Nashville, TN-based IoT security firm Phosphorus Cybersecurity has raised $38 million in a Series A funding round led by SYN Ventures and MassMutual Ventures. Phosphorus discovers IoT devices and delivers timely, automated patching and credential rotation for them, in what it calls the ‘Security of Things’.
Phosphorus was founded in 2017 by Chris Rouland (CEO), Earle Ady (CTO), and Rebecca Rouland (CFO). Chris Rouland is no newcomer to start-ups, having previously founded Bastille and Endgame. He also stood up the X-Force division at IBM, where he was CTO and Distinguished Engineer.
Phosphorus was born from an epiphany. In 2016 Rouland read a paper from the University of Wisconsin analyzing a 13-year-long IoT DDoS attack (one of the earliest of its kind, primarily targeting Netgear devices). The paper showed that during this period there was a hypothetical half-life of seven years for embedded routers to receive a patch. “I’m thinking,” he told SecurityWeek, “if all these little computers out there take seven years before half of them are patched, this is the biggest cybersecurity problem I have ever come across.”
It is a huge and growing problem. With a global population of something like 46 billion IoT devices expanding at around 30% per year, many if not most are unpatched and vulnerable to attack.
Rouland started by mapping out a few ideas, building an IoT lab, and employing a few interns. He was quickly able to demonstrate that he could push out automatic IoT patches in the same way that Microsoft automatically updates Windows. With an early beta customer, he was able to patch 10,000 devices in four hours. On the back of this he raised $5 million seed funding in August 2017.
But customers began to ask if he could manage the IoT credentials as well as the patching. This is a different but similarly important problem for IoT: he found that about half of the devices he was patching still had the default password. But he didn’t want to get into the password storage business.
So, “We took all the IoT passwords and put them into a password vault, and we let the vault tell us when to change a password and how strong it needs to be. With these two capabilities, password management and patching, we’ve solved the two biggest security issues of embedded devices in today’s enterprise.”
But one problem remained. “We’d been asking our customers to complete a document that would demonstrate ‘proof of value’,” explains Rouland. “Part of this was to request a list of all their devices. No-one had a list. We had mistakenly assumed in 2019 that everyone had their own inventory – but they don’t. So, we had to build in discovery capabilities to go find the things that we were going to patch.”
Phosphorus’s Security of Things platform now finds the things, manages their credentials, and automatically applies patches when they are ready. It doesn’t block malware, because you cannot install agents on all these things. If malware gets onto a device before the relevant patch is applied, Phosphorus can detect it because the firmware on the device no longer matches what the vendor shipped.
In such cases, an alert is issued to the customer, and the thing can be remediated automatically if the customer wishes. Where a vendor repeatedly declines to issue firmware updates, that too generates an alert. The customer then has the option of replacing the device with one from a more reliable vendor.
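The three conditions the platform is described as alerting on (a default credential still in place, firmware on the device that no longer matches the vendor’s image, and a vendor that has stopped shipping firmware) can be checked from an inventory without an agent on the device. The following is an added illustration written for this page, not Phosphorus code and not a description of how its product works internally. Device records, vendor names, firmware images, default credentials, patch dates and the three-year staleness threshold are all constructed assumptions; in a real deployment the known-good hashes come from images fetched from the vendor and the device image is read back over the device’s own management interface.

```python
"""Added illustration (not Phosphorus code): a compliance pass over an IoT
inventory that flags default credentials, firmware that does not match the
vendor's known-good image, and vendors that have not shipped firmware in years.
Every device, vendor, image, hash and date below is constructed sample data."""
import hashlib
from dataclasses import dataclass
from datetime import date

# Assumption for this example: no vendor firmware release in 3 years => flag.
STALE_PATCH_DAYS = 3 * 365


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: SHA-256 of the vendor's known-good image per (vendor, model, version).
# Real images would be fetched from the vendor and hashed once; only the hash is kept.
KNOWN_GOOD_HASHES = {
    ("AcmeCam", "IPC-200", "2.1.4"): sha256_hex(b"acme ipc-200 firmware 2.1.4 (constructed image)"),
    ("BoltRouter", "BR-90", "1.0.9"): sha256_hex(b"bolt br-90 firmware 1.0.9 (constructed image)"),
}

# Constructed: factory-default credentials per (vendor, model).
DEFAULT_CREDENTIALS = {
    ("AcmeCam", "IPC-200"): {("admin", "admin"), ("admin", "")},
    ("BoltRouter", "BR-90"): {("admin", "password")},
}

# Constructed: date on which the vendor last published any firmware for the model.
LAST_VENDOR_FIRMWARE = {
    ("AcmeCam", "IPC-200"): date(2023, 5, 10),
    ("BoltRouter", "BR-90"): date(2015, 2, 1),
}


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: str
    model: str
    firmware_version: str
    firmware_image: bytes  # image read back from the device during discovery
    username: str
    password: str


def check_device(dev: Device, today: date) -> list[str]:
    """Return the list of findings for one device (empty list = compliant)."""
    findings = []
    # 1. Credential still at the factory default for this vendor/model.
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS.get((dev.vendor, dev.model), set()):
        findings.append("default-credential")
    # 2. Firmware on the device must hash to the vendor's image for the version
    #    the device reports. A version the vendor never published is flagged too.
    expected = KNOWN_GOOD_HASHES.get((dev.vendor, dev.model, dev.firmware_version))
    if expected is None:
        findings.append("unknown-firmware-version")
    elif sha256_hex(dev.firmware_image) != expected:
        findings.append("firmware-mismatch")
    # 3. Vendor has not shipped firmware for this model within the threshold.
    last = LAST_VENDOR_FIRMWARE.get((dev.vendor, dev.model))
    if last is None or (today - last).days > STALE_PATCH_DAYS:
        findings.append("vendor-not-patching")
    return findings


# Constructed inventory: one clean camera, one camera with an implanted image and
# default password, one router at default password from a dormant vendor, and one
# router reporting a firmware version the vendor never released.
SAMPLE_DEVICES = [
    Device("10.0.0.11", "AcmeCam", "IPC-200", "2.1.4",
           b"acme ipc-200 firmware 2.1.4 (constructed image)", "svc-cam", "Xq8!vR2#pL"),
    Device("10.0.0.12", "AcmeCam", "IPC-200", "2.1.4",
           b"acme ipc-200 firmware 2.1.4 (constructed image)" + b"\x90\x90implant", "admin", "admin"),
    Device("10.0.0.13", "BoltRouter", "BR-90", "1.0.9",
           b"bolt br-90 firmware 1.0.9 (constructed image)", "admin", "password"),
    Device("10.0.0.14", "BoltRouter", "BR-90", "1.2.0",
           b"unrecognised image", "admin", "S3cure-enough"),
]


def audit(devices: list[Device], today: date = date(2024, 1, 15)) -> dict[str, list[str]]:
    """Map each device IP to its findings."""
    return {d.ip: check_device(d, today) for d in devices}


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_DEVICES).items():
        print(ip, "OK" if not findings else ", ".join(findings))
```

The "unknown-firmware-version" case is the one worth pausing on: a device reporting a version the vendor never published is either a mis-maintained hash list or a device whose firmware has been replaced wholesale, and either way it cannot be patched until the discrepancy is resolved. The comparison is also only as good as the image read-back; a compromised device may lie about what it is running, which is why a hash match lowers suspicion but a mismatch is the reliable signal.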
“Before Phosphorus,” said Rouland, “tens of thousands of embedded devices were completely out of compliance with their companies’ security policies. They had never been patched in 10 to 20 years, and the passwords had never been changed. We just automate the whole process and fix it.”