Hi everybody. Welcome to the latest episode of From the Rock to the Cloud. As always, I'm Tom Hall, your host. And I know you don't tune in for me. You tune in to talk to experts. So this week, we have got a fantastic expert with us, and we're going to get to him in a second. But as always, if you've got anything you want us to talk about, or there's an exciting server, a topic, or anything that you want to talk about, please let us know. We'll make sure that we try and cover it on the show. So today, like I said, we've got a fab expert, but last time I got your origin wrong. But actually, you know, I think we're getting there now. This is the third show. So I think, you know, we're lucky again to have Mr. Anthony Bartolo with us again. So Anthony, just for those in the audience who maybe are catching their first show, just maybe tell us a little bit about yourself, what you do, and where you come from. And then we can talk about some exciting stuff to do with IoT and security.

So thanks, Tom. I'm a senior cloud advocate with Microsoft, been at Microsoft just over 10 years, dabbled in everything since Windows Mobile, Windows phones, server, architecture, and now, you know, identity and security and IoT and Python, sky's the limit in terms of what you can enable with all the technologies out there. And that's why I love the topic that we're going to talk about today, because it's so easy to get in, but it's also so easy to get trapped and in trouble with it as well. So I'm very excited to talk about it today. In terms of background, so, yes, I am Maltese, which is funny because the show is from The Rock, which is awesome, and living in Canada. So Canadian Maltese and wearing a South African rugby shirt, which we were talking about earlier, in terms of the awesome rugby that they have in South Africa.

Being a Brit, and, you know, I love a bit of rugby. So, yeah, I did spot it as a right. I've got the wrong country, actually. Sorry, everybody.
But, yeah, no, and you corrected me anyway. But apparently that's Rick's shirt anyway. So, Rick, sorry, but Anthony's got your shirts. Sorry about that. Anyway, we're digressing completely, as always. But today, we're going to talk about IoT and IoT security. So for the next 30 minutes, I think you and I are just going to catch up. We're going to talk about this and try and give people a little bit of understanding about kind of, like you said, it's complicated, but it doesn't necessarily have to be. But I think people need to understand, like, what Microsoft are doing around, you know, the subjects. And let's find out about IoT, security, and addressing hybrid attacks.

Okay. Yeah, definitely. Let's get started.

Cool. So why should organizations care about securing that IoT? Like, why does it matter, Anthony? Do you know what I mean? Because, you know, surely it doesn't matter, does it?

So, let's simplify things, right? The biggest thing with IoT is its ease of entry, right? I can literally go to your local retailer. There's an IoT light bulb that connects via Wi-Fi to your network and allows you to change it to different colors, right? So, you know, I have a couple of these around and it changes the different colors. And the other insights it gives me, though, is that, you know, for the amount of time that it's powered on, how much electricity is this using as a light bulb, right? So imagine in an organization, you deploy hundreds of these, right? So now you have this thing that you can do automation and information capture and you get insights. And from those insights, you then have actions that you would then go forth and say, okay, well, these lights are on too frequently, or the color that they're displaying is taking more electricity than it was just a normal white, making those adjustments, making that, you know, capability to, you know, affect your consumption of electricity as an example.
The challenge is, like I said, it's so easy just to go to your local retailer, pick up this light bulb, put it into a light socket, and away you go. What people don't take into consideration is what are the security implications when you deploy these types of devices? Speaking at CES, sorry, the Consumer Electronics Show, a couple years back. It was such a fever to get out there and say, oh, you got to, you know, pick up all these devices and do all this automation. And whenever somebody asked the question of security, immediately, everybody would stop and say, well, we're not worrying about security yet because we want to ensure that the innovation goes forth first, and then we'll worry about security later. And it was such a scary statement, and a lot of the manufacturers at the time, we're talking five, six years ago, were saying the same thing. And it was scary because this is an entry point into your network. This is something that can, you know, if somebody gains access to the gateway can then funnel into your information, they can, you know, okay, great. So they'll learn how much electricity your organization is using for power. But you also have the ability to go because it's connected to your network to other facets of your organization, other databases, you know, if information is the new currency, this is a possible entry point into that currency, right? And so people start to look at your data. The thing too is that it's so easy to prototype. So here's a project that I completed with a bunch of individuals here at Microsoft, where we deployed mouse traps connected to Raspberry Pis just to understand the pattern of mice traveling within a building to see, can we be more proficient at catching, capturing these mice.
And even in that instance, you can see the security implications of taking this device, connecting it to Wi-Fi or connecting it hardwire to network and having this scenario of, you know, funneling information, but also opening an additional port or door for somebody to jump onto that device and then gain access to your information through that gateway as well.

