EP009b: IIoT Security - An Interview with WIBU's Oliver Winzenried
Jul 05, 2017
The recent spate of cyberattacks including the WannaCry ransomware attack that crippled numerous institutions worldwide has put cybersecurity on the top of people’s minds. In the second installment of this three-part series, WIBU-Systems' Oliver Winzenried elaborates on the use cases and market developments for cybersecurity in the Industrial IoT space.
Erik: Hello, I'm Erik Walenza, founder of IoT One and this is the Industrial IoT Spotlight. Every episode I interview one expert about a project that is impacting businesses today. Visit us at Iotone.com to learn more, or email me to start a discussion.
Okay, welcome back to the Industrial IoT Spotlight. I'm joined again by Oliver Winzenried, who previously gave a detailed introduction to his company WIBU-Systems. We're now going to move to the topic of use cases and market developments for cybersecurity in the industrial IoT space. Oliver, within the industrial IoT space, how would you segment out the most important use cases?
Oliver: Today, use cases are really in all kinds of industries because digitization and connectivity can be seen everywhere. It's in terms of actuators in applications in industrial automation and healthcare, transportation, smart building. It's in retail and banking, gaming, you have applications in face recognition and so on. So lots of things and everywhere, monetization of these features and functionality was that where software licensing is possible.
Erik: So if I look at your solution portfolio, so number one, licensing, how would you segment out the market? I think we've talked previously about licensing, we've talked about protection, we've talked about security, are those the three segments that you divide your market into? Would you fragment them more? Or do you use a different map to visualize what the cybersecurity market looks like?
Oliver: The three topics you have mentioned: protection, licensing and security are three different tasks. All of them can be solved with cryptographic technology and with our solutions. And the security is the one, so tamper protection, cybersecurity is the one. I would say it's a must to benefit from digitization with new business models. And without having security in place, reliable operation of any kind of system will not be possible.
So it makes it more like a Russian Roulette instead of reliable operation, which is in some areas, it's really critical if you are thinking on critical infrastructure like power or water supply, if you are thinking on manufacturing processes, not on these three processes, but in the process industry where you cannot simply shut off something to reach the safe state or in aerospace airplanes, you cannot simply shut off if something is going wrong; you need to operate to keep the system in a secure state.
So security is really something that is a must. And the protection against counterfeiting, the protection against reverse engineering is something that improves the security implementation and also stands for the business success of the manufacturers. And licensing, of course, is the most important mechanism to monetize the data and the software. And that is not only benefit of the manufacturer, it also offers users a lot of benefits.
Erik: So if I were to summarize, I would say that security is protecting against cyberattacks and so it's a fundamental requirement to protect your users, also to protect yourself from lawsuits. Protection is about protecting your business from reverse engineering, counterfeiting and so forth. And then licensing is about enabling new business models or allowing yourself to monetize your technology. Is that a fair summarization of those three uses or those three ways to use your technology?
Oliver: Yes, Erik, that's a perfect summary. And let's have a look on the user benefits for that. So with licensing, the user can purchase tailored products. So he needs to pay only for the required features. Nevertheless, having his investment in a product future proof because if you know that he can purchase the product in a modular way, he can upgrade functions required at a later time easily. So that is something for the user is a big benefit. And having this security and protection mechanisms implemented in the product is also an important user benefit that makes sure that the device or the system at all is working reliable and secure.
And for the device manufacturer, that's a benefit as well. So if he can develop his products in a modular way, he can go to the market much earlier because he was this concept. He can start to go to the market with a product with the basic functionality and so have a faster return of invest. Because he's going to the market earlier, you can collect market feedback at an earlier time. Then at a later time, he can create the recurring revenues with selling features at a later time. And these features he can also sell in different licensing models. He can sell for a one-time payment.
But like in the past, physical devices are always sold some one-time payment, but with software realized features he can offer to his customers, to his users pay per use models, he can offer subscription models. So he's very flexible in that and so that gives benefits for the users and the manufacturers.
