KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Meeting you here during that show. I think we have known each other since more or less 15 years now. Yeah. I think when I knew you, you still had some hair. Yeah. That Must very long ago. The first EIC it could have been right. 2007. Yeah. It was still in mini the city center in the technical museums. That was a cool place to have meetings. You were working on train VI vital train security networks. Is that correct? Yeah.
Been working in train at that time on the, you know, we, we implemented for the French TGV, the first CP IP network to interconnect different the, the machine with the, with the vegan. And at that time, the biggest issue was that when the train is going from Paris to breast in hands, they have to split the train in two trains. Okay. Because they have 20 years, they had 20 vegan. And so they had to do two times 20 and with the initial system, it, it require hours of, you know, system admin to reconfigure the network.
So we made a system where the system was reconfiguring automatically when the train were detached. So that, that was my Very interesting. So the background of the question is maybe one thing that we should bring to, to our audience's mind is the relationship between security and safety. Isn't that very different. If we talk about it, security and OT security. Yeah.
They, they are at the same time, very different and related. Okay. And I think I said in my presentation just now that, you know, safety is protecting human from the machine errors. Okay. And security is protecting the machine from urine bad behavior. Okay. So that's more or less different in between both. And in some cases you may use the same tools to implement that. And they have some commonality, for example, you to implement both safety and security, you have to make sure that you run the right code. Okay.
So, but obviously they are also different in, in a fact that security is, is typically under, by formal process. And you can reduce your process to something that is simple enough. So you can do a, a static proof that your processes behave as expected in the it world. It is rarely possible because most of the process are dynamic. Okay. And so the static proof is technically impossible.
And, and by definition, you don't know what is possible because you don't know how the attacker is going to attack you. Okay. It's so there is like no static definition of the potential attack. Okay. So yeah. So possible damage that could be done by an attacker on, on the it side, on the office side of an enterprise could be whatever data loss or that some secrets are stolen, but on the OT side, it could be, you know, that breaks of a car are not working and some persons get injured or even killed.
So that might be one of those differences that come into my mind, if, if I try to find out what, what those language differences are between it and OT. Yeah.
It's, it's clearly one of, of the issue, obviously that in one case, you know, the human life might be in danger. That's obviously a big challenge. This being said, if we talk about attacker, you know, it is not in the interest of the attacker to kill their customer. Okay. So they had to make sure that they keep the customer alive. So for them, for example, it is better to lock your, your car in your garage. Okay. In such a ways that you can still pay the, the runs, where to get your, your car back again. Okay.
So, so yeah. It's but yeah, obviously it depends which type of attack we're talking to. If we tackle attackers that are willing to make money, obviously, as they're not going to kill the people, if we tackle about, you know, terrorist attack, for example, it's very different. And in this case, potentially you can look for, you know, doing big, big domain on, on the system. We also had some other issue where, you know, some, some boat could not use any of the electronic system because nothing was working, which means they had no more positioning. Okay. Yeah. You like the boat example, right.
We do 30% of our business with, with maybe today. How has been the sailing season so far at your place in Louis? You know, the last time I took my boat was yesterday to go to the restaurant with some customer. Yeah. And we are going to take it back today. Yeah.
Very, Very nice. I would love to change with you Now, Martin said in this talk in his introductory talk today, once you are connected, you are on the attack. That means if, if I transpose this, that to the term industry for all, which means, you know, industrial environments that are customer driven and therefore open and hyper connected, they represent the production arm of a digitally transformed enterprise basically. And as such become as vulnerable, you named it to, for example, ransomware attacks as the, the it side of an enterprise. Yeah. Yeah.
It's we have recently seen a lot of these, of these ran Meritex that brought down industrial sides. Now, what is, what is it that we need? How do we need to rethink the way we do our OT security in such a hyper connected environment? Yeah.
I, you know, I, I said in many presentation in the past that for example, all the car are going to be connected and all connected car are going to be attacked. So that's obvious.
So I, I perfectly agree with Martin and that there is no doubt everyone's going to be attacked. And yeah, I think the last industrial attack was in Iran this week, yesterday, I think, or the day before and Say it was an attack in great Britain, for example, they don't even say that it is an attack. Yeah.
So, but yeah, we, we have many of them, so it's going to, to, to come. So yeah, so obviously the, the industrial system are exactly on the same trend as the it system. Now I'm also used to tell people, don't forget that on a car, brakes allows you to slow down, but this is also the reason why you can drive faster. Okay. And it's the same thing for cybersecurity. If your cybersecurity model is not good enough, then you cannot open your system.
And as today we've seen many and mean many companies that have been shutting down their system because they're not ready onto cybersecurity, you know, side, which means that they are effectively reducing their bus potential business, just because they're afraid of opening. It typically use case is on their update on cars or partial update on cars because they're not ready. They know that they should do it, but they're not ready to do it. So as a result, they limit the functionality of their, of their devices.