Yeah. It's like a reverse mouse trap situation. They're trapping you.

They're trapping you, right? Pretty much, pretty much.

So with all this going on, right? Whose responsibility is it to secure all these devices?

This is something that a lot of organizations are asking because, you know, you have developers that are building out these solutions and they'll grab these devices off the shelf or they'll grab it through OEMs and third parties and they'll deploy them inside of organizations and then they'll do it on their own or they'll do it, you know, as a, hey, if I build this out and I save the company X amount of money or enable this type of automation, it's good on me, pat on the back, get a raise. You know, it happens a lot. Yeah. And it's not just developers. I actually came across a project, I would say three years back with a large grocer that took it upon themselves to work with a third party to build out a solution where they would monitor the electricity use of freezer units inside of the grocers. It was 50 chains across the country. They had these devices that would monitor the condenser inside of the freezer. Twice a day, the condenser has to be defrosted or it will overheat and explode. And they were, you know, very, very excited that they created this genius network, as they call it, where they had all these IoT devices monitoring the temperature of the condensers and having the ability to adjust the temperature to defrost it twice a day. And they were doing this manually. All these IoT devices were connected to, remember the old beige computer boxes? Yeah.
Right now they're all fancy with lights and RGB and what have you, but back in the day it was these gray beige boxes, literally sitting on the manager's desk at the grocer, sometimes with a potted plant on top that they would water the whole bed. And they would have 56k modems connected to them. And what would happen is the central office would dial in via telephone to this modem and adjust the temperatures on the condensers manually. They thought nobody has modems anymore. Nobody's using this type of technology anymore. We have this segmented network that doesn't touch the infrastructure at our organization. So IT doesn't need to be involved. Okay. And they deploy this to 50 stores, hundreds and hundreds of freezer units. And lo and behold, some hacker was out there sniffing around going through numbers. Actually, to my understanding, the hacker was actually looking for fax machines and stumbled across one of the store's dial-in numbers. Now the store themselves, do you remember pcAnywhere? Yes. Yeah. Yeah. Yeah. Right. So the stores, the grocer themselves was using pcAnywhere as an entry point gateway to gain access to the IoT sensors for the condensers to increase and decrease the temperature. Their plan was to do this manually. They're trying to save themselves money because the hydro companies here in Canada, for most parts of Canada have changed in increments of every five minutes up and down. And in some scenarios, there's a negative cost. So the hydro company is actually paying the grocer just to consume electricity. You come into this situation where when they're doing this manual change on the IoT devices, you know, with this hacker coming in and saying, okay, what am I connected to? And discovering that it's a temperature gauge, the hacker went in and blew up all the condensers in, I believe it was, half the stores.
It was $2 million worth of damage because when he blew up the condensers, they didn't have a storage area big enough to take all the freezer units, the contents of those freezer units and put them in storage. Also when the alarms went off, you know, a certain period of time to come in and empty out the freezers and you have to empty out all these freezers. So in this instance here, it wasn't going in and capturing information and stealing that information. It was doing harm to the organization in terms of blowing up these freezers and letting all this inventory fire and rot.

Yeah, look, you've just put me off a smart fridge. So that's fine. That is pretty scary stuff. What advice would you give somebody then to make that IoT secure? Do you know what I mean? What's the obvious things in that scenario? What should they have done?

