Madeleine Mickeleit talks to Arne Trittelvitz, Director Europe at Asimily, and Holger Hartwig, Key Account Manager Security at A1 Digital, about securing IoT devices. The main focus is on the challenges and solutions in the field of IoT security in various sectors such as medical technology, building technology and manufacturing.
Episode 135 at a glance (and click):
Podcast episode summary
The partnership between Asimily and A1 Digital relieves the burden on IT departments in companies, hospitals and administration by providing a system that offers security without requiring additional manpower. This collaboration arose from a request from a large hospital for better protection of medical devices in its network.
Arne Trittelvitz from Asimily provides his expertise in network security and risk management for IoT devices, while Holger Hartwig from A1 Digital promotes the digitalization and security of IoT devices. In contrast to standard IT, IoT devices are often in operation for a long time and difficult to update, which makes them particularly vulnerable. An example from the healthcare sector shows that medical devices in the IT network require special security measures.
Asimily’s approach includes visibility and inventory of IoT devices, vulnerability mitigation, threat detection and risk modeling. Network segmentation is used to monitor and analyze device communication in order to minimize risks. Practical examples include surveillance cameras, medical devices and building technology.
A1 Digital plays a key role in the implementation and integration of the Asimily solution, taking care of the IoT environment, cloud services and cybersecurity services.
Legal requirements and future developments also play an important role. NIS2 and security requirements for critical infrastructures require close cooperation between IT and other areas of the company for a comprehensive security strategy.
Podcast interview
Hello Holger and hello Arne. I’m really happy to have you with me today and welcome to the IoT Use Case Podcast.
Holger
Hi Madeleine, thank you very much for the invitation.
Arne
Hello, nice to be here.
Thank you very much! Holger, I’ll start with you. How are you? Where are you right now?
Holger
I’m doing as well as ever.
That’s nice. Are you at home or in the office or where are you?
Holger
I am at home in beautiful Düsseldorf. All good.
Okay, Düsseldorf. Greetings to Düsseldorf.
I think so too, yes. Arne, how are you? Where are you at the moment?
Arne
I am also doing very well. I’m here today from central Franconia. At the gateway to Franconian Switzerland. Almost as beautiful as Düsseldorf in this respect.
Very nice. You’re not in California, but Asimily is actually from California, right?
Arne
That’s right, Asimily is now making the leap across the pond. So in Europe we still fall under the start-up category. And California is very beautiful, but Middle Franconia is even more beautiful.
Yes, I was just about to say that too. And how many employees do you actually have now?
Arne
We are 80 employees worldwide, three of them in Europe. I am currently working on the market launch for Europe together with two colleagues. You’re always well on your way.
So it is very fitting that we should come together today and talk to each other. Perhaps we can briefly introduce Asimily and then talk about A1 Digital and the partnership. As far as I understand it, Asimily is a kind of risk management platform for a wide range of IoT devices from various sectors such as medicine, diagnostics, life sciences, pharmaceuticals and industry. You are the experts when it comes to network security. Could you put it that way?
Arne
Yes, that’s quite far-reaching, but it’s definitely going in that direction. We were founded precisely for this reason, because there are a large number of devices in the corporate environment that cannot be secured as easily as the IT landscape we currently know and that are subject to special requirements. Which devices are these? Essentially, these are all non-standard IT clients and servers, i.e. everything that falls under building technology and is connected to the network, medical technology and production technology. And these devices are often very close to the value chain, but cannot be secured using standard procedures. This has also been seen frequently in the press recently. And that’s how the idea of founding Asimily came about. The founders themselves come from an IT security background, worked for Symantec for many years, built up an IoT business there and then took the plunge into the deep end, setting up their own business. That’s the background story. We are now four years old.
4 years, okay. You just mentioned a wide variety of devices, do you have an example of such a device? So this could be a diagnostic device in a hospital, for example?
