Thank you very much. Good morning. Good to see you. Good that you made it through yesterday's evening and the award presentations, and especially the things after the award presentations. So good to see you. I have 20 minutes to talk about safeguarding IoT, OT, IIoT, so lots of abbreviations, lots of acronyms, so devices, their identities and communication with autonomous networking. And as it says below, I'm the director of the Practice IAM.
Identity is close to my heart, so I will make sure that this aspect is not missed when we are talking about this topic. In the end, I want to make sure that when you leave this room after 20 minutes together with me, or stay with Alexei and continue that discussion, we think of identities also related to non-carbon-based life forms. And that is the main thing that I want to achieve for today.
I will start out with a few slides on terminology and basics. And when I received my microphone, the guys back there said, okay, IoT I know, but what is the rest?
Yes, this is exactly that first part, the big picture and the challenges around what autonomous networking is, at least from my perspective. I'm not an architect for IoT platforms. I'm looking at things from an authorization and authentication point of view. And the third slide is then identities at the core.
What does that mean for creating such architectures? So before we start, we look at a picture that we have had at KuppingerCole for quite a while. So if you've been in other presentations, if this is not your first EIC, you have seen that, and I don't want to bore you, I just want to make sure that you know that all of this that we are talking about today should also fit into that picture.
Otherwise, this identity fabric does not make any sense if there are blind spots.
So if we look at this, we have to the left the identities, to the right the services, and in the middle some kinds of capabilities that make sure that there is a way from left to right. And today we are here.
Devices, things, everything that is not carbon-based acts autonomously or on behalf of a person. Before we start, setting the scene, terminology: IoT, IIoT, OT. First of all, IoT. Just quickly, the definition: internet of things. So this is everything that is somehow connected to the internet, physical objects, devices, machines, maybe sometimes even processes, but okay, let's wait. They communicate usually without human intervention and they collect and exchange data. If somebody is watching this at home, loud on a loudspeaker: Hey Alexa, you're welcome.
So this is exactly what we are talking about. This is the internet of things. My watch, a sensor, your watch that's measuring when you're running this morning, the EIC morning run, exactly these things. IIoT is the industrial internet of things. So a sub-segment of this, this is everything that looks at IoT for industrial applications, machines, sensors, devices in such a setting, in an industrial setting, in factories and plants, on the factory floor, where you expect those to be and where they support you in doing your business better.
So improving performance, reducing downtime, making sure that things work properly. OT, closely related but a bit different: operational technology. That is not IT, but OT, that is the same technologies, a bit older, usually hardware and software that really control and monitor industrial settings at large scale, sometimes connected to a SCADA system.
Supervisory control and data acquisition: sensors, actuators, controllers. Think of these things that build a car.
These things, this is OT. Of course there's much more, I'm really simplifying here, but just to set the scene. The challenge is: why do we need autonomous networking? We want to have something where we can create a network without human intervention. That's the idea. Autonomy is meant in its literal way. Autonomy means no or little human interaction for a large number of devices, without having control. Where this is, we will look at examples in the next slides.
So interaction and collaboration of these devices with each other and the outer world, maybe real-time decision making. So time and decision making, security, scalability, stability, failover. And as an example of a use case: updates, patches, maintenance. You throw a device into a network that is not monitored, how do you update that?
How do you address it? How do you get there? This is what we're talking about today. So why autonomous networking? Is this really such a useful, common case? It's not that common, is it? It is. The factory floor is an example.
We've heard that, but there are lots of other use case scenarios. I won't read through them, otherwise I really burst my 20 minutes. But smart cities, when you think of all these components that are in there and communicate with each other. Healthcare facilities, think of a hospital, think of a nurse, a doctor walking from A to B and trying to unlock devices that act on behalf of the patient or the customer or the doctor or the clinic, real-time alerting, healthcare providers, everything there; even a device that you get and use at home has an identity.
Transportation, everything about logistics, from controlling in the warehouse up until the container on a ship traveling through the Suez Canal. Agriculture.
Yeah, I like the example of the drones detecting disease or pests, flying around there, having an identity and communicating. That sometimes sounds a bit like sci-fi; it is not. And it's growing. And the energy sector is another example. These are just six examples. But having this in mind, we need something that creates networks that can act without us. We give them guardrails, we give them rules, we give them concepts, but that's mainly it.
The bigger picture is that we need a network infrastructure picture.
And this, as I said, I'm not a network architect. I think of it as a logical component architecture. What do we need? Of course we need network infrastructure. This is something that we throw out somewhere in the field and that is used by this autonomous networking. So there must be some kind of physical things, routers, network, wifi, whatever. We have network orchestration that controls this, that creates virtual or integrates physical devices into that. So coordinate, manage that. We need to have proper security.
If you throw a network somewhere in the field, think of this agriculture example, you really want to make sure that nobody messes with this network. So security of course is of high importance. Monitor and protect that, and maybe even detect and react on that, respond to that.
We need to have access to these systems. So we need something like APIs that give access to the network or to the services within the network, and integrations to make sure that, for example, this is something that can be integrated in the larger SCADA context.
You need to have the way in and out securely. We need to have user interfaces. Hey Matthias, didn't you say autonomous?
Yes, of course, but sometimes you need access to these, so you need to make sure that things work properly. Configure something, change rules inside that. And on the other side, we have analytics and insights. And of course this is EIC 2020, so of course machine learning and AI help in understanding what's going on in that network. The really big picture: we really want to have something that reacts autonomously at a larger scale.
So automation: network operations management is automated. It's independent. It is autonomous.
You can leave it alone. It does its work on its own.
It interacts with the components inside the network and sometimes outside of it. And it makes decisions based on the information that it gathers. Ideally it improves over time. It learns how to improve routing costs, how to increase the speed of response times and get to greater reliability. And in the end also, again, the machine learning aspect comes in here as well. So really optimizing network operations based on pattern matching, upon understanding what's happening, and maybe sometimes even machine learning.
So it's really a big picture. And if you scale that up, think of smart cities, there's lots of intelligence required to achieve that. I think we should have, for all of these components, identities at the core. You can say this is this router, this is this device, this is this sensor.
Even if it's a process that is just wound up for just five minutes, it should have an identity, because it maybe did something that you want to audit afterwards, although it's no longer in existence. So identities are important. Why?
Yeah, well, this is the EIC, the I is identity, sorry. So we need to talk about that. Each device and system on the network must have a unique identity for secure communication. And this is when we come back, okay, this is what we know. I, as Matthias, want to communicate securely: authenticated, authorized and encrypted, trust and authentication. Granular access control: system A can do with system B the following actions and nothing else. Simplified management and scalability: if you know your name, if you know the device name, you can talk to it and manage it.
You can monitor and track it, you can automate operations of it and you can orchestrate more of it. And in the end, maybe you are talking about a regulated environment or a controlled environment. Think healthcare, think energy, think banking, maybe there are use cases for that. Auditing is of importance. And so we need to have this ID card for this IoT device.
I look at a few use cases: bootstrapping and handover. Ignoring handover, we are just looking at bootstrapping.
But if you think of a network like, I asked Stable Diffusion to make a pop-up book and this is what it came up with. So I wanted to have a pop-up book. You know these things that you open up, and you have a network in the open, in the wild. And then you throw a device in that and say, okay, can you talk with each other? This is bootstrapping. Bootstrapping a device: secure initial provisioning of a device identity to assure secure integration of devices, prevent unauthorized access and reduce the risk of security breaches.
Other processes would be device handover, change of ownership, handing over into a different network. These are important use cases, ignored for today. We look at the bootstrapping part.
So we have this pop-up book and we throw a device into it. So what is the challenge? The need for secure initial provisioning of identities into an autonomous network. So the question is, how can I deploy a new device into such a pop-up book network? And that could be home wifi, that could be a factory network or it could be an ISP.
So if you think of the components, I have that in the first packet: a smart home device, a turbine, nothing that you deploy at home, a network router, maybe in an IP context. So different network areas, different devices, but the challenge is the same. You throw it in and you power it up. Am I in the right network? This is the question for the device. And the network says, do I trust this device? The foundation to solve this, as one example, is trust through cryptography. So way back, good old X.509, created 1984 if I remember correctly, with the X.500 OSI stack.
And there are standards for that. They are called ACP, autonomous control planes, as examples, and BRSKI, pronounced brewski, bootstrap remote secure key infrastructure, two RFCs. And these are functionalities that I want to quickly describe to make sure that you understand how these devices have identities and how these identities help them in onboarding into the network. So the process: here's the device, here's the network. The device is thrown in, powered up. This is the network. It does not know anything about the network.
That's the reason why the network is gray, the cloud is gray, but the device comes with its own built-in identity that is called IDevID. There's a standard for that, in brackets. That's a cryptographically secured ID and it contains everything that you need to know about the device: manufacturer, serial number, device type, and everything else that you need. And all of this, this card, is signed by the manufacturer CA. So all above is the manufacturer. Below is the device.
And the device knows its trust anchor, it knows that this is my issuing CA and this is the certificate for it.
And then it says, hey, this is me. I'm in this network. It announces its identity towards the registrar, somebody who should be in the network that listens, and says, yeah, this is me, and it is signed. It is a signed pledge towards the network. And the network says, yeah, I know, I knew this device would come, that has been configured for me, or I know this vendor, or I know this range of serial numbers. And then I can say, yeah, I know this device. And the device says, but I don't know if I'm right here. Next step: bootstrapping.
Now it says, okay, I can communicate, somebody has accepted me, but I'm not sure if I'm right here. Let's issue a voucher to make sure: can you prove that this is really the right network? Can you tell me that I'm in the right network? So it sends out a voucher and says, please verify that. And at that time the network registrar wakes up and says, okay, let's take this voucher and pass it on to a so-called MASA. MASA means manufacturer authorized signing authority. It could be this one.
But usually there are instances that act upon a group of vendors that really check that, and they verify the validity of the voucher and say, okay, is this something that I did expect? Contract, internal records, or maybe trust by default: if you just throw another repeater into your home network, or another sensor, they just approve, should be fine. If it's a turbine, most probably not. There should be a contract and maybe human intervention in this MASA process. Maybe.
What happens? Everything is fine.
MASA says, yeah, great. I create a voucher from that voucher request.
I sign it, I return the voucher. This is expected. This device has a contract, I believe that. And it sends it back to the device. And the device verifies the signature of the MASA, and thus from the issuing instance, initial trust is established and key exchanges take place. Secure communication can be established. And that is everything that is necessary to establish this communication.
Hey, I don't trust this network, but my vendor trusts this network and thus I trust this network here.
Beyond bootstrapping. I know I'm running late. Two minutes left. So what else should be there? I just looked at this bootstrapping part and that is what BRSKI covers very well. But there's much more to do. So this journey is not yet complete. We look at the discovery of existing devices. This network is not empty. How do I deal with devices that are already there? Ownership and accountability, change of ownership. Stakeholders beyond vendors.
Somebody who does updates, somebody who does maintenance, how are they onboarded? Network change, moving a device from A to B, multi-network scenarios and lots and lots more. And in the end offboarding, and an important part is the full lifecycle management. BRSKI is just bootstrapping, but there's much more. So there is more work to be done. But we need that for implementing these automated networks or autonomous networks. And lots of work is already done in that area.
So the story for me, for the final slide, is: devices and things have identities.
They demand proper management of the infrastructure, and therefore you need to identify each and every device, be it virtual, be it physical, and understanding each device and thing in its uniqueness is essential for governance, for maintenance. Maybe you want to make sure that only the right people get access to that, for maintenance, for updates, for whatever you want to have. And this is identity management way back.
I'm here, I'm director of the Practice IAM. This is identity management. You need to deal with them properly. And this is why things and devices need to be part of the identity fabric, and ACP and BRSKI initiate, kick off, their lifecycle management. So we are here. Thank you very much.
Wow, thank you very much Matthias. That was really insightful and interesting. And I would even say a little bit creepy, because my first thought was, Matthias is describing a blueprint for Skynet. Nope. And my second thought was, wow, maybe he's describing the blueprint for how to prevent Skynet from getting self-conscious in the future. Awesome. So do we have any questions from the audience?
If not, I might ask a little short one myself. Sure. So how far are we on this journey in terms of practical implementations? Are there any autonomous networks somewhere in production?
Actually we are working currently with organizations who are implementing BRSKI and ACP. These are of course the usual suspects. So if you think of somebody who really needs that, yes, we are talking exactly to them. And we are also looking into the completeness of the lifecycle process.
That's the reason why I brought up also this topic, the standards. As I said, these are RFCs, they are there and they are not only theory, they are really showcased in real life, but there's more to be done. And these working groups that created these two standards are working on continuing that journey. Yes.
Okay.
Okay, great. Well thanks again Matthias and thank you. Without further ado, let's.
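The BRSKI exchange walked through in the talk (IDevID signed by the manufacturer CA, a signed voucher request passed through the registrar, a MASA-signed voucher, and the pledge checking that voucher against its built-in trust anchor), as an added example that is not part of the talk or of any BRSKI implementation. It is a constructed, simplified model: Ed25519 keys stand in for X.509 certificates and CMS signatures, and the type names, the sales-record map and the serial numbers are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Constructed, simplified model of the BRSKI (RFC 8995) bootstrap from the talk. Real
// BRSKI uses X.509 IDevID certificates and CMS-signed vouchers; here a "certificate"
// is an Ed25519 public key plus a signature over a claim about it.
type KeyPair struct{ Pub ed25519.PublicKey; Priv ed25519.PrivateKey }
func newKey() KeyPair { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return KeyPair{pub, priv} }

// IDevID: the manufacturer CA signs serial||device key at production time.
// Voucher: the MASA signs serial||domain key, i.e. "this device may trust this registrar".
type IDevID struct{ Serial string; Pub ed25519.PublicKey; Sig []byte }
type Voucher struct{ Serial string; Domain ed25519.PublicKey; Sig []byte }
func claim(serial string, key ed25519.PublicKey) []byte { return append([]byte(serial+"|"), key...) }

// Manufacturer runs the IDevID CA and the MASA; Sold lists serials that have a contract.
type Manufacturer struct{ CA, MASA KeyPair; Sold map[string]bool }

// Issue builds a device: its IDevID plus the private key burned into it.
func (m *Manufacturer) Issue(serial string) (IDevID, KeyPair) {
	dev := newKey()
	return IDevID{serial, dev.Pub, ed25519.Sign(m.CA.Priv, claim(serial, dev.Pub))}, dev
}

func (m *Manufacturer) genuine(id IDevID) bool { return ed25519.Verify(m.CA.Pub, claim(id.Serial, id.Pub), id.Sig) }

// masa answers a forwarded voucher request: genuine IDevID, request signed by that
// device, a sales record; then it signs a voucher pinning the registrar the pledge saw.
func (m *Manufacturer) masa(id IDevID, reg ed25519.PublicKey, reqSig []byte) (Voucher, error) {
	if !m.genuine(id) { return Voucher{}, errors.New("IDevID not signed by manufacturer CA") }
	if !ed25519.Verify(id.Pub, reg, reqSig) { return Voucher{}, errors.New("voucher request not signed by pledge") }
	if !m.Sold[id.Serial] { return Voucher{}, errors.New("no sales record for " + id.Serial) }
	return Voucher{id.Serial, reg, ed25519.Sign(m.MASA.Priv, claim(id.Serial, reg))}, nil
}

// RequestVoucher: the registrar admits a known vendor, the pledge asks "am I in the
// right network?" with a request signed by its IDevID key that names the registrar
// it sees, and the registrar forwards that request to the MASA.
func RequestVoucher(m *Manufacturer, id IDevID, dev, reg KeyPair) (Voucher, error) {
	if !m.genuine(id) { return Voucher{}, errors.New("registrar: unknown vendor") }
	return m.masa(id, reg.Pub, ed25519.Sign(dev.Priv, reg.Pub))
}

// PledgeAccepts is the device's final check with its built-in MASA trust anchor:
// genuine voucher, for my serial, pinning exactly the registrar I am talking to.
func PledgeAccepts(masaPub ed25519.PublicKey, id IDevID, reg ed25519.PublicKey, v Voucher) bool {
	return v.Serial == id.Serial && bytes.Equal(v.Domain, reg) &&
		ed25519.Verify(masaPub, claim(v.Serial, v.Domain), v.Sig)
}
```

The pinned domain key in the voucher is what answers the device's "am I in the right network?" question: a voucher issued for one registrar is useless to any other network that replays it.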