So the biggest thing in this scenario is who are you having the conversation with when you want to deploy an IoT solution, right? Don't just deploy for the sake of the technology, right? And that's a challenge that a lot of organizations fall under is they see all these nifty things, all this, you know, great technology that's out there. Oh, I want to implement this and I know when I do this, it's going to increase our business or save us money, right? I'm guilty. I do it myself. I am too. I've got like 50 things connected to my Wi-Fi. My wife hates it and I'm like, but I just got this new thing and it just does this and she's like, but you can just use the switch. Right. I can turn my lights on and off with my phone, right? It's like, this is awesome. And then you find out that these devices are constantly having conversations with nefarious organizations and I'm like, oh, that's a problem, right? It's, you know, it's something that we don't think about. We run with the technology because it's so cool. It's so fascinating.
And then when something comes up, wow, and this is a, you know, a big problem like what the grocer had, you know, it's a scenario that, oh shoot, I should have taken this in consideration before doing this deployment. In any organization, when you're looking at implementing a solution, you have to start with a question, why? Why are you doing this type of deployment? Why is this going to be impactful for the organization? When you can answer that question, why? Then it's an open conversation with the organization itself. That includes the business decision makers, the developers of the organization, and the IT professionals of the organization. And now I'm being, you know, I'm taking it back, you know, a lot of steps in terms of who you talk to, but those instances are the groups that you want to reach out to when you're deploying these types of solutions so that everybody's on board. Everybody has their input in terms of what's important for the organization. Why should we do this? And then security considerations are also taken into effect in terms of if this is deployed, what is the attack vector that could occur? What is the, you know, implications of the risks even out with the reward in terms of this implementation being put forth? And so taking that into consideration and after having that conversation, then you have to understand how. So let's take it to the grocer again in terms of what they accomplished. So with the IoT devices that they had out there, and yes, you know, they revamped the entire solution, it's actually cloud based now, which is really, really fascinating. This scenario in terms of the understanding of the temperature gauges and the consumption of these devices at the condenser level for the freezers is actually what we call OT, right? So OT stands for of things. And of things is a scenario where it's okay.

Well, so what's the difference between IoT and OT, right? You can't just drop that in there.
Like, like, what's the difference between IoT and OT?

So, so perfect question. And I apologize for jumping in too quickly.

I'm not as smart as you, Anthony. So you have to slow down for me, right?

I wouldn't say smart. I'd just say passionate. Just passionate. It's really cool. There's a lot more people smarter than me. You know, Paul DeCarlo, Olivier Bloch, there's a lot of people that are out there that are smarter than me on this. I'm just passionate about this. And I want to make sure that people are aware of the security risks of IoT. So the big thing with this is IoT is information of, sorry, Internet of Things, right? Now we are taking that and that's the overall term in terms of the automation of all these devices. Then you take the scenario where it's OT of things. And of things usually refer to legacy devices. So like machinery, putting cars together or manufacturing plants or what have you, that don't really have the smarts and would require connection to a gateway to do specific tasks. So when you're doing an OT implementation, it's more of an automation implementation, right? It's something where for the condensers inside of the freezer units, making sure that they're at the appropriate temperature so that the organization is saving money on their hydro rates, right? And it's something where it's automating the temperature up and down as required. In IoT, instead of Internet of Things, think of it as information of things. The information that's being captured at the gateway, at the IoT device itself with the sensors that it has. So back to the mousetrap solution. The mousetrap was capturing information in terms of how quickly would it catch mice. And when it caught the mouse, where was it placed inside the building? Was it bright or was it dark? Was it warm or was it cold? All this information is being captured and is funneled back for processing in terms of whatever automation you want to create or whatever insights you want to have, right?
So those are the two main differences of the implementation between OT of Things and IoT information of Things. Both instances require security. And both instances have this need to ensure that if somebody goes and attacks that device. Because remember, these are rudimentary devices. Even though they run their own onboard system on chip, it's still something that can be attacked. And it's no different from having an implementation or VM on premises or in cloud, right? It's another attack vector that somebody can come in from.

I think this is a fascinating point, right? Because we've talked a lot on other episodes about what Microsoft's doing with Server 2022 and secure core technology. And then also, I was talking to Orin Thomas and he was talking about secure server and all of these kind of things, which is great. If you're protecting those bits, great. But then if these devices are then connecting through an application into that server estate, they're that route of entry. And that's really scary. That's like, you know what I mean? Like generally, I'm not just saying it, like it's, you know, but you don't think of it. And that's exactly the point that you're getting across to, well, I'm hearing it loud and clear. You have to think that all of these potential points of entry could bring down your network. That's, you know, that's quite scary. And actually, that's, sorry, that's just really resonating for me. So I just had to kind of call that out.