Erik: And what is the technology suite behind each of these uses? Is it a very similar suite of technologies but we're just using different software to provide different results? Or are they using fundamentally different hardware, for example, or fundamentally different software models? For example, if I'm looking at protecting against reverse engineering and protecting against a cyberattack, to me as a non-expert, those seem like very similar things. Now, the intent of the criminal or the actor is different. But from a protection standpoint, intuitively, I would think that those are similar. Am I right? Or are they fundamentally different in some aspects in terms of the technology involved?
Oliver: It's a little bit different in terms of the technology involved. So the licensing and IP protection is done by symmetric encryption. So for example, AES, an encryption algorithm, is used to encrypt the data, while integrity protection and tamper protection has many different aspects. But one major technology is digitally signing the data, digitally signing the software so that the receiving device can evaluate signature and make sure that it's not changed, not tampered. And it's really coming from an authorized party, that's also important for medical equipment. If you do a software or firmware update, the device must make sure that it's not coming from like a virus from somebody who is not authorized, but it's coming only from the manufacturer itself and that is correctly. So that is the basic mechanisms.
But for device manufacturers to realize this security by design into his products, it's of course much, much easier if it's already provided by the tools they are using. So for example, if somebody is using PLCs in his machines, it makes it much, much easier if the development tools for the PLC which are in many cases proprietary solutions, if they already have foreseen this protection and licensing technology so that it can be easily used by the machine maker or if you are developing IoT device, cyber physical system, so mostly it's based on operating systems and on some standard platforms with for example, ARM-based CPUs or Intel-based CPUs on the one side and standard operating systems. And then the integration is much, much easier if this operating system workbenches and development tools have foreseen the technologies already.
And the other platforms when using standard hardware platforms, some hardware platforms already include secure elements like coordinators embedded in all control, embedded computing technology devices, CPU models and ports or TPM is integrated in many things. So these standards are coming compared to the past where people have developed all their software from the scratch from each and buy it directly to the CPU and have built completely individualized hardware.
Today, most devices starting from a standard hardware platform and they are starting from this standard operating systems or development tools, so that makes it much easier for the manufacturers to integrate all the complex mechanisms without becoming specialists in all different topics.
Erik: If I look at the news lately, because it may be because of the rise of startups as a basically an R&D model for larger companies are to an extent reducing internal innovation efforts because of the success in acquiring startups who are often quite efficient at validating a product. But then you're seeing that the startups are, they don't have a brand behind them, they might rush a product to market. And we're seeing some fairly significant security lapses.
In the B2B space, you haven't seen necessarily as many of these product launch security lapses. But you have seen a lot of delays in terms of expectation, delays in terms of adoption by industrial end users because of concerns. And you've also seen some fairly high profile industrial espionage cases which looked like they might have a government actor behind them. Where are we in terms of forward or backward progress in terms of overall security? Are we moving into a world where because of the rapid change and rapid entry of new technologies to the market we're somewhat less secure overall in terms of our infrastructure? Or is that maybe a bit of overhyped by the media a preference for identifying worst cases and failures and not an accurate representation? Where would you say we are in terms of overall security and the direction that we're moving in the industrial IoT market today?
Oliver: I think we are in the middle. So in some cases, what you can read in the press and what it's published, it's really the truth because people and companies are not taking enough care about the security issues, in other issues they really already do. So I think we are in the middle and there will be never a 100% security. But also, the governments take the responsibility and role in creating rules for systems that are really used in particularly infrastructures.
The awareness for security is highly increasing. So all the accidents that are happening, of course, they take their role. It's not only technical. And the technology is available. The technology needs to be implemented in all the systems. And also, the awareness of the people needs to increase; the people need to be trained, especially also in the consumer area, so that they are a little bit aware of what they should do and what they should not do.
So we see that the implementation of security mechanisms into products will be much faster if the result is not only security. It’s the same mechanisms can be used for securing the device, but also to do some licensing and realize new business models, which immediately is seen as a benefit and can create new revenues and new business opportunities, then the speed of adaptation and the speed of integration is much, much higher.
