The Marriage of IoT and the Supply Chain
Reprint from original article in SDXCentral.
Some things in life are just meant to be together and that now includes the Internet of Things (IoT) and the supply chain.
But not so long ago, few imagined such a marriage could exist. Many supply chain executives were comfortable with age-old practices and processes that had served them well for decades.
I had many conversations on this topic, but one conversation has stayed with me because of the sheer denial and close-mindedness that this individual evoked. The executive in question was a well-known 3PL professional who could not—or would not—imagine a world where the supply chain would one day live happily ever after with IoT, raising (growing) dozens of vertical markets together.
He was not alone. Not everyone is an early adopter.
It was mid-morning back in 2013 at the Interlog Conference in San Diego, California, when the conversation occurred. The following is the most telling excerpt from that exchange.
Me: What do you think of all this talk about machine to machine (M2M) and the idea that the supply chain is on a crash course to marry IoT? And that the supply chain will one day rely on the internet to survive?
3PL Executive: It will never happen.
Wrong.
The ensuing conversation took several not-so-enlightening twists and turns, but he could not be swayed. It just wasn’t going to happen. But in the end, the wedding occurred.
IoT Progresses
The now wholly symbiotic relationship between IoT (then known as M2M) and the supply chain has been going through periods of incubation, maturation and enhancement for many years now—and there is no end in sight. Fleet management systems have improved and evolved into complete, end-to-end telematics solutions.
Warehouse management systems (WMS) now organize billions of disparate parts across multiple warehouses around the world—without error. And there is a new widget or technology announced every week—all designed to better the supply chain, and all connecting to IoT in one way or another.
As a result, today’s supply chain is not only happily married to IoT, it is 100-percent reliant on 4G (soon to be 5G) technology for its very survival. While there are some individuals who are not the world’s earliest adopters, the vast majority of the supply chain world is now tapping into the power of one sensor or connectivity device or another. We have containers out at sea communicating not only location, but temperature, balance, weight, security and more. And that is just the tip of the wireless iceberg.
IoT Solutions Abound
Current supply chain IoT applications take many critical and important forms, including warehouse management and agriculture. But the list of supply chain markets touched and enhanced by IoT is truly endless.
For example, MDG Connected Solutions is one leading company that offers a number of different solutions that make it easier for companies of all sizes to connect and stay connected to IoT. Company founder and CEO Michael Ginsberg says, “MDG has always operated under the premise that IoT solutions and services do not have to be complex.”
MDG’s warehousing solution is the company’s fulfillment system and network. Each customer securely stores its products in MDG’s Chicagoland fulfillment center, and the company picks, packs, ships and provides customer service for all warehoused products. The biggest differentiator, according to Ginsberg, is the company’s custom-built, proprietary software solution, a WMS, that guarantees zero errors in package contents or destination.
“We talk to a large number of executives across a wide range of industries every day about how to easily keep them connected better, faster and more cost effectively,” continued Ginsberg. “Whether it’s an external communication need for something like a PBX-type solution or an internal need for something like a signal booster, we’ve got solutions for both and we have been able to help a lot of leading companies solve these issues.”
Another leading IoT solution provider, MultiTech, is implementing its IoT solutions across the agriculture industry, among others, and working with customers ranging from local growers to heavy equipment manufacturers to irrigation systems suppliers. The company sells and implements the connectivity devices, which can be found on farms around the world, improving both yield and efficiency by monitoring:
- Soil moisture and nutrient content
- Animal activity and location
- Building temperature, air quality and humidity monitoring systems
- Feed monitoring systems
- Water usage
- Equipment health.
Sara Brown, vice president of marketing for MultiTech, says, “The United Nations estimates that global food production needs to increase 70 percent by 2050 in order to meet the basic nutritional needs of our growing population. That’s a tall order and requires careful fine tuning of growing conditions, as well as optimal logistical operations to store, transport and deliver food while maintaining freshness and nutrients. Today’s IoT connectivity solutions offer the insights to do that by monitoring sensor data every step of the way.”
So whether you are a leading IoT product company or a provider that offers products and services to connect “things” to the internet with IoT technology, the fact is that the supply chain is a much better and functional system since the advent and advancement of IoT and all its connected solutions.
IoT Security
We’d be remiss if we did not talk about the absolute criticality of implementing a top-notch security solution to protect not only your communications, but all of your assets domestically and abroad.
The McKinsey Global Institute conservatively estimates that over $1 trillion in value is being created by IoT. Yet, in spite of the size and growth in the market, security continues to be an afterthought. Many innovative security companies are attempting to mitigate attacks, but hacking continues to explode—even in cloud data centers, where millions of dollars are spent on security.
The need is in preventing an attack before it happens.
One company that has proven its ability to do just that is Mountain View, California-based BlastWave. The company has eliminated entire classes of vulnerabilities where blockchain can’t, and this was done specifically by design with the company’s virtual air-gapped mesh network. The BlastWave solution redefines how computation and communication occur for IoT applications.
BlastWave CEO Tom Sego says, “In the case of high-value assets, the traditional model of detect and patch is not good enough. BlastWave’s holistic and proactive solution gives users the security of an air-gapped network with the benefits of connectivity. For example, we completely eliminate phishing with our multi-authentication process that does not require usernames or passwords.
“We also eliminate configuration errors with our zero-configuration nodes that self-authenticate to join the network. If we are serious about protecting our electric grid, critical infrastructure, global shipping processes and self-driving vehicles, we must start with a secure hardware root of trust with an encrypted chain of custody from the processor all the way to the human layer, across the supply chain, and beyond.”
Thus, for those who always believed, as well as for those that were a little late to the party, it cannot be denied that the supply chain’s marriage to IoT has created a fast and major opportunity for IoT-savvy supply chain executives to tap into some great technologies and significantly impact the bottom line.
Peter Nilsson is a marketing executive and writer with more than 25 years of experience working with global supply chain and IoT companies. He is currently the president of Performance Public Relations.
Today, I want to talk about persistent threats. By now, I'm assuming that most of you have either heard about the recent persistent threat attacks - one being the Sunburst attack on SolarWinds, secondarily the Hafnium attack on Microsoft Exchange - or perhaps, unfortunately, your organization has been a part of those as a victim. As a result of all of those attacks, we've seen a tremendous amount of noise from the cybersecurity community, talking about strategies for prevention, mitigation, etc.
But the real question is, is anyone really doing anything to attempt to create a line of defense against these attacks? And at BlastWave, we would argue that for the most part, they're not. Yesterday, a colleague of mine, Paul Gracie put out an article. It was a short cheeky article entitled, “Is it just me or does the emperor have no clothes?”
If you want to read it, let me give you the link. Hold on. That's not the link here. It is. So this is the QR link. So you can just snap a picture of this with your phone and you should be able to connect to it. But as I said, it's a short article. It was a little bit cheeky and effectively. What it did is it kind of called out the establishment cybersecurity vendors on the fact that they're selling you security products that aren't actually securing your network.
It called out some burning problems that we have in the cybersecurity space today. And specifically around the questions of, are we creating this first line of defense and specifically beyond that in the event that someone may be able to penetrate your network and get on the inside. Do we have anything to mitigate the impact of those?
And so I want to walk through this and I'm going to use a combination of a PowerPoint and some information off the web to go through this. So let's begin by taking a look at how our networks are protected today, and this is going to be familiar probably to everyone. So it's usually a combination of three technologies in the wide area network.
You're leveraging some type of SSL VPN technology, so a virtual private network. At the remote client, you're using hopefully some type of multi-factor authentication that is hopefully passwordless, to be able to protect your client's identity. And then within your local area network, where your protected systems and applications lie, you attempt to protect those through access control and segmentation.
And so if we look at that, we begin to ask the question, well, are these networks, and are these technologies that are designed to protect our critical systems today, are they actually doing what they're supposed to do to protect them? Well, Let's take a look at the statistics. So let's go and let's start with an interesting stat.
So this year we, as a globe, a global economy spent $25 billion in VPN. It looks like it's going to be all $76B by 2027. So we know we are continuing to invest in this technology. If we look at the leading vendors in this space, and we're not gonna mention any names, but you could see them. Number one, number two.
Number three and this may change, but in general, over time, they're all kind of the same list of vendors. If we were to look at them and ask ourselves, well, how secure are these particular vendor solutions? Well, let's, we could look at number one, so we could go over to NIST and do a quick search on this particular vendor.
And we can see that right now, there are roughly 20 known vulnerabilities that range from pretty severe to maybe reasonably severe. And that's 20 doors of entry for a malicious actor. If we were to take that same approach and look at number two, then if we look at their statistics, they're doing a little bit better, but it looks like at least one, if not more, of their vulnerabilities are highly critical.
So there are multiple paths of entry for a would-be actor as well. Then finally, if we look at number three, which is a very well-known name, and we look at theirs - 70. 70 known vulnerabilities from companies who are the leaders in providing virtual private networking technology. Now, why do we care about this?
Well, we care because these vendors, these solutions that are supposed to be our first line of defense against these persistent threats are the very technologies that are being bypassed, being bypassed in many of these attacks. And so if we think about that, it makes sense. Right. And let's walk through this.
So if we're deploying VPN within our wide area network, then for the most part, we're using technology that's 20 years old, that as we've seen a moment ago, has hundreds of known vulnerabilities. And each time a vulnerability is reported, those vendors have to go and create a patch. That patch has to then be rolled out into their customer community and then be propagated across the customer's networks.
So in many cases it could be weeks or months before the door is closed effectively for malicious actors. Now, if we move over to the left and look at the remote user, I think we're, beginning to do a good job by applying multi-factor authentication. Hopefully most of those that are being leveraged now are passwordless, so that's good.
But many of them are single surface based, which means that you can steal something. You can steal a single thing, and once you've stolen that single thing, a key fob, etcetera, then now they can take that and pretend to be you anywhere else in the world. So they're usually highly vulnerable to theft, but more importantly, they're not policy-aware. And what we mean by that is that the devices that sit down here that perform the authentication process are largely unaware of what policies for access you might be granted or not granted.
And so by that fact, that puts them in a position where this network is kind of a set of disparate parts. They're not all one acting in unison. Now, when we get to your LAN most companies good old fashioned segmentation, right? So through access control lists, etc., they're segmenting the network.
It's a very time consuming process for network engineers. Usually it is well, not usually it is in fact, very prone to human error, more than 90% of all vulnerabilities and outages within networks today, come from human error. Somebody made a configuration change that caused either an outage or a gap and created an opportunity.
And so while it's a great attempt, these are really complicated, prone to human error. And so as a result, they're really vulnerable to insider threats. And if we take a look at these attacks, we can see that that's the case. So, we need to ask ourselves, why do we care about this? And in asking that we want to look at the behavior for how these persistent threats break into your network and there's no magic to it.
While they all may look unique in their approach, they all use a very common pattern. And the first portion of the pattern is reconnaissance. So effectively, what they want to do is they want to identify a system somewhere inside of your network that they can somehow connect to or get to, and then use that to match up a vulnerability doubt.
That may be a publicly known vulnerability as the list that we just went through a moment ago, or it might be a personal or a private vulnerability that they have discovered. But in either case, their goal is to find a system on the inside of your network, which leads to the next step, which is to create a piece of malicious code that they can then drop down into that system, that’s sitting inside your network.
Once the code's there then now, what do they want to do? Now they want to poke around. So they want to use the inherent vulnerabilities of your segmented LAN to scan around and find other systems that they can get to. And then once they've done that, they'll try to propagate or replicate that particular piece of code to another system.
And then finally, what they want to do is call back home, right? So connect back home for the purpose of creating a command and control channel for that malicious actor. And if we take a look at that, then there's really no magic. Right? They're coming into your network via one of a couple of methods.
They're either coming through your secure network or they're walking in the front door. And in most cases, it's through your secure network that they're using to get there. In the case of SolarWinds, if we look at that real quickly, SolarWinds was a perfect example of that.
Effectively, what they did is the malicious entity had a malicious payload. They had identified through surveillance and reconnaissance, a system that was vulnerable inside the SolarWinds build servers. So they dropped it down there and they simply let it use its own secure communication channels to be able to propagate that update across to their SolarWinds Orion instances that are sitting inside of the customer. From there, that instance replicated itself up to other systems and then created a command and control channel back home, using the security technologies that we spent 20 some odd billion dollars on this year or not using them effectively bypassing them.
In the case of the Hafnium attack, it was a very similar scenario. So in this case, they were able to identify a vulnerability that allowed them effectively to bypass the Exchange authentication process. So they were able to connect into Exchange, and then from there deliver a piece of malicious payload onto that. That allowed them to execute a script from there in Outlook Web Access and basically drag a bunch of Exchange emails back into wherever their servers are, and who knows what? I don't even think we know yet how much impact that's going to have.
So those technologies that were used to protect the network to create that first line of defense were exploited in both of these attacks. And I think many in the community would argue that as it pertains to advanced persistent threats, this is just the beginning. So we've got to create that line of defense.
And let's talk about that. I want to introduce you to BlastWave. BlastShield is our product. BlastShield is a software-defined private network overlay that can be deployed over any packet based network. When it's deployed, it renders your protected systems, applications mechanical systems and industrial settings, it could be sensors, etc. - it renders those systems invisible. So the network itself, the BlastShield network and all protected systems are effectively invisible. You can't scan it. You can't see it. You can't talk to it.
Remote user access into a BlastShield network is performed via a very convenient, but highly secure three surface multi-factor authentication process. And the reason that we use that model is it makes it immune to your common phishing exploits, but also reduces the risk of theft because of the requirement of multiple surfaces. And then more importantly, within that multi-factor authentication process, your users, access and visibility are bound to each other by policy.
This inhibits the ability for, let's say, an actor pretending to be one of your remote users that connected into your network to now poke around, because they can't see other systems unless they're granted specific access to them. BlastShield is built on a proprietary transport methodology that is immune to SSL VPN exploits. So all of those hundred-plus exploits we just saw today, it is immune to those.
Effectively it delivers this encrypted edge to edge network that runs across the entirety from your edge user, into your application. And it's all manageable from a single policy orchestrator.
And so how does this relate to the attack vectors that we looked at before? Well, if you start with reconnaissance since this network and the assets that are protected behind it are invisible, then it makes it really difficult for reconnaissance to be performed because you can't identify those assets. And if you can't identify them, then it removes the ability for you to begin to identify what exploits might be associated with those assets, which really leads to the second step, which is in terms of weaponization and delivery.
If you can't find systems protected by that particular network, then it makes it really difficult for you to deliver those systems into a protected system or protected system. And so in terms of delivery, it really inhibits the malicious actor’s ability to get their payload down inside your network.
Now we all recognize we don't live in a perfect world. And so if in fact a malicious payload is dropped into your network, this is where BlastShield’s ability to provide granular visibility bound together with access control inhibits the ability for a piece of code to move laterally. And so you can envision a scenario where in the event that maybe somebody walked through the door and dropped a piece of code onto a server. Well, if that server is protected behind a BlastShield network, even if that code were dropped in via a USB stick or something like that, then it makes it really difficult for that malicious code to propagate, because it can't scan; its scanning ability and its ability to connect to other systems are controlled by policy. So it can't see or connect. So it really inhibits that.
And then finally since BlastShield effectively creates this air gap around these assets, it's effectively air-gapping the malware as well. So that prevents the ability for it to beacon back to its home base and prevents the ability for command and control channels to be built.
So thank you for your time. I wanted to walk through this. As you can see, we are very serious about the subject of creating a first line of defense against these persistent threats. We would enjoy a conversation if you're interested in learning more, I'm going to put two links up real quickly.
First, this again is the link to Paul's article that he wrote. Along with that. If you want to speak to Paul live, this is a QR link to his LinkedIn profile. Additionally, you can reach us at www.blastwave.io, and we would love to have communication with you. Thank you for your time. I appreciate it.
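The talk above describes the attack pattern as reconnaissance, delivery, lateral movement and a command-and-control callback, and argues that the internal reconnaissance step is where a flat, segmented LAN gives an intruder room to "poke around". One thing a defender can do on an ordinary network, independent of any product, is watch flow logs for the fan-out that internal reconnaissance produces. The following is an added example written for this page; it is not BlastWave's code and not part of the talk. It uses constructed flow records and assumed thresholds (a source contacting 20 or more hosts, or 10 or more ports on one host, inside a 120-second window, with at least half of its attempts refused) that a practitioner would tune to their own traffic.

```python
"""Flag internal reconnaissance (host sweeps and port scans) in flow logs.

Added example for illustration only; flow records and thresholds are
constructed assumptions, not data from the talk or from any vendor.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed values)
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    accepted: bool   # False when the destination refused or dropped the attempt


# Constructed sample: 10.0.1.20 is a normal workstation using a file server
# and a mail server; 10.0.1.77 sweeps thirty internal addresses on port 445
# and then walks a dozen ports on one server, all of which are refused.
SAMPLE_FLOWS = (
    [
        Flow(1000.0, "10.0.1.20", "10.0.2.5", 445, True),
        Flow(1001.0, "10.0.1.20", "10.0.2.6", 993, True),
        Flow(1060.0, "10.0.1.20", "10.0.2.5", 445, True),
    ]
    + [Flow(1000.0 + i, "10.0.1.77", f"10.0.2.{i}", 445, False) for i in range(1, 31)]
    + [
        Flow(1040.0 + i, "10.0.1.77", "10.0.2.5", port, False)
        for i, port in enumerate((21, 22, 23, 25, 80, 135, 139, 443, 3389, 5900, 8080, 8443))
    ]
)


def detect_recon(flows, window_s=120.0, host_threshold=20, port_threshold=10,
                 min_reject_ratio=0.5):
    """Return {src: {"host sweep": peak_hosts, "port scan": peak_ports}}.

    A sliding window of `window_s` seconds is moved over each source's flows.
    Inside a window whose refused-attempt ratio is at least `min_reject_ratio`,
    the source is flagged as a host sweep if it touched `host_threshold` or
    more distinct destinations, and as a port scan if it touched
    `port_threshold` or more distinct ports on a single destination. The peak
    count seen for each kind is kept so the analyst sees the worst window.
    Legitimate clients talk to few peers on few ports and are mostly accepted,
    so they fall below both thresholds or fail the reject-ratio gate.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peaks = {}
        start = 0
        for end in range(len(fl)):
            # Advance the window start until the window fits in window_s.
            while fl[end].ts - fl[start].ts > window_s:
                start += 1
            window = fl[start:end + 1]
            refused = sum(not f.accepted for f in window) / len(window)
            if refused < min_reject_ratio:
                continue  # mostly successful connections: not scan-like

            hosts = {f.dst for f in window}
            if len(hosts) >= host_threshold:
                peaks["host sweep"] = max(peaks.get("host sweep", 0), len(hosts))

            ports_per_dst = defaultdict(set)
            for f in window:
                ports_per_dst[f.dst].add(f.dport)
            widest = max(len(ports) for ports in ports_per_dst.values())
            if widest >= port_threshold:
                peaks["port scan"] = max(peaks.get("port scan", 0), widest)
        if peaks:
            findings[src] = peaks
    return findings


if __name__ == "__main__":
    for src, peaks in detect_recon(SAMPLE_FLOWS).items():
        print(src, peaks)
```

The reject-ratio gate matters in practice: a backup server or a vulnerability scanner you run yourself also fans out to many hosts, but its connections are mostly accepted, so it is not flagged by this rule alone; scanners you operate should still be allow-listed explicitly rather than relied on to pass the gate.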
Tom Field
Hey, welcome back. Again, I'm Tom Field with Information Security Media Group. We are at RSA Conference 2021. The topic I'm speaking about in this segment is defending entry points. Really pleased to welcome to the studio Tom Sego, the founder and CEO of BlastWave Inc. Tom, thanks so much for taking time to speak with me.
Tom Sego
Thanks again, Tom. It's good to see you.
Tom Field
So let's start our conversation here. In what ways do you now see security requirements getting so complex, that they're exceeding the capabilities of current protection solutions?
Tom Sego
Yeah, I think in terms of the requirements, the requirements are kind of going like this, they're going kind of straight up. And the security protection solutions are almost flatline; there's very little innovation that's occurred in those, there's been a lot more focus around the detection and remediation areas. So if we look at the security requirements that are driving that, we're seeing at the device level, there's a lot of smart sensors for everything. We're also seeing at the data level 90% of the world's data has been created in the last two years. And then there's a lot going on at the network level. Networks in devices and factories used to be air gapped and immune from network-borne malware. But now those can no longer function in a world in which everything is connected; the global supply chain, industrial operations, everything needs to be connected, for remote access, for people working from home. Furthermore, the corporate network used to be this castle-and-moat situation. And now you have public cloud, hybrid cloud, on-prem, and even the employee's home as part of that corporate network. And then there's this complexity around provisioning and setting access control, and almost an infinite number of combinations of human to application, human to machine, machine to machine and machine to application. In the past, we could just tack up VPN client-server solutions, but those days are gone. The VPN technology itself is 25 years old, and almost no innovations are occurring. The majority of VPN vendors also use the exact same SSL VPN stack, which makes it trivial for malicious actors to identify their products. In recent years, they tried to put together these SD-WAN products, software-defined wide area networks, in response to the dilemma. But if you peek under the hood, you see the same basic SSL VPN stack with the same old vulnerabilities and a new wrapper.
Tom Field
So Tom, talk a little bit more about that. Where do you see some of the current protection technologies most obviously failing?
Tom Sego
Yeah, well, really, there's no magic to this. Whether it's carried out on applications, data, mechanical or industrial systems, attacks really only come through two sources, either physical or through the network. And statistically speaking, most of it comes through the network. In fact, there's an entire framework that describes this, called the Cyber Kill Chain. This is really important because it basically maps out the pattern that every attacker follows to perpetrate whatever they're trying to do. And if you can interrupt or break that chain, you can make a huge impact on protecting your critical assets. So let me just kind of walk through a couple of steps in this common pattern. First of all, malicious actors perform reconnaissance, or recon: try to scan and see what assets and vulnerabilities exist. From there, they try to gain access to the network through the weakest link. Typically, it's credential theft, phishing or using an SSL VPN exploit. Next, they perform internal reconnaissance to identify the high-value asset servers and data within that LAN. And then they try to use the same secure connection to deliver a payload and establish the back door.
Tom Field
So Tom, give us some context. What evidence do you see in some of the latest attacks that have been getting our attention? The news is full of them.
Tom Sego
You're not kidding. I think in the last two quarters, we've witnessed at least five major ones, with one last week. Starting with the SolarWinds attack, which was the supply chain attack: state actors performed reconnaissance on the SolarWinds network. They then used compromised credentials to locate and gain access to the Orion build server. Then they used that same channel to deploy a payload that went into the update build. And then they simply let the server update itself to all of its customers. Once the malware was inside the customer's network, it again scanned and moved laterally, and then created a control back channel for future nefarious capabilities. The next big one was the Hafnium attack on Microsoft Exchange. And again, actors were able to get inside the secure network, most likely through compromised credentials. Then they performed recon to identify the Exchange servers. From there, there was a publicly known vulnerability that bypassed the authentication process. And they downloaded a payload, ran a script, created a remote command and control back channel and exfiltrated the email database. The next one was the Oldsmar water treatment plant in Pinellas County, Florida. And there a hacker performed, guess what, reconnaissance on the plant to discover how best to gain remote access through the TeamViewer app. They then obtained a set of compromised credentials to connect to the command console. Have you heard this before? Yeah, and then last week, the Colonial Pipeline attack was really bad. It brought down 45% of the fuel supply on the East Coast. And guess how they started: they performed recon, they gained network access through compromised credentials or through a VPN exploit. They performed lateral movement to do recon within the network, deployed a payload, established a backdoor, etc.
Tom Field
So most of what you described isn't particularly sophisticated, but I haven't met anyone yet that said they fell victim to an unsophisticated attack. In what ways would you say our adversaries are upping their sophistication?
Tom Sego
Yeah, well, I think there are three trends that are enabling that sophistication. And the first is just around monetizing anonymously, the ability to get paid through cryptocurrency. I think the second, though, is there's this blurring of lines between cyber criminal groups and state actors to conduct political espionage or cyber warfare. And cyber criminals are almost like a well-paid subcontractor for these state actors. And finally, there's this explosion of tools, ransomware as a service; we'd never heard of that before. And today, kids can learn how to hack into networks simply by watching YouTube videos, and downloading kits and running these things from the dark web or internet. So really, there's kind of never been a better time to be a cyber criminal. It's easier and cheaper than ever. And plus, it's hard to get caught, because attribution is really tricky in cyberspace, much more so than in the real world.
Tom Field
Well, the good news is that there's job security in cybersecurity. So what new approach do we need to take now to defending these entry points to the network?
Tom Sego
Yeah, now we're getting down to the most important part in terms of what do we do about it? Well, I think we fundamentally need to rethink network security. We can't just secure networks by cobbling together these disparate tools and widgets, such as VPN, segmentation policies, firewall rules, and hope to secure our assets. This is a game of whack-a-mole that the industry is stuck in. So in order to create a dramatically more secure protective solution, it must be engineered from the ground up to eliminate massive classes of vulnerabilities. So we've got to break that Cyber Kill Chain I talked about. So let me give you some specifics. Number one, we have to stop both external and internal reconnaissance by making those networks invisible and unresponsive to network scanning. Number two, 90 percent of network access is a result of phishing or credential theft; we need a better identity mechanism. This 50-year-old approach of usernames and passwords, we need to get rid of them altogether, so there's nothing to steal. Number three, we need to ensure that the connection is truly edge to edge, and it's impenetrable, by combining remote user authentication with encryption and LAN protection into a single layer, so you can't sniff the VPN tunnel, you can't use an SSL VPN exploit, and you eliminate lateral movement within the LAN by binding access and visibility through policy. Number four, make it easy to deploy, provision and configure. Number five, make it easy to use without requiring extensive training or changes to the network underlay. This takes a huge burden off the network team, as segmentation and access control changes are massively time consuming and fraught with human error. And the last thing I would do is make the product very lightweight and software based, so you could effectively run it anywhere. And that's our team's vision for network protection in the modern world.
Tom Field
Well, that's exactly what I asked you about. Talk to me about BlastWave. How are you addressing these issues we've just talked about?
Tom Sego
Well, everything I just described to you are the pillars of our flagship product, BlastShield, so it deploys over any packet-based network. It's built on a self-organizing, patented peer-to-peer architecture and it deploys in minutes. Once it's deployed, BlastShield is itself invisible and renders your critical systems and applications invisible to both outsiders and insiders. You can't do reconnaissance if you can't see it. The icing on the cake, from my 10 years at Apple in terms of making things easy to use, is to make remote access dirt simple and use a multi-factor authentication process that's similar to Apple Pay. And then lastly, you put the entire network provisioning and management console in an orchestrator that's hosted within the BlastShield network. So there are no exposed web services. And this last point's a very big deal and a high point of differentiation, because if you look at the specific CVEs for existing VPN vendors, a large portion of the vendors' vulnerabilities are in the web services, and we eliminate this entire class and greatly reduce the surface of the process.
Tom Field
Well said, Tom. I appreciate your time today. Thanks so much for taking time to speak with me and to shed some light on BlastWave.
Tom Sego
Thank you, Tom.
Tom Field
You've just heard about defending entry points. You've heard from Tom Sego; he is the founder and CEO of BlastWave Inc. For Information Security Media Group at RSA Conference 2021, I’m Tom Field, and as always, I'm grateful you gave us your time and attention. Thank you so much.
Tom Sego
Thank you, Tom.