To secure operational technology (OT) environments, Federal agencies need cybersecurity solutions that comply with Zero Trust and CMMC requirements. Trout’s Access Gate solution seamlessly integrates with existing OT systems to prevent cyber threats and reduce risk. Access the Zero Trust for Operations podcast to discover how to close network security gaps with insights from SCOOP Cyber and Trout. Learn how your agency can seamlessly deploy Zero Trust frameworks that secure devices, reduce threats and achieve CMMC standards for your current systems.
Steven Cooperman
Welcome everyone to another Scoop Cyber podcast here in the Carahsoft studio in Reston, Virginia. Just a little bit about Scoop Cyber. We're a value-added reseller in the Carahsoft ecosystem focused on emerging and disruptive technologies and that brings us to our podcast today with Trout Software.
Very interesting topic, an important topic about operations or operational technology. As we all know, the threat landscape is increasing exponentially, especially with AI and AI bots and everything in the speed of just the cyber threat. When most people think of operation or of technology and zero trust, we think of laptops, networks, the traditional IT infrastructure, but what about everything else in an industrial environment?
The industrial control systems, the cameras that protect the buildings, the sensors, all the systems within the industrial operational environment are under huge threat, yet traditional zero trust models don't really help with that, and that brings us to, you know, why Trout is here, which is purpose-built technology to focus on this problem domain. I'm Steve Cooperman, the host today, and again delighted to be here, and joining us again, as I mentioned, is Trout Software to do some introductions. So if you guys don't mind, you know, saying your name and where you fit into Trout, and then we'll take it away from there. So again, welcome everyone. So tell us a little bit about yourself and your role, a little bit about your background, and then we'll take it from there. So why don't we start with Marc.
Marc Hoover
Sure, thanks Steve, thanks for having us. So yes, I'm Marc Hoover, thanks for all of this. I'm in business development here at Trout, and prior to Trout most of my time was in the military. The majority of that time was in special forces, where one of my main roles was in communications, which encompassed secure, you know, communication security and cyber as well.
Steven Cooperman
Well, first, you know, thank you for your service. You know, we're all appreciative of everything everybody does in the military to protect us, and I think your perspectives are important because you were actually a practitioner in this space, which gives you tremendous insights. Our next guest is Florian, so Florian, if you don't mind.
Florian Doumenc
Yeah, I'd be happy to be here and chat about all of this today. My background is more in the civil space. I worked for 10 years in data science and security; especially, my last experience was at Google, where I worked on the model of zero trust on CM systems and a lot of great technology that lived in the IT world, in the traditional computer world, and we started really Trout to bring these advanced technology, great solutions to more the real physical world, to the OT environments, to everything you described before. So really excited to talk about this today.
Steven Cooperman
So I always love digging deeper. You know, you left a career at Google to start this, so obviously a passion for this, but you saw a gap in the cyber posture organizations have that's critical to solve. So, you know, what were you thinking, why decide to start a company just focused on that, and sort of what is the mission of Trout?
Florian Doumenc
I think we saw different gaps in the cyber security ecosystem. There's a lot of companies that try to tackle, but it's also fast moving, and so you have a lot of different holes. For us it's been really an iterative process. We started more in the same space and try to reinvent some of the technology there, and it's a really challenging market, and then we started to work with physical companies, with ski resorts in the Alps for example, so yeah, this is a great station if ever someone wants to go there, and we started to realize that in the physical world you have some constraints, you have some lack of maturity that makes it a really interesting and prime segment to focus on. And so over that period of time, said that iteration, that fine tuning, and we identified both OT physical elements as well as the technology we'll build as the perfect fit, and so that's when we started to accelerate and grow the team and pursue this as fast as we can.
Steven Cooperman
Perfect. I didn't know when we were going to do this, but we have a Trout. I wanted to show the audience what we're talking about, so if you guys could, unless it's just a plant.
Florian Doumenc
This is a demo box or something we use mostly for large or small environments and then we have like larger appliances also so far.
Steven Cooperman
So what we're talking about, and we're going to get into a lot more detail, is a box that goes on the network that now protects your IT infrastructure. So we'll talk in detail what this really does, but I wanted to give everybody an understanding, you know, implementation times are quick, and just to put it in context what Trout does, and also they do all the manufacturing U.S. based, so really cool, and we'll talk more about these. They make a great stocking stuffer for those that are getting ready for the holidays. Okay, so over to you Marc. You know, again, define a little more OT, and then why these environments are so different, and, you know, the traditional playbooks you have using workflow, whether it's ServiceNow or elsewhere, to protect your network really don't apply perfectly to OT environments, and again why Trout is so important.
