- Transcript

(upbeat intro) From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE conversation. Hello everyone, welcome to the Palo Alto studios of theCUBE, I'm John Furrier, host of theCUBE, we're here with a special power panel on industrial IOT, also known as IIOT, industrial IOT, and cybersecurity, with the theme being apocalypse now or later, when will the rug be pulled out from everyone, when will people have to make a move on making sure that the network and security are all teed up and all locked down, as IOT increases the surface area of networks, industrial IOT, where critical equipment or infrastructure is being run for businesses. Got a great panel here, we got Gabe Lowy who's the founder and CEO of Tectonic Advisors, and author of an upcoming research paper on this particular topic. Bryan Skene, vice president of product development at Tempered Networks, and Greg Ness, the CMO, who happened to be available to join us from Tempered Networks as well. Guys, thanks for spending the time to come on this power panel. Great to be here. So, convergence is a theme we've heard every wave of innovation, the convergence of this, the convergence of networks and apps. Now more than ever, there's a confluence of multiple waves of convergence happening, you're seeing it right now, infrastructure turned into cloud, big data turned into machine learning and AI, you've got future infrastructure like Blockchain around the corner, but in the middle of all this, the security, data, networking, this is kind of the beginning of a cloud 2.0 dynamic, where pure cloud is great for computing network, you're native born in the cloud, you scale it up, it's great. 
Still got challenges, but if you're a large company, and you want to actually operate cloud scale anything, and have instrumentation, internet of things, devices, sensors, in factories, in plants, in cars, your game is changing, if it's connected to the network, it's got power and connectivity, a terrorist, a hacker, a digital terrorist can come in and do all kinds of damage. This is the topic. So Greg, we talked about this panel, what was the motivation for this, what's your thoughts? Well, it occurred to us that you know, as you look at all the connectivity that's you know, underway, billions of devices being connected, the level of scale, complexity, and the porosity of what's being connected, is just really incomprehensible, to the people that developed the internet, and it's raising a lot of issues. All around, basically, the number of devices, the inability to protect and secure and update those devices, and the sheer amount of money and effort that would have to be applied to protect them is beyond the scope of current IT security stuff. IT's not ready. 
IT, certainly, you and I talk about this all the time, but you know, I love the hype and you know, digital transformation's going to save the world. Gabe, talk about the dynamics, because the title of this panel, really the subtitle is apocalypse now or later, and this seems to be the modus operandi, is that you know, you know what has to hit the fan before any action is taken, you see Capital One, there isn't a day gone by where there's some major breach, major hack, it's a firewall for Capital One, going to an open S3 bucket from some girl who's bragging about it on Twitter, wasn't really a serious hacker, then you've got adversaries that are organized, whether it's state sponsored and or real money making underbelly activities happening, you know there are digital terrorists out there, there are digital thieves, the surface area with IOT is absolutely opened up, we kind of know that, but industrial IOT, just talking about industrial equipment, industrial activities, whether it's critical infrastructure or plant equipment for a company, this is a huge digital problem. What's your take, what's your thesis? Yes it is, and building on what Greg said, there's an interesting gap from both sides. The first is that this industrial equipment or critical infrastructure, some of it goes back 20, 25 years. It was not architected to be connected to the internet, but yet with this digital transformation that you alluded to, companies want to find ways of getting that data, putting it into various analytics engines to improve cost efficiencies or decision outcomes. But how do you do that with a lot of equipment out there that runs on different operating systems and really was not built for internet connections? The other side of the gap is that your traditional IT security technologies, firewalls, intrusion protection, VPNs, they in turn were not built or architected to secure this IIOT infrastructure. 
