Speaking of Service

Impact of AI [or in reality enhanced Machine Learning] in an IoT Environment

April 17, 2024 PTC Episode 30

AI has become a buzzword that is used each and every day in a variety of different contexts. What about when it comes to field service organizations – is AI really just enhanced Machine Learning? We have brought in an expert in the field, James Penney, Chief Technology Officer at Device Authority, to share his experience and give us an overview of where AI and Machine Learning stand today.


Welcome to Speaking of Service, the podcast that uncovers practical ways to grow service revenue, control costs and improve customer satisfaction. If you're looking to innovate, gain a competitive edge, or just learn about the latest service trends, you've come to the right place. Today, Anthony Martha meets with James Penney, Chief Technology Officer at Device Authority, to share his experience and to give us an overview where A.I. and machine learning fit into organizations today. Well, good day, everyone. This is Anthony Martha here for Speaking of Service. Thank you for joining us for Session two of our three-part series on security. Today I have joining me James Penney. James is from Device Authority. James, welcome to the show. Thank you very much for. I'm Nancy. And I'd like you to just give a very short introduction of who you are and what you do for Device Authority. Sure, I'd be happy to. So my name's James Penney. Obviously, I'm the CTO of Device Authority, having done security for about 17 years now in various different aspects. But obviously most recently as all around IoT, I worked very closely with PTC on a number of things for a number of years actually as well. And so obviously as a CTO, I'm responsible for a lot of the product strategy and the vision and the sort of deeper technical goings on at Device Authority and responsible for a key scalable platform, which is an IoT sort of identity and access management and kind of security control center for IoT devices at scale. So what we're talking about here, though, and there's nothing to make light of, right? Machine learning is that absolutely important part of modernizing and streamlining the process of service. But an AI environment's a little higher level than that. It's starting to make that machine think even more human. Like not just being pattern recognition. Yeah. And it really is the umbrella term for a lot of those things.
I think, you know, the reason for the uptick, I think now there's an expectation, especially on tech companies, to do something with AI, if you want to call it that. And even I was reading recently that in Q2, I think it was this year of earnings calls, something like 67% of companies who like mentioned AI in their earnings calls, they saw their stock price rise effectively. The share price went up almost instantly. And you only have to look at like Nvidia, for example, as well to see how well it's kind of gone for them. In terms of referencing A.I., I mean, they're very focused on it and I think they're always doing great things. But you can see the impact that it has and how that expectation makes its way almost into the boardroom and then trickles down a little bit from that. So we know that AI and machine learning really rely on data to be fed to them, and that's what an IoT system is doing. An IoT platform is really accumulating that data and feeding it into the IoT to that environment. So I'm going to use that data to learn. But what about the impact of AI and ML on that environment, on that IoT platform? Right. There's a relationship between these two: one's giving it the data. What's the other one doing for that environment? What's AI and ML doing to that environment? If we just take a step back a little bit, one thing that you have that's very apparent with IoT and associated with the platforms is that you have this big scale problem. Right at the end of the day, there's a scale problem in terms of the number of devices you deploy versus I think the number of people that you probably have to manage them. And there's a couple of different ways, I think, to dissect what machine learning could really do for the sort of platform side.
I will say this as a slightly more kind of general statement is I think it's like inevitable in every IoT enterprise use case, at least, and not just from a security perspective, which I'm sure we can get on to that, too. But the fact that there's like I was saying, there's just too many devices and not enough humans. And I think when you start to want to get this value from this data, the only way you're going to be able to do that is really through those processes, right? So I mean, if you take a look, we talk about some examples. So if you take a look at like predictive analytics, right, that seems like a pretty sort of low-hanging fruit variety, I think, because that's really where you're going to start looking at it and saying, oh, you know, that part's going to fail within a certain number of hours based on other data that we might have seen. And I think the interesting evolution, and I'm sure you would have seen it too, is if you actually went back and looked at your or reviewed IoT use cases from like five or six years ago or whatever it might be, seven or eight or something like that. They were quite binary, right? So it was I just want to get data. You take like an oil well or something, a connected pump for like a well. It used to be, I just want to know how many liters I'm putting out or whatever it might be or gallons obviously, and how much I'm producing each day. And now it's, well, how is that compared to all the other wells and fields that I have deployed? And how is that production stacking up, you know, in terms of other metrics? And I think IoT has naturally progressed on to these more difficult problems to answer that doesn't come from these sort of very static processes. And I think people are generally used to implementing and the data is a core part of that and the platform is a massive part of that whole process, ingesting that data, you know, helping to organize it, feeding it into those processes.
