Mar 02, 2021

Xage introduces Zero Trust remote access cloud solution for hard-to-secure environments

When a hacker broke into the computer systems of the Oldsmar, Florida water supply last month, it sent up red flags across the operational tech world, whether that’s utilities or oil and gas pipelines. Xage, a security startup that has been building a solution to help protect these hard-to-secure operations, announced a Zero Trust remote access cloud solution today that could help prevent these kinds of attacks.

Duncan Greatwood, CEO at Xage, says flat out that if his company’s software was in place in Oldsmar, that hack wouldn’t have happened. Smaller operations like the one in Oldsmar tend to be one-person IT shops running older remote access software that’s vulnerable to hacking on a number of levels.

“It’s not difficult to compromise a virtual network computing (VNC) connection. It’s not difficult to compromise a stale account that’s been left on a jump box. What we started to do last year was deliver what we call a Zero Trust remote access solution to these kinds of customers,” Greatwood told me.

This involves controlling access device by device and person by person by determining who can do what based on them authenticating themselves and proving who they are. “It doesn’t rely on knowledge of a device password or a VPN zone password,” he explained.

The solution goes further with a secure traversal tunnel, which relies on a tamper-proof certificate to prevent hackers from getting from the operations side of the house — whether that’s a utility grid, water supply or oil and gas pipeline — to the IT side where they could then begin to muck about with the operational technology.

Xage also uses a distributed ledger as a core part of its solution to help protect identity policies, logs and other key information across the platform. “Having a distributed ledger means that rather than an attacker having to compromise just a single node, it would have to compromise a majority of the nodes simultaneously, and that’s very difficult [if not impossible] to do,” he said.

What’s more, the ledgers operate independently across locations in a hierarchy with a global ledger that acts as the ultimate rules enforcer. That means even if a location goes offline, the rules will be enforced by the main system whenever it reconnects.

They introduced an on-premises version of the Zero Trust remote access system last October, but with this kind of technology difficult to configure and maintain, some customers were looking for a managed solution like the one being introduced today. With the cloud solution, customers get a hosted solution accessible via a web browser with much faster deployment.

“What we’ve done with the cloud solution is made it really simple for people to adopt us by hosting the management software and the core Xage fabric nodes in this Xage cloud, and we’re really dramatically reducing that time to value for a remote access solution for OT,” Greatwood said.

You might be thinking that CISOs might not trust a cloud solution for these sensitive kinds of environments, and he admits that there is some caution in this market, even though they understand the benefits of moving to the cloud. To help ease these concerns, they can do a PoC in the cloud and there is a transfer tool to move back on prem easily if they are not comfortable with the cloud approach. So far he says that no early customers have chosen to do that, but the option is there.

Xage was founded in 2017 and has raised $16 million so far, according to Crunchbase data.




Mar 31, 2020

Xage adds full-stack data protection to blockchain security platform

Xage, a startup that has been taking an unusual path to secure legacy companies like oil and gas and utilities with help from the blockchain, announced a new data protection service today.

Xage CEO Duncan Greatwood says that up until this point, the company has concentrated on protecting customers at the machine layer, but today’s announcement involves protecting data as it travels between parties, which is more of a classic blockchain security scenario.

“We are moving beyond the protection of machines with greater focus on the protection of data. And this announcement around Dynamic Data Security that we’re delivering today is really a data protection layer that spans multiple dimensions. So it spans from the physical machine layer right up to business transaction,” Greatwood explained.

He says that what separates his company from competitors is the ability to have that protection up and down the stack. “We can guarantee the authenticity, integrity and the confidentiality of data, as it’s produced at the machine, and we can maintain that all the way to [delivery to the various parties],” he said.

Greatwood says that this solution is designed to help protect data, even in highly complex data sharing scenarios, using the blockchain as the trust mechanism. Imagine a supply chain scenario in which the parties are sharing data, but each participant only needs to see the piece of data they need to complete their part of the transaction and no more. To do this, Xage has the concept of security fabric, which acts as a layer of protection across the platform.

“What Xage is doing is to use this kind of security outsource approach we bring to authenticity, integrity and confidentiality, and then using the fabric to replicate all of that security metadata across the extent of the fabric, which may very well cover multiple locations and multiple participants,” he said.

This approach enables customers to have confidence in the provenance and integrity of the data they are seeing. “We’re able to allow all of the participants to define a set of security policies that gives them control of their own data, but it also allows them to share very flexibly with the rest of the participants in the ecosystem, and to have confidence in that data, up to and including the point where they’ll pay each other money, based on the integrity of the data.”

The new solution is available today. It has been in testing with three beta customers, which included an oil and gas customer, a utility and a smart city scenario.

Xage was founded in 2016 and has raised just over $16 million, according to PitchBook data.

Oct 10, 2019

Xage now supports hierarchical blockchains for complex implementations

Xage is working with utilities, energy companies and manufacturers to secure their massive systems, and today it announced some significant updates to deal with the scale and complexity of these customers’ requirements, including a new hierarchical blockchain.

Xage enables customers to set security policy, then enforce that policy on the blockchain. Company CEO Duncan Greatwood says as customers deploy his company’s solutions more widely, it has created a set of problems around scaling that they had to address inside the product, including the use of blockchain.

As you have multiple sites involved in a system, there needed to be a way for these individual entities to operate, whether they are connected to the main system or not. The answer was to provide each site with its own local blockchain, then have a global blockchain that acts as the ultimate enforcer of the rules once the systems reconnected.

“What we’ve done is by creating independent blockchains for each location, you can continue to write even if you are separated or the latency is too high for a global write. But when the reconnect happens with the global system, we replay the writes into the global blockchain,” Greatwood explained.

While classical blockchain doesn’t allow these kinds of separations, Xage felt it was necessary to deal with its particular kind of use case. When there is a separation, a resynchronization happens where the global blockchain checks the local chains for any kinds of changes, and if they are not consistent with the global rules, it will overwrite those entries.

Greatwood says these changes can be malicious if someone managed to take over a node or they could be non-malicious, such as a password change that wasn’t communicated to the global chain until it reconnected. Whatever the reason, the global blockchain has this power to fix the record when it’s required.

Another issue that has come up for Xage customers is the idea that majority rules on a blockchain, but that’s not always a good idea when you have multiple entities working together. As Greatwood explains, if one entity has 600 nodes and the other has 400, the larger entity can always enforce its rules on the smaller one. To fix that, they have created what they are calling a supermajority.

“The supermajority allows us to impose rules such as, after you have the majority of 600 nodes, you also have to have the majority of the 400 nodes. Obviously, that will give you an overall majority. But the important point is that the company with 400 nodes is protected now because the write to the ledger account can’t happen unless a majority of the 400 node customers also agrees and participates in the write,” Greatwood explained.
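The difference between a plain majority and the per-party rule described above can be checked with a short sketch. This is an added example, not Xage code: the party names `A` and `B`, the node IDs and the function names are assumptions, and the 600/400 membership is constructed from the figures in the text.

```python
from collections import Counter

def _valid(approvals, membership):
    # Count each node once and ignore IDs that are not ledger members.
    return {n for n in approvals if n in membership}

def simple_majority(approvals, membership):
    """Classic rule: more than half of all nodes approve the write."""
    return 2 * len(_valid(approvals, membership)) > len(membership)

def per_party_majority(approvals, membership):
    """Rule from the text: a majority inside every party must approve."""
    totals = Counter(membership.values())
    yes = Counter(membership[n] for n in _valid(approvals, membership))
    # A tie (exactly half) is not a majority, so use a strict comparison.
    return all(2 * yes[party] > totals[party] for party in totals)

def build_membership():
    """Constructed membership: node ID -> owning party (600 vs 400 nodes)."""
    members = {f"a-{i}": "A" for i in range(600)}
    members.update({f"b-{i}": "B" for i in range(400)})
    return members

if __name__ == "__main__":
    m = build_membership()
    only_a = {f"a-{i}" for i in range(600)}
    both = {f"a-{i}" for i in range(301)} | {f"b-{i}" for i in range(201)}
    for label, votes in (("A alone", only_a), ("A and B", both)):
        print(label, simple_majority(votes, m), per_party_majority(votes, m))
```

With all 600 of A's nodes and none of B's, the plain majority passes while the per-party rule refuses the write, which is the protection for the smaller participant that the quote describes.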

Finally, the company also announced scaling improvements, which reduce computing requirements to run Xage by 10x, according to the company.

Feb 20, 2019

Xage brings role-based single sign-on to industrial devices

Traditional industries like oil and gas and manufacturing often use equipment that was created in a time when remote access wasn’t a gleam in an engineer’s eye, and hackers had no way of connecting to them. Today, these devices require remote access, and some don’t have even rudimentary authentication. Xage, the startup that wants to make industrial infrastructure more secure, announced a new solution today to bring single sign-on and role-based control to even the oldest industrial devices.

Company CEO Duncan Greatwood says that some companies have adopted firewall technology, but if a hacker breaches the firewall, there often isn’t even a password to defend these kinds of devices. He adds that hackers have been increasingly targeting industrial infrastructure.

Xage has come up with a way to help these companies with its latest product called Xage Enforcement Point (XEP). This tool gives IT a way to control these devices with a single password, a kind of industrial password manager. Greatwood says that some companies have hundreds of passwords for various industrial tools. Sometimes, whether because of distance across a factory floor, or remoteness of location, workers would rather adjust these machines remotely when possible.

While operations wants to simplify this for workers with remote access, IT worries about security, and the tension can hold companies back, force them to make big firewall investments or, in some cases, implement these kinds of solutions without adequate protection.

XEP helps bring a level of protection to these pieces of equipment. “XEP is a relatively small piece of software that can run on a tiny credit-card size computer, and you simply insert it in front of the piece of equipment you want to protect,” Greatwood explained.

The rest of the Xage platform adds additional security. The company introduced fingerprinting last year, which gives unique identifiers to these pieces of equipment. If a hacker tries to spoof a piece of equipment, and the device lacks a known fingerprint, they can’t get on the system.

Xage also makes use of the blockchain and a rules engine to secure industrial systems. The customer can define rules and use the blockchain as an enforcement mechanism where each node in the chain carries the rules, and a certain number of nodes as defined by the customer must agree that the person, machine or application trying to gain access is a legitimate actor.

The platform taken as a whole provides several levels of protection in an effort to discourage hackers who are trying to breach these systems. Greatwood says that while companies don’t usually get rid of tools they already have, like firewalls, they may scale back their investment after buying the Xage solution.

Xage was founded at the end of 2017. It has raised $16 million to this point and has 30 employees. Greatwood didn’t want to discuss a specific number of customers, but did say they were making headway in oil and gas, renewable energy, utilities and manufacturing.

Jul 23, 2018

Xage secures $12 million Series A for IoT security solution on blockchain

Xage (pronounced Zage), a blockchain security startup based in Silicon Valley, announced a $12 million Series A investment today led by March Capital Partners. GE Ventures, City Light Capital and NexStar Partners also participated.

The company emerged from stealth in December with a novel idea to secure the myriad of devices in the industrial internet of things on the blockchain. Here’s how I described it in a December 2017 story:

Xage is building a security fabric for IoT, which takes blockchain and synthesizes it with other capabilities to create a secure environment for devices to operate. If the blockchain is at its core a trust mechanism, then it can give companies confidence that their IoT devices can’t be compromised. Xage thinks that the blockchain is the perfect solution to this problem.

It’s an interesting approach, one that attracted Duncan Greatwood to the company. As he told me in December, his previous successful exits — Topsy to Apple in 2013 and PostPath to Cisco in 2008 — gave him the freedom to choose a company that really excited him for his next challenge.

When he saw what Xage was doing, he wanted to be a part of it, and given the unorthodox security approach the company has taken, and Greatwood’s pedigree, it couldn’t have been hard to secure today’s funding.

The Industrial Internet of Things is not like its consumer cousin in that it involves getting data from big industrial devices like manufacturing machinery, oil and gas turbines and jet engines. While the entire Internet of Things could surely benefit from a company that concentrates specifically on keeping these devices secure, it’s a particularly acute requirement in industry where these devices are often helping track data from key infrastructure.

GE Ventures is the investment arm of GE, but their involvement is particularly interesting because GE has made a big bet on the Industrial Internet of Things. Abhishek Shukla of GE Ventures certainly saw the connection. “For industries to benefit from the IoT revolution, organizations need to fully connect and protect their operation. Xage is enabling the adoption of these cutting edge technologies across energy, transportation, telecom, and other global industries,” Shukla said in a statement.

The company was founded just last year and is based in Palo Alto, California.

May 14, 2018

Xage introduces fingerprinting to protect industrial IoT devices

As old-school industries like oil and gas increasingly network entities like oil platforms, they become more vulnerable to hacking attacks that were impossible when they were stand-alone. That requires a new approach to security, and Xage (pronounced Zage), a security startup that launched last year, thinks it has the answer with a concept called ‘fingerprinting’ combined with the blockchain.

“Each individual fingerprint tries to reflect as much information as possible about a device or controller,” Duncan Greatwood, Xage’s CEO, explained. They do this by storing configuration data from each device and controller on the network. That includes the hardware type, the software that’s installed on it, the CPU ID, the storage ID and so forth.

If someone were to try to inject malware into one of these controllers, the fingerprint identification would notice a change and shut it down until human technicians could figure out if it’s a legitimate change or not.

Whither blockchain?

You may be wondering where the blockchain comes into this, but imagine if a honey pot of these fingerprints were stored in a conventional database. If that database were compromised, it would mean hackers could have access to a company’s entire store of fingerprints, completely neutering that idea. That’s where the blockchain comes in.

Greatwood says it serves multiple purposes to prevent such a scenario from happening. For starters, it takes away that centralized honey pot. It also provides a means of authentication making it impossible to insert a fake fingerprint without explicit permission to do so.

But he says that Xage takes one more precaution unrelated to the blockchain to allow for legitimate updates to the controller. “We have a digital replica (twin) of the system we keep in the cloud, so if someone is changing the software or plans to change it on a device or controller, we will pre-calculate what the new fingerprint will be before we update the controller,” he said. That will allow them to understand when there is a sanctioned update happening and not an external threat agent trying to mimic one.

Checks and balances

In this way they check the validity of every fingerprint and have checks and balances every step of the way. If the updated fingerprint matches the cloud replica, they can be reasonably assured that it’s authentic. If it doesn’t, he says they assume the fingerprint might have been hacked and shut it down for further investigation by the customer.
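The fingerprint check and the pre-calculated fingerprint for sanctioned updates, described in the sections above, can be sketched as follows. This is an added example, not Xage code: hashing the configuration with SHA-256 over canonical JSON, the field names, the device IDs and the class itself are all assumptions, and the sample configurations are constructed.

```python
import hashlib
import hmac
import json

def fingerprint(config):
    """Hash a device's configuration attributes (assumed scheme: SHA-256)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class FingerprintRegistry:
    def __init__(self):
        self.known = {}    # device_id -> currently accepted fingerprint
        self.pending = {}  # device_id -> fingerprint pre-calculated for an update

    def enroll(self, device_id, config):
        self.known[device_id] = fingerprint(config)

    def plan_update(self, device_id, planned_config):
        # Computed from the replica *before* the device itself is changed.
        self.pending[device_id] = fingerprint(planned_config)

    def check(self, device_id, observed_config):
        if device_id not in self.known:
            return "reject"              # no known fingerprint at all
        observed = fingerprint(observed_config)
        if hmac.compare_digest(observed, self.known[device_id]):
            return "ok"
        expected = self.pending.get(device_id)
        if expected and hmac.compare_digest(observed, expected):
            self.known[device_id] = self.pending.pop(device_id)
            return "ok-updated"          # change matches the sanctioned update
        return "quarantine"              # unexplained change: hold for review

def run_demo():
    # Constructed sample data.
    base = {"hardware": "plc-x200", "software": "fw-1.4.2",
            "cpu_id": "CPU-0001", "storage_id": "STO-0001"}
    tampered = dict(base, software="fw-1.4.2-modified")
    planned = dict(base, software="fw-1.5.0")
    reg = FingerprintRegistry()
    reg.enroll("plc-7", base)
    results = [reg.check("plc-7", base), reg.check("plc-7", tampered)]
    reg.plan_update("plc-7", planned)
    results.append(reg.check("plc-7", planned))
    results.append(reg.check("plc-7", base))      # old state no longer accepted
    results.append(reg.check("plc-99", base))     # device never enrolled
    return results

if __name__ == "__main__":
    print(run_demo())
```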

While this sounds like a complex way of protecting this infrastructure, Greatwood points out that these devices and controllers tend to be fairly simple in terms of their configuration, not like the complexities involved in managing security on a network of workstations with many possible access points for hackers.

The irony here is that these companies are networking their devices to simplify maintenance, but in doing so they have created a new set of issues. “It’s a very interesting problem. They are adopting IoT, so they don’t have to do [so many] truck rolls. They want that network capability, but then the risk of hacking is greater because it only takes one hack to get access to thousands of controllers,” he explained.

In case you are thinking they may be overstating the actual problem of oil rigs and other industrial targets getting hacked, a Department of Homeland Security report released in March suggests that the energy sector has been an area of interest for nation-state hackers in recent years.
