Demystifying OT and IoT Security and FPGAs: With Veridify
For many companies, connecting IT and OT networks can be a double-edged sword. Yes, doing so delivers greater visibility and makes it possible to better utilize platforms, buildings, industrial PLCs, and more. But it also increases complexity and blurs network boundaries—resulting in vulnerabilities that provide hackers with ample opportunities to strike.
In this podcast, we review how organizations deploy Field Programmable Gate Arrays (FPGAs) to maintain performance while shielding their increasingly connected devices and data from attacks. Specifically, we take a close-up look at how FPGAs can be updated in the field to protect devices at the edge, and examine how this custom hardware provides a solid platform for implementing the industry standards needed to securely authenticate, update, and share data across a network.
Our Guests: Intel and Veridify Security
Our guests this episode are Mark Frost, FPGA Security, Communications and Configuration Technical Marketing Manager at Intel; and Louis Parks, CEO at Veridify Security, a developer of security IP and tools.
Mark joined Intel in 2016 as a Product Marketing Manager. Previously, he was a Senior Field Application Engineer at Altera, which manufactures programmable logic devices.
Louis has been the CEO of Veridify for almost 19 years. Prior to that he was the President and CEO of Client Technologies.
Mark and Louis answer our questions about:
- (2:09) The challenge with OT security
- (4:59) Top trends and challenges in the security industry
- (6:18) How today’s security solutions need to evolve
- (10:24) What FPGAs are and why they are important
- (14:16) The state of organizations’ security strategies
- (19:26) FPGA support for industry recommendations
- (22:10) OT network security tools and technologies
- (25:18) Ongoing partnerships to address security issues
To learn more about OT security, read IoT and OT Security: Decreasing the Attack Surface. For the latest innovations from Veridify, follow them on Twitter at @Veridify and on LinkedIn.
Christina Cardoza: Hello and welcome to the IoT Chat, where we explore the latest developments in the Internet of Things. I’m your host, Christina Cardoza, Associate Editorial Director of insight.tech, and today we’ll be talking about OT and IoT security with Louis Parks from Veridify and Mark Frost from Intel®. But before we jump into our conversation, let’s get to know our guests a bit more. Mark, I’ll start with you. Please tell us more about yourself and what you do at Intel.
Mark Frost: Thank you, Christina. So, I work for Intel’s Programmable Solutions Group, which was previously Altera for those in the FPGA world. Prior to the role I’ve got now, I had a proper job as a design engineer for 15 or so years. And then the last five or so I’ve been doing some product-marketing roles, and my current role is to promote our security solutions into many markets around the world.
Christina Cardoza: Excited to dig more into the Intel Security Solutions, Mark, and for those of you who don’t know what FPGAs are yet, you’re going to find out. That’s going to relate into our OT and IoT security conversations. So we’ll get into that. But before we do, Louis, welcome to the podcast. Please tell us more about yourself and Veridify.
Louis Parks: So, I’m Louis Parks. I’m a Co-Founder of Veridify Security. Our focus is on securing very, very low-resource processors typically found at the edge of networks, IT, OT, IoT. And we’re an Intel partner and have worked for several years now in developing solutions for securing devices. And when we say security, our primary focus is on authentication and protecting data moving over these networks.
Christina Cardoza: Great. And you know, talking about your focus, I noticed that the company really has a lot of solutions based on operational technology. And today we’re talking about security and cybersecurity, and I feel like a lot of the conversations are around IT usually, so I’m curious to hear more about why Veridify focuses on OT. What brought you to this space, and what makes operational-technology security challenging or special?
Louis Parks: The short answer is OT, or operational-technology networks, have been around for decades, like IT networks. But typically these networks have been naturally air gapped, or disconnected from the outside world; they’re running buildings, industrial sites, etc. On the other side of the world, IT networks—which typically run our data, our sales systems, our HR, accounting, patient records, etc. —again, for decades have been around. But because of the value of the data perceived, always developed and done in a very secure fashion—firewalls, VPNs, malware detection. Very highly defined.