Marc Hoover
Yeah, absolutely. So these environments in the industrial space, you know, they're built for the worker to be, you know, to optimize working, and so it's not necessarily always ideal for setting up a secure network or meeting compliance requirements. These systems have been in place a long time. It's definitely something, you know, that drew me to Trout with this type of, when I started working here, of that I could relate to from the military perspective, having to meet some kind of compliance requirements and a less than ideal situation. And a lot of these systems, they're, you know, they have a wide range of lifespans that they are able to keep them functioning for. They might have that workhorse that's been going for a long time; they don't want to get rid of it, they don't want to replace it, but it's still connected, and they might not be able to install security agents on it itself, and so you got to find creative solutions to work around that. And so that's really what you're working with in this type of space, where also there's a cultural aspect, that they're maybe not necessarily used to this. You know, the cyber and OT security, especially in like a manufacturing type environment, is a somewhat of a recent history type thing. These businesses have been in place for, you know, 30 years, family-owned, no issues, but now more and more things are connected. They get a new machine and it's got, they got to tie it in, or an old machine that they got to keep up, so it's a
Steven Cooperman
For a business to maintain. Yeah, so interesting, these, you know, cultural shift of people that may have been doing traditional IT for 30 years in the manufacturing plant. Do you see, you know, some training and enablement, or, you know, so that people appreciate what they're doing, or is there resistance to doing this, or, you know, who usually is the champion or who's, you know, taking the
Florian Doumenc
agenda for to. Yeah, I think there is both. It depends: you have some companies that are really leaning in this and understanding that this is the next wave of attacks, and if we want to be around in 50 years, in 100 years, we need to tackle that really seriously. So, and the other ones are like, we've been doing this for 20 years, we didn't have a problem, so let's continue as is. So I think the realities in between or across all of that shade of nuances. Yeah, I think if you look at cyber security, at the end of the day it also needs to be in the background; it doesn't need to be blocking systems, slowing down the team, and so that's where you really have a challenge to make it happen on the shop floor or an OT environment. If people need to go through hoops or bring a laptop to do two-factor authentication when they have gloves and masks and stuff, like, it's not going to work. So you need to put the solutions that are right for the environment so that they can then deploy them and then scale them. So it's a bit of, yes, the company need to prioritize this, but we also need to have custom solution, and that's why I think we're here today, that fits the environment that requires them.
Steven Cooperman
So Marc, um, a lot of organizations don't really understand how many OT devices that are out there, and just for the audience, again, I might be, you know, new to this. You know, definitely IT, you know, we're all comfortable with, but give us some examples of devices or workflows
Marc Hoover
of OT that are in an operational environment. So a lot of times it's pretty common that they won't even be entirely sure what all is connected, uh, on their network, or be able to see all those connections, or if they can, they might not know what's what. Um, so that's really one of the first things that we prioritize, is getting that good asset inventory of everything that's on the shop floor. So hiding that network visibility is typically a major obstacle for a lot of these businesses, so, and with our Access Gate, that's what we, the first thing we do.
Florian Doumenc
Maybe in terms of definition, really, we see as IT everything that's a laptop, phone or kind of a desktop, and everything else is OT. So that can range from a camera, from a, like, a production machine, from sensors, from HMI, control system. So it's, yeah, everything that is not pretty much a
Steven Cooperman
desktop or phone. I would think, uh, you know, the new data center is being driven by AI would be, you know, really need something like Trout with all the OT they have. This is a great example
Florian Doumenc
because you can think about data centers of like, this is just servers that are stacked, and that's typical IT, there's a lot of solution there, but there's a lot of systems around that monitor temperature, that monitor the doors, access, the cameras, and all of this is typical OT that doesn't have the same level of security or same level of controls that you have in the IT space. So
Marc Hoover
this is a great example, and a lot of those they don't necessarily think of as a potential cyber threat, that, right, that they, is an exposure that they have. Yeah, we'll talk a little bit later
Steven Cooperman
about the exact threat and the implications of those are compromised, but moving on to zero trust, which is, um, not only a buzzword, it's a necessity, right, and it's even propagating, in my opinion, to everything we do in life. You can't trust the phone call, you can't trust the picture. Yeah, not sure I trust you. We're here, we're here. Um, so, but given that OT, I mean, uh, zero trust is a priority, and we talked earlier how traditional approaches don't exactly apply to, um, operational technology environments, you know, talk a little bit about if, uh, you know, a key priority of an organization is zero trust, how you help, where you would fit in and how you fit in with that, you
