Danger of Prolific Cybercrime and Network DDOS from Unprotected IoT Devices — Video Text Version
Below is the text version for the Danger of Prolific Cybercrime and Network DDOS from Unprotected IoT Devices video.
>>Erfan Ibrahim: Good afternoon. This is Erfan Ibrahim of the National Renewable Energy Lab and I’m coming to you live from Syracuse, New York where we’re being hosted by the Syracuse University Center of Excellence which is an amazing facility testing out everything from smart grid to energy efficiency and all types of clean technology and forming partnerships with the private sector. Chetna here from the COE is going to be speaking in a couple of minutes. But first what I wanted to do was talk a little bit about the internet of things and why this presentation is so important and timely.
The internet of things is a concept that has been around for more than 40 years. But people didn’t know about it because most of the internet of things was industrial internet of things. So when you had programmable logical controls, remote terminal units and sensors whether in a factory or on a distribution system or on a transmission line or wherever, as long as there was command and control and you were getting data from it, from these sensors and PLCs and RTUs and you were doing something about it, you technically had an internet of things.
The reason why this is now getting a lot of attention is because thanks to Moore’s Law the prices of sensors have come down. The speed has gone up for networking. The memory is increasing. The processing speed is increasing but the cost is coming down. So we can see these same sensors that used to cost more money come into consumer devices and into customer facilities. So because of that we now have a new area for internet of things where these sensors are now in homes. They’re in shops. They’re also in commercial buildings.
Because of the customer interface, there is a lot more attention naturally. But what it will take to secure the internet of things in the commercial realm is not very different from what is going on in industrial internet of things for the last 40 years. Good network design, exchanging information on a need basis, quietening down the network, creating hierarchical networks are all best practices we’ve been doing for the last 40 years in this space.
And Richard and Scott are going to talk about some of the innovative ways in which we can secure the internet of things as it applies to devices in the home. But before we get to that I’d like to invite Chetna here from the Center of Excellence of Syracuse University to talk a little bit about what the center of excellence is as well as where they’re headed. So Chetna?
>>Chetna: Hi. Like Erfan said, my name is Chetna ______. I am the associate director of research here at the Syracuse Center of Excellence. Syracuse COE is hosted at Syracuse University so I’m going to give an overview about Syracuse University first. You can see there’s a carrier dome here in our picture. But Syracuse University is a global research university founded in 1870 in Syracuse, New York. There are about 21,000 students here and we do have an R1 Carnegie Classification. There are 11 schools and colleges here.
Relevant to IoT we have a college of engineering and computer science, Maxwell school for citizenship and public affairs, school of public communications law, the I School. We’ve got a number of schools that are really involved in IoT and smart grid as well. Syracuse COE is a New York state center of excellence in environmental and energy systems. We were designated as such by the state in 2002. It’s led by Syracuse University but there are 200 plus collaborating firms and institutions to date.
We’ve done about $100 million in sponsored projects to date for Syracuse COE and we’re an RDD&D innovation accelerator primarily focusing on building energy efficiency and environmental quality, clean and renewable energy and water resources. Those are our primary focus areas. So I’m going to hand it back to Erfan.
>>Erfan Ibrahim: Thank you, Chetna. Now the reason why I’m here in Syracuse is – there are multiple reasons. One is that the electrical engineering and computer science department of Syracuse University is doing very innovative work in the area of power systems, in the area of microgrids from a power systems perspective, a communications perspective and a cyber security perspective. So there is tremendous overlap with what we’re doing at the National Renewable Energy Lab in my center as well as in the power systems engineering center. So we’re looking at ways in which we can collaborate with Syracuse University to help some of the initiatives of New York State. And we’re doing this exploration today and Monday to come up with some ideas on how we can help.
As you know, the New York Rev initiative is a very large initiative to modernize the grid here in New York and to help in what we’d call deep decarbonization. How do we get to those targets that have been set by the government in Albany? So we are very excited about this visit and we are enjoying the hospitality of the Syracuse Center of Excellence as well as the Syracuse University faculty. So I’m very pleased to be here and if you’re interested in learning more about what we’re doing in this collaboration, feel free to email me.
Now at this time, I would like to move to the next presenter which will be the two, Scott and Richard. I call them Scott and Scott because they’re registered as Scott and Scott. But let me just move to them and make – so who is going to go first? Is it Richard or is it Scott?
>>Richard Yim: It would be Scott Wu, panelist me, which is actually Richard Yim. So you want to have panelist me share.
>>Erfan Ibrahim: Right. So I am – ok. Go ahead and share your screen. Wonderful. And the floor is yours.
>>Richard Yim: All right. Wonderful. Well, welcome to our webinar and I’m really excited to talk about the challenges we all face as the IoT world explodes. I wanted to introduce myself. I’m VP of product management for People Power Company. And Scott Wu is also from NewSky. He’s on as well. And we’ll talk a few seconds about our companies. But really the focus of this discussion is around the challenges that both utilities and service providers as well as large companies wanting to be involved in delivering IoT solutions to the consumers and what kind of challenges do we face as a community of providers that we’re going to experience in the coming years. I wonder what happened. Ok. Here we go.
So give you a bit of background, if you look at what’s happening in the forecast about the adoption of IoT, really if you listen to Gartner and you can go in the middle ground of numbers but they believe and we believe too that the average home will have about 500 IoT devices by 2020. If you look at just the recent years in 2015 and 2016, there were 16 billion IoT devices and the growth rate was 30 percent in just a year. In fact, the opportunity is so huge for companies providing services that we believe this is bigger than the internet. And if you look at just taking the middle ground in terms of where you think it might be, even that is tremendous.
And I think one of the challenges that we all face is how are we going to manage this deluge of devices. In fact, I was at the IoT conference this week and an executive from GE said that even if you don’t plan to have IoT in your home, all of the appliances from GE today are actually IoT enabled. They just may not be turned on. So over the next couple years, that’s really going to proliferate.
And really with the opportunity comes the nightmare and the nightmare is that you need to take the middle ground of numbers. You really are having an emergence of very, very advanced hacking. And the cost really to enterprises is tremendous. So almost 70 percent of enterprises today have been attacked in some way or form by hackers today. And the typical incident costs anywhere from $12 million to $8 million for that particular company.
So where does People Power come in? And so, we actually provide a suite of solutions that we white box through utility providers. So we don’t actually sell our solutions through retail but you can actually download a free application called presence on the IoT store and the equivalent on Android. But our focus is to deliver security solutions to the home as well as energy and home care. And we use artificial intelligence on the back end.
And this is really meaningful as we talk about security going forward. What are the kinds of capabilities that the emerging solutions like People Power have to address in order to make sure we don’t get hacked or our customers, service providers don’t have a big issue. So Scott, do you want to say something about NewSky?
>>Scott Wu: Yes. So yeah. And it’s interesting Richard that you mentioned about that according to Gartner 67 percent of the companies have been hacked. I was in a panel last time in the other conference. There was a very interesting notion about it. Actually, they are – all of the companies being hacked there are really two types of companies, the companies knowing that they have been hacked and the companies that have not known yet. So NewSky is based in Redmond, Washington state. We are a cyber security research firm. We provide the IoT security solutions, IoT detection, intrusion and protection solution for our customers.
We are a bunch of researchers coming from the background of Symantec, Microsoft, eBay and McAfee. In our last we also provide ongoing ping testing in hacking research. For example, the mobile payment system for Costco and how the hackers can break into the small world to achieve a big core mining activity. Such as a smart TV hacking could cause the ransomware event. Also, some other things like that needing tools for the kinetic car in OBDII interface as well. In the next few minutes, we’ll touch base and go deeper into some other events we identified in the past.
>>Richard Yim: Great, Scott. And so, you’re probably wondering why does a company like People Power and NewSky get together? Well, we believe that the complexity of managing enterprise solutions that drive IoT functionality really start, is really starting to have to pay attention to the kinds of challenges we all face together making sure that the IoT devices are secure and if an intrusion does happen, what are the things that we’re going to do? So Scott, go ahead.
