EP009c: IIoT Security - An Interview with WIBU's Oliver Winzenried
|Jul 05, 2017|
The recent spate of cyberattacks, including the WannaCry ransomware attack that crippled numerous institutions worldwide, has put cybersecurity at the top of people's minds. WIBU-Systems is an industry leader in providing security solutions for the Industrial IoT. In the final installment of this three-part series, WIBU-Systems' Oliver Winzenried takes a deep dive into cybersecurity case studies from B&R and Rockwell Automation.
Erik: Hello, I'm Erik Walenza, founder of IoT ONE, and this is the Industrial IoT Spotlight. Every episode I interview one expert about a project that is impacting businesses today. Visit us at IoTOne.com to learn more, or email me to start a discussion.
Now we're going to deep dive into a couple of case studies, looking at B&R and Rockwell Automation. Oliver, let's kick off on the B&R case study. Can you give us a quick overview of the business challenge, or the objective, that you were helping to address? Then we can get more into the actual solution and the technology involved.
Oliver: So the use of protection, licensing and security technologies in industrial automation offers benefits for multiple parties. The main benefit, and the main driver for integrating protection, licensing and security into PLCs and their development tools, is protecting the OEM's intellectual property. So the machine maker using a PLC in his system wants to make sure that his USPs and his technology are protected against reverse engineering and against copying, and also that he can get new, flexible license models for his products, for his machine. So selling the machine to the buyers not as a one-time sale, but taking the chances of the new business models, is a very important step.
For example, let's have a look at machines that produce compressed air. So in the past, they have been sold at a one-time fee, and the machine maker also sells maintenance and support for that. And that is changing today to really making a pay-per-use model, calculating and charging the user on the amount of air that is delivered by the machine. That's one sample. And to realize that in the control systems, in the PLCs in such a machine, there must be measurement for that, there must be integration, and that must be automated in the process.
And that is something that B&R is providing for their customers. So they have integrated in Automation Studio, that's the development tool from B&R for the PLCs, the option that the OEM using these PLCs can protect his software running on the PLC, and he can create many license models for that: he can enable or disable a software-realized feature in the machine, he can use pay-per-use mechanisms, really measuring the use, measuring the power and the deliverable of the machine. He can do subscription models. He can do that very flexibly for his products.
So that's one of the major drivers for integrating protection technology in the development tools and in the controllers: the OEM integrating these devices in his machines can benefit from these new opportunities and can also integrate it in his business process. But also the manufacturer of the PLC itself and the development tools, like B&R in that case, can benefit, because they can do licensing for some special development tool features in a flexible way, and they can also control runtime features in their PLC, like the number of axes in a controller. Like pay-per-use models for some long-time features in a PLC, they can make sure that they conform to export compliance requirements. If some sophisticated PLC feature is subject to export restrictions, they can handle that so that they have control over who can use it and how it can be used, and they protect their IP as well. So that opens opportunities for PLC vendors like B&R and additionally for the OEMs integrating them in machines.
Erik: I think it shows how interconnected core technology providers like WIBU are now becoming with the end users, in that you're now enabling new business models two steps down the line, in terms of the equipment owners and operators. What is the product development or the product consultation role then for WIBU? Are there solutions that you're providing, for example, in this case to B&R? Is this more or less a plug-and-play solution where you have the licensing technology and more or less what their customer requires in terms of licensing, and you're able to sell through? Or does it require consultation with B&R, potentially with their customers, and customizing of the solution you're providing to meet the licensing needs of this end customer?
Oliver: So in fact, we need the B&R customers, or some key customers with key requirements. Because we are not experts in the automation industry; we are experts in our protection, licensing and security solutions, but not in the application of our customers, so we need them to understand that. Mainly B&R or Rockwell Automation needs to understand it, but we also need to understand it to help implement it in the right way. And definitely it requires some kind of customization, because the final solution doesn't show up to the users, or to the B&R customers, as a WIBU CodeMeter solution where they have to integrate a lot of things; it shows up as a B&R solution or the Rockwell Automation solution.
So they integrated it with their ERP system, with SAP or whatever they are using; they integrated it in their e-commerce portal, in their platform on the internet. So it requires some customization. Of course, I would say it's all based on our standard basic product and technology, which is 90% of the solution, and 10% of the solution is then adapted and customized so that it has the right look and feel and is a perfect fit for the requirements.
So one sample of that, which is used on a large scale, is the so-called content license portal operated by Rockwell Automation. In the past, if a machine maker had developed software to control his machine within the development tools of Rockwell, the machine maker could specify, for each piece of PLC code and data used in the control equipment, who has the right to read it, who has the right to modify it, and so on. And that ended up in the past with a long list of passwords that had to be transmitted to service technicians who are in a factory in India or wherever, doing some maintenance and doing some special things.
