 from our studios in the heart of Silicon Valley, Palo Alto, California. This is a CUBE Conversation. Hello everyone, welcome to the Palo Alto Studios of theCUBE. I'm John Furrier, host of theCUBE. We're here with a special power panel on industrial IoT, also known as IIOT, Industrial IoT, and cybersecurity, with the theme being apocalypse now or later. When will the rug be pulled out from everyone? When do people have to make a move on making sure that the network and security are all teed up and all locked down? As IOT increases the surface area of networks, industrial IoT, where critical equipment or infrastructure is being run for businesses. Got a great panel here we got Gabe Lowy, who's the founder and CEO of Tectonic Advisors and author of an upcoming research paper on this particular topic, Brian Skeen, Vice President of Product Development at Tempered Networks and Greg Ness, the CMO, who happen to be available to join us from Tempered Networks as well. Guys, thanks for spending the time to come on this power panel. Great to be here. So, convergence is a theme we've heard every wave of innovation, the convergence of this, convergence of networks and apps. Now more than ever, there's a confluence of multiple ways of convergence happening. You're seeing it right now, infrastructure turned into cloud, big data turned into machine learning and AI. 
You've got future infrastructure like blockchain around the corner, but in the middle of all this is security, data, networking, this is kind of the beginning of a cloud 2.0 dynamic where pure cloud is great for computed networking native born in the cloud, you scale it up, it's great, still got challenges, but if you're a large company and you want to actually operate cloud scale, anything and have instrumentation, internet of things, devices, sensors, in factories, in plants, in cars, the game is changing, it's connected to the network, it's got power and connectivity, a terrorist, a hacker, a digital terrorist can come in and do all kinds of damage, this is the topic. So, Greg, we talked about this panel, what's the motivation for this? What's your thoughts? Well, it occurred to us that as you look at all the connectivity that's underway, right? Billions of devices being connected. The level of scale complexity and the porosity of what's being connected is just really incomprehensible to the people that develop the internet and it's raising a lot of issues. All around basically the number of devices, the inability to protect and secure and update those devices and the sheer amount of money and effort that would have to be applied to protect them is beyond the scope of current IT security staff. So, Gabe, I want to- IT is not rich. Certainly, you and I talk to us all the time, but I love the hype and digital transformation. It's going to save the world. Gabe, talk about the dynamics because the title of this panel, really the subtitle is Apocalypse Now or Later. And this seems to be the modus operandi is that you know what has to hit the fan before any action is taken. You see Capital One, there isn't a day going by where there's some major breach, major hack, it's a firewall for Capital One, going to an open S3 bucket from some girl who's bragging about it on Twitter. It wasn't really a serious hacker.
Then you got adversaries that are organized, whether it's state-sponsored and or real money-making underbelly activities happening. You know, there are digital terrorists out there. There are digital thieves. The surface area with IoT has absolutely opened up. We kind of know that. But industrial IoT, tell them about industrial equipment, industrial activities, whether it's critical infrastructure or plant and equipment for companies. This is a huge digital problem. What's your take? What's your thesis? Yes, it is. And building on what Greg said, there's an interesting gap from both sides. The first is that this industrial equipment or critical infrastructure, some of it goes back 20, 25 years. It was not architected to be connected to the internet, but yet with this digital transformation that you alluded to, companies want to find ways of getting that data, putting it into various analytics engines to improve cost efficiencies or decision outcomes. But how do you do that with a lot of equipment out there that runs on different operating systems and really was not built for internet connections? The other side of the gap is that traditional IT security technologies, firewalls, intrusion protection, VPNs, they in turn were not built or architected to secure this IIoT infrastructure. And that gap creates the vulnerability that opens the door for cyber criminals to come in or state sponsored cyber attackers to come in and do some serious damage. Brian, I want you to weigh in here. You're a network guy. You've been around the block. You've seen the networks evolve. The primitives are clear. The building blocks internet where the DNS ran, most of it, most of the internet right now, whether you're talking about from a marketing to routing is all DNS based as IP addresses as well under that. So you've got the IP address, you've got DNS. What else is there? What can be done? Why isn't these problems being solved by traditional firewalls and traditional players out there? 