>>Scott Wu: Yes. So just to add some of the voices from our customers and our partners, why does the world need a new IoT approach, security approach for IoT? When it comes to the traditional solution such as anti-malware we tend to solve the problem for malware and Trojans while in the IoT space, hackers tend to use the vulnerabilities and explore into those issues. At the same time, antivirals, anti-malware tend to be solving the file based detection in the IoT device. Often times they are nonparticipants and they are the activities from the network layer. And more importantly anti-malware is designed in a way to have a heavy engine to, the anti-malware engine persistent in the device. And when you have all of these light weight devices on the IoT system it’s not a – it’s not a sound solution.
>>Richard Yim: Great.
>>Scott Wu: And let’s look at another comparison as well. If you look at a conventional firewall it’s having the similar issue as well. A firewall has been designed for homogenous environment. For example, if you are defining some blacklisting to protect your internet it works for the firewall. When it goes through the IoT it has so much more complicated devices and systems targeting for N2N, N2I and more contextual functionality. It’s not the game for firewall. And more so into that firewall is designed to protect traditional wired systems. When you are in the IoT environment there are so many types of the Wi-Fi, Bluetooth, ZigBee, _____ or even the proprietary protocols to work in that environment. So it really calls for a new approach for the IoT system.
>>Richard Yim: Great. So we are going to give you some examples of threatening events. But everyone’s been watching the news about ransomware but I think there are much broader issues that are ongoing. And interestingly enough as Scott mentioned both of us actually worked on antivirus. I actually built one of the first antivirus products at Symantec a long time ago. And in many ways, it’s always been an arms race against cybercrime and hackers to make sure that your systems are secure.
So if you look at Dyn’s denial of service attack, just recently many of the Fortune 500 companies went online, CNN, Netflix, they went offline and really caused a really big disturbance and a wakeup call for a lot of companies realizing that we can’t just sit back and watch and see what happens. So if you think about the number of IoT devices – and this was actually a bot that went through the IoT devices, replicate it and actually started attacking the Dyn DNS services. So for the average consumer that’s a huge, huge experience loss but also for the enterprises that face that kind of business loss that was really tremendous. Scott?
>>Scott Wu: Yeah. So to add to what Richard was saying, we have observed a tremendous demand after that Dyn DDOS attacks last October. I would even call it a tipping point for the industry to turn attention into IoT because of this event. In our lab, we do our own data mining and we concluded that this Dyn DDOS, the 300,000 of the zombies were really just a tip of the iceberg. According to the data there are much, much bigger scope from that easily to be over 300 million of the zombies out there just on the internet. And this is really the internet. IoT is the internet in the coming years. If the industry is standing still without doing anything, I will predict that the size of the botnet in the zombies can easily grow to over a billion just in two years.
So unless you are hiding in a cave, I’m sure you must have known about this infamous ransomware in the last few days. Without getting in too much detail because we all know about the issue, it was interesting that I was interviewed by Wall Street Journal on Monday having some discussion about whether or not Korea was behind the event. A lot of discussion about collusion but that’s a different topic. So in a very high level, this event has caused over 200,000 of Windows computers to be infected by this ransomware within 48 hours. And it was so rapid thanks to the propagation leverage and the vulnerability of MS17-010 using that to propagate quickly from one machine to the other. But thanks to the accidental hero who identified the domain and triggered a kill switch and the propagation has been stopped.
So you may wonder why we are talking about the Windows ransomware in this IoT topic because it’s very relevant. Just now, we have observed a lot of the pack from the attackers leveraged the same Dyn DDOS attack approach, the malware threat to cause the flood to that kill switch domain. What that means is that if that kill switch domain had been shut down then that propagation would come back. So that’s one relation to this.
The second one is that you may have heard about it. The reason that this guy was able to get to the type of the propagation it was because it used the tool, the hacking tool leaked from the NSA, the exploit kit from the NSA and this really lowers the bar for the attackers. They don’t really need to know all. They can quickly learn all by leveraging the exploring tool from the internet and they can achieve the propagation and infection across the internet.
>>Richard Yim: Great. I’m going to show you guys a video in a moment and I don’t know how many of you have Philips Hue in your home. And this is one thing where it certainly hasn’t happened in the wild but what’s really interesting about the Philips Hue attack is that if a hacker comes in and can get their intrusion into one of the light bulbs the propagation happens not just across one light bulb but it actually spreads across the entire room and hypothetically across the entire city. And you don’t actually have to even be in the location of the home.
The video I’m going to show you is actually a drone setting off the videos. So let’s pop that for a second. So I don’t think you can hear the sound. But if you look at this, here you have an experiment that’s being done here. So if you think about these, these are what we call white hackers and they want to demonstrate that it’s very possible to actually infiltrate a system from the outside so you don’t actually have to be in there. Because a lot of people say well, if you don’t have access to my rooms how can you adjust the lights.
So if you look at the Philips lights going on and off here, winking back and forth, the drone is actually controlling those lights. So if you think about what happens here, this is just a very isolated thing. Multiple lightbulbs across a city, one thing is to blink on and off. The other thing to do is to actually turn off all the lights. And so therein lies the challenges which is how do you avoid things like that? And the – yes.
I apologize. I think we had an interesting thing here. I thought there was a question from the audience. That was really cool actually. But yeah, so coming back to that interruption about ZigBee, the other thing is she actually in the Google video brought up a good point about the fact that IoT standards are evolving. The manufacturers are getting involved in trying to minimize the changes in standards so that you actually have a standard across all devices. Today, that’s not the case.
The smart meter hack which is really again something that actually occurred in Puerto Rico where with magnets and where consumers actually prompted hackers to go around and adjust the smart meters with magnets and computers. For about $1,000.00 they would reduce the usage of the meter by 75 percent which cost the Puerto Rico power services about $400 million in revenue. So if you look at the meters that we have in our homes – and I have one outside of my house. This is a picture of one of those. It’s quite frightening to think that all of the devices in your home could be hacked in by someone that just walks by your house on the outside. Scott?
>>Scott Wu: Yeah. So Richard showed the scary attack event in the ZigBee environment, ZigBee devices and opened a can of worms of all these small meters, the potential attacks. So in the next few minutes we are going to talk about a couple of events identified by my lab, NewSky security labs. This one, the Kevo smart lock, the issue was identified by my colleague beginning of last year reporting to the security event in ______ which is one of the most influential cyber security conferences, similar to Black Hat.
The issue is that the Kevo smart lock uses something called touch to unlock. Once you place your finger on the lock you can unlock the door and open the door. It’s based on the Bluetooth low power, the BLE signal sensing approach to achieve that. The vulnerability that we identified had been reported and Kevo had already addressed the issues. That’s why we are able to discuss it here. But the impact is really that now that there’s an intruder they can enter into your smart building or your smart office without being authorized.
The underlying of the vulnerability are from the two angles. One is that because of the communication erasing or because of the battery draining backup that you can approach a denial of service so that the intruder can prevent you from getting into your own building, your own home. But in a much more scary scenario is that now they can hijack and control a lock so any time they can enter the building as they wish. There’s more information about this that you can read and get back to us whether you can find it from our research blog or you can find our information that someone presented at ______ conference last year.
>>Richard Yim: It’s interesting. There are actually a lot of websites on IoT hacking. Some of them are driven by what we call white hackers. So their job is to go in there and demonstrate to companies the intrusion thing similar to NewSky. And here’s a download from one of the sites. It’s become actually a hobby for some of them. If you look at some of the sites, they’ll even show you how to hack a Bluetooth lock. And watching some of the videos, they have competitions on how fast you can unlock one of these locks. And four minutes is kind of the record. So if you think about not just locks but other IoT devices in your home that are not secured properly that really is a huge threat to the consumer.
>>Scott Wu: So Richard, don’t blame us for this smart lock hacking content by the way.
>>Richard Yim: Absolutely.
>>Scott Wu: Yeah. So the next few slides I’m going to talk another security event we identified, reported two CVE to ______ the organization which handles the cyber security management for the government agencies such as DOD. These two vulnerabilities that common vulnerability interest has been reported to the vendor Netgear and they have since addressed that and allowed us to talk publicly. The issue for the first CVE, the 2016-10115, it’s related to the issue that –
So let’s take one step back about what Netgear webcam is. It has the webcam in conjunction with the Wi-Fi station. They call it net base station. It has a very beautiful application that can run on your phone so that when you are at work or you are on vacation in Hawaii you can monitor and control your home nicely. On the right-hand side, you see the circuit board of the system which is what we are going to talk about on the next slide about how we are hacking this Netgear webcam system.