And of course, it's not convenient to have all these maybe 50 passwords for doing service on one machine or one factory. On the other side, if the password is the same and service technicians often go to the same factory, it's hard for them to hide it from the technicians of the customer and other service people in the factory itself.
So they have changed this in a way that these rights to access the content are stored in our CodeMeter licensing system, which can be software-based on the development PC or can be in a token, like a USB token from your online banking, that the service technician takes, and these rights to access and to use the content are distributed over a cloud-based solution. So service technicians somewhere in the world, when they do the service, automatically get the necessary rights for the content they need to read or need to modify. And they can get these rights in a time-limited way.
So for example, after one week or two weeks, they expire automatically again. And this cloud-based content license portal simplifies the usage and increases the security for the access. And that is a very good sample of something that will be coming more and more, because more and more data and content is of very high value in the production process that is handled by this control equipment. Looking again at, for example, additive manufacturing models, 3D printing, well, most of the product definition is contained in the data.
Erik: I was speaking recently in China with a rather large German software company; they have a cloud-based solution. They've been having a very difficult time getting it adopted in China because of some of China's cybersecurity regulations. But I would say even globally, especially public cloud solutions have had an uphill battle because of, perhaps the misperception, but in any case the perception of security concerns. Let's handle this at the global level first, and if you could also address the market in China specifically: what are you seeing globally in terms of the adoption rate for cloud-based solutions, as opposed to your more typical solutions? And then could you also apply that question to China?
Oliver: I see increasing acceptance of cloud-based solutions. Sometimes people don't like to use a cloud-based solution, but sometimes the data protection argument is only, in many cases, in my opinion, said because they are not ready to use a cloud-based solution and they want to have a good argument why they are not doing that.
So I see increasing acceptance, and I also see a decreasing risk when security mechanisms are implemented in the right way. Because then what's most important for the cloud and for the cloud operators is that they are very reliable, so they must be up 24 hours a day, continuously, all the time, so that from every location you can reliably access your data anytime. But if you're using security mechanisms and storing data in the cloud in a protected way, keeping the keys for the data and for the content at your site, then you are at no risk in terms of data privacy or data protection. So that is something that is technically possible.
Looking specially at China with the cybersecurity law, I'm not completely sure if I understood what the impact is for the future. But even a cloud solution, at some point, comes to a data center where the data is stored and where the data access is done. And if I'm looking at WIBU-Systems, we have, for example, our content management system and our system for our customers for technical support, for the website, for downloading the software. We have locally hosted that in China. We have a master system based in our headquarters in Germany, synchronizing the data regularly, but having the solution for the Chinese market hosted in China so that we have a very reliable and very high-speed quality for our customers that access the system.
And that might apply for many other systems as well. If there's personal data involved, there might be data protection requirements from the governments in Europe, in Germany, in the US, in China. And that is understandable. If it's going to a licensing system, so industrial control or IoT management systems, it's not only a question of these legal requirements for personal data, but it's also a question of reliability and performance that makes it sensible to have a cloud-based solution distributed in several areas and synchronized every few hours, because synchronization is necessary.
Erik: Actually, I've had two conversations with companies, really $40 billion plus a year companies, recently who are launching cloud-based solutions. And neither of them had a partner in China, but they were trying to enter the market. And the question for me was, why? You have the resources, you have had operations in China for the past 20 plus years, but you don't have a cloud partner in China. So I'm wondering whether there is a dissonance, where the executives at headquarters simply don't understand the implications of the regulation and aren't working with their local teams to quickly set up a solution. It seems odd, I would say. But I know this is a bit outside of your expertise. You have your local operations, you're syncing with headquarters; that's certainly best practice.
Oliver, can you give me a high-level estimate of where we are today in terms of cloud security adoption? Are we looking at 3% or 5% or 8%, or are we looking at 20%, 30%, 40% of the global market? Meaning, is this still kind of a niche technology that's being adopted? Or are we already reaching the point where this is very widely adopted by companies for security specifically?
Oliver: Yeah, that's very hard to say. And it very much depends on the use case. So there are consumer use cases that are very much cloud-based, of course, and there are industrial use cases, some maybe as well. But I think we are still at the beginning. So I cannot tell you a percentage, if it's 2% or 5%, if you're looking at our business with protection and licensing and license entitlement with our [inaudible 17:12] license center.
