Zero Trust with Operational Technology #175 | Embracing Digital Transformation | Intel Business


Louis, welcome to the show. Darren, great to be here. Thank you for having me. Hey, we've talked before; it's been about a year since the first time we talked, right? Yeah, you have some really cool technology, but before we get into the technology and the use space and all that, tell our listeners a little bit about yourself and how you came about being a co-founder of Veridify. And yeah, who are you? Why do I even have you on the show? Sounds like a question my wife would be asking.

Or at least some of my sons. Anyways, it's great to be here. My journey here has, I think I've shared some of it in the past, but as I tell my grown sons, I started off in the world in the Google of my day, a place called IBM. Both as a, yes, as a field engineer and a salesperson.

So I had an interesting training post-business school. But even more interesting, and it's one of these things where hopefully people will stay tuned in even though I'm that old: when I was in high school, I was part of an experiment. Could you teach computer programming to a kid? Kid defined as post 16 years of age. And of course, what did that involve? This thing called an 80-column punch card.

on an IBM 026. For those of you listeners out there, take care. You're the first one I've interviewed that has admitted to programming with punch cards.

I know others that I've interviewed have, but they wouldn't admit to it. So, Louis, that's pretty brave of you. I can even remember the days of JCL. Anyways, as my kids would say, did you use wires and plug things in? Because then they're ready to put me in a home. So I'm not quite that old. But anyways, so fast forward, I came out of high school programming in several languages into business school, out of business school to IBM.

And so I've had a very intuitive approach, not intuitive, excuse me. I've had a very interesting curiosity about technology from a young age. And here I am.

And in fact, on exiting one of my enterprise software businesses, I was introduced to my co-founders, who are mathematician cryptographers, and became fascinated with the work they were doing on the difficulty of securing small processors years and years ago, not realizing it would move itself to the edge in small processors and intersect with what really began as a classic napkin whiteboard enterprise, funded early by the National Science Foundation to develop technologies, that evolved into some projects with our friends at the DoD and brought us here today. So that's really interesting. You start your career with big, big mainframes and now you've moved all the way out to the edge to the smallest processors.

In fact, in a space that fascinates me because I'm from the IT side: operational technology. It fascinates me because it's like it's been put in this glass shell, and everything else has moved on and it has still kind of stayed true to its original mission and its original architecture. Does that make sense or am I just seeing it wrong? Yeah, you know what? You could call it the poor cousin, the shoemaker's child, what have you. Although it's interesting because I would tell you that it's probably more the acceleration of connectivity in the world as we know it today, forgetting all the other buzz things happening around AI and what have you, that the light has finally been shone upon it.

So where you might have had a standalone OT installation, maybe doing something critical in infrastructure, SCADA, building, for decades, it was never really connected to anything. It was never an issue. And now that the IoT world has shone a light on it, both for the users and for, unfortunately, those in the world of ransomware and cyber attacks, we're all thinking about it now.

Yeah, there's actually some pretty famous OT infiltrations that happened. Target, they went through an HVAC system to steal credit cards. Whoever would have thought that. And, you know, probably the most infamous is Stuxnet, right, where some centrifuges in Iran were attacked. But we're seeing more of these critical infrastructure attacks happening. And in Ukraine, we've seen dramatic attacks on critical infrastructure that took down power grids, or took over the emergency alert system in Israel.

So it's no longer in its isolated shell like it used to be. No, not at all. As a matter of fact, it's interesting because I always like to, you look at movies, you look at Hollywood when they're not on strike and the stories they produce, and inevitably they sort of portend the things to come.

And you can go back probably, probably almost a decade. And I can't quote the exact movie, but there was one of the Bruce Willis movies. Oh yeah, Live Free or Die Hard. Right, where they take over the public infrastructure of a city to manage the lights. And lo and behold, anybody who's done anything in the OT world in the public sector knows that that infrastructure and the things that we put in place are a threat. There was another one, Fast and Furious, I believe, that used autonomous vehicles to block a roadway by having them shoot out of a parkade as missiles.