Arne
Criticality is particularly wide-ranging in the healthcare sector. If a device breaks down, for example a device for coronary angiography with a contrast medium examination, core services can no longer be provided. However, we must also take into account that these devices often cannot be properly maintained. For example, if a software update is required to fix vulnerabilities in the operating system, these updates are often not available or are only provided with considerable delays because the device has to be relicensed or recertified. There are many hospital-specific issues that stand in the way of IT security. But we also have to develop different strategies for production facilities or building technology equipment to which an IT department does not have direct access and which may be managed by facility management or production.
I see. And Holger, you at A1 are now also part of the Telekom Austria Group and therefore also part of América Móvil, making you part of the world’s largest mobile operator. That was a little bit about your background, but you also do a lot more. If you follow the podcast, you may have already listened to an episode. You are also a technology service provider for IoT, cloud, networks and security. That’s the issue now. How did you two get together? So this is a partnership?
Holger
Yes, exactly as you say. A1 Digital’s mission is to drive digitalization forward. And when I talk about digitalization, I always talk about IoT. And we essentially do three things: We take care of the IoT environment, we are a cloud service provider and we are a cybersecurity service provider. And so it makes sense to move the topic of cybersecurity towards IoT and think about how I can actually secure IoT systems properly. And in this context, I then have to think about how I can identify vulnerabilities, how I can recognize attack vectors, how I can then deal with them and how I can ultimately secure this issue. From the outset, it was important to us not to simply come up with yet another security system, but instead we wanted to deliver something that would relieve the burden on IT departments in companies, hospitals and administration. In other words, something that gives them security without the need for additional workers. And Asimily is just such a system. So basically early warning and assistance in one.
As you have just said, weak points or even faulty devices can cause massive damage to companies. We want to talk about that. You just mentioned the topic of vulnerability management. Perhaps we can briefly explain which use cases we are talking about today. You might have to categorize it a bit, as I have different topics in the podcast. Today we are talking about the more technological security use cases, which also have a very clear business impact behind them.
Holger, can you explain what use cases you have? Vulnerability management is probably one of them, right?
Holger
Yes, there are many subtypes of IoT. IIoT, IoMT. I would perhaps take the CIoT, i.e. the consumer IoT, out of the equation a little. So basically, we’re talking about IoT systems that are used somewhere in the business environment. These are devices that serve a specific purpose, that generally cannot really be changed, that are only slightly configurable, that communicate with the IT network in some way, but that are not protected by the security measures in the IT network. That is our focus now. We don’t have to limit ourselves to any specific IoT sub-sector. That’s why we can talk about IoT in relatively general terms.
Okay. This means that today’s use case is to a certain extent about recognizing weak points. What are they? We also talk a little about the threat posed by the topic of security or corresponding attacks. But also about risk modeling – the keyword monitoring has already been mentioned. What does it look like?
Arne, you just got a bit technical about these non-standard IT protocols and so on. First of all, we need to differentiate between IT, IoT and IIoT.
Holger, can you briefly explain what classic IT devices are and where exactly the topic of IIoT begins for a better understanding?
Holger
Typical IT systems are servers, clients, everything we know from the IT sector. In terms of security, there are vulnerability scanners in IT that can use active scans of servers and clients to check which vulnerabilities exist. If I tried this with IoT devices, I would probably get no response at all in the best-case scenario. In the worst case, the IoT device breaks down. If this happens in a hospital, there’s probably at least one person who wouldn’t think it’s cool at the time. And this is precisely the problem that we are tackling and solving with Asimily. I can’t use IT systems to record the security status of my IoT devices, so I can’t say what risk there is and what measures I need to take to eliminate, mitigate or reduce this risk, whatever I want to do. So I need a specialized system and this system is Asimily, because Asimily deals with IoT systems differently than the normal IT security scanner.
