IIC x IoT ONE IIoT Spotlight Podcast EP041: Cybersecurity, reliability, and safety in an industrial environment - An Interview with Jesus Molina of Waterfall Security

Oct 18, 2018

*This episode of the Industrial IoT Spotlight Podcast is sponsored by the Industrial Internet Consortium

We discuss the IIC's approach to security in an industrial context. 

What are the differences between consumer-facing and industrial applications of IoT when it comes to security? How did tinkering with a hotel lighting system evolve into securing industrial IoT systems? How should we view security and secure industrial IoT systems?

Jesus Molina discusses his views of security, common misconceptions around cybersecurity, and his approach to securing IoT systems.

Jesus Molina is the Director Of Business Development at Waterfall Security Solutions Ltd. He is also the co-chair of the IIC Security Working Group.

Erik: Welcome back to the IoT Spotlight Podcast. I'm joined today by Jesus Molina. Jesus is the Director of Business Development at Waterfall Security Solutions. He's also the co-chair of the security working group for the Industrial Internet Consortium or the IIC. And today with Jesus, we'll be discussing cybersecurity, and how you can in practical terms, whether you're a device manufacturer or a system integrator or an end user, approach security in an industrial environment where it's closely linked also to the reliability of critical systems and to the safety of people. Jesus, thank you so much for taking the time to talk with us today.

Jesus: Okay, thank you for having me.

Erik: So, Jesus, before we kick off the discussion, can you just give a brief introduction of Waterfall Security, and then why is Waterfall and why are you involved in the Security Working Group at the IIC?

Jesus: Well, let's start with my company, Waterfall Security Solutions. Waterfall Security Solutions is a company that has been around for quite a bit of time. We were founded in 2007. And at the beginning, Waterfall, what we did is to secure nuclear power plants. After some time, the company continued developing its products, and we protect the energy sector. So we went to all the substations etc, to protect that vertical.

In the last 10 years, we have been moving to other verticals. Lately, we are working quite a bit in transportation in [inaudible 13:45] and also in Cigna in systems. But in general, what we always focus here is systems that are not only about the data but are about reliability and safety. So my company works with the premise of protecting systems is more about understanding what you have in your premise and able to send only the information that you require in order to be evaluated rather than having a company [inaudible 14:16].

As you mentioned, I am the chair of the Industrial Internet Consortium in the security working group, and my path to get there, it's a little bit interesting, I believe. So I started this security when I was very young, when I was 18. I did some penetration testing and hacking when I was younger. And at some point, I was so interested that I decided to do a PhD about computer security and computer engineering.

So I did my PhD and I did quite a bit of hardware security. I created the intrusion detection system in hardware and also for my PhD dissertation. I read a waste to evaluate intrusion detection systems, which I think right now is after 15 years, and now it's much rarer than ever because we are seeing all these artificial intelligence, all these companies saying their intrusion detection systems are better than the others because they use machine learning, etc. And that is something that is very good to evaluate. So back then, that's what [inaudible 15:51] evaluate how these work.

As you see this happened writing my dissertation, I was still young, I was like 25. And now, we're back to square one, same thing, how we evaluate these [inaudible 16:13], etc. These things we used to do back then about hardware, about how to defend systems, there’re things come back again to the same place that we were doing so.

So in this path, when I started doing that, research and work first with Fujitsu, for a while I started doing penetration testing of systems such as smart meters. Smart meters were hot, like 10 years ago of one of the first devices that got connected. You have all these smart meters [inaudible 16:47] your house so they start receiving information wirelessly. And interestingly enough, I found a lot of bugs, the first iteration of IoT of how [inaudible 16:58].

One of the bugs they found is a way to kill the electricity of your house remotely. So I was able to find the code that really did the kill switch, [inaudible 17:14] the smart meter. That is interesting because I didn't even know that could be done. So that is interesting, and this little device, the idea here was to receive the data from the smart meter. As it turns out, there was some functionality. So if you don't pay your bills, it can be done remotely and pay your electricity. So it's a consequence of [inaudible 17:41]. Now, I knew that I could like set up smart meters if I knew there was the brands mentioned, or say exactly what happened there.

But that also got me interested in all these IoT, industrial IoT, and I did put a bit of research on it. And one, I would say main stories that appear in the media [inaudible 18:06], the day I was able to take control of a hotel, I was in a room of a hotel in China, [inaudible 18:12]. And this hotel which was very high tech, every feature of the room was controlled by an iPad. You can, with the iPads, switch on the light, switch off the lights, you can [inaudible 18:30], you can change the outside light, you can change uses the remote control for [inaudible 18:35].