And that gap creates the vulnerability that opens the door for cyber criminals to come in, or state sponsored cyber attackers to come in and do some serious damage. Bryan, I want you to weigh in here. You're a network guy, you've been around the block, you've seen the networks evolve, the primitives were clear, the building blocks of the internet were, the DNS ran, most of what the internet is right now, whether you're talking about from the marketing to routing, it's all DNS based, it's IP addresses as well under that. So you've got the IP address, you've got DNS, what else is there? What can be done? Why aren't these problems being solved by traditional firewalls and traditional players out there, is it just the limitation of the infrastructure? Or is there just more cultural DNA, you've got to evolve, what's your take on this? Yeah, um, the way I think about this is that the internet that we know and we use was mostly built for human beings, I mean, it's been built for humans to use it, humans have discriminating tastes, they decide what to click on, for the most part they are skeptical, they learn through trial and error what's happened with- when people try to fool other people, a machine or you know, you've got a webpage and it's got something misleading, you learn that, you don't click on that any more. And the infrastructure we have today is built to help people avoid these problems, as well as drop packets when they can detect that something is just absolutely wrong. But machines, they don't know any of that, they're not discriminating, they've been built to, well if it's going to be on a network, to trust everything that's talking to them, and to send data and assume that the other side is also trusting them and just acting on the data. So it's just a fundamentally different problem, you know what, traditionally the machine networks have had air gaps, they've been air gapped away from any other kinds of data or potential threat. And those air gaps are gone. 
So air gaps were supposed to save us, weren't they? But they're not, are they? Well, they kept us going, as Gabe alluded, for 20-25 years, machines have been operating, operating critical infrastructure, but you know, with digitalization, with the opportunity to look at that data in the cloud, and do machine learning, and by the way machine learning's being done in the cloud just for scale, so the problem with getting the data from machines, or other things, back into the cloud is a huge issue, and if there's an air gap between say the cloud and the thing, we might be somewhere. So a lot of incompatible architectures relative to what everyone's doing with cloud, and say hybrid and multi cloud. Gabe, you know the two worlds of information technology or IT people, and operational technology people, that tend to run the IOT world, you know you do sensors to factory floors to whatever, called OT people, operational technologies. I've always said that's a train wreck between those two cultures, they kind of don't like each other. You got IT guys, they're stacking and racking equipment, OT guys, stay out of my world, I run proprietary stacks, it's lockdown. Pretty locked down from a security standpoint, IT are pretty promiscuous just in the nature of it. As those two worlds collide, is that the thesis of the catastrophe model, as you see that world coming together, what's your thoughts on this? Yes, good question. That world has to come together, and I'll give you an analogy to this. About 10, 12 years ago, a lot of people were doubtful that DevOps would ever take off, 'cause development guys really didn't like operations guys, they didn't like dealing with them. Here we are 10 years or so later, and everyone's pretty much adopted it, and they're seeing the benefits of it. This OT IT convergence takes it to a much higher level, because the stakes are so much higher, because a cyber attack can cause catastrophic damage. 
And as a result, these two teams are not only going to have to work together in harmony, but they're going to have to learn each other's stacks, in the case of the OT guys, it's their traditional OSI networking stack for IT networks. And for the IT guys, they're going to have to learn the Purdue model, which was the model that's principally used in architecting these OT systems. And unless these two teams do work together, the vulnerabilities and probabilities for a catastrophic event increase significantly. That's a great example, DevOps was pooh-poohed on early on, I mean Greg, we were back in 2008 riffing on this, now it's the mainstream. Agility has come from it, the Lean startup, all kinds of cool things, people are talking about, we love cloud, great. Now we bring the OT world together, and IT world together, Gabe, what is the benefit, what is the key ethos around operating technologies and IT guys coming together? Because you know, DevOps would simply abstract away the complexity so developers don't have to do configuration and management, all that provisioning stuff, and still have the reliability. They called it infrastructure as code, so DevOps was infrastructure as code, what's the ethos of the two worlds coming together from IT and OT? I think the ethos is, at a very high level, it's risk management. Because the stakes are so high that the types of losses that could be incurred, you know you mentioned Capital One at the top of the program, yes those are financial losses, but imagine if the losses resulted in thousands or tens of thousands of people getting infected, or perhaps dying. So the need for these two teams to work together is absolutely critical, and so I'd say the key strategic approach to this, both from the IT and the OT side, is to go into it- into strategy or cyber strategy with the premise that the company has already been compromised. 