So the reason we go with this Netgear webcam system is it’s actually much more secure than the average system in the market. It has some very well thought level of the protection. The factory default key is not always there. When you purchase the webcam and install it at home it has a very complicated password. But the issue that we found out is that once you perform a factory reset or hard reset the password would go back to 12345678. Then you would never be able to get it back to the configured password.
And how do we find out this vulnerability? It works from two approaches. The first one at the bottom, at the top of the screen you would see that we call the, in the industry we call the white boxing approach. You take the firmware. You conduct the reverse engineering and you can find out the source code. And it became so obvious here that the hard-coded password of 12345678 is returning essentially. The bottom half of the screen shows that black boxing approach. As we look at the concept, we look at the traffic we can find out that it’s indeed happening, that the password of 12345678 has been sent to the console.
So the reason we go to this is just to have, for the audience to have a takeaway. The white hackers’ researchers like us in NewSky are able to do this and the bad guys in the underground economy, they have the similar skill set. They will be doing something to attack the all smart home, to attack our utility grid as well. So let’s look at the impact out of this vulnerability. The way that the very secure home security webcam to protect your home can be used for the intruder to approach the webcam.
If a robber wants to go into your home, now they can compromise your security webcam to make sure that nobody is at home before they come in. And even more so now they can feed a fake video into your webcam system so that when you are in Hawaii you are having a very false safety thinking that no one is in your home when the very robber is starting to move your property away.
Now let’s look at the second vulnerability for this very same Netgear webcam, the code cracking GPU. Even without the factory default reset, when the webcam has a very sophisticated password there’s still an approach, a low-cost approach for the attackers to achieve cracking the password. As you can see here, once you get the configured system from Best Buy, this Netgear web cam uses a pattern to create a password, an adjective plus a noun plus three digits. For example, mistylake940.
And if we go to the next slide, you can see that how easy an attacker can break into your system by using some very common code cracking. $100.00 - $150.00 of a GPU can allow you to crack into this complicated password within two and five hours. So if there’s an intruder you see wanting to break into Bill Gates’ mansion, spending $150.00 and they can achieve that type of security target attack within two and a half hours.
>>Richard Yim: So yeah. Thanks, Scott. I think one of the challenges when you hear about all of these things is to say ok. Well, what are we going to do about this? We’re going to have proliferation of IoT devices. That’s happening. It’s a flood. We can’t stop that. So if you are an enterprise company and you’re trying to figure out how to deliver a safe, secure solution so that you yourself don’t get hacked, what are some of the things that companies are starting to do like People Power and NewSky to prevent hackers from really going beyond managing say a fridge or so on? And we have a framework. And Scott you want to talk about at the high level from the security side but also from the applications that are being delivered to the marketplace, the different steps that we’re taking as well. So go ahead, Scott.
>>Scott Wu: Yeah. So we talk about that these anti-malware as a solution not designed for the IoT architecture. We talk about firewall tends to be protecting your intranet when all of these IoT devices are all over the map. And like Richard mentioned earlier, now it’s the wave of the new internet, the internet of things pumping all of the big data, all of the, enable all types of the productivity functionality for the industry, for the society. We are supposing a very new approach for the security framework that you can use the big data, leveraging the AI based approach, fully leveraging that AI to have a full security cycle to detect and protect and monitor your environment.
However, from the device level to detect the surrounding Wi-Fi environment, whether to achieve the automation of the vulnerability detection like the use case we mentioned earlier or to protect the whole traffic and network so that the very same big data not only to be used to power your functionality and your productivity but can also be used to prevent the cyber-attacks as well. Without getting into much detail of all the technical and the flavors, let’s look at a short video about the approach that we are proposing for the industry, the AI based IoT intrusion protection.
So because we cannot hear the voice here I’m going to just talk through here. Over here you see the two small lights, the smart devices. One of them is in the architecture of being protected by our secure ______. The other is going to go through to the internet directly. And so, we are using the, a known vulnerability to cause the exportation to attack both of these lights, these two devices. You can see the left one is starting to blink meaning that the attack has been approached. But the right one stays working properly. From the, from our dashboard you can see that we were able to successfully block and protect the one that has been adapting our approach, the security framework. That’s why you were able to correctly.
>>Richard Yim: Great. And so, in some ways People Power is certainly a case study for how these new security solutions can be implemented. And we have a home security system that really manages not just a security but also utilities as well as home care. And what’s really driving sort of the change in the way these devices are being managed is solutions like People Power have a Cloud based solution on the back end. And we have taken steps even within the application – and this is a really critical distinction because you can go to Fry’s Electronics or Amazon and you can assemble all of the components yourself. Even IKEA is coming out with a gateway that then drives all your lights in the home. That will happen.
But when you have mission critical solutions like your home security, you want to go to a vendor who actually manages those devices from the Cloud from the back end. And the reason why that’s the case – I’ll give you some examples of what we do is we actually isolate the front end of our service from the applicator service in the database. So being an IT person, that’s a huge difference in the way that we can secure our database. And being able to access the database you have to have specific rights to white listed IP addresses. And the same time really all of data is 128 bit encrypted with really encryption key methods like KEK.
And so, one of the things that we really try to do is that not only blocking any attacks with partners like NewSky but the Cloud application itself is very, very hardened by things that we do within our servers. So you have the double protection but both Scott and I believe that more has to happen in the space out there in the market to protect consumers from hacks. The other thing that I think is really important is that this is an ongoing thing. It is like in the virus world an arms race between hackers and people that want to provide valuable solutions to the marketplace.
And the big difference that we’ve seen really in malware prevention or antivirus is the ability to add artificial intelligence so that you’re actually looking at patterns of behavior as opposed to individual attacks. And that way if you have a smart system, your system is actually flexible and stays a step ahead of the folks that are actually trying to attack your environment.
So one of the things that we talk about in terms of utility service providers because People Power does solve solutions through service providers is really trying to manage that huge amount of data that is processed locally using intelligent bots. And how do we make sure that data identity theft, falsification, device manipulation or even IP theft doesn’t happen? Well, there are a couple of things that we can do today is to make sure that we understand the edge of the network. How do you segment? How do you make sure that as a management early on your Cloud based system is hardened against attacks? And then if attack does occur locally within a home or an environment, how do you isolate that so that it doesn’t spread? Right?
The other thing that we really have to think about is for our customers we have a continuous assessment in our systems where we actually have companies like NewSky come in and look at our security threats and make sure that we’re keeping up to date as we develop our solutions. And so, there are many other vendors like People Power out there delivering IoT solutions. What are the steps that those companies and ourselves have to take to make sure that we’re ahead of the game?
The other thing that really want to say is if you look at the gateways that control the devices, that is really something that we have to think about carefully. Does the gateway have the ability to manage any of the security locally? Likely not. So if you have a gateway from driving your devices, they’re usually very low computing power, very minimal amount of memory. So it’s likely something that has to happen in the Cloud. And being able to do that on the back end is really critical to making sure that the solution is secure and safe.
The other thing that I wanted to say if you look at architectures is how – we are not experts in security. We are doing the best practices we can in terms of our Cloud capabilities. And I think the big challenge just like if you go out and hire a doctor or lawyer who specializes in this field, it’s really important for companies like People Power to find partners like NewSky to actually do the specialized work. And that’s really the only way that we can stay ahead of attackers. And then also, in some ways within our own solutions begin to solve some of the bigger challenges that we want to do to ensure that our systems are secure.
So as we expand out to different devices, today we support Alexa from Amazon, different thermostats. What are we doing as a company? And then as our colleagues out there in the marketplace as they build their solutions, what are we doing to make sure that the consumers and the providers of those solutions, our customers, the service providers, are actually secure and managing their security options? Scott, do you want to mention anything else about this slide before we move on?
>>Scott Wu: Yeah. So we really like this approach. And this is really a call for action in the approach for the industry. With all of the direct adoption of the IoT and it’s becoming an inevitable wave that we need to keep an eye on about how we can protect our customers, our environment. In this loose integration allows all of the IoT vendors to be able to identify their security vended or security provided. And it allows the cyber security companies to make contribution across the vendor, across the community.