So while I was staying there, Erik, I decided because I'm the nerd I am, and this is a five star hotel is in the top 20 floors of our 100 storey building, is amazing. It's stunning views. And even the bathroom, when you sit down to do whatever you need to do in the bathroom, you were looking down to this huge floor to ceiling windows looking out…

Anyway, so I was there in this beautiful room, and I want to see if I can replicate the functionality of the iPad using my Mac. And so I started doing it and like working on it, and after one day of heavy drinking and fun, I was actually able to replicate the functionality of the iPad and control and make little like light movements and put channels in certain patterns and do little things like that.

Well, first, the protocol that this hotel used was KNX which is an industrial protocol. So I just say that they were using an iPad which is [inaudible 19:58] consumer electronic to control a building using an industrial protocol. And the industrial protocols, as it turns out, don't have any authentication, and you don't have any cryptography whatsoever, it has no crypto, no authentication of the devices.

So once I was able to control my room, what I did is I start going downstairs to the upstairs to the reception desk, and I asked them to change rooms. So I think, I said oh, can you change another room, I don’t like this room. So I went to the room and I did the same experiment and I did that in four rooms until things happen. First thing, I discover so I can control 200 rooms of the hotel and the second thing that happened is that they upgrade me to the best room of the hotel…

Erik: So by moving between rooms, you were able to hack in each room individually and then understand what were the variables that were room specific and that allowed you to understand the pattern for the hotel as a whole?

Jesus: Exactly. And with that, I create that program that I say what to raise every line of the hotel to have the same time, the 200 rooms of the hotel cool like I could raise all the blinds like Magneto style. So it was nice I got the best room of the hotel, first, I was in the duplex in China because I did that. And second, I learned that the security of the current systems as they were was really bad. And I have to put that as an aside saying that the star route which is the company that has some ridges were incredible on their approach to that. Instead of blaming me or anything, they were very open to understanding why they have failed and I was able to present my work with their help. So this is how I started with [inaudible 22:17] they take precaution so that incident doesn't happen again.

Erik: And then in this case, the hotel case, I think a lot of people might consider that to be an IoT situation, but from your standpoint, the technology used there was industrial IoT. Within these three different tiers, how would you look at that particular case?

Jesus: Actually, my point here, and that's interesting that you mentioned that about, you are saying that technology was industrial IoT and that what makes it industrial IoT. I believe what makes something industrial IoT or IoT is the characteristics of your project. For example, if you are trying to connect a Barbie to the cloud, but you are more interested to in terms of security, is that you conserve the privacy of the person that they trade in the Barbie today. But your main focus here is usability.

You want this person to have fun with the Barbie, right? You want this person to be able to use the Barbie and buy the Barbie because it's fun. You don't want to make them like put certificates in the Barbie or know that stuff. You have to conserve privacy, obviously, is very important. But your main focus to be that the Barbie is usable. So that's a consumer IoT, because you have a tactic making sure the person with the Barbie is happy that you're using it.

When you go into the industrial IoT, the characteristics are very clear. Usually, it's about reliability, it's about making the thing working, because you are going to lose money if your manufacturing plant stops working. And from our case, it’s about safety. That you are touching systems or you are connecting systems that have implication that can affect human life. Now going back to the building, when you connect a building to the internet, and he is able to remotely control the building, what do you think, Erik, what are the main characteristics that you have to conserve in that property in that building? Would you say it's making the building usable or making sure that elevator for example doesn't harm human life?

Erik: Or of course, privacy of the individuals staying in these rooms if you do have sensors that are able to record their activities to some extent.

Jesus: I did that, and I presented in conferences. What every reporter asked me was, would you get into the locks? Why? Because that changes the perspective. It is if you can get into the locks, it's not IoT anymore, the QED, because the more handy to have done there is like to say, just annoy people. [inaudible 30:25]. But the moment that you get the locks out, and you can harm people, you can make or steal things from people, so they are affected, their safety is affected. And hence that changes the whole perspective of the situation.

I don't want to go into details about the locks of that particular building. But what I mean is that that, for me, there is no question that even whatever technology they use, this is industrial IoT. Because you are connecting a network which may affect the safety and reliability of the network is important too. The locks need to work correctly in order for you to experience that thing.

