Security for connected devices

John Vecchi, CMO of Phosphorus, discusses strategies for protecting cyber-physical systems and thwarting bad actors

What does Phosphorus do?

Phosphorus was founded in 2017 by Chris Rouland and Earle Ady, who had previously founded other startups such as Endgame and Bastille. The company operated in stealth mode for several years while developing its technology. We have been actively going to market for just about a couple of years and are currently in a Series A round of funding.

The company was specifically founded to address the issue of insecure connected smart devices. There are well over 60 billion of these devices worldwide, ranging from enterprise Internet of Things devices such as cameras, printers, and HVAC controllers to operational technology and industrial control systems, robotics, and medical devices.

These devices are in a horrible state of security. The company was fundamentally built to address this issue. However, to do that, we must discover these devices and conduct a full risk assessment. Therefore, we built our own discovery engine from the ground up to locate all these devices safely and efficiently. So, that’s essentially what we’re doing.

Can you provide more detail on how Intelligent Active Discovery works and how it ensures accurate identification of xIoT devices?

The challenges with these devices are because of their difference from traditional IT assets like laptops, workstations, and servers. These devices are more sensitive, and you can’t install endpoint agents on them. Therefore, it is difficult to use a traditional vulnerability management or scanner, primarily designed for IT assets, to communicate with these devices. 

That’s why we built our discovery engine, ‘Intelligent Active Discovery.’ There are two reasons for this name. Firstly, it’s active, unlike many legacy IoT/OT solutions that are passive, merely listening to network traffic. Secondly, we employ intelligence in a layered and cautious approach. When communicating with these devices directly, we start with just a few packets to understand their preferred port and protocol. Once we identify the device, we move on to the next tier. This approach is crucial because it ensures we communicate with the devices in the manner they expect, enabling us to discover them safely and efficiently. We can perform the discovery process quickly and safely by minimizing the number of packets sent to these devices.

Traditionally, especially in OT and ICS environments, many organizations are wary of active discovery due to past experiences with legacy solutions causing harm to devices. However, our approach is different; it ensures efficiency, speed, and safety, addressing the concerns associated with active discovery in industrial environments.

Phosphorus operates without hardware or agents. Can you explain how it achieves this, and what advantages this approach offers for deployment?

We are a fully software-based solution with no agents required. Our deployment process is straightforward. For on-premise deployments, we provide an OVA (Open Virtual Appliance), which is a virtual image or machine. Customers can deploy this virtual machine themselves, or if we conduct a proof of value concept, we assist in the deployment. The process is simple: you provide us with a range of IP addresses and specify what you want us to find and discover. Once you input the IP address range, our system will scan and discover all devices within that range.

We can find any smart device within the specified IP address range. Once discovered, we provide detailed information about each device, including its make, model, and series. Additionally, we conduct a full risk assessment for each device. This assessment includes details such as whether the device is using default credentials, the firmware version and its age, the number of CVE IDs associated with the firmware, and whether certain services, such as Telnet or SSH, are open and unused, posing a security risk. We also alert you if certificates on the devices are expired or insecure. With this comprehensive risk profile for each device, organizations can prioritize which vulnerabilities to address first and decide on the appropriate mitigation strategies.

Could you elaborate on the automation capabilities of Phosphorus for addressing cyber-physical vulnerabilities?

We like to say it’s automated but with full control. Depending on the environment, it can be scary to think that an automated platform is going to start performing actions on smart devices without any control. Therefore, we have the ability to schedule what we call ‘jobs’ on this platform. For example, you can schedule a job to rotate the credentials or passwords on maybe 10,000 different devices. With just one button, you can perform the same action for firmware updates or any other task. You can also perform these actions on just one device or a specific number of devices. For instance, you can schedule the platform to rotate passwords on these devices every 60 days, and it will happen automatically. So, in that sense, we offer full automation but under the operator’s control.