>>Richard Yim: Great. And so IoT innovations are incredibly fantastic. So if you have one of your thermostats in your homes, we now have demand response so being able to manage the temperature in your home so that it’s comfortable. If you look at even entry sensors we eliminate false alarms, things that typically are very expensive for security systems where after the third call and the police show up in your house, you get a huge bill and a huge fine. How do you prevent things like that? Well, you have to use AI to recognize patterns.
And then if you look again at how lights in the video I showed earlier on. If the lights start flashing like that in some weird way in a building, that’s something that should not happen. And so, the Cloud based learning systems on the back end need to stop that and realize that they’re being – there’s an intrusion into the system. Right? And so, as we really move forward in sort of this great revolution of technology with the internet of things is we have to be able to be agile and be able to catch cybercrime and what we call cybercrime sensing.
So secure IoT traffic that’s going up to the ______ key. Making sure that as we move forward as a community and building great solutions to the marketplace we actually really have and pay attention to what’s happening out there. So what we’d like to do here is open up the session for Q&A. And Scott if you wanted to add anything there before we jump into Q&A.
>>Scott Wu: Yeah. So before we jump into the Q&A so maybe we can call for an action for all of the audience that even with all of the scary attacking events happening and even with all of this IoT wares coming we don’t need to be pessimistic. We can – we challenge all of the audience to be the avengers, make the awareness of the IoT security. So together we can out innovate and out invest with the bad guys so that we can have a very sound security infrastructure for this new space.
>>Richard Yim: Thank you. Erfan would you like to open up the floor for questions?
>>Erfan Ibrahim: Yes. So thank you both Scott and Richard for this very informative webinar on the internet of things. I think in addition to the standard security services there’s also need to do good network design so that data doesn’t move freely from one segment to another when there’s no reason for it to. So in internet of things what’s very important is to document use cases. And the use cases have a set of transactions that occur between very distinct nodes. And so there needs to be very tight control for transactions that support the use case.
And if the transaction doesn’t support the use case, the network design including access control list and firewall policies and all of those things need to be in sync with that so that data doesn’t move around. When data doesn’t move around, then hackers are also frustrated because they – just because they go one pivot doesn’t mean they can go everywhere. So I appreciate in your architecture the listing of all of the security services, but those services are like red carpets for the advanced persistent threat that has compromised a trusted system. Only good network design then becomes your final frontier that frustrates the hacker and doesn’t allow them to get around.
One other comment I’d like to make is in addition to the MQTT protocol that you listed, you should also look at the XMPP protocol which is being promoted through IEEE, through various working groups. And William Miller who I’m sure is on the call will be happy to provide you information. What you don’t want to do is get limited to groups within the industry that are promoting a particular standard. You need to be cross cutting. You need to be agnostic to that. I know MQTT has its supporters. XMPP has its supporters and there are other also protocol security protocols in that level.
But application like layer security only gives you so much security. You have to actually protect all of the logical layers, the seven layers of the OSI stack, the semantic layer where the data fuzzing occurs and the business process layer where your use cases are being supported. And it requires purpose built cyber security technologies to do that. And we have demonstrated this at the National Renewable Energy Lab. There are today off the shelf products available that can secure multi-site networks like the ones you showed. So just wanted to share some of the thoughts to inspire the people on the call and that’s why I was deliberately being provocative because that makes people ask questions. So any comments from Richard or Scott on what I just shared?
>>Richard Yim: I’ll go first and Scott can jump in. I totally agree with you Erfan. I mean talking about standards I think one of the challenges for commercial companies is which standard do you go for? The thing about standards is they don’t become standard until everyone is using that standard. And so very often it’s managing the maze and then trying to understand the major trends as to what’s emerging in which industry. Right? So if you want to work in the utilities industry, what are the emerging standards that are really being adopted and which ones should you promote? And so, we do agree with you that looking at all those standards and trying to identify them is key.
The other thing that you mentioned about network design is absolutely true. But I think the other thing that you have to consider is that as you go down to less sophisticated environments where internet of things – in other words the home or even small businesses or in larger businesses, network design kind of does not always get to be where you want it to be. So there’s some accountability to solution providers to actually design the network for the consumers and to make sure that if a rogue device is introduced that that behavior is recognized. And now being able to recognize rogue behavior means that you either have a heuristic that you understand all of the options or you have to have some artificial intelligence on the back end to be able to work dynamically with different changes.
So I think that’s the challenge for industry which is how to labyrinth some of the new AI solutions out there to actually something that’s more dynamic and stays ahead of the hackers and the criminals that want to actually get in there. So if there’s a way to drive the level of security within applications, that’s our goal as a company. But also, as I mentioned earlier on, working with companies like NewSky to actually understand what are the emerging threats and to move ahead as fast as possible. Scott, do you want to respond?
>>Scott Wu: Yeah. Yeah. So totally agree with you Richard and Erfan. So we are working in a nonhomogeneous environment when it comes to IoT. And the security needs to be there in the ground up from the architecture design phase as well. And we are talking about like different layers of the different impacts. You need to have the sound protection for your data, for your network, for your application. You want to go even further to protect all of the sort of vectors for your business logic. And the data that has been powering the internet of things can be used to help you to identify the anomaly, to identify the suspicious event so that you can use that to trigger the alert to build a very sound incident with response practice.
And last like what Erfan was mentioning that standard is important. But when we are in this early stage of standardization, we need to embrace all of the MQTT as well as other protocols so that eventually we get to the type of essential, the common grounds of standards.
>>Erfan Ibrahim: Yes. So a couple of things in this area. One is that context based intrusion detection is really important. And the reason is that if there are professional hackers that have physical access to one or more of these IoT devices, they can get past any cryptography that you’re going to introduce in the network because they can put RS485, twisted pair on the clear text portion of the motherboard and shove bits. And your crypto engine will actually work to their favor. So while all of these XMPP and MQTT are great in protecting against men in the middle type of attacks what they don’t do is block against physical access to devices that hackers have.
And most hackers are not homeless people. So they will have homes. They will have access to IoT devices. This is why I say that network design is really important. A simple 252 mask, IP mask that creates subnets with pairs can isolate and can protect you from going from one subnet to another. So the merge unit up in the Cloud becomes the place where all of this subnetting is done. So each home has its own subnet with that first data point in the Cloud.
If you do that and set up access control lists at that switch where the merge unit is, you can stop the pivoting. So even though someone has physically compromised a device, the most they can do is get to the merge unit and they can’t get beyond that. They don’t take on administrator rights so that merge unit, they can’t do anything. So they get frustrated. If you have large mass where you have multiple hosts in a single subnet, then the ability to get around from one node to another goes up.
Now there are two types of business models for IoT and homes. One is they go to Best Buy or Lowes or wherever and they buy stuff and they put it in their homes. I consider that untrusted territory. From a utility perspective or an aggregator perspective, I will not trust any data coming from them. It’s their business. They can do whatever they like with it. I have a logical firewall. I don’t talk to it. I will publish information to it but I won’t trust anything from it. If you’re going to trust something from a home then you better have an aggregator type model like an _____ or Converge or Tendril type of company that can actually enforce the security controls at that edge. So there – depending on the business model you can design networks and trust or not trust information based on what you’ve got out there.
But what is not good is to have a Cloud based model where the edge is vulnerable. And when I say it’s vulnerable I don’t mean against man in the middle attack. I’m talking about the advanced persistent threat that can compromise the edge and then use all the credentials of her trusted system to attack the Cloud. So that’s the part Scott and Richard that I really would like you to think about and develop mitigations for the use cases that I described. Otherwise for man in the middle type attack your controls are amazing.
>>Richard Yim: Well, I think you’re right, Erfan. And I think it’s an evolving challenge and I think we work with our hosting providers to make sure that as you say at the end point on the Cloud side that you have all of your security set up. And I think – selfishly to say I think it’s really come to the point where to manage a Cloud solution you have to have the infrastructure whether you’re doing it on Amazon or whether you’re doing it with other providers. You have to work with those providers to make sure that you’re leveraging all of their security capabilities.
