True digital transformation means more than putting existing bureaucracies and business models on the internet. It’s a transformation towards digital-first, data-driven operations based on connected devices and shared data.
This presents tremendous opportunities, but it also carries risks. What produced the data? How secure is the machine that produced it? Who owns it? What vulnerabilities does it contain? What are its approved configurations? When was it last patched? Is the data real or is an attacker forcing you into making the wrong choice?
Cybersecurity in critical infrastructure and essential services is beginning to come under intense scrutiny from regulators. The Network Information Systems (NIS) Directive is the lesser-known relative of GDPR, but its motivation is arguably more important than privacy: NIS aims to ensure that the everyday services people rely upon, such as drinking water and public transport, continue to be delivered safely and without interruption in a world where threats are increasing and necessary internet connectivity is wiping out air gaps.
In some ways we had it easy raising the Internet: if an app gets old, we just throw it away and get a new one; if a new communication technology comes along we swap out components and voila! Youth holds power and, in the famous words of Mark Zuckerberg: “Move fast and break things”. For the Industrial Internet of Things this is completely unreasonable: industrial machines often have lives of 25 years or more, not the two-year cycle of the Internet. And then there are the practicalities: many fragmented suppliers, technology stacks and integrations are already installed, many more are still to come (including multiple cloud infrastructures), and all of them have regulators and safety authorities looking over them and signing them off. Making everything work safely and efficiently is a difficult feat of planning and bureaucracy.
The industrial IoT cannot move fast and break things: it needs a way to move fast and fix things. No stakeholder can do this alone; it’s a difficult team sport.
Risk: Reveal It, Reduce It, Report It
Revealing risk means knowing what vulnerabilities connected devices introduce, across the hardware bill of materials, firmware, operating system, libraries, software and configurations.
Reducing risk needs collaboration – the software vendors that supply device makers will need to create patches, integrators will need to test system compatibility, owners will need to sign off on updates or put other mitigations in place, maintenance teams will need to schedule downtime, and auditors will need to monitor service level agreements.
Reporting risk should always reflect the current situation – things are only secure until they are not, and a year-old compliance report does not mean everything is still secure. Continual compliance through radical transparency could let regulators see issues as they emerge and become part of the team that fixes them, especially if they spot issues in adjacent industries before those issues reach yours.
Building a collaborative risk management platform needs a new approach: it can’t be done in silos, with paperwork or spreadsheets passed between connected bureaucracies. Distributed ledgers provide the foundations.
How It Works
RKVST augments your asset management operations by creating a “shared service history” of all assets, enabling all participants in a value chain to log records of “When Who Did What to each Thing”. The record includes events such as:
- Software vulnerability status, recalls, upgrades.
- Maintenance status and activities.
- General usage information.
The system strongly identifies who in which organisation recorded each entry, and once committed an entry can’t be undone, eliminating the chance of backdating records or ‘shredding the evidence’ in the event of an incident.
The underlying distributed ledger ensures all organisations have the same evidence base to work from, and strong access controls ensure only the right people in those organisations can see them.
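To make the “When Who Did What to each Thing” properties concrete, here is an added illustrative model of an append-only, hash-chained service history. It is not RKVST’s code or API: the timestamp and chain position are assigned by the log at commit time rather than by the caller, every entry commits to the previous one, and `verify()` reports the first entry whose content, order or timestamp no longer matches what was committed (a backdated or deleted record breaks the chain). The `who`/`org` fields stand in for the identity a real system would bind from the caller’s authenticated token.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first event


def _digest(record: dict) -> str:
    """Hash the canonical JSON form of a record (sorted keys, no whitespace)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ServiceHistory:
    """Append-only, hash-chained log of 'When Who Did What to each Thing'."""

    def __init__(self, clock: Callable[[], int]):
        self._clock = clock  # injected so the example is deterministic to test
        self.events: List[Dict] = []

    def record(self, who: str, org: str, action: str, thing: str, details: dict) -> dict:
        """Commit one event. 'when', 'seq' and 'prev' are set here, not by the caller."""
        prev = self.events[-1]["hash"] if self.events else GENESIS_HASH
        body = {
            "seq": len(self.events),     # position in the chain
            "when": self._clock(),        # commit time, not caller-supplied
            "who": who, "org": org,       # identity (bound from the auth token in practice)
            "what": action, "thing": thing,
            "details": details,
            "prev": prev,                 # commitment to the previous event
        }
        event = dict(body, hash=_digest(body))
        self.events.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Return the index of the first broken event, or None if the chain is intact."""
        prev, last_when = GENESIS_HASH, 0
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["seq"] != i or ev["prev"] != prev or _digest(body) != ev["hash"]:
                return i  # content edited, record deleted, or order changed
            if ev["when"] < last_when:
                return i  # clock must never run backwards along the chain
            prev, last_when = ev["hash"], ev["when"]
        return None
```

Editing an older event’s `when` (backdating) or deleting an event (shredding) changes a committed hash or a sequence number, so `verify()` pinpoints the tampered position even though the entry itself can still be read.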
Recognising that the majority of devices today cannot accommodate an embedded agent or smart module, RKVST offers multiple active and passive data capture options to build as full a picture of maintenance and cyber risk as is available in the organisation. Because we talk about devices rather than directly to them, RKVST can be integrated at the cloud layer, or alongside the IoT platform being used for telemetry, or in gateways, … anywhere appropriate.
Of course, we do support integration directly into the device too, and this offers even better resolution of trust and security data. Again, recognising that there’s a huge diversity of devices out there we don’t require heavy integrations in the chip or a secure manufacturing facility: all we require is space to securely store a standard access token and the ability to call a REST API over HTTPS.
How It Fits Together
While being offered as a simple-to-consume self-contained SaaS, RKVST is designed to connect into all your other Azure services. Out of the box we offer:
- Sign-on with your Azure AD account.
RKVST DOES NOT have its own user database, nor does it save usernames or passwords. It uses the industry standard OpenID Connect to connect with your enterprise IdP (such as Azure AD), so that user access to RKVST is fully managed by existing corporate access policies, which may include multi-factor authentication.
- Connect your IoT Hub-managed devices.
RKVST is designed to support your digital transformation initiatives by adding multi-party trust and assurance to all your sources of data: devices, maintainers, and digital twins. If you have devices connected to IoT Hub you can link IoT Hub to RKVST, automatically recording relevant audit events on the distributed ledger without any disruption to your telemetry operations.
- Create custom reports in PowerBI.
RKVST is a data platform: different stakeholders in a connected industrial system need to know different things at different times, and these are typically unique to the organisation. If the built-in insights provided by the RKVST UI and APIs do not quite answer the right questions, PowerBI users can act on the base data of the shared service history to get to the truth, fast.
In essence, RKVST lays a foundation for collaboration, risk reduction and trust in industrial operations, without disrupting the other great features and services already offered by the Azure platform. It is the security twin for your digital operations.
Why We Chose Azure
For RKVST, building a secure solution for serious industrial use required a cloud provider aligned with large enterprise values, and that’s Microsoft Azure. Some of the founding team at RKVST worked on security technologies that underpin Azure Key Vault, so we’ve seen first-hand, and appreciate, the serious approach to security within the Microsoft team.
Read more at https://rkvst.com or on the Microsoft Marketplace.
Developers can read our open documentation at https://rkvst.readthedocs.io/en/latest/