12 Oct 2018
“When it comes to cybersecurity, you must act every week” states Kim Loy
Kim Loy is the Director of Technology and Communications at Vanderbilt Industries. Here, Kim discusses a range of topics varying from cyberattacks, vulnerability testing, IoT security, and smart cities.
To start off, one of the interesting things in the security industry in recent years, is the emergence of cyberattacks and the real threat that they pose. There have been several high-profile cases – the 2015 Ukrainian power grid attack, the 2016 WannaCry
The rapid gains made by technology into everyday living during the past decade or so have certainly impacted how the security industry operates. In short, the physical security industry has moved from being very simple inputs and outputs to being always-connected devices, and this makes us very much part of the IoT world. How this affects how Vanderbilt operates? Well, it has changed how we think when designing and developing our security systems, in particular our award-winning intrusion system, SPC. The system has built-in protection mechanisms whereby if the system is attacked, it will go into protection mode. The system will remain operational, and it will still be able to communicate out, but it will start to shut down elements of itself to protect the system from the attack. FlexC, Vanderbilt’s communications protocol, was redesigned from the ground up solely with cybersecurity in mind. The protocol has been designed to ensure everything is encrypted, all communications are monitored, and multiple types of attack are considered for defensive purposes to provide the best security possible. It is fair to say that while no system is invincible, SPC has been designed so that should an attack penetrate, the system has multiple communication paths available as backup. So, if one server is taken down the system can immediately switch to a backup server and then switch communication paths to bypass the attack and ensure messages still operate successfully. So that would be one example of how we have adapted to these ever-growing changes in the industry caused by the impact of modern technology.
You mention no system is entirely invincible. What type of attacks does the security industry generally prepare its solutions for?
Well, with more connectivity over the internet, IP physical security systems can be vulnerable to attacks. Hacking an IP security system can take place through a variety of forms, some being quite simple. So, for example, in a brute-force attack, a hacker just "guesses" passwords. Given that most people choose easy-to-remember passwords, many of these can be deduced through simple algorithms. Another standard method of attack is a Denial-of-Service. Here the offender attempts to overload the system by flooding the target with excessive demands that prevent legitimate requests from being carried out. This effectively makes it impossible to stop the attack by blocking a single source. But here's where best practice becomes so important, and from this point-of-view, vulnerability testing is a must. We always incorporate this into the development phase of products from day one onward. This thought process includes analysis of the type of cyberattacks that can potentially attack, breach, and disable a system. You then have the option to try and hack your own product from within the organization or hire a third party professional group to attempt to do it for you.
So, essentially vulnerability testing puts the product through its paces to ensure it is “sea worthy” before launching to the market?
Exactly. Vulnerability testing puts the product through its paces, and once weaknesses are exposed, they can be patched up, and the cycle of attack-and-defense can take place again until eventually, a watertight ship is in place and ready for market. It’s standard practice. Even the Pentagon brought in hackers to help identify more than 100 security vulnerabilities in their systems. It was reported that the hackers that could locate security issues were awarded up to $15,000 each, and I think it was roughly 1,400 hackers that took part in the project. So, the Pentagon’s approach might seem dramatic, given the cash incentives they put up for grabs. But when you consider how much people depend on online channels in today’s interconnected world, any security breach could lead to a devastating loss in customer confidence and therefore revenue. Testing is the critical discipline that helps identify where corrective measures need to be taken to rectify gaps in security. The more extensive an organization’s security testing is, the better its chances of succeeding in an increasingly volatile technology landscape.
Okay, that’s interesting. So, following on from that point, what are the most obvious weak links in people’s security?
Believe it or not, the most obvious low hanging fruit is to target people. This opens the door to the “weakest link” possibility that can uncover vulnerabilities such as lack of authentication and encryption, and weak password storage that can allow attackers to gain access to systems. I mentioned previously about weak passwords. Most hacks come down to human error whereby weak passwords, or clicking on contaminated email attachments, will expose an organization's security. Hackers have also been known to target contractors and wait until they go on-site for scheduled maintenance with their infected laptops. I actually read a statistic recently, and it said the top three sources of infection were the internet, USBs, and email attachments. If you remember back to 2014, the attack on a German steel mill, it was a spear-phishing email that was used in that attack. They then gained access to the plant’s network through the infected email attachment. What all this suggests to me is that the success of these non-complex methods would indicate low levels of awareness about how cyberattacks are in fact carried out.
