By Sean Martin
I was fortunate to receive an invitation for an interview with BBC World News Newsday. A good portion of my interview was aired on the 10th of October. In this article is a collection of my thoughts that drove the direction of my responses to their questions.
Of course, a successful physical attack on a power grid could disrupt many downstream systems, including traffic control systems for autos, planes and trains, as well as water treatment and water supply systems, plus many more.
Still, it’s not direct attacks against these physical sites that worry me. It’s actually the devices and systems held by society. This includes the devices people literally hold in their hand (aka smartphones) and the devices they purchase in the stores and online to monitor their house and control their thermostat—each of which connects to the Internet.
It’s these things that worry me most as they could be used to wreak havoc across a variety of critical infrastructure environments all at once. It’s not always the same targets we think of and not always the same methods we presume that are used to conduct the attack. Basically, it doesn’t have to be direct.
Here are three examples:
- Distributed denial-of-service attacks against multiple banks using an army of connected and compromised devices—similar to the recent attack, one of the most aggressive on record, against a cybersecurity reporter here in the US, Brian Krebs
- Connected devices in the home used to “control” and take down an electrical grid (scenario example reported by Ash Wilson at CloudPassage)
- The addition of ransomware to a set of compromised connected devices to bleed a healthcare system of its money before doing the physical equivalent to its patients (prediction scenario(s) reported by Scott Scheferman, Cylance)
The last scenario hits home hardest for me, however, since it’s about the people. It’s the type of situation and story I look for as the editor-in-chief at ITSPmagazine, and these are the stories we ask our contributors to bring to our readers. We want to discuss the impact of technology and information security on people and society—and vice versa.
When we think about the impact of technology on people, we are quickly led to things directly connected to and with humans: connected cars and driverless cars as well as connected medical devices (of course) including insulin pumps and pacemakers. Everything people connect to in their house, in their vehicles and on themselves could also have an impact on them, those around them, and society as a whole from a security perspective and certainly from a privacy perspective.
People are directly impacted by these technologies and they don’t even realize it. These things we use are made by humans and they are flawed. They have weaknesses. Using default passwords and making the systems un-patchable are two simple, yet tragic examples. These human-made things are used by humans, and they can be misused—unintentionally and maliciously.
The connected society represents the ultimate critical infrastructure—nothing else matters beyond the people. And people’s own personal devices, systems and applications are likely going to be the elements used against them in an attack—on a large scale.
However, at the end of the day, it’s about the people. That’s what our contributors on ITSPmagazine typically write about: The impact of technology and information security on society and vice versa.
People represent the ultimate critical infrastructure—nothing else matters beyond the people. And people’s own personal systems are likely going to be used to conduct the attacks against them on a large scale.
Not ready for such an extreme sci-fi view just yet? Then consider if we take IoT devices out of the picture for a moment, and we’re left only with traditional machines. Business machines, for example, that connect to business partner environments, creating the supply chains every company relies upon.
Look at the Target breach or the Home Depot breach. These were both the result of a third-party vendor used as a vector into another business environment. This same model could easily transfer over to a nation’s critical infrastructure.
How many third-party vendors breached by a coordinated attack against a larger number of Fortune 100 organizations would it take to be considered “critical infrastructure?”
If a global CRM company was compromised and used to take down all of its business partners, that may not be “critical infrastructure.” But it sure could impact the economy and big swaths of business (and society) in a big way.
The response to this risk is complex and can be challenging. However, it can start with basic hygiene for any and all systems we connect to the Internet:
- Change the default password on the device; use different passwords than are used for other devices, systems, applications; use strong passwords; change them often
- Put the device behind a firewall to keep it from being directly exposed to the Internet
- If the device supports it, be sure to update any and all applications and firmware as updates become available; if possible, select devices and systems that support this update model
- Apply the appropriate layers of security that can protect the device from being compromised, even in the case of an undisclosed (zero-day) vulnerability
Beyond this, it becomes a game of monitoring for suspicious or malicious activity and responding to the events and incidents that are dangerous.
About Sean Martin
Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP. Sean is the co-founder and editor-in-chief at @ITSPmagazine and the president of imsmartin, an international business advisory firm.