Thomas Brand, senior field applications engineer at Analog Devices.
To quote multinational electronics manufacturer Analog Devices’ (ADI’s) website, by way of being “a global leader in analogue, mixed signal, and digital signal [processing]”, ADI “help[s] solve the toughest engineering challenges”. So naturally, the manufacturer prides itself in its ability to utilise both analogue and digital signals in their industrial operations: one example being as a means to optimise their cyber security.
But as Thomas Brand, FAE in ADI’s EMEA Industrial Sales Team makes clear here, this is just one of the solutions that Analog Devices have integrated to reduce system breaches and leaks. In his capacity as senior field applications engineer, and a specialist in Ethernet, Thomas communicates regularly with customers about their industrial system solutions. He has essential thoughts on current attitudes, and the lessons to be learned, in relation to implementing security technologies—from two-factor authentication to edge-to-cloud and time sensitive networking.
Through this interview, Thomas discusses his experience, industry knowledge, and Analog Devices’ Industry 4.0 solutions at large with Electronics Point’s Sam Holland.
Sam Holland: Could we start with a bit about your background?
Thomas Brand: In my former company I was a hardware engineer, and then I moved to Analog Devices, where my first position was as an applications engineer. This was more involved with customer applications, so I was in deep contact with many customers—more the smaller ones back then.
Nowadays though, within my role as a field applications engineer, I deal with big, strategic customers in the industrial sector. I set out to build a deep relationship with them through—not only the selling of our products or even systems—but also in developing, and being involved in, the system processes that they require.
It is, however, impossible to have a deep technical knowledge about everything of course, especially as the ADI portfolio is becoming bigger and bigger. So all of us FAEs need to have specialist expertise in addition to seeing to the daily business and, when necessary, both providing and receiving the support of colleagues, who again, have the specific know-how. I personally am specialised in Ethernet communications, and because this goes hand in hand with Ethernet security, that's why the topic of cyber security itself is also of high importance to me.
SH: What do you think are the main concerns that engineers need to be aware of in relation to cyber security?
TB: The main concern is essentially that, for a lot of customers, it doesn’t occur to them to involve security features into their product already in the beginning of their development process. So many of them think: “Okay, we have a product release; we’ll add some security features afterwards”—but that's not easily possible. You have to involve the security features early on.
In fact, cyber security features typically conflict with other things like speed, usability and cost, so they are often the first things to be descoped from a design. This can have large consequences if the features were designed to protect critical parts of the system. Consider, for example, that not including a crypto accelerator block in a hardware design means you might have to do such encryption/decryption implementation in software that will then be slower and affect the system’s operation. Accordingly, the system architect may even elect to just not do encryption at all—even when it would be necessary to protect the sensitive data.
Another thing to bear in mind is that the product in question has to be expanded with the chosen security features. So to reiterate, security needs to be addressed early on in the development process: it’s important to work together, and in good time, with the customer to figure out how it's possible to implement the right, tailored, security. This is because every customer has another system and another requirement, so it’s not always possible to involve catchall security features throughout the different products offered. And because it does also depend on the product, this calls for really deep discussions with the customer.
But remember that security can relate to disadvantages, too: for instance, the speed probably will get slower for high-speed products, because more processes are needed for security features—these are concerns we have to think about. While, naturally, it makes sense to involve security features, people still need to ask: “Do I need all of the security features on offer?” And this means also intensive discussions with customers, establishing which security features, and levels of security, they want to have.
SH: What are your thoughts on time sensitive networking (TSN) approaches in cyber security?
TB: Almost everybody who deals with Ethernet and Ethernet devices is thinking about this at the moment: the question of whether TSN is or isn’t necessary. While it does depend on the product and the application, it’s generally becoming more and more important to have these features.
The biggest point here with TSN in relation to cyber security is to remember that, as more devices adopt Ethernet and TSN, they become part of the network and they increase the attack surface for exploitation. Adversaries see that network as more valuable to them: again, security is only as strong as the weakest link. Even if the customer thinks at first: “My product/my system/my application doesn't need any security features”, as soon as it’s connected to a network, it does need to have them. Otherwise, a hacker can attack through such an insecure device and into the whole system, where data can be taken out of the company, for example.
