Future-Proof Cybersecurity for Smart Buildings and the Industrial IoT

This video is part of a webinar on cybersecurity for Smart Buildings, Smart Cities, and Industrial IoT. This segment is the part specific to providing cyber protection for smart buildings, building automation, operational technology (OT) networks, and industrial IoT with DOME by Veridify Security.

DOME stops cyber attacks before they can happen and is based on a NIST-compliant zero trust framework that provides protection to every device on an IoT or OT network. All devices must be mutually authenticated, and all traffic between devices is encrypted. DOME provides security to new and existing networks, and can be embedded into OEM devices for built-in security.


Here’s a link to the original full-length webinar.

Video Transcript

00:00:00
We’re here today to talk about DOME, which is our device management SaaS platform for securing devices in industrial IoT, smart cities, and smart buildings. Just two quick slides for some of you who may not be familiar with Veridify. What I have here is sort of a very simplistic topology of what many of us would be familiar with in the outside world, and again on the right-hand side very familiar with securing many applications and platforms that run on

00:00:35
gateway hubs and more powerful processors up to the user, whether it’s over a network or a cloud. Veridify is focused on the left-hand side of this diagram, which is the small devices that connect at the edge that might be sensors, actuators, again in the IoT world, that also need to be secured. And when we say security, what we’re referring to is authentication: is that my device, is this my owner or a hub? And then protecting the data that moves between them. So in essence, complementary to some of the cybersecurity

00:01:14
that Jared mentioned in their products, which is monitoring platforms with their NICs and identifying intrusions; our technology and our goal is to prevent those things from happening. So a very, very simple introduction for Veridify and what we do. And again, just one more slide on us: we’ve been involved in a variety of complementary areas throughout the industry, recognized by some of our partners, and of course certified, in this particular case ISO 26262, for those of you familiar with the

00:01:47
automotive market. Safety certified with our tools, and PSA Certified in this particular case for the DOME client, which we’ll talk about in a few minutes. So that’s who we are as a company, and an Intel partner for many years, showing here a solution that is part of our DOME platform on display at Intel’s center of excellence in China. So just getting to the solutions that I wanted to talk about today, we really solve two problems when it comes to security in the IoT. One is device to device: many of the platforms you’ll be

00:02:23
working with, in particular FPGAs, will come with very, very good tools to protect firmware and software that you have on it, to ensure that the firmware or software that you use is in fact correct. We find that challenges come when that hub or gateway is now going to talk to an edge device and you need to authenticate, much like we do on a browser when we’re doing our banking or purchasing. But of course now, at the edge of the industrial IoT in a building, you don’t necessarily have a person there to negotiate that handshake.

00:02:55
So we’ve developed tools that will fit on very small 8-, 16- or low-resource 32-bit processors and talk to your hubs and gateways, perhaps powered by an Intel FPGA or in some cases even low-resource Intel FPGAs like the MAX10 at the edge. We support both legacy tools as well as our own quantum-resistant tools, so we’re crypto-agile. And the second thing, which I want to focus on for today’s talk, is DOME, which is our SaaS IoT device management platform. We recognize there are a lot of device management platforms out there, and

00:03:29
typically they start with: the device powers up, it has a URL, and it calls home. That’s great. But we recognized, again going to the low, low-resource devices that we typically operate with, that the device may not in fact connect to the cloud ever, only to its owner, and the owner in turn may connect to the cloud. So how do you address that? So we’ve developed a solution that allows you to onboard those devices easily and quickly. We have built in, as part of our cloud component, a blockchain credentialing capability to ensure that

00:04:01
you’re only working with authentic parts that you may be using or enabling, again an Intel FPGA, to authenticate any edge device that it’s either collecting data from or sending commands to. So I’m going to talk a few minutes more about DOME in this presentation; let’s look at some of its use cases and applications for today in addition to industrial IoT. We see smart cities, so our focus again is on the actual authentication and identification of devices in the IoT and then protecting the data moving between those devices,

00:04:37
complementing many of the solutions out there that are monitoring networks, measuring and identifying intrusions and anomalies on a network in the world of cybersecurity. We recognize that there’s a significant cost when you’re deploying a large number of devices, so we’ve created tools that allow scripting and zero-touch onboarding of those devices when they power up, challenging the network and/or owner to prove who is the rightful management owner, and managing the entire lifetime of each

00:05:09
device in the platform in a blockchain. This allows us to scale to significant volumes, and of course, as I mentioned in the introduction to the tools that we use, our tools are quantum-resistant to all known current attacks, and we do support legacy methods for certification purposes and other needs. The platform is crypto-agile and will also support various tools in the future. All key components to arguably rolling out a scalable model, for example to a smart city, but I’d like to drill down now in a use case to wrap up,