The problem is, or, should I say, the challenge that has come up is, that we all are looking to better utilize platforms, buildings, industrial PLCs, etc. So they’re now being connected to IT and OT networks for better visibility. I want to look at my building in Chicago from San Francisco or from New York. So what happens now is you’re connecting a very secure platform, your IT network, to a very insecure platform, your OT network. And that’s all a hacker really needs. You’re increasing the attack surface. So that is the challenge.
And the other challenge is—unlike IT, which is a very homogenous environment, and this is one of the issues in securing OT networks, so we have a Windows, a Linux, an Apple environment—in the building world, there are many different protocols that can be brought to bear—Modbus, PROFIBUS, BACnet, on it goes—by different vendors. So in a single building you could have multiple operating systems, no operating system, etc. And also working on 32-bit or smaller devices that have little or no room for security and yet are gateways into the system now.
So these are the challenges in why suddenly this has become an issue, and I will actually add and not stage, two and a half, or a little over two and a half years ago, the IoT division, one of the sister divisions to Mark’s group, came to us and said this was an issue and thought we had a platform—we’ll talk about it a little bit more later—that could solve this issue. And that’s how we got to OT networks.
Christina Cardoza: Yeah, absolutely. And hearing some of the challenges you just mentioned, I can see why there’s been an ongoing trend to converge the OT and IT worlds together. But before we get into more of those complexities, I want to take a step back a little bit. Mark, if you will, help us set the stage of the security landscape today. What are the trends and challenges you see on your side when it relates to OT network, cybersecurity, and security in general?
Mark Frost: I guess one of the nice things about working within Intel is we get a global view and we get to see customers and partners and what they’re working on, which is the really exciting thing about the job actually. You get to see all the cool stuff that people are working on. And it is clear that there’s been such a rapid expansion of connected devices. And, as Louis says, we’re seeing OT and IT networks’ boundaries are blurring, and I think many people have just not really considered the implications of this, the security implications—these older networks connected to these newer networks. “Oh, it seems to be working; it’s okay.” And many people are getting away with it, I think, absolutely.
But with the increase of connected devices I think the attack surface, as Louis says, just increases, and we’re seeing more and more and more of these cyberattacks going on today. So it’s something that people need to be paying attention to now.
Christina Cardoza: Absolutely. And there are so many different security, cybersecurity solutions out there, and Louis, like you’re mentioning, some of them are now connecting to the OT world, which isn’t as secure. Or some of them have been more focused in IT. So I’m wondering if you can expand a little bit about the current solutions available out there today. How do they need to evolve, or why do they fall short when it comes to OT?
Louis Parks: Sure. I want to start with a disclaimer that anything you’re doing to secure your network, OT or IT, is a good thing. So this is not meant to be either an evaluation or a ranking, but rather just the challenges, really, of how we are currently, or at least to date have approached OT security. And as I gave in my introduction the overview, IT security—pretty mature market space. So, guess what? A lot of the OT cybersecurity solutions we see come from the IT market space.
But what are the problems? So, first of all, at a very high level you could have really two different goals. In the IT space, the goal of your cybersecurity is to protect your data and keep the devices on the system, your devices. In the OT world it might be more to keep things functioning. Think of a hospital, think of a utility operating in an OT world, and it could be safety. So the goals could be different. And right there you begin to have this divergence of what the IT products that are entering the OT space do, versus maybe what the OT world needs.
So, the typical tools we see, first of all, are primarily network based. So, these are tools that have been developed for monitoring a network. Because in the IT world it’s pretty important that an IT director or CISO knows if you brought a device from home and plugged it into the network. Big no-no in a lot of operations. In the OT world they’re not really thinking about people bringing thermostats from home and plugging them in. However, you have other issues in the OT world in terms of protecting the data. And in the IT world the tools now being used typically, then, give you visibility—a good thing still. They give you monitoring.
