Microsoft's CyberX Acquisition: Securing IoT and OT
Purchase Gives Microsoft a New Tool for Cloud-Based IoT Security
Integrating IoT devices into operational technology systems brings a raft of security concerns, which is why organizations generally want to move deliberately and carefully.
Microsoft’s acquisition of Massachusetts-based CyberX, which develops a specialized IoT/OT security platform, may give some organizations more confidence to tackle what can be a messy business of securing multiple types of IoT devices across a network. Microsoft reportedly paid $165 million for the start-up company.
Microsoft pledged two years ago to spend $5 billion on its IoT capabilities, says Tanner Johnson, senior cybersecurity analyst with Omdia. The CyberX acquisition “is more ironclad proof that IoT cybersecurity is a serious threat,” he says.
CyberX will flesh out Microsoft’s IoT offering on Azure, where it has been building a cloud IoT platform called Azure Sphere. Sphere is a Linux-based OS that brings together chip-level security integrations for a hardware root of trust that's matched with a cloud security service.
CyberX’s technology gives Microsoft a versatile platform that can help organizations move into cloud-based security management of IoT, says Hugh Ujhazy, who leads the IoT and telecommunications practice for analyst IDC in Asia Pacific.
For example, Ujhazy says CyberX’s platform can detect devices that have been added on a company’s network by particular lines of business that IT may not even know about.
“The promise from Microsoft with this acquisition is going to be, ‘Hey, I’m going to make it all easier for you to make the move and take advantage of this stuff without necessarily cratering your business or exposing your data outside of the cloud’.”
There’s growing interest and investment in security tools that can manage the convergence of IT, OT and IoT, according to a report from Gartner released earlier this month titled “Emerging Technologies: Venture Capital Growth Insights for Cyber-Physical System Security.”
Gartner says two factors are driving the interest in securing cyber-physical systems, or CPS. One is the inherent lack of security in IoT devices and OT infrastructures because air gapping isn’t always possible. Also, many IT security vendors aren’t offering the specialized features and architectures needed to secure cyber-physical systems.
“Enterprise prioritization on CPS security and related aspects has been driven by concerns over the loss of critical intellectual property and operational data, as well as safety impacts resulting from critical operations being compromised,” Gartner says.
A host of other companies besides CyberX are focusing on the network monitoring component of IoT deployments, including Armis, Bastille, Claroty, Dragos, Medigate, Ordr, Radiflow and Zingbox, which was acquired last year by Palo Alto Networks.
CyberX: Discovery and Monitoring
CyberX will help Microsoft address a couple of problems, write Michal Braverman-Blumenstyk, a corporate vice president who heads up Azure’s cybersecurity, and Sam George, corporate vice president of Azure IoT.
First, companies need visibility into what IoT devices are already connected to their networks, they write. Organizations also need to manage security on so-called “brownfield” devices, or ones that are already in the field, which they write “have been historically difficult due to a myriad of custom protocols.”
“Our mission is to simplify IoT and make securing IoT devices easy,” Braverman-Blumenstyk and George write.
Several industries, including healthcare, critical infrastructure and oil and gas, rely on long life cycle legacy and brownfield equipment, says Dimitrios Pavlakis, a cybersecurity industry analyst with ABI Research. Those kinds of devices are more challenging to manage and secure due to inherently insecure communication protocols, he says.
Pavlakis says the CyberX acquisition will help Microsoft “allow for higher quality security monitoring and versatile IoT device and network monitoring options for greenfield versus brownfield devices.”
CyberX says that within an hour of being connected to an IoT and industrial control system network it can index assets, collecting data such as device type, manufacturer, model, serial number, firmware revision and open ports. The platform is designed to accommodate all IoT and ICS protocols and devices.
CyberX says it then can integrate these devices into security operation center workflows, where analysts can get real-time alerts on threats and take action.
“Gaining this visibility is not only critical for understanding where security risks may exist and then mitigating those risks, but it is also a fundamental step to securely enable smart manufacturing, smart grid and other digitization use cases across production facilities and the supply chain,” Braverman-Blumenstyk and George write.
Bridging IT and OT
IDC’s Ujhazy says there are many pieces in motion now as organizations deal with the implications of IoT and OT.
IT and operational technology groups within enterprises are struggling somewhat to build a bridge, he says. The OT group wants the flexibility and agility that the IT group is getting from cloud computing, software-defined networking and more, he says. But they’re also hesitant because the technology hasn’t adapted as fast to the agile model.
Vendors are also delivering new equipment, so even the least digitally inclined manufacturing organization is being thrust into the IoT and thus the security implications of it, Ujhazy says.
“When they buy a new CNC [computer numerical control] or a lathe or whatever they’re buying – even power tools – it’s coming with some level of intelligence and ability to connect to the network and deliver information,” Ujhazy says.