It’s not ever going to be completely secure. You’re right. There’s always something that we have to keep ahead of. But I think you’re right also in saying that the cybercrime folks are really trying to get ahead of the game. The concern I have really too is if you look at – if you look at the statistics and the typical home is going to have multiple gateways and those gateways are going to be talking to each other in some form. If you’re a smart hacker you’ll get them to do that. And how do you ensure that all of the solutions you have say in your home actually support those security standards that you feel comfortable with?
And I think that’s going to be the differentiator between solutions in the future when you go out and purchase things if you’re not a hobbyist and run off to Fry’s and build everything yourself. Does this version you have, how well does it protect it? How well is it taking care of my personal information? Do you have two factor authentication? What are the things that I expect as a minimum consumer to implement something like that in my home because in some ways you’re opening the door up to the public. And if you’re going to buy a lock, are you sure that no one can open it up?
And so, I think that’s – those are all great questions. And from a network design I think you’re absolutely right and I think that’s a constant evolution. And just as we try to harden the system, so do the hackers try to find a new way in and they’re always going to be smart and like I said earlier on in the conversation, it’s definitely an arms race as to who can stay ahead of the game.
>>Erfan Ibrahim: Yeah. And there are very good organizations like ViaSat and Cyrus Tech and others, Mandiant that you can contract and give them challenges to say ok. I want you to compromise the systems and tell us how you did it and you pay them. And we’ve done that at NREL and quite effectively and it’s an eye opener because all that hackers are are developers of use cases that you did not think of. That’s all it is. Every hack is a use case. And as you do those use cases, you find out the residual risk. So now we’ll go to the questions here. Milan Silanky asks is Bitcoin not trackable? Wouldn’t it be a physical currency?
>>Scott Wu: I can take that question. So Bitcoin and the ______ are based on the uncentralized system. However, when it comes to Bitcoin and just what happened in the last event, there’s a system that’s allowing you to track the transaction about what money goes from this pocket to the other pocket. What you cannot track is the owner, who is behind this. But from the last event, we also learned that you can see that how much money that attacker has made out of this, out of this mess. It was about $30,000.00 he was able to profit from this event. And that was because – the number came from the Bitcoin tracking to give a number.
But the more, the deeper question is that if the attackers are using Bitcoin for the transaction if you want to go through the lateral movement. If you want to do the threat hunting and APT research it does pose a bigger challenge of how do you find out who and where and why. But at the same time the _______ technology can be used for a security, for the authentication purpose as well to prevent DDOS for example. But that’s kind of a different topic.
>>Erfan Ibrahim: Ok. Next question was from Milan Silanky again. Which according to you is the most vulnerable entity of the utility smart grid ecosystem generation, transmission, distribution? I’m looking for an asset name. So I don’t know what the last sentence means but I’ll share with you my perspective. It is not a question of whether it’s generation transmission or distribution. It has to do with access. So if you have assets where there’s physical access by hackers, it’s vulnerable. So the reason why transmission and generation are more secure than distribution generally is because of lack of physical access.
Generation most of the brains sit under armed guards in fenced areas. If you look at big hydro plants. You look at coal, nuclear, you see that. You see physical and their NERC CIP guidelines for that. I think it’s NERC CIP 004 that gets into physical security. Now in addition you, when you have physical access it will be vulnerable. The other thing to look at is the organization itself and how does it manage the cyber security posture? How consistent are they in applying the cyber security controls across their fabric? Results will vary depending on how many people they have, how well trained are they.
So I don’t like generalizing and saying one is more vulnerable or more secure. It’s a multidimensional thing and if you want to really ask about security you’ve got to look at the management style, the workforce development, the cyber security awareness training of the employees and then also ask about physical access to sensitive devices. If there is, no amount of controls will protect you. Monitoring and responding to hacks will. But just putting up a big fence will not. So Scott and Richard?
>>Richard Yim: Yeah. Actually, Erfan I think you hit the nail on the head which is we talk about homes for example but certainly even in the homes you have devices that are more obscure. Maybe it’s a garage opener or maybe it’s some other device that isn’t something that you see. And the example I used earlier on about power meters, those are things that you don’t normally check into. And so obviously in the industry and you have a pipeline monitoring device that’s out in the middle of nowhere, you have different kinds of challenges versus say a consumer.
But I think the proliferation both in the business side as well as the home really needs to be addressed by understanding what kinds of data – and going back to the data question, what kind of data do you expect to get in your system. Right? And how are the normal patterns that are coming in and what’s the anomaly and being able to detect that. And so, similar to the way that antivirus vendors are really moving aggressively to not just heuristics but being able to understand patterns of threat, being able to proactively look at those kinds of anomalies. Then you’re going to catch that coming in before it actually does damage. And so, I think that’s going to be the big challenge for vendors.
I think you made a good point which is how can you secure everything all the time? And I think that’s really the big challenge for the industry is to say well, we have to move away from your traditional what if then else kind of solutions to ones that are smarter. And if we have to do machine learning on the back end to make sure that we understand where you look at big data. What are the common patterns of activity that you see from your IoT devices? And when there are anomalies how do you react to those proactively? And so, I think that’s the big challenge for industry to be ahead of the game. Otherwise you’re just chasing your tail from one end to the other every time a new cyber threat comes out.
>>Erfan Ibrahim: Thank you. The next question, it’s actually more of a comment from Isiah Jones who says devices shouldn’t depend on the network for their security. Also, don’t choose between protocols. Just do all of them, especially the most used globally so you’re seeing at least 80 percent of them. Start with the most widespread and work from there. I would just like to say that network design is a foundation for security. Ultimately no matter what fence you’re going to put up, people are going to cross it. So the more important thing is to monitor and understand the difference between a desired state and an actual state. And based on that deviation between the two take appropriate steps to mitigate the risk that you’re seeing developing. And that is what you have to do.
But the reason why I call good network designers the foundation for security, if you don’t do that and you have a noisy network and you have traffic moving everywhere, it’s very hard to secure. Encryption is good for man in the middle type attacks. But increasingly we’re finding insider threats. So encryption does not work for insider threats. And the management of keys and the authentication scheme and its ability with digital certificates to do it in a distributed way especially with IoT where the cost is coming way down into a few dollars, it’s not scalable. So I’m all about putting fences in the right places. But let’s make sure that we don’t put up a fence that’s easily crossed by an advanced persistent threat and then we give all of the crown jewels to them.
>>Richard Yim: Yeah. I think Scott, I think it would be an interesting comment in terms of the observations you’ve made around being able to recognize those patterns and inappropriate intrusions. What do you think Scott in terms of how NewSky for example is starting to address those challenges? Because if you assume that the device is compromised – and if you look at the gateways out there in most homes they’re 64 gigabytes if you’re lucky. They’re running a version of Linux and have very little memory. So the ability to protect those devices locally is very, very difficult. So Scott, I’m wondering if you might make some comments on that because ultimately if you assume that a device is compromised and data is coming through to the Cloud and to the network, what are some of the things that you’ve observed and you think might be – how do we counter those things?
>>Scott Wu: Yes. So the quick answer is that the Cloud approach, that your intrusion detection and protection fit them, your AI model is in the Cloud so that you leverage the very big data used for all your productivity. But I want to echo what Erfan mentioned earlier that encryption for example can only do so much for you from the edge, from the end point. You have an insider trade or even if you have an infected system, what good is it for you to encrypt the infected data? It’s already happening. The hacker has already compromised the system from the inside out.
So visibility and monitoring is the key to allow you to stay ahead or keep up with the attacks. So this Cloud based solution leveraging the patterns of behavior is the way that you should design for your IoT environment from the beginning in infrastructure. Now we go further into all these types of detection and mechanism which is incremental. Once you have your baselining of your environment in the data, you go into the stack of the TCP/IP from the IP or even from link layer going up to your application layer.
Going back to what Erfan mentioned earlier that content – and I would also go further from not only just the content but also the context of your big data. Your Device A of microwave versus a refrigerator versus the door opener and the smart meter. These data as a service provider you have the key, you have the crown jewelry to correlate the data to identify the anomalies, to identify the suspicious behaviors so that you can provide the real-time visibility for the IT environment.
