Posted on Jun 12, 2019
By their very nature operations technology careers are focused on the management of physical spaces, most of them local. Since the advent of the green building movement smart devices have proliferated from office buildings and homes into hospitals, factories and even aboard cruise ships to save energy, increase worker productivity and develop more valuable, desirable living spaces.
Those localized devices are now being increasingly connected to networks, including the internet, in order to further boost efficiency and productivity. Aided by network connectivity, a single operations manager can monitor many more physical spaces from a distance than was ever possible locally.
Yet that jump from limited local to internet connectivity brings significant cyberattack risks. And the rise of those risks and their criticality is creating a growing gap between traditional OT skills and those needed today.
The signs of the increasing importance of cybersecurity to operations teams are already appearing.
Last month we sponsored a survey of OT pros managing a host of smart building control systems. With the first wave of phone interviews almost complete, LTM Research found about 20% of operations teams already had assumed responsibility for securing smart devices and control systems. Another 27% shared their cybersecurity responsibilities with IT. For 30% of those interviewed, IT was solely responsible for securing their smart building control systems.
In almost 50% of those surveyed operations pros played a key role in cybersecurity for physical systems/controls. As more control infrastructures are connected to the IT network those numbers are bound to increase. At this point only about 33% of those surveyed said they’re OT and IT networks were converged, and the sample is based on organizations which have purchased and deployed smart devices.
Given the business case for smart device connectivity one might be tempted to think that the rate of convergence should be much higher. Most participants cited budget (67%) as the biggest barrier to achieving smart building goals, followed by the length of planning and deployment cycle (23%).
There is clearly a good, bad and ugly aspect of OT/IT convergence:
Connecting "things" using traditional networking is not your biggest problem. The challenge is the growing attack surface created by inadequate networking of sensors, unconventional endpoints and outdated operating systems.
>- Tempered Networks CEO Jeff Hussey, In Forbes
A massively expanding attack surface is exposing billions of internet-connected devices to the risk of malicious attack. Two years ago, two of the most destructive attacks in history (WannaCry and NotPetya) spread globally in hours and damaged everything from connected maritime shipping to health care devices, validating a 2016 Cybersecurity Ventures prediction:
In August of 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
With OT/IT convergence well underway and growing cyber threats one might be tempted into thinking that IT would simply handle convergence-driven security challenges. Yet that assumption has two critical flaws: 1) traditional IT security solutions weren’t architected for protecting control systems, many of which are running on vulnerable operating systems; and 2) there are already critical shortages of trained IT security pros.
A Gartner survey found that organizations are keen to integrate IoT and IT technologies (such as sensors, data stewardship, security and analytics) into OT systems. However, IoT deployment is still in the early stages, and most organizations don’t yet have the skills, expertise or time to drive the IT/OT alignment requirements.
Between the tools and personnel shortages and the growing attack surface there is plenty of career opportunity for OT pros who understand how to easily protect these exposed systems. The risks can be catastrophic, as stated by network infrastructure expert Gabriel Lowy:
Gaping holes in data quality and integration with IP/TCP (Internet Protocol/Transmission Control Protocol) networks and their fragmented security layers leave both industrial control systems (ICSs) – and the IP data infrastructure they are increasingly interfacing with – vulnerable to debilitating attacks. These attacks can range from disrupting production facilities and supply chains to crippling vital services and safety systems.
The consequences can be severe: financial losses, regulatory fines, reputational damage, loss of control over critical infrastructure and services, and health issues, including environmental harm and loss of lives.
OT pros who get trained in cybersecurity will be able to pick and choose from plentiful career opportunities in coming years, allowing their employers to enhance safety while driving massive gains in efficiency and productivity. Because of growing internet connectivity they will also be even more productive than their early peers confined to in-person operations management.
Posted on Jun 5, 2019
We have a problem. This problem potentially effects all of us. It is not fun to think about and it’s not going away anytime soon.
