It took a few years for the adoption of Zero Trust cybersecurity architectures to really pick up, despite the fact that the idea has existed for more than ten years.
For some, Zero Trust not only offers notable security gains but also lowers costs and complexity while giving confidence to business and everyone involved in it. However, as is the case with many technical advancements, for others, it still isn’t as obvious what Zero Trust is all about or, more importantly, how to apply it quickly and affordably.
To give some clearance to non-users, our team invited Moty Kanias, VP cyber strategy and alliances at NanoLock – a company that provides zero-trust, device-level prevention to secure industrial IoT and other connected devices.
Tell us how it all began. How did the idea of NanoLock originate?
It all began when Eran Fine, NanoLock’s CEO and co-founder consulted for the Tel Aviv University Center for Nanoscience and Nanotechnology. During his work there, Eran came across an interesting article from Professor Slava Krylov that inspired a new way to protect the critical code and data stored inside a device’s non-volatile memory from tampering. Eran and Shlomo Oren (NanoLock’s late co-founder) wrote a follow-up article and built a preliminary prototype that was presented to research centers as well as a venture capital firm that invests in technologies for US intelligence agencies like the CIA and NSA.
While these audiences all agreed that protecting edge devices from tampering is an urgent challenge, they believed the solution was too complicated and time-consuming to develop. Taking on the challenge, Eran and Shlomo returned to the drawing board and came up with a simpler solution to the problem, which became the core technology behind NanoLock’s solution. As we started marketing our solution and speaking with companies, we realized that the risks to edge devices were much wider than we originally thought.
It’s not only adversaries coming from outside an organization, but also insiders in the form of either malicious or naïve employees and trusted supply chain or service providers that can compromise devices, machines, processes, and entire manufacturing lines.
Can you introduce us to what you do? What are the main issues your solutions help solve?
As part of their digitalization and technological strategy, industrial manufacturers, utilities, and energy companies are rolling out millions of IIoT devices every year that are connected to their IT networks. They are also making considerable investments in connecting legacy devices and machines. Each of these connected devices and machines represents a potential attack vector in each organization’s network, where hackers can do a great deal of harm.
Cybersecurity postures have historically been positioned to defend against outsiders, but insiders and supply-chain sources have emerged as equally common causes of cyber problems in industrial settings where OT devices have been brought onto IT networks. A large percentage of these come from simple human error. However, they gain access, once a bad actor is inside a network they can seize customer data, affect device performance, shut down operations, and even compromise the energy grid in certain cases. This puts business continuity – and even human lives – at risk.
The primary cybersecurity challenge that industrial and mission-critical environments face is to find solutions that protect the operational integrity of new and legacy machines and devices, from a wide range of attack vectors without compromising their performance or functionality. Traditional IT cybersecurity solutions aren’t optimized for industrial environments and can have a negative impact on performance. Many IT-based detection tools simply don’t interface well with industrial systems or are impractical within this environment. That’s where NanoLock comes in.
NanoLock Security solutions protect the operational integrity of devices, machines, and manufacturing lines from outsiders, insiders, supply chain cyber events, and even human errors with no impact on performance and functionality. With NanoLock zero trust protection, all modifications of critical code, configuration, and calibration data, including those utilizing access privileges, must be authenticated and signed, before executed. Our zero trust, device level approach achieves a new protection level that was previously unavailable: safeguarding from employees, supply chain, and technician mistakes as well as from outsider adversaries.
You often emphasize the importance of the Zero Trust principle when it comes to devise security. Can you briefly describe this approach?
Cybersecurity has long been perimeter-based, with anyone inside the perimeter having some level of trusted access and anyone outside of it having to go through authorization processes. The proliferation of insider and supply chain-based attacks, as well as those that result from credential theft or human error, has shown that perimeter-based security postures are inadequate and that any level of trusted access is a vulnerability. For example, a Ponemon Institute study published in 2022 found that insider cybersecurity incidents have risen by 44% since 2020.
The average overall remuneration cost of an insider-caused breach also increased, up 34% to $15.4 million. The shift to remote work has contributed to the increased risk from these sources, as networks (and their connected devices) are now more dispersed than ever. This is particularly true when it comes to industrial machines and devices, where physical access is common and hundreds, if not thousands, of technicians have credentials. Enforcing a Zero Trust posture with all these devices is critical for maintaining operational integrity and business continuity.