Now, you think about it, but lo and behold, you can also go on YouTube and find where DARPA has shown taking control of an autonomous vehicle and driving it around the parking lot against its will. So you see these things in the movies and then it comes to real life. And unfortunately, what's happening today in the scenarios you just quoted is that real life is real life now. We're seeing it in real time. And that arguably should be a big alarm or spotlight, to your point, on these sleepy technologies we didn't think about until now.

I hate to call them sleepy, because the more I dug into it, and it really fascinates me so much that my PhD dissertation is on IT and OT cybersecurity best practices. So obviously it's more than just a fascination, right? It's kind of an obsession right now. But what I have found is the OT side of the house is very sophisticated, and the way that they think about reliability and safety is very different than the IT side of the house.

On the IT side of the house, they want, hey, if I have four nines uptime, meaning 99.99% uptime per year, that's incredible. But you talk to OT guys and they go, my stuff can't go down for 40 years. And it's been running for 40 years, never been down. So, completely different mentality. And I think part of that is because on the OT side, you're dealing with the physical world.

People can die or get injured very, very badly if things go wrong. So it's a very different mentality. But that has caused some problems now that business wants to know more about what's going on on the OT side and they wanna connect it. Absolutely, and don't forget, that is also now being compounded in a positive sense, because I will tell you that most of us, most of the listeners, I assume, are operating in a free market economy, and we all get to vote, through purchasing or whatever, on what we think is a good automobile, or what is a safe building, or a good factory device. But I think that, to your point, the need, the operational need for 100%, the concept of safety, versus on the IT side, a lot of it is data integrity, data protection.

And it's not the end of the world if I say that the server in the accounting department looks infected, please log off, we're sending somebody up to replace it. Something running a critical element of infrastructure in a hospital or elsewhere may not have that luxury. And the extra element I was gonna add is that our government has recognized it, in that you are now seeing in headlines CISOs being taken to court, being prosecuted. Yes, that should be a big wake-up call.

I think it was a year or two ago, that by 2024, '26, it's always good. It's always good to project the future. I can't tell you what it will be tomorrow, but I will tell you in 10 years how you'll be getting to work anyways. But they did project that CEOs would become liable for many of the data and/or cyber issues of their companies. And that seems to be evolving there, good or bad. I mean, I leave that to your audience to decide if it's a good or bad thing, but.

Yeah, so on top of needing that uptime, needing that security, you now have the additional pressure or reminder that you better do it right and put some effort into doing it right, which has not been the case, as we started this discussion. Yeah, no, absolutely. Now, I understood something really interesting in the operational technology, OT, space. It is fundamentally different because every single device that is controlling a machine or sensor, there isn't a common language that they all speak.

Unlike on the IT side, where everyone speaks TCP/IP, UDP, the traditional internet protocol stack, right? That's not the case on the operational technology side. Why is that? Why is it so different on the operational technology side? What's the history behind that? So there's a couple of elements to it. And it's funny, because I've often been places, and I said, you know, if Apple was responsible for this, we wouldn't be talking about anything, because they would have locked it all down, good or bad, whatever the incentive was for doing that.

But we wouldn't be worried about all these different, or lack of OS. Sometimes you say a different OS. Many of these industrial platforms, there is no OS. So that makes it a challenge to secure. But if you look at the nature of this environment, it is different than the IT world. And the IT world, to your point, it's homogenous.

I have a Linux world. I live in a Microsoft world. I live in whatever. And hence, you buy the market tools, the platforms, what have you, for that IP platform. And by the way, the life cycle there tends to be significantly accelerated.

are listening to us on a 10-year-old platform. But a 10-year-old platform is the minimum targeted platform for one of our partners for their industrial devices to be in the field. And I think, as you know from some of your work, you have decades of products in place and untouched. And I was shocked. I was working in a shipyard, helping shipyards modernize.

