Hollywood can teach us a lot about technology
BT's Andy Rowland on technological risk, and how the systems fundamental to modern life are under attack
Have you ever noticed how good Hollywood is at predicting future technological advances? ‘2001: A Space Odyssey’ (1968) brought us tablet computers and space stations. ‘The Terminator’ (1984) — military drones. And ‘Minority Report’ predicted gesture-based interfaces in 2002. In 2007, ‘Die Hard 4.0’ saw John McClane battling hackers who were trying to turn the lights off across America — which could now be a reality thanks to an increasingly connected world and the advent of state-sponsored cyber attacks.
Increasingly, the systems fundamental to modern life are under attack. Imagine what would happen if there was no sewage treatment, no clean water, no electricity or gas. All of these industries have something in common — they all use industrial control systems to regulate temperatures, pressures and turn processes on and off automatically. The systems that do this were developed by engineers for engineers. There was little thought for security, as they weren’t connected to corporate IT or the Internet. They relied on security through obscurity.
The key risk factors
But these systems are now at serious risk — for two main reasons. The use of IoT sensors to drive efficiencies, and the huge demand for analytics to optimise processes, known as Industry 4.0.
For example, why drive out to a remote pumping station to check it’s OK when a battery-powered sensor could send you an update over a cellular connection? In the case of Industry 4.0, it’s all about gathering data from different sensors and systems, and collating it into a data lake, used to apply machine learning and drive efficiencies. In both cases, you’re now connecting lots of things that, traditionally, were never designed to be connected.
So, how does the risk manifest itself? Typically it falls into two broad categories — technology and processes. A good example of the former is the recent discovery that inverters — designed to convert the output from solar panels to feed the grid — could be hacked. Either the grid could be flooded with power, causing other generators to shut down, or blackouts could be created as in Die Hard 4.0. In Europe, over 90 gigawatts of power is generated from solar generators, with Germany using solar power to meet 50 per cent of its needs — so this is not an insignificant issue.
In terms of processes, while we’re on the subject of power, let’s look at the hack that turned off the electricity for a quarter of a million people in the Ukraine. Here, the attackers used phishing emails to get as far as the corporate network, but the industrial control systems were wisely firewalled. However, from the corporate network, the hackers were able to harvest the credential of engineers who used VPNs to access the industrial systems. And as they didn’t have two-factor authentication (something you know, e.g. a password, something you have, e.g. a token, or something you are, e.g. biometrics) they were able to use the stolen passwords to reconfigure the grid and turn off the power.
So how do we address this problem?
First of all, you need to deal with the basics, just as you would at home. So lock your doors and windows, don’t let your children open the door to strangers and fit an alarm for when you’re out. In the same way, you need to segment your network with firewalls, educate your employees on things like spear phishing, and install intruder-detection systems.
You also need a joined-up approach to security, involving engineering, IT, third-parties and service and support. Perhaps you could bring in some external security experts to do some social engineering/ethical hacking, where they might pretend to be your technical help desk, leave a few infected USB sticks around, and even undertake some targeted phishing!
Finally, you also need the equivalent of smoke detectors — systems that provide advanced warning of a problem. Mature security operations use highly advanced systems to cross-correlate data from multiple sources, and artificial intelligence to look for new patterns they’ve not seen before that could indicate a new attack vector. To prevent what John McClane in Die Hard calls the “fire sale” (i.e. everything must go) you may need to bring in the action hero.
To learn more, download our report exploring the five steps you have to navigate to protect your organisation from attack.
PublicTechnology talks to Siim Sikkut about why data embassies and ‘invisible services’ are key to country’s technological future
Top department officials tell select committee that preparations for EU departure are going well
Firms can avail themselves of training in areas such as using search engines and social media
Health secretary reveals email will be opened up to allow use of ‘any secure email provider’
Whether you need mobile devices or fibre optics, cloud services or switchboard systems, with UniCORN you'll have more purchasing power and unlock benefits you wouldn't get alone
BT understand the public sector in the capital. Frameworks offer a single, simplified way to get the ICT products and services you need
Download Gartner's expert analysis to help you plan your SD-WAN implementation
BT always talks about helping its customers be there in the moments that matter. And that’s the idea at the core of their new Customer Experience Centres. Experience BT solutions first-hand and...