Is Your Security Tail Wagging Your Architecture Dog?

Recently, as a leader in the IIoT, I seem to get a lot of questions from insurance company executives. Their common question: where is the risk in the IIoT? Their theme seems to be: connecting things is just too risky. We don’t understand the security or safety risks, so It Can’t Be Good.

I disagree.

I do agree that the IoT is a brave new world in general, and for risk management in particular. There are all sorts of new opportunities for mischief if a machine is compromised. The hack that caused a Jeep to go off the road by getting into the tire pressure monitoring system is a classic example.

That said, intelligent machines also have more opportunity to protect themselves. The sad truth today is that most systems are very poorly protected (like that Jeep). Security gets orders of magnitude more attention today than only a short time ago. Most industrial systems didn’t even consider anything beyond “eggshell” firewalls or “air gap” offline designs until recently. That has changed 100% today; everyone is thinking security, security, security. And progress is exhilarating. Put another way, I think that everyone is installing cyber “burglar alarms” much faster than the increase in burglars. Bottom line: despite the rise in connected systems, the “likely real” risk is going down in most cases.

My insurance contacts consider this an overly optimistic view of the future. I counter that they hold a too-optimistic view of the present. You see, I claim that the situation today is unacceptably, intolerably, unbelievably high risk. Entire industries run without a whit of security. It seems scarier in the future only because the risk you don’t know seems worse than the risk you do know. That’s human nature. But anyone who looks will see that the current risks are very high, and the new designs are much better.

That said, my real optimism stems from the opportunity to change. In my experience (and this may shock security wonks), security is not a change driver. By that, I mean that industrial systems are usually not willing to implement a new architecture (just) to improve security. The power industry is my favorite example. The industry has been screaming for 20 years that security is a problem. And, imho, they will go right on screaming…unless something else drives the change.

The good news: the IIoT is that change driver. And security today is absolutely a change gate. Every application insists on security when they do implement a new architecture for other reasons. Since the IIoT is motivating many, many industrial applications to redo their architectures, security is getting better. Of course, implementing a new architecture for a major industrial application, or for that matter an entire industry, is daunting. But this is the magic of the sweeping changes offered by the IIoT. The IIoT is compelling. Change is coming, and it’s coming fast.

While we’re on the topic of change, let’s not discount improvements in technology to enable that gate. For instance, many potential IIoT systems primarily face scalability and system integration challenges. With a little thought, the architects figure out that IIoT systems are all about the data, and then that they really have a high-performance data flow and data transparency challenge. The best way to provide transparent flow is a “peer to peer” or “publish subscribe” design. This is the architecture “dog”: systems need the simplicity and performance of a communications pattern that simply sends the data where it’s needed, right now. That data transparency makes the huge future IIoT system manageable.

Of course, although data transparency is an integration dream, it’s a security nightmare.

The “dog” side of the dialog goes something like this:

Hey! Let’s just send the data right where we need it. Pervasive data availability makes systems fast, reliable, and scalable. And look how much simpler the code is!

But, then comes the security “tail”:

We can’t maintain thousands of independent secure sessions! How do we keep such a system secure?

Only last year, that was a damn good question. It blocked adoption of IIoT technologies where they are really needed. But then, the DDS standard developed a security architecture that exactly matches its data-centric data flow design. The result? The data-centric dog wags its perfectly-matched data-centric security tail. Security works seamlessly without clouding data transparency. Advances like this—that span industries—will make future IIoT systems much more secure than today’s ad-hoc industry-specific quagmire of afterthought security hacks. Security that matches the architecture is elegant and functional.

This argument leaves my insurance correspondents searching for Tao in their actuarial tables. So, I can’t resist adding that it’s not really what they should worry about.

Safety engineering will have a much bigger impact on insurance. For instance, I expect the $200b auto insurance industry to disappear in the next 10-20 years as ADAS and autonomous cars eliminate 90+% of accidents. Most hospital errors can also be prevented (hospital error is currently the 3rd leading cause of death in the US). In factories, plants, oil rigs, mining systems, and many more applications, automated systems (somewhat obviously) don’t have humans around, which removes a significant current risk. Accidents, in general, are mostly the result of human folly. Machines will soon check or eliminate the opportunity for folly. I see this as an extremely positive increase in the quality and preservation of life. Insurance execs see it as an existential threat.

