Thursday, March 9, 2017
Interview With Paul Myer, Veracity: Why The Industrial Internet Needs Security
In an age where topics like Russian hacking, CIA hacking tools and the stability of the power grid and industrial networks has suddenly become important, there are only a few companies tackling industrial network security directly. One of those is Aliso Viejo-based Veracity Industrial Networks (www.veracitysi.com), led by CEO Paul Myer. Paul sat down with us last week to talk about industrial networks, network security, and why suddenly those systems--used for manufacturing, the power grid, oil and gas, and other key infrastructure--need their own security tools. Veracity, which is backed by Microsemi and Frost Data Capital, recently inked a contract with the U.S. Department of Energy to help develop tools to secure the power grid. Myer is a veteran IT security executive, having recently been at 8e6.
Thanks for the time today. For those who haven't heard of Veracity, what is it you do?
Paul Myer: Veracity Industrial Networks is a startup in the industrial network security segment. Industrial networking is a new category for me, personally, and I only started here two years ago. However, if you think about IT security, all the systems everyone is familiar with, ERP systems, web, and email, and other basic network systems, all those systems that are designed to run companies, my history and background is in securing those platforms. However, industrial security is very different. That's what we call OT, or Operational Technology. OT networks had a parallel development track with IT systems, but had primarily been focused on industrial applications. They are used in factories, manufacturing, oil and gas, chemical processes, and critical infrastructure such as the power grid. All of the machines that those kinds of companies run on, over the last twenty years, have become automated. There are more and more valves, actuators, and pumps, as well as monitoring platforms, which have become computerized over time, especially over the last four or five years. They have increasingly become connected via internal networks, and over the last three years, they've increasingly been also connected to the Internet.
The problem with that, is these systems, in the early days, were air-gapped from IT networks within the same organizations. If you were a big company like Proctor & Gamble, for instance, you'd have a whole side of your business with IT, for your sales, marketing, and financial folks. However, your 75 other plants worldwide which were building products were running on completely different networks. Those networks were not connected, were air-gapped, and not connected to the Internet at all. Those were discrete manufacturing processes, intelligent devices like robotic arms, to build products. However, in the last ten years-- especially with the power grid--regulatory agencies have started to demand that those systems be able to be monitored for compliance. As they did that, they were not only increasingly connected internally, but people started to have remote access to those same systems. That allows you, for example, to access your factory in Dubai, rather than having to always fly to the site. You can remote in, pull some logs, and pull compliance data and reports. The big industrial control systems vendors, like Rockwell Automation, Emerson, Yokogawa, and GE, have also increasingly been building systems with web servers into the end devices, so that you can monitor them remotely. That lets you track processes remotely and saves them a ton of time, which is more efficient. But, at the same time, because all those systems are designed to be air-gapped, there has been zero security built into those same systems.
How did the company start working on this area?
Paul Myer: Veracity was originally part of Frost Data Capital, as part of their incubator. We raised money from Frost Data Capital. They are backed by GE and others, who are trying to solve problems in the functional areas of industrial, financial services, and healthcare. Veracity was part of that industrial focus. The primary focus was on big data analytics for industrial systems, and particularly, predictive analytics and data about industrial processes. What they realized, in the process of pulling large scale data from industrial networks, is they realized all of that was bypassing internal network security. Those industrial networks were now exposed to IT infrastructure and were a security risk that didn't exist previously. Frost came up with the concept to help lock down those networks, because no one else was. Cisco doesn't do this, Palo Alto Networks doesn't do this, no one does this. You can't take a firewall which was designed for an IT network and deploy that into an industrial network, because those systems are based on proprietary algorithms and unpublished specifications. That's how Veracity was born.
That was more than two years ago, and we exited the incubator, and are now working with another local company here in Orange County, Microsemi, in Aliso Viejo. They invested $1M in Veracity in April of last year, and we just recently had another seed round of half a million from Microsemi, and another investor, Hollinbeck Financial, plus other individuals. We've now exited the incubator and actually have an office at Microsemi. We also have a development office in Atlanta, where most of our developers sit. We're in Atlanta, because that's where a lot of the industrial control vendors are based out of. It's both a little less expensive there, but really, it's because they understand those industrial control systems.
Do you think there is more awareness of the security issues in this area as a result of Stuxnet?
Paul Myer: On the IT side, the primary area people worry about security, if you don't lock down your systems, you are going to lose important data. It will cost you money, or people will steal your money, or it will cost you a customer. In the industrial area, they don't care about any of that. Their number one concern is if their systems are running, and that they are safe, because they don't want things to blow up and kill people. The third is operational efficiency. The fourth is finally security, which is not a high priority. There are a few exceptions, however, when it comes down to power generation and distribution. That's a heavily regulated area, by the Department of Energy and NERC, which supervises and requires specific security for the grid. It's more compliance driven in that segment. The second, was actually Stuxnet, which became a watershed moment. That was the first concrete example of a concrete cyber exploitation of an air-gapped system, and it caused real, physical damage. The other event which has driven awareness is in late 2015, when Russia hacked the Ukrainian power grid, and essentially shut down their power using a cyber attack. That was a shot across the bow worldwide. That's about the same time the Department of Energy put together a program to regularly fund projects to secure or improve the grid. After the Ukraine event, we spearheaded a project to address those issues, and in 2016, we put together that project to reduce the attack surface on the U.S. power grid, and help commercialize those tools for the power sector. For that bid, we put together a successful proposal, along with Schweitzer Engineering Labs in Pullman Washington, as well as two industry partners, Ameren Energy out of Illinois, and Sempra Energy out of San Diego. We won that in late 2016, and have now kicked off a $4M project to help provide security as part of the team for the Department of Energy.
Given you background in the IT space at 8e6, what drove you to refocus on the industrial sector?
Paul Myer: That's a great question. I personally have been part of three different market opportunities in my career, which were brand new approaches to solving unique problem sets. The first one was when I left school, and I joined a company working on laptop computers. That was a watershed moment for portable computing. The second was at Compaq, when we launched the first, local area network file server based on commercially available technology, as the world was moving from mainframe and microcomputers to purpose built file servers from PC manufacturers. The third was the launch of e-commerce, and all of the shipping and logistics platforms for e-commerce. I had seen all three of those watershed opportunities in technology, and was part of them. This is exactly the same kind of watershed opportunity. It's a green field opportunity. Depending on who you believe, indsturial networking is going to be a $19 billion business. It will be big, and it's already very large and growing quickly. I think we have a unique market opportunity to provide a service and solution, which will be driven by the Internet-of-Things (IoT). That's fairly new to consumers, but industrial companies have been building IoT for the last 15 years, and it's already been proven out. Traffic on those industrial networks is all machine-to-machine traffic, and it's all about locking down and securing that, and ensuring they do what they are supposed to do. It's a huge opportunity which hasn't been solve before. It's fun, exiting, and in the long term, I think we're setting the standard by which people will be judged.
Finally, what's next for you as a company?
Paul Myer: As a company, we're working on that DOE project, and doing our first proof-of-concept with Ameron and Sempra. We are starting to work on March 15th with Ameron, and April 15th with Sempra, and we expect our first shipments will be in June of this year. We are pre-product but past proof-of-concept, and we've proven things out, although we haven't yet completed development work in conjunction with those strategic partners. The next big thing, publicly, will be the release of our product in June, and what you'll see mostly in 2017 are pilot projects, and proving out the platform in these large, industrial networks. In 2018, we hope to see widespread adoption of our product. It's still very early days for Veracity and this segment.
Thanks, and good luck!