Over the last 20 years, millions of Medical IoT devices have been connected to IP networks at Hospitals and Clinics. These connected Medical devices often keep us alive. We trust them to deliver the right amount of medication or to literally keep our heart beating. We trust them to do the job perfectly. Unlike a human, these machines do not make mistakes. The problem is that these live-saving devices are often connected to sprawling hospital networks.
The IP networks at hospitals were designed for availability. As doctors and nurses move devices around or deploy new ones, they need to connect and work - every time. There is no time to call IT and make a change. Everything device is routable, the network flat and available. Security was an afterthought.
While this all happened, hackers quickly figured out that Hospitals are a gold mine. Patient information has high value on the black market; unlike credit cards, you can’t reset your social security number. Hackers found they could breach these networks and find thousands of servers to attack, all full of sensitive information. Accordingly, the healthcare industry has spent a lot of money on protecting servers that contain your medical records.
But what about the Medical devices on these networks? Most medical devices do not contain patient information.
There are hundreds of medical device types and most of them run proprietary operating systems. Some of them run Windows. Some of them run Windows XP! Some of devices have hard coded passwords (like admin/admin). Some devices have backdoors for easy access for trouble shooting. Some devices can’t be patched without FDA approval. Some devices have a VPN connection to the vendors. Some of these devices talk directly to the internet for updates!
The nightmare scenario that keeps me up is this: malware breaks out inside of a Hospital network that is attacking these medical devices. This could happen very fast and the result could be a devastating loss of life. When breached, Hospitals around the world are forced to unplug everything that’s connected to IP networks. They are forced to return to pen and paper and the entire healthcare industry is forced back into the dark ages, costs millions of dollars and reduces patient care.
How do we make sure this never happens?
Hospitals could hire a small army of network engineers and install firewalls and NextGen security technologies for every medical device. This would cost over 10 million per hospital and would likely bankrupt the healthcare industry in the process. The hospitals that could do it, would be forced to keep that small army of network engineers on staff 24/7 to deal with all of the changes to this new, locked down and inflexible network. Let’s be real; this will never happen.
The other option is to install a purpose-built network switch directly in front of the medical device. This switch would make the medical device invisible to hackers. It would insure no un-authorized machine could every communicate with the medical device that’s delivering medication. The switch does not require FDA approval. This switch is shipping now and has 20 years of development behind it.
It’s called a HIPswitch. Over the last 18 months hospitals are accelerating their deployment of HIPswitches in front of medical devices. The deployment only takes a few minutes and it requires almost no changes to the hospital network. HIPswitches work with both state-of-the-art medical IoT devices and formerly un-patchable legacy equipment.
I am passionate about communicating this solution to every hospital and healthcare organization in the world. This is not just a Security issue, it’s a human safety issue.
Our solution is already securing and connecting hospitals in the US. For a deeper dive you can read our use-case here.
Posted on May 30, 2019
IBcon has grown to become the world's most comprehensive and leading-edge discussion on the next generation of smart, connected, high-performance, green, sustainable, intelligent buildings. This event is not about the traditional one building, one system, one vendor smart building of yesterday, but rather the open architected, interoperable, integrated, IP, IT centric smart buildings of tomorrow.
We deliver peer-to-peer encrypted networks that make it simple to connect and micro-segment BAS across separate buildings and networks, with little to no change to existing infrastructure. With a simple plug-and-play deployment model, you can now easily and quickly integrate systems across the LAN and WAN, without heavy IT involvement. We enable you to reduce costs through improved efficiency and predictive maintenance with BACnet traffic isolation and centralized control of distributed buildings.
Contact us by June 7th and make an appointment to meet with Penn State’s smart building isolation expert Tom Walker to learn how his team was able to enhance security, increase connectivity and availability and reduce costs and complexity. Penn State won the Digie Award in 2018 for Most Intelligent University Campus. We'll also be giving away a drone!
You can read more about Penn State’s success by downloading our Spring 2019 Smart Buildings 2.0 e-zine.
Posted on May 23, 2019
The advantages of digitalization are well documented and understood, especially in health care. Patients, for example, benefit when their doctors can access their critical data by simply plugging a device into a wall jack. That wall jack often connects to every other connected device in the hospital.