[09:39] Challenges, potentials and status quo – This is what the use case looks like in practice
Now you’ve just said that, in the worst case, it might even paralyze the system. Maybe we can talk a bit about this business use case of your customers and what challenges they have in this area.
Arne, I’ll just hand over the floor to you. Can you explain the business case behind your product?
Arne
Yes, the issue is indeed one of paralysis, although this must be viewed from the perspective of different types of risk and the respective risk affinity of the individual companies. If a production line breaks down somewhere, companies can usually quantify very precisely the damage they incur. However, there are also companies where nothing is allowed to fail. If a blast furnace in steel production has to be taken offline due to a cyberattack, the building can be rebuilt. If an OR comes to a standstill because the air conditioning system breaks down or is not working properly, the OR can be taken out of service. The point is that in these areas, and we see this time and again in the case of breaches that have become known, damage occurs and services can no longer be provided. And at the end of the day, there is an economic value chain attached to it. But especially in the area of critical infrastructure, core services for citizens are also provided to a high degree. And companies have already gone bankrupt because of it. In recent years, legislators have made the requirements in the area of critical infrastructure much more demanding. We are also noticing this massively in the market in this area.
On the other hand, adjustments are now being made through NIS-2, for which the draft bill was recently published. In this case, NIS-2 stands for increased cyber security requirements in the EU. This will affect a number of companies that have not previously been in the spotlight. Here, too, the BSI takes its checks very seriously and comes up with demanding measures that companies must comply with. We assume that IoT is the largest interconnected attack surface in corporate networks. There are classic interface problems, as network security is usually the responsibility of IT, but the devices are often not operated by IT. For example, if I have a kind of building management for building technology or if I have medical technology in the healthcare sector or even production with the equipment, then they are responsible for this equipment. However, they are generally not aware of the problems that these devices bring to the network. This means that IT does not necessarily receive the necessary information from these areas alone. A very succinct example: IT departments think in terms of IP addresses, MAC addresses, ports and protocols, while medical technology thinks in terms of device numbers, user instructions and security checks, i.e. a kind of device MOT. If these departments cannot talk to each other because they lack common ground and transparency, this creates a risk. And this risk is difficult to define, measure and reduce.
Perhaps a brief follow-up note. If you would like to find out more about NIS-2, I can highly recommend episode 107. We have also broken down the topic in practice there. And I find it interesting that you mention steel production. We had an episode with the company ALD Vacuum Technologies, which manufactures just such systems. This also touches on this topic a little.
And could you come back to what you said? This awareness of the problems and in particular the interface problem. Could you explain this in more detail and talk about the technical challenges your customers face? They are probably doing this at the moment without your solution. But what technical challenges do they face if they want to solve such problems independently?
Arne
The main challenge from an IT security perspective is that they often do not know what communication is taking place in their network and how it is taking place. Although they can see the data traffic and assign it to individual devices, they often lack information about how these devices are supposed to communicate according to plan. There are many intransparent network elements, especially in long-standing infrastructures.
What exactly does planned communication mean?
Arne
Well, the manufacturer had something in mind during development, take the video camera for example. This camera has to send the data somewhere and possibly also store it and so on. The problem is that when the software is created, regular checks are required to ensure that outdated protocols are deactivated or removed and that it is adapted to more modern forms of communication. However, sometimes people forget to do this, whether it’s switching off outdated and error-prone protocols or updating due to security concerns. Because these are air conditioning manufacturers, for example, and not IT companies, even if they connect their devices to the network. It’s similar with medical technology, and in many other areas too, and you can’t really blame them. The point is, just because there is communication doesn’t mean that this communication is needed.
I see. It is therefore a different way of thinking about IoT data, what these interfaces look like and how protocols that may be vulnerable to attack are designed. These are new use cases that IT now has to deal with. Could you put it that way?
Arne
Absolutely.
