CRN IoT Roundtable: Closing The Door On The 'Open Invitation' To Hackers
Securing IoT Devices?
Customers looking at Internet of Things applications all cite a similar concern – security. Security is also top of mind for solution providers interested in applying their own skill sets to generate revenue from IoT.
Executives from Hewlett Packard Enterprise, Cisco Systems and Forescout Technologies discussed the challenges – and opportunities – surrounding IoT security during a CRN-hosted roundtable, which took place during the XChange Solution Provider 2017 conference in March. The roundtable included Tom Bradicich, vice president and general manager of servers, converged edge and IoT systems at HPE; Bryan Tantzen, general manager of Cisco's connected industry and manufacturing business unit; and Todd DeBell, vice president of worldwide channel sales at Forescout.
Following are excerpts of the discussion around IoT security from the roundtable.
How are you approaching the IoT security market as a whole? What is your strategy for IoT security?
Todd DeBell: The piece we really transcend over [with IoT] is the security piece. It's going back and saying, 'Look, we're going to be a focused, nimble, small organization that is tackling a large problem in this order.'
No matter if it's oil and gas, no matter if it's shop floor and you're worried about the cost of a piece of equipment failing or providing defective output, it is a situation that, at the end of the day, if it's not secure and that's hacked, or used in an attack similar to what we had back in the third quarter and fourth quarter, where cameras were used in the network. And that's a great way to get to other spots of internal attacks as well as external attacks. So it's an agentless, very simple process on our side that our network or customers or channel partners are seeing. But it's a scenario that's an important and critical step in the process. If it's not secure and it's out there, it becomes an open invitation for hackers or open invitation for stuff that you don't want to happen.
How are you approaching the IoT security market as a whole? What is your strategy for IoT security?
Tom Bradicich: Todd is correct. Security is essential. … I think it's not led with in many ways, it's a lot like air, food, and water. It's absolutely essential, but it's not the essence of what you're doing. It's a way to manage what you're doing in a way that it doesn't get messed up, either by an anomaly or a hostile attack, and that's why we [HPE] recently purchased Niara, a company that has anomaly detection and analytics. So, I want to underscore the importance – and no one product does it all – there's a ton of opportunity out there of different types of anomaly, whether it be hostile or just failures, to be detected and acted upon, as well. When you take yourself out and away from home, you're more vulnerable. So this idea that we send data way back to the cloud, we send it across the states, across the ocean, combined with the fact that we're connecting more and more things, the vulnerability goes up and the risk goes up. And it's absolutely crucial.
How are you approaching the IoT security market as a whole? What is your strategy for IoT security?
Bryan Tantzen: Here's what I would say on security. … I think we're all in agreement on the need. Security is the No. 1 barrier to IoT. And, as we deploy and connect to everything with Jasper, one of the reasons they're using Cisco Jasper is to connect everything securely. ... To your point of, 'What's being done that's not secure,' the legacy environments that we're connecting into, are in many cases completely unsecure, with no security built in to those environments. It's not the IoT that's not secure.
What does the challenge of security mean for potential IoT customers?
DeBell: Well, if you look at a hockey stick of the new devices that are coming online, and they talk about industries and areas of the business that have new devices every day coming online, and there are areas tracking or targeting a problem, they're going to put that on the actual manufacturing floor and actually go through the process and the steps to go there.
The challenge that you run into is the manufacturers are not necessarily thinking about security when they go to that. If you're thinking home automation for audio/visual, or just the stuff in a normal conference room, that's not usually the primary focus. The primary focus has been, in the past, 'Let's get a good product out that actually delivers.' We're seeing a lot of those manufacturers come back to us and say, "We want to get on your list. We want to know.' So, I can't put a number on it. But what I will tell you is the amount and the explosiveness of the new devices that are coming online, it's going to continue to be a problem, and it continues to grow faster. It's horrible.
What does the challenge of security mean for potential IoT customers?
Bradicich: We are selling tremendous amounts of servers into clouds that are taking on IoT data. So in many ways, this is a business-as-usual approach. We literally don't have to invent new security, we don't have to invent new opportunities. We just have to get the correct assets together to make that investment. That doesn't mean that anything we've said is invalidated by that, but this idea that it's way in the future is totally contrary [to what I] personally, and my team, are in right now. And I think the biggest risk to IoT is taking the risk of not employing IoT in your business. That's the biggest risk. There's great security products, even from my competitors as well as my colleagues, as well as my own company out there. We can handle that. It has to be done. So the whole idea that leveraging existing assets and the strategies that we put together for my company, one of the points was leverage it, if not take a page out of our colleagues' and competitors' book, and just call it IoT. Because IoT has achieved celebrity status. And there's nothing wrong with that, because it applies to IoT.
What does the challenge of security mean for potential IoT customers?
Tantzen: It's what's you're connecting into that has the problem. The car is not secure, the factory is not secure. And the reason for that is when they built these real-time control networks, many of them were using 30-year-old technology that is still in place today. You'll see it in the car, you'll see it in a factory. Those systems have low-data paths, low-data rates, but they're also not secure. There's no security built in to those capabilities.
If you go into a factory, I think people don't know this, but all the robot automation cells and the control that works and all that, they're all separate from the IT network. And they're not secure, but they're separate. But as you want to enable IoT, and you want to actually connect to these machines and get data for predictive maintenance and drive these billions and billions of dollars, that doesn't work anymore. So we now have to connect these legacy OT environments to the rest of the enterprise to get the value from IoT. And that requires, not just security on the IoT connection, but to now make those OT legacy environments secure.
What's the opportunity in IoT security for your channel partners? Can partners make money from securing IoT devices?
DeBell: [IoT security] is the scenario, where partners step back and say, 'We're going to see it first and identify what it is, and after we see it, help you control it and orchestrate the policies.' And from an integration standpoint look across all the vendors, whether it's Cisco or HPE, or any of the other 70 or so vendors that we align with. We're in a spot that we help those products become better and help those situations that you're describing in the IoT space become more secure.
What's the opportunity in IoT security for your channel partners? Can partners make money from securing IoT devices?
Bradicich: So the technology partner helps us to fill in gaps and create the end-to-end solution, if you will. … So, we need technologies to help us there from security like a startup, Spark Cognition, they do anomaly and fraud, and also hostile security detection. And that's a startup, as an example. All the way to very large partners, with products and services that help us with that area. Recently we just did a press release that Tata Consultancy Services in India, we're going to build smart cities with them, so they are a systems integrator and a channel partner. And we have the Universal IoT Platform, which is a software product that runs primarily in the cloud, and it manages cellular and mobile networks, and does device configuration and does analytics on those devices and employs security on those devices. So that will be a smart city initiative that will start with India, because it's the obvious location.
What's the opportunity in IoT security for your channel partners? Can partners make money from securing IoT devices?
Tantzen: I would argue that you have a security channel and you have a networking channel today, and there is some overlap, but I wouldn't suggest that they could both do each other's job well. And we're in the same spot right now because I have vendors that are very security-specific, but they may not know how to do servers. And they've been around long enough that they could do servers, but they've gone in a different direction.