Zero Trust is a security concept built on the idea that organizations should not automatically trust anything inside or outside their perimeters but instead must verify anything and everything trying to connect to their systems before granting any level of access and privilege. Essentially, it means that employees, service providers, and supply chain sources should all receive the same level of automated trust – none at all.
In practice, Zero Trust requires all users, even those inside the organization’s enterprise network, to be authenticated and authorized before granting access, while still continuously validating security configuration and posture. There are just too many potential loose ends to allow for anything else. A Zero Trust posture is a logical approach once organizations accept the fact that breaching their current security controls will occur eventually, in some form or another.
Have the recent global events altered your field of work in any way?
As government agencies like CISA have warned, there has been a dramatic increase in both the volume and sophistication of both private and state-sponsored cyberattacks on the US and international critical infrastructure in recent years, especially in the energy sector. The war in Ukraine has featured many examples of these types of attacks and has been cited by experts as perhaps the first where the cyber conflict started before any kinetic fighting.
Russia has actually been specifically targeting Ukraine’s critical infrastructure for years, dating back to when they temporarily took down the country’s power grid in 2015. The Colonial Pipeline hack was another example of critical infrastructure being hit by cyberattacks, as was the hack into JBS, the world’s largest beef supplier, the Lion hack, one of Australia's largest milk and beer processors, as well as the Molson Coors “cybersecurity incident" that disrupted the Chicago-based brewing operations.
Hackers understand that hitting these targets is a highly effective and cost-efficient way to cause maximum chaos, as critical and industrial infrastructures have strategic positions within their immediate and extended communities and little to no leverage to withstand interruptions in service. These are the organizations and infrastructure that NanoLock is protecting, using Zero Trust, device-level solutions for manufacturing, utilities, energy companies, and other IIoT applications.
What are the most common challenges that come up when securing industrial IoT environments?
The industrial market is predicted to reach $110 billion by 2025 with millions, if not billions, of new devices, added per year, driven by a push towards the enhanced productivity, flexibility, and agility promised by Industry 4.0. Countless legacy devices are being brought onto organizations’ networks as part of the continued IT/OT convergence as well. This has made life harder for industrial companies and their cybersecurity stakeholders.
The interconnected nature of Industry 4.0-driven operations has vastly expanded the potential attack surface for bad actors. Examples of recent attacks on industrial and manufacturing targets include the Colonial Pipeline hack and the breach into Norsk Hydro, a large Norwegian metals producer, as well as H.P Hood Dairy, which temporarily shut down 13 dairy plants due to a cyber security event, and many others. The FBI also issued a warning document for the food and agriculture sectors in response to hacks like the one into the beef supplier JBS.
Though these hacks have made major news, there are countless more that are never reported due to a lack of transparency from the targets themselves. This is a major challenge. Companies want to avoid embarrassment, but hiding their hacks only makes things easier for hackers, who can then try the same tactics against other targets. Cybersecurity companies and policy-makers need to know where problems are coming from a lack of transparency from the very targets they are trying to help make this job a lot harder.
Insider cyber events are another notable challenge. Post Covid-19 anger and frustration from the growing social and economic gaps coupled with remote work, has made access easier and retaliation more appealing. Harmful insider cyber events can be unleashed by a disgruntled or negligent employee or through a supply chain vendor - they all know the organization’s weaknesses and can more easily exploit them. According to the 2022 Cost of Insider Threats Global Report by Ponemon Institute, 67% of companies are experiencing between 21 and more than 40 insider incidents per year, and it takes an average of 85 days to contain such an incident.
Manufacturers and their supply chain networks are not prepared to mitigate these risks. The chaotic reality of the cybersecurity landscape is that there is no way to know where the next attack will come from. As this happens, origins will grow more confusing, and it will become more difficult to distinguish between an insider event and a nation-state-backed attack. Therein lies the beauty of Zero Trust, however, as it doesn’t matter where the attack comes from or who is trying to affect outcomes.
As the world gets more connected, what threats associated with connected devices do you think can become a common occurrence in the near future?
We see an increase in the volume and severity of cyberattacks on connected devices and machines. This is what geopolitical conflict may look like in the near future as state-backed actors embrace cybercrime against industrial targets as a cleaner and more cost-efficient method to create chaos. We are currently witnessing this materializing in the Ukrainian war. Looking forward, by 2025, cyber attackers will be able to weaponize operational technology (OT) environments to harm or kill humans, but this timeline is accelerating quickly, according to Gartner.