Aside from vulnerability testing, what other methods can companies implement to follow best practices?
Well, in my mind, one very important thing to remember is this. Technology might be growing at a rapid rate that can lead to fears about potential security breaches, but you must then also remember that this growth means that security defenses are developing in parallel. At its core, security is about being continuously observant, following best practices, and being ready and able to react against a security issue. Unfortunately, as we know, this isn’t always the case. I read another survey a while back that said, of nearly 600 utility, energy, and manufacturing organizations, only half of the companies had a dedicated IT security program. Some methods to employ would be.. let me think. Email controls would be one measure. These can assist in blocking phishing attacks that can bypass spam filters. Regular compromise assessments would be another. These will check to see if an attacker is already in the system. People should be aware that currently, a hacker will wait an average of 146 days from having penetrated a system before they strike. So, regular assessments will give you the opportunity to root out penetrations before they hit. But you know, I consider one of the most obvious places to start is to choose equipment from reliable suppliers that have a knowledge and interest in cybersecurity and are focused on protecting your data. When your security system is designed from the ground up to protect against cyberattacks, naturally your organization will be in a much better place.
Smart cities are on the rise. Some experts have concerns about this growing trend when viewed through the eye glass of cybersecurity. How do you see it?
It certainly makes possible the ability for cities to increase efficiencies across services like transportation, water management, and healthcare. However, the fast adoption pace of networked technologies does also have the potential to create some vulnerabilities. There are already millions of smart home devices in the world. Where this could get tricky is, as smart cities rely on accurate data to properly function, if the information is hacked, it has the potential to bring a city to a standstill. So, by this I mean, you would be talking about things like traffic control systems being exploited to cause jams or crashes. Other risks would include subways grinding to a halt, or water supplies being contaminated. This scenario is not as far-fetched as it may sound either. Back in 2011, hackers gained control of a water control system in Ohio and destroyed a pump that serviced 2,200 customers. Furthermore, hacking entry points can be quite straightforward to unleash this chaos. For instance, smart lights bulbs and vending machines on a college campus were recently used as a starting point to launch a cyberattack against an unnamed university in the States. Given the huge quantity of smart devices now in our everyday life, defending against the sheer volume of attacks will become a challenge for smart cities. But of course, it is not all doom and gloom. Smart cities are springing up at a rapid rate for a reason. In Barcelona, smart water meter technology has helped that city to save $58 million a year. And in South Korea, one city cut building operating costs by 30 percent after implementing smart sensors to regulate water and electricity usage.
Any final thoughts before we finish?
You’re most welcome. I guess I would just finish by reiterating that with cybersecurity, you must act every week. It is not something where you can say, “we’re safe, we’re secure, let’s forget about it.” Every time you release a product or release an update, you must centralize your mindset on cybersecurity. Vanderbilt’s fundamental way of approaching this issue is to stay in the mindset of assuming someone is currently trying to attack one of our systems. Another thing to mention is, people have a misconception that vulnerability announcements are a terrible thing. On the contrary. They can and should be viewed as a positive thing. Having an environment within the industry of open disclosures only means that we can learn from mistakes, we can see how hackers are attempting to breach systems, and ultimately, it can help us stay ahead of the curve. Finally, when system vulnerabilities are reported, it just means that vulnerability testing down the line will improve; that bar will continue to rise. So, by that I mean, look at what happened in the IT industry. Customer demand sparked the change to deliver robust security protocols, which the manufacturers then implemented. Now companies like Microsoft and Apple openly fix software vulnerabilities on a regular basis, and no gloss is taken off the prestige of their brand for doing so, because this is what the consumer now expects and wants from these software giants. This is the same mentality that needs to be adopted by security manufacturers.