So being the presentation for the warnings and what you're seeing and the output and the visualization of that data is incredibly important. And I think the two go hand in hand really well. But if you, you know, you can have a really good demo process. But if you're not seeing it or visualizing it or connecting it to anything else, then there's probably not much point in really doing it. So, you know, I think they're going to it really helps to drive a lot of the value that you get from the IoT platform itself. And it's not only that, you know, if you take a look at some other sort of examples of this machine learning like image and video processing, right? So the idea of monitoring, we were referencing in the previous conversation, but monitoring, you know, the sheer volume of connected cameras and things like that that you might have to keep a place physically secure, just not enough people potentially for that. So I think, you know, they go really well together. And I do think there's some level of machine learning whether you actually go out and like build it yourself or anything like that. I'm sure a lot of people won't have an interest necessarily in doing that. I think as many tools as are available to help kind of create this almost out of the box experience for them and to help visualize that and understand what it means when they get these answers out of the platform in order to do something with them. I think those two processes go so well fired because there's just not enough people.
That and you bring up a really interesting point and that in the IoT space, we're talking scale, we're talking tens, thousands, hundreds of thousands of assets that are connected and creating this data, this information. Obviously, part of that process has to be validating that data because the old term garbage in, garbage out, if I accumulate a lot of data, which is useless data, but I'm building a model off of it, well, that does me no good. Do you see AI and ML playing a role in that validation of data? Looking at the data for consistency and making sure, yeah, this is what I expect to see as opposed to, you know, this is kind of strange. Yeah. And it's a funny problem to look at because you mentioned consistency, that which I think is a really interesting facet of the whole conversation and what you really want your it's like a general machine learning process. I want to see anomalies in my data. That's what I probably have implemented it to try and detect. Right. If the pressure on the pumps only goes up really high and it's about to explode, I probably want to know about that and detect that. But at the same time, how do I know that it's not just another device like sending or the device has been compromised and someone was trying to get me to roll a truck for whatever reason out of that well or creating havoc within my environment to try and, you know, either for monetary gain or for malicious intent or whatever it might be. How do you kind of tell the difference between that? And I think it becomes this sort of multilayered approach. I think there's several different ways in which you could apply machine learning to IoT in order to get the best out of it. So you could take a look at the data points and you can say, Oh, there's an anomaly of precious. This comes straight off, right? And we need to be mindful of that. But I think it also comes from trusting that data.
It comes from a place of trust in the device. And I think the device trust nowadays is something that's really, it's tough. It's a tough question to answer sometimes. You know, it used to be, again, quite binary. I present a credential and I'm that device, and now it seems like it needs to go a little bit deeper and you need to kind of take a look at this evolution of security for these devices in order to be able to trust the data. So you can trust the device. So you can trust the data so you don't necessarily end up with that garbage in, garbage out process. You know, it used to be you could connect between nine and five maybe, or something. That might be a limitation on that. In terms of your device's authorization, obviously authorization not the same as authentication. Authentication is who you are, and authorization is what you're really allowed to do. But in terms of maintaining this kind of authorization state, you know, maybe you said my factory is only running between nine and five. Nothing should be doing anything outside of nine to five. Right. And that's quite a binary authorization question. And now it might be, you know, it was for the last two years, it's been connecting in ten times a day to do whatever job that it needed to be doing. And all of a sudden, it's running 100 times a day. And is it still between the hours of nine and five? But there's something going on there that's causing the behavior, I think, of that particular device to change. So there's a big security aspect around indicators of compromise for devices. And those are things that, you know, just like monitoring CPU, for example, maybe it's just 25%, everyone else is using 25% CPU to do that thing that just or whatever it is.
