Articles by David Carroll
Internet of things is worth the resilience trade-offs it demands – effort, thought and inconvenience ‘No society is more than three meals from revolution’ says the old adage. Updating the idea for the Information Age is a revealing, if somewhat worrying, exercise. How resilient are we as a society? Could your company function efficiently after a complete failure in IT? How effective would your employees be if forced to work from home following a collapse in the transport network? If the Internet could no longer be accessed it would probably not even count as a calamity for us as individuals, merely an annoyance. After all, we seem to manage for a few hours after the aircraft’s doors have been closed. A few tweets and profile updates are missed, but, in general, humanity rolls on. But what if civic leaders at the national and international levels were denied the ability to deliver critical services? Will our (increasingly driverless) transport networks fail safely or be at all operable if they lose connectivity? How long would it be before tap water became unsafe to drink? How would we talk to each other or organise any kind of response? Living in the future? Like it or not, we have already built a world in which everything is connected via an unassured and fundamentally insecure platform. We may be in a new Information Age, but it is, for the time being at least, an age of Information Insecurity. At AppSec 2015 in Santa Monica, Alex Stamos, Chief Security Officer at Facebook and previously CISO at Yahoo, countered the idea that we are living in the future. Rather, he suggested, we are only 3% into the information revolution and the days of dedicated hardware are over: everything is now a platform and application security is a topic more deserving of our attention. Even our bodies are becoming sensors, with the advent of internal and in some cases digestible sensors. Many of us are already part of this new world, albeit at a very basic level, using technologies like Fitbit or Strava, for example. Sharing and collating our medical data, including our genetic make-up, can make healthcare much more pro-active and sustainable, improving the quality of our increasingly extended lives or broadening our attack surfaces, depending on your point of view. In 2011 Marc Andreessen, a Hewlett-Packard Board member, warned in a WSJ article, “software is eating the world”. Four years on are we more or less vulnerable? Cyber Armageddon has been predicted on numerous occasions: from North Korean hackers destroying critical infrastructure, to a cyber Pearl Harbor “derailing trains loaded with lethal chemicals”. Sure, there are hackers with malicious intent, operating, as Alex Stamos says, if not in a state-sponsored capacity, certainly in a state-looks-the-other-way capacity. To demonstrate the industrial scale of hacking out there, at XQ we maintain an Internet of Things Honey Pot. Over nine months there have been nearly a thousand successful log-ins. That’s three log-ins a day to a machine that should be anonymous, and that nobody should even be touching. Automated log-ins As we move from a world of network security to one of application security we need to embrace (and be comfortable with) the near-certainty of being hacked and design resilience into our systems, processes and mind-sets What’s also interesting is that two-thirds of these log-ins are entirely automated. They are SSH scanners finding our machine and brute forcing the password. They’re easy to spot – they try hundreds of passwords combinations a minute. Faster than a human being could possibly type. The remaining third – the human part of the attack – is more interesting. They don’t try to guess the password; that’s all done automatically. These are people who come back once their scanner has done the hard work and really take a look at you. FireEye, a US firm specialising in network security, produced a survey in 2014 which examined 1216 organisations across 63 countries, covering over 20 industries. 97% reported a breach in the previous 12 months with 27% reporting persistence on the network. 75% had experienced command and control activity. The average time it took to detect a breach was 229 days, with two-thirds discovered by third parties. Currently the situation is one of attackers using automation to focus on vulnerable targets, while we, as defenders, are reliant upon patches, bolt-ons and reacting to breaches that are usually spotted by third parties in the first instance. That’s a lot of clients losing confidence in our ability to protect their data. Hardly a sustainable business model. Designing secure systems So there is a problem, and it’s not going away. Instead as we become ever-more connected, we will become ever-more vulnerable; as individuals, businesses and communities. Perhaps even to the point of the doomsday scenarios painted previously. If they are to build resilience, civic leaders (and individuals) need to assume a ‘when’, not ‘if’, approach to the shocks that will be caused, or at least made possible, by the very technologies that were supposed to make our lives better in the first place. As cyber security consultants, we’ve yet to come across an energy production or transmission network that we couldn’t reach from the Internet And it is a question of resilience, not disconnection. As cyber security consultants, we’ve yet to come across an energy production or transmission network that we couldn’t reach from the Internet, either directly or indirectly, from the corporate and supply chain networks that attach to it. The same applies for water, sanitation, emergency services, healthcare, welfare and so on. Modern industrial control and automation plants cannot operate in their ‘just in time’ world unless they are able to source materials in response to price and availability fluctuations. And to do this, they need the Internet. It is no longer sufficient to think solely of how easy it is to disrupt our energy supply via a cyber attack. It is now essential to design systems and think in terms of failing gracefully, in a controlled manner, before restoring services quickly and safely. Creating sustainable environments In the short term – say, the next fifteen to twenty years – it will be difficult to argue that billions of embedded devices that can’t be patched but are hooked to our networks, calling out into the darkness of the Internet is a bad thing. But we are not totally helpless. As we move from a world of network security to one of application security we need to embrace (and be comfortable with) the near-certainty of being hacked and design resilience into our systems, processes and mind-sets. We cannot turn off the Internet. Nor do we want to. We have, collectively, decided that the Internet of things is worth the resilience trade-offs it demands – effort, thought and inconvenience. The opportunity to create a more sustainable, economically prosperous and environmentally friendly society is too enticing to turn away from. Remember, we’re only 3% down the road.