And monitoring typically is looking for anomalies, and there’s a couple of different technologies brought to bear from the IT world. Again, I’m looking for data anomalies. That data packet doesn’t look right; we don’t recognize that IP address—there could be a variety of things. Some of these systems even now use AI and they learn, which is really great. The problem with that is, as you’ll see in some of the demonstrations, it could take 30, 60, 90 days to get to a suitable level of learning to actually protect. And, again, learning means you’re never fully covered.
Finally in the end, if you do learn of an attack—and this is just, again, the reality of the world that we operate in—in the IT world you have network people, IT people, sitting there ready to respond. In the OT world you may be calling a plant or building manager and saying, “Hey, on the 23rd floor we see unidentified data traffic on your HVAC system.” Not really actionable by them.
So, again, the tools that are suitable and now being used and providing monitoring, detection, and alerts I would keep, but it’s not protecting the data. Nobody would think of transmitting open text on an IT network—patient data, credit card data. And it’s not stopping attacks. And so that’s what we see as the tools that are there, and the issues of the cybersecurity to date.
Christina Cardoza: Yeah, those are some great concerns and issues you bring up. And I think when it comes to security, everybody knows that it’s important to secure your systems and your assets, but not everybody knows exactly how to, or what it all entails. And I want to go back to something Mark brought up in his introduction, which is this: the idea of FPGAs, which is, I think, an important aspect when it comes to all these devices being connected, and IoT and OT security.
So, Mark, I would love if you could explain a little bit more about what FPGAs are, and the role that it plays in addressing some of these issues and challenges that Louis has mentioned.
Mark Frost: Okay. Well, I’ll try. So, we’ve had FPGA technology around for, I don’t know, 30-plus years, and it stands for Field-Programmable Gate Array. So, it’s a bit of custom hardware that you can program and set up in certain ways. We see use cases often in very high-speed applications where people have got super high-speed data they want to process, or in applications where you need very low latency or some high determinism. Often a lot of industrial applications will have those particular requirements.
Also, FPGA is really good if you have custom IO. So, for example, you want to interface to, I don’t know, this MRI machine over here and this motor drive over there—you can’t buy something off the shelf to do that. You need some custom hardware to do that kind of interfacing application. And that’s where FPGAs really shine.
And we see them all across all the applications, but particularly in the industrial space. We see them in—Louis mentioned PLCs, motor drives, networking solutions, all the Modbus TCP—all that kind of stuff, will often have FPGAs supporting that. And we’ve tried to think about how the FPGA can be suitable in this application.
So, some of our solutions will have an industrial bent to them. We’ll think about things like functional-safety applications, and also things like longevity. OT networks are often installed for—designed and to install for—20 years. We’ve got some customers still buying devices 25 years later; they’ve been in production for 25 years with the same things, and they want to know that their product is safe and secure for that thing. And the nice thing about the FPGA is that you can update it in the field. So should some security hole be found, you can update that in the FPGA as well. So they’re really nice for industrial applications.
Louis Parks: That’s a great point, Mark, that you make, is the legacy devices and length of time in the field. We’re looking at public sector projects with Intel, to his point, that are out there for decades. On the IT side: patch, firmware updates—weekly events. In the OT world, in some cases nonexistent. So the ability to move the processing to the edge with an FPGA is huge, which is one of the reasons why we focus on them, the ability to update.
So we are doing what we call legacy protocols now, NIST-approved protocols for protecting devices at the edge. But in the next few years we’re going to move those to what we call future-proof protocols for an issue around quantum computers to make sure we continue to provide protection to these things that get protected, get installed, for decades. And that was a great point, Mark, and that’s one of the powers of an Intel FPGA, is we don’t have to guess at everything today and just hope we’re good for the next 10, 15 years. We can address it.
Mark Frost: Yeah, a hundred percent on the postquantum stuff. So, you know, things like AES-256 looks to be postquantum okay, we think. But things like some of the public/private key signature schemes, like elliptic curves—we know that that needs updating for postquantum. And so devices we’re designing today have to think about that. Can they be patched or updated in 10 years’ time when we know where we are with the postquantum standards? So, yeah, totally important.
