- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Today we are excited to announce the general availability of the capability to extend our Zero Trust OT Security solution to air gapped environments. As part of that solution, our cloud-delivered service — Industrial OT Security — delivers comprehensive visibility, risk monitoring and security for OT assets and networks. This is a significant step forward for the industry as it allows customers that prefer to use air gaps to continue meeting their regulatory and other cyber security requirements. They can also leverage the power of the cloud to get the best possible security so they can accelerate their OT digital transformations with confidence.
With these new capabilities, organizations can deploy Industrial OT Security utilizing a telemetry gateway. This forwards low-risk security telemetry data, such as Enhanced Application Logs (EAL), from isolated OT networks, to Industrial OT Security, our cloud-delivered service that delivers comprehensive visibility, risk monitoring and security for OT assets and networks. This process is all completed without a direct Internet connection to OT NGFWs, meaning that Zero Trust OT Security can deliver the best of both worlds.
In this blog post we want to dive a little deeper on how these capabilities work.
Most customers we talk to who are looking to extend Zero Trust OT Security to their air gap environments want to realize the benefits of cloud based cyber security solutions to enable real-time and enterprise wide experiences and visibility. Real-time security in OT networks requires real-time streaming of security telemetry data to our Industrial OT Security and Advanced Threat Prevention security services. We provide a secure telemetry data streaming architecture to deliver NGFW security telemetry data, such as EAL logs, to our security cloud services from air-gapped OT environments without direct Internet connections.
The Palo Alto Networks NGFWs deployed in the OT environment send security telemetry data to one or more cascaded telemetry gateways. These telemetry gateways are a single path of egress out of the OT network and forward the required logs to Palo Alto Networks’ cloud security solutions such as Industrial OT Security. Cloud delivered security solutions from Palo Alto Networks utilize cloud scale compute to power AI/ML models enabling secure OT asset discovery, identification, risk and behavior insights, and advanced threat detections; this is something that cannot be done cost effectively with on-premise solutions. Customers can leverage existing iDMZ and IT NGFWs or deploy purpose-built NGFWs as telemetry gateways.
Here are some key takeaways of Industrial OT Security capabilities and how we ensure a secure stack is being delivered:
The telemetry gateways are hardened Palo Alto Network NGFWs that have already been certified in OT and IT environments, and are familiar to network security teams. Security policies typically implemented by NGFWs can be leveraged to control and secure the traffic traversing through the telemetry gateway. Common examples of these security measures are zone and Device-ID based policies, security profiles for threat prevention and URL filtering. Additionally, telemetry gateways eliminate direct, inbound Internet connections to the OT NGFW. Customers can increase the depth of their logical OT air gap between OT and IT networks by implementing cascading OT and IT gateways to provide further segmentation of control and ensure that no inbound traffic hits the OT telemetry gateway.
The telemetry gateway allows secure outbound mTLS connections between the OT NGFWs and the Industrial OT Security cloud without any need for decryption while allowing OT NGFWs to get Device-ID policies and device verdicts from Industrial OT Security. This allows customers to maintain a logical air gap between their OT network and other external or IT networks to adhere to strict OT compliance requirements all while realizing the benefits of cloud scale cyber security solutions. NGFW functions such as policy enforcement, threat detection and prevention will continue to operate even if the upstream telemetry connection goes down.
Industrial OT Security receives security logs from the telemetry gateways where that data is processed and stored in a region of the customer’s choosing (e.g. US-West, UK, Singapore, etc.). Any data stored on, or processed by Palo Alto Networks systems is secured with rigorous technical and organizational security controls. Palo Alto Networks has achieved SOC 2 Type II Plus certification for IoT/OT Security to demonstrate its strong security policies and internal controls. For more information please see the IoT/OT Security Privacy Data Sheet.
Telemetry gateways require 4th generation NGFW (PA-1400 series, PA-3400 series, vm-300, vm-500, vm-700) running PAN-OS version 11.0.1-h2 or later and a web proxy license.
Prerequisites for installing the Industrial OT Security subscription on OT NGFWs can be found HERE.
We hope you find the new deployment model for air gap capabilities using a telemetry gateway helpful! We are glad our customers can now extend Zero Trust Security capabilities to meet their air gap requirements.
To learn more, check out our Zero Trust OT Security and Industrial OT Security pages. You can contact us here.
As always, we welcome all comments and feedback in the comments section below.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
3 Likes | |
2 Likes | |
1 Like | |
1 Like |