
OT Security Made Simple meets IoT Use Cases. Klaus Mochalski talks to Madeleine Mickeleit, Managing Director of IoT Use Cases. Together, they shed light on the power of other companies' use cases in the realization of own projects, the added value of security solutions for completely unrelated use cases and the (also monetary) benefits of sharing experiences with the community.
Listen to us:
Transcript
Klaus Mochalski
Hello and welcome to a new episode of OT Security Made Simple. I am Klaus Mochalski, founder of Rhebo. My guest today is Madeleine Mickeleit from IoT Use Case. Madeleine, please tell us what you do at IoT Use Case and what problems you deal with in your day-to-day business.
Madeleine Mickeleit
Yes, with pleasure. And hello Klaus. Thank you very much for the invitation today. I'm very happy to be here. I'm Madeleine, founder and managing director of IoT Use Case from Berlin in Germany. We started at the end of 2019 and we are particularly interested in the practical side and how IoT really works in implementation. That's why we run a platform where we show examples of solutions that are already being used in practice, complete with a business case. And we run a community where people can also exchange best practices.
Klaus Mochalski
IoT Use Case. IoT is a very broad field. Here in the podcast, we mainly deal with the topic of OT security. I always include the IoT sector, i.e. the industrial sector of IoT, in this. And we've already talked about security challenges here in the podcast, for example how to protect large fleets of devices, technical devices such as battery storage systems, against cyber attacks. What scenarios have you seen so far in the area of OT security in particular?
Madeleine Mickeleit
Well, in every area. But you could say that security is almost a cross-cutting issue that is incorporated horizontally into every project to some extent. In other words, we have a fantastic number of projects where it is always a building block. And of course we know it from the Rhebo environment. For example, you do anomaly detection in networks. Of course, this is also a very important point that is involved in many projects.
Especially in the critical infrastructure environment, where many operators also want to detect network anomalies, for example, in order to simply anticipate attacks that may not have been known before. And there is always an element of security in every project. But the characteristics are always a little different. But of course in the best case it should always be considered, which is not always the case. But yes, in many projects that we know, [cyber security] is always a building block.
Klaus Mochalski
I like to hear that. Because it's always frustrating to see how time-consuming and expensive it sometimes is to retrofit security into existing systems. We see this above all in the industrial sector, where we are sometimes confronted with existing systems that are 10 or 20 years old. It would be all the more frustrating in a relatively new area like IoT if this wasn't considered from the outset, because it can never be cheaper or more efficient than planning it in from the outset.
In this regard, we talked in preparation about how to classify and categorize the use cases that you in particular have observed. The field is very broad and it is often used as a catch-all phrase. But it is actually very, very diverse. How do you think they can be categorized and classified, and how does that help users and customers?
Madeleine Mickeleit
To perhaps go back to the first part of what you just said. I think what's very, very special about IT projects is that you don't really know at the beginning what will actually come at the end, what might still come in the future and whether that might be particular data or devices and machines that you network. And so there are certain gaps. But perhaps we'll come back to that in a moment.
Klaus Mochalski
Security always comes. I think that's the issue you can't lose sight of. No matter what you build. Security is always an issue.
Madeleine Mickeleit
Yes, exactly. You're the expert here. But perhaps that's the project itself, what we're dealing with and how the issue of security always plays a role. We've looked at thousands of projects over the last few years, and I speak to five or six different companies almost every day. These are often manufacturing companies, but also operators of critical infrastructure.
And many companies implement different use cases, so to speak. For me, a use case is – I can perhaps give you an example: We have just got a new topic in. It's about classic condition monitoring. Everyone knows the term at first, but in concrete terms it's about detecting breakages, for example. In this use case, it's about so-called energy chains that are used by a port operator for certain cranes. And these energy chains carry cables, for example. Ultimately, this is like a channel for them. And here, so to speak, it is a matter of carrying out this breakage detection, for example due to tensile and shear forces. And in order to do this, we look at our database to see whether we have other customers who are perhaps similar to this port operator and have already implemented a solution in one way or another. In other words, we look a little bit at the industry to see whether there are already known solutions in the industry, but also according to various criteria.