And so that starts to get your thinking away from legacy types of technologies that were not architected to prevent these new threats, or defend against them, and now these teams have to start working together from a totally different standpoint, to try and prevent the risks of those catastrophic losses. Greg, I want to get your thoughts, you've been in the IT business for a long time, you've been a major player in it, historian as well as us in IT, what do you see as the contrast between the two cultures of IT and OT, because you got to lock down these networks, you got to have the teamwork between the two, because the surface area with IOT and industrial IOT is so massive, it's so complicated, yet it's an opportunity at the same time it's an exposure, I mean just people working at home in IT, I mean the home is a great place to target people because all you got to do is get that light bulb from Nest and you're at a fully threaded processor, you could run malware and get all the passwords from the person working at home. So again, from home to industrial, does IT even have the chops to get there? Not the way they're architected today around the TCP/IP stack, and that's the challenge, right? So from the 90's to this era, whether it's the mainframes to the networks to the internet to the enterprise web et cetera, compared to this we've had relatively incremental change, as surprising as that sounds. You know, devices being added and every year, every other year, every three years, people are upgrading those endpoints, they're adding more sophisticated security. But this world that you referred to, the worlds are in collision. It's not evolving at all in parallel. 
So, you've got devices with no security in mind, they're being connected, and you know, calling it the industrial internet of things almost underwhelms what the risk is, it should be the internet of places or spaces, because of what these devices can control, control of a factory, a hospital, et cetera, and you think back, you know, yes you've got historical perspective, you don't have to go back very far when the Russians were attacking Ukraine, you know, WannaCry, NotPetya, you know they spread all over the place in a matter of weeks, UK hospitals were running on carbon paper, postponing procedures, Maersk shipping had their shipping- they lost control of their ships at sea, and now you've got VxWorks coming along, saying you know, you're going to have to update that, because there's some serious vulnerabilities here, VxWorks is deployed across billions of devices, so I don't think historically there's really a precedent, I mean, if you want to tap into a common interest with military history, you don't even have the semblance of a Maginot Line, and that was a pretty imperfect protection scheme. I mean, the opportunity to infect governments, take 'em down with misinformation, to actually harming people say through hospital hacks for instance, you know, people could- lives were in danger. And there's also other threats, I mean, you mentioned, it takes one device to be penetrated, at home or at work, I saw an article, came across my desk, I saw IBM did some research, this concept of war shipping, where hackers ship their exploits directly on WiFi devices, so people get these devices, hey, free you know, Nest light bulb or whatever's going on, they install it in their home, oh it's got, I got a free WiFi router, uh-uh, it's got built in malware. It's just got WiFi connectivity. So again, the exploits are getting more complicated, Bryan, the network has to be smart. 
At the end of the day, this cloud 2.0 theme is beyond compute and storage, networking and security are two underdeveloped areas that need to evolve very quickly to solve these problems, what's your take on this? Well, my take on that is that our approach is that if the network has to be so smart that it can watch everything and understand what's good and bad, then we're doomed, so we're going to need to also combine watching packets, the traditional method, deep packet inspection, with divide and conquer. Frankly, it's- as Tom and I said before, the air gaps are gone for OT. I think we need to figure out a way to divide up the networks of things, and give them clean networks if possible, and try to segment them away from the network that the rest of the things are on. So, you know, we don't have enough compute power, we don't have enough memory and resources, but that's not really the fit. We just don't understand what is good traffic versus bad traffic, and we talk about zero-day attacks, and we talk about, try to chase that down with signatures, and you know the- you can watch transactions, people say AI and machine learning, but machine learning means learning good and bad from people. How do companies fix this, what's the answer to all this, or is there one? Or is it just going to take catastrophic loss to wake people up? Well we can't react to the problem, that's one thing that we all can probably- we all know that if we wait for the catastrophe, and then we try to react to that and solve it, that it's already gone, it's too late. I mean, this is a geometric expansion in complexity of the problem, I don't think there's a silver bullet, I think that there's going to be several things that need to be done, one is to keep inspecting traffic, but another one is again segmenting things that should be talking to each other, away from things that they should not be talking to. And trying to control the peers in the network of things. 
