Clouds_HiRes1.jpg_600x0
Clouds_HiRes1.jpg_600x0
Clouds_HiRes1.jpg_600x0
Clouds_HiRes1.jpg_600x0
Clouds_HiRes1.jpg_600x0

NED Cybersecurity Report Part 4: How I Learned to Stop Worrying and Love IoT

Feb. 12, 2016
In this chapter of NED's cybersecurity coverage, we discuss how the Internet of Things could be the solution to all our problems, and also destroy us, too.

In my first week at New Equipment Digest, my frenetic editor, Travis Hessman, and I were in his office, listing all the tech-centric stories we’d like to cover as our team endeavored to bring an 80-year-old manufacturing magazine into the 21st century.

Admittedly, we sounded like a couple of high school girls talking about the latest boy bands we’re crushing on.

“I think 3D printing is going to change everything soon,” I gushed. “I’ve been following it since I learned about it in 2007. It’s going to go mainstream real soon, I think. ”

“Oh yeah, it’s so super cool, though we just did a special section on it. It’s kind of my bae,” Hessman responded, (although maybe not in those exact words).

Then he pulled out another recent issue with Sawyer, Rethink Robotics’ collaborative robot, on the cover.

“Check this out, Hessman said slyly. “I actually got to meet him at a show once. They let me control it and everything. I was like ‘OMG!’”

Then he quickly started going into a diatribe on the Internet of Things. I nodded and agreed with everything he said about it being revolutionary and its ability to terraform our perception of productivity, and how important it is to our audience.

I nodded and chimed in with a “yeah, totally,” every now and again, but in my head, I was thinking, “What the hell is this guy talking about?”

Yes, I had no idea what the Internet of Things was. It sounded kind of important, so instead of faking my way through any more of our discussion, I asked casually, “So what is this ‘Internet of Things’ you speak of?”

Instead of laughing at me like my step-daughter does when I haven’t heard of the latest emo band du jour, Hessman morphed from a manic tech geek into a calm, collected professor-type to explain. He even put on tweed elbow patches and a bow tie before going in-depth.

He started by asking if I knew about Internet-connected thermostats and other common “smart” devices that constantly feed each other data.

I had heard of those, of course.

“Basically, the Internet of Things is ALL of these Internet-connected devices and machines working together to optimize production and efficiency,” he said, outstretching his arms for effect. “So a machine on a production line can tell other machines in the process if it’s broken or needs maintenance, and everything in the supply chain adjusts accordingly.”

This Internet of Things sounded a lot like my Catholic elementary school’s explanation of God: Omniscient, omnipresent, and omnipotent.

Like God, it is known by many names: IoT, Industry 4.0, Industrial Internet, Internet of Everything, and so on. And everyone argues which is the correct one. Some say it lives in the cloud, others don’t even believe it really exists.

Finally, no matter how much you know about it, you can’t say for certain whether it’s merciful in nature…or vengeful.

The Good

“It’s the democratization of innovation,” says Marc Blackmer, a product marketing manager for Cisco and prodigious IoT evangelist. “It goes more toward a meritocracy. The more minds that are cranking away out there, the more things are going to come out of left field that we never thought possible.”

Cisco calls it the Internet of Everything and affirms that connecting everything to everything will improve traffic patterns, water usage, and employee productivity. In the global public sector, a place where bureaucracy trumps efficiency, this “networked connection of people, process, data, and things” is estimated to generate $4.6 trillion in potential opportunity between 2013and 2022. The private sector will nearly triple that, creating $14.4 trillion.

Sure, it sounds like Dr. Evil has become an analyst for Cisco and is just making up numbers. And who would second-guess him or what it can do? A 2014 study from Acquity Group reported 87% of people didn’t even know what the Internet of Things is. Like me, they would just nod their heads and agree.

That’s about to change, though. No one knew what the Internet was in the ’70s and ’80s, except that it let them get money out of ATMs.

The early stages of IoT helped optimize supply chains and certainly made businesses make more money, and will continue to do so, but that doesn’t account for people’s unbridled excitement at the IoT’s potential.

As the ubiquity of broadband and machine-to-machine and person-to-machine connections spreads, expectation and reality move closer together.

Blackmer has noticed it just in the subject matter of the Cisco-run IoT World Forum, where the foremost authorities on IoT give TedTalk-like presentations about the current and future state of affairs.

“The topics of most of the speakers shifted away from improving logistics and how to make more money to the things that can improve people’s health and quality of life,” Blackmer says.

He specifically points out Green City Solutions, a finalist at the Cisco Innovation Grand Challenge.

The start-up uses four-meter high, moss-covered stone structures to filter the air in urban areas, and smart sensors to optimize the process. Embedded moisture sensors, for example, ensure the fixture absorbs an optimal amount of rainwater and remains self-sustaining. One wall has the air purifying power of 250 trees.

Air pollution causes 3.3 million deaths a year, according to a 2015 Harvard study, and this could double by 2050. So leveraging the IoT to clear the air would save millions of lives and even more in respiratory-related healthcare.

“I was surprised that we’ve already reached that point since we are so in the nascent phase of this,” he says of the positive global implications of IoT.

The Bad

When you put your faith in an unforeseen deity, sometimes you’re going to have a bad day. Even if you don’t, bad things happen to you. It’s just that with the IoT, which has a reach of literally anywhere with an IP address, the potential for bad scales, too.