>>Erfan Ibrahim: Great. So let’s continue. We have a few more questions and I’d like to get through them for the sake of those who asked the questions. Ritway Jane asked you mentioned about smart meter hacks. So are there any solutions for smart meters of bar infrastructure as well? How do you see IoT vulnerability in a country like India?
>>Richard Yim: I think that’s a good question. And I was doing some research on smart meters and certainly manufacturers are looking at how to avoid that. And energy theft in India particularly I believe is one of the reasons why you get a lot of power outages. And so how does the network or the government be able to track these things. And I think it’s one of the big challenges that we face not just for smart meters but any device unless – to Scott’s point unless you’re tracking the behavior of that device you don’t know when anomaly is happening.
So I’ll talk a little bit about what companies like People Power are doing. We’re not the only ones. We actually have a bar architecture where rather than just have a synchronous activity between the device and whatever is running in the Cloud to instruct the device, we’re actually running local activity where a bot who has, that has a learning capability can actually manage those devices. And so, in the case of us, we can track the temperature settings in the house. We can track to see if the battery is low on a sensor. And when those things are out of the required range how do you detect that?
So if you look at a typical household for example say in India and you expect that based on your big data analysis that that household should be using a certain amount of energy. And just like in the case of Puerto Rico if they hack that smart meter, suddenly it drops by x percentage, something strange. Right? Or if suddenly someone’s hacking into the grid and you’re stealing energy from the grid itself in some shape or form, those are patterns that are unusual.
And so, to Scott’s point earlier on monitoring that on the back end, being able to recognize those things not in a tactical way but really in a more proactive way where you understand and you train your system to actually track that, that’s going to be the big benefit of artificial intelligence and big data going forward because otherwise you’re just running around from meter to meter and make sure everything is working correctly and they haven’t stuck some magnets on a meter.
>>Erfan Ibrahim: Yeah. A couple of things on smart meters. There are security standards in smart meters. The ANSI, the American National Standards Institute, yes, has a protocol called C12.22 and those smart meter companies that did not go to IP route for mesh networks are using that. Initially it was I believe Landis and Gyr and Itron. And the IP based AMI solutions like from Silver Spring use standard IP security protocols like IPsec and TLS. The challenge is not so much the security in the pipes because these standards are addressing that. The issue is much more how do you do intrusion detection on TMI in a scalable and an affordable way? And that is the challenge because there’s so many paths and so much mesh going on before it gets to the access. For many cases there may be two, three hubs before you get to an access point.
So the merge unit or the access point is a very good place to make some investments in intrusion detection. Now there are methods that smart meter vendors are providing of deciding whether a node is bogus or real. And so, if you add a new node in the mesh network and pretend to be a meter, there are authentication mechanisms at work that say no, I’m not going to trust you. But if you take a trusted meter and you change the firmware on it, now all of a sudden, it’s doing all of the legitimate transactions but it can be a pivot. So that’s why intrusion detection is so important.
And I don’t mean signature based intrusion detection which there are plenty of tools out there. Context based intrusion detection that understands the transactions in the AMI protocol. So that if data is being fuzzed not necessarily for theft but for affecting command and control of the entire area – because if you have information about smart meters, you can change the way planning is done at a distribution level. And that can throw off an entire grid. So it’s much more than theft. So for that you need intrusion detection, context based that understands the protocol. Scott and Richard?
>>Scott Wu: So there are a couple of words discussed in use cases about a smart meter. Let’s talk about the victims. One is that you as a residence as the victim. If your neighbor wants to revenge on you – excuse me – they can jack up your bill by tampering your usage of your power. And the next victim is the service provider. If there’s a malicious user, they can change the usage by spoofing the data reporting to the service provider so that I as a malicious user can get the free electricity.
Now from that based on who you are as a decision maker, if you are the resident wanting to choose that type, the smart meter, if you are allowed to choose that you want to protect the scenario that I want to make sure that I choose the right maybe the Bluetooth device or Netgear device or Wi-Fi device so that I can make sure that my utility bill will not be jacked up or tampered in this sense. But it all goes back to the content detection, this intrusion detection. Someone has the control, has the visibility to own up with their own, the pinpoint.
>>Erfan Ibrahim: Very good. I always tell people that when you’re using smart meter and you use wireless protocols to control EV charging it’s kind of like State Farm, like a good neighbor. So the meter of your neighbor is right next to your car and so that’s why I use my State Farm analogy there. So we have to be careful that we are sending the signals to the right place. Because chimneys in homes have metal lining in them many times and that creates reflectants.
So if you have a wireless protocol, the dB losses are incredible behind the chimney. And if you do a straight line from the smart meter through the chimney you usually end up at where you want the swimming pool and that’s where they have the pool pump. So if you want to use wireless networking, you’ve got to have a pretty rich mesh to get past that fire, the chimney and the metal lining to get to the pool pump which is one of your biggest energy hoggers. And this is why it’s really important to have a mixed media in the home because not all places of interest are accessible wireless.
>>Richard Yim: That’s interesting Erfan and you can imagine what happens when we’re around 2020 when you have 500 devices in your home whether you know it or not.
>>Erfan Ibrahim: Yeah.
>>Richard Yim: And that’s going to be certainly a challenge. And even the 2.4 gigahertz frequency is just overloaded. And other frequencies are short range. And so, what do we do as a community where you have all of these interferences? And I think that comes back to your network design which you think about – if you assume for a moment that all of – it’s out of control in the home in terms of point of access. And so, how do you make sure that the network on the back end is able to disseminate and has the right context for the data it needs to analyze.
And that’s going to be the challenge for us to come up with the correct data patterns and the streams and the bots to manage things like that so that it is not a bunch of people sitting there on screens wondering what’s going on in their network. It has to be automatic. It has to be broad scale because it’s really going to be a tsunami of devices coming up to the world.
>>Erfan Ibrahim: Yes. So there are going to be some time sensitive applications, some not so. And that’s why it’s very important to have a very good architectural perspective of your infrastructure if you’re going to have 500 connected devices. And make sure that there is appropriate bandwidth and the signal to noise ratio is reasonable for the bandwidth to carry the bits. It’s a logarithmic relationship with signal to noise ratio. So when you take care of all of those and get that architectural perspective, it is possible to support 500 devices. But if you just go with the idea that it’s going to run on reputation because you got some big company brand name, electromagnetic rules don’t follow brand names.
>>Richard Yim: That is so right. That is so right.
>>Erfan Ibrahim: Yeah. All right. Next, we have a question from Milan who says when we talk about offerings which class of customers are your solutions targeted at, enterprise or individual customers?
>>Richard Yim: So I’ll answer People Power. So we don’t actually sell products to retail. We actually white box products to service providers and they’ll actually brand themselves into the solution as opposed to selling some other brand name, reselling it during the calls. What we allow them to then do is to actually create solutions within the home that are branded by themselves. And what we found with our customer base – we have customers in the US and Europe and Asia. China Mobile is one of our clients. Is that we really are increasing the touch points for the large enterprise and helping them in their digital transformation and ultimately reducing churn.
So particularly for the deregulated service providers where they’re now having to fight to keep their customer base close to them. So that’s been sort of our target audience and it’s been a very attractive thing for us because we realize not every service provider has the capacity or the interest in building up a software company, sourcing all of the devices and so on. So this is a great way for us to do that and Scott you can answer from yours.
>>Scott Wu: We have a similar approach when we offer our intrusion detection and protection technology. We are, we target the enterprise. But there are really two aspects of this. One is that after that Dyn DDOS event where a lot of the device vendors being so concerned about their reputation and their brand name. So the example that we are working with People Power, it’s an approach about integrating the intrusion detection module or technology into the whole IoT solution. There’s a second demand from the vendor, from the enterprise who have already deployed all types of devices. They don’t want to take those out. They don’t want to throw those away. So our secure gateway approach has the capability to protect these existing invulnerable environments.
>>Erfan Ibrahim: Very good. Next question from Michael Shay says how could the cost for the security gears – oh, before that there’s another question here. Oh yeah. How does open source software impact cyber security of the IoT? Is open source a benefit or obstacle or is it a complicated issue? Open source gives you many pairs of eyes to look at things. They’re usually quite bright and they work the kinks out.