But that is a little bit of a gray area, because our devices, and lights are [inaudible 31:12]. But they're like things that we protect at Waterfall, that is more much more clear. When you go to a nuclear power plant, or you go to an oil and gas refinery, you really don't want a bad guy there to be able to access the bytes and be able to change a setting which makes the owner still; durability and safety are paramount.

So we're talking about the industrial IoT system. And the way we treat security is much different or way different than the way we treat security in our world, which is all about the data. Don't lose the data. Encrypt the data. Make sure the data is safe. I don't want my records to be in the internet. So there is a big difference here. What we are trying to do at Waterfall is to make understand that where we're coming from is a war which is not about the data, but about the physical system, making the decision system be reliable, making it useful system be safe to use. So that is the difference for me in what an internet system a system that has specific requirements of secularism that needs to be preserved when you are connecting the system to an IT or cloud system versus trying to preserve data, which is what we are used to. So it's a very different how securities will be taken into account there.

Erik: Jesus, can you just talk for a minute about who the bad actors are here? Because I imagine if we're talking about an IT system for banking, we might be talking about criminal elements and their motivation would be to hack into a system in order to access money. But if we're talking about a power plant, are we talking more than around military bad actors, around potentially other corporates that might be trying to interfere in operations? Who would be the bad actors in these because it seems like there's not, in this case, a direct financial benefit for somebody from hacking in? It would be more somewhat of a strategic objective to hack or just potentially to cause some sort of anarchy which might also be an objective?

Jesus: Yes, there is a big difference on trying to get into like the system and trying to get into an industrial system. The difference is it can be easy to get into the industrial system, but the payload is very difficult to build, because no one has been [inaudible 33:59] payload before. When you go to IT systems, you know you have to find the credit cards and put them in somewhere or the Bitcoin, you have to find data and steal it and put it somewhere but is the concept. You have ransomware, you find the data and then you encrypt it so they cannot find it. So it's all about finding the data, you want to do something with it. You either steal it, or encrypt it or that.

When you go into nuclear power plants and you're able to get in, 99.999999% of the hackers in the world don't know what to do with it. What did you do when you look at power plant? In order to do any harm, you actually have to understand very well the physical process underlying. So it's only while attacking and maybe entering the system may have a certain like level. And we know now that lots of energy power plants in the US have been hacked already. But there is no payload dead, and this payload can only be created today by nation-states or people with a lot of power.

I don’t know if you know about Triton, do you know Triton?

Erik: No, I haven't heard about it.

Jesus: Okay. So Triton is a payload that affected safety systems. Safety system is the last line of defense of the industrial side, in this case, with an oil gas place. And these safety relays are the last line of defense. When everything goes wrong, you have to stop the process from continuing, like that's it. And we know now, the people that created this malware, Triton, were able to get into the safety devices, meaning that they will have been able to stop the Triton from working. And with that, you have made able to make out of money because if they were able to get there, and they will have to sabotage it, and like make it work for days.

However, rather than trying to sabotage it, so like the safety systems actually like blow and like basically, they are enforced, so they stop working. They wanted to have the safety systems themselves. So they wanted to learn how to upload firmware to these safety systems. Because obviously, they were people that they weren't that interested about money. They were interested about creating harm to people. They wanted to make sure the safety systems, they didn't make their work. And so you were able to release oil or do whatever this safety system prevent you to do.

So to make sure I'm clear about it, these people were obviously not nation-states, like somebody who’s not interested in money, but interested in making damage. So it's interesting that these actors right now are powerful actors that are trying to do bad things. That says, what happens always, and I remember I wrote a white paper more than nine years ago about ransomware. I said, why I cannot create a virus with use private and public key cryptography in order to profit and people thought I was crazy. And people thought that only like the military would do that, because probably pin parity previously, because cryptography is complicated to use in the settings.

But guess what, now every Russian mafia is doing it. And that is what's going to happen in industrial system. Now people are doing Triton and doing the payloads that are able to upload firmware scheme to the safety systems. Once this is done, once somebody is going to copy it, and he's going to copy it again and again and again, and in eight years, the mafia guys will be doing it. So that's why we need to rethink because now we're not talking about data or money, we're talking about safety and human life.

The thing, it's a little bit more imperative for us not wait till these guys have this knowledge of the payloads that they can do to make harm and to make ransomware which will just make the current ransomwares of data be like the easy life we used to have. So we need to be a little bit aware of that.

