Interview with Rainer Richter
We spoke to Rainer Richter, CEO & Co-Founder of IoT Inspector, about why his company decided to join ZOIS, what IoT Inspector can offer to the association and the importance of IoT security.
Edward: It’s good to have you with us. I’d like to speak to you about your collaboration with the Zero Outage Industry Standard Association. Why did IoT Inspector decide to join ZOIS and what benefits do you hope to gain from this collaboration?
Rainer: Our main goal is to receive support for our mission of making IoT secure. Because without a secure IoT environment, zero outage won’t be possible.
Edward: What kind of expertise do you bring to the association? How do you imagine the collaboration with other members will work?
Rainer: At IoT Inspector, we have extensive R&D experience in IoT firmware security. Unfortunately, IoT security is still a blind spot in cybersecurity. On top of this, in 2020 we launched a very powerful feature in IoT Inspector: Compliance Checker. We are not only looking for vulnerabilities in IoT firmware, but we can bring them in conjunction with the most relevant national and international IoT standards. This is the base that we need to move forward: Lifting IoT security to the next level and coming closer to a zero outage industry.
Edward: Could you please define IoT devices and tell us why you think there is a need to pay them such close attention at this time?
Rainer: I want to start with the second half of the question. More than two thirds of all companies have experienced security incidents related to IoT devices. IoT devices are one of the largest attack vectors in corporate networks. Not only can an IoT device be taken over: An IoT device with weak security standards can be misused as a gateway into a corporate network. Perimeter defence and endpoint protection work rather effectively these days, so attackers had to look for new ways to reach their targets. That is why IoT devices are currently one of the weakest links in cybersecurity.
But what is an IoT device? Too often people think that, for example, a kitchen gadget that is connected to the internet is an IoT device. Yes, of course, it is, but we are much more concerned that about 40% of the total IoT market is part of the enterprise IT. In our definition, an IoT device is a device with an IP or Bluetooth stack, but not necessarily a full keyboard or monitor. We’re talking about routers, switches, network cameras, access control systems. We’re also talking about network printers, climate control systems, facility control systems, VoIP phones and SIP gateways. And, of course, all kinds of sensors, e.g., a thermometer that is connected to your network. About 69% of all companies have more IoT devices than traditional endpoints in the network!
Edward: Why do you think IoT security is such a blind spot in IT security?
Rainer: On the one hand, vendors are not taking enough care of security: The major reason is that many vendors do not have security on the top of their radar. What’s important to them is time-to-market and to produce as cost-effectively as possible. We believe that this approach must change. As part of ZOIS, we have a chance to influence that.
On the other hand, corporates should do a risk assessment before they add a new device. For cost and time reasons they don’t do it. That’s exactly what IoT Inspector is addressing. It helps corporate customers, among other use cases, to undertake an easy and effective risk assessment before installing a new device.
Edward: How do you think organisations and corporations can step up their security?
Rainer: We differentiate between three different groups of customers. Group number one are vendors, who really should take care of providing secure IoT firmware in their products. This sooner or later will become a competitive benefit on the market, as long as there aren’t stricter legal requirements. That’s the reason why we offer a tool allowing them to confirm their compliance with the most important IoT security standards.
The next group are service providers. They could use IoT Inspector as a quality gateway in their IoT lifecycle. Swisscom for example is already using IoT Inspector as a quality gateway for their CPEs. Simply by avoiding after-sales support calls, Swisscom saves a huge amount of money every year.
The third group of IoT Inspector customers are corporate end users. For them, IoT Inspector can provide guidance to buy secure products and to identify vulnerabilities in their installed infrastructure.
Edward: Tell us specifically about IoT Inspector and what issues it solves!
Rainer: The way IoT Inspector works is that a firmware image is uploaded to our platform – hosted in our own ISO 27001 certified data centre in Vienna. Then the firmware image is automatically decompiled and runs through several analytics engines. We are looking for the typical vulnerabilities that can be found in such a firmware image, i.e., user credentials and known CVEs. Our CVE detection database is updated daily against the NIST database. We are also looking for X.509 certificates, public keys or misconfigurations. And of course, we check for compliance with the most relevant standards. After checking all these elements, the customer receives an overview of all the vulnerabilities. On top of that, we also provide a Monitoring Service that checks for new vulnerabilities and compliance violations every single day, and informs administrators about newly detected issues.
Edward: Now that most people are working from home, what can employers do to ensure security across their organisations?
Rainer: Most of them have understood the need to run VPNs between their remote teams and their traditional infrastructure. What they currently might not have on the radar is that they are using an infrastructure that neither belongs to them nor is under their control. This might include WiFi access points or network printers in the home offices. Those are not owned by the company and might have dangerous security vulnerabilities. This creates the risk that attackers might try to enter the corporate environment via the home offices of its employees.
Edward: That’s very interesting. I would like to ask you about your collaboration with the ZOIS Association and what you’re hoping for from collaborating with other members?
Rainer: IoT Inspector is the leading European vendor in IoT security, and we bring a lot of expertise into the association. Our mission is to make IoT secure and take care of this area within ZOIS. Being part of ZOIS also gives us the opportunity to partner with other members and provide them with our know-how.
Edward: What value do you see in having a global industry standard for the IT environment as a whole?
Rainer: We must understand and accept that IT is a global technology. In Europe, we have a good understanding of security and that is one of the big benefits we can bring to the market.
Edward: Thank you so much indeed for your insights and your time.