BT's Andy Rowland on technological risk, and how the systems fundamental to modern life are under attack
Have you ever noticed how good Hollywood is at predicting future technological advances? ‘2001: A Space Odyssey’ (1968) brought us tablet computers and space stations. ‘The Terminator’ (1984) — military drones. And ‘Minority Report’ predicted gesture-based interfaces in 2002. In 2007, ‘Die Hard 4.0’ saw John McClane battling hackers who were trying to turn the lights off across America — which could now be a reality thanks to an increasingly connected world and the advent of state-sponsored cyber attacks.
Increasingly, the systems fundamental to modern life are under attack. Imagine what would happen if there was no sewage treatment, no clean water, no electricity or gas. All of these industries have something in common — they all use industrial control systems to regulate temperatures and pressures, and to turn processes on and off automatically. The systems that do this were developed by engineers for engineers. There was little thought for security, as they weren’t connected to corporate IT or the Internet. They relied on security through obscurity.
The key risk factors
But these systems are now at serious risk, for two main reasons: the use of IoT sensors to drive efficiencies, and the huge demand for analytics to optimise processes, known as Industry 4.0.
For example, why drive out to a remote pumping station to check it’s OK when a battery-powered sensor could send you an update over a cellular connection? In the case of Industry 4.0, it’s all about gathering data from different sensors and systems, and collating it into a data lake, used to apply machine learning and drive efficiencies. In both cases, you’re now connecting lots of things that, traditionally, were never designed to be connected.
So, how does the risk manifest itself? Typically it falls into two broad categories — technology and processes. A good example of the former is the recent discovery that inverters — designed to convert the output from solar panels to feed the grid — could be hacked. Either the grid could be flooded with power, causing other generators to shut down, or blackouts could be created as in Die Hard 4.0. In Europe, over 90 gigawatts of power is generated from solar generators, with Germany using solar power to meet 50 per cent of its needs — so this is not an insignificant issue.
In terms of processes, while we’re on the subject of power, let’s look at the hack that turned off the electricity for a quarter of a million people in the Ukraine. Here, the attackers used phishing emails to get as far as the corporate network, but the industrial control systems were wisely firewalled. However, from the corporate network, the hackers were able to harvest the credentials of engineers who used VPNs to access the industrial systems. And as that access wasn’t protected by two-factor authentication (something you know, e.g. a password, something you have, e.g. a token, or something you are, e.g. biometrics), the attackers were able to use the stolen passwords to reconfigure the grid and turn off the power.
So how do we address this problem?
First of all, you need to deal with the basics, just as you would at home. So lock your doors and windows, don’t let your children open the door to strangers and fit an alarm for when you’re out. In the same way, you need to segment your network with firewalls, educate your employees on things like spear phishing, and install intruder-detection systems.
You also need a joined-up approach to security, involving engineering, IT, third parties, and service and support. Perhaps you could bring in some external security experts to do some social engineering/ethical hacking, where they might pretend to be your technical help desk, leave a few infected USB sticks around, and even undertake some targeted phishing!
Finally, you also need the equivalent of smoke detectors — systems that provide advance warning of a problem. Mature security operations use highly advanced systems to cross-correlate data from multiple sources, and artificial intelligence to look for new patterns they’ve not seen before that could indicate a new attack vector. To prevent what John McClane in Die Hard calls the “fire sale” (i.e. everything must go) you may need to bring in the action hero.
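The cross-correlation idea above, applied to the process failure in the Ukraine case (phished corporate users, then password-only VPN access to the control systems), as an added example that is not part of the original article. The two log feeds, their field names, the zone label "ics" and the 14-day window are assumptions, and all sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; feeds and field names are assumptions for this example.
MAIL_EVENTS = [  # mail gateway: a user clicked a link in a message flagged as phishing
    {"time": "2024-03-01T09:12:00", "user": "eng.anna", "action": "phish_click"},
    {"time": "2024-03-01T10:40:00", "user": "fin.omar", "action": "phish_click"},
]
VPN_EVENTS = [  # VPN gateway: a session was opened towards a network zone
    {"time": "2024-03-03T22:05:00", "user": "eng.anna", "zone": "ics", "mfa": False},
    {"time": "2024-03-03T08:00:00", "user": "eng.boris", "zone": "ics", "mfa": True},
    {"time": "2024-03-04T07:30:00", "user": "eng.carl", "zone": "ics", "mfa": False},
    {"time": "2024-03-02T11:00:00", "user": "fin.omar", "zone": "corp", "mfa": False},
]


def correlate(mail_events, vpn_events, window=timedelta(days=14)):
    """Flag password-only VPN sessions into the ICS zone.

    A session is 'high' severity when the same user clicked a phishing link
    within `window` before the login, otherwise 'medium'. High alerts sort first.
    """
    # Index phishing clicks by user so each VPN event is a cheap lookup.
    clicks = {}
    for event in mail_events:
        if event["action"] == "phish_click":
            when = datetime.fromisoformat(event["time"])
            clicks.setdefault(event["user"], []).append(when)

    alerts = []
    for session in vpn_events:
        # Only single-factor sessions that reach the control-system zone matter here.
        if session["zone"] != "ics" or session["mfa"]:
            continue
        login = datetime.fromisoformat(session["time"])
        phished = any(timedelta(0) <= login - click <= window
                      for click in clicks.get(session["user"], []))
        alerts.append({
            "user": session["user"],
            "time": session["time"],
            "severity": "high" if phished else "medium",
            "reason": "password-only ICS login after phishing click" if phished
                      else "password-only ICS login",
        })
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["time"]))


if __name__ == "__main__":
    for alert in correlate(MAIL_EVENTS, VPN_EVENTS):
        print(alert)
```

Neither feed raises the high-severity alert on its own; it appears only when the mail and VPN records are joined on the user.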