Kutoa is a newly formed company whose purpose is to help clients with cyber-physical environments “build cybersecurity capacity”, as explained by Dave Cullen, one of their four founding partners. “Our approach is that we don’t have only ‘an OT environment to secure’, but rather, ‘a connected organization to serve.’”
While they officially launched in January of 2024, they had already been at work on technical development for some time — an important part of which included becoming a TXOne Certified Partner.
To serve their customers, Kutoa focuses on three primary areas: OT Assessment, Advisory Services, and Managed Services.
OT assessments include compliance, network, and maturity assessments. “We provide a clear picture of a customer’s environment and assets,” Dave said. “Many of the companies we help are just starting out on their security journey, and the results of these assessments are helpful to inform their next steps.”
“Many customers have also asked us to provide secure network architecture, secure product development guidance, and project expertise. Those are all areas we serve with our Advisory Services. We recognize each customer is unique and tailor these appropriately to wherever the customer is in their security journey.”
Kutoa’s Managed Services go a step further. “Many companies seek visibility into asset inventory, vulnerabilities, and so forth, but they struggle to deploy the tools.” Dave is referring to any number of tools that are well-established but not fully operationalized. “Our knowledge and expertise encompass both OT and IT. We have deep IT background on our team and know how to manage the unique aspects of both these areas.”
The Kutoa team brings wide-ranging industry expertise, including global manufacturing, transportation, smart buildings, national security infrastructure, product development, and SCADA infrastructure in various applications. The founders of the firm have both technical and leadership backgrounds, spanning multiple engineering disciplines and verticals.
Focused on the Intersection of People, Process, and Technology
“We listen to our customers and focus on the intersection where people, process, and technology meet. That’s where our services create tremendous value and impact,” Dave said.
“OT has many legacy processes,” he added, explaining that people have many preconceptions of how OT security is supposed to look. “We’ve seen too many times that OT security is treated as a technology-first discussion, rather than considering the intersection of people, process, and technology to achieve the desired security posture in a cohesive and efficient way.”
TXOne Technology Accelerates Kutoa’s Impact
Dave first learned about TXOne while exploring partnership opportunities in a previous role, and he came to a fast realization: “TXOne’s technology has a unique ability to make a positive impact, and very quickly.”
“I had enough initial exposure to TXOne technology through those first interactions that I kept following the organization. I got to know the people, and as soon as we started building Kutoa, TXOne was one of the first calls I made,” Dave explained.
“Things tend to move slowly in OT security,” Dave said. “The evaluation and procurement process, the deployment cycle and update cycle. Environments that have existed for a very long time are the organization’s profit center and must run 24/7. ‘Don’t tamper. Don’t change. Don’t whatever.’” This posture inevitably leaves large security gaps.
“These gaps aren’t getting addressed quickly enough to secure the environment. That’s where TXOne is unique. We can deploy the technology, make a meaningful improvement in the security posture, and reduce risk very quickly,” he said. “We recognize the importance of Safety and Availability and focus on a collaborative approach to improve the security posture.”
By deploying TXOne technology, his team can make a meaningful impact on OT security in as little as 90 days. “Ninety days is still quite a feat in these environments, but once it’s up and running, we can make iterative improvements and build a strategic plan to mature the program from there,” he said.
TXOne Is Purpose-Built for OT
“Often, organizations still have cyber defenses that came from IT or are built with IT underpinnings. They don’t have OT-native awareness,” he explained. “These IT defenses can be difficult to operationalize in the OT environment. They are overly complicated and often have difficulty dealing with the unique aspects and different priorities of OT.” Because TXOne is purpose-built for OT, it has none of those shortcomings.
Dave cites TXOne’s “OT protocol awareness while not sacrificing IT-specific capabilities” as a key feature. “It can handle both,” he said. “It has the awareness of the network and blends in well with all the core network functions you would expect if you were the IT person. But it also has OT protocol awareness and knows how things interact,” he added. TXOne’s ability to keep learning is equally important. “You can be cautious, iterative, and intentional in how you deploy the equipment, gaining visibility into the environment and enabling functionality as you’re comfortable. That has a lot of value,” he said.
“I really love Portable Inspector,” Dave mentioned, “especially from an assessor point of view, because the installation-free USB device allows us to quickly scan any Windows or Linux device, safely encrypt and quarantine any malware for further analysis, collect asset information, and consolidate the results into a central dashboard.” In addition to facilitating assessments, the USB devices can be used for rapid scanning and certification of air-gapped devices or any equipment entering the security envelope of the organization, in an auditable manner.
Detection Plus Protection
One of Dave’s concerns is that many systems are detection-focused, and once a threat has been detected in the cyber-physical environment, it’s difficult to eradicate.
In fact, Dave finds that one of the biggest misconceptions in OT security is that “a passive-only approach is what works”. This approach uses an IDS (intrusion detection system) to monitor network traffic and provide alerts about possible threats, but it doesn’t take action to prevent threats from being realized. Kutoa can work with passive-only methods but is always clear on the limitations of such an approach.
“It’s better to protect,” he believes. “It’s better to prevent threats from entering the system and migrating.” That’s where Dave finds the protection of TXOne’s Edge and Edge Fire IPS-based (intrusion prevention system) product line is stronger than the more passive IDS-based solutions that observe but aren’t often configured to step in and protect.
Change Happens
“Networks are constantly changing, and people connect devices with a field-it-fast, fix-it-later approach”, says Dave. TXOne’s EdgeIPS and Edge Fire have auto-learning capabilities that listen and learn ICS protocols and the functions from the actual cyber-physical environment, providing ongoing baseline protection that lets users focus on core business operations instead of on complex security processes or configurations.
Endpoints must be protected, too, and Dave finds TXOne’s Stellar very effective for that.
“With Stellar, we can lock down ports. We lock down USB devices and have centralized visibility into the security state of each endpoint. It’s not difficult to do,” he said, “But organizations still aren’t doing it, often because a vendor or an OEM provided an engineer with a new asset that needs to perform a function, but the engineer didn’t have the context or simply wasn’t collaborating with the necessary people to appropriately secure the device.”
The focus on protecting cyber-physical systems, providing security and visibility of endpoints, and managing change while maintaining operational resilience is another example of how TXOne’s solutions provide value to Kutoa’s customers.
A Call to Action for OT Security
“Who owns the risk?” Dave likes to ask. If there was a cyber event impacting your DCS or SCADA systems or stopping your production line, who owns that risk? The question often goes unanswered in an organization as people assume, “It must be somebody else”.
Dave believes the risk question should spark important discussions between Plant Managers, Safety Leaders, Process Automation Teams, IT Security, and other stakeholders to understand the risk, take ownership, and mitigate the risk to an acceptable level for the organization.
“TXOne’s Edge, Stellar, and Portable Inspector solutions allow us to secure an environment safely and quickly. Then, we continue to refine the security posture and address all the issues we found during the initial assessment,” he concluded.
Learn more about Kutoa and its implementation services for TXOne solutions at www.kutoatech.com.