00:05:40
looking at the building marketplace as an example. Although today we often refer to buildings as smart, smart buildings, in fact buildings for years, arguably even decades, have had processors in them managing the HVAC systems, lighting, access controls, elevators, fire control systems, etc. Today for convenience we’re seeing those OT, or operational technologies, being connected to the IT systems because many building owners want to take advantage of accessing their management system or control systems through the internet,

00:06:16
through the IT side: look on an iPad, see what my power consumption is. By that connection it’s creating exposures and threats to the building, and so if a bad actor can gain access to the system they can do things to the building or, inverted, use the building as a tool to gain access to the IT network. This actually creates a significant issue because it creates a threat to the occupants of the building, and it may in fact create both a reputational and financial risk to the owner. I want to point out that this

00:06:53
is not something that we’re planning to have to deal with in the future; this is something that’s happening today. There are reports on an ongoing basis. One of my favorites is on the upper right-hand corner, where hackers used the connected OT elements of a fish tank cleaning apparatus in the lobby of a casino to access the IT system, go to the back office and steal the data on high net worth individuals. There are many other famous hacks of a similar nature. This is something that we see that needs to be addressed today: how do you

00:07:26
protect the interconnectivity between OT and IT? In the building use case what we’re looking to do is create a cyber-safe space, in other words make the building fully cyber-safe. As you can see on the left-hand side, we expect to find controls for access control, HVAC, lighting, fire sensors, in parking lots and in rooms. All the various things that are being added to buildings today to make them better, smart and more efficient. In this particular case we’re using a security gateway that enables us to connect to those controllers via TLS or

00:08:00
another secure platform to create a secure connection, and out the right-hand side put in what we call S-Link, our secure tunnel, over the building automation protocols that may be in place to connect to the edge devices. I want to mention quickly that DOME does not replace anything you may currently have in place today; it complements it, much like the way a VPN complements your existing network or platform. At the very edge on the right-hand side we have tools that can be embedded directly in a device, so for example in

00:08:35
the case here of these room monitors or thermostats, they can have a DOME client embedded in them. We are set up to manage coming protocols, and we also have a very compelling technology developed in conjunction with Intel and supported by their FPGAs, in this case the MAX10, called a bump in the wire. You may have a pre-existing infrastructure, as many buildings are, including industrial IoT, but you need to add security. The challenges and the hacks today were not contemplated five or ten years ago when you put the system

00:09:08
in. So you can actually retrofit DOME to a pre-existing system by using these bump in the wire devices. Very simply, they have all the security client components on them needed to protect the network right up into that point. On the right-hand side in this particular case, again, you may have a building device like the thermostat or what have you installed, and it will operate oblivious to the fact that right beside it is a bump in the wire, and everything going from that point up to the security gateway is now

00:09:38
running over a secure tunnel and encrypted. So a lot of different features and functionalities to complement not only pre-existing systems, but again, with the availability of our solutions all in software, we can be implemented directly in products you may be shipping today, so no need for the bump in the wire. In summary, the DOME solution that we’ve developed is software-based, so we find that it very, very nicely complements Intel’s FPGA world and how you leverage, as you need, the various platforms and capabilities of Intel’s

00:10:12
FPGAs, whether it’s at a hub or gateway or at an edge computing device. The zero-touch onboarding allows you to scale the addition of these very sophisticated products that are doing a lot of computing at the edge today. The in-field owner management and the credentialing via blockchain ensures that your supply chain is not only secure but the devices you’re putting on your system and network are in fact the ones that you ship to your customers. And the mutual authentication once a device boots up ensures that

00:10:40
it’s talking to the owner and the owner knows it’s talking to a device, and allows the delivery of additional features like over-the-air or over-the-network firmware updates, in-field provisioning, and other types of solutions. And by the way, you do not always want to be connected to the cloud, so many solutions that say “great, dial home, connect to the cloud and now you’re ready to run.” We know that many buildings, and in particular many federal buildings, do not want to be connected to the cloud because that in fact creates the tunnel

00:11:09
or avenue for the hacker. Our system is designed to work totally encased within the building and only connect to the cloud when it needs to either get new credentials or provide data from the operational elements. Again, we’re crypto-agile, so for long-term solutions (again, buildings get installed with equipment for decades) you need to be thinking about quantum resistance, and there are laws coming out today, particularly in the U.S., about cybersecurity. In particular a recent federal guideline for cybersecurity 2020 that the federal

00:11:39
government’s meant to be following, and DOME enables compliance with that particular law. Again, everything we’ve talked about today is available in software and software libraries, so they can be applied to your solution, and in fact the DOME client, which is the very edge component, runs in roughly 15 to 24K of ROM at the edge device, so it will probably fit in most of the devices you have there now, and in fact has been PSA Certified Level One at this point. So that is the DOME solution.


You can learn more about Future-Proof Security for Building Automation Systems by reading our whitepaper.

Whitepaper about cybersecurity for smart buildings

This whitepaper describes how to implement cybersecurity for smart buildings using a NIST-compliant zero trust framework.