In a recent interview with SafetyDetectives, Dr. Ryan Heartfield, the CEO and co-founder at Exalens, discussed his diverse professional journey, blending experiences from government service, academia, and entrepreneurship. Exalens, founded based on research from 2014, specializes in AI-driven cybersecurity for cyber-physical systems. The company’s flagship features include an agentless OT EDR and a cyber-physical AI analyst, automating root cause analysis for rapid incident response in industrial systems. Dr. Heartfield emphasized the significance of end-to-end visibility in digital transformation and addressed industry skepticism towards AI integration. He highlighted the fusion of cyber and physical data as crucial for accuracy and reduced latency in threat detection. Looking ahead, he sees AI facilitating collaboration between diverse teams in addressing the complexities of IT systems in the industrial sector.
Hi Dr. Heartfield, thank you for your time. Can you talk about your journey and your role at Exalens?
I have a hybrid discipline, combining the private and public sector along with academia.
Initially, I spent about eight years in government service, focusing on computer and network security. Post this tenure, I joined Splunk as a security architect. My role primarily involved orchestrating and automating security operations. After my stint at Splunk, I ventured into entrepreneurship and co-founded Exalens.
Parallel to my industry engagement, I have maintained an active presence in academia as a Research Fellow. My research predominantly revolves around AI-driven methodologies for detecting and responding to anomalies in what we term ‘cyber-physical systems’. This is an encompassing term for IoT, OT, and industrial systems, offering a more comprehensive academic perspective.
My role at Exalens is essentially an extension of my combined experience in industry and academia. The focus here is on leveraging AI to bolster cybersecurity in cyber-physical systems. The objective is to not only protect these systems but also to monitor them efficiently, identifying and responding to potential threats rapidly and effectively.
The inception of Exalens can be traced back to early research conducted by me and some colleagues in 2014. This research centered around the hypothesis that a more integrative approach to monitoring IoT and OT systems could enhance threat detection. Traditionally, monitoring primarily focused on network activities. Our approach proposed a dual focus, combining both network and physical behavioral analyses.
The thesis was: does that help you detect more, or faster, and does it help you understand what the root cause of the anomaly or the high-risk activity is?
The short answer from that work was yes, it does. Now, you can fast-forward almost seven years and see that Exalens has really taken that early scientific work and implemented it into a product at a time when the industry is now ready for this kind of technology. We’re seeing it across manufacturing, smart industries, and industrial sectors that are undergoing digital transformation, where the paradigm of cyber-physical monitoring is needed more now than ever. We’re starting to create these complex physical systems that connect physical processes to computational environments, and by only looking at the physical side or the network side you can only see 50% of what’s going on.
What are the flagship features of Exalens?
Exalens combines three main areas: monitoring, detection, and response. It’s able to integrate what we refer to in the industry as NDR, which is network detection and response. Alongside this, we offer what we argue is the only existing agentless OT EDR (Operational Technology Endpoint Detection and Response). Typically, there’s no EDR that you get for OT devices. If you look at vendors like Microsoft, CrowdStrike, SentinelOne, these are vendors that provide an EDR tool that installs on your Windows, Mac, or even your mobile phone. But you can’t install that on an operational device like a PLC (Programmable Logic Controller). It’s embedded; there’s no operating system, so you can’t install it.
What we’ve managed to achieve is building this agentless OT EDR, which allows us to provide the equivalent of what you would see in Windows Defender, or CrowdStrike, etc., for industrial endpoints, but at the same time extend this to capture and monitor the full cyber-physical behaviour of OT devices and processes. It’s an emerging sector of industrial endpoint security. With NDR and OT EDR, which is a brand-new capability that we’re bringing to the market, we’ve combined these together as two rich sources for complete 360-degree visibility of operational environments at the network, process, and endpoint level. Then we’ve built a key feature on top of it called a cyber-physical AI analyst.
Now, that’s all well and good having a detection system. You can have really good detection in the network. And in this case, brand-new detection at a cyber-physical level for process endpoints like PLCs, HMIs (Human Machine Interfaces), RTUs (Remote Terminal Units), Actuators, Sensors, SCADA devices and such. But once you have the detection, you need to do something with it. Usually, a security analyst or a process engineer would look at these detections and do some correlations, investigations, and analysis manually themselves.
But what we’ve built is a cyber-physical AI analyst that does that for you at machine speed. It’s able to take the telemetry from the NDR, the detection telemetry, and take the detection circuitry from the OT EDR, whether it’s cyber or physical anomalies or harmful activity, and stack the activity together to understand how it’s related, and automatically determine the root cause for you at machine speed in real-time, continuously.
What this really means for the combination of these three capabilities is that security teams, including Industrial Security and OT security teams, and engineering teams in equal measure are able to cut down on hours, days, or even weeks of investigative time, in terms of responding to incidents and issues in factories or industrial systems, to seconds and minutes.
The cyber-physical AI analyst becomes part of their team, and it’s almost 50% engineer, 50% security analyst if that makes sense. It’s able to automate that root cause analysis for them. And what that root cause analysis determines is whether a threat or cyber incident is a threat, a fault, or a failure. And knowing the answer to that question basically tells you how to respond appropriately. Right now, that’s a manual question that’s answered. It takes time to look at the data, to analyze it, and typically speaking, process engineers are not very familiar with networks, and cybersecurity teams don’t really know physical processes. With Exalens, you don’t need to know that because it does it for you automatically. So you could be an engineer or a security analyst and benefit from the intelligence it gives you to respond appropriately and at pace.
How do industries view the integration of AI-powered monitoring systems in OT (Operational Technology) and IoT (Internet of Things)?
Probably with cynicism, if I were to guess. The main thing driving the adoption of AI-powered solutions is the question of what you’re trying to answer. First and foremost, the hardest question is integration: How do we get access to the data without disrupting an existing industrial system? I think they’re looking for answers to questions like:
- What is the challenge around data acquisition?
- How do we utilize the existing systems we have to share that data with this corresponding environment?
- Can we do that in a way that isn’t going to create disruption and will create greater return on investment in our existing factory systems?
The second aspect is data security. When using AI-powered systems to collect and analyze data, they need to answer questions such as:
- How can I optimize my process?
- How can I reduce carbon emissions?
- How do I minimize downtime, like when, once a month, my motor breaks and it causes downtime on a conveyor belt in my production line?
I think the main concerns are about answering questions like:
- How do we get this data?
- How can we acquire it in a simple way without making significant changes to our existing infrastructure?
- Once I get this data, how do I protect it? How do I manage it, and where will it be stored?
- How can I understand the answers it’s giving me? Is it a black box? Is it something my engineer can use on a day-to-day basis? Or is it just going to be a high-level piece of insight that doesn’t really allow me to have actionable input on my business operations?
In the realm of industrial systems, how critical is it to have a holistic and real-time view of both OT & IoT assets and processes?
Ultimately, it’s the most important thing to support any level of digital transformation. Without visibility from end to end, you have no idea, for example, when something goes wrong, what the cascading impact can be and what the root cause is. So, if you don’t gain end-to-end visibility, you will limit your capability as a business to understand how to optimize your processes and also keep them resilient when either the IT or the OT system is disrupted.
Like I said before, if you have only 50% of the view, it only gives you 50% of the answer. When we talk about monitoring industrial systems, we need to consider that, as we connect and automate them more, as we integrate them and increase convergence, that heightens the need for getting full visibility across them. Rather than having isolated views that individual teams currently have — the IT team has the view of the network, the OT team is only looking at the physical process — it’s absolutely essential that we bring the data together, fuse it, so we can have a complete end-to-end view.
How does the fusion of cyber and physical data improve accuracy and reduce latency in the detection of anomalies and threats?
The short answer is that sometimes physical indicators can be the first sign of a cyber disruption, and vice versa. Sometimes, cyber indicators, like an anomaly in an IT system, can give an indication of something going wrong physically. So, the combination of cyber and physical data points actually leads to three main benefits by fusing that data.
First, root cause analysis becomes faster and more accurate. We can reduce the latency of identifying anomalies based on early warnings, whether they occur physically or computationally. This reduction in time to detection improves the identification of the root cause, so you can respond faster. This, in turn, reduces downtime or disruption and lessens the impact.
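As an added illustration of the cyber-physical fusion described in this answer (not Exalens’s code or algorithm; the event format, the 60-second window and the threat/fault/failure labelling rules are all assumptions), the script below pairs physical process anomalies with preceding network anomalies on the same asset and labels the likely root cause:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    ts: float     # seconds since start of capture
    asset: str    # device the probe or sensor attributes the event to
    domain: str   # "cyber" (network/NDR telemetry) or "physical" (process telemetry)
    kind: str     # cyber: "anomaly"; physical: "deviation" or "silence"
    detail: str

@dataclass
class Finding:
    event: Event
    label: str                 # "threat", "fault", "failure" or "cyber-only"
    related: list = field(default_factory=list)  # cyber precursors, oldest first

WINDOW_S = 60.0  # assumed: a cyber anomaly up to 60 s before a physical one counts as related

def fuse(events, window=WINDOW_S):
    """Pair each physical anomaly with preceding same-asset cyber anomalies and label it;
    cyber anomalies with no physical effect are surfaced as 'cyber-only', not dropped."""
    cyber = [e for e in events if e.domain == "cyber"]
    physical = sorted((e for e in events if e.domain == "physical"), key=lambda e: e.ts)
    explained, findings = set(), []
    for p in physical:
        related = [c for c in cyber if c.asset == p.asset and 0 <= p.ts - c.ts <= window]
        if related:
            label = "threat"   # process deviated right after suspicious network activity
        elif p.kind == "silence":
            label = "failure"  # device went quiet with nothing on the wire to explain it
        else:
            label = "fault"    # deviation with no cyber precursor: equipment or process fault
        explained.update(related)
        findings.append(Finding(p, label, sorted(related, key=lambda e: e.ts)))
    findings += [Finding(c, "cyber-only") for c in cyber if c not in explained]
    return findings

# Constructed sample telemetry (not real data) from four assets in one capture.
SAMPLE = [
    Event(100, "plc-03", "cyber", "anomaly", "setpoint register written by a host never seen before"),
    Event(130, "plc-03", "physical", "deviation", "conveyor speed left its configured band"),
    Event(400, "motor-07", "physical", "deviation", "bearing vibration above threshold"),
    Event(900, "rtu-02", "physical", "silence", "no telemetry for 120 s"),
    Event(950, "hmi-01", "cyber", "anomaly", "new outbound connection to an unknown address"),
]

def labels(events=SAMPLE, window=WINDOW_S):
    """(asset, root-cause label) pairs in reporting order: the analyst's first view."""
    return [(f.event.asset, f.label) for f in fuse(events, window)]
```

Shrinking the window (for example to 10 s) turns the plc-03 deviation into a plain fault and leaves its network anomaly unexplained, which is the latency trade-off the answer describes: the two feeds only explain each other when they are correlated closely enough in time.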
With increasing cyber threats targeting industrial sectors, what future challenges do you predict, and how can AI help mitigate them?
The future challenges lie in the increasing complexity of IT systems. They’re blending a whole range of different skill sets and knowledge bases. You’ve got OT systems, industrial systems working on physical processes like electrical, mechanical, hydraulic, and pneumatic systems, to name a few. At the same time, these are increasingly connecting and automating their processes with computational systems, networking, servers, and applications. These represent different disciplines and skill sets among people, making it very challenging to have a team with all these skill sets to understand when cyber incidents might occur, how they can impact the system, and to have full knowledge of potential disruptions.
AI can blend these views by gaining an understanding of the impact that can occur across both IT and OT systems and explain it to both teams. This way, when they are responding to situations, it’s explained in their language, allowing them to collaborate more effectively together.
I don’t believe AI will take over completely in response when an industrial system is impacted. I think that would be quite a quantum leap. However, I do believe AI should facilitate closer collaboration between disparate teams, like IT security and operational engineers. So, when they are spotting issues, AI can explain where the root cause is, allowing them to collaborate effectively and respond together in an accelerated, more effective manner.