IoT Risks Loom Over Critical Infrastructure
With the Internet of Things promising—or perhaps threatening—to connect many more millions of devices, experts from industry, government and the military are urging action.
The critical infrastructure covers a lot of territory, including banking and finance, gas and oil, health care, agriculture, water distribution, transportation, communication, law enforcement and emergency services. Many outdated and poorly secured computers, experts say, operate a great deal of that infrastructure. Additionally, commercial or private entities own the vast majority of the infrastructure, meaning that government has little authority to protect it.
U.S. government and military officials have been warning about a digital attack on the nation’s critical infrastructure since the 1990s, when “cyber” was barely even a topic. And although “digital Pearl Harbor,” a 1990s phrase, is barely used anymore, many experts still worry about the possibility of a devastating strike. “The nightmare scenario for me is an attack on the relatively weak underbelly of the U.S. economy. You could very easily paralyze an entire city or state with one attack,” says Simon Crosby, co-founder and chief technology officer of Bromium, a Cupertino, California, firm focused on global enterprise security.
He cites the growing threat of encryption malware as a major concern. The software infects a computer system or a network and encrypts files so that authorized users can no longer use them unless they pay a ransom. Two examples are WannaCry, which recently infected computer networks in more than 150 countries, and Petya, which first infected systems in Ukraine in an attack that Ukrainian officials blamed on the Russians, a charge Russia denied. “I’m immensely worried about the big shift toward crypto malware. If I want to take down any organization that is chartered with being available at all times, like a government agency, a city, health care, military, first responders, anything like that, I can bring it to its knees easily with crypto malware,” Crosby declares. “By the time you get your first alarm, you’re done. You cannot move.”
America’s digital economy and lagging government technology leave the nation vulnerable. Crosby recalls that the United States put its economy online more quickly than any other country. By contrast, Russia—one potential adversary—has a relatively small portion of its economy online. And China—another potential adversary—has been adept at keeping its systems up-to-date with some mostly unintentional help from the United States. “In the 1990s, China was a cultural and technical backwater,” Crosby says. “We put all of our best stuff into open source so that they could download it every day. So, it would be harder to get back at them because they moved forward faster.”
He contrasts China’s ability to modernize with the situation in the United States. “Everything we praise Silicon Valley for gives other countries the very best American technology every damned day. And we sit with Windows XP running the U.S. federal government,” Crosby muses.
The Internet of Things (IoT) only makes the security risk more severe, he adds. “And ... with IoT, every system is vulnerable,” Crosby says.
Douglas Maughan, who directs the Cyber Security Division within the Department of Homeland Security’s Science and Technology Directorate, agrees that the IoT presents security challenges. “The issue with IoT is that it’s everything from home automation to critical infrastructure to all these other sectors we’re counting on. Nobody’s really making sure that everybody is doing things correctly,” Maughan offers.
He stresses the importance of safeguarding the critical infrastructure. “At the core of everything we all rely on—and are betting our lives on—is critical infrastructure. We’re counting on the electric system to be up all the time. We’re counting on the banking and finance sector to always work. We’re counting on the water supply system to always work. We’re counting on our cars to not be hacked into. We’re counting on our medical devices,” Maughan notes. “We need to spend more time and energy … to improve [these capabilities] and make them more secure because the bad guys know that if they can attack the infrastructure, they can do us harm.”
Maughan’s division makes a point of rapidly cranking out technologies to protect the homeland from cyber assaults. (See “The Science of Cybersecurity,” page 38.) He points out that the White House issued an executive order in May to strengthen the cybersecurity of federal networks and the critical infrastructure. In the same vein, industry needs to design more secure software, and companies should be held accountable when they produce faulty products in an effort to “beat the time-to-market clock,” Maughan says.
Crosby, on the other hand, describes himself as a “cyber optimist” and says technology producers overall are doing far better. Systems can be made “massively secure,” he insists, adding, “I think that’s a solved problem.”
But too many, including the federal government and critical infrastructure stakeholders, are too slow to adopt updated technology, he says. “We could make it so that only the few most skilled people in any one of the nation-states could have a go at us. Great. We should go there,” Crosby states.
He and Maughan, along with Adm. Richard C. Macke, USN (Ret.), former Joint Staff J-6 and former commander of the U.S. Pacific Command, cite the American work force as one of the biggest vulnerabilities in the cyber domain. “Take all the users off the network. Let the machines run it,” Adm. Macke bluntly recommends. “What we need to do is get them to be careful about what they click on. Still, the weakest link in any cyber is the user.”
All three experts suggest educating students at an early age to develop a more cyber-savvy work force. “One of the things we need to do is to start teaching cyber at the kindergarten level,” Adm. Macke asserts. “Maybe we could do it as they come out of the nursery.”
The admiral adds that today’s children become expert computer operators at an early age, but they do not necessarily understand the dangers in the cyber world. “They’re all over the computer. Not all, but certainly some of our problems are created by the kids who are using Mama’s and Papa’s computers and … picking up malware right and left, but they don’t understand the threats of cyber. We need to start that education early on.”
Maughan indicates that schools need to adjust. The recent executive order calls for cybersecurity-related curricula, training and apprenticeship programs from primary through higher education. “We’ve got students who are using computers and technology at a very early age. The students are very different, but it’s the same education system,” he elaborates. “It’s not just an issue for the people who are in the work force today. It’s the entire pipeline and how to prepare the next generations—how to get them trained and educated.”
The United States is not the only nation struggling with the work force issue. “Not only is that a national issue, that’s a global issue. Every country that I’ve been to in the last three years has the same problem,” Maughan reports.
All three experts also tout the power of automation, or removing the human from the cybersecurity loop as much as possible. “There’s going to be more and more automation. We just have to figure out how to use it to help us defend our systems. That might be using artificial intelligence or machine learning,” Maughan offers. He adds that automation can “remove the human from some of the processing” because “computers work much faster than humans.”
He acknowledges a dark side to automation tools. “The bad guys could use artificial intelligence and machine learning to figure out what our defenses are … and to crack into systems. We want to use it for good purposes; they want to use it for bad,” Maughan says.
Nonetheless, Crosby promotes the power of cloud computing for both federal government systems and for the supervisory control and data acquisition systems that run much of the critical infrastructure. “We are massively exposed there. That stuff is easy—easy—to break,” he says. “My recommendation would be that we move to the cloud as quickly as possible.”
With cloud computing, systems are automatically upgraded and patched as threats are identified. “It’s absolutely critical that we automate.
“The cloud does a much better job of keeping things secure and up-to-date. It’s just better,” Crosby states.
Adm. Macke, however, says cloud computing may not be the total answer. “I’m on Apple, and I’m on Apple’s cloud, and I still get malware,” he counters.
Both Crosby and Adm. Macke contend that government and politics sometimes get in the way. “There has been a muddled charter between different agencies. They all run around trying to do something, and in the process we lose a lot. Right now, there are too many dueling factions, all of whom think they’re cyber experts claiming to solve the problem,” Crosby says.
Adm. Macke responds: “Washington is a city of dueling factions.”