And you know, Greg, something you said reminded me, fundamentally with networking, the TCP/IP, we are using the IP address to mean the location, say if we're talking about places, we're talking about the location of something and the identity of that thing, and most of our security policies are spelled out in terms of something, an IP address, that is not under our control, and the network has to be kind of so complex as it is growing, with mass proxies, you know, motion, mobility, things are moving. A lot of this wasn't foreseen. So, Gabe and Greg, do we have to build new software, a new naming system? Do we have to kind of level up and put an abstraction layer on top of the existing systems? What's the answer? The answer is a layered approach. Because to try and do a complete rebuild or a retrofit, particularly with different operating systems, different versions, incompatible systems, billions of devices, and various types of security solutions that were not built for this, that's not a practical solution. So you've really got to go with an overlay strategy, people are always going to be the vulnerability, they'll fall for phishing attacks, that's why the strategy is that we're already compromised. So if the attacker is already in our network, how do we contain them from doing serious damage? So one strategy for this is micro-segmentation, which is a much more granular approach, to prevent that lateral movement once the attacker is inside the network. And then when you go from there, you can pair that with Host Identity Protocol, which has been around for a while, but that was architected specifically to address the networking and security requirements for the IIOT environment, because it addresses that gap that we were talking about between traditional security solutions that lack this functionality, and it only allows white-listed communications between hosts or devices that are already approved and only approved to communicate with one another. 
So you could effectively do a lockdown even if the attacker is already inside your network. I want to get back to some of the criteria on this, and I want to also put the plug in for the Tectonic Advisors report that's coming out that you are the author of, called Securing Critical Infrastructure Against Cyber Attacks, I read it, great paper. The line that I read, I want to get your thoughts, I'm going to read it out loud, I'd love to get your thoughts on this, Gabe or anyone else who wants to chime in, it says industrial IOT cybersecurity is beyond the scope of traditional firewall and VPN solutions, which would struggle to keep up with the scale and variety of modern attacks. What do you mean by that? Give an example, tell me what you mean by that sentence, and what examples can you give? Well, I'd say the most important thing is that firewalls were initially built to protect what we call north-south traffic. In other words, traffic that's coming in from the internet into the organization and back out. But now with network expansion, cloud adoption and more and more devices, industrial devices being connected, these firewalls cannot defend against that. They simply were not architected for it, they cannot scale to those proportions, and even if you're using software only versions, those aren't effective either because they do not protect against east-west, or in other words lateral, traffic. So if you're an organization moving IIOT data from your OT systems across your network into IT analytics systems or software, that's lateral movement. 
Your firewall- traditional firewall, is just not going to be able to handle that and protect against it, so in simple terms, we need a new overlay, not to say that firewalls are going away any time soon, they can still protect north-south traffic, but we need a new type of overlay that can protect this type of traffic, micro-segmentation is the strategy to do that, and using Host Identity Protocol, or HIP, is what fills that gap that your traditional security tools were not designed to protect against. Greg, I want you to weigh in on this, because you're in this business now, you know the IT world, the criticality of what you just said is super critical to the nature of business, you know the catastrophic examples are there, but IT does not move that fast, you know IT, IT's like molasses, I mean they're slow. What is going to light a fire under IT to get them to be sensitive, I mean it's pretty obvious, can they get there, do they have to restructure, what has to happen in the IT world, because you know, it is a catastrophic end game here if they don't nail down this traffic protection. Well a part of the- you know, part of it is education. Because we've been- we've seen wave and wave of incremental innovation in the network, and when it happened it seemed so big and it produced huge market cap growth with a lot of companies, you know, play this guessing game of who is really connecting to the network. And it's evolved kind of gradually, to this big leap we have ahead of us, and IT is going to have to become aware that IIOT is a fundamentally different problem and challenge to solve, and that's going to require new thinking, new purpose built, like Gabe said, approaches, anything like the traditional firewall segmentation is just not going to address what we talked about, the scale issues, the resilience, right? So, some of these devices, you don't want them off for one or two percent of the time. And the implications are that it's much more serious. 
So I think that, you know, more types of attacks are inevitable, and they're going to be even more catastrophic, and we're all aware that NotPetya and WannaCry raised a lot of eyebrows just for how quickly they spread and the damage they caused. And we've just seen VxWorks vulnerabilities being announced. We need to prepare now. Malware and worms are still popular, it's a problem. Well guys, thanks so much for spending the time on this panel, I'll give you the final word here, share what you think is going to happen over the next 24 months, 12 months, is it going to take catastrophic failure, what's going to happen in your mind, what's going to end up being the trajectory over the next, you know say year. Well, unfortunately, sometimes it might take a catastrophic event to get things moving, hopefully not, but I think there's growing recognition as IIOT is growing, that they need new ways to secure this movement of data between OT and IT, and in order to facilitate that securing of data, you're going to have to have that OT and IT convergence occur, because the risk, as you sort of alluded to earlier John, we hear in the headlines about massive data breaches and all this data that's stolen. But the risk in IIOT is not only the exfiltration of the data, the risk is that the attacker has the capacity to take over the infrastructure. And if that happens in a hospital, if it happens with a water treatment facility or a government type of defense installation, the outcomes can be disastrous. So the first thing that has to happen is OT IT convergence. 