Erik: And then certainly one of the challenges with IoT or industrial IoT systems is that the attack surface or the number of attack vectors is quite broad. So you can attack the hardware directly, you can go into the cloud, or through basically a lot of different endpoints. What is the role of cryptography authentication systems? You mentioned that in this hotel, they were more or less non-existent in securing the system.

And then if you can talk a little bit on this concept of securing the full stack or designing in software. Most people's experience is that you buy a piece of hardware, and then you slap a security system on top and my laptop has enough computing power that I can then install a nice heavy piece of security software, and that will do a pretty good job. But if you're talking about a small endpoint somewhere, you're probably not going to be able to even if you had the insight to install proper security on that, correct me if I'm wrong. But I think a lot of people also will just not think to install a security system on top of their IoT devices because if you think about routers and so forth or connected cameras, all of these devices, it's not something that people typically think is required.

Jesus: Well, I want to quote one of my fellow workers [inaudible 40:18] which has a great book about SCADA security and how to fix it, that's the name of the book by Andrew. His point here, and I want to make it very clear is no system is secure. Because in computer security, and you go to RSA, or any of these big conferences, you will see full security, vast security, security like foolproof. That's not true. No system that you can create can make a system secure.

Security is an overused word. Like no system is secure, and there is always a way to go into that system. It is the way it is. In particular, and I will say that people believe that data, which is software competent becoming more secure in general. And the truth of the matter is that every software that you create has bugs and every bug is a vulnerability. And vulnerability can be exploited to take over your system.

So any bit of data that you let your device consume may be a vulnerability or maybe a hack. So you have to change this mentality of I put a firewall which is software or antivirus, which is software and I will be more secure. And you probably will be as secure as before or maybe less, because firewall mainly has like a lot of bugs, a lot of vulnerabilities in some position to enter all your system.

I want to explain that to you first because other people ask me about cryptography. Can cryptography is safer? Can access control safer? And most attacks just doesn't appear because of the lack of this kind of traffic. Most attacks in the current [inaudible 42:15] chain, so where you are in the stack and how low you want to go in order to achieve your targets in a hacker comes with [inaudible 42:27]. You know mails, you should be able to read your mail, right, and then you open something which should not open, they get your certificates which are very good and encrypted and all good, but they already have your password because they can protect keylogger, you have the certificate on the keylogger.

And then the channel from the house or the VPN that the guy has is encrypted to it. This is all also encrypted. And you arrive to the place where you're supposed to be, everything there works as expected. However, if you are going to which is linked to a system which has safety considerations, then you can stop it and then you can stop the system from working. Again, it is this is how this works today in the current world, people being not attacked from one network to the other network because they create credentials and the credentials are cryptography and we are all good, everything is good.

But what is lacking here, a little bit of understanding that every bit of information that you let into your computer, in this case, a mail can be a vulnerability and you can get hacked and then you cannot find the [inaudible 43:33].

So, having a ton more encryption cryptography and all these things will not resolve the current problem we have with security, which is hackers are abusing, not cracking, but abusing the system of credentials. So we need to be very careful with somebody telling us that no, I'm sending you these credential system and it's going to be great, because usually, it's not going to be great.

Our approach at Waterfall, how we protect systems for places which are requires this kind of reliability and safety that no one else can provide is to allow only data to flow out of the system. We use [inaudible 44:20] gateways, what they do is they collect the information that you want to share in the nuclear power plant, in their signaling systems to measure out your POCs or your historians. And we have a protocell that only sender and receives, not only receives, you cannot do reverse, it’s physics, this light goes only one way. These are fiber optic cables.

And what we do is through that one way link, we replicate from the industrial site information, whatever information you want to replicate to the other sites. So the IT system or the cloud system can use this information without having network or any kind of access to industrial sites. That's how we live in Waterfall. That is the core concepts of information. You have to prevent information to go in your perimeter if your perimeter requires safety and reliability regulations.

Now, that said, there is obviously ways you can do that too. For example, Google that has full control of every device that exists in their perimeter, they can insert a chip, a TPM chip-like, a Trusted Platform Module for people that don't know or trust hardware chip, that is able to authenticate between the keyboards on the rack [inaudible 45:48] to authenticate between the different hardware they have been in the warehouses, wherever they are, and that way, they can get rid of every firewall or anything that they want to put in the middle.

You can do that because they can control every device that they have in their network. So they can communicate using strong crypto, use strong authentication, and all that. So if you can create a system, which you control different elements of the system, and then you can try to use credentials, all that.