Florian Doumenc
know, zero trust architecture. Yeah, um, so for anyone that's not familiar with zero trust, is a principle of saying once you're inside a network you still shouldn't be trusted by default, and that's something that was kind of built at Google around 2008 after they had a cyber attack, and that started to say, like, the perimeter defense is not enough in our modern world because there's so many connections, and so really you need to build doors, you need protection within your building, so that if someone goes in, the capacity of lateral movements or blast radius is, um, managed. And so that's kind of the principle of zero trust. When you apply that to an OT environment, often the way the OT environment have been built is like, okay, it's air-gapped, we have our machines that are talking to each other but they're in the corner, so there's no risk there. And what we see is that there is more and more connections to the outside world due to remote maintenance, you push data to the cloud to do some ML and stuff, and so this model of air gap is just getting pierced and exploding, and so everything that you need to do is now apply the same principle of zero trust, which is how, within my OT environment, um, I still make sure there is those doors and I control who's doing what at what time, and really be granular about this. Um, so that's the principle of zero trust, how it's applied on OT. One of the core challenge that you have with traditional solution is that they are what's called agent based. It's like, you install a small piece of software on all your equipment, and that's how you make encryptions, authentication zone. In the OT world it's impossible: you don't have the hands on the machines, on the system, you kind of bought them like this, you plug them to your network, and you can't really manage the software per se. And so that's why you need a unique methodology, and what we build is kind of the ability to build a bubble around each of your critical systems, what we call enclave, and that's really how we tackle zero trust in this
Steven Cooperman
specific OT environment. Great, and more coming from the government, I would assume this helps government organization meet lots of different mandates and directives from the government,
Marc Hoover
um, you know, any examples of things that helps out with. So, um, CMMC is a huge topic nowadays, um, that, um, is one of those examples of a cultural shift that was essentially, you had no choice, that now it's like, okay, we have to meet these, uh, compliance requirements. And it's not just, um, with manufacturing and CMMC; if you're in health care you have your HIPAA and requirements, and anywhere that there's, um, sensitive data in any, uh, space, there's going to be some level of compliance
Florian Doumenc
required. Yeah, to piggyback on this one, CMMC is a compliance framework that the, um, DoW has been pushing to all of the defense industrial base, because there was this acknowledgement that kind of Chinese planes were starting to look a lot like the American planes, and so there was probably some leaking happening, and so you had to really raise the bar. And CMMC is how they're looking at the whole entire defense industrial base, we see 300,000 companies, so it's a lot of companies which work with the government, and says, like, now you need to really up your grade and up your game in terms of cyber security. Um, and that's kind of like the background on CMMC, which is super interesting but also happening really fast for a lot of people.
Steven Cooperman
Yeah, that, you know, it's key, um, certainly to government organizations, uh, to be compliant and have that zero trust architecture, and that propagates obviously to the commercial environment. So this is a universal threat that everybody's experiencing, and anything to do with physical plant, physical infrastructure, um, really needs something like this or their threat is wide open. So can we talk about, you know, kind of the threat landscape out there? Are there organized threat actors, foreign entities, where this is part of their mission? Um
Florian Doumenc
Yeah, so I think if you look about threats, there is a different, uh, type of attackers. They really like the state sponsor, the advanced one, and this is what we discussed a bit before: there is a perception that OT is a great door to gain access to a system because they're less protected, they kind of forward and on the side, and so for those state-sponsored actor this is usually what they look for, because they are a prime entry door. And then there's also the rest of cyber, um, offenders, which are more like obese or just ransomware groups, and they're really going for what door is open and I'm going to get in there. Um, there was a great example of an attack on a space laboratory in Chile. Um, there is no attacker that would say, like, this is a prime target that has a lot of money to pay, but it's just like, it is open, I get in and I trigger my ransomware attack. So you have that spectrum, um, that look at OT as kind of, this is an unprotected door, this is a door that's kind of wide open, and so let's get in there. I think with that too, part of it is
Marc Hoover
just, um, those folks that have those systems in place not realizing that they are a target, and that's part of the shift that I think is happening. So let's, you know, now focus on
Steven Cooperman