In the ’60s, people worried about the Russian government nuking a major American city, and then America retaliating, and Russia retaliating for that.

Now we don’t even know who may or why we may be attacked.

“If somebody fires a missile, it’s pretty easy to tell where it came from,” Blackmer says. “If someone launches malware, good luck. Attribution is one of the biggest things we face in trying to solve these.”

From a national security perspective, the results could be dire. A blackout in western Ukraine on Dec. 23, 2015, affected 80,000 residents for six hours. The Russian hacker group Sandworm has been blamed for the BlackEnergy3 malware that took down the grid.

The control systems, known as Supervisory Control and Data Acquisition (SCADA) systems, were targeted to temporarily disrupt the grid.

It could have been much worse if the hackers decided to open the breakers then close them out-of-phase with the grid, creating an Aurora event, writes Joe Weiss, a control systems cybersecurity expert in a January blog.

He suggests the attack was a cyber show-of-force to America from Russia, which he alleges has already infiltrated the U.S. electric grid.

“Considering most U.S. utilities have still not installed Aurora hardware mitigation and DHS has declassified Aurora information, it just may be a matter of time before really bad things happen,” he surmises.

Taking down the grid would be a next-level jam that would only an Elon Musk/Bruce Willis team-up could get us out of, using a combination of Tesla Powerwalls and yippee ki-yay's.

Little disruptive attacks, by corporate saboteurs, terrorists or even disgruntled employees can do untold damage, too.

Stoppage at an oil refinery, for example, could prove incredibly costly, says Blackmer.

“I heard it was a $1 million an hour of lost revenue, and it takes 20 hours to restart a refinery. You’re looking at a $20 million potential loss if the key system is impacted.”

Another potential problem connecting everything means you run the risk of injecting a perfectly good machine with good ol’ human error

“This isn’t just about stopping some über hacker,” Blackmer says. “How do you get Joe Operator not to push the big red button that says do not push? Sometimes that’s more the issue.”

Whether intentional or by accident, loss of life could also be the result of a more nefarious actor.

Industrial robots may become a prime target because control of these powerful, metal tools oftentimes is routed through IP network, explains Andrew Peters, a senior manager for product marketing for Cisco.

“That opens them up to a lot of security vulnerabilities,” he continues. “If somebody could get access to change it, it could hit or kill somebody. There could be hundreds of robots on an assembly line; one going haywire could stop the entire process.”

How to Take Control

Peters, who previously worked for the Air Force Information Warfare Center, says Cisco’s Identity Services Engine, featured in part 2 of this series, combined with Bayshore, a provider of rich policy controls and visibility for several major industrial protocols.

ISE supplies contextual data, such as IP address and location, to Bayshore, to boost its own profile. Both work together to perform software-defined segmentation and cut off suspicious users or devices.

This would not only prevent data loss but prevent human error, too, for example, when that “big red button” is pushed.

If an admin does something that is not within the policy, the Bayshore technology can detect this and direct ISE to stop the communication, Peters says.

This method could conceivably prevent something like the Stuxnet malware, which also attacks SCADA systems, and exploits a 0-day Windows vulnerability, allowing a hacker to take remote control of a system.

Stuxnet is a mischievous little virus that in 2008 infected Iran’s Natanz Enrichment Complex, according to the New York Times's David Sanger. It encouraged the uranium-enriching centrifuges to spin just a little faster than they should. The malware was doing its best Han Solo impression by telling the controllers “Everything is under control, situation normal.”

Meanwhile, the centrifuges were exploding all over the place.

So what evil hackers made Stuxnet? Well, that one was American-made apparently, with help from the Israelis. And it escaped, because, as Ian Malcolm says, "life finds a way."

Also, the Israelis may or may not have made some modifications, Sanger reports. 

The important takeaway is that Iran has vowed revenge and it will probably happen at your plant the day before your retirement.

Or you can take control of the situation by finding out about your company’s cybersecurity and encouraging your IT person to stop fixing the printer and plan a comprehensive cyber defense against Russia and Iran and hackers everywhere.

If you are the IT person, Blackmer offered a few tips:

  1. Get help: Have someone assess and catalog the environment to help you understand what is on your network. 
  2. Build from the inside out: Identify the crown jewels, and start building protection around those first.
  3. It’s all temporal: It is an ongoing process that never ever ends, so perform updates frequently.

There is more at stake than just one business getting breached or one blackout. Bad things are going to happen, remember? The important thing is to at least keep a balance in this new, connected world.

And hacking shouldn’t have the negative connotation that it does, insists Blackmer.

“There is malicious hacking,” he says, “but hacking is like driving a car. It’s just as easily drive to bank robbery as you could take your kids to school. It’s just a matter of how it’s used. Are you going to use it for good or for evil?”

As the Internet of Things grows to possibly 50 billion devices by 2020, and the Internet of Thieves grows as well, a lot of people are going to be asking themselves that question.

And the question you should ask yourself is how all this is putting you at risk in the cyber and physical world.

Scott Harrell, vice president of product management for Cisco’s Security Business Group believes answering that “is one of the biggest missions you could be on if you think about the scope of what it can impact in technology.”

And it affects your country, your job, and your family, he says, so assessing those risks is critical.

“A lot of people don’t understand what the risks are until something bad has happened,” Harrell laments. “By then it’s too late.”