Mocana Integrates Embedded Security Software With Industrial Cloud Platforms

Mocana Integrates Embedded Security Software with AWS IoT, Microsoft Azure IoT, and VMware Liota to Protect Devices

Two constants in current cybersecurity are the growing threat from insecure IoT botnets (Mirai, WireX, etc.) and the continuing security provided by strong encryption. It is part of the mission of one venture capital-funded firm to solve the former by use of the latter.

Mocana was formed in 2002 as an embedded security software company for military applications. With the help of venture capital ($11 million in May 2017 brought the total to $93.6 million), it has expanded into ICS and both the industrial internet of things (IIoT) and consumer IoT.

“We’re a crypto company,” Mocana’s CTO Dean Weber told SecurityWeek. “While traditional security has been to provide barriers and layers of network controls — even for IoT devices — we offer a different approach. We use cryptography to build a trust platform for IoT, mobile and industrial devices.”

The trust platform is provided as source code to device developers, who compile it into different target devices. “We’re building in trustworthiness from the ground up,” explains Weber. At a simple level, it can be viewed as a replacement for the widely used and hugely abused OpenSSL. Mocana comes in at about one-sixth the size of OpenSSL and, says Weber, “is an order of magnitude faster.” It has, since 2002, never had a Common Vulnerabilities and Exposures (CVE) vulnerability cataloged, while OpenSSL has received around 250.

“OpenSSL provides a cryptographic library that gets calls from applications to provide services as necessary. We replace that,” explains Weber, “but we do a lot more than OSSL because we start from a root of trust on the platform, and we build an X509 trust chain. The device ends up with a trust value. That trust value represents the cryptographic trustworthiness of the platform. We’re building the foundation on a device, which could be an edge device, a sensor, an activator, a switch, a gravitometer, or a flow meter, or accelerometer or whatever.”

In effect, a cryptographically trusted edge or IIoT device can communicate securely with its device controller. “Traditionally, that device is going to talk to a gateway service, which may be a PLC or RTU, which would then be connected to a back-end service,” says Weber, who is set to speak at SecurityWeek’s upcoming ICS Cyber Security Conference. “In the industrial space that would be the ICS SCADA; in the IoT space that might be a cloud service where you bring everything together for analytics or management, or both. At each one of those layers we can provide a trust platform that guarantees through the strength of the cryptography chosen (and we support many different types of crypto) that this communication/device is secure because the crypto is intact.”

In the world of consumer IoT devices, any successful infection of the device with a bot will break the chain of trust and outbound traffic can be blocked. In ICS, the integrity of both the IIoT device and its communication with the SCADA device can be guaranteed. In the commercial world, Mocana this week announced that it has verified the integration of its IoT Security Platform with the IoT cloud platforms of Amazon Web Services, Microsoft Azure IoT, and VMware.

“Digital transformation is driving the adoption of IoT technologies that can measure the performance and status of billions of connected devices,” says Vikrant Ghandhi, industry director, digital transformation at Frost & Sullivan. “Mocana’s IoT Security Platform ensures that IoT devices can be trusted and communicate securely to the public and industrial cloud platforms. Their verification of the interoperability and integration of their cloud to AWS, Microsoft Azure IoT, VMware-based clouds, and GE Predix is a significant benefit for companies working with Mocana.”

Mocana works in the greenfield space — it helps developers produce new secure devices. This is problematic for many devices already in the field — especially in the ICS world where IT teams do not like to disturb production devices. Nevertheless, explains Weber, “Customers can get an upgrade if the existing device has either an OpenSSL cryptographic library in place, or sufficient processing power to accommodate Mocana’s one. In some of the older brownfield sites there may not be the computer power to run a cryptographic stack. In that case there’s not a lot we can do for them other than start to apply our security in the next hop up in the industrial or commercial network. We can develop unique identities for each one of those devices — at least most of the devices can handle a certificate as a function of identity — not all, but most.”

Mocana makes it as easy as possible for developers to replace OpenSSL in existing devices. It has mapped OpenSSL APIs onto its own cryptographic library, so that the OpenSSL library can simply be replaced by the Mocana library. The device will continue to function without further changes, but using Mocana’s secure software without running the risks associated with OpenSSL’s known vulnerabilities.

Mocana describes its IoT platform as providing ‘military grade’ protection. This is a term often used without any justification by companies claiming to provide strong security. In Mocana’s case, it is perfectly accurate. Mocana technology is already used inside fighter jets, helicopters, commercial aircraft, oil refineries, water systems, electric smart grids, smart buildings and smart cities.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
