Interviewee: Benjamin Wald, Founder at Very, helping companies build Mobile, IoT & Data Science Solutions.
Security is a big subject, but that doesn’t mean you can’t learn a lot in a short amount of time. We know people are busy, but for those that are still hungry for better ways to approach securing their organizations or clients, we’ve created Small But Mighty.
Twice each month, hosts from Attila Security’s Sales and Marketing teams host a 15-minute coffee chat with innovators and thought leaders in the cybersecurity space to provide big insights in a bite-sized format.
Watch the video conversation here, or check out the summary or full transcript below.
Learn more about the topics discussed in this video:
- How Remote Monitoring is Changing Manufacturing
- What Engineering Leaders Need to Know About IoT Security
- IoT Security Issues: Legacy Hardware and Software
In this Episode
Meet Benjamin Wald
Benjamin, Founder and Head of Client Strategy, joins Stacy and Joe to discuss how the future of manufacturing is going remote.
Why coffee & security have more in common than you think.
Ben out-coffees both Stacy and Joe with his in-depth and well-researched morning coffee ritual. Note: it’s a 25-minute process! As Joe enjoys his Colombian 8 o’Clock and Stacy admits she prefers Folgers in her cup, Ben smoothly shares that each step of his preparation may make only a statistically minor impact on the end result, but it’s the combination of those specific steps, however small, that adds up to the best dang cup of Joe. Not unlike... cybersecurity.
You're getting incremental improvements and you end up with something good at the end.
Remote monitoring, industrial IoT in manufacturing
Ben starts the chat off by reminding us all that while COVID-19 and the mass transition of on-site to remote during the first part of 2020 is certainly a headline-grabbing event, remote security has been critical since the very first time any work was completed on technology outside of the ‘office’.
Many companies have quickly shifted remote-monitoring from a Q3 2022 initiative to a right-now one.
What does that look like for a machine builder? It’s not uncommon for a manufacturer to lose connection and communication with a completed unit once it is installed on location. Whether intentionally or not, the piece of equipment will not have the technology to connect to a cellular backhaul. This disconnect between the unit's performance and the builder creates an expensive gap between the moment the machine stops working, when the client calls eager for a fix to mitigate loss, and the moment a solution is in place and the machine is running again.
There's no black box for industrial machinery.
Physical distance from the machine is rarely to blame for the length of downtime; instead, it’s the analysis of how, what, who, where, and when the unit broke. Without a ledger of data from the unit itself, this analysis is arduous and frustrating.
“This lack of black-box problem is something that we've seen across a lot of different industries and you can solve through equipping machinery and devices with proper remote monitoring capabilities.”
The ROI of remote-monitoring for both manufacturers & machine builders
A project as deep and wide as remote monitoring doesn’t get off the ground without a return on investment (ROI) conversation. While ROI traditionally refers to the financial gain of an investment, in this case it means different things to the manufacturer and to the machine builder.
For manufacturers, the ROI equation can be plotted by looking at efficiency gains, cost-reductions, and fewer scrap materials.
For the machine builder, the equation is much more about unlocking new business opportunities and potential revenue streams. For them, accessing aggregate fleet-based data on their devices out in the field provides invaluable insight.
Why is doing this right so important?
Now convinced that remote-monitoring should be an essential practice, Stacy does ask a great question:
“What are the security implications of doing this right? Because now we're asking a bunch of machines to put a bunch of information out into the world that could easily be read by someone who shouldn't be seeing it. So how, how are you guys proactively approaching the security side of that conversation?”
Ben explains that air gapping has traditionally been the way cybersecurity is addressed in manufacturing. The risk/reward ratio had never tipped far enough for transmitting data via the cloud to be considered worth it.
He suggests that the best way to mitigate the risk is to reduce your overreach. There are a number of ways an antiquated process can be improved by industrial IoT, but doing too many at once increases vulnerability. Instead, focus on a single need for data transmission and improve upon it until it’s as secure as possible.
Keeping remote-monitoring functions and devices passive, able to read but not to write or issue orders, is another way to reduce risk. While there is still a possibility of data siphoning, keeping the functions of a device as passive as possible cuts down on the ways it can be attacked.
Lastly, Ben suggests monitoring for devices that are operating outside of their known thresholds. An early and easy indicator that a device is potentially compromised is that it functions and behaves differently than expected.
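The threshold idea above can be sketched as a per-device baseline check. This is an added example, not code from the interview or from Very; the metric names, the device readings and the band width (4 scaled MADs, with a 2% floor) are assumptions chosen for illustration.

```python
from statistics import median

METRICS = ("cycles", "bytes_sent", "bytes_received")

# Constructed sample: eight hourly readings from one hypothetical
# read-only monitoring device during normal operation.
HISTORY = [
    {"cycles": 120, "bytes_sent": 5200, "bytes_received": 300},
    {"cycles": 118, "bytes_sent": 5100, "bytes_received": 310},
    {"cycles": 122, "bytes_sent": 5300, "bytes_received": 295},
    {"cycles": 119, "bytes_sent": 5150, "bytes_received": 305},
    {"cycles": 121, "bytes_sent": 5250, "bytes_received": 300},
    {"cycles": 120, "bytes_sent": 5200, "bytes_received": 290},
    {"cycles": 117, "bytes_sent": 5050, "bytes_received": 315},
    {"cycles": 123, "bytes_sent": 5350, "bytes_received": 300},
]


def robust_band(values, k=4.0, min_rel_spread=0.02):
    """Return (low, high) around the median of `values`.

    The spread is the median absolute deviation (MAD) scaled by 1.4826,
    so a single past outlier in the history does not widen the band.
    A floor of min_rel_spread * median keeps a very steady machine from
    producing a zero-width band that alerts on every reading.
    """
    values = list(values)
    if len(values) < 5:
        raise ValueError("need at least 5 readings to form a baseline")
    mid = median(values)
    mad = median(abs(v - mid) for v in values)
    spread = max(1.4826 * mad, min_rel_spread * abs(mid))
    return mid - k * spread, mid + k * spread


def build_baseline(history):
    """Map each metric to its (low, high) band for one device."""
    return {m: robust_band(r[m] for r in history) for m in METRICS}


def out_of_threshold(reading, baseline):
    """List (metric, 'low' | 'high' | 'missing') for each deviation.

    A metric the device stopped reporting is itself a deviation.
    """
    findings = []
    for metric in METRICS:
        value = reading.get(metric)
        low, high = baseline[metric]
        if value is None:
            findings.append((metric, "missing"))
        elif value < low:
            findings.append((metric, "low"))
        elif value > high:
            findings.append((metric, "high"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed readings: normal hour, unusually large upload with
    # normal cycle count, and a machine that has slowed down.
    for reading in (
        {"cycles": 121, "bytes_sent": 5180, "bytes_received": 302},
        {"cycles": 120, "bytes_sent": 48000, "bytes_received": 305},
        {"cycles": 40, "bytes_sent": 1900, "bytes_received": 300},
    ):
        print(reading, "->", out_of_threshold(reading, baseline) or "ok")
```

A jump in `bytes_sent` while `cycles` stays in band is the case worth a closer look on a passive device, since its workload did not change but its outbound traffic did.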
To make edges more or less intelligent?
Joe asks, “In terms of the AI aspect - is collecting all this data and then understanding how that particular piece of equipment works and pulling out anomalies, is this something that is becoming more and more popular in manufacturing? If so, a lot of that stuff is in the cloud. Are some of the manufacturers doing that on-prem too, because of the threat of security?”
Ben’s reply really should be read in its entirety:
“...it's funny because there's this tension that we see across projects, you know, where there's this push to make the edges dumber and then there's this totally opposite push to make the edges a lot smarter. When we're thinking about building a system, for example, a consumer electronic device, you typically want to keep the edges as dumb as possible, right? Which means that edge computer, that device has just as much compute power as it needs to function.
But, then you're doing all the heavy lifting in the cloud in terms of like a machine learning algorithm, predictive modeling, things that require heavy computation happens in the cloud, then sends a particular model maybe back to the edge.
Then there's this other tension which is when you have situations where you're dealing with high-frequency data or huge amounts of data or you have a device that is sitting in a mesh network and that device might not have connectivity and it needs to connect to other devices in order to send packets. There's this push to make the edge as much smarter to where they can actually run algorithms that will compress data or that will do things that are computationally intensive.
I'm seeing both moving forward. The best that I can come up with is that it's on a case by case basis.
I would think over time the edges are going to get smarter and are going to be able to hold intelligence and hold you know, security parameters to trigger, you know, from themselves versus having to call home or having to wait for the data to go back to the cloud to be analyzed and then, you know, some indicators start flashing red."
Virtually every industry has gone ‘remote’ and manufacturing is no exception. While it might be a few years before organizations implement industrial IoT solutions that allow engineers and machine operators to work from their homes, manufacturers are beginning to use remote monitoring for a variety of benefits.
As with any IoT application, security is the top priority. Ben shares where he sees companies benefitting the most from industrial IoT and how he would approach building device connectivity.
Stacy: Welcome to the second episode of Small But Mighty. Security might be a big subject, but that doesn't mean people can't learn a lot in a short amount of time. We know people are busy, but they are still hungry for better ways to approach securing their organizations.
So twice each month we'll be hosting 15-minute coffee chats with innovators and thought leaders in the cybersecurity space to provide big insights in a bite-size format. I'm Stacy, and this is Joe. We are your hosts from Attila Security. And today we are here with Benjamin Wald, founder and head of client strategy, at Very. Hi Ben, tell us a little bit about yourself and what you've been working on lately.
Ben: Goodness. Well, let's see a little bit about myself. I've been doing this for eight years now and, so founded the company and you know, started as a small group of web and mobile application developers. And now we've grown into the company we are today with a heavy focus on IoT, and that kind of splits between consumer wearable devices.
And then industrial IoT is kind of the trendy term which really just means working with either machine builders or manufacturers or things, internet connected, things that are more industrial in nature. And so obviously in both applications, security is a huge consideration, both during the development and engineering process. And then also when you have product live in the field. So happy to be here and happy to share whatever I can.
Stacy: Well, thanks for joining us and I hear coming into today's conversation, you have quite a few opinions about this, so this should be very interesting. We're gonna start out and talk about what everybody's drinking today. So what is your, your coffee of choice?
Ben: I have Ethiopian microlot from a local roaster. I think Ethiopian is my favorite. I think it's from the Yirgacheffe region, probably not pronouncing that right. And this brew is using a Chemex process this morning.
Stacy: I think most of what you just said was in a different language. I'm drinking tea from Trader Joe's. So I love learning about new beverages when I'm on the show for sure.
Joe: And I'm drinking a boring old Colombian eight o'clock coffee. So I'm not a super high tech coffee like you are, Ben. Well, no problem to each his own. Yeah.
Stacy: If I'm drinking coffee, it's usually Folgers. I almost am embarrassed to admit that.
Ben: So, so I'm going to throw my one coffee opinion out here. So I there's, there's like my coffee ritual in the morning, it's like a 25 minute process. And you know, and it involves heating the water to the right temperature.
I've got a scale, I measure the beans grind the beans, you know, and then the Chemex process is like, you know, several different stages, right? And you know, there are all these like nuances, you know, how you pour the water into the coffee. And I was thinking about it and I was thinking, you know, like, what, what impact does this really have on, on the, the out, you know, the output, right? The taste.
And what I realized and this may be correct or incorrect, but, but all of these things contribute like marginally, you know, like heating the water up to the right temp has maybe like a 5% improvement on, on end flavor.
You know, how you grind the beans is maybe like a 15%, you know, the freshness of the coffee beans is probably like a 40%. And anyways, long story short, when you stack all these things together then I think you end up with like a great tasting coffee. And so I say that to say...
Stacy: Leave it to a developer to go and like break down the percentage improvement every step has in the coffee making process.
Ben: Well, well I'm going to tie, I'm going to tie it together to this conversation, which is, this is, this is, we're going to go for it. I think I think about security in the same way that it's not about doing one thing, right.
It's about taking account of all of the little steps along the way and the like incremental improvement that you can make to your security framework. And like, at the end of the day, you never get to a hundred percent. Nothing is nothing, things built by humans can be taken apart and destroyed and hacked by humans.
Right? So you never get a hundred percent with coffee. We're probably not ever like extracting a hundred percent of the possible flavor there, but all of these little steps along the way, you're getting incremental improvements and you know, you end up with something good at the end.
Stacy: Just, just wow. Like, I don't even think we need to have the conversation now. Well, let's dive into why we're here today and what we really want to talk about is the importance of remote monitoring and manufacturing and looking into what the future of industrial IoT really looks like. So tell us your opinions there. I'm sure you've got plenty given how many you have about coffee.
Ben: Let's see. So you know, remote monitoring is a big topic. And you know, anything remote, you know, as a first word is, is a topic of interest right now because of COVID-19.
Everybody is thinking about, you know, how can we, how can we optimize process and in a situation where we can't send physical bodies to a particular place how are we going to do our business? How are we going to secure things? How are we going to manufacture? How are we going to develop?
And so the importance of remote monitoring is something that is definitely not a new concept. But I think it's, it's, you know, one of the areas that is under a spotlight right now and we've had, we've seen in our line of business, a lot of companies reach out to us, you know, now that maybe remote monitoring was on, you know, 2022 roadmap.
Ben: You know, something out in the future that has now been shifted up in priority. And the remote monitoring aspect is I think takes, you know, a handful of different avenues for a machine builder, extremely relevant to build in that capability. Because as they are sending their machines onto customer sites, they usually lose all contact, right?
Once they send it they have no more visibility. Whether that's because the facility that it's in is intentionally air gapped, you know, or for whatever reason they don't have, they don't send the piece of equipment with the technology to connect to a cellular backhaul. You know, if they're, if they can't, for whatever reason, get on the wireless network, they don't you know, so what, what that results in is, is that the only time that the company is contacted is when something is broken, you know, and then their customers, you know, shoe banging and downtime, expensive, frustrated.
Ben: Yeah. And then, and then the the thing that we've seen over and over again is as like a, maybe we'll call this a paradigm is that there's no black box for typical, typically for like industrial machinery.
And what I mean by that is that when the machine builder gets a call, says this thing is broken, very hard for them in a lot of situations across industries, for them to be able to go backwards in time and run like a thorough analysis of like what happened that led to that part breaking.
Stacy: So the forensics side of it. Like there's not really a way to go.
Ben: Exactly. So this lack of black box problem is something that we've seen across a lot of different industries that, that you can solve through equipping machinery and devices with, you know, proper remote monitoring capabilities.
Stacy: It's like microchipping your dog, right? All of a sudden, you know, everywhere it's been. Okay.
Ben: So that's the intro to remote monitoring and why it's important.
Stacy: One of the other interesting things and Joe, this might be where you were headed, so feel free to...
Joe: Yeah, I was, I was just going to ask, that's interesting that you're looking at it from the manufacturer of the equipment's perspective as opposed to the, the client that's using the equipment, you know in the plant or on the factory floor.
So are do you find that you're working with more of the manufacturers to, to solve these problems or are there no, sort of, providers that, you know, the clients that are coming to you and saying, "Hey, I wanna I want to do something here and learn more about my internal you know, what's happening on the floor and from a remote standpoint?"
Ben: Yeah, both. So we do work with manufacturers and with manufacturers. The ROI part of the equation is, is you know, efficiency is, you know, optimizing throughput, you know, is implementing things that can, you know, like make small incremental improvements to, you know, cost or like, you know, reducing scrap, those types of things with machine builders.
It's a very different type of an ROI equation. And, and so manufacturers it's more about saving machine builders, it's more about unlocking new business opportunities and potential revenue streams. And so we, I think we end up working more with machine and device builders than manufacturers. Even though we have had some of those discussions.
The question though is, is in a manufacturer setting, like how much are you actually moving the needle by providing better dashboards, you know, or by providing better visibility and like some needle movement but not as significant as, you know, with potentially the machine builder who has an SLA for that piece of machinery, you know, or who is the creator of a device that is out in the field that, you know, wants to know about aggregate fleet based data.
Joe: Right. No, that makes sense. That does. And I can see it as a real differentiator for that builder for sure.
Ben: Yep. Thanks.
Stacy: So let's look at then, what are the security implications of doing this right? Because now we're asking a bunch of machines to put a bunch of information out into the world that could easily be read by someone who shouldn't be seeing it. So how, how are you guys proactively approaching the security side of that conversation?
Ben: Yeah, it's a huge concern. And, and frankly you know, the main reason why a lot of manufacturing facilities are air gapped to begin with is just because the, you know, even though it is well known, well-established that, you know, putting data in the cloud or creating that connection, you know, has huge benefits.
You know, there are tons of machine learning models that you can apply to specific machines and, and do predictive maintenance out of the box. But you know, the reason why I think people have pulled back is, is that the risk reward you know, equation wasn't there. Right? So you, you keep everything totally air gapped because it's just not worth it if, if there's some type of hack. So I say that to say security is a huge concern. Security is, is something that we think a lot about.
Ben: And if I were to I don't know, throw like two starting points of, you know, advice or things to think about number one would be not to overreach.
And what I mean by that is that when we are thinking about you know, retrofitting machinery with, you know, intelligence and sensors or cloud connectivity capabilities there, there is a tendency to want to try to do everything or build this to be extensible and build this to do, you know, to do both, you know, pulling data out into the cloud and also then, you know, automatically sending new orders or corrections or optimizations back into the machine.
And the thing that we pull back on and we say, you know, every time you reach a little bit more, you create a new vulnerability. And so for example, with remote monitoring, if you keep that device purely passive, all it can do is read, can't do any writing, right?
Ben: It can't, it can't issue any orders. All it can do is read. You've dramatically cut down on a vector of vulnerability. So number one is, is, you know, don't, don't overreach. When you are building device connectivity. I would say number two is when even in a passive device there's, there's risk of, you know, something like data siphoning.
And one of the things that, that we think about is pattern of life for devices, for equipment. And pattern of life is more or less that I guess, you know, put in, in simple words. This machine should be doing these things consistently within this threshold, right? It is running this number of cycles. It's sending and receiving this amount of data. And even, you know, you can look at it from the operator perspective, like operators are typically doing these actions and over a long period of time you can you can assess what a typical pattern of life for that piece of equipment would be.
You know, and then when you have fleet wide data, right, that becomes a richer data set, you know, and when, you know, we can look across industries it becomes a much richer data set. And so you can start to use some of those indicators that can monitor, you know, if a machine is acting unusually or operating out of threshold and is you know, an indication that to jump in and see what's going on. Yeah.
Joe: Yeah. I've been seeing a lot of that as well. Ben, in terms of the AI aspect, right? Is collecting all this data and then making understanding how that particular piece of equipment works and then you know, being able to pull out anomalies as you say. Yeah, I see that becoming more and more popular. A lot of that stuff is in the cloud though. Are they, are some of the manufacturers doing that, you know, on-prem too, you know, because of the threat of security?
Ben: Good question. The, it's funny because there's this tension that we see across projects, you know, where there's this push to make the edges dumber and then there's this totally opposite push to make the edges a lot smarter. Right, and, and so when we're thinking about building a system you know, for I don't know some type of, you know, consumer electronic device, you, you typically want to keep the edges as dumb as possible, right?
Which means that that edge computer, that device has just as much compute power as it needs to function. But then you're doing all the heavy lifting in the cloud in terms of like a machine learning algorithm or you know, some type of you know, predictive modeling or you know, whatever, whatever, like heavy computation happens in the cloud, then sends, you know, a, a particular model maybe back to the edge.
Ben: Then there's this other tension which is when you have situations where you're dealing with like high frequency data or huge amounts of data, you know, or you have a device that is sitting in a mesh network that is, you know, that device might not have connectivity and it needs to connect to other devices in order to send packets. You know, home.
Then there's this push to make the edge as much smarter to where they can actually run algorithms that will compress data or that will do things that are computationally intensive. And so, so anyways I, I'm seeing both moving forward. And the best that I can come up with is that, you know, it's on a case by case basis.
I would think though that over time the edges are going to get smarter and are going to be able to hold intelligence and hold you know, security parameters to trigger, you know, from themselves. Versus, you know, having to call home or, or having to wait for the data to go back to the cloud to be analyzed and then, you know, some indicators starts flashing red. Yep. That makes sense.
Stacy: Yep. One of the other really interesting like COVID-related things we've seen with this that's, that's newer has been the opposite direction, right? We're talking a lot about receiving information from these edge devices, but all of a sudden there's people who can't go in to the plant to work, but they still want to get the plant working. Right? So remote access to control and tell these devices what to do is a completely new look for IoT essentially. Yep.
Ben: Yup. Yeah, it is. And I, you know, I, I put that in the bucket of something that we care a lot about, which is just working remotely and, and being a high functioning distributed team. You know, and we have a lot of, a lot of thoughts on that. We've been remote first as a company since inception.
So we we, we had an office for a while. I had a thought that we needed like a fancy office to bring clients to, you know, and impress them with like a nice conference room. But it turns out that we just use the office so little that and we've been able to, you know, we've been three years now without an office.
And like there's no reason to carry that overhead. So anyways, point me in a direction and I'm happy to talk about, you know, remote collaboration, distributed teams.
Stacy: That's probably a whole chat in and of itself. As is the topic of coffee, most likely. This has been incredibly useful as we look towards what the future of you know, IoT in the industrial space looks like. If there's, you know, a parting thought you leave with anybody who's thinking about going in that direction for the first time, what would it be?
Ben: Hm. My parting thought would be that thinking through the, I don't know if Justin touched on this, but one of the things that I think about a lot is over the air firmware updates and it's an area that we are like really passionate about. And it's like totally nerdy topic but over the air firmware updates.
And there are a lot of gotchas in that process and it is so important when you start to get into the world of resumption and binary diffs and deltas and how you are managing that firmware life cycle and how you are updating, you know, devices that are out in the world.
And when I think about, you know, industrial IoT and consumer IoT and what a future looks like with billions of devices coming online and intelligence all around us one of the key pieces of infrastructure to make that a reality is that we can communicate over the air reliably and be able to update the firmware on all of these devices. And so my parting thought is to think through that.
We typically lean on a framework called Nerves. Which you know, is, is an open source platform and project that we contribute to and is a, is a great solution for that. But again, that's probably a whole other topic of conversation.
Stacy: So it's perfect segue into reminding people that they can go watch an entire coffee chat with Justin about exactly that subject which we'll link to right in the show notes. So you're just to get people deeper into, into coffee chats. So it was perfect.
We should, we should pay you for marketing. Happy to help. It's been great. Well, thank you so much for joining us and make sure that you come back and join us twice a month for our 15 minute security chats. Learn more about different ways to secure your organization. Thanks. Bye.