We’re also seeing hackers take aim at the food and manufacturing industries. These attacks can paralyze production temporarily, like the JBS meat processing plant ransomware attack and the Schreiber Foods dairy processing cyberattack, or for longer periods because they can easily migrate to the operational side and damage machines and manufacturing processes. This has a major impact on the economy, but it also means food production must stop. This can lead to shortages, as it did in the HP Hood Dairy Farms hack earlier this year. We expect these attacks to become more prevalent.
In terms of emerging attack styles, ML/AI-assisted attacks represent a more resilient opponent than wholly human-designed programs and the further obsolete hack-and-patch approaches. Plugging holes as they arise is a backward-looking strategy against an opponent who will relentlessly search for new holes in increasingly creative ways.
What security tools and practices should every company and individual have in place to protect their devices?
Awareness and attentiveness play significant roles in deterring hacks, as many attacks are the result of an opportunistic hacker compromising an unchanged default password or a credentialed insider forgetting to log out, or simple credentials theft. From a policy perspective, organizations and individuals can take easy steps to remedy these risks by enforcing multi-factor authentication, instituting a policy of least privilege, and running regular cyber hygiene courses to keep everyone updated with what they can and cannot do. From a product perspective, organizations need to include device-level security as part of a defense-in-depth strategy. Device manufacturers and the industries they serve are failing to address the escalating insider and supply chain cyber events and the fact that uncontrolled access privileges are therefore no longer realistic.
The traditional reactive response (after an attack has already occurred) is much more expensive in the long run. Organizations should assume they will eventually be hacked and that access is going to be achieved – it’s a matter of when not if. Preventing outcomes borne from that access needs to be the new priority. Now that Zero Trust security solutions are available at the device/machine level, with no impact on performance and functionality, there is no forced choice between security and performance. That means there’s no longer any operational justification for waiting on security.
What aspects of our daily lives do you hope to see enhanced by IoT devices in the next few years?
The IIoT is really just an extension of the IoT, and at its core, it allows manufacturers to make decisions based on data rather than on assumptions. Though connected IIoT devices give hackers a wider attack surface to poke and prod, this connectivity also makes the administration of IIoT networks a lot more efficient. Utilities can monitor, measure, and manage their distribution more effectively will help adapt to changing
As we move into industry 4.0, businesses will rely on IIoT technologies to remain competitive in the new landscape, ensuring customers receive the best possible quality product. For businesses in industries such as food, pharmaceuticals, and chemicals, speed, and quality of shipping are especially important as goods are often highly perishable and subject to stringent standards for refrigeration while being transported. Automation processes can not only help reduce operational costs but also improve customer satisfaction as businesses can assure them that goods are of the highest quality and proactively communicate when planned delivery times are unlikely to be met.
By harnessing IIoT technologies, manufacturers can generate end-to-end operational visibility and digital intelligence across the entire value chain to enhance productivity and operational efficiency through real-time data anytime and anywhere, while reducing unplanned asset downtime, unforeseen bottlenecks, and labor shortages. IIoT in manufacturing creates smarter environments, helping companies to improve product quality, better prepare for future demand, and accelerate innovation for the benefit of their customers.
What does the future hold for NanoLock?
We have set our sights on protecting industrial machinery and smart factory production lines with the commercial availability of the first device-level industrial cybersecurity protection solutions for legacy and new devices and machines. We recently announced a partnership with Bystronic, a global leader of sheet metal processing systems, to co-develop machine-level protection to ensure the operational integrity of its smart machines as well as a partnership with Renesas, a prominent global semiconductor manufacturer, to introduce a new platform that will further secure Renesas’ customers’ smart meters from cyber-attacks. These solutions are already in trials in European and American versions and are available in the US through our partners, such as World Wide Technology (WWT), a major American professional services integrator.
We’ve recently added Tamir Pardo, former director of Israel’s national intelligence agency, Mossad, to the NanoLock Advisory Board. We are driving toward continued growth in the US and Europe, where we have recently signed new deals with customers and partners with a focus on protecting critical infrastructures, such as utilities, industrial companies, and food manufacturers. We recently also announced the availability of our industrial product suite as well as industrial manufacturing partners like Bystronic. Many more announcements of this nature are slated for the coming quarters.
We are currently in the process of raising a new round of funding, as part of our Series C financing to support our fast-growing deployments worldwide. We are also investing an immense level of time and effort into promoting awareness and education about device-level cybersecurity and its global importance in supporting our critical infrastructure needs and food supply.