Mocana Integrates Embedded Security Software with AWS IoT, Microsoft Azure IoT, and VMware Liota to Protect Devices
Two constants in current cybersecurity are the growing threat from insecure IoT botnets (Mirai, WireX, etcetera), and the continuing security provided by strong encryption. It is part of the mission of one venture capital funded firm to solve the former by use of the latter.
Mocana was formed in 2002 as an embedded security software company for military applications. With the help of venture capital ($11 million in May 2017 brought the total to $93.6 million), it has expanded into ICS and both the industrial internet of things (IIoT) and consumer IoT.
“We’re a crypto company,” Mocana’s CTO Dean Weber told SecurityWeek. “While traditional security has been to provide barriers and layers of network controls — even for IoT devices — we offer a different approach. We use cryptography to build a trust platform for IoT, mobile and industrial devices.”
The trust platform is provided as source code to device developers, who compile it into different target devices. “We’re building in trustworthiness from the ground up,” explains Weber. At a simple level, it can be viewed as a replacement for the widely used and hugely abused OpenSSL. Mocana comes in at about one-sixth the size of OpenSSL, and says Weber, “is an order of magnitude faster.” It has, since 2002, never had a Common Vulnerabilities and Exposures (CVE) vulnerability cataloged, while OpenSSL has received around 250.
“OpenSSL provides a cryptographic library that gets calls from applications to provide services as necessary. We replace that,” explains Weber, “but we do a lot more than OSSL because we start from a root of trust on the platform, and we build an X509 trust chain. The device ends up with a trust value. That trust value represents the cryptographic trustworthiness of the platform. We’re building the foundation on a device, which could be an edge device, a sensor, an activator, a switch, a gravitometer, or a flow meter, or accelerometer or whatever.”
In effect, a cryptographically trusted edge or IIoT device can communicate securely with its device controller. “Traditionally, that device is going to talk to a gateway service, which may be a PLC or RTU, which would then be connected to a back-end service,” says Weber, who is set to speak at SecurityWeek’s upcoming ICS Cyber Security Conference. “In the industrial space that would be the ICS SCADA; in the IoT space that might be a cloud service where you bring everything together for analytics or management, or both. At each one of those layers we can provide a trust platform that guarantees through the strength of the cryptography chosen (and we support many different types of crypto) that this communication/device is secure because the crypto is intact.”
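The chain described above (a root of trust on the platform, an X.509 chain built on it, and a gateway or cloud service that accepts the device only while the chain verifies) can be shown with the Go standard library alone. The following is an added example, not Mocana's code and not a description of its API: it builds a constructed three-level chain (a manufacturer root, a plant-level issuing CA, and a device identity certificate), then checks that a verifier holding only the manufacturer root accepts that device and rejects an otherwise identical certificate that chains to an unknown root. All names, the P-256 key choice and the client-authentication key usage are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed serial numbers, unique within this demo

// issueCert creates an ECDSA P-256 key pair and a certificate for subject.
// With parent == nil the certificate is self-signed (the root of trust);
// otherwise it is signed by parentKey, the private key behind parent.
func issueCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A device identity certificate: usable for client authentication only.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DeviceTrusted is the check a gateway or cloud service runs on a device's
// identity certificate: every signature must verify and the chain must end at
// the root the verifier already trusts.
func DeviceTrusted(device *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := device.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// TrustChainDemo builds the constructed chain and an unrelated root with its
// own device certificate, and reports whether each device verifies against
// the manufacturer root.
func TrustChainDemo() (genuineTrusted bool, rogueTrusted bool, err error) {
	root, rootKey, err := issueCert("Example Manufacturer Root (constructed)", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	issuing, issuingKey, err := issueCert("Plant Issuing CA (constructed)", true, root, rootKey)
	if err != nil {
		return false, false, err
	}
	device, _, err := issueCert("flow-meter-0001 (constructed)", false, issuing, issuingKey)
	if err != nil {
		return false, false, err
	}
	// Same subject name, but the identity chains to a root the verifier does not hold.
	otherRoot, otherKey, err := issueCert("Unknown Root (constructed)", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	rogue, _, err := issueCert("flow-meter-0001 (constructed)", false, otherRoot, otherKey)
	if err != nil {
		return false, false, err
	}
	genuineTrusted = DeviceTrusted(device, []*x509.Certificate{issuing}, root)
	rogueTrusted = DeviceTrusted(rogue, nil, root)
	return genuineTrusted, rogueTrusted, nil
}

func main() {
	ok, rogue, err := TrustChainDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine device trusted: %v\n", ok)    // true
	fmt.Printf("rogue device trusted:   %v\n", rogue) // false
}
```

The point the example makes is that the verifier never needs the device's private key or any shared secret: it holds one root, and a certificate with the right name but the wrong signing chain is rejected by the same call that accepts the genuine one. Where the article describes this check repeating at each hop (device, PLC or RTU gateway, SCADA or cloud back end), each hop would run `DeviceTrusted` against the root it is configured to trust.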
In the world of consumer IoT devices, any successful infection of the device with a bot will break the chain of trust and outbound traffic can be blocked. In ICS, the integrity of both the IIoT device and its communication with the SCADA device can be guaranteed. In the commercial world, Mocana this week announced that it has verified the integration of its IoT Security Platform with the IoT cloud platforms of Amazon Web Services, Microsoft Azure IoT, and VMware.
“Digital transformation is driving the adoption of IoT technologies that can measure the performance and status of billions of connected devices,” says Vikrant Ghandhi, industry director, digital transformation at Frost & Sullivan. “Mocana’s IoT Security Platform ensures that IoT devices can be trusted and communicate securely to the public and industrial cloud platforms. Their verification of the interoperability and integration of their cloud to AWS, Microsoft Azure IoT, VMWare-based clouds, and GE Predix is a significant benefit for companies working with Mocana.”
Mocana works in the greenfield space — it helps developers produce new secure devices. This is problematic for many devices already in the field — especially in the ICS world where IT teams do not like to disturb production devices. Nevertheless, explains Weber, “Customers can get an upgrade if the existing device has either an OpenSSL cryptographic library in place, or sufficient processing power to accommodate Mocana’s one. In some of the older brownfield sites there may not be the computer power to run a cryptographic stack. In that case there’s not a lot we can do for them other than start to apply our security in the next hop up in the industrial or commercial network. We can develop unique identities for each one of those devices — at least most of the devices can handle a certificate as a function of identity — not all, but most.”
Mocana makes it as easy as possible for developers to replace OpenSSL in existing devices. It has mapped OpenSSL APIs onto its own cryptographic library, so that the OpenSSL library can simply be replaced by the Mocana library. The device will continue to function without further changes, but using Mocana’s secure software without running the risks associated with OpenSSL’s known vulnerabilities.
Mocana describes its IoT platform as providing ‘military grade’ protection. This is a term often used without any justification by companies claiming to provide strong security. In Mocana’s case, it is perfectly accurate. Mocana technology is already used inside fighter jets, helicopters, commercial aircraft, oil refineries, water systems, electric smart grids, smart buildings and smart cities.