Well, and this, that's just the thing, right? Like this light bulb sitting on your network is a point of entry. So somebody gains access to this. And remember, this light bulb is connected via Wi-Fi, and it's going outwards to the internet to update, right? It's constantly looking for updates, which I've actually stopped. I've actually had this on a segmented network. It has actually its own SSID that it doesn't touch any of the networks. It does have internet access out. So, you know, security is a perception, right?
There's always going to be a way that somebody's going to try to gain hack, hack your, your information. Because like I said, data is currency. It's, it's very valuable. And, you know, in any time you deploy these, any of these devices that are off the shelf, you run the risk of increasing the security risks inside of your, your household or your organization. And so, you know, even best practices that you put forth to have these types of devices implemented, you're still providing that security hole so that somebody can come and possibly attack. So what you do is you make it as safe as possible. And when you're doing an IoT deployment, if your security module, your security plan should be from a modular approach. It should be the micro co-processors that are on this device being secured, should also be the hardware that's being secured, the network that this device resides on should be also secured, and the provisioning. And this is one that a lot of people forget about. When these devices are deployed, it's running an OS, it's running an application to do a specific task. The application on the OS that's on this device can also be attacked. And that's in essence injecting code into IoT device. So having a plan to secure the OS and the applications that are running on these devices is equally as important as all the other things that we talked about, you know, in terms of the security practice. From an opportunity with IoT, specifically on Azure, there's three levels that we talk about in terms of the security. There's, you know, the good, better, best scenario. In the good scenario, out of the gate, and this is, you know, inclusive of any IoT solution that you deploy with Azure, the IoT suite and specifically IoT Hub has the inherent security capabilities to at least have that authentication key that would be passed between the device and the cloud for the authentication of this device to actually have interaction, right? 
So out of the gate itself, you have this capability from IoT Hub that provides that gateway, the secure gateway and passing a key from the device to the cloud and to ensure that authentication occurs. Once that occurs, then information can flow freely. Now, should the device itself be hacked, right? There is still the possibility that this device, you know, could still be communicating back information to the cloud. However, it's much more difficult to then extrapolate information from the cloud because of the key requirement. And if the instance is acting differently than what it was before, this will, you know, provide some notification, very rudimentary, but hey, there's a problem with this device that you need to check into because of what it's trying to access into the cloud. The other thing too is that you'll also have the ability to do the mapping of the software that's running on the device itself, so in this case, the light bulb, to say, is this the version that this is supposed to be running? If it's not, push out the proper version. This is available through IoT Hub, the IoT Suite offering as well, so that it always makes sure that it constantly updates that device as required to the latest version that's been permitted by the organization. Okay, that makes sense. Cool. So, well, you go. You go. Sorry. No, no, you go. You go. No, no, no. I was going to say, so when you think about IoT security threats and how they affect businesses and organizations, it's not just necessarily where they attack that they affect. So they maybe affect other parts of the org. What does that, you know, how can they manifest themselves? Excellent question. And I was, you know, that was my next point I was going to jump into. So we talked about the IoT device, right? It's your entryway in terms of, you know, possible attacks that can happen to your organization. 
We all know, especially from an IT perspective, it's only one piece of the pie in terms of network that's available, right? With these devices connected to the network, you know, a hacker can come in from that entry point and then hop around within an organization. Then it becomes a little bit trickier because now you have to not only detect the hack that's occurred on the IoT device, you also have to detect where has the hacker gone within your organization. There are a plethora of tools that are out there that can monitor the IoT devices specifically to understand at the entry point, have you been attacked? Is there somebody trying to get into that door to gain access to your gateway? Well, Microsoft has a great solution in Microsoft Defender that's available that allows for this ability to not only see IoT devices, but also see how this IoT device affects the rest of the organization should an attacker come in. So this scenario here, as a security professional, you have the availability to see the entire gamut of your network and how the hacker is coming in from an IoT device to gain access to the rest of your information. This is important, right? Because like I said, it's not, this is seamless in terms of its access. You have this IoT device that's on the edge, it's capturing information, or providing automation that's doing a specific task and is reporting back through your network. And your network could be on-premises, it could be in cloud, it's the hybrid model of both being accessed through your organization. How is it, you know, IoT, then see this attack vector and what they're traveling through in terms of your network? This is where Defender comes into play, and what I love about this is it's that seamless one pane of glass that gives you an entire view to your organization's infrastructure. Again, on-premises, in-cloud, hybrid model, whatever that may be, inclusive of the IoT devices that you've deployed.
Not only that, it even shows the touch points in terms of, in some scenarios, especially in OT and legacy manufacturing plants, you have these computers that are the gateway that manages these devices that are doing the specific automation. And, you know, that's where the scenario where you have those computers being attacked to affect those OT devices. There was an attack on Triton, which is a big manufacturing plant that had this scenario where their computers were attacked to create havoc amidst the automation that's going on to stop production. And there was a possibility of an explosion that would have occurred that would have decimated the entire plant that they were implementing. And it showed, in terms of Defender, how the attack occurred, where they went through, where the attack vectors were, and how many of the systems were affected by the attack itself. Such a great tool to have when understanding, in terms of the entry point of where the hacker is coming in and what they're trying to affect, amidst your organization.

