Inside Emerging Startups: The latest addition to WRALTechWire’s exclusive content offerings for Insider members is a profile of Raleigh-based startup Automatak. Web users are familiar with HTTP. Watch out for Automatak’s OpenDNP3, which even the Department of Homeland Security sees as setting a new standard for security. And Red Hat is already a partner. Insiders can access an exclusive interview with company founder Adam Crain about what he sees as his “big impact company.”

RALEIGH, N.C. – “The company I am trying to build is not a big growth company,” says Adam Crain, founder of Automatak, “but I do think it is a big impact company.”

With a recent partnership with Red Hat (NYSE: RHT) and the announcement earlier this fall that the company had received a grant from the Department of Homeland Security, there’s a chance that Crain could do both. Automatak aims to make networks more secure, especially those of utilities.

Crain, a graduate of UNC-Chapel Hill who describes himself as a “digital wanderer,” left a position at Green Energy Corporation in 2012 to commercialize a project that he had been working on during his tenure, OpenDNP3. DNP refers to “Distributed Network Protocol.” And Automatak is targeting means of improving DNP3 – an industry standard for utility networks. Upgrades are needed, as President Obama noted in signing an executive order in February calling for utilities to improve grid and network security.

DNP3 is a set of communications protocols linking components in process automation systems, and its main use is in utilities.

Red Hat recently joined the OpenDNP3 development community, an open source group seeking to improve security through collaboration rather than proprietary solutions. A Red Hat announcement about that decision reflects the opportunity Crain is addressing:

“As recent articles highlight, flaws have been found in proprietary implementations of an existing standard communication protocol (DNP3) that is heavily used within public utility IT infrastructures today. Built from the DNP3 specification, these proprietary implementations, designed to enable secure machine to machine communication for control and data information exchange, have shown areas of vulnerability that could go undetected by public utilities and potentially open those utilities to significant cybersecurity issues. These weaknesses were recently uncovered by researchers working to build an open source version of the DNP3 specification known as OpenDNP3.”

Think HTTP

“This project is a standard protocol, a way to think about what it means, via analogy, is like ‘http’ means hyper text transfer protocol,” Crain explains.

OpenDNP3 works much like the hypertext transfer protocol for the Internet.

“If HTTP wasn’t a standard, then browsers wouldn’t be able to speak to web servers, and certainly wouldn’t speak to different manufacturers, it’s a common language,” he adds.

OpenDNP3 works in a similar fashion: “Its primary function is to bring measurement data back from the field.

“If I’m an electrical utility and I want to know what the voltage and currents in my lines are or I want to know the breakers that have tripped in my substations, it’s likely that I am using a protocol like that to bring the measurements back.”

This is how the operators in the control room know what is happening in the power grid, Crain points out. “Likewise, if I want to send a control message, I would need that protocol to do that as well.”

Disruptive Technology?

In April, a friend of Crain’s at a major utility helped Crain test security devices, and they realized that the OpenDNP3 protocol could be applicable across industries.

“Since that time, I’ve decided to commercialize the technology in a disruptive way,” Crain says, “instead of trying to sell the technology to vendors, I’ll be releasing it open-source in March and forming a community around the technology.”

That’s the business model – that’s what the company does.

“We’re moving on from this one specific protocol to develop security products for other protocols and moving outside of this one industry to develop protocols for other sectors, like oil and gas, or water utilities.”

Automatak is already cash-flow positive, Crain notes, and recently announced a partnership with Red Hat.

Red Hat’s Embrace

“He didn’t need assistance,” points out Emily Stancil Martinez, a spokesperson for Red Hat, due to his prior work in testing with the OpenDNP3 community.

Red Hat’s current set of security solutions “builds on the work that Automatak is doing by providing a stable, secure, enterprise grade platform and set of applications to provide fundamental building blocks to create the IT infrastructure of public utilities,” she says.

Having Red Hat’s support means a great deal to Automatak, since the Linux software powerhouse has been influential on the business network side of utilities, like selling servers for hosting websites or business process software, Crain says.

“They [Red Hat] haven’t had much penetration yet into the operational side of utilities, like control systems. That’s traditionally an embedded world, or a Windows system, but I think they’re looking at this as an opportunity to grow into that area as well.

“Red Hat is actively engaged in what we’re doing,” he adds, “both from a securities testing perspective and also from an open-source implementation perspective.”

The Hatters see powerful opportunities.

“The OpenDNP3 project, and the utilities he [Crain] has built around it for testing have the capacity to affect any utility or software/hardware vendor that is leveraging DNP3 in their grid or software,” Martinez says.

Targeting DNP Community and Security

Come March, Crain could be making even more news.

“As enough of those form within a community, Red Hat can wrap them up as a product,” he says, and that’s the goal of the planned launch of the OpenDNP3 community in March 2014.

“There’s a very litigious backwards culture in this industry compared to other industries,” he adds. “In this industry, we’re probably 10-15 years behind the rest of the industries in the world like telecom, because there’s a huge stigma when discussing security concerns.”

International headlines helped drive his own business.

“It’s because it’s so new,” Crain says about security concerns. He referenced the Stuxnet virus, discovered in June 2010 as the first malware that spies on and subverts industrial utility systems and networks, and suspected to have been created by the U.S. and Israel to target Iran’s nuclear program. It was with Stuxnet that people started to realize that “if we could do it to them, then they could probably do it to us.”

That represents a significant security concern, says Crain, “and now there’s a huge interest in securing these systems, like electricity, water, gas and oil, really anything that communicates.”

With the Red Hat partnership and the launch of the open-source community, Crain hopes the security systems can be bolstered.

“The idea in the end is to get vendors contributing to it as well, within the private community,” he explains.

“In the long term, in terms of monetization, there’s a number of ways that we could go with it, there’s not just the testing tools, but there’s the trademark and certification process.

“That’s the space in which we work. We’re trying to make the software systems in this space more reliable and less prone to vulnerabilities.”