Ok. Perhaps we will concretize the whole thing a little, especially in cooperation with A1 Digital. The fact is that very specific data or data types are now emerging from a wide variety of devices. Could you tell us a bit about what IoT data is today? You have already mentioned the video camera, perhaps another example. And what about interfaces to other systems? That often plays a role too. Can you elaborate on this a little more?
Arne
With pleasure. The issue is that, at the end of the day, we work with exactly the data that is already available in the company. Take, for example, a large imaging device in a hospital, such as a CT or MRI. Most people have already heard of them; these devices are immensely expensive and have to run at full capacity. This device now communicates on the network, usually using a special protocol called DICOM.
And this is how image data is transmitted. This is a protocol that is incredibly well documented. Many IT systems recognize it, but they do not understand these protocols. This means that the first problem begins with the fact that a firewall cannot find any malicious code in it and is therefore already ruled out at this point. The fact is that this device also speaks many other protocols. For example, there are a number of devices that use an old data transfer protocol called SMB, which is considered very insecure, which can be an attack vector. However, this protocol is not required for the device to function. It could perhaps be used for updates, if there are any, which is rarely the case anyway. Older devices often no longer receive updates because the manufacturer no longer wants to take care of them. You can understand that. The point is, if that remains open, it’s an exploit vector. I don’t need it for the device to work, so I can close it. On the other hand, I can extract a lot of information from all these logs that the device needs, as these devices are extremely chatty. They reveal information about their manufacturer, device type, serial number and much more. Next, if we want to understand the communication of the devices, we create a kind of itemized bill. This is familiar from the telephony sector. If I know who the device is communicating with, then I can also determine whether these remote stations are required or not. An illustrative example of this is that we once found an IP camera that communicated with 200 IP addresses worldwide within 24 hours. In such cases, you don’t have to be a forensic scientist or technician to realize that this may not be desirable. And interestingly, these are the topics that we find again and again in companies.
Perhaps one more question in the direction of A1 Digital: In some previous episodes, we have already seen some extremely interesting customer cases that use this. How exactly do you work with A1 Digital here?
Holger
Basically, the collaboration arose from a request from the head of security at a really large hospital in connection with cybersecurity services. He asked me how to better secure medical devices in the network. I quickly realized that this was not a standard IT security issue and that I needed help from experts. That’s how Arne and I got to know each other. This resulted in a partnership, which is now secured by a partnership agreement between the two companies and is supported by the management teams. So the whole thing also has a certain binding nature. We carry out joint planning and coordination to determine how we position ourselves and how we can best structure the individual services to provide the customer with optimum support.
[18:45] Solutions, offerings and services – A look at the technologies used
Very nice. And now perhaps back to the joint customer case. I have understood so far that there is an interface problem here on the one hand. On the other hand, it is also about finding out how the behavior of the devices can be controlled to a certain extent, especially in the event of damage. Hence my first question: How do you even identify the behavior of these devices? Arne, perhaps you can say something about your software. How do you do it technically?
Arne
This is a very important topic, because everything stands and falls with identification. We do this by bringing sensors into the network. They then receive a data copy of the network stream that passes through there. As a result, we see the entire communication without being able to influence it in any way.
Sensor means, for example, a camera or an MRI machine or something similar? What do you mean by a sensor?
Arne
No, a sensor is a piece of sheet metal. We bring this piece of sheet metal into the network, it gets a network connector, and then we tell the large network central device to make a data copy. In other words, it should give us a copy of the network stream that flows back and forth between the devices and the data center. This data is also sent to us at the same time, and we extract precisely the data we need from this data stream: devices, device names, communication behavior, etc. We compare this information and send it to the analysis unit. This is then what is in the Exoscale Cloud. This is the most efficient and cost-effective solution for most customers. There are a few with particularly high requirements that would like to have the analysis unit on site. This is also possible, but for reasons of cost and flexibility, the whole thing usually goes Exoscale.