Now when it comes to the systems that require reliability, and safety, our approach is to say, what things do you want to share? The internet was built on the concept that everything has to be bi-directional all the time, things need to talk because we are humans, and we want to chat and we want to receive a chat back and send an email. And machines are not like that. A machine is not like a human. They send things at certain intervals, and we know the intervals. They usually send information. They can receive information to change in particular these machines to control the behavior. But usually, that comes from the perimeter, it doesn't come from like a remote place in the cloud. But you can send this information to a very, very restricted telco. So depends on your application, obviously, you need application that needs data back and forth all the time. Then obviously, you have to use what Google does, or whoever, or the company that does use a very hardened system, maybe use a [inaudible 47:35] module, or use certification, obviously, credentials, CTI, the whole mile, that is great.

But in many, many, many, many industrial sites, you want to send information out, so you know the status, and you can move into maintenance of your PLCs and of your valves and of your train. But you don't require that much data to go in your system because that changes, and you have the controls in colleges like changes your calculations for the system. Any data that goes to the system makes it different. And if these system that requires several physical configurations, then you need to restrict as much as possible data coming in, because that will change safety and reliability.

Erik: So, Jesus, how would you approach a use case like the connected vehicle? Because there you have basically weapons that are millions of them on the road driving around that can be used to hurt people inside or outside, whether it's a truck or a consumer vehicle, and you have potentially devices that have to communicate not only with other devices.

Let's say Google has their Google taxi, and they have 10,000 of those in a particular city, but then you might also have city infrastructure that needs to communicate with Google system, you might have other maybe Ubers system that also needs to communicate. So you might have different companies that are putting these fleets of vehicles on the road, and in order for them to operate, they need to communicate across fleet, and also with city infrastructure. And so it's probably, on the one hand, you need data I would imagine in input and output. And it's probably more challenging than this Google example that you gave previously and that it's not necessarily just one constraint system that one company owns but data is flowing across systems. What would your approach be for this type of?

Jesus: And the answer here is first, you have to know when data affects data. What part of your network is about exchanging data information? What kind of network in your system controls the cyber physical system? And of those, what are control things that can affect your life like brakes?

As it turns out, what they told you about in cars, people are using similar systems as I described that we use in nuclear power plants, or are thinking about using that, but in the car. As you know, cars have been hacked, they very well seen [inaudible 50:23] now in the TV, you know these guys that remotely were able to stop the car crease, is something that they knew they could do it. We all knew because the way things were connected or cars or being connected is reckless. You put like a system which has like brakes and speed up and can kill somebody and connected to the internet. And that happens because you are assuming that people cannot [inaudible 50:51] with their network. So these guys increased, fortunate, they were able to pivot their network easily because there are always flaws, software has flaws, and you can go from the CD ROM in this case and hack it and then the CD ROM is connected to the CAN bus and the CAN bus uses the brakes.

Now let's go to something that I am much more familiar than a car but the cost is the same. A train rolling a stock, they want to call it in that cannot [inaudible 51:23], a train has basically three networks. The three networks they have in train is that great control management system, which is what affects the brakes, affects the speed, the computing capacity, which is where the onboard computer of the train is. Train are made for infotainment, the infotainment is where you see like the alarms, saying like, oh, next station is nice, and you see all these TV streams and stuff.

Now, it's clear the infotainment, which is also where you have the WiFi, this network is connected to the internet, because you want WiFi, so you want to go to internet. Now should the infotainment be connected directly to the computing capacity of the train, the part of the train that makes things like opening and closing the doors of the train, for example? These are computer that does that. Should you be able to access for infotainment that? And the answer is no, like no because users will be able to go into the WiFi, and have all the protect and be able to open the door of the train while somebody is leaning on it?

Well, make sense for you to maybe send things from the computing capacity of the train to the infotainment because you want to say, for example, the malfunction of the train or you want to tell people where are the station or if the train is late, you want to let them know directly hey, you know the train is late, it will be like five minutes late, nobody has to go there; human has to go and tell people what’s going on. So it makes sense to connect the computing capacity one way to the infotainment, but the infotainment will never be able to access directly the computing capacity.