Is it just the limitation of the infrastructure or is there just more cultural DNA? You could evolve. What's your take on this? Yeah, the way I think about this is that the internet that we know and we use has mostly been built for human beings. I mean, it's been built for humans to use it. Humans have discriminating tastes. They decide what to click on. For the most part, they are skeptical. They learn through trial and error, what happens if they visit something when people try to fool other people or machines or, you know, you've got a web page and it's got something misleading. You learn that, you don't click on that anymore. And the infrastructure we have today is built to help people avoid these problems as well as drop packets when they can detect that something is just absolutely wrong. But machines, they don't know any of that. They're not discriminating. They've been built to, if they're gonna be on a network, to trust everything that's talking to them and to send data and assume that the other side is also trusting them and just acting on the data. So it's just a fundamentally different problem and, you know, what traditionally those machine networks have had air gap. They've been air gapped away from any other kind of data or potential threat. And those air gaps are gone. So air gaps were supposed to save us, but they're not, are they? Well, they kept us going for, as Gabe alluded to, 20, 25 years, those machines have been operating, operating critical infrastructure, but, you know, with the digitalization, with the opportunities to look at that data in the cloud and do machine learning. And by the way, machine learning is not being done in the cloud, just for scale. So the problem of getting the data from the machine or the thing up into the cloud is a huge issue. And if there was an air gap between, say, a cloud and the thing, we might, we might be somewhere. 
So a lot of incompatible architecture is relative to what everyone's doing with cloud and, say, hybrid or multi-cloud. Gabe, you know, the two worlds of information technology are IT people and operational technology people that tend to run the IoT world. You know, you hear sensors, you know, factory floors to whatever called OT people, operational technologies. I've always said that's a trainwreck between those two cultures. I mean, they all, they kind of don't like each other, right? Like you got IT guys, they're stacking and racking equipment, OT guys stay out of my world. I run proprietary stacks, it's locked down, pretty locked down from a security standpoint. IT pretty promiscuous just in the nature of it. As those two worlds collide, is that the thesis of the catastrophe model? Is you seeing that world coming together? What's your thoughts on this? That, yes, good question. That world has to come together. And I'll give you an analogy to this. About 10, 12 years ago, a lot of people were doubtful that DevOps would ever take off because development guys really didn't like operations guys that didn't like dealing with them. Here we are 10 years or so later and everyone's pretty much adopted it and they're seeing the benefits of it. This OT IT convergence takes it to a much higher level because the stakes are so much higher because the cyber attack can cause catastrophic damage. And as a result, these two teams are not only gonna have to work together in harmony, but they're gonna have to learn each other's stacks. In the case of the OT guys, it's your traditional OSI networking stack for IT networks. And for the IT guys, they're gonna have to learn the Purdue model, which is the model that's principally used in architecting these OT systems. And unless these two teams do work together, the vulnerabilities and probabilities for a catastrophic event increase significantly. That's a great example. DevOps was poo pooed on early on. 
I mean, Greg, we were back in 2008 riffing on this. Now it's the mainstream, agility's come from it, the lean startup, all kinds of cool things people are talking about. We love cloud, great. Now when you bring the OT world together and IT world together, Gabe, what is the benefit? What's the key ethos around operating technology and IT guys coming in? DevOps was simply abstract away the complexity. So developers don't have to do configuration and management for all that provisioning stuff and still have the reliability. They call the infrastructure as code. So DevOps was infrastructure as code. What's the ethos of the two worlds coming together on IT and OT? I think the ethos is at a very high level. It's risk management because the stakes are so high that the types of losses that can be incurred, you mentioned Capital One at the top of the program, yes, those are financial losses, but imagine if the losses resulted in thousands or tens of thousands of people getting infected or perhaps dying. So the need for these two teams to work together is absolutely critical. And so I'd say the key strategic approach to this, both from the IT and the OT side is to go into strategy or cyber strategy with the premise that the company has already been compromised. And so that starts to get your thinking away from legacy types of technologies that were not architected to prevent these new threats or defend against them. And now these teams have to start working together from a totally different standpoint to try and prevent the risks of those catastrophic losses. Greg, I want to get your thoughts. You've been in the IT business for a long time. You've been a major player in it, historian as well as us in IT. What do you see this contrast between the two cultures of IT and OT because you got to lock down these networks. You got to have the team work between the two because the surface area with IoT and industrial IoT is so massive.
