Fulup Ar Foll, Founder and Lead Architect, IoT.bzh
Graham Williamson, Director APAC / Senior Analyst, KuppingerCole
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Phillip, what is the smart city for you? That's a, a big question.
It, it probably depends who you talk to, but the smart city is clearly the integration of the difference objects that are moving in the city. So it's, it's obviously a lot of cars, but also a lot of other vehicle bicycle pedestrians, but also all infrastructure. And most of the people in fact include the building management inside the smart city as being one element of the city itself. Yeah. So potentially also then the communication between the cars.
So for instance, 10 years ago, I had a discussion with one guy who, who wrote his PhD about the topic on an intersection of two cars, arrive, how they communicate interchange information and all that stuff. Is this a particular topic for smart city or is this a general IOT topic more or less, or is this an identity topic at the end? Honestly, I, I, the car not going to talk too much in between themselves because no one is ready to trust information coming from another car.
So that's very hard to even if there are some experiment on, on how we could implement that, technically it's going to be hard to, to go real life with that. On the other hand, what we see today is we have a roundabout or, or, you know, big traffic light where you have camera and the camera effectively are looking and filming the scene and they can send information to the car.
And, and the first information is probably more to, to buses. So for example, the buses can know if there is a pedestrian on the next street, so the buses can slow down or stop. I would expect that this type of scenario are going to be more and more generalized in, in, in all the cities. Yeah. Perfect. And I can see that Graham spec. So just for information, Graham, I've already asked him the question, what is the smart city for you? But now I would hand over to you.
Okay, thanks for that. I appreciate it.
The, actually for this session, we are talking about, well, securing clouds of things, but we we're using both smart cities and plant automation. Now, when I first saw that, Phillip, I really did think those are very different, right? We're using narrowband LPWAN type stuff in for smart cities to communicate from our parking lots and things like that. But in plant automation, we, we typically want to use in-house infrastructure that gives us the, the network capabilities we need and the bandwidth that we need.
So why we, why did we put those two together? What's the similarities and the differences we need to consider.
So in, in, in every devices, you know, and that's true, not only for smart cities, that's true for most of the industrial devices, we select whatever transport capability we have. So one of the very strong requirement we have for many devices in smart cities that they have to be self powered. So they run on battery and sometime you want the battery to last for 10 years. Okay. And if you want to have an equipment that can connect on the network and at the same time, run the battery for 10 years, you have to be extremely smart on everything, including the, the bandwidth management, obviously.
So there is a huge value in having a very small bandwidth in some specific case. And, and one of the key requirements obviously is a power consumption. Yeah. Okay. And that that's then the, the difference there, what are the similarities?
Why, why are we treating, why are we saying that in, for both of these situations, the securing the cloud is, is absolutely central. You know, this is what was said before.
You know, you have so fast of attack. And one point we, we did not approach that the hacker will always attack the, the weakest point of your security. So if your weakest point of security is a narrow bandwidth network, they're going to attack that one. If the weakest point is the, the big pipe they're going to attack the big pipe. So whatever is your entry door at the end of the day, you get in the system. And when you are in the system, you are able to inject malware and potentially to change the behavior of the device.
So I don't see any difference from a security standpoint of view in between narrow networking or bit networking, both need to be secure. Obviously it is very often harder to, to, to secure a narrow bandwidth network because the equipment at the end of a narrow bandwidth network is typically pretty simple. And so you have extremely limited capability in what you can do and what you cannot do. Yeah. Okay. And would you see that they're both equally vulnerable?
You, you mentioned that it like, so for instance, if I'm dealing with a, a, a parking lot, a sensor that's been put in the ground for 10 years, and I want my battery light to last 10 years, that would be kind of difficult for a hacker to do anything with, if I'm talking about a plant automation system where I have devices throughout my plant, and I've got communications going between them, I would think that would be more vulnerable. Yes or no. It's not obvious. Or honestly, we we've seen a lot of people coming in with very dumb devices. I I'll take a sample in a car, in a car.
You know, the, the sensor are connected by canvas and canvas is not protected, so anyone can inject false data in a car through the canvas. Okay. So here again, there is no magic answer. It really depend on the context. Historically, honestly, most of the, what we call MCU in our, in our domain, which is microcontroller did not have enough power and bandwidth to implement crypto crypto a or authentication model. So most of the exchange were done in Clearex, which more means that the security was done by the gateway. Okay. And this model is still through, in most of the implementation.
In fact, it has to change. Okay. Because it has been proven that people can get in and inject data in the system, through the, the dump device as well. Yeah. Okay. In terms of security measures, how do the two scenario these two scenarios differ in terms of a cloud deployment? Are they both equally capable of, of cloud we're talking securing cloud? Is that as important in smart cities as it is in our automated manufacturing? You know, one of the issues we have with cloud is that the API are changing too often. Okay.