Christina Cardoza: So, given that some industries or organizations may be dealing with this legacy equipment and legacy technology, I’m just wondering what the security strategies or practices look like to you guys out there for organizations, given that FPGAs are also, like, 30-plus-year technology. Are you finding that organizations really have a strong security strategy? Or is this something that we’re still trying to figure out? Mark, I’ll start with you on that one.
Mark Frost: Yeah, it’s kind of mixed. I think we have some people who I’ve seen have taken it, have gone to town, and they have really big security teams who look at this in great depth. And we have other customers who are really small teams of people. Maybe they just have one engineer who has got to do everything, and they just don’t have the time to really focus on security. It’s really hard for them.
So, how do we make it easier for those guys to start implementing some basic security features? And I looked at some—this is a bit UK specific—but I looked at some kind of UK government stats, and there was a cost of cybercrime in 2019 of something like £27 billion, or $27 billion, something like that, in that year. And it’s not so much the number, but it’s where you see the high points in the data. So the two high points in the data are IP theft, i.e., people’s designs being stolen—and we’ve actually seen some customers recently who turned up at a factory and seen their design implemented when they hadn’t sold that design to somebody. So somebody had cloned their complete machine with their FPGA design and everything inside it. So they were quite shocked. So, that is a growing threat.
And the other one is what we call espionage, I guess, where people have maliciously put something into the firmware to make it do something unintended, or tried to steal the firmware, or do something that’s going to upset the system in some way. So the security strategy is a big thing.
FPGA guys have tended to rely on this security-through-obscurity security concept in the past. FPGA is quite a niche product. We don’t need to worry too much about it. There’s no real published data out there about how, say, for example, the devices get configured properly—no one really knows about it. But actually there’s been a massive growth in FPGAs recently; it’s been exponential. And we’re finding the devices are now found everywhere. It’s no longer a niche kind of product, and guys using these FPGA devices now need to really start considering their security policies.
Louis Parks: That’s great. I would—so, as an Intel partner and FPGA user, I would take upon that and Mark’s answer, and just sort of extend it a bit further. So, when we look at our people looking to address it, they are. So, the first hurdle or issue we see is the two entities you’re typically dealing with—the, again, the building or plant manager who may be responsible for that system who does not have the security background for protecting data that the ITs have, the IT side may have, and the IT side may not see it as their purview to protect the HVAC system, for example. So you have issues there, but people are aware of this.
The problem is just starting and extending that sort of split in who you’re talking to and the different people you need to satisfy. Then you go to, well, how do you satisfy it? So you have standards for industrial and industrial controls that could be applied for security purposes, and then you have guidance from entities like NIST. But how they get applied, and, again, the old joke: once you have more than one standard, you have no standard. So there is some work in the field to do this, but, again, it’s really left to these organizations to figure out what do they do, and how do they protect their systems and platforms? That becomes a challenge.
So, one of the things that we look to do in helping answer that and, again, network segmentation—which is a common response from these network tools—works in the IT world: I’ve got a bad data situation on a server here; I can isolate it till I go and either replace the server, or move the operations over. If it’s operating a portion of a hospital, I may not be able to isolate it the same way. So our focus has been to take things like an Intel FPGA and provide security at the edge and protect the devices. So that’s been the role that we’ve given.
So, we’re not replacing any of the security somebody may have already invested in, we’re not replacing any of these observational or monitoring-only solutions. But we are trying to give a proactive solution that doesn’t require the replacement of installed technology, where an Intel FPGA running our technology can be placed in front of a device as a gateway and act as a security gateway, providing all of the authentication and data encryption you’d expect on an IT network, but running it almost like a VPN over an OT network. So that takes away some of the hurdles in arriving at: so, we know we have a problem; what are we going to do? Because, again, there are many answers, none of them necessarily wrong, but there can be some paralysis as a result.
Christina Cardoza: Absolutely. And, given the industry and industrial standards that you mentioned are out there, Mark, I’m wondering how Intel FPGAs help support those industry recommendations or support IoT security efforts?