And in the end, that's where the implementation of the project comes into play. In other words, data acquisition, data transfer, integration, security, IT, OT, but also data analysis. And we structure these projects behind them, so to speak, in order to simply help the users to say: Hey, this project has been done before in this or a similar way! We then take a look at our database and can also help with, let's say, ready-made products, solutions and technologies that have been used before. Something like that. I hope that was understandable. A little bit.
Klaus Mochalski
That's where I have a follow-up question. Of course, that makes sense at first. If I, as the operator of a system or infrastructure, am dealing with an IoT solution for a problem like the cable inspection problem you described, it naturally makes sense to look at how others have solved this in similar areas. Of course, there are many different problems that I can imagine. And the question is, how can I categorize this solution so that it is really helpful? So that I can find solutions that are sufficiently close, even if there is perhaps no solution in this direct area.
So, perhaps there is no other port provider that has already solved this exact problem. But there may be a manufacturer that operates a factory hall with robots, and it also has a cable wear problem there. We've actually seen this before and you could say that this is perhaps similar enough. How do you make this categorization in order to really convey the added value to the customer?
Madeleine Mickeleit
Yes, exactly. So in the end, we first look at the project from above and then we have different categories. One is the classic use case, which ultimately involves the business benefit with a euro amount or perhaps a sustainability aspect. Then we look at the asset, for example the device, the machine or other devices that are networked, because they always have similar characteristics. For example: Is this asset in a certain infrastructure, i.e. the energy chain, static or mobile? Take the driverless transportation system, for example. That is a moving asset. You also look at criteria like this, right down to the data that you might also need. In other words, data types. At what intervals does it need to be sent? Is it real time, i.e. hard real time? Or do I perhaps need to send it once an hour, maybe even just once a quarter? We look at this different information.
And what is also very important is the customer itself. So, for example, if I have a port operator, not only is the use case similar, but also the asset type, but also the customer structure behind it, i.e. similar port operators. And then we look into which industries there are in this segment. What is the persona behind it? Is this a classic maintenance case or, for example, something like the question: In which functional area does this occur? Is it in logistics, in the supply chain? There are many different criteria.
And in the end, we look at these criteria in order to find suitable solutions. And also technologies, because not every technology necessarily makes sense. If I only want to send data types or data every second and not in hard real time, for example. There are also differences as to which technologies I might want to use.
Klaus Mochalski
In other words, if I understand correctly, you don't have a formal category system that is predefined, but rather, when you have a new requirement from a customer, you look in your database using corresponding filters and search criteria to see whether there have been similar projects from which you can learn something?
Madeleine Mickeleit
Exactly, similar characteristics, which are then recurring, where the problems behind them are also recurring, where you then have suitable solutions. Exactly.
Klaus Mochalski
You mentioned the example of the port operator. How was the search for a similar case there? Are you already at the point where you have actually been able to identify similar solutions that will help to make this project more efficient?
Madeleine Mickeleit
I'm not allowed to name the customer behind it now. But there are of course various port operators who have similar challenges. And in this particular case, we worked together with one of our partners. This is the company Igus, which builds these energy chains. And we looked at the background and then actually thought about how we could help other customers who have similar problems.
And that's the case with us: Through the platform, we have various opportunities to bring users who are searching on Google, for example, to the right solutions. And that's why our idea behind it is to actually make this information available free of charge on a page where you can access it. We are planning to develop the platform further so that we no longer have to look in the database, but that users can simply [search] in a similar way to eCommerce – if you are looking for a white Adidas sneaker with blue stripes, you will end up on a page where you can find these products. And it's similar in the IoT. Just a little more complex. We are working on this therefore.
Klaus Mochalski
I could really imagine that. In other words, if I want to solve an IoT problem myself, I can ask your – you could also call it – IoT Genius who will then say: These customers have had comparable problems. And then I can at least get inspiration there, maybe even direct help.