The issue is when you try to sell open source to enterprise customers it’s an uphill battle because they are compliance oriented. So they would like to see licensed stuff just so that they can hang their hat on it. It doesn’t mean it’s more secure. It’s just that they need to protect their jobs. So this is the world we live in where the best solutions kind of like Betamax don’t always make it. Go ahead, Scott or Richard.
>>Richard Yim: Well, let me answer that because I was supporting manager for Oracle when they launched Oracle Linux and it’s really become the top selling enterprise database solution today. Yes, you have Red Hat and SUSE and guys that actually support open source. But I think the discussion about whether enterprise should adopt open source solutions, I wouldn’t say it’s over. I think it depends on the solution that you’re looking at. The thing that we think about now as you look at open source and you look at tools that people use in open source whether it’s Hadoop or whatever have you is what is the implementation and what kinds of trust factors are behind that solution?
So if you look at most gateways today for IoT they’re running Linux, some version of Linux because it’s more stable than other operating systems that you have for smaller devices. And that’s really just a matter of trying to understand what is your exposure to that. And so yes, the Linux operating system could be in a way compromised in that device because like I said earlier on a lot of IoT devices have very little memory, very little CPU power. So you can’t run intrusion protection to really any degree of enterprise standards on those devices. And what you have to do is think about how you’re going to support that in the Cloud.
When you talk about open source, I think in the case of People Power we are actually creating a platform for bot developers. And so, in terms of the way the platform is structured all of the security, the data access, the APIs that we deliver, those are hardened for enterprise capabilities and ultimately bots that our partners or the open community develops will then have to pass through certification before they’re actually rolled out to our customers. But we have a unique situation where within our Cloud structure we can recognize every single device that is in our system by user or by numbers. And even though there’s some potential for something being replicated or hacked, we’re always watching for anomalies in that space and the most granular level we can actually look at a single device and see how it’s behaving. So from the open source answer it really depends on what part of the infrastructure you’re looking at.
>>Erfan Ibrahim: Yeah. We received hors d'oeuvres here and lunch here from Syracuse University so out of deference for an academic institution I had to do a shout out to open source because universities live by open source and it’s a thriving community and developing community in the open source platform. Wonderful.
>>Scott Wu: That’s _____ open source.
>>Erfan Ibrahim: Yes.
>>Scott Wu: It’s really that distinction between two overt solutions. Use open source as a tool and you decide who is the owner for the solution. Whether you build it in house you can never – it’s all kind of open source. Whether you use a third-party solution that’s allowing them to leverage all types of tools, open source tools so that they can give the best ROI.
>>Erfan Ibrahim: Great. So we just have a few more questions left. I’ll try to go through them quickly. How could the cost for the security gears at a smart grid – I mean as a smart and connected home being kept at a level so that the still coherent and also connected senior citizens would not be locked out of touch with their millennial grandchildren. I think Michael is speaking from experience here. I’ve known Michael for many years.
>>Richard Yim: No, that’s a really – that’s a really interesting question and that’s actually been People Power’s long-term goal which is to provide home care and assisted care for elders. And a lot of folks think about elders as being helpless but that’s not really true. And we found that if you look at a lot of research it’s the challenge of loneliness. How do you stay in touch with your friends and family? And what we’ve introduced and slowly starting to roll this out as part of a security solution is the ability for family to actually either manage your security environment but also to have a constant touch with their elderly parents.
And elderly don’t like to have cameras monitoring their every move in the house. But if you look at IoT devices we can detect whether or not the elder person has actually got up when they normally get up. Right? Is it time to call in and find out how they’re doing? Should we push some pictures to a touch pad that people probably use this for entry and exit.
And so how do you do it so that it’s price effective so that the elderly person can afford it? Well, if you look at price points for even our systems, you’re talking about a couple hundred dollars really to get started and the way the utility provider is actually providing, monitoring service where like if an alarm goes off they can actually contact the police for you, you’re talking about maybe $20.00 or $30.00 a month. And so, the costs are really really coming down. You don’t have to spend $2,000.00 on a big traditional security system and have someone coming to your house every day to check on you.
And that’s the beauty about IoT. These great devices are going to make our lives easier. You don’t have to watch to see that your fridge is open all the time or whether you’ve forgotten to turn off the lights when you go on vacation. And that’s the ultimate goal for providers like ourselves is to make the lifestyle easier for consumers.
>>Erfan Ibrahim: Right. I think if you limit the degrees of freedom and use automation and use artificial intelligence for business analytics and take advantage of Moore’s Law and allow private sector to compete, the cost will come down and the millennials and the grandpas and grandmas can live peacefully together. Ok.
>>Richard Yim: Absolutely.
>>Erfan Ibrahim: Yeah. But I just don’t understand why they text each other when they’re sitting right next to each other. That part I haven’t figured out yet.
>>Richard Yim: If you’re like me that has a 14-year-old, we’re last century and we don’t recognize why they do that.
>>Erfan Ibrahim: Yeah.
>>Richard Yim: But if you think about when you were young and you did certain things and your parents didn’t understand it, it happens in every generation. So the younger people adopt technology as part of their lifestyle. It’s not an if then question. It’s just part of their lifestyle. And it’s hard for manufacturers and providers like us to recognize that. And so, that is a transformation in terms of technology usage.
>>Erfan Ibrahim: I still insist on a paper boarding pass and I like going to a teller at a bank just so that they have a job.
>>Richard Yim: I have to show one more slide for fun. I have to show this slide. And this happened yesterday and some of you may have read this about this young 11-year-old walking into a security expert conference with his teddy bear that tracks Bluetooth devices and downloaded all the phone calls, all the phone numbers from the devices automatically.
>>Erfan Ibrahim: Wow.
>>Richard Yim: So to Scott’s point earlier on, we have to make these young whiz kids, bring them to the white hat side instead of going to the dark side.
>>Erfan Ibrahim: So this teddy bear is actually Ted from that movie. Ok. Next question is so Isiah Jones says agreed about the network comment I made. But system security design and hardware security design should not be totally dependent on the network or users. Yes, agreed. Next Milan Silanky says most of the infrastructure in India is unprotected and Indian utilities. Why is isolated from attacks? I didn’t quite understand the question but I will say that in India, most of the infrastructure has security by obscurity.
>>Richard Yim: Ok. Well, I mean if someone can explain why the power keeps going out. But I think the suspect answer as I said earlier on is because everyone is tapping into the grid and then it’s being overwhelmed.
>>Erfan Ibrahim: Yes.
>>Richard Yim: So security is the answer for that.
>>Erfan Ibrahim: Provincial governments in India deliberately allow for theft to occur to get votes. And that is why like for instance in ______, the nontechnical losses better known as theft are as high as 44 percent because a lot of the agricultural people provide the votes and they want the power to run their pumps and other things. So it’s like a very interesting relationship. So it’s not all accidental. Some of it is deliberate.
>>Richard Yim: Yeah. I think it’s a reflection in Philippines in Brazil.
>>Erfan Ibrahim: Yeah.
>>Richard Yim: The political parties go around and actually wire up your house.
>>Erfan Ibrahim: But check this out. So with the advent of smart meters, now they can disproportionately turn off their electricity, the ones that are stealing, during the times of brown outs and black outs and say sorry. And what are they going to say? We’re stealing power. So it’s a very interesting advantage now with smart meters. Next question – so we’re going to go up to like 40 after the hour. So because there’s so many questions here. Next question is IoT is mainly unstructured data. How do you view the unstructured data? Does your AI use neural networks or other machine learning methodologies? That’s from Lawrence Kerisnick.
>>Richard Yim: I’ll let Scott answer that one.
>>Scott Wu: Yeah. Yeah. So when people talk about machine learning in the current, in the recent months, it’s a myth about supervised model and unsupervised model. The deep learning is really good to the hidden features. So there are two aspects about your capability of doing AI because the model, building a model is no longer the challenge. With the rapid computing powering, modeling it’s actually easier. The harder part is your feature extraction. Deep learning goes about that you had the first layer of the features you can harvest. It goes the automation about the hidden ______ features you can eventually harvest and self-learning.
And the supervised versus unsupervised model, it’s no longer an issue. When you talk about a KNN or unsupervised model in this unstructured data, yes, you can go out and identify the _______. So that you use that tool to find out the norm and eventually when we talk about APT and for example you can start to trim down your hay stack so that when you have to look for the needle, it becomes more efficient.