Second, they have to start thinking strategically from a standpoint that they have already been breached, and so that changes their viewpoint about the technologies that they have to deploy, and where they have to move to, to efficiently get to what I call the "ilities", and that's the- you still need the availability, you've got to have visibility into this traffic, you need reliability of this network, obviously it's got to be at scale, it's got to be manageable, and you need security. Well, we'd like to have you on again Gabe, because we've talked about this from a national security perspective, not only the hackers potentially risking the business, the business risk there, there's a national security overlay because you know, if a government's attacking our businesses, that's like showing up on the shores of our country, it's the government's job to protect the freedoms and safety of the citizens, and that includes companies. So why are companies defending themselves with all this capability, what's the role of government in all of this, that's a very important, I think a longer conversation. So, let's pick that one up, a separate one, my favorite topic these days. Critical infrastructure, even if it's just business, it's the grid, it's the plants that run our country. And John, what I'd like to add to that is, I was talking to a friend of mine who's a CIO down here in California yesterday, and we were talking about the ransomware, right, that was taking down all these cities. And you know, he goes, well the difference between what you guys are talking about and that, is that you can back up your IT systems, right, into the cloud, and that's a growing business to kind of protect and then replicate, game over, and he goes, can you back up a hospital? Can you back up a manufacturing plant? Can you back up a fleet of ships? You know, can you back up a control center? Not really, when you lose physical control, it's game over. And people, I think that really needs to sink in. 
And that was, I think, in Gabe's paper when I first read it, that's what really struck me about it, this is a different ballgame. Well, I mean, there's many points, there's the technical point there, and there's also the societal point of- you imagine things being taken over by hackers that physically can harm people, and that's again the societal side, technically the incompatible architectures are coming home to roost now, because there's the problem right there, that's the collision that's happened I think, and a lot of education needs to happen fast, Gabe, thanks for writing that paper, critical infrastructure against cyber and securing it, Bryan, thanks for coming on, appreciate it, you want to say, get the final word Bryan, go ahead. Your thoughts, next 12 months. I think that if our future, it depends on OT and IT coming together and a lot of education, a lot of change, I don't think we're going to get there, I think that what's going to happen in the next 24 months is that you know, there are lots of innovative schemes and companies and people, working on this, and what we need to do is lay down infrastructure that allows OT and IT to keep operating, and not have to do a forklift upgrade and everything that they do, their processes, or teach the things how to protect themselves, and again I'm going to go back to air gaps in the network, make a logical air gap, if you imagine driverless cars driving around they're not going to, imagine them sharing the same network that we're using to use Snapchat and look at cities and you know, sitting on the internet and looking at Facebook. We're not going to want that. So we need to try and figure out a way to separate the location of the thing from the identity, create policies in terms of the identity, manage that in a new layer, and do it in such a way that doesn't change IT. To me that's the key, 'cause I- we've said it here, IT doesn't move that fast, they can't. 
It's not a matter of willpower, it's a matter of momentum and inertia. Well, I think the forcing function on this is going to be a catastrophic event, the subtitle of this panel, apocalypse now or later. And in my opinion, Greg's been, you know, on this JEDI Department of Defense story. I believe this is one of the most important stories in the technology industry in a long, long time, it really highlights the confluence and convergence of two differently designed infrastructure technologies, that have to, in a very short time, be re-platformed at high speed, in a very fast, short time frame, because the stakes are so high. So guys, thanks so much for spending the time here on this power panel, IIOT, industrial IOT and cyber security, apocalypse now or later, something's going to have to happen, it has to happen fast. Gabe, Bryan, Greg, thanks for taking the time. This is a CUBE conversation here in Palo Alto, power panel, I'm John Furrier, thanks for watching. (upbeat music)