Wow. I mean, use Defender, people. That's what I just heard. But it's true because these threats, and it's in the subject matter of what we're talking about today. But like IoT is fundamentally, it is hybrid. Because there's always going to be a physical element to, you know, that access point that then is, you know, is going to work, you know, to maybe an on-prem scenario. But that on-prem scenario is going to be connected to the internet. And, you know, I kind of almost can't see a scenario where that doesn't occur at some stage of that solution. There's going to be, you know, even if the entry point or, you know, or that IoT sensor is not directly connected to the internet, it will be connected to a network which is then connected to the internet. So, you know, it's going to be hybrid. So, you know, I don't think there's any way around that. So you just have to kind of be smart about how you protect yourself and how you monitor it.
In terms of, you know, I suppose advice from, maybe a Microsoft perspective, but, you know, what would organizations, businesses, what, you know, what do they need to invest in in terms of additional tools to protect themselves from these types of attacks? What would you recommend?

So that big piece that comes in terms of the conversation with the organization as a whole and understanding what they're actually trying to accomplish, right? Again, not deploying technology for the sake of deploying technology. And once you have that understanding, your business plan, your technology plan for your current implementation should be such that it covers all gamuts in terms of everybody's concerns. There might be ISO standards that have to be addressed. You know, the whole piece of the organization that you have to safeguard against this possible risk of the IoT devices being deployed. Defender is a great solution because it provides that, you know, reporting mechanism to understand where attack vectors may lie and does a detection. But in a lot of instances, you know, there might not be a security specialist at that organization. I'm not a security specialist. Are you, do you have a security background?

No, no, no, I'm not a security specialist. I think it was my wife. So no, that's the same way.

So the beauty of using a solution like Defender means that you also have the ability to add on solutions like Sentinel. So Azure Sentinel is the next step in terms of what you can do with Defender, which would actually go through and automate your rules. So for your ISO standards, there's a set of rules that you have to abide by. It can actually do the detection amidst your network to understand.
So you have these IoT devices that are deployed and based on your rules, these are actually out of compliance and causing an issue in terms of your implementation and provide you with the next course of action in terms of, well, maybe these devices need to be segmented on their own network with a secure connection back, might require access point nodes from a cellular network, it might require VPN from gateway to gateway, whatever that may be. But provide you with that instance of understanding, hey, what's next for your implementation that you put forth now for your security constraints that you have to adhere to amidst your certs or ISO standards to ensure that you stay compliant. Sentinel bolting on top of Defender, it does again that whole look at your organization as opposed to just IoT devices to ensure that this, you know, and should an attack occur, what would be affected amidst your systems and what would have to be remediated to ensure that attack would be minimized because I'll never say completely thwarted because as we know, security is a perception. And so, you know, it's to make it a lot more difficult for hackers to try to gain access to your information.