And, you know, you got one that suddenly starts using 100% as either something wrong or this process is running on that particular device that shouldn't be, you know, using machine learning to kind of monitor the network traffic as well is something because if you think about detail or ransomware that might get in and try and find its way to other areas within the company through these connected devices to, I think, look, monitoring the network code, for example, can be a good place to look as well. But you're really necessarily trying to figure out how someone got in. You're looking potentially for those indicators of compromise to trust the device on an ongoing basis. So ongoing and continuous validation and authorization of these devices that are effectively providing the data to the platform and the processes. Yeah. And that's I mean, what you're really talking about here is identity theft at a device level. We know it as individuals that somebody may steal identity and start to leverage that to do something nefarious. And you're putting this down at a device level and saying, well, it's still a possibility. We may very well have a situation where people will steal the identity of an asset and use that asset to do certain things. And how do you protect against that? Right. This is really what one of the things that Device Authority is really focused on: how do you protect these field-based assets from this kind of attack? Yeah, and it's important to remember that the attacks on these devices are also a bit easier depending on the physical security of where your devices are deployed. I mean, you know, you spend all that money in the workplace to protect people with firewalls and physical security and things like that. And then, you know, might be an unattended location wherever you're deploying these devices.
And the physical security is not that people probably have better physical or easier physical access to some of these, depending on your use case. So I think it's critical to have these kind of device bound identities and that continuous validation that I was just mentioning. So if as long as there are, you know, TPMs, I think players play a really good role. I think TPMs from a hardware perspective really help bind identities to devices. A lot of the stuff that we see, you know, the requirements this come through and it's got to be TPM, which is great to see back. And you know, probably what it might be five, six, seven years ago again when IoT, I think was a little bit more of let's see what we can do with it compared to the very serious thing that it is now. TPMs, whenever they're trying to hit on the requirement list, they weren't being considered. It costs an extra $3 or something on the BOM of the device. And I don't think it was really ever considered that strongly. And I'm happy to see that a lot more requirements come through for, you know, your software has to work with the TPM, which we obviously do, but that helps bind that identity to the device. Right. So you have the private key of all the secrets or API secrets, whatever might be stored inside this kind of physical tamper proof location within the device. It's not just if I as I say, Jan, I can, you know, secure copy it out straight onto a chanter onto another device. So binding that identity to that particular device, I think is always a great way to stop it being cloned and stop the devices from, like you said, digital identity theft or device identity theft and just someone just copying and just go and doing whatever they want to impersonating that device and trying to send in dud values.
But on top of that, the indicators of compromise and the continuous validation is also going to help you understand when not every use case is necessarily, I guess, copying of key or secret, whatever it might be, they could just take the whole device. If you think about retail outfit, hopefully the guy in the back looking at the monitors is watching all of them. But if you think of a retail outfit, you could go in and there's a I don't know what it might be a centralized hub for like managing the refrigeration units and things like that. And it's responsible for processing all the data because they don't have the right Internet access. Obviously, they would go to a hub, collects all the data, collates it, and would maybe send it all up to the platform or do something local, but then kind of give a summary. But, you know, I could go in, I could take it off the wall and I can walk out potentially. So the actual monitoring and validation of those specific and individual devices is going to help you deal with or detect the instances in which someone gains access to a device. And instead of realizing that they can't copy the secret of it, just start using the device to send whatever they want, if that makes sense. Yeah, but you know, it's an interesting concept that in security, as it's applied to facilities, there are generally layers of security. So for example, you might have a key card to get in your building, you might have to have a key code to get into a specific room. There are cameras, there might be security guards and other things in play. And you're not provided access to everything in that building. We often think in the world of IoT as security being native to the device, the device has it's got a private key, it's got a public key. Maybe there's a token on there and its own cert and so on and so forth. But you kind of bypass that. But it's interesting.
