Dean Weber, CTO of Mocana, was kind enough to sit for an interview with Safety Detective’s Aviva Zacks. She found out how his company protects people’s IoT and IIoT devices.
Safety Detective: How did you get into cybersecurity?
Dean Weber: I’ve been in physical and logical (cyber) security for about 45 years, starting in electronics and branching out into computers, as computers became more prevalent throughout the Eighties and Nineties. Before we had a desktop computer, we had minis and super micros and mainframes with green screens, and all of them came with different forms and types of security. I’ve been interested in this since the first day I stuck my toe in the security water.
SD: What are some industries that use Mocana’s technology and why specifically those industries?
DW: Mocana builds a security platform for critical environments — DHS defines “16 critical infrastructure sectors” here in the US, and we’re in 15 of them. And this environment is largely replicated around the world. So, our target customers are large multinational industrial companies like ABB and Schneider. We also have a significant interest in the Telco (telecommunications) world, as the Telcos (e.g. AT&T, Deutsche Telekom, Verizon, etc.) are branching out into areas like last-mile connections, endpoint validation, and device security. Ultimately, anyone in the industrial world who has an embedded system, virtual machine (VM) system, or Linux system is a potential customer for us.
SD: How can Mocana help protect us against cyberattacks?
DW: Mocana is changing the security paradigm from the standard “detect and respond” (e.g. EDR – endpoint detection + response) to “protect and respond.” Protect means that you have explicit knowledge as to the trustworthiness of the platform, the device, the system, or the service, and you can convey that through a mechanism that is appropriately strong for the environment. And this is why standards like ISA/IEC 62443 exist in the industrial space because they encourage the organization to look at risk by device. Not all devices are created equal and not all device processes are created equal. If you’re going to protect, for example, the Infotainment system on an airliner used for public access, you want to make sure that it’s walled off from the airplane critical controls. That’s a different level of protection for what you do with the airline pilots’ systems that are protected by other controls including greater physical security. The same thing has to happen across a much broader swath of our industrial security environments, and personally I don’t think the IT industry has done a great job of demonstrating such efforts.
SD: Your company is involved with protecting people who have IoT devices. Can you talk a little bit about that?
DW: We are involved in protecting the internet of things for both IoT, which is very consumer-oriented, and IIoT, which is the industrial internet of things. Too often people are still not always making the connection that security is extremely relevant on their devices. So, the majority of our efforts are targeted at the industrial internet of things (IIoT), not the internet of things (IoT). However, the internet of things is certainly relevant and becoming more so on a daily basis as people are learning that their wearable, their consumable, their ingestible, and their implantable devices, etc. are all at risk at some level and need to be secured in some fashion.
SD: What do you feel is the number one threat in cybersecurity today?
DW: I would say the number one threat is the carbon-based life form. There are a lot of people who mean other people harm for various reasons but at the end of the day, most cybersecurity starts and ends with people. Let’s say you were using a platform that was vulnerable, but you elected to make a trade-off between security and convenience, going with something for convenience even though it was less secure, rather than something that was more secure but less convenient—these are all people problems that have nothing to do with the actual cybersecurity aspect of the device. So, the majority of the problem is in the human interface element. Even in the industrial space that’s the case because the industrial design manufacturers are looking at safety and resiliency. For many years in the IIoT space, safety and resiliency were the answer to everything, but now we need to put security front and center.
SD: What do you think is a good solution for that problem? How can we educate people?
DW: The biggest thing is applied knowledge. It’s knowing not to click on that suspicious link. It’s knowing that the CEO would not email you and ask you for a copy of yesterday’s financials. From a technology standpoint, we can certainly assist with a lot of that. We can make platforms much more secure, but somebody has to write the check to do that.
I do a little presentation with my Blackberry when I’m at speaking engagements where I hold up my Blackberry and say, “Who in the room’s got a Blackberry?” And usually, there are very few. And then the next question is, “Does anybody in the room think that their device is more secure than the Blackberry?” And usually, unless somebody is trying to make a point, I don’t get any answers. So, I remind them that what they’re doing is making exactly the trade-off I just talked about – they’re choosing convenience over security. If the Blackberry device is more secure than what they have in their hands, what is the reason that they bought what they had in their hands? And the answer is convenience, and that manifests itself not just in the consumer space but also in the industrial spaces. So, the idea is that you have to be willing to make the platforms and the network secure and that means writing the check for security.
SD: How do you feel that the cyberthreat landscape is going to be changing in the next few years?
DW: Well, I don’t think the threat is going to diminish. What generally happens is that a new threat, the latest “state of the art” hack if you like, is developed by state-sponsored (e.g. a sovereign state) actors. Those new threats are then deployed by peer nation (e.g. China vs. USA) states against one another. Then, generally, what happens next is that this new technical knowledge escapes the confined, controlled circles of the nation-state environments. It enters the public domain and immediately you have a trickledown effect, where the new threats are able to be used by more and more people—and as the knowledge spreads, the technical skill you need to deploy these new exploits becomes less and less.
Ultimately even the newest, most complex exploits end up in the hands of script kiddies that just replicate what others have done, where people can basically just press a button and have something bad happen. So, over time as the industry progresses, we continue to get larger and larger exploits. I think that it’s only going to get worse before we finally decide that enough is enough. And we make a stand to make things better, to make things safer, to make it as difficult as possible for new exploits to threaten us.