It's so complicated yet it's an opportunity at the same time it's an exposure. I mean, just people working at home in IT. I mean, the home is a great place to target people because all you got to do is get that light bulb from Nest and you're at a fully threaded processor. You can go malware and get all the passwords and the person working at home. So again, from home to industrial, does IT even have the chops to get there? Not the way they're architected today around the TCP/IP stack and that's the challenge, right? So from the 90s to this era, whether it's the mainframes, to the networks, to the internet, to the enterprise web, et cetera. Compared to this, we've had relatively incremental change. As surprising as that sounds, devices being added and every year, every other year, every three years, people are upgrading those end points or adding more sophisticated security. But this world that you referred to, right? The worlds in collision was not evolving at all in parallel. So you've got devices with no security in mind they're being connected. And calling it the industrial internet of things almost underwhelms what the risk is. It should be the internet of places or spaces because with these devices come control, control of the factory, the hospital, et cetera. And you think back, yes, we've got a historical perspective. You don't have to go back very far when the Russians were attacking Ukraine, WannaCry, NotPetya. They spread all over the place in a matter of weeks. UK hospitals were running on carbon paper postponing procedures. Maersk shipping had their shipping, they lost control of their ships at sea. And now we've got VxWorks coming along saying, up you're going to have to update that because there's some serious vulnerabilities here. VxWorks is deployed across billions of devices. So I don't think historically there's really a precedent.
I mean, look, if you want to tap into our common interest of military history, we don't even have the semblance of a Maginot Line here. And that was a pretty imperfect protection scheme. I mean, the opportunity to infect governments, take them down with misinformation to actually harming people, say through hospital hacks, for instance, you know, people could, lives are a danger. And there's also other threats. I mean, you mentioned, you know, places, devices. It takes one device to be penetrated at home or at work. I saw an article came across my desk. I saw IBM did some research, this concept of warshipping, where hackers ship their exploits directly on Wi-Fi devices. So people, you know, get these devices, hey, free, you know, Nest light bulb or whatever's going on. They install in their home. Oh, it's got, I got free Wi-Fi router. Uh-uh, it's got built-in malware. It's just got Wi-Fi connectivity. So again, the exploits are getting more complicated. Brian, the network has to be smart. At the end of the day, this cloud 2.0 theme is beyond compute and storage. Networking and security are two underdeveloped areas that need to evolve very quickly to solve these problems. What's your take on this? Well, my take on that is that our approach is that the network has to be so smart that it can watch everything and understand what's good and bad, then we're doomed. So we're gonna need to also combine watching packets, the traditional methods, the packet inspection with divide and conquer. Frankly, it's the comment I said before that the air gap is gone for OT. I think we need to figure out a way to divide up these networks of things and give them clean networks if possible and try to segment them away from the networks that the rest of the things are on. So, we don't have enough computing power, we don't have enough memory and resources, but that's not really just it. We just don't understand what is good traffic versus bad traffic.
I mean, we talk about day zero attacks and we talk about trying to chase that down with signatures and you can inspect things, you can watch transactions. People say AI, there's machine learning, but machine learning means learning good and bad from people. How do companies fix this? What's the answer to all of this? Or is there one? Or it's just gonna take catastrophic loss to wake people up. Well, we can't react to the problem. That's one thing that we all can probably, we all know that if we wait for this catastrophe and then we try to react to that and solve it, that it's already gone, it's too late. I mean, this is a geometric expansion in complexity of the problem. I don't think there's a silver bullet. I think that there's going to be several things that need to be done. One is keep inspecting the traffic, but another one is again segmenting things that should be talking to each other away from things that they should not be talking to and trying to control the peers in the network for things. And you know, I don't know, Greg, something you said reminded me fundamentally with networking, with TCP/IP, we're using the IP address to mean the location. Greg was talking about places. We're talking about the location of something and the identity of that thing. And most of our security policies are spelled out in terms of something, an IP address, that is not under our control. I mean, the network has become so complex as it has grown with NAT, proxies, you know, motion, mobility, things are moving. A lot of this was interesting. So Gabe and Greg, so do we have to build new software, a new naming system? Do we have to kind of level up and put an abstraction layer on top of the existing systems? What's the answer?