Mark Frost: I guess our main task here is as an enabler. So, you know, our devices are designed for many markets. We’re trying to be a jack-of-all-trades across all these different vertical markets. But we do consider industrial, particularly, as a very important marketplace. For us, it’s a very long-term stable market that we have a lot of customers in. So we try and think about basic device features that will support security, that then guys like Louis and the team can plug into.
So we rely really heavily on partners like Veridify, who do this stuff day in and day out, to offer the solution to the customer. If we can just build that foundational base, those guys then go and build upon that. But we have to do the right thing in the foundational base. We have to have the right hooks into the device. We have to be doing things like, for example, thinking about functional safety-data packages. We have to be thinking about specific silicon features, real-time processing, and all this kind of other stuff that the guys at Veridify can then build upon.
Christina Cardoza: Is there anything you wanted to add, Louis, to that?
Louis Parks: Sure. Only I was going to say that Intel, and in particular why we look to FPGAs for certain parts of our solution, is because there is a focus on security and securing firmware data—things running on the FPGA—where then we extend that by, how does that device interact with devices around it, which is our focus; the communication between devices, which in essence, creates what we often think of the IoT. But in any of these networks, it’s device-to-device communication. So we look for those critical foundational blocks, because, again, any corner where you don’t have protection the bad guys will find that corner of the neighborhood and enter. So it’s critical that we pick a solid platform to then implement industry standards for authenticating, securely updating, and sharing data across the network.
Christina Cardoza: Great. And talking about platforms, we’ve mentioned a couple of best practices—being more aware of the OT security side of things, connecting OT and IT together—as well as just things that you should keep top in mind in your security strategies. So I’m wondering, now, how can organizations actually be successful at this? What are the tools and the technologies out there that are helping address OT networks, especially ones connected to IT and IoT networks? Louis, if you want to start with that.
Louis Parks: Sure. So, being the level, even-handed response, there are a range of tools out there, again, for monitoring, from a variety of companies that will give you the ability to look at your network and see what’s happening. So, again, if you’re using those, they’re good. A network-level strategy will give you some capability.
Some of the protocols out there in the industrial world are trying to add, or do add security. I will comment that some of them are difficult to implement because they don’t see implementation or management of those things as being their priority. If they can put an encryption or authentication protocol in the device they in some cases perceive their job as done. And then when you go to the field and you have that integrator who knows how to put things on the wall, wire things up, and may even know about things like Wireshark to look at the network, are not people who can key, provision, handle data certificates, go to third parties—all the things that might be required to provision correctly a security solution.
Again, our focus is device level. What we’ve done with Intel is we’ve basically packaged cybersecurity in a box. So when you take one of our edge devices and plug it in, it auto-onboards. We’ve done a zero-touch process, recognizing that IT and cyber skills are at a limited availability, particularly in the field or at the edge. So, with Intel as a partner, that has been our focus. And I think there could be—and I say this knowing that we monitor the market pretty closely—there aren’t a lot, if any, other device level, but one should keep looking for them, not that they won’t appear. And there are things that you could do right now. Like, do you have a backup of your OT network? Nobody would ever think of not having an IT-network backup, but is your building system, is your plant-factory system, backed up? Do you have current network mappings of it?
So, there are some noncost things you can do today to just start thinking about. So, where are my risks? And even understanding, what would be the risk if somebody entered this part of my network? Is that critical or not? Can they get to a critical IT server, or could they stop a critical operation in my building or facility? So, an evaluation. There are some things in terms of the risk evaluation that don’t involve buying anything that people should think about doing now, if they haven’t already done it, to make themselves safer going forward.
Christina Cardoza: Absolutely. And you mentioned a couple of times how the company is an Intel partner, and how you’re working with Intel, using Intel FPGAs. I should mention that the IoT Chat and insight.tech as a whole are sponsored by Intel. But I’m curious—the value of that relationship and partnership. Why are you working with Intel on FPGAs and IoT security, and how you guys continue to work with each other to address some of these issues and challenges?