Now when you go to the computing capacity to [inaudible 51:16] system or in car maker where the brakes are and the wheel are and everything to the computer, there has to be an exchange between these two systems, obviously. You have to be able to brake the computing capacity to be able to brake. Now, the new regulations of the US, for example, they have to install what is called Positive Train Control, that means that if the train receives information that suggests that the train is speeding or not stopping where it should be able to stop, the computing capacity of the train automatically will brake the train. So a computer now has much more access to the [inaudible 53:57] information system that we used to have. That’s something that only the guy there could do. But now because there were these accidents, people accidents in US, it was an accident that at the end of this year, every train in the US needs to have Positive Train Control.

Now, what US doing though now is they’re having the computing capacity, the computer of the train connected to the outside because they need the information or the GPSs, about [inaudible 54:23] in the ground to know the speed and stuff like that. So, you have a lot of communications that go into a train and they have access to the thing [inaudible 54:30] operating system.

When I talk to people about Positive Train Control, everybody says safety will be improved because we will not have these accidents that they used to have. However, we know for a fact this idea of security of the system has reduced enormously. We have opened so many holes there. So obviously, this information, but this is going to be changed this computing capacity and the train which right now is kind of unrestricted to be more restricted. How do you do that?

So again, you are going to do some work to protect that. You need to use ways to regulate the information flow between these two systems, send information out, whenever you want, because it's going to affect the system. By the flow of information into these different intervals to be well understood, what can be sent, and it's something you send that it’s going to send, then is to be prevented. So that is how I will resolve that.

This part of the systems that’s infotainment, or in the cars, information they received for entertainment of the use of the car, like music, again, to be connected, and seems to be exchanged between cars, yes. But when you go down the stack, you will more and more and more to a place where somebody can die in the process of a computer being hacked, you have to be more careful about information exchange about what kind of thing or processor you have about all these things. So that is how things work.

Erik: So if we use this train example, this is two questions. One is, where should security be implemented? And two, is where is it actually implemented today in terms of who your customers are? So if we think of the device manufacturers or the component manufacturers, I guess, ideally, security would be built into every component that's put into this. But that's probably not often the case.

The second, it could be the system integrators, it could be Siemens that's kind of building the engine, and they could be trying to build security into that, or it could be the end user, the actual operator of the train system. And they're probably the organization that should be ideally least involved here because they have the least insight into the securing these components. But maybe they're the ones that actually have to do it because they're responsible for the safe operations of the system in the end. What does it look like today in terms of where security actually is being implemented? And where do you think there should be in a more ideal environment?

Jesus: I think Positive Train Control is like an absolute example of where security and whose entire security. Everybody doesn’t [inaudible 57:24] kind of thing is you do it. Because what Congress has told me to do is to enact a system that is able to brake when they benefit. They have not told me anything about trying to do a system that does that, but also has in consideration the fact that now I can go to the 220 megahertz frequency that these guys work in and is able to send information there that may affect the train in other ways, and open up a bigger hole that is trying to protect. Nobody has told them anybody that, so nobody does anything about it.

Everybody, that's a little bit obviously, I'm not saying the people that provide the qualifications and do due diligence and try to make the system as high as possible, or at least make sure that various tools in order for whoever comes down the stack has the tools to make it secure, if they want, to add like a chip there or like adds more certificates, the truth of the matter is that I am not going to go, this is my case, I'm sure that some of the people that have implemented Positive Train Control have done a great job securing it. I'm certain that there are people that they have not.

So who is in charge? In charge is always the operator, the user, the guys that put things together. We are in the case of the train operators. That's where the guys that are at the end are going to implement this. So they are the guys that have to say we want this. If they don't want this, they’re not going to sell it. It is because they have a tight budget, they know that they will do what they can you know what they have. The guys that can enable them to do that are the providers of the product, like a computer provide something that has a TPM or something that has a security there, so they kind of build on top of it.

And obviously, as the security providers, which are conducted and we are [inaudible 59:35] by them saying like, hey, we have a problem here that is you have a problem, we know we have a problem, can you help? And in our case, we help wherever we can. So there is a little bit of everything. However, I have to say that when it comes to industrial security, as people work with a budget and they have not seen the payload, they have not seen anybody get blowing up a train…

Again, I'm a person who hates this fear of like things that are not easy for hackers. Hackers will have to do a lot, and it's complicated and most likely will be the same. Maybe my last time I will never [inaudible 01:00:14] any physical disaster because of several hubs. However, I have to say that, again, the person that has to take care of things are the operators, the people that build the cars, the people that operate the rail, the networks, or near the guys that had to at the end, yes, I care about these.