In other words, devices that are now connected via Ethernet may not need any security features in themselves, but because they participate in a network with devices that do require security, they could be used as the entry point for attackers to gain a foothold into the network. But ultimately, security features of devices at the edge should be looked at as a system of systems application.
SH: What do you consider to be the most beneficial solutions when it comes to implementing and maintaining the best possible cyber security?
TB: Authentication is one of the most beneficial solutions, particularly at multiple stages of a system: for humans, 2-factor authentication helps mitigate bad, weak and/or stolen passwords; and for devices, security protocols like transport layer security help determine which devices are authorised and which devices are not.
SH: When compared to other manufacturers, what would you say that ADI is doing differently in relation to implementing cyber security?
TB: At ADI, we offer a whole portfolio from the edge to the cloud. We want to deliver secure products, after all, and so we not only ensure secure connections between the components to the cloud or to the network, but also, we ensure that security is already at the edge of the whole signal chain.
A diagram that depicts Analog Devices’ joint analogue and digital (the transitional period of which is named the ‘Sweet Spot’) signal processing infrastructure, which ends in cloud-based security. Image courtesy of Analog Devices.
Fundamentally, ADI is uniquely positioned in that our products are typically at the edge, where real-world analogue signals are sensed, captured, and digitalised as data. Adding security as quickly as possible where the analogue-to-digital conversion occurs allows the security to remain embedded within the data as it moves to higher levels, including the cloud. By doing so, ADI makes it more challenging for an adversary to defeat or circumvent security features added at the edge.
SH: In regards to the current efforts in place to implement Industry 4.0 cyber security, to what extent do you think that attitudes towards cyber security may or may not improve throughout the industry in the foreseeable future?
TB: It's not a secret: everybody knows that more and more attacks are happening throughout the world. We’re seeing more and more reports of companies experiencing cyber security attacks, or that have had customer data stolen and/or leaked. So systems without any security features will not be acceptable in the future—devices will have to be secure.
And as already mentioned, there are some devices out there without any security features, meaning it’s possible for an attacker to break into a company system. But the more this happens, the more that security features grow as a result—and therefore, the more that everybody, customers included, continues to talk about security. And that’s even if they don't know much about it: they’ve at least heard about it and they are aware of its importance. They want to have secure products.
In fact, outside of traditional industrial attacks we hear about, the demand for security will also continue to grow from more general customers/operators/end users who in the past did not see a need for adding security to their systems. When reading the right articles, it might come as a surprise to some people that aspects of our lives, such as critical infrastructure, transportation, voting, and so on are all potentially vulnerable to attacks by adversaries. And this can cause socioeconomic damage, or even be seen as acts of war.
Such security exploits will continue to occur, but the attitude will change such that a system without any security will no longer be acceptable in the future. All in all, the general attitude regarding security could trend toward citizens demanding it as a common, i.e. public, good.
Analog Devices’ slogan. Image courtesy of Analog Devices.
SH: On a closing note, could you let me know more about your experience as senior field applications engineer for ADI?
TB: FAE work means being involved in large projects: you learn much about the customers’ applications and you also receive feedback from the customers, which means you get answers to important questions like: what are their requirements? What are their concerns?
You also have to keep an eye on market trends and discuss appropriate products and solutions with, not just the said customers, but our business unit as well. The advantage of our ADI location in Munich (most of our business units are in Ireland or the U.S., where our headquarters is based) is that I get a lot of insight into market trends from German customers, which covers a big industry: one of the main industries of the world, in fact.
That's a big advantage for ADI, I think: to have different perspectives from around the world, and to discuss them internally to make better products—especially those that are required by the whole market and throughout the whole world.
A big thank you to Thomas Brand for his prominent thoughts on Analog Devices’ industrial security solutions, edge-to-cloud communications, and more. With the importance of cyber security growing exponentially, such industry perspectives reflect the vital need for more informed attitudes to timely, well-integrated security features.