
NED Cyber Security Report Part 4: How I Learned to Stop Worrying and Love IoT

In this chapter of NED's cybersecurity coverage, we discuss how the Internet of Things could be the solution to all our problems, and also destroy us, too.

My first week at New Equipment Digest, my frenetic editor, Travis Hessman, and I were in his office, listing all the tech-centric stories we'd like to cover as our team endeavored to bring an eighty-year-old manufacturing magazine into the 21st century.

Admittedly, we sounded like a couple of high school girls talking about the latest boy bands we're crushing on.

"I think 3D printing is going to change everything soon," I gushed. "I've been following it since I learned about it in 2007. It's going to go mainstream real soon, I think."

"Oh yeah, it's so super cool, though we just did a special section on it. It's kind of my bae," Hessman responded (although maybe not in those exact words).

Then he pulled out another recent issue with Sawyer, Rethink Robotics' collaborative robot, on the cover.

"Check this out," Hessman said slyly. "I actually got to meet him at a show once. They let me control it and everything. I was like 'OMG!'"

Then he quickly started going into a diatribe on the Internet of Things. I nodded and agreed with everything he said about it being revolutionary and its ability to terraform our perception of productivity, and how important it is to our audience.

I nodded and chimed in with a "yeah, totally," every now and again, but in my head, I was thinking, "What the hell is this guy talking about?"

Yes, I had no idea what the Internet of Things was. It sounded kind of important, so instead of faking my way through any more of our discussion, I asked casually, "So what is this Internet of Things you speak of?"

Instead of laughing at me like my step-daughter does when I haven't heard of the latest emo band du jour, Hessman morphed from manic tech geek into a calm, collected professor-type to explain. He even put on tweed elbow patches and a bow tie before getting in depth.

He started by asking if I knew about Internet-connected thermostats, and other common smart devices that constantly feed each other data.

I had heard of those, of course.

"Basically, the Internet of Things is ALL of these Internet-connected devices and machines working together to optimize production and efficiency," he said, outstretching his arms for effect. "So a machine on a production line can tell other machines in the process if it's broken or needs maintenance, and everything in the supply chain adjusts accordingly."

This Internet of Things sounded a lot like my Catholic elementary school's explanation of God: Omniscient, omnipresent, and omnipotent.

Like God, it is known by many names -- IoT, Industry 4.0, Industrial Internet, Internet of Everything, and so on. And everyone argues which is the correct one. Some say it lives in the cloud, others don't even believe it really exists.

Finally, no matter how much you know about it, you can't say for certain whether it's merciful in nature or vengeful.

The Good

"It's the democratization of innovation," says Marc Blackmer, a product marketing manager for Cisco and prodigious IoT evangelist. "It goes more toward a meritocracy. The more minds that are cranking away out there, the more things are going to come out of left field that we never thought possible."

Cisco calls it the Internet of Everything, and affirms that connecting everything to everything will improve traffic patterns, water usage, and employee productivity. In the global public sector, a place where bureaucracy trumps efficiency, this networked connection of people, process, data and things is estimated to generate $4.6 trillion in potential opportunity between 2013 and 2022. The private sector will nearly triple that, creating $14.4 trillion.

Sure, it sounds like Dr. Evil has become an analyst for Cisco and is just making up numbers. And who would second-guess him or what it can do? A 2014 study from Acquity Group reported 87% of people didn't even know what the Internet of Things is. Like me, they would just nod their heads and agree.

That's about to change, though. No one knew what the Internet was in the '70s and '80s, except that it let them get money out of ATMs.

The early stages of IoT helped optimize supply chains and certainly made businesses make more money, and will continue to do so, but that doesn't account for people's unbridled excitement at the IoT's potential. As the ubiquity of broadband and machine-to-machine and person-to-machine connections spreads, expectation and reality move closer together.

Blackmer has noticed it just in the subject matter of the Cisco-run IoT World Forum, where the foremost authorities on IoT give TED Talk-like presentations about the current and future state of affairs.

"The topics of most of the speakers shifted away from improving logistics and how to make more money to the things that can improve people's health and quality of life," Blackmer says.

Green City Solutions is attempting to use moss monitored by IoT sensors to filter smoggy cities.

He specifically points out Green City Solutions, a finalist at the Cisco Innovation Grand Challenge.

The start-up uses 4-meter high, moss-covered stone structures to filter air in urban areas, and smart sensors to optimize the process. Embedded moisture sensors, for example, ensure the fixture absorbs an optimal amount of rainwater and remains self-sustaining. One wall has the air purifying power of 250 trees.

Air pollution causes 3.3 million deaths a year, according to a 2015 Harvard study, and this could double by 2050. So leveraging the IoT to clear the air would save millions of lives and even more in respiratory-related healthcare.

"I was surprised that we've already reached that point since we are so in the nascent phase of this," he says of the positive global implications of IoT.

The Bad

When you put your faith in an unforeseen deity, sometimes you're going to have a bad day. Even if you don't, bad things happen to you. It's just that with the IoT, which has a reach of literally anywhere with an IP address, the potential for bad scales, too.

In the '60s, people worried about the Russian government nuking a major American city, and then America retaliating, and Russia retaliating for that.

Now we don't even know who may attack us, or why.