how Trout helps with that issue. So talk a little bit about, you know, a real example or a general, um, scenario of a plant. Let's say it's manufacturing a key component in a defense, a weapon system. You know, they're under attack, obviously there's a critical endeavor going on, we have that all around the world; if anything happens to these, the manufacturing, it could shut the whole mission down. So they call Trout: we have this problem. Talk about, you know, how you would implement this and what are the steps. Um, and from what I understand it's, you know, again, we have a physical box that we need to put on the network, there's not a lot of implementation that, but, you know, walk us through that so the audience, uh, gets an understanding of, you know, the complexities of doing this and how, you know, what are the logical steps that, I am that manufacturing plant, you know, what would I need to do and how would I work with Trout to
Marc Hoover
make that happen. Yeah, so from, uh, I'll give an example from one manufacturing plant, um, Elna Magnetics in upstate New York, the, uh, defense, uh, industrial base supplier, um, and a lot of obviously critical infrastructure that goes with that. They've been in business for, um, I think what, 30 years, probably it'd be more, I think. Yeah, t7 generation. Yeah, so shout out to them. Yeah, good people. And they, uh, essentially had to meet a CMMC requirement, and, um, even though they had solid IT people and a good baseline, um, they couldn't just completely rewire their physical infrastructure, their network. Um, they had secure servers that they needed to maintain access to, to, uh, control, uh, CUI, controlled and classified information, and they needed a means to do it without having to rewire their whole network and move machines around, which are massive, you can't do that, and they have some legacy equipment that they need to secure. So we're able to deploy the Trout Access Gate, get them set up and create these secure enclaves, or the bubbles that Florian mentioned, around each individual device, and, uh, set up the access control, network visibility and all the log collection that they need, um, to, one priority being to just have a good cyber footprint, but also to meet the requirements for CMMC. So that's one
Florian Doumenc
example of manufacturing, I think. Yeah, I think even to make it more palpable, like, really the device is installed inside, it's connected with, like, one Ethernet cable to their existing network, so that can be a firewall, router or switch, and then there's a bit of configuration to create those bubbles. So it's really lightweight, kind of as plug and play as we can. Each factory, each, uh, system is a bit different, so that's why you have this configuration that needs to happen, but it's usually done by the IT team or the partner doing their IT, uh, and it's usually, like, it's pretty lightweight, it's a couple of buttons to click and do the enclaves to create, but that's plug and play as we can, um, is what we're aiming for. One other example that we have is with one of the, uh, a navy that has ships, and thinking about the same kind of dynamic is like, those ships were built to be air gap, they're on the water, they're not connected to the network, but starting to realize now you have unmanned systems that are connected to them, or you're going for maintenance, and so you have people that are gaining access, and so the risk for these extremely expensive boats, uh, is also cyber today, and so they need solutions to do that, and the country wire, they can't pierce holes in the boat to just, like, push cables around. So that's another example, kind of more at the high end of the spectrum, about those really, really expensive systems that they need to be secured, um, because this is just a shift that we have in the market.
Steven Cooperman
So do I just need one box, let's say it's a ship, or do I need multiple? You know, how does that work?
Florian Doumenc
So it's usually one appliance. So this is a small appliance for smaller sites, and then there's a larger one for larger sites that have, like, redundancies and stuff like that. Uh, it's also a network equipment, so the same way as, like, firewall and switches, you're usually looking at an architecture with redundancy, so that if someone fails there's, like, failover systems. Um, so it's like between one or two, it depends on kind of the architecture work that we can do. Um
Marc Hoover
Yeah, and all this is managed through, um, a very easy to use user interface, and that's, uh, so for that manufacturing example, that small IT team that's, you know, sitting in a server room, that's got plenty of help desk tickets that they're answering, um, that they're not overburdened with this extra work, it makes it much more streamlined for them to can do all their, uh, controls that they need to, and then same for that bigger, whether it's enterprise or on a navy vessel, to be able to use that same interface but, um, with way more system. So I think
Steven Cooperman
that's key. Just to reiterate, the Trout appliances never talk to the outside world. Yeah. The box itself could not be compromised, right? Um, it's under the control of the enterprise with regards to even maintaining, you know, firmware upgrades, so there's no risk of appliance itself being
Florian Doumenc
being compromised. There's always a risk in cyber days, they can, when I walk into the room and hammer the things down, so it's not a zero, there is less risk, and that's why we built it really for critical infrastructure, for different systems. So it's on premise, there is no cloud connectivity, the hardware is physical, the upgrade is physical upgrade, you have dedicated port for admin, so we build a lot of security in it. Is risk zero doesn't exist in cyber, and that's the way we should all think about it, but I think we did a pretty good job together, as close as we can. So, uh, there's an
Steven Cooperman
organization, uh, that wanted to do a proof of value, a proof of concept, um, is that possible with Trout?