Now going to the other part of the supervised model that it’s very important for the cyber security because we are dealing with an adversary. Whenever you have a model you always the bad guys try to bypass the detection really ongoing basis. So you need to have your white hat hackers and experts to be able to think and act like the hackers so that they can go back to identify that whatever model the detection, the accuracy, the detection rate can be addressed in this ongoing learning. So it’s not that one is just off the learning. It’s an ongoing pruning and increasing or the _______.
>>Richard Yim: Yeah. The only other thing I want to add – and I think that’s a really good answer, Scott, is that like for People Power we’re trying to localize the AI and the learning, not just have it in the Cloud but with the bot technology and now there’s the smart bots, you can actually have smart bots learning the behavior for example of say someone in the house. Are they expecting to use lights in a certain way? Do they have requirements when they go on vacation? Do they have a pet that’s setting off false alarms as the pet runs around? What are the kinds of things you expect that device to do within that house?
And then you also have the notion of some people call it brain bot. We call it a genie bot where that bot actually looks at an outcome and says what are all of the devices that have to react in a particular way to achieve that outcome. So the example that I used was when you go on vacation you want your lights to be on at a certain time. You want your temperatures to be appropriate for your house. You want to make sure your door locks and so on and your appliance are working in the right manner while you’re away.
And how do you make sure that if a rogue device or a rogue bot behaves inappropriately? Well, that’s when the alarm bells go off in the system that says this is not correct. The data stream isn’t right. So a lot of companies now are thinking that you have to be proactive. You can’t just do predictive analytics. You really have to start having a system that learns.
>>Erfan Ibrahim: Yes. And this is why an energy management system at the home that can check those rules would be very helpful. And the reason is because the response time can be very fast. If you take it back to the Cloud and you crunch it and you try to figure things out, there may be some delay in that because of the volumes of data you’re dealing with. So some level of intelligence at the home level is really recommended. And that’s why I believe in a tiered architecture, not just taking everything back to the mother ship.
>>Richard Yim: Absolutely.
>>Erfan Ibrahim: Ok. Next Ritway Jane asks if using a mixed media for data exchange, won’t that affect my project costs so virtually an increased cost to the end user? I would like to say that if there is significant holes in the RF space that doesn’t allow the wireless to work, your reliability issues and the cost associated with that will exceed the investment you’re going to make in a mixed media environment. Today we have concentrators that can do both home plug and ZigBee or home plug and Wi-Fi. So even though you have a mixed media, the actual electronics cost increment is very little. So and the market will accept that in large volumes the cost will come down. But if you don’t cover certain areas and they’re critical for supporting the IoT network, then you’re leaving money on the table because people will stop using you and they’ll go to the one who has that mixed media. So it’s really important to support the use cases.
Ok. Next question, Milan Silanky. He says question, when we talk about offerings, which class of customers are your solutions targeting? We already answered that. If you build solutions for companies who then go to the market wouldn’t it add to the final price of the product and with the onset of tsunami of IoT devices how much budget can a home consumer or small-scale utility actually afford to assign to IPS or IDS products or solutions?
In this country, in the United States we have people who buy Teslas. So they can spend that kind of money and claim they have zero emissions. And then there are people who look at the price of a compact car and say oh, it’s too expensive. So I think the issue about price is a relative one. The question is what are you supporting for the price. People pay when they find value in things. If you’re going to just provide information about how many eggs are in your refrigerator when you’re at a grocery store, maybe that price is not going to be very high. But if it’s something to do with your comfort and convenience and safety then you may put more money in it. So I don’t think that we should be driven by price so much as much as we should be driven by value. And then the price should support that value that we have created. Scott and Richard?
>>Richard Yim: I think you’re right Erfan. I mean if you look at the smart phone, just a few years ago that was a luxury. Now it’s like every young person must have one because otherwise they’re not using the phone. They’re texting and they’re browsing the internet constantly and streaming music. So as things get more commonplace the price goes down. So I’ll give you an example of price points. Right now, we anticipate that selling through our utilities – and the reason why utilities as I mentioned earlier on want to do this is they want rather than just reselling Comcast or some other providers’ solution and just throwing the ball and getting commission, they want to actually have some sticky solution for the consumers that they can then add additional capabilities and not be _____ by some other provider. They don’t want to be Uber-ized. Let’s put it that way.
And so, if you look at the price point $200.00 - $300.00 gets you into a pretty sophisticated home security system. Now you go out to Fry’s or Amazon and you put it all together, that will be about the same price. What you have with like People Power, you have the benefit that it’s all managed. And like I said in the past just a few years ago that same system would have cost you $500.00 - $600.00 for base equipment, another $300.00 to install it and then $35.00 - $40.00 a month bill to have someone monitor your system.
So the price has really come down and so the question then I think for the service providers is what does it mean for you as a business to be able to touch your customer every day and to be able to have some kind of way to reduce churn and to reduce the way that you lose customers along the way. And so, when they call in to change their utility bill or something else you have something interesting to talk about and sell. So I don’t know Scott, if that’s sort of a similar story to you.
>>Scott Wu: Yes. But also add to that, I also want to echo the concern from this equation, from the end user perspective. When I go to Best Buy to purchase a smart device or subscribe a service from a service provider, I expect this cyber security has been taken care of. In no way as an end user I should be concerning going out to purchase another antimalware or antivirus equivalent protection for my home devices. So we as a service provider, device vendor need to find a way to integrate that security as part of the solution. So it all goes back to what we had been discussing in the last one and a half hours that security needs to be from the infrastructure. It needs to be from the beginning so that we solved the problem of the usability versus the cyber security.
>>Erfan Ibrahim: Very good. Now the questions keep coming. What I would suggest is to Milan and Ritway is to take it up directly with Scott and Richard because we have gone way past our time. The final question is a short one about block chain whether it helps or hinders smart grid security. I’d say that if block chain which helps in maintaining trusted set of transactions from source to destination if you may, if block chain is used for that it will definitely help smart grid security. But you have to be very careful how you manage the block chain implementation because that could become the Achilles heel if the hacker gets access to that. So the answer is yes, it helps if managed properly. Ok. Are we good Scott and Richard?
>>Richard Yim: Yeah, we are. It’s been a really great session and I do also really appreciate your insights on adding to the questions. And I think for someone who listens to this webinar and you’ve gone through this and you say, well, should I not invest in IoT? Should I wait till the future till it gets more stable? I don’t think so. I think right now it’s getting there. It’s a bustling industry. For those people that invest late on the internet well, you know why they didn’t benefit from that. This is a great time. The things that consumers will appreciate is it’s just going to make their life easier. They just have to start making some choices and be a little educated and I think that’s up to the universities and up to vendors like ourselves to make it easy for consumers to understand what they’re getting.
>>Erfan Ibrahim: Thank you very much Richard and Scott.
>>Scott Wu: I want to save my long answer to that block chain question to have a separate discussion with the person who raised the question and look forward to having the connection, further discussion of that with all of you.
>>Erfan Ibrahim: Thank you very much and thank you to the audience here at the Syracuse University Center of Excellence for participating in the webinar. I didn’t see anyone raise their hands. Were all your questions addressed sufficiently? Good. And I will come back next week by email and let you know about our next webinar and you’ll get all of the details for that. I just as a parting note I’d like to say that about nine years ago when we started this forum I was at the Electric Power Research Institute and we had about 15 people in our total distribution. And as a result of referrals and people writing and asking to be put on the distribution we just crossed the 5,000 mark across ten countries. And many of those people, more than a third of those people, have actually sat on one or more webinars. And others watch it on YouTube.
So I’m really happy. And it’s always been free. There’s never an agenda except to promote information, knowledge and learn from each other. And this is why people from different backgrounds are coming and listening and learning from it and using in their livelihoods. And I’m very happy that I’ve been able to moderate this forum for the last nine years. And I will continue as long as I’m able to and host, kind hosts like Syracuse University and IBM and many others have provided me forums in which I’ve been able to bring this webinar. So thank you very much. And at this time, I’m going to stop the recording and I’m going to end the webinar. So thank you, Richard and Scott.
>>Richard Yim: Thank you everybody.