I tell them not to feel bad; most industries will be greatly disrupted by smart machines. Navigating that transition well will make or break companies. Insurers certainly understand that losses are easier to grasp than gains; that principle underwrites their industry. But that perception is not reality. The IIoT’s impact on the economy as a whole will be hugely positive; analysts measure it in multiple trillions of dollars within only a few years. So there will be many, many places to seek and achieve growth. The challenge of finding those paths is no less or greater for insurance than for any other industry. But, fundamentally, the IIoT will drive a greener, safer, better future. It Is Good.

To learn more about our security solutions, visit http://www.rti.com/products/secure.html.

Why I Joined RTI

With a fresh perspective, I thought I could write about this small company in Silicon Valley that you probably haven’t heard of: Real-Time Innovations, Inc. (RTI). RTI has been quietly working on a technology called DDS that could be one of the most important and fundamental tools for the industrial internet revolution. If you haven’t heard, the industrial internet, or Industrial Internet of Things (IIoT), is going to change the world in ways we haven’t seen since the industrial revolution. My grandparents saw communications technology change from horse and cart, to the proliferation of the automobile and internet. This next revolution is going to be a much bigger deal.

I worked with RTI for 3 years while running LocalGrid technologies. I can’t take the credit for selecting RTI as a vendor. However, I think our CTO did his homework and chose RTI and Connext DDS for the technical benefits and also because of the company’s dedication to the quality and reliability of their product. That level of product care, I’m sure, comes in part from their long history working with the hardest problems like the US DoD. You can read a bit more about this here.

So why did I join RTI? The initial motivation was the relationship I had with the company, and the product. With RTI’s Connext™ DDS toolkit, and Connext DDS Secure, it was clear that DDS would be a fundamental and critically important technology for LocalGrid’s efforts in the Smart Grid market. Having worked on many system integration projects where we struggled to create scalable, simple to use, and robust communications solutions, I knew how important this middleware would be. But it was the influence and leadership of this small company that really attracted me, first to working with them as a partner, and then as an employer.

So when I found myself looking for my next career opportunity, I knew I wanted a company growing in an exciting technology space. The product and the company seemed like a great fit. However, when I started interviewing, what really struck me was how much everyone seemed to be working together. The stories about the company strengths, benefits, and motivation were consistent across all groups in the company, and included everyone. Everyone was ‘pulling together’. Instead of telling me how great their team was, each group in the company talked about how good sales, or engineering, or marketing was doing. The company is small, about 100 people, but clearly punching above their weight in multiple industries. It has a culture of service: “we won’t let our customers fail” is a phrase I heard many times in the interview process. This can only be evidence of the teamwork and a sense of ownership.

2016 RTI Company Photo CKO

My first week on the job happened to coincide with the Company Kick-off week. During this week, every RTI employee from all over the world meets in person at our HQ in Sunnyvale, CA – definitely a good time to join; I got to meet a lot of people at the company in person. This is important in a company where 50% of the staff work remotely. The most important thing I took away from that first week was a great look at the company culture, which I would describe principally as an immense amount of trust between everyone. That translates into a lot of questions and a lot of feedback. Of course there are growing pains, as with any small company. And they don’t have unlimited resources or funds. But clearly, with this teamwork, and especially in a new and undefined market, RTI is successfully ‘failing towards success’. That’s great, because they aren’t afraid to try, to put the company and product out in front, and to learn about their customers and markets as they go. With teamwork, this works.

As an engineering company with a complex product, RTI has, I can confirm, a very ‘geek’ friendly culture. But more than that, it is a culture where people communicate and express themselves freely. I’ve run my own meetings and attended many others where the question “are there any questions?” is inevitably asked and then met only with silence. At RTI, there is never silence. There is always a question or a comment, and it comes from all departments in the company: Engineering, Sales, Marketing, Operations, no matter what the topic is. Everyone seems to understand the importance of what RTI is doing and everyone cares. Add the clear respect and trust that exists in the company, and this translates into lots of questions, feedback and collaboration. This is how such a small group can be the most influential company in their space, beating out companies like Google and GE.

