Whitepaper-Proactive-Fraud-Prevention-Industrial-IOT

Throughout the history of computing, one pattern recurs: once a technology enters large-scale use, malicious activity that exploits gaps in standards and norms follows, and keeps repeating. When many people owned PCs and copied games on floppy disks, the copying and spread of malicious virus code surged; the arrival of internet advertising turned viruses from a niche geek pursuit into a grey industry, and internet advertising fraud is reported to cause losses measured in billions every year.

The telecom industry has long fought network fraud and malicious behavior deliberately. Like weeds that grow back after every fire, fraud and malicious activity evolved rapidly as telecom's core business shifted from analog to digital services. Precisely for that reason, the telecom industry offers valuable lessons that can help us prevent malicious attacks on the Industrial IoT.


WHITEPAPER JULY 2020

PROACTIVE FRAUD PREVENTION FOR INDUSTRIAL IOT

4 ESSENTIAL CAPABILITIES TO STOP INDUSTRY 4.0 FROM BECOMING INTRUSION 4.0

INTRO

The Industrial Internet of Things (IIoT), with its drive toward Industry 4.0, is transforming businesses across a wide range of industries. While initially focused on operational efficiency and cost optimization, primarily via automation, the arrival of new technologies, such as 5G, is driving companies to look at IIoT opportunities in new ways. At the core of these new opportunities is the ability to collect and aggregate data from assets, devices, and machines, and turn that data into intelligent, value-generating actions that can be immediately carried out by humans or via automation.

The core value proposition of Industrial IoT, therefore, is that systems can operate with minimal to no interruption or intervention, which is why the emerging field of IIoT device command, control, and communication (C3) is so important. If, by definition, IIoT is dependent on a remote controlling intelligence, it follows that either compromising communications or sending false commands could cause catastrophic problems.

Unfortunately, with IIoT’s promise of ubiquitous connectivity and automation come the all too familiar risks of hacker intrusion, fraud, and revenue leakage. It’s a sad fact that fraud has been a reality as long as technology has been with us. At VoltDB, we’ve seen it happen across industries as diverse as telecommunications, online advertising, network management, and financial services. As soon as new business opportunities are introduced for revenue and innovation, new threats will follow. As our customers have learned, the only way to address threats is proactively, by architecting solutions that incorporate security into every step of their operations. This allows them to stop the threat at the first sign of it happening.

VOLTDB KNOWS FRAUD PREVENTION

VoltDB’s customers have already moved to proactive, preventive measures. Our technology is used across a wide range of industries and use-cases, including financial services, to prevent credit card fraud at swipe-time; telco, to block fraudulent calls before devices can connect; network management, to prevent DDoS attacks; and online advertising (AdTech), to stop fraudulent bots from stealing ad revenue.

[Infographic; the figures did not survive extraction: share of credit card fraud prevented; improvement in processing capacity; share of DDoS attacks prevented; time (<10 ms) to detect adbots and prevent revenue loss]

All these examples share one particularly important factor – the ability to act upon enormous volumes of fast-moving streaming data at the precise moment an exception is identified, and before the threat is fully manifested. This is the only way to move from post-loss reconciliation to proactive prevention.

THE IIOT STAKES ARE HIGH

When discussing IIoT security, it’s natural to focus on traditional topics, such as securing assets, preventing DDoS attacks, spoofing, bypass attacks, and others. But there’s another enormous implication in IIoT: the rise of the digital twin – a digital representation that enables physical assets and processes to be monitored, managed, tested, analyzed, and controlled in real-time. Digital twins can represent products, machines, robots, production lines, energy grids, medical patients, and more. In fact, for a successful, meaningful digital transformation, one can say that digitalization of all physical assets, living or nonliving, with evolving behavior, is quintessential. Thus, when we think of industrial automation in the context of Industry 4.0, we are really thinking of digital twins.

If a digital twin is an intelligent digital model that can be used to make physical assets perform in a predictable manner, it follows that hacking a digital twin can lead to manipulating its intelligence such that it performs in an unpredictable manner. In fact, hacking into a digital twin could be catastrophic, depending on what it is controlling. Imagine hacking the digital twin of an energy system, for example, or a robot in a medical device factory. The point is that the very IIoT devices that are necessary for a digital twin to function create multiple access points for attackers to exploit.

WHAT TELCO CAN TEACH US ABOUT IIOT

Throughout the history of computing, a clear pattern has emerged of malign activity that exploits standards and norms, appearing almost as soon as the technology in question reaches critical mass. As soon as people had PCs and started copying games on floppy disks, malign viral code started proliferating. The invention of internet bulletin boards turned virus management from an obscure problem into a major industry. Fraudulent internet advertising costs are measured in billions per year.

The telco industry, especially, has a long history of battling fraud, which accelerated rapidly as digital services took over from analog. It offers some valuable lessons that can be immediately applied to the prevention of IIoT fraud.

While standards and protocols are developed by standard bodies such as 3GPP for conducting standard business interactions between systems, the dynamic nature of fraud means there are no standards or protocols for addressing fraudulent behavior. The industry was simply not prepared for the lengths that fraudsters would go to in order to make money. Every industry experiences this and IIoT is not going to be any different.

So, if we look at the evolution of telco technology...

- Specialized ‘firmware’ equipment gave way to commoditized equipment.
- The specialty function is now software-enabled and software-defined (virtualization, containerization, etc.).
- Intelligence is now within the software, making it more nimble and agile for faster updates and patches.
- While becoming software-enabled means the system is more prone to malicious attacks, it also means that it can be modified to address these threats in addition to satisfying the normal functional requirements.

...we can see the same progression in IIoT:

- Specialized (and expensive) devices are giving way to commoditized sensors. Online articles predict that we will likely see <$6 devices by 2022.
- As with telco, the reason for this shift is that intelligence is moving from the device firmware into the controlling software. In other words, IIoT devices are becoming dumber in themselves, and depending on cloud interaction to provide intelligence. This creates the same vulnerabilities we have seen elsewhere.

While we are culturally predisposed to think of computer crime as the work of individual actors, the reality is that sophisticated ecosystems appear over time as unauthorized access becomes commoditized. The internet has ‘botnets for hire’, which give you wholesale access to other people’s compromised devices. Telco has a well-developed ecosystem for ‘SIM boxing’, which allows you to bypass international call costs. Because of the amount of money involved, and the difficulty in obtaining prosecutions, the involvement of professional criminals is inevitable.

Given this trajectory, it would be naive to assume that there is no requirement for high-level, automated, real-time oversight of IIoT networks. If history is a guide, we can expect to see dedicated businesses emerge whose goal is to secure the IIoT. Security will undeniably become a significant part of the total cost of ownership.

PREVENTING INDUSTRY 4.0 FROM BECOMING INTRUSION 4.0

Thanks to pioneering efforts across other industries - primarily telco and financial services - there is a proven solution for fraud prevention. Successfully addressing fraud requires four essential capabilities:

1. Data collection and processing must happen at the edge, closer to the source of the event.
2. Machine learning must happen in a central depository, so insights learned from local events can be shared globally.
3. Intrusion events must be identified and acted upon in real-time, which means single-digit milliseconds.
4. Real-time aggregation must be possible to obtain up-to-date aggregate views of the IIoT in order to manage it successfully.

When combined, these capabilities provide the ability to act upon enormous volumes of fast-moving streaming data at the precise moment an exception is identified, and before the threat is fully manifested. This is the only way to move from post-loss reconciliation to proactive prevention.

CAPABILITY 1: DATA COLLECTION AND PROCESSING MUST HAPPEN AT THE EDGE

For Industry 4.0 to become a reality, billions of sensors and IIoT devices will be needed to drive it. These devices produce a lot of data. Continuously sending that data to centralized systems for analysis before sending actionable results back to the device slows everything down and quickly negates the point of automation. That’s why Gartner and so many other analysts and industry experts talk about the speed at which distributed computing, storage, and resources are being pushed away from a centralized data center and closer to the location where they are needed. In other words, to the edge. Not surprisingly, Gartner predicts 75% of generated data will be processed outside centralized data centers or the cloud by 2025. It’s a shift that is happening now and it’s happening fast.

This matters in the context of threat prevention, because time is the critical element. To move to a prevention model, the entire event data management cycle of ingest-store-aggregate-measure-detect-decide-act must happen in single-digit milliseconds. This means decisioning must happen as close to the event source as possible. You simply can’t achieve the real-time, single-digit millisecond decisioning necessary for intrusion prevention when you need to make trips back to the centralized data center or run a batch process on your backend database.

But for processing at the edge to be effective, it requires ‘intelligence’ to reside in a central depository, where it can deliver insights back to multiple edges to ensure precise, in-the-moment decision making. This is the domain of machine learning.

Sidebar: Gartner lists the ‘Empowered Edge’ as one of its Top 10 Strategic Technology Trends. Empowered edge looks at how these devices are increasing and forming the foundations for smart spaces, and moves key applications and services closer to the people and devices that use them.

CAPABILITY 2: MACHINE LEARNING MUST HAPPEN IN A CENTRAL DEPOSITORY

Real-time threat prevention requires automatically analyzing every event inside massive streams of fast data, and looking for exceptions in that event data. You then leverage those exceptions to ask, “Is this a threat?” and act upon the answer. Presenting an accurate answer is made possible by machine learning.

In the context of intrusion detection, we must understand that machine learning cannot be a one-time activity. Fraudsters are continuously evolving their activities and levels of sophistication. Just being able to apply a collection of static rules and alert someone is not enough. The only way to counteract fraud is to stay many steps ahead of evolving intrusion events and threats, and act to secure everything instantly. When real-time data can be continually fed into the machine learning layer, new insights are generated frequently by retraining the model. These retraining exercises generate new predictive and prescriptive insights that are better aligned with reality. Thus, machine learning plays a truly mission-critical role in IIoT

fraud prevention. Threats will keep evolving but, if machines can keep learning, they can continue to secure the network against bot attacks and intrusions.

A challenge in all industries, especially with IIoT, is the sheer volume of data streaming in at high speed. Turning that data into valuable insights means being able to first sort the useful data from the noise, before it’s moved into the central depository. Otherwise it’s just noise building upon noise, and of no use to real-time decisioning.

Put this all together and the result is a machine learning engine that has moved beyond a localized context and into a globalized context. So, what you learn ‘over here’, you can actually feed to ‘over there’. For example, if a digital twin of a production line in factory A gets attacked, the ‘learnings’ from the attack, along with the prevention mechanism created in the central depository, are then used to preemptively watch for the same threat in factories B & C. The same intelligence also takes care of processing false positives. After all, no IIoT manufacturer wants to shut down a production line because of one bad sensor.

Machine learning handles complex relationships and dependencies that humans couldn’t even begin to unravel and understand in the necessary timeframe, and it’s that element of time that leads us to the third critical capability.

CAPABILITY 3: INTRUSION EVENTS MUST BE IDENTIFIED AND ACTED UPON IN REAL-TIME

For IIoT to provide value, decisions must occur within the moment, and it’s this need for precise real-time that is driving core IIoT investment decisions. Near real-time is no longer enough.

The shift in machine-to-machine and process automation demands that the entire cycle, from event data ingestion through automatically triggering the necessary protection, be completed within single-digit milliseconds. Otherwise, the intrusion is already ‘in the system’ and causing untold damage.

But let’s be clear, we’re talking about more than simple ingestion and movement of data. As we’ve seen, the new expectation of real-time includes applying sophisticated rules, algorithms, and machine learning models to multiple streams of event data, using that analysis to detect exceptions, and then making and acting upon a decision – all within 10 milliseconds. Without that, event data just becomes more noise, taking up server space.

For real-time decisioning to become a reality, a holistic data platform is needed; one that brings database and stream processing together to address the entire event data management cycle of ingest-store-aggregate-measure-detect-decide-act, and where the captured data driving those decisions and actions can be sent to centralized platforms to continuously improve learning and stay many steps ahead of hackers and fraudsters.
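Capabilities 1 and 2 describe a split: decide at the edge on every event, forward only the exceptions, learn centrally, and push what was learned back to every edge, including edges that never saw the attack. The Python sketch below is an added example written for this page; it is not VoltDB code and not from the whitepaper. It assumes a running z-score baseline as a stand-in for the machine learning model, a per-event-kind ceiling as the shape of the rule the central depository pushes out, and constructed command-rate events from hypothetical factories A, B and C.

```python
"""Edge decisioning with centrally learned rules (added example; not VoltDB code).
Assumptions: a running z-score baseline stands in for the ML model, and the rule
pushed from the central depository is a per-event-kind ceiling."""
from collections import deque
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Event:
    site: str      # which factory / edge produced the event
    kind: str      # e.g. "cmd_rate": commands per second sent to a digital twin
    value: float


class EdgeNode:
    """Sits next to the event source: decides in-process on every event, keeps a
    short baseline of normal values, and forwards only exceptions to central."""

    def __init__(self, site, window=50, zmax=4.0, min_history=10):
        self.site = site
        self.history = deque(maxlen=window)  # recent normal values only
        self.zmax = zmax
        self.min_history = min_history
        self.rules = {}        # kind -> ceiling pushed from the central depository
        self.forwarded = []    # exceptions waiting to be shipped centrally

    def decide(self, ev):
        # 1. A globally learned rule applies first: no warm-up needed at this edge.
        ceiling = self.rules.get(ev.kind)
        if ceiling is not None and ev.value > ceiling:
            self.forwarded.append(ev)
            return "block:rule"
        # 2. Local baseline, usable only once enough normal traffic has been seen.
        if len(self.history) >= self.min_history:
            mean = statistics.fmean(self.history)
            sd = statistics.pstdev(self.history) or 1.0  # guard a perfectly flat baseline
            if (ev.value - mean) / sd > self.zmax:
                self.forwarded.append(ev)  # only the exception leaves the edge
                return "block:local"
        # 3. Normal traffic stays local and refines the baseline; blocked events never do.
        self.history.append(ev.value)
        return "allow"

    def baseline_max(self):
        return max(self.history) if self.history else None


class CentralDepository:
    """Receives exceptions (not raw telemetry) from every edge, derives a global
    rule from them, and pushes it to all edges, including ones that never saw
    the attack. Exceptions are treated here as confirmed; a real depository
    would also weed out false positives at this point."""

    def __init__(self, edges):
        self.edges = edges
        self.exceptions = []   # exceptions collected from all edges so far

    def retrain(self):
        for e in self.edges:
            self.exceptions.extend(e.forwarded)
            e.forwarded.clear()
        pushed = {}
        normals = [m for m in (e.baseline_max() for e in self.edges) if m is not None]
        for kind in {x.kind for x in self.exceptions}:
            lowest_attack = min(x.value for x in self.exceptions if x.kind == kind)
            # Hypothetical rule shape: ceiling halfway between the highest normal
            # value seen on any edge and the lowest value confirmed as an attack.
            ceiling = (max(normals) + lowest_attack) / 2 if normals else lowest_attack
            for e in self.edges:
                e.rules[kind] = ceiling
            pushed[kind] = ceiling
        return pushed


NORMAL = [10, 12, 11, 13, 12, 10, 14, 11, 12, 13] * 3  # constructed steady command rates


def run_demo():
    a, b, c = EdgeNode("factory-A"), EdgeNode("factory-B"), EdgeNode("factory-C")
    central = CentralDepository([a, b, c])
    for v in NORMAL:
        a.decide(Event("factory-A", "cmd_rate", v))
        b.decide(Event("factory-B", "cmd_rate", v))
    # Factory C is newly commissioned and has no local baseline yet.
    hit_a = a.decide(Event("factory-A", "cmd_rate", 80))  # caught by A's own baseline
    rules = central.retrain()                             # learned 'over here'...
    hit_c = c.decide(Event("factory-C", "cmd_rate", 80))  # ...applied 'over there'
    return {"a": hit_a, "c": hit_c, "ceiling": rules["cmd_rate"],
            "shipped_from_a": len(central.exceptions)}


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is the one the text makes: a freshly commissioned edge with no history would let the first burst through, whereas the rule pushed from the central depository blocks it on first sight. Only the one exception ever leaves factory A; the thirty normal readings stay local, which is the "sort the useful data from the noise before it moves centrally" step.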

CAPABILITY 4: AGGREGATION - FRAUD PREVENTION’S SECRET SAUCE

We’ve already discussed how data streaming in and out of a digital twin enables a physical asset or process to be monitored, managed, tested, analyzed, and controlled. An entirely different layer of value becomes available when you start to look at the collective behaviour of digital twins in the aggregate, especially if you can do so in real-time. While the behaviour of individual elements may be harmless, bad things can happen when that behaviour is scaled. Let’s look at two examples:

Example #1: In the United Kingdom, the companies managing the power grid must pay close attention to TV schedules, as broadcasting popular programs can lead to a ‘TV pickup’, where several million people turn on a kettle to make tea at more or less the same time and threaten to drain the grid. This demonstrates how events that are harmless at an individual level can become dangerous at the aggregate level.

Example #2: In 2017, popular mapping applications directed motorists towards dangerous fires, because their flawed aggregate view of the world indicated that the roads in the area were mysteriously empty. This demonstrates how a failure to properly interpret aggregate information can lead to dangerous situations.

The lesson is clear: Just as the IIoT assumes we have a command and control loop that operates on millisecond timescales, we also need to be able to obtain up-to-date aggregate views of the IIoT in order to manage it successfully.

A VoltDB customer in the business of IIoT smart meters manages communications network capacity on the dedicated communications system for the power network. Mission critical messages like, “Please turn off the gas. Your building is on fire.” can get through even when there are millions of requests for routine readings being made.
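The ingest-store-aggregate-measure-detect-decide-act cycle from Capability 3, the aggregate view from Example #1, and the smart-meter priority case above, as one added Python example written for this page (not VoltDB code). It assumes constructed meter readings, a constructed grid capacity and per-meter limit, and a constructed per-interval slot count on the communications network; the replace-on-update sliding window and the bounded priority queue are design choices of this example, not anything the paper describes.

```python
"""Real-time aggregate views and message priority for a smart-meter network
(added example; not VoltDB code). All capacities and readings are constructed."""
from collections import deque
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class Reading:
    ts_ms: int
    device: str
    kw: float      # current draw reported by one meter


class AggregateMonitor:
    """Sliding-window sum of demand across all devices, so behaviour that is
    harmless per device (one kettle) is caught when it scales (the TV pickup)."""

    def __init__(self, window_ms, per_device_kw, grid_capacity_kw):
        self.window_ms = window_ms
        self.per_device_kw = per_device_kw
        self.capacity = grid_capacity_kw
        self.window = deque()   # readings inside the window, oldest first
        self.latest = {}        # device -> its latest kw (each device counted once)
        self.last_ts = {}       # device -> timestamp of that latest reading
        self.total = 0.0        # the live aggregate view

    def ingest(self, r):
        # ingest + store + aggregate: replace the device's previous share, evict old
        self.total += r.kw - self.latest.get(r.device, 0.0)
        self.latest[r.device] = r.kw
        self.last_ts[r.device] = r.ts_ms
        self.window.append(r)
        cutoff = r.ts_ms - self.window_ms
        while self.window and self.window[0].ts_ms < cutoff:
            old = self.window.popleft()
            if self.last_ts.get(old.device) == old.ts_ms:   # no newer reading: drop its share
                self.total -= self.latest.pop(old.device)
                del self.last_ts[old.device]
        # measure + detect + decide: per-device check first, then the aggregate view
        if r.kw > self.per_device_kw:
            return "device_over_limit"
        if self.total > self.capacity:
            return "aggregate_over_capacity"
        return "ok"


class MessageGate:
    """Per-interval slot budget on the dedicated communications network. Routine
    readings fill the slots; a mission-critical message still gets through by
    displacing the newest routine request. Memory stays bounded by the slot count."""

    def __init__(self, slots_per_interval):
        self.slots = slots_per_interval
        self.queue = []   # min-heap of (priority, -seq, msg): lowest priority, newest first
        self.seq = 0

    def submit(self, priority, msg):
        self.seq += 1
        item = (priority, -self.seq, msg)
        if len(self.queue) < self.slots:
            heapq.heappush(self.queue, item)
            return True
        dropped = heapq.heappushpop(self.queue, item)  # push, then evict the smallest
        return dropped is not item   # False if the new request itself was dropped

    def drain(self):
        # act: send highest priority first, oldest first within a priority
        sent = [msg for _, _, msg in sorted(self.queue, reverse=True)]
        self.queue.clear()
        return sent


CRITICAL = "Please turn off the gas. Your building is on fire."


def run_demo():
    mon = AggregateMonitor(window_ms=1000, per_device_kw=3.0, grid_capacity_kw=1000.0)
    # 500 meters, each drawing a harmless 2.5 kW, all within one second
    verdicts = [mon.ingest(Reading(i, f"meter-{i}", 2.5)) for i in range(500)]
    gate = MessageGate(slots_per_interval=100)
    for i in range(10_000):                 # routine readings flood the network
        gate.submit(0, f"reading meter-{i}")
    accepted = gate.submit(9, CRITICAL)     # arrives last, after the slots are full
    sent = gate.drain()
    return {
        "first_alarm_index": verdicts.index("aggregate_over_capacity"),
        "alarms": verdicts.count("aggregate_over_capacity"),
        "peak_total_kw": mon.total,
        "critical_accepted": accepted,
        "critical_sent_first": sent[0] == CRITICAL,
        "sent": len(sent),
    }


if __name__ == "__main__":
    print(run_demo())
```

Every reading passes the per-device check (2.5 kW against a 3 kW limit); only the aggregate view sees the 401st meter push the grid past 1000 kW. Each ingest is amortised O(1), which is what keeps the full cycle inside a millisecond budget; the per-device replace step matters because a meter that reports twice inside the window must not be counted twice. The gate never holds more than one interval's worth of slots, so ten thousand routine requests cannot crowd out the fire message.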

This ever-evolving, always up-to-date understanding of the state of the network is only possible with the ability to create and analyze aggregate views of activity which, in turn, is necessary to immediately identify and prevent fraudulent activity.

HOW VOLTDB HELPS

The IIoT offers companies enormous opportunities for operational efficiency, cost optimization and profitability, but its ubiquitous connectivity and movement of data introduces risk. Business owners can focus on reaping the value benefits of IIoT by identifying common pitfalls and ways to avoid them. Luckily, the technology exists to automatically identify and act upon a threat or intrusion at the exact moment it is happening, and before it leads to revenue loss.

VoltDB isn’t in the business of developing applications, but we are making sure that our customers can take full advantage of the IIoT opportunity by eliminating the known risks. Selecting a platform designed by experts and proven to work by some of the most recognizable industry pioneers in the world allows you to skip much of the trial and error that plagues companies trying to launch new initiatives. VoltDB’s ability to apply machine learning rules to detect and prevent intrusions in IIoT networks is grounded in a solid history of solving some of the biggest fraud challenges around the globe.

Using VoltDB, telco businesses are saving millions of dollars by evolving from post-call fraud determination to preventing connection of fraudulent calls. Financial services companies have moved from end-of-day reconciliation to in-transaction credit card fraud prevention. And the same live analysis approach, using a combination of edge processing and centralized machine learning to ingest millions of individual events from multiple streams of data, check for numerous forms of suspicious behavior, detect anomalies, and take action in less than 10ms, is how VoltDB is increasing the success rate of intrusion and fraud prevention in IIoT.

In short, VoltDB delivers the 3 core capabilities necessary for intrusion detection and prevention:

1. Intelligent processing of massive streams of fast data happens at the edge, closer to the source of the data, to achieve the necessary real-time latencies.
2. Machine learning happens in a central depository, with real-time data being continually fed into the machine learning layer for frequent retraining of the model, so new predictive and prescriptive insights are better aligned with reality. This allows customers to combat false positives and false negatives more effectively, ensuring process optimization doesn’t need to compromise customer satisfaction or experience.
3. Continual retraining of the model means insights are immediately assimilated into a real-time decision-making process, so ever-evolving intrusion events can be identified and acted upon in real-time, which means single-digit milliseconds.

Our operational database offers the infrastructure needed, with a small footprint, a streaming engine, a notification system, and low latency to improve data accuracy. This enables companies to accelerate their digital transformation efforts in a disruptive manner, bringing together a holistic approach to real-time data handling. While this paper focuses on intrusion prevention, the same built-in integration with data sources, sinks, and machine learning models also allows responsiveness to a market, customer, or production event in the most opportune manner.

CONCLUSION

The use of IIoT devices in industrial settings is exploding and will continue to do so. 5G, edge computing, AI, machine learning, advanced real-time analytics and other disruptions have the potential to change the application of IIoT in ways that are difficult to predict.

But one aspect of this rapid growth is easy to predict. Fraudsters will be stepping up their efforts to hack IIoT networks and drain revenue from a multitude of businesses.

IIoT is already proving to be a gamechanger. But for it to work as promised, devices must be running and optimized to ensure they operate at full capacity, and data must flow into the digital engine without compromising its usefulness and intent. With the rise of more process automation, digital twins, and real-time control loops, companies must ensure that security becomes intertwined with business-as-usual operations, and not treated as a separate action that is only addressed when time allows.

Securing IIoT networks will require intelligent threat detection and prevention solutions that automate the process of not just mitigating risks, but proactively preventing them. VoltDB has years of experience doing this across multiple industries and use cases.

VoltDB helps global organizations evolve from big data analytics to fast data decisions and instantly derive value from anomalous events captured across multiple streams of fast data. While this paper has focused on how precise decisions, made in less than 10ms, can directly prevent digital fraud, companies also use VoltDB to influence in-the-moment monetization and power digital transformation initiatives. To find out more, contact us today.

ABOUT VOLTDB

VoltDB empowers global organizations to leverage emerging 5G latency standards to power new revenue opportunities, transform their business and operational support systems, or develop strategic integrations for their enterprise customers. The platform instantly derives value from anomalous events captured across multiple streams of fast data, directly influencing in-the-moment monetization, preventing digital fraud, and supporting digital transformation initiatives. VoltDB is purpose-built to address application-specific scale and latency challenges and augment previous big data and messaging investments to enable businesses to evolve from big data analytics to fast data decisions. For more information, please visit voltdb.com/.

VoltDB began as an in-memory database built for cloud deployment and continues to strengthen its stream-processing capabilities; its natively distributed architecture provides scalability while fully meeting ACID requirements, keeping data safe and reliable. VoltDB uses relational storage and supports a strict transaction model and standard SQL. Its architecture was designed from scratch under the leadership of Dr. Mike Stonebraker, winner of the 2014 Turing Award.