The answer is a layered approach because to try and do a complete rebuild or retrofit, particularly with different operating systems, different versions, incompatible systems, billions of devices and various types of security solutions that were not built for this, that's not a practical solution. So you've really got to go with an overlay strategy. People are always going to be the vulnerability. They'll fall for phishing attacks. That's why the strategy is that we're already compromised. So if the attacker is already in our network, how do we contain them from doing serious damage? So one strategy for this is micro-segmentation, which is a much more granular approach to prevent that lateral movement once the attacker is inside the network. And then when you go from there, you can pair that with Host Identity Protocol, which has been around for a while, but that was architected specifically to address the networking and security requirements for IIoT environments, because it addresses that gap that we were talking about between traditional security solutions that lack this functionality, and it only allows whitelisted communications between hosts or devices that are already approved and only approved to communicate with one another. So you can effectively do a lockdown even if the attacker is already inside your network. I want to get back to some of the criteria on this, and I want to also put a plug in for the Tectonic Advisors report that's coming out that you're the author of. It's called Securing Critical Infrastructure Against Cyber Attacks. I read it with a great paper. It was a line that I read and I want to get your thoughts. I'm going to read it out loud. I'd love to get your thoughts on this Gabe or anyone else who wants to chime in. It says, industrial IIoT cybersecurity is beyond the scope of traditional firewall and VPN solutions which struggle to keep up with the scale and variety of modern attacks. What do you mean by that?
Give an example, describe, tell me what you mean by that sentence, and what examples can you give? Well, I'd say the most important thing is that firewalls were initially built to protect what we call North-South traffic. In other words, traffic that's coming in from the internet to the organization and back. But now with network expansion, cloud adoption, and more and more devices, industrial devices being connected, these firewalls cannot defend against that. They simply were not architected for it. They cannot scale to those proportions. And even if you're using software-only versions, those aren't effective either because they do not protect against East-West or in other words, lateral traffic. So if you're an organization moving IIoT data from your OT systems across your network into IP analytics systems or software, that's lateral movement. Your firewall is traditional firewall, just not gonna be able to handle that and protect against it. So in simple terms, we need a new overlay, not to say that firewalls are going away anytime soon, they can still protect North-South traffic, but we need a new type of overlay that can protect this type of traffic. Microsegmentation is a strategy to do that and using host identity protocol or HIP protocol is what fills that gap that the traditional security tools were not designed to protect against. Greg, I want you to weigh in on this because you're in this business now, but you know the IT world. The criticality of what he just said is super critical to the nature of business, the catastrophic example is there, but IT does not move that fast. You know IT, IT is like molasses. I mean, they move slow. What is going to light a fire under IT to get them to be sensitive? I mean, obviously it's pretty obvious. Can they get there? Do they have to restructure? What has to happen in the IT world? Because it is a catastrophic end game here if they don't nail down this traffic protection. 
Well, part of it is education because we've seen wave and wave of incremental innovation in the network. And when it happened, it seemed so big and it was such a big, it produced huge market cap growth with a lot of companies play this guessing game of who is really connecting to the network. And it's evolved kind of gradually relative to this big leap we have ahead of us. And IT is going to have to become aware that IIoT is a fundamentally different problem and challenge to solve. And it's going to require new thinking, new purpose-built, like Gabe said, approaches. Anything like the traditional firewall segmentation is just not going to address what we talked about, right? The scale issues, the resilience, right? So some of these devices, you don't want them off for one or 2% of the time. And the implications of them, it's much more serious. So I think that more types of attacks are inevitable and they're going to be even more catastrophic. And you were all aware that NotPetya and WannaCry raised a lot of eyebrows just for how quick it spread and the damage it caused. And we've just seen VxWorks vulnerabilities being announced. So it's a matter of time. Worms are still popular, we need to prepare now. Malware worms. What's that? Malware and worms are still popular, it's a problem. Well, guys, thanks so much for spending the time in this panel. I'll give you the final word here, you guys. Share what you think is going to happen over the next 24 months, 12 months. Is it going to take catastrophic failure? What's going to happen in your mind? What's going to end up being the trajectory of the next, you know, say year? Well, unfortunately, sometimes it might take a catastrophic event to get things moving, hopefully not. But I think there's growing recognition as IIOT is growing that they need new ways to secure this movement of data between OT and IT.
