Like can, can people Absolutely Like, can you provide guidance on vulnerabilities? Absolutely. So for everything that we find the vulnerability on in our product, you will not only see that there is a vulnerability applying to this vendor, for example, or this type of machine, but we'll give you indication on how precise is the hit, for example, match by FEMBA version by software version by in case of a Siemens device, for example, the ML FP number.

And then we'll give you also information on what does that vulnerability mean even with links to the N database, how to mitigate these vulnerabilities. Very good. Thank you. So what is coming out of our product in the end will be kind of a to-do list, even prioritized by criticality. What do I do?

What do I, as an operator? What do I have to do next? So that I'm doing the next most important thing to make my network more secure and improve the security posture of my operations. Very good. Thank you. The question licensing, can you comment on the license model that clarity uses and, and how a customer would typically calculate the cost for a deployment? So at the moment we are switching our licensing model a bit in the past, we have licensed by component. For example, one CTD server would be one licensed, one sensor would be another license in the future.

We plan to do that a bit different because for many companies, when you're not knowing what you have in your networks, it is really difficult to determine what do I need to create a proper monitoring concept. So in the future, we'll only ask you, what do you want to do? Do you want to create visibility? Do you want to control access to the networks? Do you want to detect threats or maybe all three of these and just roughly as a really, really only a ballpark number plus minus a few thousand assets, how many assets would you expect to have in your network? That's enough.

That's all we need to know for licensing. And then the licensing will be based on the average asset count, just as a ballpark number we don't need. That's very, very important. We don't need a precise number of assets for licensing because obviously you're buying a solution to find out what assets do you have on your network. So we can't ask you before, how many assets will you have in your network? Okay. So it's it's is based on, on deployed server in terms of you've got your STD CTD server, you've got your, your, your clarity sensor is, is another device.

Is it it's based on the number of, of those devices that you've deployed It's yeah. At the moment in the future, it will be mostly based on the use case that you are covering and the number of assets that we are monitoring in the network. Understood. Understood. Okay.

Well, look, that's been a fascinating presentation, max really appreciate you taking the time to, to help us understand that. And we wish that you, we will be able to assist in, in, in how things proceed.

There, just a couple of other advertising slides. If I may, the pinnacle masterclass is something that you might want to as an organization make, take advantage of in terms of training. And we also have the digital advisory service too, that we can, that we can provide you. And with that, thank you very much for your participation. And please advise us if there's particular questions or issues that you'd like to address. Thank you. Thank you all. And thank you very much, Graham.