If, if you look for web API, typically every six months, you get a new one and you know, if you want to use Google API, you know, they probably going to be obsolete before your device is going to production. So if, if you look for like a boat, typically you have three to five years just for the design card time.
You know, a car is probably something equivalent. If we talk about the submarines, probably like 20 years. Okay. So we need a lot of stability in time. And unfortunately the web today does not offer that. So as a result, most of the industrial protocol today are, are pushing their own security until the cloud. And you only start to implement cloud API when, when you reach, let's say what people call the edge. Okay. Which for us is not the far edge.
So we are not in the embedded world anymore, but we are in something that is very similar to the cloud, but the border is, is not like it's not black and white. Okay. There are a lot of gray zone where depending on your context, you may have to implement some, you know, cloud protocol also at the edge. But for car industry, for example, today is not the case.
I, I'm not aware of any cars that connect directly on internet. All of them are connecting through a gateway that is controlled by, you know, the em, whether it is a LER, Merc, or Toyota and so on. And it's the same thing for the connected cities that I know. Okay. Okay. Very good. Let's just talk for a moment about the security vulnerabilities in terms of cloud infrastructure.
I'm, I'm, I'm an optimist. I'm thinking that as we adopt more and more cloud infrastructure for IOT applications, it'll actually drive better processes, particularly in the software development side of things. The cloud forces us to, to containerize, to focus on microservices. Do you see that as improving what in the past we we've experienced in terms of poor security practices? Clearly two of the techniques that came to the cloud two age devices, one is containerization. We have containers everywhere, even if it is very hard to use the same type of containers.
For example, at my company, we've been funding to, to work on very small containers that we can start in 10 millisecond. And so, you know, that one issue, the cloud does not care about another element that is extremely important is how you update your system in, in, in the past the system where update very rarely when they were like, like, you talk about a sensor in a parking, they probably would, you would never update them today. We know we have to update them. Okay. And this is also coming from, from Cal technology.
So this notion of rolling release is clearly something that is gaining adoption in theh as well. Yeah. Okay. Any other comments?
Like, I mean, I don't want to restrict this to just questions that I might have. What, what if there was one message you wanted to get across to us from your you've been in the business a long time? What would it be when it comes to cloud securing cloud of things? I think the border is going to be less and less visible in between cloud and age and far edge. Okay. You see more and more technologies that is moving from one world to another one. You talk about service oriented architecture.
And today, for example, we, we have a mechanism where in some circumstances, you, you want to run the service in the cloud. In some cases you want to run it directly on the edge, or even the far edge, depending for example, on the connectivity. And you want this to be transparent to the development and to the security model.
So for me, the biggest issue is, is how people are going to implement a global security model, where your security is able to move from the cloud to the sensor. Okay. Without creating some oil in, in your, in your architecture, that's clearly something that need to be worked out a second clearly issues in the embedded world is people are using far too many specific stuff, starting by the hardware. Okay. And so we clearly need more normalization. Okay. And open ID is one of them, but it's not the only, the only one. Okay.
And without normalization, we, we are never going to succeed in moving to the level of scales that the market is promising. Yeah. Thank you. Do we have any questions from the floor? Do we have any questions, any audience members you'd like to know anything? No. Then I have a question for you. What has been a most surprising experience as you're working with customers on this topic? You know, the, the, the, the most, yeah. What is the most surprising thing?
I, I think it is when we, we worked five years ago for Samsung and Samsung realized that the, the media vendors will not deliver the content to the Samsung TV, is that we're not secure enough. I think that that was like a, a huge discovery for those people or nicely, the alternative market is not there yet. They did not realize that potentially they're going to lose businesses. They do not implement the security the right way.
So that's, that was a, a, like a big surprise. And the surprise we see today is more and more people coming to us. They initially told us that we were completely stupid to go to standard approach and try to, to use our cloud technology at the edge. And now they start to realize that this is what they have to do. Okay. So that's obviously always a good thing. When you see people coming back with, you know, at the end of the day, your idea was not that stupid. Maybe we should talk about it. And so that's a bigger satisfaction, especially for a small company like ours.
Yeah, Yeah, Yeah. I, I, can I just make a comment on that?
I, I think you've hit the nail on the head, but the biggest issue we have right now is for people for the whole industry to raise, to raise the bar on our understanding of the security requirements that we have and bringing people along. I mean, you know, I'm very pleased this topics being con being discussed at EIC because it's these sorts of, of, of locations that people understand and start to think through what they have to do. So you bring up a very good point.
We need to raise the whole industry in terms of its their understanding of, and designing the capabilities we need to secure ourselves. Then a big thank you from our end to you to Graham. Thank you very much. Thank You. Thank you.