"If somebody fires a missile, it's pretty easy to tell where it came from," Blackmer says. "If someone launches malware, good luck. Attribution is one of the biggest things we face in trying to solve these."

From a national security perspective, the results could be dire. A blackout in western Ukraine on Dec. 23, 2015, affected 80,000 residents for six hours. The Russian hacker group Sandworm has been blamed for the BlackEnergy3 malware that took down the grid.

The control systems, known as Supervisory Control and Data Acquisition (SCADA) systems, were targeted to temporarily disrupt the grid.

Is Sandworm knocking on your door?

"It could have been much worse if the hackers decided to open the breakers then close them out-of-phase with the grid, creating an Aurora event," writes Joe Weiss, a control systems cybersecurity expert, in a January blog.

He suggests the attack was a cyber show-of-force to America from Russia, which he alleges has already infiltrated the U.S. electric grid.

"Considering most U.S. utilities have still not installed Aurora hardware mitigation and DHS has declassified Aurora information, it just may be a matter of time before really bad things happen," he surmises.

Taking down the grid would be a next-level jam that only an Elon Musk/Bruce Willis team-up could get us out of, using a combination of Tesla Powerwalls and yippee ki-yays.

Little disruptive attacks by corporate saboteurs, terrorists or even disgruntled employees can do untold damage, too.

"Stoppage at an oil refinery, for example, could prove incredibly costly," says Blackmer. "I heard it was a $1 million an hour of lost revenue, and it takes 20 hours to restart a refinery. You're looking at a $20 million potential loss if the key system is impacted."

Another potential problem: connecting everything means you run the risk of injecting a perfectly good machine with good ol' human error.

"This isn't just about stopping some über hacker," Blackmer says. "How do you get Joe Operator not to push the big red button that says 'do not push'? Sometimes that's more the issue."

Whether intentional or by accident, loss of life could also be the result of a more nefarious actor.

Industrial robots may become a prime target because control of these powerful, metal tools oftentimes is routed through an IP network, explains Andrew Peters, a senior manager for product marketing for Cisco. "That opens them up to a lot of security vulnerabilities," he continues. "If somebody could get access to change it, it could hit or kill somebody. There could be hundreds of robots on an assembly line; one going haywire could stop the entire process."

How to Take Control

Peters, who previously worked for the Air Force Information Warfare Center, says Cisco's Identity Services Engine, featured in part 2 of this series, combined with Bayshore, a provider of rich policy controls and visibility for several major industrial protocols.

ISE supplies contextual data, such as IP address and location, to Bayshore, to boost its own profile. Both work together to perform software-defined segmentation and cut off suspicious users or devices.

This would not only prevent data loss, but prevent human error, too, for example, when that big red button is pushed.

"If an admin does something that is not within the policy, the Bayshore technology can detect this and direct ISE to stop the communication," Peters says.

This method could conceivably prevent something like the Stuxnet malware, which also attacks SCADA systems, and exploits a 0-day Windows vulnerability, allowing a hacker to take remote control of a system.

Former Iranian president Mahmoud Ahmadinejad at the Natanz uranium enrichment plant.
photo credit: AP

Stuxnet is a mischievous little virus that in 2008 infected Iran's Natanz Enrichment Complex, according to the New York Times' David Sanger. It encouraged the uranium-enriching centrifuges to spin just a little faster than they should. The malware was doing its best Han Solo impression by telling the controllers "Everything is under control, situation normal." Meanwhile, the centrifuges were exploding all over the place.

So what evil hackers made Stuxnet? Well, that one was American-made apparently, with help from the Israelis. And it escaped, because, as Ian Malcolm says, life finds a way. Also, the Israelis may or may not have made some modifications, Sanger reports.

The important takeaway is that Iran has vowed revenge and it will probably happen at your plant the day before your retirement.

Or you can take control of the situation by finding out about your company's cybersecurity and encourage your IT person to stop fixing the printer and plan a comprehensive cyber defense against Russia and Iran and hackers everywhere.

If you are the IT person, Blackmer offered a few tips:

  1. Get help: Have someone assess and catalog the environment to help you understand what is on your network.
  2. Build from inside out: Identify the crown jewels, and start building protection around those first.
  3. It's all temporal: It is an ongoing process that never ever ends, so perform updates frequently.

There's more at stake than just one business getting breached, or one blackout. Bad things are going to happen, remember? The important thing is to at least keep a balance in this new, connected world.

And hacking shouldn't have the negative connotation that it does, insists Blackmer.

"There is malicious hacking," he says, "but hacking is like driving a car. You could just as easily drive to a bank robbery as you could take your kids to school. It's just a matter of how it's used. Are you going to use it for good or for evil?"

As the Internet of Things grows to possibly 50 billion devices by 2020, and the Internet of Thieves grows as well, a lot of people are going to be asking themselves that question.

And the question you should ask yourself is how all this is putting you at risk in the cyber and physical world.

Scott Harrell, vice president of product management for Cisco's Security Business Group, believes answering that is "one of the biggest missions you could be on if you think about the scope of what it can impact in technology."

"And it affects your country, your job, and your family," he says, so assessing those risks is critical.

"A lot of people don't understand what the risks are until something bad has happened," Harrell laments. "By then it's too late."


The next chapter concludes our cybersecurity coverage, and will focus on the most important areas to protect: your home and family.