The easy way to do that is by regulation. Nobody likes regulation. But for example, nuclear power plants are heavily regulated in how they can connect to the world. And that's why we are big there too, because they understand we’re the best security in that space. And they are regulated, so their choice is easy. Others that have more difficult choices because there's no regulation, then they may implement better security or worse security. However, I think at the end of the day, there has to be like a bit of common sense. But also in certain industries, regulation is necessary. When it comes to human lives, and when it comes to safety and systems that are putting out there and controlled by computers and data can be hacked with certain type of simplicity, not somebody has to say that there has to be some regulation, how was it built.

Erik: One last question on regulation. So, certainly regulate in particular industries, and what are the levels of security there is one approach that this is very important, and probably will happen in specific cases. Another concern is that you have a lot of IoT devices that are maybe in themselves not particularly important, so a security camera, a connected DVD player, anything like this. I know this is not necessarily your domain of expertise. But do you see at any point in the future, there being regulation that would actually hold the manufacturers of IoT devices responsible if their devices are hacked and used in botnets? Do you see this regulation to basically enforce device manufacturers to secure their devices so that they cannot become weapons?

Jesus: Yes. I actually see that happening. Again, it depends on if somebody finds a payload, which is important enough for people to care. But in the last meeting of the industrial cybersecurity working group, I said, and that's like either my company doesn't work with these small devices, but my personal opinion is there is no reason why a camera to be able to send FTPs or send mail to go spamming. There's no reason why user electronic has the same access to the internet as a human, makes absolutely no sense.

I understand that these are computers that are based from computers that the humans use, meaning that thing they believe that they have all these ports open, 21, 27, who knows what kind of protocol is in the port. But usually, what happens is these cameras that were used probably somewhere is used for mail servers, they reuse it to put it there and then now this camera is actually a multipurpose computer that does mail, sends in mail, you can run anything you want and connect to any website or any IP address or any person in the world.

That is absurd. It is something which is we're using it because we use it 10 years ago when the internet was not connecting people through machines, but not about connecting machines to machines. Machines to machines, they don’t need 25 ports open. There is no reason to have all these ports open like connecting all these different protocols. You only need like one communication, machine to machine and [inaudible 01:04:50] back, and the machines will not be able to go to the internet and browse or this is like it is makes no sense a camera browsing for while.

So at some point, we should get on our senses and make devices to us definite purpose. So a camera will be able only to do this. And if you find a camera and you have some kind of chip or module that tells identification number for that camera, because a camera is not a user, it doesn't have privacy, if that camera is connected to a website, means that something is going wrong and this will prevent this camera to come to our website, it is very easy actually, you say, well, this is terrible, like what you're doing here because you're just like have some crack before doing this podcast.

But the truth of the matter is that any person that puts out a device that doesn't have some sort of identity or hardware identity is making a mistake, and needs to be regulated. Every device that connects to the internet that has not to be manned by a human, like a laptop or anything else, like a camera or anything that is like a light in the streets or whatever, to have some sort of identification, so these cameras only talk with other cameras or cameras will talk only with our servers, they are supposed to see that. I mean, this is easy. It’s not a difficult thing to do, [inaudible 01:06:12] because we are lazy and we want to reuse what we are using before. And what happens is that people create botnets with cameras or is running in a fish ponds, which has lights, is running Bitcoin rig.

Again, this is because we are not using correctly these new IoT devices. Again, this is not like in my personal opinion, as using the same Ethernet rules, and we use because we wanted to have all these different things for a human to communicate for devices, which should be very simple, you send information about the video stream, and you receive deals on [inaudible 01:06:49] send or receive anything, for me it’s quite straightforward.

Erik: It's kind of a pure tragedy of the commons situation, where the manufacturer of the camera that gets hacked doesn't necessarily suffer anything, they maybe have a potentially a hit to their brand equity but if they're a Chinese manufacturer, maybe even not. But it's whoever is getting hit by that botnet that suffers. So you can say it's society at large that's getting hacked more frequently. So those are situation from regulator stepping.

Jesus: And again, when you make regulation, you have to be careful, because I heard people saying, like, oh, we are going to make this regulation that forces all IoT devices to do XYZ. Well, again, you should differentiate what is the purpose of the IoT device you're talking about. Because if you're telling me that you require encryption and whatever in the IoT device, that really depends on what kind of purpose that you might have, and what devices is communicating with. If it's a device that is going to be set up to a place where safety is involved, so not have this device being the same place and a Barbie, again, Barbie needs to be usable, but that we need to understand that. So, you don't also cannot put like there and they have to cheap because it's a toy.

