Sunday 9 February 2020

Cisco Performance IT makes multicloud possible for your digital transformation


Modern enterprise organizations rely on a diverse and flexible cloud approach, incorporating both public and private solutions, to accomplish their mission.

In fact, 40% of enterprise CxOs say they’re embracing a cloud-first strategy. Doing so, they realize benefits like enhanced agility, efficiency, and scalability.

However, the combination of increased traffic from SaaS providers, on-premises applications, and public clouds like AWS or Microsoft Azure is placing a tremendous strain on enterprise networks in terms of operations, security, performance, and cost.

And oftentimes, it’s creating a negative impact on the business, as the user experience is frequently impacted when a multicloud strategy is supported by legacy networks.

Introducing Cisco Performance IT


To address multicloud challenges, we started working with customers to build a model for network transformation. Our goal was to make it financially feasible to deliver networks that provide high performance and superior user experiences. All while being operated more efficiently, and at lower costs. We call this model Cisco Performance IT.

It’s a framework that helps clearly illuminate the benefits of evolving networks to match multicloud realities. Ultimately, it shows you how transforming your network represents significant financial and operational benefits.

Cisco Performance IT helps you chart a long-term course for your network and your business—and shows how the right investments can pay for themselves.

Why transformation is critical


Many enterprise networks are built on legacy technology that’s not ready for the demands of multicloud. Today’s world is dynamic, and infrastructure built on manual processes and static configurations can’t keep up.

Take a look at these network challenges created by the multicloud shift, based on our real-world projects:

◉ Connecting to SaaS providers isn’t as simple as it seems. West Coast SaaS traffic is routed to a U.S. East Coast legacy data center where security is hosted, creating a massive performance bottleneck that slows application performance and impacts the user experience.

◉ Dedicated circuits slowing deployment. Access to public/private connectivity requires dedicated circuits for connection to the cloud provider. This often results in provisioning times exceeding 60 days, delaying the ability to deploy new revenue services for the business.

◉ High costs. Increasing demand for access to SaaS solutions requires dedicated links that come with expensive, multi-year commitments. Our enterprise customers are seeing circuit costs increase year-over-year as a result of SaaS connectivity growth.

◉ Overwhelming complexity. When every new cloud provider requires manual configurations of rules and policies, the operational workload skyrockets. Combined with flat or declining operational budgets, this creates delays as workloads increase.

Overcome the budget challenges of network transformation


Given the issues caused by aging networks supporting multicloud strategies, it’s obvious that significant network overhauls are necessary. But transforming networks in the traditional way is manual, costly, time-consuming, and difficult.

The capital outlay required for network transformation is a barrier for many organizations. They see the need, and even know the technologies they would require to make everything work—but they can’t build the financial case to justify it.

However, early adopters of the Cisco Performance IT approach are seeing incredible results, such as self-funded network transformation, the ability to deliver new services in much shorter timeframes, and sustainably reduced operational costs with simplified and comprehensive security.

While navigating transformation in the multicloud era is difficult, Cisco Performance IT can help you find the most cost-effective and savvy path forward.

Saturday 8 February 2020

Service Providers: Join Cisco at MWC 2020


It’s February again, which means Mobile World Congress 2020 in Barcelona is just a few weeks away. I know everyone at Cisco is looking forward to seeing all of you at what is arguably the biggest and most impactful technology event of the year (well, maybe tied with Cisco Live!). We look forward to you visiting us at our award-winning booth in Hall 3, 3E30 – same as the past few years. We have dozens of demonstrations in the works to show how you can leverage the 5G era to accelerate profitability and open new opportunities.


Cisco will have our executive leadership team, Product Teams, and many subject matter experts on hand to share information and discuss your opportunities, challenges and how Cisco can be your most valuable partner to pursue excellence and success.

So, please read on as I share with you some of what we are preparing just for you – our Mobile World Congress guests.

Our theme for MWC20 is “Between unlocking the potential of 5G and the Internet for the Future”. This builds on our “Bridge to Possible” theme which we introduced last year.  Through this we aim to share how together we can work for the betterment of the people that you serve.  This begins with establishing a strong and trusted foundation that delivers success.  We want to show you how by working together you can grow revenue, save money, and mitigate risk – for you and your customers.

Grow Revenue – Save Money – Mitigate Risk

A remarkable 5G experience for consumers and enterprise customers begins with Cisco software-defined architecture for the 5G era.  Cisco builds trustworthy 5G networks with the industry’s most advanced automated infrastructure for profitability and competitive advantage. Cisco’s intent-based, software-defined architecture is the foundation for the Internet for the Future. New 5G experiences for consumers, businesses, and IoT can be deployed by existing or greenfield network providers as well as enterprises. Total cost of ownership can be reduced on average by 35% and the time to instantiate functions and introduce new services greatly accelerated.

The industry has shown that it appreciates what we have to offer as we have won dozens of 5G deals and collected 3 awards for our innovations in 2019 and have been shortlisted for the GSMA Global Mobile “5G Leadership” award at this year’s MWC event.

Demonstrations

You are invited to tour our “Mobile Transformations for Industry” demonstrations that are open to all.  Once inside our booth, you might wish to start your demo tour with our Big Picture demo that offers quick, high-level views of eight areas including architectures for service providers, enterprises, supporting mega-trends like Cloud, IoT, and the Internet for the Future, and key network attributes – Automation/Orchestration, and Secured and Trusted networks.  From here we can guide you to deeper dives to specific solutions and products to some of our newest innovations – including Silicon One and the Cisco 8000.  We also have innovations in seamless convergence and momentum in Open vRAN.

Seamless Convergence

Perhaps this is the Zen of mobile wireless – a seamless open converged radio network environment, providing the best user experience anywhere and everywhere.

5G and Wi-Fi 6 together – Cisco has long promoted the right tool for the right job, and that includes wireless access. Be it 4G/LTE, 5G (NSA, SA, mmWave), CBRS, Wi-Fi, Wi-Fi 6 or any of the assorted “machine-oriented” wireless access types. The key is a trusted seamless roaming experience. Cisco is the leader in “AnyAccess” and open seamless convergence. You can enjoy the secured Open Roaming throughout the Fira Barcelona Gran Via as Cisco is the official wireless provider. Additionally, we have a fantastic demonstration of Service Provider and Enterprise converged seamless network solutions. See how Service Providers can extend their enterprise customers’ domains across their secured WAN and put the tools Enterprise IT wants into their hands.

Open vRAN Gains Momentum


2019 was a great momentum-building year for Open vRAN, with Etisalat, Vodafone, O2, Viettel and others announcing their intent to deploy Open vRAN and, of course, the industry pioneer Rakuten going commercial with a 100% Open vRAN network. The industry is seeing proof that an open environment not only works, but also simplifies, reduces costs and eliminates vendor lock-in. Cisco is proud to be a leader in this movement of opening the last proprietary segment of the mobile network. Cisco is demonstrating our multi-vendor 4G/5G Open vRAN solution at MWC, and we welcome you to stop by, see the live demo for yourself and speak with our experts.

Events and Speakers

Cisco will be hosting events in our Booth for VIPs, Analysts, and more – these are sure to be entertaining and informative.

We will also have speakers throughout the week at GSMA sessions including Global Director, Bob Everson for “Security in the Tech Industry X Era” and VP for Global SP Marketing, Marci Hanlon for “Women 4 Tech” Diversity panel session.

Travel safe and we are looking forward to seeing you there!

Friday 7 February 2020

The Evolving Cloud-Native Infrastructure


Over the last few years, we have been participating in a radical transformation of how modern applications are built, deployed and operated. Monolithic applications are being broken down into microservices and serverless functions to exponentially ease development, lifecycle management, increase the velocity of features, and improve the availability of the services offered.

More and more mission-critical workloads have become containerized. Anywhere between 35%-50% of an enterprise’s application sprawl is now containerized based on various Gartner and IDC estimates. And it’s not just the app front ends, or the dashboards, but mission critical workloads such as revenue generating data analytics pipelines, middleware, and core business logic.

This transition is putting pressure on the processes, data flows and organizational structures to evolve dramatically within the enterprise. As customers continue to invest in digital capabilities to transform their business, build new products and compete aggressively against new competition, with applications as the new currency, Cisco is helping them achieve their business KPIs and stay nimble through 4 technology pillars –

1. Delivering evolvable application platforms

2. Driving new cloud-native networking and security

3. Building AI/ML systems for your data science and ML-Ops needs

4. Nurturing developer-friendly communities for adoption

Evolvable Application Platforms


It is predicted that over the course of the next few years, the absolute number of apps within an enterprise will continue to rise. In fact, a recent study from IDC predicts a 50 percent increase in the number of applications over the next two years.

There are various drivers for this, but primarily, the “software eats the world” mentality means that everything is being solved (and should be solved) by software. This is Digital Transformation at work.


As this app explosion takes place, the percentage of modern cloud-native applications within an enterprise will only continue to grow. Most of this growth will stem from newer applications taking over from the old in performing similar capabilities with much better velocity, availability and efficiency KPIs. These newer apps (shown with a green arrow) will most definitely be born cloud-native, as either microservices or serverless apps. The existing apps and capabilities will slowly migrate to being re-architected as cloud-native, dropping the percentage of monolithic bare-metal and virtual machine apps steadily over the next few years.

Cisco’s approach is to provide organizations with software and hardware building blocks that allow you – the enterprise Application Developer, Platform Engineer, Cloud Architect or IT Engineer – to evolve seamlessly along with the technology trends that drive your business. Whether you need a data-hungry on-premises bare metal monolithic app, a cloud-native insights pipeline, or a securely-governed extension of your compute capabilities to your preferred public cloud, the same application platform architecture should power your entire development and software portfolio.

The Cloud-Native Network


As we have seen, a modern application is not a monolithic, siloed, single-compute application. Cloud-native is a synonym for scaled-out distributed applications. And a well-behaved distributed system relies upon a capable, well-abstracted, highly available and secure Network. You cannot develop a successful cloud-native application without paying attention to the characteristics of the network.

As cloud-native architectures become more pervasive, application components are becoming thinner and thinner (microservices, functions) and more geographically diverse (cloud regions, on-premises, across the globe). The connectivity problem for even a single application is becoming much, much worse.

There is ‘more network’ in every flow than ever before.

A quick look at the service dependency graph of a cloud-native application (e.g., the Monzo banking app) will give us a sense of the networking and security problem needing to be solved. Each node of a typical application graph such as the one shown below is an API or service endpoint, and in theory, could be anywhere in the world and on any kind of infrastructure – owned or rented.

The Microservice Dependency Graph of the Monzo Banking Application

At Cisco, we have been thinking through what connectivity looks like to the application developer and platform engineer. The cloud-native Network would connect all such service endpoints, and only those endpoints, wherever they happen to be and in whatever form – as modern cloud-native, or traditional monolithic systems. This Network is built for the application developer. It has narrow and deep context and is less worried about all the rest of the traffic flowing through the network below. It follows the principles of simplified connectivity, relevant context, and follows the same activation models that are used in application development.

AI/ML systems for Data Science and ML-Ops


The necessity of real-time insights on an exploding data universe is driving the need for AI/ML in every industry. A modern and agile enterprise is using AI/ML pipelines for streamlining its operational needs (ML-Ops) as well as for driving critical business insights through its various data science and business insights organizations.

Because of the ubiquitous availability of AI toolchains – both on-premises and in public clouds via pipelines such as Kubeflow – new use cases for AI-Applications in deriving insights in industry verticals, systems design, and solving complex closed-loop operational problems are only going to blossom.

An MIT Review study looking at more than 16,000 papers on AI over the past 15 years already pointed to this trend.

Cisco is building AI/ML hardware and software systems to help enterprises and communities solve their data insights and operational needs, whether that means helping a large optics manufacturer find defects in their manufacturing process or helping solve the difficult data problems of less-understood genetic disorders.

We are also focusing these systems back on solving the problems we understand best – whether it is helping our customers manage the complexity of networking and computing nodes in their environment, helping them fine-tune the performance of their hybrid apps, or alerting them to potential security threats and providing remediation measures before those threats hit them.

Developer and Community Adoption


The application-centric nature of all business going forwards implies working closely with developers and fostering communities. Driving code and projects into open source and fostering forums and bodies that enable sharing of knowledge, data sets, processes and use cases are just some of the ways that Cisco has been nurturing open communities.

We have been Platinum members of Cloud Native Computing Foundation (CNCF) and part of their Governing Board since its inception in 2015. We have contributed to the Kubernetes (K8s),  compute and networking projects for a few years now, helped create the Network Service Mesh project (currently in Sandbox), and utilize our presence at KubeCon + CloudNativeCon to evangelize adoption of these cloud-native technologies.

In the AI/ML landscape, Cisco has joined forces with Google, Facebook, Microsoft, Stanford, MIT and others in forming the MLPerf (mlperf.org) effort to standardize on AI/ML performance and systems evaluation. We have published our AI/ML research in academic avenues such as NIPS and SysML, and have contributed significant code to the Kubeflow project.

On the networking side, we have assisted in the formation of the Linux Foundation for Networking (LFN) and have been Platinum members since its inception, contributing quite significantly to various projects such as OpenDaylight and FD.io. We have published a significant amount of our research findings in various IEEE and ACM conferences and papers.

This would all be moot if we don’t walk the walk together with our customers and help them evolve as well. The Cisco DevNet group was created for that very mission, and just recently, DevNet has released curriculum and certification to help our customers in their skill-set journey.

Finally, and most importantly, we run some of the world’s largest SaaS offers in a cloud-native way. Meraki, Umbrella and WebEx are just some cloud-native SaaS production stacks that influence our software and hardware product design and operational paradigm shifts.

Thursday 6 February 2020

Cisco Edge Intelligence: IoT data orchestration from edge to multi cloud


The next frontier of Internet of Things (IoT) is going to be won with the right applications. Applications deliver business outcomes that drive metrics for growth and profitability. However, the most common problem witnessed with these applications is getting clean and well-groomed data securely, reliably and consistently. Here enters IoT Edge Computing. It’s not surprising that a Gartner survey shows that more than 75 percent of data extracted will need edge computing. 

However, various challenges stand in the way of enabling this today:

◉ Geographically remote and distributed assets – The locations of IoT assets vary from dense urban areas like traffic intersections to remote areas like gas and water distribution, where cellular connectivity is scarce

◉ Heterogeneous environments – IoT assets come from various manufacturers and no two manufacturers speak the same protocol or handle the same data model

◉ Multiple consumers of data – As the need for IoT data grows and the number of applications that can leverage data increases, making sure there are proper control and governance policies before the data leaves the network is an ever-growing challenge

◉ Complexity – Current approaches are often sub-scale and require custom software and integration of multi-vendor technologies that are overwhelmingly complex to deploy and manage

Cisco recently announced a new offering for IoT edge called Cisco Edge Intelligence. Cisco Edge Intelligence is a new IoT data orchestration software that extracts, transforms and delivers data of connected assets from edge to multi-cloud destinations with granular data control. It is a software service deployed on Cisco’s IoT Gateway (GW)/Networking portfolio for easy, out-of-the-box deployments.

Cisco recently requested 451 Research to conduct an analysis of the top issues with IoT deployment and the role of IoT edge. The research report helped validate the hypothesis of the problem and the solution that Cisco Edge Intelligence is addressing.

Cisco is currently conducting early field trials/pilot projects with select customers such as voestalpine, Port of Rotterdam, AHT Cooling (Daikin), National Informatics Center – India and many more across roadways, water quality/distribution and remote industrial asset monitoring. Cisco Edge Intelligence will be available to the public in 2Q CY 2020. The primary value propositions of Cisco Edge Intelligence are as follows:

Out-of-the-box solution  


Cisco Edge Intelligence comes out of the box working on most of Cisco’s IoT GW portfolio for plug-and-play operations, and is configured and managed using a SaaS or on-prem solution. The user experience is built from the ground up after studying various industry user personas. Cisco Edge Intelligence has simplicity built into its core and makes data extraction, transformation, governance and delivery to its applications as easy as a click of a button. It can be deployed across thousands of gateways from a centralized location without having to worry about the underlying network configurations.

Pre-integrated data extraction for specific industries 


Cisco has learnt that the hardest and most challenging aspect of IoT deployments is consistently extracting data from various greenfield and brownfield assets. Cisco Edge Intelligence comes pre-integrated with a curated set of asset/device connectors based on specific industries that allow customers to onboard IoT assets seamlessly. Further, it provides an ability for customers to add metadata that helps normalize data across vendors.

Convert raw data to intelligent data  


Based on feedback received, Cisco has embraced tools for development and debugging which are widely accepted by the community. Cisco Edge Intelligence provides scripting engines that allow customers’ and partners’ developers to develop scripts that can convert raw data to intelligent data. The scripts could be simple filtering, averaging, thresholding of data or complex analytical data processing for cleaning and grooming of data. These tools enable developers to remotely debug on a physical IoT GW and deploy with a click of a button from the same development interface. 

Granular data governance  


As the promise of IoT is delivered with every small thing being connected, and as the number of applications that can make sense of IoT data increases, the N*M problem arises: ‘N’ things from different manufacturers are sources of data, and ‘M’ applications from different vendors are destinations for it. If not addressed ahead of time, the benefits IoT brings could turn into chaos.

As this data deluge erupts, Cisco Edge Intelligence provides a fundamentally strong and holistic data control from the point of ingestion to consumption in a non-overwhelming way.

Pre-integrated with growing eco-system 


The last key step necessary to deliver data to applications requires Cisco Edge Intelligence to be integrated with a growing set of platforms and applications. It is currently pre-integrated with one of the leading cloud providers and other platform/on-prem providers such as Software AG and Quantela. Cisco Edge Intelligence also supports standards-based MQTT and encourages partners who are interested in working with Cisco to leverage the same. Cisco will continue to grow this ecosystem of IoT platform/application partners.

“When customers take advantage of both Cisco’s new Edge Intelligence running on Cisco’s GW and Software AG’s Cumulocity IoT running in data center or cloud, they will be able to bring IoT asset data from edge to cloud quickly and seamlessly,” said Yasir Qureshi, VP, IoT and Analytics at Software AG. “Keeping IoT simple with little or no coding has been a key to successfully unlocking the business value of the IoT on either edge or cloud-based applications.”

Cisco Edge Intelligence is a big step for Cisco IoT towards bridging the gap from where data is generated to where it is consumed. It offers an out-of-the-box, plug-and-play solution for everything in between.

Wednesday 5 February 2020

Improving Partner Performance with Black Belt


When you work with Cisco, there’s a lot to learn. About complex customer challenges, how our products solve them, and how you can set yourself apart from the competition. That’s why we at Cisco are always looking for ways to make it easy for you to learn about and sell Cisco solutions.

So we’ve put together a new Partner Performance team to help you do just that. Our goal? Simplify and improve your experience as a Cisco partner. For example, we’ll be rethinking the way we work, looking for places to cut down on the back-and-forth. All to help you stay focused on what matters most—driving new business and getting predictable results.

One key initiative is our Black Belt Partner Academy. This is a comprehensive digital learning framework that has been a huge hit in our Asia Pacific region and is now available to all partners around the world. When utilized effectively, Black Belt will help you build the skills foundation to differentiate and put a game plan in place to battle the competition. Here are a few highlights of what this framework can do for you.

Become an expert in Cisco solutions


In a nutshell, our Black Belt Partner Academy is a digital, self-paced training framework, customized for your role. You can take it to learn all about how to sell, deploy, adopt, and support Cisco solutions. The idea is to become more competent, confident, and connected with Cisco—and our customers.

Specifically, you’ll learn how to:

◉ Help customers transform their business with complete, connected solutions

◉ Be confident and compelling in how you engage with customers

◉ Have richer, deeper conversations with customers

◉ Stand out from your competitors

◉ Execute on your key sales priorities

Take training tailored to your role


We’ve customized each learning map for all major roles that are involved in selling and delivering Cisco solutions. This includes engineering, sales, business architects, and services. So, if you’re in sales, you can take the Sales Track, which lets you:

◉ Get the same sales training as our own Cisco account managers

◉ Stay up to date on the latest market trends and competitive advantages

◉ Explore learning maps for each architecture

◉ Get credit for continuous learning

◉ Earn incentives

You’ll learn things like how to:

◉ Sell the exact solutions your customers need

◉ Set yourself apart from the competition

◉ Craft compelling sales presentations

◉ Use social selling to reach out to the right people

◉ Get help from Cisco when you need it

To give you an idea, here’s a sample learning map for the Sales Track.


Get ready-made resources


Along with training, you also get a trove of ready-made resources for each track. For sales, this includes things like case studies, demos, architectural overviews, market trends, industry reports, competitive battle cards, and presentations.

Take it at your own pace


Another great thing about this framework—it’s all digital, available 24×7. You can take the training in your own time. And we’ve broken it out into three stages, so you can space it out and give yourself time to apply and digest. We estimate that each stage will take you, on average, 6 hours.

◉ Stage 1: Blue Belt – demonstrate learning

◉ Stage 2: Green Belt – demonstrate application

◉ Stage 3: Black Belt – demonstrate success

Earn your badge


In martial arts, black belts are often a coveted symbol that you’ve put in the time to become an expert in something. And it’s the same here. After you take all your training and exams, you get a badge for finishing the Stage 1 learning maps. If you want, you can then move on to the deeper Stage 2 and Stage 3 learning maps, which come with their own badges, but also require you to apply the knowledge you learned to your company’s business. Only when you have proved that you applied the knowledge and successfully closed a deal will you be able to call yourself a Cisco Partner Academy Black Belt.

Then you can spread the word to your boss, your colleagues, and your customers that you’ve just earned the coveted black belt—in Cisco.

Tuesday 4 February 2020

Digital Green: Providing for those who provide for others


Smallholder farmers produce more than 80 percent of the world’s food. But they also make up 80 percent of the world’s poorest people, which means they often lack the resources to grow their businesses. Digital Green, a Cisco social investment partner, is using technology to change this equation.


The nonprofit began in 2008 with a vision of helping smallholder farmers improve agricultural practices and boost their incomes. They began by sharing information with farmers on how to increase their yields, producing thousands of locally relevant videos in more than 50 languages. But they realized that more needed to be done to boost farmer incomes. Just as important as growing food is having a place to sell it. That’s why Digital Green built the Loop app, which helps farmers aggregate their produce and get it to markets. It uses a learning algorithm to optimize vehicle routing so farmers get the best prices for their produce. With Loop, farmers can:


Investment from Cisco makes this possible. Cisco was the first donor to provide dedicated funding to support Loop. Farmers saw a gross increase in income of 17 percent as a result of using Loop. Our latest grant will help Loop spin off into a separate social enterprise. Through the collective power of technology and grassroots-level partnerships, Digital Green and Cisco are helping farmers lift themselves out of poverty.

Digital Green is a Cisco partner in our social investment focus area of critical human needs and disaster relief, along with Destination: Home, Mercy Corps and many others. Our Critical Human Needs and Disaster Relief portfolio focuses on increasing access to essentials like water, food, and housing. We also invest in technologies that help people in crisis, from delivering humanitarian aid to providing relief after natural disasters.

Cisco’s research helps guide our grantmaking and related investments to make a meaningful impact. These investments in nonprofit partners enable them to use technology-based solutions to improve how they operate and reach underserved communities. And they support conditions for the communities they live in to thrive. Our approach is to invest in early-stage solutions. This is the stage where funding is most needed and where we can make the biggest difference. Funding from Cisco and the Cisco Foundation helps nonprofits apply technology to:

◉ Create innovative solutions targeting individual and community needs

◉ Implement proof-of-concept pilots to validate viability of solutions

◉ Improve the delivery, quality, efficiency, and effectiveness of their products and services

◉ Scale to reach more people

◉ Replicate to multiple geographies globally

◉ Validate social impact

◉ Make progress toward financial sustainability

◉ Use data for better decision-making

We also provide our nonprofit partners with ongoing consulting services, advisory support, and technical expertise in areas including:

◉ Governance and operational structure

◉ Organizational leadership capacity

◉ Business planning and strategy development

◉ Impact evaluation

◉ Financial sustainability planning

It is important to confirm that the solutions we invest in are making a difference. We work closely with the nonprofits we fund to measure their effectiveness and impact. This measurement also provides partners with insights on how to improve. We measure both breadth (number of people reached) and depth (the impact their programs are making). Depth is measured with a standard set of metrics for each of our three investment focus areas, as well as custom metrics specific to our partners’ social objectives. We also ensure that solutions serve the communities that need them most. Grantees must validate that at least 65 percent of their programs’ participants are from underrepresented and vulnerable population groups. They also provide quarterly reports to share progress against targets that we agree upon, such as client satisfaction.


Thursday 30 January 2020

Securing Industrial IoT

It’s hard to ignore the ubiquity of the internet of things (IoT). Even if you’re one of those holdouts who don’t own consumer IoT devices such as a smart speaker, internet-connected thermostat, or a smart watch, industrial IoT (IIoT) devices—a subset of the IoT landscape—are already playing a part in your daily life. From the delivery of water and electricity, to manufacturing, to entertainment such as amusement park rides, IIoT devices are part of more industries than not, and have been for some time. Gartner recently estimated that there were 4.8 billion IIoT assets in the world at the end of 2019, and expects that number will grow by 21 percent in 2020.


The biggest issue faced in many operational technology (OT) environments, which host IIoT assets, isn’t just this growth, but also dealing with older industrial control systems (ICS) that have sometimes been in operation as long as 30 years. Many of these assets have been connected to the network over the years, making them susceptible to attacks. These legacy devices were often deployed on flat networks, at a time when the need for security took a back seat to other priorities, such as high availability and performance.

The discovery of vulnerabilities in these systems doesn’t always mean that patches are, or even can be, rolled out to fix them. Patching many of these IIoT assets means taking them offline—something that’s not always an option with critical infrastructure or production lines that rely on high availability. So patches are often not applied, and vulnerabilities stack up as devices age, leaving attackers with a large swath of exploits to attempt in the pursuit of compromising IIoT assets.

And the number of vulnerabilities discovered in IIoT devices is growing, as is evident in research carried out by Cisco Talos’ Security Research Team, whose mission is to discover vulnerabilities before the bad guys do. During their look back at 2019, Talos pointed out that they published 87 advisories about vulnerabilities in IoT and ICS devices—by far the largest category for the year. In fact, there were 23 percent more advisories published in this space than there were for desktop operating systems, the second largest category, and historical mainstay targeted by attackers.

This isn’t all that surprising in a field that’s growing this fast. But it’s worth considering how adding new assets into a network, as well as securely maintaining the OT network where assets reside, presents new challenges and naturally increases the attack surface.

So, if you’re using IIoT assets in your business, what sorts of threats do you need to look out for? And how do you protect your devices?

Getting in


The good news is that most IIoT assets aren’t directly exposed to the internet, meaning attackers must rely on other methods to get to them. In essence, the same techniques used in other attacks are used to get to IIoT assets.

The most common vector for compromise—email—certainly applies here. An attacker can attempt to gather information about engineers, plant managers, and developers that have access to IIoT systems and specifically target them with phishing emails. Compromising a computer owned by any of these users can be the most direct path to compromising IIoT assets.

Unpatched systems, simple or default device passwords, and relaxed remote access policies for maintenance contractors all offer attackers avenues of approach. Weaknesses in any of these can provide ways for an attacker to move laterally and gain access.

The reality is that IIoT-specific threats are not that common. There are threats that have attacked general IoT devices en masse, such as Mirai and VPNFilter. And there are threats like Stuxnet, which specifically targeted PLCs. Of course such highly targeted threats are cause for concern. But it’s far more likely that an IIoT device will be compromised and reconfigured by an attacker than be compromised by a trojan or a worm.

Scorching the earth


Let’s say an attacker sets their sights on bringing a particular business to its knees. He or she begins by crafting an enticing phishing email with a malicious PDF and sends it to HR in the guise of a job application. The employee responsible for monitoring job enquiries opens the PDF, effectively compromising the computer.

The attacker works his or her way laterally through the network, monitoring network traffic and scanning compromised systems, looking for logins and authentication tokens. Without multi-factor authentication enabled for access, they encounter few issues in doing so. The attacker eventually manages to compromise a domain controller, where they deploy malware using a Group Policy Object (GPO), successfully compromising the entire IT network.

Due to poor segmentation, the attacker manages to eventually work his or her way to the OT network. Once in, the attacker performs reconnaissance, flagging the IIoT assets present. The attacker identifies vulnerable services in the assets, exploits them, and knocks them offline.

Production grinds to a halt and the business is effectively shut down.

Defense with an arm behind your back


So how do you defend your IIoT assets and the OT network as a whole against attacks, especially for high-availability assets that can’t readily be brought down to patch?

Network monitoring is often the most effective step you can take. However, it’s important to passively monitor the traffic when it comes to IIoT assets. Active monitoring, where traffic is generated and sent through the network specifically to observe its behavior, can result in an increased load on the network, causing disruptions to device performance and even causing devices to fail. In contrast, passive monitoring listens to the traffic, fingerprinting what it sees, rather than introducing new traffic into the OT environment.

Keeping a current inventory of assets on the network is also very important in protecting the IT and OT networks. Passive monitoring can help to identify assets on the network, including errant and rogue devices. With a comprehensive list of devices, you can create policies for asset groups.

It’s also very important to segment your networks. Having a complete asset inventory and policies in place will help when figuring out how to segment your IIoT assets and the OT network. While this may not prevent a determined attacker from crossing the boundaries between different areas of the network, it can slow them down, providing more time to respond in the case of an attack. Explore implementing zones and conduits as discussed in ISA99 and IEC 62443 within your organization.

However, it’s worth noting that many IIoT assets leverage broadcast and multicast network communications, where one or more devices will send traffic to all other devices on the network. This can pose a challenge when aggressively segmenting a network. To address this, having a complete inventory of assets on the network is important. Strong dataflow mapping is also helpful when it comes to knowing which assets are talking to each other and how they interact as a whole.

Patching IIoT assets as soon as possible after a vulnerability is discovered is highly recommended. But if it isn’t possible to take a device offline to patch, then visibility becomes critical. It’s important to know what assets you have and the network layout to identify what absolutely must be patched. It may also be worth exploring IIoT redundancy within your network, allowing you to take one device down while others pick up the load during maintenance cycles.


Being able to detect IIoT traffic anomalies is also very helpful. Look for behavior that falls outside of what is expected, such as two IIoT assets talking to each other that shouldn’t be, unplanned firmware updates, unexpected configuration changes, or other anomalies.
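The inventory, dataflow-mapping, segmentation and anomaly points above can be combined into one passive check over observed flow records. The following Python is an added example, not code from Cisco or any Cisco product; the flow records, addresses, zone names and conduit table are constructed for illustration, and it assumes a default-deny policy that also applies to traffic inside a zone.

```python
from collections import defaultdict

# Constructed sample of passively observed flows: (src, dst, dst_port).
OBSERVED_FLOWS = [
    ("10.10.1.10", "10.10.2.21", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.10", "10.10.2.22", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.50", "10.10.2.21", 44818),  # engineering workstation -> PLC, EtherNet/IP
    ("10.10.2.21", "10.10.2.22", 502),    # PLC -> PLC, not expected in this plant
    ("10.10.3.99", "10.10.2.21", 502),    # address missing from the inventory
]
# Assumed asset inventory: address -> zone (zone names are hypothetical).
INVENTORY = {
    "10.10.1.10": "supervisory", "10.10.1.50": "engineering",
    "10.10.2.21": "cell-a", "10.10.2.22": "cell-a",
}
# Assumed conduits: (source zone, destination zone) -> permitted destination ports.
CONDUITS = {("supervisory", "cell-a"): {502}, ("engineering", "cell-a"): {44818}}

def dataflow_map(flows):
    """Map each (src, dst) pair to the ports seen, using observed traffic only."""
    talkers = defaultdict(set)
    for src, dst, port in flows:
        talkers[(src, dst)].add(port)
    return dict(talkers)

def rogue_assets(flows, inventory):
    """Addresses seen on the wire that are absent from the asset inventory."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}
    return sorted(seen - set(inventory))

def policy_violations(flows, inventory, conduits):
    """Flag flows involving unknown assets or not covered by a conduit."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = inventory.get(src), inventory.get(dst)
        if src_zone is None or dst_zone is None:
            findings.append((src, dst, port, "asset not in inventory"))
        elif port not in conduits.get((src_zone, dst_zone), set()):
            reason = f"port {port} not allowed from {src_zone} to {dst_zone}"
            findings.append((src, dst, port, reason))
    return findings

if __name__ == "__main__":
    print("rogue assets:", rogue_assets(OBSERVED_FLOWS, INVENTORY))
    for finding in policy_violations(OBSERVED_FLOWS, INVENTORY, CONDUITS):
        print("violation:", finding)
```

Because the check only reads flow records that were already captured, it adds no traffic to the OT network.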

Finally, threat hunting is a great way to look for and weed out threats within your OT environment. Proactively looking for bad actors doing bad things, building playbooks, and automating them will go a long way to improve your security posture.

Easing the burden


Protecting IIoT assets is arguably one of the more difficult tasks in security. There is a wide variety of devices, many of which operate in a very tailored manner and don’t respond well to the disruption that many security processes and procedures can cause.

Fortunately, there are a number of Cisco Security products that can help.

◉ Cisco Cyber Vision gives OT teams and network managers full visibility into their industrial assets and application flows. Embedded in Cisco industrial network equipment, it decodes industrial protocols to map your OT network and detect process anomalies or unwanted asset modifications.

◉ Identity Services Engine leverages the asset inventory built by Cisco Cyber Vision to create dynamic security groups and automatically enforce segmentation using TrustSec.

◉ ISA3000 is a ruggedized industrial firewall appliance you can deploy in harsh environments to enforce zone segmentation, detect intrusions, and stop network threats.

◉ Stealthwatch is a security analytics solution that uses a combination of behavioral modeling, machine learning, and global threat intelligence to detect advanced threats. Integrated with Cisco Cyber Vision, this visibility extends deep within the IIoT infrastructure.

◉ AMP for Endpoints can be used to protect engineering workstations within the OT environment.

◉ Duo’s multi-factor authentication can be used to prevent an attacker from gaining access to systems on the network as they attempt to move laterally.

◉ Cisco Email Security can detect targeted phishing emails aimed at IIoT operators and others, preventing malicious payloads from reaching their intended target.

Ultimately, a layered approach will provide the best security. For instance, Cisco Cyber Vision can automate visibility of industrial devices and secure operational processes. Integrated with Cisco’s security portfolio, it provides context for profiling of industrial devices in Stealthwatch, and maps communication patterns to define and enforce policy using granular segmentation via ISE.