Unlike many Silicon Valley companies, people stay here for a long time. I’ve met engineers that have been here for 15+ years as the company’s technology has changed, evolved, and matured. They move from engineering to sales or marketing and to management along the way. The people make a huge impact on the sense of ownership and the culture. I am very happy to be part of this amazing little company, and I suggest that everyone keeps their eye on RTI. The impact on our society, businesses and the economy will be huge, even if you will never know it.

Connect to Protect: A Few Highlights from the RSA Conference 2016

The theme of the RSA Conference 2016 is “Connect to Protect.” According to RSA, “One of the major drivers of the evolution of technology has been our desire to connect with new people and new ideas.” This year’s theme also resonates really well with RTI’s mission and values, so it inspired me to attend. In this blog post I would like to offer a few of my personal impressions of the conference. Because I had attended the conference many times before joining RTI, my perspective may be a little biased, but I will try to be as objective as I can.

The Most Inspiring Thing: Kids Cyber Safety Expo Hall

One of the most important things for me, as a security professional of many years, was to see a large exhibit dedicated to the cyber safety of kids and teens.

There was an interesting mix of non-profits and commercial exhibitors there with great technical innovations and educational content regarding cybersecurity and young people.

It was good to see the esteemed RSA Conference getting behind this noble effort and giving it special attention…

I truly hope it will help build public awareness and attract investment to this much needed area of security. The effort is long overdue. Good job, RSA!

The Most Controversial Thing: A Roundtable with Three Cyber Wise Men

Cybersecurity was the dominant theme of the conference this year. This roundtable session featured three sought-after panelists: Alex Dewdney, Director, Cyber Security, CESG; Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, The White House; and Dr. Tal Steinherz, CTO of the Israel National Cyber Bureau, Prime Minister’s Office. They explored some of the hottest issues facing us today and discussed the ways the Israeli and US governments view and approach these challenges.

Dr. Steinherz created some controversy by expressing his non-traditional views on the issues around cybersecurity policy-making and the effectiveness of current government programs. He thinks the most important issue for security professionals is protecting Industrial Control Systems (ICS) – the place where the cyber world meets the physical world. Dr. Steinherz believes that the needed technology is available, but that the lack of global collaboration is a real issue that needs to be resolved. “Sometimes you know who your adversary is but you cannot make them responsible for the harm because of the issues with the lack of global collaboration or international law enforcement.”

“Defining cybersecurity is the most difficult thing I’ve been dealing with in the last three years,” said Dr. Steinherz. “We should look at [cybersecurity government programs] like the brake system of an automobile. If we want to move fast, we should have the best brake system we can get.”

The Most Innovative Thing on Expo Floor: Deep Learning Cybersecurity

On a related note, Israel definitely has an impressive number of cybersecurity startups, and they are highly visible on the Expo floor this year! Deep Instinct, the first company to apply deep learning to cybersecurity, emerged from stealth mode four months before the RSA show. They have their own booth at the conference, which is somewhat unusual for a player of such a small size (there are just 40 employees).

Deep Instinct was chosen by VentureBeat as one of the top five “deep learning” startups to follow in 2016. They are still very secretive about their technology, which promises unmatched accuracy in detecting even the most evasive zero-day threats and APT attacks in real time, blocking them before any harm occurs. According to Deep Instinct, they are very busy with proof-of-concepts right now. I look forward to seeing this young company make a name for itself in the highly competitive security market and maybe even take business away from some big players!

The Most Anticipated Thing: RTI Learning Lab

And last, but not least… On Wednesday we celebrated our debut at the RSA Conference as a team of presenters. Our fabulous facilitators, Rose, Hamed, and Gerardo, led a session on security in the IIoT. The name of the session was “Securing the Industrial Internet of Things: A Deep Dive into the Future.” It introduced participants to the Industrial Internet and its growing impact on Industrial Control Systems. The session was for an advanced audience. It was designed as a crash course on the fundamentals of DDS security, followed by a progressive series of self-guided exercises on how to use Connext DDS Secure for a medical application – specifically, for monitoring a patient’s vital signs and controlling medical devices.

This lab was hugely popular. There was a long line to get in!

The RSA Conference organizers went out of their way to accommodate as many people as they could, but some people still could not get in. Bummer!

But wait, here is the best part: if you could not attend RSA or missed our session, you can still download the session slides. Enjoy!