There we compare the device information with our databases. We have a lot of old devices in use, and to identify their weak points, we have to go back to the 1990s with our information. And IT security manufacturers don’t usually do this, as they assume that vulnerabilities will be fixed after three to five years.
However, this often doesn’t happen with these old devices or with these IoT devices. Often this is not even possible. And in order to give people this information, where exactly their weak points are and what they can do about them, we need this analysis unit at A1 Digital for this and much more information.
Holger
If I may interrupt for a moment, I think that’s really important. The reason is that Asimily doesn’t just say: “Here are your vulnerabilities, do something with them,” as a vulnerability scanner in the IT world likes to do. Asimily says very precisely: “These are the weak points, these are exploitable,” and breaks it down further to: “These are very easy to exploit and therefore quite evil.” It also suggests: “What can you do about it, dear IT? What kind of protocols can you turn off? What kind of settings can you make?” And in the end, if you can’t do anything about the system because IoT devices are not really configurable, the only option is microsegmentation. This means that a separate segment is built around a device. There are hospitals and other companies that lack this transparency and are now starting to micro-segment hundreds of IoT devices because they believe that this will make them secure. They do, but it’s an incredible amount of work.
In other words, a separate categorization of these devices.
Holger
Exactly. We come in with Asimily and say, “Hey, microsegmentation is fine, but you might only need that for ten percent of your devices. For the rest, you can do something else that’s much easier.” And here we are at the point of reducing the effort. It’s about helping IT departments to really integrate security into the company and ensure that it actually works without having to be constantly updated manually. And that’s exactly what Asimily does.
I see. Could one imagine that you have a kind of template structure in terms of the criticality of the individual devices? So that you can say, based on your wealth of experience: “Hey, you should take a closer look at this, it’s a standard case.” So do you have some kind of template structure? Or how do you have to imagine it?
Arne
You can think of it more like a dashboard. Many people can also access it. So I can also integrate building technology, medical technology and production. Anyone who is interested in their appliances or possibly even wants to make something themselves will then have a transparent treasure trove of information. So it’s not just IT-speak that is displayed there. The information security officers or CSOs receive precise risk information.
We also offer a whole lot of additional information, as we already monitor many millions of devices, about which we have very, very detailed knowledge. We then bring this information to the outside world via this topic. If the customer wants a security assessment even before connecting a new device to the network, he can obtain this from us. We also offer appropriate hardening recommendations, i.e. how the device should be set to minimize the risk to the network. And when providing this proactive information, we then incorporate all of our expertise.
Yes, very nice. One last point on the subject of Exoscale. This is where the hosting and data processing takes place. Could you elaborate again on what the special advantage of Exoscale is, perhaps also in comparison to other offers on the market? Perhaps also with regard to the integration of other data sources. What exactly makes Exoscale so special?
Holger
What makes Exoscale special is, of course, its European hosting, data security and adherence to all compliance requirements. This enables us to ensure that we can also use Asimily in environments that have to comply with strict regulations. Hospitals are an example of this, as is public administration in general. And what is good for hospitals and public administration cannot be bad for industrial companies, including large industrial companies, in my opinion. They also want to ensure that their data is protected. That’s what the Exoscale does.
You just mentioned interfaces. This is actually part of the Asimily system. However, these interfaces do not come exclusively via Exoscale, but via Asimily. It is particularly important for me to emphasize that Asimily should not be seen as an isolated system that just runs and does IoT stuff. There are many interfaces to other systems. When we think of IT security, for example. We are also a provider of SOC services.
A SOC should monitor the security status of a company, ideally in its entirety. However, a SOC usually only monitors IT security and does not keep an eye on the IoT. However, this is possible with Asimily. I also enable the SOC to recognize anomalies in the IoT area that could possibly migrate to the IT area at a later date, but are definitely a problem that needs to be dealt with.
