This article appeared in Evaluation Engineering and has been published here with permission.
What you’ll learn:
- Cybersecurity issues.
- What is NanoLock Security?
- Thoughts on cybersecurity solutions.
Security is a matter of degree. At its most basic level, a lock is there primarily to keep honest people honest; no lock will stop a sufficiently motivated intruder. The same holds, to a degree, in cyberspace: no system is inviolate, and even a well-engineered system can be bypassed by phishing one of its legitimate users. That is precisely why having the most capable security suite available matters.
Among the solutions being offered to the industry, NanoLock Security is a device-level protection and management solution that addresses IoT device security, with management from the cloud. Offering protection against outsider, insider, and supply-chain attacks, NanoLock provides secured and managed firmware updates, status reports and alerts, and forensic data (see figure).
Presented as a lightweight solution with what the company describes as a zero power, processing, and memory footprint, NanoLock’s protection and device-level visibility and control target application spaces such as smart cities, utilities, automotive, and industrial. The company is working with utilities, industrial companies, and large ecosystem partners worldwide. NanoLock is headquartered in Israel with offices in the US, Europe and Japan. We recently spoke to Yanir Laubshtein, VP of cybersecurity solutions at NanoLock, about the current threat environment and how the company is addressing it.
EE: Glad to be able to chat with you, Yanir. Security isn’t a new issue, is it? Cybersecurity is just what we call it now.
Yanir Laubshtein: Glad to be here. I have a background in governmental agencies, mostly. I was the head of the cybersecurity operations for the Ministry of Energy in Israel, regulating most of the privately owned critical infrastructure, starting with power plants, going through gas distribution facilities, and ending with water treatment facilities. I originally came from the prime minister’s office, mostly from the cyberdefense domain.
EE: When it comes to security, some feel that it’s in an evangelical phase right now, where the solutions exist, and they’re slowly propagating out. But some people need to be educated on why they need it, and the others need to be educated on how to use it, and what solutions are available to them. What’s your take on that?
Laubshtein: I totally agree with you. The solutions are out there, but people are having difficulty knowing and mitigating the risks. When you talk to engineers, they care mostly about maintaining the functional continuity of the device, system, facility, or whatever. When you talk with cybersecurity professionals, they care about securing things, not necessarily keeping them up and running. You need to bring these two opinions to one table, introduce them to one another, and make them understand that they can operate alongside one another without disrupting one another.
There is, of course, the management side of things, which wants to maintain the facility and keep it up and running, regardless of cybersecurity issues or whatever. So, the solutions are all there, the different stakeholders just need to get to know the different risks, and how to mitigate them with the right and proper solutions without interfering with the business continuity of the process itself.
EE: What sector do you feel is the most aware and advanced? Some organizations could be more aware and not as advanced, and some could be less "aware" but more advanced. Then, of course, there are those that don't even know what they don’t know. What areas do you feel are the most sophisticated in this right now, and what areas do you feel really need help?
Laubshtein: It’s a combination of many things. Is it coming from regulation, or not? Are the local regulations coming from the government tasking the different facilities industries to take care of the cyber risk? This is one thing. The second thing is the maturity of the organization itself. Is the management fully aware of the cyber risk, and how it can influence their business? Last, but not least, it also involves the people who are dealing with the process or with the organization itself.
Regarding industries, as far as I know, the most mature one is what we call the critical infrastructure domain, because it is heavily regulated and the outcomes of a cyber event are the most severe. But yet again, we do see some other industries, like the manufacturing industry and the pharmaceutical industry, that are quite mature, well aware of the risk, and making a lot of effort to mitigate it. So, it’s a combination of a few elements: culture, regulation, maturity, and so on.
EE: So why don’t you explain to us how NanoLock fits into this cybersecurity ecosystem? Where do you insert value?
Laubshtein: I think that NanoLock introduces a fresh and unique approach to things. First of all, we're providing device-level protection against outsider and insider supply-chain attacks, regardless of the network or physical access they have to the device itself. Why we think it's unique and fresh is because nowadays, you will find solutions approaching or taking care of the network level or the application level, but you won’t find them defending the core itself, the crown jewel, the device itself.
Why? Because it’s a new domain, and people think that by protecting the peripheral area of the device, they are well-protected. But from the other end, we do see an increase or rise of attacks and events, not necessarily cyberattacks, occurring at the device level itself. So we are solving the problem of insider and supply-chain ability to conduct a cyberattack or event on the device itself. This is the problem that NanoLock is solving, by creating a platform that is able to monitor and control whoever wants to do critical changes to the device itself.
EE: That relates to something that we see here at Evaluation Engineering, the whole aspect of device telemetry, as it were. The way we see it expressed, is once upon a time, test and measurement and pinging the device to find out things about it was a task to be done at a discrete point in time, or as a discrete step.