Louis Parks: Well for us—so, we have a lot of expertise. My partners are mathematician cryptographers—so, some of the world-leading people, which is all great. So we bring that, plus engineering, in our labs for how we apply it to physical devices. But there’s no substitution for the reach and the depth of the Intel team. Both, as I’ve mentioned already, from Mark’s group, PSG, the Programmable Solutions Group; and the IoT group, who we work with. They not only bring us to opportunities and sectors, but more importantly expose us to the challenges, expose us to the issues that we then have to address.
Our product DOME, which I’ve been talking about indirectly—I’ll give it a name here—came into being because Intel came to us and said there is a challenge in how you manage devices at the edge of a network. And our design started with: well, not all these devices talk to the cloud. In the real world a lot of solutions always go, “Well, you power it up and it goes to the cloud.” A lot of devices deep in a building or an industrial network never talk to the cloud, but they still need to be secured and managed.
So, again, with the support of Intel in developing protocols, in developing solutions, and helping us bring it and pilot them in the market space—invaluable. So that when somebody then sees our solutions—and two of them are listed on what Intel calls RRKs, and these are RFP-ready kits—so these are solutions that are tested and done. So, a lot of the vetting that would not be available to the industrial or building manager still wanting security has, in essence, been done by Intel. So not only have they given us the resources and some of the direction, but they’ve then vetted the solution on behalf of the end customer. So, really, irreplaceable as a partner. Thank you, Mark.
Mark Frost: You’re welcome. And, you know, we rely totally on partners like Veridify to—our primary aim really is to—is to sell silicon. And we can’t do that without some kind of really cool solutions that appeal to the marketplace. That’s what drives the silicon sales; it’s the partner solutions. So we do what we can to try and help extend the reach of the Veridify guys into these global markets through our sales networks and our channel networks. But it’s the work of these guys and their solution—it’s the most exciting part, really.
Christina Cardoza: It’s great hearing how companies are getting together to solve real-world challenges. And I hope everybody listening to this podcast is thinking about their OT network security, and leaving this conversation going to make sure that they have everything secure.
It’s been a great conversation with both of you. Unfortunately we are running out of time, but before we go I just want to throw it back to each of you. Any final thoughts or key takeaways you want to leave our listeners with today? Louis, I’ll start with you.
Louis Parks: Sure. I think everybody should be thinking about security. Unfortunately, the world we live in today, the security threats are not only potential within your organization, within your city, town, state, but could be from outside the country, unfortunately, as we’ve all been learning. So everybody should be thinking about the role they play. I think that you should look for solutions and understand not only what they can do for you—and you do not need to be a cybersecurity expert to have it explained to you—but then understand your ability to use them and manage them, and what it will take. So you should see, arguably, a demonstration or something for your environment to make sure that they will actually deliver value. And no one solution is going to do it all. So even when you’re successful, please keep working, keep looking; this is an ongoing process.
Mark Frost: Yeah. And to follow up on that, really, don’t ignore security stuff. Many of the most high-profile security breaches we’ve seen over the past are quite innocuous at the start, and still many people are thinking, “Oh it doesn’t—it’s not going to happen to me.” But, you know, these things could happen. So do think about it.
Our new devices, particularly our new family of FPGAs, have got some really cool security features in them. And if you can just start thinking about things like, as simple as authenticating and encrypting the configuration data for your FPGA—those two are very simple things to do, but it makes a huge difference on the security of your implementation with FPGA. So go take a look at our website, look at Intel FPGA security. There’s a load of cool new stuff going up on there, and we’re here to help.
Christina Cardoza: Well, with that, I just want to thank you both again for joining the podcast, and for the insightful conversation. And thanks to our listeners for tuning in. If you liked this episode, please like, subscribe, rate, review, all of the above, on your favorite streaming platform. Until next time, this has been the IoT Chat.
This transcript was edited by Erin Noble, copy editor.
The preceding transcript is provided to ensure accessibility and is intended to accurately capture an informal conversation. The transcript may contain improper uses of trademarked terms and as such should not be used for any other purposes. For more information, please see the Intel® trademark information.