And in order to facilitate that securing of data, you're going to have to have that OT and IT convergence occur because the risk, as you sort of alluded to earlier, John, we hear in the headlines about massive data breaches and all this data that's stolen. But the risk in IIOT is not only the exfiltration of the data, the risk is that the attacker has the capacity to take over the infrastructure. And if that happens in a hospital, if it happens with a water treatment facility or a government type of defense installation, the outcomes can be disastrous. So the first thing that has to happen is OT, IT convergence. Second, they have to start thinking strategically from a standpoint that they have already been breached. And so that changes their viewpoint about the technologies that they have to deploy and where they have to move to, to efficiently get to what I call the "-ilities". And that's the, you still need the availability. You've got to have visibility into this traffic. You need reliability of this network. Obviously, it's got to be at scale. It's got to be manageable and you need security. Well, we'd like to have you on again, Gabe, because we've talked about this from a national security perspective. Not only the hackers potentially risking the business risk there, there's a national security overlay because if a government's attacking our businesses, that's like showing up on the shores of our country. It's the government's job to protect the freedoms and safety of the citizens. That includes companies. So why are companies defending themselves with all this capability? What's the role of government all this? That's a very important, I think, a longer conversation. So let's pick that one up, a separate one. My favorite topic these days. Critical infrastructure is business. It's the grid. It's the plants that run our country.
And John, what I'd like to add to that is, I was talking to a friend of mine who's a CIO down here in California yesterday, and we were talking about the ransomware, right, that was taking down all these cities. And he goes, well, the difference between what you guys are talking about and that is that you can back up your IT systems, right, into the cloud and that's a growing business to kind of protect and then replicate game over. And he goes, can you back up a hospital? Can you back up a manufacturing plant? Can you back up a fleet of ships? You know, can you back up a, you know, control center? Not really. When you lose physical control, it's game over. And people, I think that really needs to sink in. And that was, I think, when Gabe's paper, when I first read it, that's what really struck me about it. This is a different ballgame. Well, I mean, there's just as many points. There's the technical point there and there's also the societal point of, you imagine things being taken over by hackers that are physically could harm people and that's, again, the societal side. Technically, the incompatible architectures is coming home to roost now because there's the problem right there. That's the collision that's happened. I think in a lot of education, it needs to happen fast. Gabe, thanks for writing that paper, critical infrastructure against cyber attacks, securing it. Brian, thanks for coming on. Appreciate it. You want to say you get the final word, Brian? Go ahead. Great. I think that it's our future. Our future depends on OT and IT coming together and a lot of education, a lot of change. I don't think we're going to get there.
I think that what's going to happen in the next 24 months is that there are lots of innovative teams and companies and people working on this and what we need to do is lay down infrastructure that allows OT and IT to keep operating and not have to do a forklift upgrade in everything that they do, their processes, or teach the things how to protect themselves. Again, I'm going to go back to air gap the network, make a logical air gap. If you imagine driverless cars driving around, they're not going to, you know, imagine them sharing the same network that we're using to do Snapchat and look at cities sitting on the internet and looking at Facebook. We're not going to want that. So we need to figure out a way, separate the location of a thing from the identity, create policies in terms of the identity, manage that at a new layer, and do it in such a way that doesn't change IT. To me, that's the key because as we said here, IT doesn't move that fast. It's not a matter of willpower. It's a matter of momentum in there. Well, I think the forcing function on this is going to be catastrophic event, the title of this, subtitle this panel, Apocalypse Now or Later. And, you know, my opinion, Greg's been, you know, I'm in on this Jedi Department of Defense story. I believe this is one of the most important stories in the technology industry in a long, long time. It really highlights the confluence and convergence of two differently designed infrastructure technologies that have to, in a very short time, be re-platformed at high speed in a very fast, short time frame because the stakes are so high. So guys, thanks so much for spending the time here on this power panel, IOT, Industrial IOT, and cybersecurity. Apocalypse Now or Later, something's going to have to happen. It has to happen fast. Gabe, Brian, Greg, thanks for taking the time. This is a CUBE conversation here in Palo Alto, power panel, I'm John Furrier, thanks for watching.