Madeleine Mickeleit
Yes, exactly. Along the lines of: Other customers also bought... and so on. It's just a bit easier in the B2C business. In IoT, it's a level more complex, but it works. We now have real use cases that are so clear and so recurring that you really don't have to start from scratch. So it will be really exciting over the next few years to see what we can do with it.
Klaus Mochalski
Let's get back to security requirements. These are often listed at the bottom of the requirements and are often seen as a necessary evil. Because first of all, of course, it's about the specific function that I want to provide, and that's rarely a security function. Instead, it's about process optimization, capturing data and values that I couldn't capture before. Or, as in this case, the error analysis of things that previously eluded analysis because I was unable to collect this data at the specific points on site in the appropriate quantity and quality.
However, as I mentioned earlier, security always plays a role. Can your approach with classification also help to incorporate security more efficiently? Because the biggest counterargument we always hear is that security is expensive and that it doesn't produce any value. That it only becomes valuable, so to speak, when the hypothetical attack turns into a real attack – and I can actually prevent a system failure, for example, with this solution that I have on board. But if that doesn't happen, then it's just a cost. Can you help there? How to plan such OT security functions more efficiently into projects from the outset?
Madeleine Mickeleit
Of course, the fact that the categories are relatively specific means that we can also say – and this is where I find your opinion interesting – because you have tensile and shear forces, for example, where the manufacturer, in this case the energy chain manufacturer, expects certain values to occur. What happens if it is hacked? In other words, if someone connects to it and attacks exactly this data set and manipulates values, where one would say, this is not going in the right direction. And the standard IT might not realize this with the current process.
Of course, we can also say: Hey, other users have used a Rhebo solution here because we know that such data or data types are vulnerable. This plays a role in every project, where you can of course also make a recommendation, because there are fantastic examples from your customer network, who use something like this [i.e. an OT security monitoring with anomaly detection] and therefore also save costs in the end when something like this occurs. I would be interested in your views on this.
Klaus Mochalski
This is actually an added value that we always present to our customers. Because at first glance, when you think of cyber security, you think of the classic cyber attacks that we are currently dealing with. Where there is a ransomware attack, for example, where data is encrypted. And this can also happen in the industrial sector in the OT area, because I now have Windows systems in use that are vulnerable and where I also have data on hard disks that could potentially be affected. This also happens frequently. The type of attack you describe, where someone actually manipulates OT or IoT data in order to disrupt a process, is actually seen less of a challenge.
This is actually seen as less of a challenge. And this is exactly what we can cover with the anomaly detection that we offer, for example, because we don't try to identify whether an action that we observe in the communication is benign or malicious. Instead, we first look to see whether it deviates from the normal picture we have of the communication or the operation of the system. And what you describe, that values are transmitted that are significantly higher or lower than in day-to-day business, or that these data transmissions occur significantly more frequently or much, much less frequently, then these are also anomalies that may not necessarily be security-relevant at first, but can of course indicate manipulation of this kind.
I would go one step further. Security actually often offers added value that you don't see at first. Over the years, we have observed that the communication infrastructure, the network, is becoming a very important element of the infrastructure for customers in the OT sector – for example, when we look at digitized production facilities, but also, for example, the industrial control systems at critical infrastructure operators, where we still have some older equipment that is being digitized. You mentioned condition monitoring at the beginning. That's often the same as machine condition monitoring. So I monitor my systems. And we have actually expanded this [with our network monitoring with anomaly detection] and said: In such digitalized infrastructures, the network, which I need for communication in order to control the devices, suddenly becomes my most important machine. That's why we tried to expand this condition monitoring to include network condition monitoring. And not just with a focus on security, because as we all know, specific OT security incidents are relatively rare. There have also been very few targeted attacks on the OT infrastructure in recent years. But of course we also monitor day-to-day business to see if there are any deviations in communication patterns.
And that brings me back to your port example. We had a few customers here who had to deal with cable breakages – especially in the industrial sector. The cables are moved, pulled through narrow ducts and mechanical damage occurs from time to time. In other areas, a lot of work was done with fiber optics. The German automotive industry, for example, works a lot with fiber optics in production. And this glass fiber deteriorates over time under these harsh conditions with temperature changes. The optical attenuation then increases and this had to be measured. And here, too, we used our solution to detect transmission errors or transmission failures at the early stage of the deterioration processes. This enabled us to show our customers that a security solution like this can also create real operational added value for daily monitoring.