Florian Doumenc
It's possible with us and our partners, and that's what we like in this building also today. So there is really the ability to bring a box inside, connect it to the network and then start to create these enclaves. One of the key strengths of this technology is that this is not a rip and replace: you don't need to shut your production down and then install the new system. So it's really elegant to let it plug it aside, see the network, create your bubbles, and then start to use them and evaluate if it's a fit, and if it's a fit then you move from this proof of value to a deployment, and that's what we do with every company. And the proof of value can be a couple of weeks; that's usually a good time to create an inventory, create those enclaves and test the system or stress test the
Steven Cooperman
system which is there. So that's another key point, that you're not installing any agents or anything on those operational environments, so there's no impact, uh, uptime or, that's correct, their functionality. Um, you're just detecting, you know, threats or, uh, mitigating or blocking
Florian Doumenc
threats before they even get in. Exactly, so there's two kind of technology pillar. There is the one that's called software defined networking, and that's how we allow to have no agents and no rip and replace, and then the second set of technology that we have is proxy security, which is, with this bubble we kind of look at everything that happens or that try to move on the network and allow them or not, and that's really how we allow this level of protection that usually you
Marc Hoover
need an agent for, but we don't need in this case. And it's still, and by doing that it's preventing any lateral movement across the network. We talked about, though, there's always a risk in cyber, so somebody could always get their hands on something, um, but in the event that a piece of OT equipment or IT equipment was compromised, that hacker isn't able to move laterally across the network, because they're not going to be able to get out of that secure bubble
Steven Cooperman
surrounding it. Yeah, I don't know if you guys have seen this, but, you know, perhaps in organizations their cyber insurance could go down because this makes their posture even that much stronger, so probably something we should think about as we go forward, which leads to another question. So this is, it's not emerging technology, this works today, but what is the future for zero trust and operational, I mean, how do you see this progressing, how do you see Trout progressing? Um, you know, what is the ultimate state of protecting OT environments? Yeah, yeah, I think it's a, there's a lot of work, and
Florian Doumenc
I think that's the realization come from this, is like, there's way more connected systems that we think, and they're all an entry door, and the notion of lateral movement that Marc had was like, it's perfect, like, their entry door for the rest of the system. So I think the goal for us is that we can cover a lot of the OT footprints, um, and secure them, and having thousands of sites that are powered by Access Gate and our technology would be really the goal of what
Marc Hoover
And, uh, the Department of War has really pushed an initiative of zero trust, and part of where we fit into that, uh, that puzzle is that zero trust in the cloud has been established for quite some time, it's effective, um, but they're still on-premise, and a lot of times there's a hybrid situation where they have some cloud, uh, security but they still have these on-premise systems that need, so that's a major gap that we're trying, there's a lot of work to do there. So
Florian Doumenc
enough to do for the next 20 years, I think. Yeah, yeah. So, you know, one of the things we
Steven Cooperman
do at Scoop Cyber is that a lot of the solutions, um, obviously you're here with Scoop today because we've seen it in action, it works, and, you know, it can be deployed, and we're also seeing the topic of protecting zero trust for OT increasing every day. It's something, it's not a nice to have, it's a must-have, and I think, you know, working with Trout, uh, would be, you know, recommended for any organization. Again, it could be start out with just some education around this topic; we're happy to do lunch and learns, webinars, uh, potentially pilots, uh, to move this forward, on very accessible team as you can see. So before we wrap up, anything we haven't covered or just, you know, closing thoughts from you guys? I just say that, you know, uh, things I think
Marc Hoover
as a culture and a community in this space, I think this is becoming more common and people are going to start getting used to it. These things take time to be, uh, part of your everyday life, um, but I definitely think that that's happening, um, especially as these pushes for zero trust and compliance become the norm. Um, I think, uh, solutions like Trout are going to be more and more relevant.
Florian Doumenc
Yeah, and more and more relevant because I think we're seeing digitalization and AI kind of like impacting everything, yeah, and so you will have more and more access to the cloud and, like, different systems that interact with each other, with or without humans in the middle, which is a big, like, risk and things that can change. So I think this notion of zero trust, building bubbles around your key systems, um, is definitely present and super exciting to work on, so
Steven Cooperman
happy to be here. That's awesome, guys. So I'd like to thank, you know, everybody out there that listened to this podcast. I know every time I talk to you guys I learn a lot, and hopefully everybody felt the same. Um, I'd like to thank Carahsoft and the whole team here, and, you know, thank you guys for a very engaging, interesting conversation.