On the other hand, Asimily enables security management to integrate vulnerabilities that are found using typical vulnerability scanners in IT into the Asimily system. This creates an overall picture of the risk. I get a risk matrix that shows me what I need to focus on first. This is an overall picture. With Asimily, I am able to view IT and IoT as a whole for the first time and act accordingly.
Arne
That is the crucial point. We do not work in a vacuum. The customer must create a security platform and we are an integral part of this. Wherever he can use data from us, we build the interfaces if they are not already in place. We are very good at that. Our primary goal is to fit seamlessly into the customer’s existing structures. This is where we differ from standard market solutions, as we offer this flexibility.
Very nice. A really exciting partnership. A1 Digital has very different partners for a wide variety of use cases and projects in the field of digitalization, and this is now also specifically related to the topic of IoT and paired with the topic of security.
Maybe the last question for today: I have a few more questions, but for those who are listening now and think that this is their topic and they are approaching it in a similar way, feel free to contact Holger and Arne. I’ll link the contact info in the show notes, including LinkedIn contacts, so you can schedule follow-up dates there if you’d like.
One last question for today: The topic is constantly evolving. I have already made several security podcasts with different use case characteristics. What is currently happening on the market and what trends can we expect in the future? Can you perhaps give the audience some insights and tell them which top topics they should be looking out for?
Arne
What we are seeing is that there is much more awareness in the area of vulnerability management or IoT security than there was a year or two ago. We assume that it will continue to rise. That is why we continue to develop our skills in this area. This means, for example, that we will also be able to carry out IoT patching in the future. This means that we can completely take over this process for devices that do not need to be certified and for which patches can be applied. This simplifies the entire vulnerability remediation process immensely. On the other hand, we are adding further options to help with disaster recovery. This means that we must also be able to act retrospectively if an incident occurs. We will also continue to expand our capabilities in this area.
And the great advantage of the collaboration is that A1 can contribute this expertise across different systems. This means that the customer is also supported in integrating these options into their infrastructure. This is another very important point.
Holger
In addition, we are in talks with many companies, not just hospitals, although we have talked a lot about this today. We find that either the topic of IoT security has not yet arrived in the company or that it is only just beginning to be addressed. On the other hand, I think it was in March, the American government warned that attacks on water facilities were feared and that increased attention should be paid. There are indeed more and more attacks on IoT. I don’t really like talking about attack scenarios when it comes to security and I don’t try to spread fear, but ultimately this is the reality. There are more and more attacks in the area of IoT, and this realization is becoming more and more widespread. We simply need to be more transparent about which systems are being used and what state they are in so that we can protect ourselves. There is no other way.
I see. This means that, on the one hand, Asimily is now moving a bit towards security updates that can analyze certain vulnerabilities. It is about certain new security updates that can be carried out. And on the other hand, there is a move towards real-time analysis and the topic of snapshotting, which is now also being introduced in order to secure the status of a system at a certain point in time. Exactly, so that would be one issue. And then there are the trends that arise accordingly. Okay, very nice. That’s a good outlook for the future too. I’m also generally excited to see how your projects progress. Perhaps we will hear from one or two users. I know, the topic is also a bit under wraps. I myself have also reported a lot on the KRITIS area in the podcast. So it’s great to hear from you and your partnership and especially to understand how this spillover of vulnerability analysis works not only in the IoT space, but also with IIoT device data.
So first of all, thank you very much for your time today. As I said, I would probably have many more questions, but you have understood very well how the whole thing works. This also applies to the partnership with Asimily, how the software is designed and what the benefits and business case behind it are. So thank you very much from my side for joining us today. Now I would like to hand over the last word to you.
Holger
Thank you, thank you. So from us, of course, thank you very much for letting us be there. It was great fun. I think we have got something great off the ground. I think you’ll be hearing a lot more from us in the coming months.
Arne
Thank you, Madeleine, for letting us be here.
Thank you very much and have a nice rest of the week. Take care.
Arne
Thank you very much. Bye.
Holger
Ditto, thank you, bye!