Operational technology and device management

McKinsey & Company
Action required

McKinsey's Main Points:

Heavy industrials face unique cybersecurity challenges, given their distributed, decentralized governance structures and large operational technology (OT) environment.

qbee.io is a cloud-based security solution for OT that gathers distributed, decentralised devices in one environment and introduces governance structures (such as event and audit logs).

The electricity, oil-and-gas, and mining sectors have been rapidly digitizing their operational value chains. While this has brought them great value from analysis, process optimization, and automation, it has also broadened access to previously isolated ICS and SCADA devices by users of the IT network and third parties with physical and/or remote access to the OT network. In many cases, this digitization has allowed access to these OT devices from the wider internet, as well.

qbee.io secures new and legacy ICS, SCADA, controller or gateway devices running Linux or embedded Linux and hardens them against the wider internet without making them more difficult to operate.

Moreover, heavy industrials have the dual challenge of protecting against new digital threats while maintaining a largely legacy OT environment.

qbee.io can be used on a plethora of old OT equipment without impacting performance. No software development is needed. The qbee agent is compiled for the specific OS.

Most of today’s OT networks consist of legacy equipment originally designed to be perimeter protected (“air gapped”) from unsecure networks.

qbee.io secures and protects these devices with proper firewall configuration while maintaining the possibility to manage and operate them as before.

The proprietary nature of OT equipment means that companies rely on the OEM to maintain it and make changes. This equipment is often a “black box” to its owner, who has no visibility into security features or levels of vulnerability.

qbee.io exposes the whole device, including its configuration. All libraries are queried and an inventory is built. This inventory is compared against the CVE and NIST security database, and security issues are reported. The automation part of the tool allows basic OTA firmware updates, but also pinpoint replacement of individual libraries if a device is outside of its maintenance window (ref. Heartbleed and the OpenSSL vulnerability). This can also happen after a device has left its official support window.
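The inventory-versus-advisory comparison described above can be sketched as follows. This is an added example, not qbee.io's code or API: the record layout, device names and function names are assumptions, and the inventory is constructed sample data. The CVE id and affected range are the published Heartbleed values.

```python
import re

# Constructed advisory record. The CVE id and range are the published
# Heartbleed facts: OpenSSL 1.0.1 through 1.0.1f affected, fixed in 1.0.1g.
ADVISORIES = [
    {"cve": "CVE-2014-0160", "package": "openssl",
     "first_affected": "1.0.1", "fixed_in": "1.0.1g"},
]

# Constructed inventory, one "device package upstream-version" per line.
INVENTORY = """\
gateway-01 openssl 1.0.1e
gateway-02 openssl 1.0.1g
plc-07 openssl 0.9.8zh
plc-07 busybox 1.22.1
"""

def version_key(version):
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so versions sort in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def find_vulnerable(inventory, advisories):
    """Return sorted (device, package, version, cve) for affected entries."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        device, package, version = line.split()
        v = version_key(version)
        for adv in advisories:
            if (adv["package"] == package and
                    version_key(adv["first_affected"]) <= v < version_key(adv["fixed_in"])):
                hits.append((device, package, version, adv["cve"]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_vulnerable(INVENTORY, ADVISORIES):
        print(*hit)
```

Distribution packages often backport fixes without changing the upstream version string, so a hit from upstream-version matching is a candidate to verify on the device rather than a confirmed finding.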

Furthermore, companies are increasingly outsourcing maintenance and operation of OT, or adopting build-operate-transfer contracts. These types of relationships require third parties to gain physical access to OT networks. Where remote maintenance is required, the owner needs to establish connections to the OEM networks. These remote connections are mostly unsupervised by the owner organizations, introducing a blind spot.

qbee.io has a full audit log of who has done what as long as automation is used. We are working on other security features to address this blind spot.

Unified identity and access management.

qbee.io allows centralised user management for groups of devices. Users can be added and removed, and passwords can be changed. SSH keys can be updated remotely and therefore also rotated.

Asset inventory and device authorization.

We build a full inventory of users, ports, libraries or even running processes. In addition, metrics can be processed and anomalies detected.