No one has to file a report or make a call to get timely access to data or even administer critical care devices from across a hospital. If the hospital is part of an MPLS network then the scale of access and convenience is taken to an even greater level.
Digitalization allows health care workers to focus more time and resources on administering medicine. Patients benefit because those caring for them are more productive, more knowledgeable and faster to respond:
The health care industry increasingly relies on technology that’s connected to the internet: from patient records and lab results to radiology equipment and hospital elevators. That’s good for patient care, because it facilitates data integration, patient engagement, and clinical support.
– Nicole Wetsman, HEALTH CARE’S HUGE CYBERSECURITY PROBLEM, April 2019
Digitalization also exposes more critical care processes and controls to the internet and that’s a big problem. Two years ago this week WannaCry took down hundreds of thousands of systems globally in a matter of hours, including about a third of England’s hospital trusts and 8% of the nation’s general practitioner offices.
In June we’ll note the anniversary of NotPetya, one of the most devastating cyber attacks of all time. Like WannaCry, it had devastating impacts, including hospitals and clinics. And WannaCry is still out in the wild, continuing to infect computers:
In its global list of countries where WannaCry variants have been detected over the past two years, India is at the top with 727,883 WannaCry infections, followed by Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814).
- Dev Kundaliya, WannaCry remains a serious IT security threat worldwide, researchers warn, May 2019
While tens of thousands of appointments, including surgeries, were cancelled or scheduled, no one has yet to die because of a cyber attack. Hospitals are starting to realize that there are 1000’s of devices connected to Hospitals that if breached, could hurt or worse kill someone. These include devices that deliver medication, drugs, chemotherapy and radiation.
There are, for example, vulnerabilities on scores of vulnerable medical devices (see Melanie Evans and Peter Loftus Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security):
The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.
And the situation is getting worse:
Reports show that ransomware and other cyberattacks are on the rise — and health care is one of the biggest targets. Just this week, researchers in Israel announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, Kim Zetter reports for The Washington Post.
Hospitals are attractive targets because they have a shared infrastructure. Like an airport, they also have lots of 3rd party vendors working on the same L2 network through hundreds of VPNs, some connected directly to critical care equipment. Giftshops, vending machines, bio-medical services, laboratories can also share that same common network.
Hospitals often have no idea what’s on their network at a particular moment. They’re often using networks built over the last 20 years and no one made a map. Very few have done any inventory of connected devices. And those devices can be plugged and unplugged from the network in seconds. Many of them are running outdated and unpatched. operating systems.
Around 10% of the devices on hospital networks run outdated operating systems (XP, Windows 2003 as examples). Hospitals are also starting to realize that there are 1000’s of connected devices that if breached, could hurt someone. These include devices that deliver medication, drugs, chemotherapy and radiation.
That’s where Tempered Networks IDN solution can help. Tempered’s HIP switches can drop into these flat L2 networks and deliver instant segmentation without having to make changes to the network. They can install in minutes. Patients gets the health benefit of digitalization without much of the health risk inherent with flat L2 networks.
You can read more about how we secured and connected one healthcare facility here.
Posted on May 6, 2019
If you connect the dots between a recent article in Forbes and another on LinkedIn by “unencumbered” infrastructure analyst Gabriel Lowy, the answer to the OT/IT cybersecurity conundrum is teamwork.
While cooperation between OT and IT isn’t common, Gabriel points out that the DevOps movement was once nascent as well. And OT/IT teamwork might be forced by greater pressures from a catastrophic loss. What could be worse than losing financial records? Losing control of a smart hospital, factory, ship or building.
As Tempered CEO Jeff Hussey points out in Forbes, smart and secure as mutual goals can pose harsh dilemmas for organizations pursuing optimal returns:
Businesses are keen on optimizing operational efficiencies for enhanced service delivery, reducing costs and downtime through preventative maintenance, all while lowering energy consumption and harmful environmental impact. This is accomplished by collecting, analyzing and leveraging data from internet of things (IoT) devices, which, according to Gartner, Inc., can "learn behavior and usage, react with preventive action, or augment or transform business processes."