Looking two or three years ago, with Chinese manufacturers, it doesn't matter if it's medical devices, if it's camera vision systems for supervision, or if it's game machines: nearly nobody asked for integration of this license deployment in the business process, into the ERP system and into a cloud-based system. And today, with every large company in China we are talking to, the integration into the business process is becoming the most important part. And these solutions are always going into an open public cloud, or they are operated by the large ISV or intelligent device manufacturer themselves.
But they want to have everything automated, they want to have it integrated in the business process. Nobody wants to do that manually or ship something; it needs to be done over the internet. And that's a clear shift that we see. So the percentage of cloud-based solutions will for sure increase continuously in the next years.
Erik: You've dealt with companies across every sector. As a last question, can you take a few minutes and share some of the lessons learned? What are some of the mistakes that you've seen customers make in terms of technology adoption and implementation? And what are the lessons that other companies can take away to try to avoid and simplify the implementation of security solutions as they digitalize their products?
Oliver: The requirements may have been different in the past. Coming from PC-based, office-based software licensing, in the past it really has been strict license enforcement. So if the user has purchased 10 floating licenses for usage in the company, for example, and 11 people need to work with the software, that simply has not been possible; it's strictly stopped. And it's a lot like protecting against piracy. While today it's changing, changing in the way that the license models are much, much more flexible. And device manufacturers, independent software vendors, they don't want to stop their customers using their products.
So even if they are using more than they have agreed on in advance, normally today they want to allow the customer to use the product whenever necessary, to the degree they need to use it, but they want to have the option to measure that use so that later this additional usage can be billed to the customer. So what's important is keeping it easy, making it flexible so that they can offer tailored products to the customers, they can be easily upgraded, and creating real benefits for all sides.
In the past, security was not a big issue because the systems were not connected to each other; they were running isolated. So if you have a fence around your factory, that's all you need in security. And maybe you have some people taking care that nobody who is not authorized can come in, and then your machine is operating securely. Today, with Industry 4.0 and with connected, automated production processes, security is necessary so that the systems are running reliably and open.
Another change over the past years, I would say, is that we have been coming from proprietary solutions. Sometimes in the beginning of security, people did something like security by obscurity, so doing something complicated and keeping it secret. But that doesn't work. And in the past it has always been shown that security by obscurity is not working and it can be broken much more easily than it's developed. So relying on open standards, relying on evaluated mechanisms, publicly known principles, that's a very basic principle.
One sample I need to tell at the end is that we developed with KIT, the Karlsruhe Institute of Technology, two years ago, and applied for the German Security Award, the highest award in Germany with 200,000 euro in total awards from [inaudible 22:39], a mechanism that we call Blurry Box cryptography. It's a software protection mechanism where all mechanisms are published, and nevertheless, under certain requirements, we claim that the protection is secure and that, due to the protection, there are no additional faults integrated into the product.
And that is something where we have started a hackers' contest, a public contest to break the security, that ended last Friday. So it ran from May. And we have about 50,000 euro to break a small protected software application on Windows. And now, by the 20th of June, the jury will publish the results of the contest. We are very eager to see if somebody has been able to break it or not. But nevertheless, whatever the result is: if we get no breaks, we will integrate these new technologies in our standard products; if we get some breaks, we need to understand them, improve it and integrate them later in our standard product.
But what I want to say: open and published mechanisms, that is the kind of security that is required for the future, so that auditors have a chance to understand the mechanisms and to audit the whole security solution.
Erik: Oliver, I think that's a great stopping point, actually. Very appreciative of your approach to open-source security. Maybe as a final point, you said June 20th. How can our listeners learn about the results when these are published? Where will these be published?
Oliver: They can have a look at our website for the hackers' competition, that's www.blurrybox.com, BLURRYBOX.com. Of course, they can have a look at www.wibu.com, our company website, where we will publish the results of the contest as well.
Erik: Oliver, thank you so much for sharing. I think it's a fascinating topic. I would say certainly one of the top three topics for industrial IoT is securing these solutions as they come to market. I think you're doing excellent work there. So thank you for sharing your expertise. It's very much appreciated.
Oliver: Yeah, thank you for the discussion and the opportunity. Thanks a lot.
Erik: Thanks for tuning in to another edition of the Industrial IoT Spotlight. Don't forget to follow us on Twitter at IoTONEHQ and to check out our database of case studies on IoTOne.com. We help to accelerate digital transformation by advising business leaders on how to integrate IoT technologies into their operations and products. We appreciate your thoughts, suggestions, and of course, your reviews. And if you have an interesting project, we would love to feature you on a future edition. Write me at erik.walenza@IoTone.com.