Erik: Blockchain, some people, there's a certain following of blockchain, which are extremely passionate, and see it somewhat as the missing puzzle piece that's going to address security concerns when adequately implemented. Others see it as one technology in a suite of solutions that will help in some specific areas. In the security frame, do you see blockchain as a game changer in terms of enabling a higher level of security? Or are you more and more skeptical in terms of its broad applicability to the challenges of securing systems?
Oliver: I would say it depends on the application. The blockchain is an excellent technology. Bitcoin is only one sample that blockchain technology is used. And if you're doing something like smart contracts or if you want to automate these things by really have a chain, then blockchain is good technology for making that secure. Especially if you have a lot of transactions that are in follow, and you can make sure that not most of the transactions are recorded through systems that belong to one party.
So if one party has the majority of systems that all the transactions are recorded, then of course the security will be weakened. Because the basic principle is that you have in that chain many different parties that do the recording that cannot be manipulated individually and so that makes it secure. And there are many applications blockchain is really excellent technology and that's an excellent new opportunity. I'm quite sure that we will see blockchain applications in the future in many areas.
Now, in the area of IoT, I would say that there must be something like root of trust. And that is something that needs to be in every device. So there might be a combination of some basic cryptographic secure key storage applications and blockchain. But this root of trust is in the IoT market, always necessary. So blockchain alone, in my opinion, cannot solve this issue.
Erik: Is that the concept of having basically a physically embedded component that contains the keys in every device? So can you explain a bit more that concept?
Oliver: Yeah. So having a unique identity can be a unique identity that is inside of the CPU and IoT devices, or having a secure element like a TPM module or code metal chip on the device, that's the trust of security value that you build on.
Erik: So you'd mentioned in our previous discussion that you have a three year product development pipeline that in terms of your vision, you're looking more out into 6-10 years? What are you planning for in the future? Where do you see WIBUs market going? Are there particular new technologies that you're personally excited about developing solutions around? Or are there new problems or new markets that your team is expecting to develop in the coming five year horizon?
Oliver: Well, we are working for the next five years is more sophisticated, cloud-based tracking of software realized features connected devices, so not only the license deployment, which is already available in cloud-based solutions from our side today. Having the tracking that you can create flexible billing and solutions for the manufacturers, that's one step. The other step is keeping track with the security requirements and updating the security mechanisms so that they keep a high level of security against the better attack methods.
And we want to supply our secure elements in a more and more flexible way besides the support of technologies that are coming from the CPU vendors and are integrated in all the CPUs, like I mentioned before the TrustZone from ARM or SGX from Intel. So for mass products in sensors and actuators in high volumes, low cost products, or maybe in bicycles from Ofo and Mobike, these security mechanisms can be implemented in a very cost efficient way.
Erik: Oliver, thanks so much for this follow up conversation on use cases and the market. Our next conversation is going to dig a bit more into your specific case studies looking at what an actual implementation looks like from your perspective and your customer’s perspective. Before we move on, I know you've recently published a white paper on IoT security and licensing, can you please share that with our audience? Because as you noted, this is as much as a technical issue. It's also a behavioral and an organizational issue when it comes to securing technologies for your customers and for your own operations.
Oliver: Yes, I'm very happy to do that. So we have a white paper about IoT security and licensing, that can be downloaded from the following short link. It's s.wibu.com/iotwp. That covers most of the requirements and topics in detail that we have discussed in the last 10 minutes. Thank you very much.
Erik: Thank you, Oliver.
Thanks for tuning in to another edition of the Industrial IoT Spotlight. Don't forget to follow us on Twitter at IoTONEHQ and to check out our database of case studies on IoTone.com. We help to accelerate digital transformation by advising business leaders on how to integrate IoT technologies into their operations and products. We appreciate your thoughts, suggestions, and of course, your reviews. And if you have an interesting project, we would love to feature you on a future edition. Write me at erik.walenza@IoTone.com.