And here is the catch:
Despite the sizable number of positive business impacts IoT devices can have on businesses, many organizations have balked at the idea of deploying IoT devices and control systems, citing an overwhelming level of complexity and a lack of personnel with IoT training as their reasoning. The gap in IoT skills is a direct result of the information technology (IT) and operational technology (OT) convergence. Unfortunately, bridging that gap isn’t an easy equation. Simply adding IT staff to an OT team does not produce the correct answer. It’s back to complex mathematics again.
Gabriel Lowy recognizes the problem in his recent post on catastrophic risks when OT/IT infrastructures converge and the teams don’t. He also draws an insightful parallel between the emergence of DevOps and the much-needed operational convergence of OI/IT. A common, blended organization tackling both makes the most sense:
Converged OT/IT teams can ensure stronger defenses in the face of challenges posed by external cyberattacks, outmoded network and edge security, and internal data misuse by either ambivalent or malicious insiders. As ICS platforms better interface with IT systems securely, organizations can realize the benefits of improved assets management and operational visibility across converging OT/IT infrastructure.
Posted on Apr 22, 2019
Spring 2019: The Most Intelligent University Campus
A small team at a large university did what many thought would be impossible. They quickly and easily isolated a statewide control infrastructure spanning more than 600 buildings. Indeed, while many organizations struggle with rising security stack complexity and the added difficulty of securing converged infrastructures, they finished their project in record time and without adding staff.
From remote cornfield agri-labs to campus complexes of smart buildings serving a population of more than 100k students, the operations team increased connectivity and availability, enhanced security and reduced operating costs in what may be one of the fastest isolation projects ever completed.
Their success was recognized with the 2018 IBCON Digie Award for the Most Intelligent University Campus.
The 10-page eBook, complete with easy to understand charts and graphs, discusses key challenges the team faced, what they did to address those challenges and how they were able to quickly enhance security without creating an even more complex security stack.
For a limited time you can read and share their story without registration.
Posted on Apr 16, 2019
The TCP/IP stack made it easy for billions of devices to connect over the internet in just a few decades, starting in the 1990s. Now we’re expecting more than 75 billion devices to be connected by 2025. Maybe TCP/IP was too good at its initial mission to ensure easy, rapid connectivity. But that’s just chapter one of the emerging cyber security problem.
Chapter two is even bigger, from both an opportunity and damage standpoint. The key to understanding the risk isn’t to quantify it in terms of more infected computers but rather unauthorized control over physical environments. Bruce Schneier takes us there in his new book Click Here to Kill Everybody: “The Internet, once a virtual abstraction, can now sense and touch the physical world.”
The current defense in depth strategy which has evolved to address stack promiscuity has become so complex even trivial additions to a network can drive significant increases in the operating and capital expenses required for effective defense. We call this reverse correlation (between rising complexity and declining protection) stack fatigue. This was before digitization and the “smart era.”
Digitization is Paving the New Hacker Superhighway
As organizations digitize their office buildings, factories, hospitals and even ships at sea to boost efficiency and productivity, they are exposing critical data and physical system functionality to the internet and cyber attacks. Think of the difference between taking down a hospital billing system and shutting down blood freezers, environmental or even ship controls.
A recent podcast on maritime cybersecurity--in response to an article on Threatpost about how hackers could sink a ship at sea--puts it in perspective. About 10 minutes into in Alex Soukhanov’s (Director and Master Mariner at Moran Cyber) podcast, he coolly explains just how vulnerable the common control systems and sensors in all kinds of smart facilities, floating and terrestrial are today. Smart water and power systems, smart assembly lines, smart navigation all use common sets of smart devices for managing critical systems. These systems control the physical environment. Whomever controls them controls virtually everything.
Digitization is accelerating the convergence of OT/IT infrastructures and in turn creating a new generation of high growth and ultra-permeable attack surfaces. The proliferating attack vectors in this new converged network are increasing complexity, degrading protection and exposing mission critical systems to unauthorized access as even primitive malware can go global in a matter of days.
Indeed, the stakes are higher than ever. HIP anyone?