So you need to put IoT devices in different spectrum of responsibility. But the minimal responsibility that we take care of this is, again, devices that have a task to only be able to use the creativity that we provide them to do the task, not a multipurpose task that anybody can abuse. That is problematic.

Erik: Well, that I hope is the direction that we are going. I guess, this is a challenging topic for regulators. But I know that you and the folks at the IIC are doing your best also to communicate out from the industry to the different regulating bodies. So hopefully, we can get a good meeting...

Jesus: In the security working group with IIC, we already have put the documents. We started with the security framework, now 2016 we released it. That was an informative document, provide a lot of good information about understanding that there were the industrial IoT is. Lately, we have built the best practices for endpoints, which is our document which explains how you should create an endpoint which will be in industrial IoT with the different levels of security.

We obviously described how to [inaudible 01:09:43] identity and device things that are common. We are going to release, hopefully at the end of the year or maybe early next year, the industrial Internet 3D security maturity model. The security maturity model is a way to create targets that our system to have and be able to achieve them by following different maturity levels. So you have achieved like your level one or two, etc, and increase your visibility on what is your status.

Because at the end, the most complicated part when you are given a big project is how to start, is what do I do now? I have all these cameras that are connected to the elevator and the elevator is connected now to the cloud and they connect, you need to understand what are your targets here, what is your focus and be able to achieve them. Again, nothing is secure, you will always make mistakes. But you have to be able to understand the risk you're taking and the maturity model is going to be, I think, a game changer in the way we understand risk, understand the maturity of our system when directs to security in industrial internet because we are focusing in, again, industrial internet, not the IT side of things, but the industrial side of things.

So I think with that and hopefully also next year, we will release a new version of the security framework which takes into account things, availability, safety, the [inaudible 01:11:20] interacted with security. And in this podcast in the last minutes we have discussed a little bit about it of how a train is different than a Barbie and about [inaudible 01:11:31] and is different than a connected life, which probably has different requirements. So this is something that should be intertwined in security. Security cannot be seen anymore as a data thing. It has to be how to provide cybersecurity so safety is not impacted and how to provide [inaudible 01:11:54] impacted, data can be lost. But we are talking about other things in here when we talked about industrial.

Erik: We will definitely link to these IIC documents in the show notes. Jesus, how is the best method for people to follow up with you whether it's to learn more about the IIC or about Waterfall security?

Jesus: Well, like my email, which is Jesus@waterfall-security.com, that is my email for Waterfall. Also, if you want to connect to the IIC, we are [inaudible 01:12:37] one is me. So just send me an email and I will be able to better connect you to anybody. The website of the Industrial Internet Consortium, which hopefully will have a link below in this podcast and the website of Waterfall Security which also hopefully it will be there.

And again, I would encourage anybody that is interested in joining the IIC, I think it's a great place right now in particular for end users people, and I've been now working with industrial Internet systems for a while now for years. And I understand that things are slower than people thought, and there's a reason for that, is because what I'm saying, people don't want to in particular in systems with you care like manufacturing for example, you prefer to do things at the edge, that doesn’t make sense.

But the truth is also these things will trickle down slowly, but you can wait for some point: the benefits of having your systems more connected will increase. Joining the Industrial Internet Consortium, which we have been working on this for years will be a great help. We have tested, which you can join in order to evaluate your products or understand how others have done it. And also, we have great talents and great understanding of how this works. I think during the Industrial coprocessor is great.

If you are in a vertical where like safety and [inaudible 01:14:18] are critical such as rail or airports or oil and gas, if you have something you want to connect, I think Waterfall security my company it will be great to have you on that. So that is the two places that I believe it will be good for the listeners to get more information.

Erik: Let me just do a final repeat for anybody who's just maybe listening to this while you're on the road. So Industrial Internet Consortium that's www.iiconsortium.org, and then Waterfall Security, www.waterfall-security.com. Jesus, thank you so much for taking the time to talk with us today.

Jesus: Well, thank you very much, Erik, for your great job. I think this podcast is great to get more information about everything, IoT and industrial IoT. And thank you for having me. I hope I did a good job trying to explain my view. Maybe I’ve shared by a lot of information security professionals because I come from another place. But I hope that helps the people understanding why we care in a different way about security when it comes to industrial IoT.

Erik: Super valuable perspective. And I really encourage people to follow up with you if they have deeper questions.

Jesus: Thank you.