And we've seen Tesla taking the market and, and becoming extremely popular and very rich also because they pass so 1 billion on, on the trade value by being before every single leader in software. Okay. And that's obviously a big challenge. So I think Volkswagen and BMW announced recently that they're finally going to go for on their update. Okay. But I would say they are already 5, 5, 4 years late. Okay. They should have done that four years ago, which means that they don't have all this background of knowledge that they could have acquired in the, in the past four years.
And, but yeah, it's, it's important that the system have to be open because this is what the customer want. And this is the only way to implement a global connectivity. And we cannot open them if we don't have the right level of security.
As you talk about Tesla, as you mentioned, Tesla, isn't it that Tesla, the way Tesla is doing the IOT part of their product, that it's, it's a big difference to how, for example, European income manufacturers, the traditional ones have been doing it with a central computer managing most of, of the vehicle, various in traditional cars, you see many, many, many devices spread all over, all over the vehicle being representing a much more complex environment. Is that something where you would say it is a trend for the future to simplify OT environment? Yeah. It's clear.
And you know, in a modern car today, you have in between 100 and 150 CPU MCU. So it's, it's a nightmare, okay. To maintain all that running. And you clearly, you're not going to go to one, but you clearly want to reduce that. And in fact, if you look for the, the new generation of vehicle, including in Europe, you start to have less bigger CPU and, and less CPU because we can use virtualization and installation technique to, to reduce the amount of CPUs. One issue that is very specific to the automotive market is this market is mostly working by acquisition of component. Okay.
And I think one of the strange of Tesla is that they have a far more integrated model. So you may have one team that is responsible for multiple functions. So it makes much easier to integrate them under the same hat. Obviously, if you have one subcontractor doing function, one and another one doing function B running both in under the same system is very complex because no one is willing to take the responsibility of having a trouble.
So it's, it's not only technologies that has to change also the, the financial model and, and the way people develop software has to be changed. And in Europe, on Nestle, I think BMW is probably the one that has done the, the biggest part of the work today is the other one. I still have a lot of work to do, to, to move to this new model. Yeah. Thank you. Maybe one last question that leads a bit more back to your presentation regarding code and code quality, poor code quality and risk coming from that. You say that you shouldn't trust your code. Now that's easier said than, than done.
Isn't it some sort of zero trust against your code, maybe for, for the it side of our, of our listeners. Could you explain as easy as possible, maybe in a two, three steps thing, what needs to be done to make code more reliable and secure? You know, the first thing is to in French, we, we call that agriculture good sense. Okay. Which is you have to go back to the root of, of the, you know, some fundamental of the issues.
If we compare with, again, an automatic mechanical sectors that everyone understand, if, if a big company like a track company or train company is a receiver mail from Bosch that say, we have an issue with injector, from series number X to number one. Okay. They can go in their system. Introspect look for which is concern and put up a plan in, in place to say, we are going to change this. And this is how we're going to do it.
Now, if we send the same may, and we say, we have an issue with lead booth from version four, 12 to four 14. Okay. Tell me what system is impacted and how you're going to fix it. No one is able to give an answer. So I think that's the first thing. Okay. The first thing is you should know what is your inventory of software, where it is deployed and understand how you can fix a part of this software, if something is going wrong. Okay. So that that's the first step. And most of the company already cannot do that. Okay.
It's quite funny is it can do it for mechanical stuff for electrical stuff, but not for it. Okay.
And, and the second element is you, and this is, you know, one of the element in cybersecurity, in cars and probably in other industries or new specs that just came out, which ISO 21, 4, 3, 4, okay. Which is a risk assessment method.
And, and it is going to be Ary in Europe for any new car by 2023, baby is going to shift a little bit, but you know, it's it's for tomorrow. Okay.
And so in, in this spec, you have, for example, to handle all your, your dependency graph, and you have to access every component that you have in your system with what is going to happen. If this components attack and how I'm go, I can ate if ever, you know, the act attack is successful. So the fact you say, I protect my C is not enough. You always have to say, what is going to happen if this component is attacked. And when we say about adopting the right code, this is what we have to do. We have to run the test and we have to understand what is going to be the impact.
If the component is attacked and it is both complex and not that complex. Okay.
It's, it has to be done. Okay. In a typical embedded system, we have in between 2000 and 3000 component. Okay. Which probably end up in something like 10 time, more asset. And so you have to track all those asset and implement a risk management on those assets.
So it's, it's a real job. Okay. It's not going to happen by itself. Yeah. Thank you very much. It was a pleasure talking to you. Okay. And I'm sure there will be many more questions from the audience. We'll root them to you. Okay. Thank you. No problem. Have a good day. Bye-bye Thank you very much. Goodbye.