Today, however, you’re designing in a software simulation environment, so you're literally testing in real-time there. You assemble your prototypes from modules that you've ordered from distributors in most cases, or you’re working closely with the distributor, and depending on if you're a Tier 1, you could be making 500 prototypes, which for a smaller company, could be their entire run.
So, when you’re talking about that level, those prototypes are already being manufactured in a Six-Sigma facility. By the time they actually go to full production, they are definitely being manufactured in an automated process under full observation. Also, today, modern devices are being monitored in the field, with over-the-air updates and the like. Since this constant awareness now exists with electronic devices, one could say that cybersecurity should be interwoven with the core fundamental infrastructures at every step of the process. What are your thoughts on that?
Laubshtein: Spot on. This is the reason that NanoLock is here, to protect against those kinds of potential attacks, coming from third parties, coming from the supply chain, or even coming from vendors maintaining or monitoring the device itself. We are providing a mechanism, a software-based solution, to protect the critical areas of the device from being manipulated or modified by an unauthorized system, machine, or human being, by locking down the critical area so that the configuration cannot be changed without permission.
I’m so glad that you mentioned that. This is exactly the reason that we believe that our approach is a bit different. Until recently, it was almost a forbidden word to say “prevent things” in the industrial or engineering world, but we came to understand that if we are there, and we know what the critical areas are, we can just block things from being changed or modified.
EE: You’re not saying that because you provide a software solution that you look at cybersecurity as a software-only situation, correct? I mean what are your thoughts on, for example, embedded code blocks, protected sectors on hardware-oriented solutions that work with the software?
Laubshtein: I do believe that we are not the only solution out there, but based on our experience, we know that we’re much easier to deploy, especially when it comes to legacy systems on existing devices. And it’s much easier to convince the different stakeholders—and I’m referring to the device makers, the operators of the process, or the system itself—to deploy a software-based solution than a hardware-based solution. Although we do think it’s equivalent when it comes to the level of protection, the process to deploy a hardware-based solution is much more exhausting and demanding than for a software-based solution.
EE: Code requires a lot of imagination, brains, intelligence, and skill, but then you throw in a wafer fab and you’ve added another level of complexity, so you have a point there. The problem is that there are a lot of designs being created that are going to be networked, and it could be something as simple as a modern cloud-enabled toothbrush. How do I ensure it’s secure?
Laubshtein: That’s a good example of how things are becoming more and more digital, and how the exposure of our daily life is being introduced to the world itself. We at NanoLock do think that, before addressing the functionality of private wearable digital things, like the toothbrush, or something like smart lighting, and so on, we should address more critical elements.
We are working closely with smart-meter manufacturers in order to prevent those devices from being modified by, again, third parties, unauthorized technicians, and so on. There were quite interesting examples in the last year when it comes to smart meters being attacked or modified unintentionally. But I do agree with you, the digital era that we are making right now, your smart toothbrush example shows how we should consider security in our daily operations.
EE: Now, let’s say I walk in your front door, hat in hand, saying I’ve got ideas for this device and all, how would you walk me through my development, what support do you provide an engineer to insert your IP into their solution?
Laubshtein: I think the most critical and fundamental thing is that we work alongside engineers. We totally understand and respect their kingdom, and we discussed it earlier about the different domains of kingdoms: the engineers, the cybersecurity people, and the management. We do understand the different constraints coming from each side, and we do know how to negotiate between the three kingdoms, or three domains.
So, first thing, I would sit together with the engineers and have a talk with them regarding what they care about the most. What are those critical elements that they want to secure and maintain at full functionality without being disturbed, regardless of what kind of credentials you have? This is the basic thing that we do. We sit with the engineering department, we sit with the management, and we try with them to understand what are the crucial elements in their process, in their daily operation, and what are the problems they’re having.
What are they facing? How can we support them and help them to solve it? How do we cover and protect those critical elements, and how can we help them to solve the problems they are facing? Our utmost agenda in NanoLock is to know and to hear the voice of the client, to hear the voice of the engineer itself, to learn what are the problems that they are facing, and to help them to solve them.
NanoLock is providing a pure software solution for different IoT devices, like smart meters, EV charging stations, and other industrial machines. We are easily deployed software, operating-system- and CPU-agnostic, without a huge consumption of CPU. We can be deployed on battery-operated devices as well. I believe that we are the only solution that can work on different operating systems, whether it’s Linux-based, Microsoft, an RTOS, or others. And I do believe that operators and engineers need to be introduced to device-level cyber-risk evaluation, starting from their own internal staff and ending with the supply chain. I think these are the final words that come to mind.