RSAC 2023 Interview
- XONA System CEO “Leading Korea-APAC OT security market with PAGO Networks”
May 3, 2023
XONA System's protocol isolation technology expands customers to critical infrastructure and enterprise manufacturing
▲ From left, XONA Systems CEO Bill Moore and Sales Director Marc Moring
[San Francisco = DailySecu] RSAC 2023, the world's largest security conference & exhibition, was successfully held at the Moscone Center in San Francisco, USA from April 24 to 27.
In particular, with cyberattacks by malicious hackers on critical infrastructure and industrial control systems rapidly increasing, OT security emerged as a major security industry trend at this year's RSAC as well.
DailySecu met CEO Bill Moore and Sales Director Marc Moring of XONA Systems, which has grown into a core OT security company, during RSAC to learn about the current status of OT security and the characteristics of XONA Systems' OT security solutions. Paul Kwon (YoungMok Kwon), CEO of PAGO Networks, who has built trust by providing EDR & XDR platforms and a self-developed MDR service to large manufacturing customers in Korea, also attended this interview. PAGO Networks is XONA Systems' general partner for its Korea and APAC business, and plans to actively expand its OT security business in the Korean and APAC markets. The following is the full text of the interview.
◆ Please introduce XONA Systems.
XONA Systems provides a secure remote user access platform for OT and critical infrastructure systems. In particular, it has been working very early with industries that have OT organizations to build technology platforms tailored to their specific needs. Although there have been many remote access solutions for enterprise IT for a long time, the applications used in the OT environment are different, and there are not many actual remote access users. OT environments require more secure and very specific techniques for securing network access in a different way than IT environments. XONA Systems provides technologies such as site-specific control and protocol isolation over network traffic in an OT environment.
◆ Recently, the need for OT/ICS security is growing in Korea as well. What is the current status of the US OT/ICS security market?
Several OT-related compliance requirements are emerging in the US market. NIST (National Institute of Security and Technology) announced "NIST Special Publication (SP) 800-82r3, Guide to Operational Technology Security" as an OT security guideline, and in the energy and power industry sector, the "NERC CIP (Critical Infrastructure Protection)" standard must be followed. In addition, the ISA/IEC 62443 standard defines requirements and processes for the installation and maintenance of Industrial Automation and Control Systems (IACS). The US OT-related industries are working hard to comply with such security compliance requirements. Based on this, XONA Systems maps technologies to each item of the various compliance requirements and applies a technology matrix to comply with regulatory requirements.
◆ What are the features of XONA Systems OT security solution?
As for secure remote operation and remote access in the enterprise IT sector, VPN or VDI technology has been applied for the past 20 years, adding various user authentication mechanisms, multi-factor authentication, and application jump servers.
XONA Systems is taking an approach in that the IT environment and the OT environment are clearly different. In particular, it was recognized that it is very complicated and not suitable for security to apply the remote access technology that has been optimized for the IT environment for a long time to the OT environment as it is. So the XONA Systems' approach is to "simplify everything and provide a purpose-built platform."
The remote user uses a general web browser without installing a specific agent, and after going through user authentication, connects to the virtual or physical appliance of XONA Systems in the OT environment. After that, the appliance acts as a proxy for "RDP, VNC, SSH," the core protocols for remote access to OT assets. However, the actual protocol runs only between the XONA Systems appliance and OT assets, and all data processed remotely by actual remote users is encrypted in PNG pixel files and streamed in real time.
In other words, RDP, VNC, and SSH access are allowed to be used as in real life only from a general web browser to an OT system with access rights, but they are converted into PNG image files instead of real data and communicated. This part is called ‘Protocol Isolation’, and all processes are recorded and screen monitoring is provided only for real-time user browser sessions.
Even under the assumption that the remote user's endpoint system is infected by malware, the layer 3-based access method to the OT environment is fundamentally blocked, and the data itself is additionally encrypted and expressed in the PNG image file format. There is no need to think about the issue of OT data leakage itself.
◆ In Korea, IT security and OT security areas are recognized as different, so there is a tendency to be reluctant to apply IT security technology to the OT security area. What is the situation in the US and how is XONA Systems approaching the market?
In the United States, awareness of the OT security area is gradually improving, and it is entering a mature stage. Manager-level people are springing up, especially in executive positions in OT security that weren't even seen three or four years ago. In particular, recently, the efficiency of safe remote operation and secure remote user access technology provided by XONA Systems is being discussed together in accordance with their requirements.
In the United States, the average age of an experienced engineer or control systems engineer is over the mid-50s. In addition, the challenge of training inexperienced junior engineers in technology transfer and critical OT system operation is emerging. After secure remote access using XONA Systems' technology, it was confirmed that the entire process was recorded whenever OT system access, actual operation, maintenance, setting change, and troubleshooting occurred, and that it was also used for the purpose of training staff in charge. In other words, after introducing XONA Systems' technology into the OT environment, it is helping not only cyber security but also operational efficiency of OT organizations.
◆ Unlike the IT environment, the industrial control system uses a separate OT protocol. Is there any part that can be collaborated with other OT security solutions?
XONA Systems works with vendors such as Nozomi. For example, if the Nozomi product identifies an OT asset based on OT traffic, the XONA Systems supports linkage that imports the identified asset and registers it as a system object that external users can access remotely. In addition, when a Nozomi product detects a vulnerability in a specific OT asset or sends a signal that determines that it has been infiltrated by a threat, XONA Systems interlocks to apply a policy that does not allow remote access from external users to that system.
◆ The existing IT environment threats are similarly coming to the OT environment. From the standpoint of OT security, if you could give some advice to Korean OT security managers on what parts to pay more attention to?
Recently, in the US OT security sector, there is a big movement surrounding the Software Bill of Materials (SBOM). It identifies all information such as source code, binary, open source type, metadata, certificate information, package, copyright, and license for all firmware software actually running in the OT/ICS environment, and further identifies which vulnerability information is linked. It includes the process of gathering visibility on all information and processing it appropriately. A secure remote access methodology to the OT environment is, of course, important. In addition, what is important to consider is to newly establish all visibility even in the internal OT environment that is already trusted, actively identify which areas are vulnerable, and predict the relevance of security incidents in advance.
◆ OT systems still use a lot of old legacy OS. There are many vulnerabilities and performance issues in terms of availability as well. What are the strengths of XONA Systems when applying remote access technology to these OT systems?
The key to the XONA Systems solution is the simplicity of its architecture. Between external users who must have remote access and the OT internal system, the XONA Systems' appliance that applies security policies related to access is located.
XONA Systems' technology does not require any configuration changes on the remote user's system. Even if the final destination system located inside the OT environment is an old legacy system such as Windows XP or Windows 7, it does not request any configuration changes in the system itself. Systems running on Purdue model level 3 or level 3.5 can use the legacy OS, and even these systems support “RDP, VNC, SSH” remote access without changing settings. As a result, when accessing a destination system with weak security from the outside, one of its features is to provide a safe and secure remote access method very simply, without violating availability or changing the settings of the system itself.
There is another real manufacturing customer use case as well. A large number of Windows XP systems in the OT environment of this customer were infected with ransomware. At this time, remote access was required to investigate all infected systems and perform forensic work. For this purpose, when using RDP over an existing VPN, all RDP protocol data was eventually exposed to the user's PC on the external Internet network.
At this time, a customer who used XONA Systems' technology did not transmit actual RDP protocol data between the XONA Systems appliance and the user's PC on the external Internet network, but only pixels converted into PNG images. However, it was possible to remotely connect and conduct forensic investigations, just like using RDP. They could also run any command they wanted. This case is documented as a success story of secure OT environment access.
◆ Who are the major customer industries of XONA Systems?
Large enterprise OEM companies that directly applied XONA Systems' technology include General Electric (GE) and gas power plant companies. The main customer group started from the energy sector. Renewable energy, wind power, solar power and oil/gas industries are included here. Since then, it has been expanding into the OT security access sector of general enterprise manufacturers and expanding its customers to transportation and airport refueling system industries. In the United States, the XONA Systems is used by the federal government and the Department of Defense as a remote secure access solution for critical systems.
Being adopted as a remote secure access solution for not only the OT environment but also critical systems in the IT area has another meaning. It's not just about which industry you have customer references for, it's that it's being applied to secure access to a lot of critical systems, regardless of industry.
Recently, the technology of the XONA Systems is being applied to industries with microprocessor technology and industries classified as high-tech. This proves that it is not a technology applied only to the OT environment.
Recently, as a technology for connecting operating equipment connected to the critical infrastructure supply chain for maintenance by partners, there are many cases in which XONA Systems' technology is used instead of IPSec / SSL VPN technology, which was widely used in the IT area.
◆ In terms of maintaining availability without business interruption when deploying or maintaining a security system in an OT environment, how can XONA Systems' technology support it?
As in the IT area, maintenance in the OT area requires accurate schedule and time management. It supports vendor management functions, such as providing time-based access control for vendors accessing maintenance from remote locations and applying appropriate authentication processes and recording technologies. It also provides a policy that allows access only to a specific protocol to a specific system and a function to forcibly terminate an existing connected session. In addition, when access is attempted from outside with a function called 'Virtual Waiting Lobby', final access is allowed only under real-time approval of the administrator, and system access is supported based on the correct approval procedure. Even when a script file for patching, updating, or changing settings is uploaded, it supports a function that works on an approval basis or is uploaded after going through security checks in the middle. All of these are cases in which functions required by market industries related to maintaining the availability of the target system are implemented.
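The asset import from a monitoring feed, the threat signal that revokes access (from the Nozomi integration answer above), and the time-based vendor window, per-system protocol policy and administrator approval described in this answer, modelled as a small deny-by-default policy evaluator. This is an added illustration, not XONA Systems' or Nozomi's code; all names, fields and the sample feed are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
ALLOWED_PROTOCOLS = {"rdp", "vnc", "ssh"}   # the only protocols the proxy brokers

@dataclass
class Asset:
    name: str
    protocols: set                 # protocols external users may be proxied to
    threat_flagged: bool = False   # set when the monitoring feed reports a threat

@dataclass
class VendorGrant:
    vendor: str
    asset: str
    window_start: datetime         # time-based access: maintenance window
    window_end: datetime
    approved_by: Optional[str] = None   # filled in by an admin ("waiting lobby")

def import_assets(feed):
    """Register assets reported by a discovery feed as remotely reachable objects."""
    return {a["name"]: Asset(a["name"], set(a["protocols"])) for a in feed}

def apply_threat_signal(assets, asset_name):
    """A vulnerability/compromise signal revokes external access to that asset."""
    if asset_name in assets:
        assets[asset_name].threat_flagged = True

def evaluate(assets, grant, protocol, now):
    """Deny by default: return (allowed, reason) only after every check passes."""
    asset = assets.get(grant.asset)
    if asset is None:
        return False, "asset not registered"
    if asset.threat_flagged:
        return False, "asset flagged by monitoring feed"
    if protocol not in ALLOWED_PROTOCOLS or protocol not in asset.protocols:
        return False, f"protocol {protocol} not permitted for {asset.name}"
    if not grant.window_start <= now < grant.window_end:
        return False, "outside maintenance window"
    if grant.approved_by is None:
        return False, "waiting for administrator approval"
    return True, f"{grant.vendor} -> {asset.name} via {protocol}, approved by {grant.approved_by}"

# Constructed sample feed and clock (hypothetical values).
SAMPLE_FEED = [{"name": "hmi-01", "protocols": ["rdp"]},
               {"name": "plc-gw-02", "protocols": ["ssh"]}]
NOW = datetime(2023, 5, 3, 10, 0, tzinfo=timezone.utc)

def demo():
    """Walk one vendor request through the lobby, approval, window and threat checks."""
    assets = import_assets(SAMPLE_FEED)
    grant = VendorGrant("vendor-a", "hmi-01", NOW.replace(hour=9), NOW.replace(hour=12))
    results = {"lobby": evaluate(assets, grant, "rdp", NOW)[0]}          # False: unapproved
    grant.approved_by = "ot-admin"
    results["approved"] = evaluate(assets, grant, "rdp", NOW)[0]         # True
    results["wrong_proto"] = evaluate(assets, grant, "ssh", NOW)[0]      # False: rdp only
    results["late"] = evaluate(assets, grant, "rdp", NOW.replace(hour=13))[0]  # False
    apply_threat_signal(assets, "hmi-01")
    results["flagged"] = evaluate(assets, grant, "rdp", NOW)[0]          # False: revoked
    return results
```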
The XONA Systems appliance itself also supports H.A (High Availability) configurations and a load balancing architecture with Layer 4 switches. If all of the XONA Systems appliances go down, there is no loss of availability to the target system.
◆ Why is XONA Systems' Protocol Isolation necessary and why is it important?
Common VPN technologies today use the additional feature of jump servers to partition applications again after the final VPN access. Of course, it is true that OT systems and protocols such as RDP, VNC, and SSH are used inside the VPN equipment, but those protocols reach the end external user's system (desktop, laptop, mobile) through VPN tunneling, and ultimately the final data is decrypted and the data itself is inevitably exposed. At this time, if the system of the end external user is infected with malicious code or compromised by an external attacker, the data may be subject to threats. In addition, if credentials are provided to access the OT internal system through the tunneled layer 3 communication network, malicious code or external attackers can also access the internal network through tunneling.
XONA Systems communicates RDP, VNC, and SSH on the internal network based on the appliance, but the user sees the PNG pixel image displayed instead of the actual protocol data inside the web browser. That is, even if a malicious code or an external attacker penetrates, only the PNG pixels displayed on the web browser are viewed, not the protocol data itself, and the data itself is not exposed. In other words, internal and external protocol conversion is surely performed on an appliance basis, and this is called protocol isolation technology. The SSH command displayed on the web browser screen and the result value returned are all PNG pixel images.
◆ When some security solutions update engines or functions in an OT environment, there are cases where the updated files are infected with malicious files and cause problems. What is the update mechanism of XONA Systems?
XONA Systems' update method does not directly download from the Internet, etc., but directly provides update files and hash information to the customer. The customer goes through the process of verifying the integrity of the update file, inspecting whether or not it is infected with malicious code, and disassembling the update at the scheduled maintenance time.
◆ What expectations does XONA Systems have in the Korean market, and how will it establish a cooperative relationship with PAGO Networks as a partner?
XONA Systems presents a partner cooperation business model, not a direct sales system. In particular, in regions other than the United States, we intend to expand the market through unique partners such as PAGO Networks, which understands the region. In the case of the Korean market, the enterprise manufacturing company market is considered as a customer industry group to apply XONA Systems, and huge markets such as automobile manufacturing and electronic product manufacturing are emerging as large markets for the XONA Systems this year. In fact, it is expected that collaboration with enterprise manufacturing companies will grow more significantly in terms of technology in Korea than in the energy industry sector, which was first started in the United States. PAGO Networks is also presenting a similar opinion and sharing the situation.
PAGO Networks understands the differentiated aspects of how to enter the Korean market and has insight into which industries to approach and how to approach them. We believe that we will implement a win-win strategy both in terms of securing the market and strengthening the security of our customers.
◆ Generally, from the customer's point of view, OT security is a costly issue. What kind of strategy does XONA Systems have?
The situation is similar in the US market. Investment in the OT security sector tends to be undervalued as an investment target until an actual security incident occurs. Even network security equipment, which is actually the most basic investment, is often not operated appropriately for the OT environment because of the high cost of investment, and it is a really unfortunate reality. In addition, it is also true that when a maintenance-related issue occurs for the OT transmission system, the customer is locked in to the vendor and pays a lot of money for remote technical support.
XONA Systems applies technology to the maintenance methodology of existing vendors and partners to support the infrastructure so that vendors can access it much faster, increase security, and at the same time suggest ways to lower the cost of technology application. In other words, XONA Systems does not discuss the cost itself, but presents a safe and secure access methodology for accessing OT systems. We would like to discuss the perspective of reducing costs in terms of establishing a framework and process that safely manages OT systems by multiple supply chains and customers themselves and reduces maintenance costs compared to existing ones.
◆ It has not yet been established in Korea, so is it correct for CISO to cover both IT/OT at the same time? Who or what team does XONA Systems talk to for OT security?
From a technical standpoint, SCADA operations engineers have been dealing with the IT complexities of the past, so when they come across XONA Systems, they respond quite well. However, XONA Systems ultimately hopes to discuss the overall OT security process with a higher-level manager in charge of OT.
Indeed, even in the United States, a CISO role for the OT sector does not exist. The CISO is in charge of both the IT and OT domains. Fortunately, the United States is developing dedicated OT security teams, working alongside the IT security team. If there is no dedicated OT security team, it is common to use the VPN technology used in the existing IT infrastructure as it is in the OT area. However, most companies have a CISO, and after enhancing the understanding of OT security between the CISO and the IT security team, they are proceeding with joint projects while integrating the opinions of end users who actually use this technology sequentially.
Link to the original article: DailySecu - [RSAC 2023 Interview] XONA System CEO "Leading Korea-APAC OT security market with PAGO Networks"