IoT Security Firm Mocana Prides Itself in Being Different
Founded in 2002 to help secure military vehicles and devices, Mocana occupies a unique place in the IoT landscape. The company is a finalist in the IoT World Awards and a recent recipient of the Frost & Sullivan 2019 North American Visionary Innovation Leadership Award. It works to help more than 200 industrial automation and IoT companies secure their assets, which range from industrial automation equipment to thermostats, surveillance cameras, gateways and medical devices. Its partner ecosystem includes the likes of Arm, Dell, Intel, Microsoft, NXP and Qualcomm. To date, the company has received $105 million in funding.
Mocana’s security philosophy, while acknowledging the importance of idealistic models such as defense in depth and zero trust, strives for pragmatism. The company doesn’t aim to add ever more layers of incremental and, at times, hard-to-quantify security features as the defense-in-depth model recommends, an approach the company’s chief technology officer refers to as “bolt on, bolt on and bolt on some more.” And instead of rejecting trust in all systems, services and actors as the zero-trust model prescribes, the company’s TrustPoint software complies with NIST FIPS 140-2 Level 1, the U.S. government standard for cryptographic modules, to ensure IoT devices are trustworthy.
“In 2016, the company rebuilt itself and moved away from just providing and developing security software for embedded systems. We developed a new strategy to provide the protection, management and analytics for device security,” said Keao Caindec, the company’s vice president of marketing. In that vein, Mocana’s TrustCenter device security management platform automates the provisioning and management of keys and digital certificates while taking charge of firmware updates, provisioning new devices, credential management and so forth.
“One of the things we’re seeing in the broader landscape is that when you think of IoT security, a lot of companies are looking at it through lenses that are limiting their view of how to actually approach the problem,” Caindec said. People on the IT security side tend to focus on using network-based tools such as firewalls, intrusion detection and protection systems, and threat analytics. “On the operational technology side, process engineers tend to refer to the Purdue model that provides guidelines for physical security defenses, network segmentation, people-centric processes and response,” Caindec said. “They’re missing the device security aspect of it.”
And as a result, a lot of the attacks on industrial targets are bypassing common IT and OT defenses. “It’s easy for hackers to compromise industrial control systems because the devices themselves are so vulnerable,” Caindec said.
The costs of attacks in the industrial sector can be significant. Maersk estimated in 2017 that the financial impact of the NotPetya cyberattack would be somewhere between $200 million and $300 million, which contributed to a quarterly loss for the company. That same year, FedEx cut its profit forecast after estimating that its ransomware outbreak would cost the company some $300 million. Overall, the U.S. Council of Economic Advisers reckons cyberattacks do $57 billion to $109 billion worth of damage annually.
“The dollars are adding up for certain kinds of breaches,” Caindec said.
Meanwhile, Mocana points out that there hasn’t been a confirmed CVE vulnerability attributed to the company’s products since the firm was founded.