And they brought me into this huge warehouse and showed me a brake, which bends steel. That's what it does. It's a press brake. Almost 100 years old.

I'm like, and you're still using it? It's the best in the world. Why would I not use it? I'm like, how do I... How do I secure that thing, and do I hook it up to the internet? You know, it's crazy when you think about how long some of these systems have to be running. Right. So if you take that scenario and now you talk about the evolution of either a business process, a business operationally, even a public sector entity, as new things come into being and you want to take advantage of them and they don't necessarily replace what's there, you now tend to accumulate these additional technologies in place. And by the way, I think it would be really great if we were using, you know, transportation tools from Studebaker, but they're not in business anymore.

And so, whatever that equivalent is in the industrial world, and/or in the building automation world or whatever OT world we go to, so now you tend to have a mix of vendors in a situation with a mix of technologies, because pre-IP, there are non-IP networks. One of the big revelations for us working in the building space was we developed our initial tools to address building automation OT networks running on IP platforms. Well, guess what? In the technology space, particularly something called BACnet, one of the industrial protocols, there's a method called MS/TP.

It's a token passing network topology. And so this predates IP. It's the old stuff. And you know what? It's a predominantly used technology today. Why? Because it's less expensive and you can do longer wire runs.

So if the building owner says, well, will the thermostat work? Will the access controls work? Will the HVAC work? Well, yeah, use the lower cost thing. So many people who visit New York City and see this big shiny thing at the bottom of the city, the Liberty, you know, the replacement, you know, our great tower, the Freedom Tower at the bottom of the city, that brand new shiny thing, has an IP backbone, but all the devices on all the floors are running on this multi-decade-old technology called MS/TP. That is fascinating. So.

Just to save a buck. So in these older protocols, was security even thought about, cybersecurity? Or are they, because in the IP stack cybersecurity was at least thought about. And there's hooks that I can plug in, I can encrypt my data across. There's all the things that we got on the IT side and that have become mature because IT has been under attack from hackers for decades. On the OT side, they really haven't.

So do these protocols, are they precluded from doing encryption, or is that just not even there? And your audience will excuse me, this is a great opening for a plug. But the short answer is no, there is no security. It wasn't contemplated then. There are many things that we have today where the technology, or the need for it, was not contemplated in that space. And that was one of them. So these were...

They were networks, but they were standalone. Again, running on 485, what have you, twisted pair, who would ever have thunk it? And arguably, it may be somewhat more challenging or limited, but it is still a door or an access point to a network or to an environment, much like you referenced a little ways back with Target. And again, it was... And again, there's always a human element.

We're not going to say they broke whatever, but not quite as sophisticated as Stuxnet and the multi-layered zero-day protocols that were combined together to in fact deliver that attack. But these networks have been unprotected, and that really, frankly, is one of those head scratchers. And so we, as a company, at Veridify, because we're focused on protocols and primitives to protect edge devices, have actually developed an element that will protect a non-IP network, because we can operate on this token passing.

Again, it's still data. It's still elements of data moving on a network, to support zero trust, which is the topic of today. But it's challenging.

And this goes, and so now you've compiled multiple decades of an operation in place with changing topologies, with vendors coming and going. So you end up walking into a commercial office building, you end up walking into a large factory production environment with your basic spaghetti, what have you, of technologies, and somebody says, well, make it secure. So can you explain some of the tenets of zero trust in this space that we need to leverage, that are difficult, where you guys have found, hey, this is something we can bring to the table? You found a niche, a problem space, specifically around security and zero trust.

So what are those principles of zero trust that you're really addressing in the OT space? So it's a great question, and it's actually going to take a little poetic license in it to step back for a minute, because everything I look at, down to the food store I shop at, seems to put, hey, and we're zero trust, you know. It's low fat and zero trust. And that seems to be, you know, in the world today what's going on. And people don't realize there's several components or layers

to zero trust. So everybody says we're zero trust. And in often cases they are. In the IT world, oftentimes it's about identity management, network segmentation. You know, there's different components.