There's actually a physical security component to this, too, because if you can reduce access to the asset so people can't physically get to it, that is that another layer of security. So in your case of the gateway, I have a gateway that's collecting data for a bunch of refrigerators. I may want to put that in a NEMA 4 enclosure bolted to a wall and put a lock on it. Yeah, it's not perfect, but it provides another layer to that processing people away from that device so they're not just getting into it or stealing it. Yeah, absolutely. It's funny now that you mention it, it kind of becomes recursive because then the systems, the physical access systems can also be monitored for using and feed data into machine learning processes to understand how, you know, I don't know who my John Smith never used this card in that particular room before of why is the have access or why is he going in there at 2:00 in the morning and guys shouldn't even be at work. So it's kind of becomes this whole recursive sort of fountain of different ML processes that can really help drive better security within your overall, I think implementation. Yeah. And in fact we see that in hosting environments. For example, there is the physical security as well as the firewall security and other components. You just can't get into a hosting center. You have to have access to that facility. So it is definitely a combination of those things. You need to look at the physical as well as the cyber side of the security component. So fairly broad set of topics, but really interesting. And for me a little bit eye opening thinking about the world of security, slightly different than I always have. But again, we are limited in our time here. So I want to wrap up with you. Have any parting advice that you would provide to people who are starting on this journey of IoT and maybe even starting on this journey of I've got a IoT, but I'm getting now to I want to be involved in machine learning and AI, anything in that arena that you'd like to give them? Sure. I mean, my first bit of advice would be to consider security from the get go, just as a general thought, you know, I joke sometimes that security is step 11 in the 1 to 10 of getting an IoT device or product to market because people they will figure it out they we just got to get it working, build a POC and then this POC works and is successful and then someone forgets to think about security or they're trying to shoehorn it in at the last minute. And that's always a bad place to be because you end up going back and redesigning a whole bunch of components and back end services and things like that. But so, so security is at the forefront, but just try as hard as you can to get that security right from the beginning, for the sake of your machine learning processes and the data that you're going to feed it.
I think one of the worst conversations that you probably would want to have with the board is trying to explain why all of your data you don't know how much of it is real because, you know, you found some issue or some security problem with your particular devices. Now, we have to go back and, you know, rectify security vulnerabilities, be probably notify some regulatory authority and then start recollecting data and effectively start from the beginning. Because all of those models that we trained on all of this potentially bad data and again, you don't know what percentage of it might be bad. And even if you do know what percentage, you don't necessarily know which data is bad from the good stuff. So I would say security is at the forefront, if only for the sake of not having to start again in two or three years' time with your machine learning data that you're collecting and trying to process and build models for. You know, it's interesting, you said it's step 11 in the process of a ten step process. The juxtaposition to that is when I speak with customers who are thinking about deploying IoT or even better yet the customers who we will deploy a connected asset to our security is question zero. It is the first question. It's getting better. The second question I ask the question they ask, right? So from a design perspective, it's very often at the end of the process, from an implementation perspective, it is the first, second and third thing on their minds. I would say it's getting a lot better for sure. I mean, I mentioned the TPM example before, $3 was too much and now people can't seem to get enough of it. I think it's a sign of real maturity in the industry, which is great and it's definitely getting better and security's getting involved a lot earlier in the conversation. But if there was anyone who was trying to push it off to step 11, then maybe reconsider their position. And it is definitely an ongoing process.
I think. For sure. Starting to see a trend wise is it's not a milestone in the development program. It is a continuing milestone means. Absolutely. Absolutely. This is after releases. After releases, we continually make modifications to that security profile. So it's not a one and done. That's absolutely right. Yeah. It's definitely evolutionary. I mean, last year, 25,000 vulnerabilities plus 25,000 plus vulnerabilities reported. So you only have to look at the size of that and this year it's going to be higher. So absolutely, it's an ongoing thing. It's not just a we're done and draw a line in the sand and let's move on to the next thing. It's an ongoing consideration. I would like to thank James for joining us today. James, this has really been insightful, kind of makes me rethink the security module, even though I've thought about this a lot. And I do see to your point, I do see this movement in a new direction where people are starting to think about security first. In fact, our third in this series on security, we will be bringing in one of our customers, Fujifilm Sonosite. They just rolled out a program this year. And the interesting thing about that, and one of we wanted to bring them into the program is they started thinking about security when they were doing the bid. This was like before they even got into, okay, let's how do we roll this out? When they were thinking about how to build this system out, they had security requirements in there that were actually quite unique for some of our customers. So it does prove the point, James, that maybe that security step is moving from 11, maybe down to two or three, maybe one at this point. So really happy to see that. Hope you'll be able to join us for our next episode when we bring Fujifilm Sonosite in for that and for those of you who have joined us today, thank you very much. This is Anthony Martha and this is Speaking of Service.
Thanks for listening to the Speaking of Service podcast brought to you by PTC. If you enjoyed this episode, please subscribe wherever you get your podcasts and leave a rating or review and be sure to check out other episodes to hear new perspectives on improving life for aftermarket professionals, service teams and the customers they support. If you have a topic of interest or want to provide feedback, email us at speaking of service at Etsy.com or visit us at FT.com. Slash Speaking of service.