Perfect. Well, I think we learned quite a lot there. And, you know, like always have protection. Good advice from Anthony, from life there, I think. Sorry, that's just a bad sense to you. Anyway, that's fine. We're moving on. Talking of sense of humor, we're moving on to that part of the show where we talk about memes and the meme review. The producers, they always have a few funny memes up their sleeves. And, you know, audience out there, you know, we love it when you rate them, we love it when you tell us whether they're just rubbish or we could do a better job. And, you know, certainly send them through your thoughts. And if you've got any examples or any memes that you would like us to talk about on the show, let us know. But Anthony, as always, I'm going to look silly.
You're going to look clever. And we are going to look at what the memes, what memes have we got today? So, meme one, here we go. Sorry, you're pretty new to the cloud storage, aren't you? That's me. I'm that guy. That was me. I was going to say, sorry. No, no, no, you go, you go. I was going to say that's Pierre Roman, right there. That's initially Pierre. You know, see, he's got, he's just missing the goatee. That's all. And it's like, yep, let's put stuff in the cloud. Let's go. I love it. That could be Pierre. Yeah. Can we, like, producers, can we get a goatee on that cartoon next time, please? Thank you. I love it. And to be fair, sometimes storing things in the cloud, it does feel a bit like that. But, you know, like, I haven't seen one of those file cabinets in I can't tell you when. Do they even make those anymore? Surely not. Surely not. I hope not. I hope the cloud has solved the, you know, the amount of metal that's gone into those filing cabinets. They've probably just turned them into servers, but that's fine.

Okay, right. So, let's do meme number two. This is the third one. Yes, really. Do not close the lid. I mean, you've seen that before, right? You've seen this a hundred times. I've seen this, you know, I've seen laptops like sitting like that on top of shelves. I've seen the gray beige boxes underneath desks with the same label that, you know, this is a server. Do not shut this off. Do not close it. It's scary when you see these, because most times IT has no idea that this exists. And it's, you know, sitting there as it's running a specific operation. And when somebody goes by and closes the lid, wow, you know, everything starts to fail. And, you know, what's going on in my organization? Yeah. This is, when I see that, I cringe immediately. This is literally what we were talking about. This is like, this is like, this is like entry point 101 right there. Like, this is like, perfect.
Attackers like rubbing their hands together with each other. Like, yeah, you know, I won't shut the lid. Like, I'll open the lid right up and I'll just get straight into that. That's, that's ridiculous. Well, okay. Well, absolutely. Thank you so much for teaching us a little bit more today about IoT and OT and hybrid attacks. And I hope everybody paying attention, get protection, use Windows Defender. And I suppose the advice that I would have for people is make sure you're considering why you're implementing the technology that you want to implement. What are the outcomes? What is the business benefit? And ultimately, is everybody in the business on board with this? Because it's actually going to make things better, save money. Like, what, there's got to be a practical reason for you doing these things, not just because it's cool, like the lighting in my garden, or, you know, the lighting in my hall or any of that kind of stuff. Like, it's not just because, you know, you need to, you need to really think about it and you need to make sure you're talking to the right people. And see, is there anything that you would say I've missed from that summary or anything that you would add? Well, always ask the question, why? Why are you implementing the technology? Why are you working through these implementations? What does it solve amidst your organization when you deploy this? The how is just as important, but the how shouldn't be first, right? Although with the how, there are a ton of resources that are available to you. And I've shared a couple of the links that are available. We'll put them into the description of the video itself. Yeah, it's important to know the how because you then know the capabilities and limitations that are out there and are able to choose, based on the why, what you should implement from your technology standpoint. 
Again, once you've had the conversation with the business decision maker, the developers and the IT professionals, amidst your organization.

Cool. Thank you, Anthony. It was a pleasure having you. It was very enjoyable. I always learned these, I must admit, the IoT chats that we have, like I love talking like hardcore Windows Server 2022, but actually, this stuff is kind of really interesting as well. Like, it's really, and it's exciting, it's all joined together. And yeah, like, you know, I always learn a lot of stuff from you. So thank you very much. Everybody, thank you. Oh, well, may anytime, anytime you want to come and talk IoT, we are here for you. Thank you very much for watching. As always, if you've got anything you want to say, anything you want to find out, if you want to talk to an expert in detail about a thing to do with server, hybrid cloud, IoT, you name it, we will go and find an expert and talk to somebody for you and have a lovely rest of the day, everybody. And yeah, we look forward to talking to you on the next episode. Cheers. Bye.