There's arguably five or six components to zero trust, if you were to be zero trust. Technically, few things do all of them, because frankly they don't touch all those technologies. You know, maybe a network tool does not actually have specific device-on-device agent components. So it's not going to deal with the endpoint security. It will assist with endpoint security by maybe validating a certificate, what have you.

But it's not actually securing an edge device. It may be providing some sort of monitoring or protection. So I think in answering the question of what we're doing, so we, as a company, are focused on the edge or device, the security of that edge device, independent of the network. So most of what we see in the OT world, and logically so, comes from the IT world, because it's more mature. And frankly, yes, there's still a network involved, so a lot of the network tools can be applied.

And it's all good. Some things, which I will leave to your readers, and maybe some of your listeners have done it, so they could actually call us or maybe do a show on it: how you do network segmentation as a security tool, which is one of the pillars of Zero Trust, and a good tool in the data world where you want to minimize, God forbid you find an anomaly on your network.

You want to minimize exposure, what have you. But going back to an OT world, if you're running a critical operational infrastructure, how do you now digitally fence off a controlling or critical PLC, or something managing that function, to your earlier comment? It needs to be up not only 100% of the day, but of the year, of the whatever. So, I need, so let me understand.

You need isolation. That's a key tenet of zero trust: micro-segmentation, encryption of data. These are all key elements. But in that isolation, if I do have an infiltration, something's infected. I, in the OT world, what I have learned is they don't shut the machine down.

So instead I need to isolate it where data can come in, but nothing can come out, right? Is that kind of the philosophy behind it? So that's the philosophy in general. And so how do you do it? Well, then you come up with something called micro-segmentation. So we really segment down to very little pieces, optimally to each device, which, frankly, in large environments, I would say, becomes highly impractical.

It's not. Yeah. And I read some time ago about an Intel partner who did a project at a university location, and I think when they were finished with some building OT network updates, they claimed 300,000 endpoints, which is not a lot for that world, but that gives you an idea if you were to do, you know, micro-segmentation. So that's been the general approach. We take a subset of that, and very specifically we have a device-level approach, so arguably we are, because of the technology we apply, doing the endpoint, at-device protection, because we're not taking a network approach. And by the way, I'm saying that a network approach may be more practical and better in some cases.

So in me saying this, I won't be so bold as to say our approach is better. It may be more practical in situations. It may provide the protection you're really seeking. But again, it's... As we all know, it's many layers of things in the hopes of being protected.

There's no one thing. So as much as I want to say, our one thing, we'll do it. You know, we're designed actually, and this is a secondary point. The network tools that are typically providing zero trust, which are monitoring and visibility focused, do not do anything to the network. So the other tenet, which you raised, which is encryption, authentication, you know, the protection of the data, which no IT person would think of, you know, sending patient data, credit card data, anything out unencrypted, travels in plain text in the OT world.

Yeah, our tools specifically encrypt at the packet level the data over the existing network. So I use this term loosely, because you'll have some very technical people that challenge me on it, but we do create a VPN-like platform, because we create a tunnel over the existing public OT network and we encrypt the packets running through it. So that's pretty cool.

So if someone has, and how does that protect? That could protect people from having physical access to your network, which in the OT space could be very, I mean, think about a smart city. There's OT network all over the place or even in a building, right? We've all seen the spy novels, right? Where they sneak into the building and then they put something on the wires and now they can have access and control the whole building. Oh, yeah.

And listen, well, it's not far-fetched. I think it was Richard Clarke's book about seven, eight years ago, maybe a little longer. He opens it describing a specific attack in the Middle East where the country, Israel in this case, basically, it's like the old-time bank robberies where they put up a picture of the lobby in front of the camera.