Madeleine Mickeleit
Yes, super impressive. So you can see that this use case of breakage detection can be applied to any industry and functional area. The example was from the port but, of course, this also applies to manufacturing or, as you said, no matter where these cables are located. The use case is always the same and the solution is theoretically the same. Nonetheless, it often it feels like people always start from scratch – or perhaps many do. And [we] simply recommend building on existing knowledge. That's also what we do, where we can take a more concrete approach because we know that the use case has already been solved before.
Klaus Mochalski
When you described the use case, I immediately had the same thought. Yes, of course I could install new sensors everywhere and try to detect these cable breaks. But it's often worth taking a look first: what data do I already have on site that isn't being used today, but which I can use for this purpose? And in the case of the cable damage problem I just described in a production plant, the company didn't have to install new sensors, but instead used our sensors, which were [already] installed elsewhere, to additionally query the attenuation values of the industrial switches. And it turned out that they already had all the information they needed for this, but that it had not been utilized. And it would have been commercially more than counterproductive to install new sensors, new IoT sensors, so to speak. Instead, we could simply tap into this data source with the existing sensors and make it usable.
It's often solutions like this that make projects more cost-effective and efficient. And I can imagine that a platform like yours, where there is this exchange, can work wonders and ultimately make this added value available to customers.
Madeleine Mickeleit
Yes, exactly. The infrastructure is of course crucial. And whether I have a greenfield or a typical brownfield – do I want to retrofit or do I already have the data? – that is perhaps something that has to be looked at in detail as to how you want to solve it. Or do I buy a completely new product that solves it out of the box? The problem offers various options.
Klaus Mochalski
Absolutely. Finally, if I now have a problem as an infrastructure operator where I think an IoT infrastructure in some form is the solution. What are your first steps in helping a customer like this?
Madeleine Mickeleit
So in the end, it's an initial appointment. It's a kind of sparring session where we simply look at what the use case or use cases are. And then ultimately we look at who has already solved this or something similar. In other words, we build on a standard or existing knowledge instead of starting from scratch. We look at tried-and-tested solutions and standards and then ultimately make a recommendation on how to proceed.
In our case [at IoT Use Case], however, we would arrange a contact at this point. We would make an appointment with another user [in the community] who has already solved the use case in this or a similar way. Not a competitor, but simply someone from a different industry who has already had this use case – for example, what you said about fiber optics – and has solved it in this way. So you can build on that knowledge. Or we would simply look to see which of our partners from the ecosystem can solve it. We would check the database in parallel and look at these categorizations to see if we can identify any similarities. Then we prepare this accordingly for the appointment.
And then you end up with a list of solutions and contacts. Either for best practice sharing with other users or simply partners who can help implement this use case.
Klaus Mochalski
Super. To summarize, I can only say that I encourage anyone who has a new project to contact you and see if there are already identical or comparable use cases in your large and growing database. When we talked about categorization and classification in the run-up to the episode, I initially thought: Oh, that sounds very dry.
But the added value is obvious and it's a good idea. That's why I can warmly recommend it to all our listeners who are trying to start a project in this area. And I can only thank you for your contribution. It was definitely very interesting and an exciting outlook on this field. Let's talk about this specific use case that we've just discussed sometime.
Madeleine Mickeleit
Yes, I would love to. So thank you very much for having me here today. If anyone is interested, please get in touch. Maybe you can put my LinkedIn profile in the show notes and then I'll be happy to get in touch. And thank you very much for the session today.
Klaus Mochalski
Thank you Madeleine for being here.
Madeleine Mickeleit
Thank you. All the best. Ciao.
Explore IoT Use Cases under https://iotusecase.com/en/.
Connect with Madeleine Mickeleit via LinkedIn: https://de.linkedin.com/in/madeleine-mickeleit