So the security would be looking at it while behind the scenes they were hacking the whole thing. And basically, to take out what was going to be whatever the classified site was, Israel posted a picture of a clear sky to the radar systems of Syria, I believe it was Syria, while they flew in, did what they did and flew out, nobody seeing anything. So this is all happening real, and it's kind of, I'm not going to say it's all hat, I can never claim to do it, but yes. So that is, that is an issue. And so we're encrypting today.

And you're connecting the two sides, meaning you prevent the man-in-the-middle attack, right? Okay. In fact, if you were to see a demonstration at a trade show we were at, one of the very specific demonstrations we do is we have a tablet that we actually plug into the switch between two of our devices. So this is the person who doesn't like your entity anymore, who comes back with their laptop, goes into the basement, the back closet, what have you, and decides that they're now going to wreak havoc.

And so we show that: a tablet plugged into the network switch, trying to relaunch commands to edge devices on that OT network. And that's what we show protecting against, because again, if every packet needs to be authenticated before it's decrypted, either as a command passed in or as a log file passed out, this device plugged in will need those same credentials.

And again, people who are familiar with asymmetric or public key methods and what have you know that in... You can't do replays because of the layering and of nonces; every packet again is different. So replay attacks are protected against. So that is the attack we demonstrate, because that is the most nefarious in terms of physically gaining access to the network.

Well, and that's something unique in OT that the IT guys don't worry about, right? The IT guys, I just, everything's in a closed, locked down data center. In the IT space, I've got devices out in the public that are easily accessible. You might have to climb on top of a ladder to get to a smart camera or a light.

but typically they're pretty accessible, and very accessible by several of your employees in the manufacturing space, for example. Absolutely. Yeah, I mean, and people don't even realize, and it's an interesting concept which is gaining traction in the OT world, which is very big in the IT world, which is visibility. As a matter of fact, there are literally just products that do nothing but, you know, that are cyber security products, they're not, and again, a lot of what we call is monitoring exactly, because again, the IT, what is the CTO worried about? Yeah, you brought something from home. You picked up that thumb drive in the parking lot and you wanna see what's on it.

And I always say, in the OT world, we're not really worried that somebody is bringing a thermostat from home. Or, you know, that's not the driving thing. So, but. But you may be worried about a vendor that you gave access to remotely to work on a device that's gone down, that they have to, and now your network is wide open.

That's a discussion for another day on that. So if my listeners wanna learn more, Louis, about your company, where do they go to find out more? And if they have these issues in, well, anyone that has OT has these types of issues they're trying to deal with now.

How do they find out more about you and your company? Well, the prime source would be, you're welcome to come to our website at Veridify.com. The product we've been talking about indirectly, and again, I appreciate the opportunity to have this conversation, but for the extension, is called Dome. It is the platform we've developed, which is a fairly extensive SaaS OT platform. And in fact, you can go to the Intel website and you'll find Dome there with some of our OEM partners, both in the building control sector and in the industrial distribution sector, people like Advantech, KMC Controls, in various places on the Intel site. But our site, Veridify.com, and if anybody has any questions, you can send them to info

at Veridify.com. In the subject line, please put "for Louis". And it will get to me and we will make sure that we answer any additional questions that we may have raised. In talking about these things we may have raised more questions than answers. I'll also put this on our blog site. So there'll be links from embracingdigital.org. Check out the episode there and we'll put all the links on there.

And maybe even, we might even find a white paper we can put up there as well for people. So Louis, the time went so quick. I can't believe it. Thanks for coming on the show. I really appreciate this. We for sure are gonna have you come back and talk about some other things.

Well, you're a great guest, so we'll have you back. Super, yeah, now there's some cool stuff coming around the corner, unfortunately, because there's some cool stuff happening for the bad guys, but happy to come back and talk. I appreciate the time, Darren, and great to see you again.

2023-12-02 19:58
