Hollywood can teach us a lot about technology

Written by Andy Rowland on 26 March 2018 in Sponsored Article
Sponsored Article

BT's Andy Rowland on technological risk, and how the systems fundamental to modern life are under attack

Have you ever noticed how good Hollywood is at predicting future technological advances? ‘2001: A Space Odyssey’ (1968) brought us tablet computers and space stations. ‘The Terminator’ (1984) — military drones. And ‘Minority Report’ predicted gesture-based interfaces in 2002. In 2007, ‘Die Hard 4.0’ saw John McClane battling hackers who were trying to turn the lights off across America — which could now be a reality thanks to an increasingly connected world and the advent of state-sponsored cyber attacks.  

Increasingly, the systems fundamental to modern life are under attack. Imagine what would happen if there was no sewage treatment, no clean water, no electricity or gas. All of these industries have something in common — they all use industrial control systems to regulate temperatures, pressures and turn processes on and off automatically. The systems that do this were developed by engineers for engineers. There was little thought for security, as they weren’t connected to corporate IT or the Internet. They relied on security through obscurity.  

The key risk factors

But these systems are now at serious risk — for two main reasons. The use of IoT sensors to drive efficiencies, and the huge demand for analytics to optimise processes, known as Industry 4.0.

For example, why drive out to a remote pumping station to check it’s OK when a battery-powered sensor could send you an update over a cellular connection? In the case of Industry 4.0, it’s all about gathering data from different sensors and systems, and collating it into a data lake, used to apply machine learning and drive efficiencies. In both cases, you’re now connecting lots of things that, traditionally, were never designed to be connected.  

So, how does the risk manifest itself? Typically it falls into two broad categories — technology and processes. A good example of the former is the recent discovery that inverters — designed to convert the output from solar panels to feed the grid — could be hacked. Either the grid could be flooded with power, causing other generators to shut down, or blackouts could be created as in Die Hard 4.0. In Europe, over 90 gigawatts of power is generated from solar generators, with Germany using solar power to meet 50 per cent of its needs — so this is not an insignificant issue.

In terms of processes, while we’re on the subject of power, let’s look at the hack that turned off the electricity for a quarter of a million people in the Ukraine. Here, the attackers used phishing emails to get as far as the corporate network, but the industrial control systems were wisely firewalled. However, from the corporate network, the hackers were able to harvest the credential of engineers who used VPNs to access the industrial systems. And as they didn’t have two-factor authentication (something you know, e.g. a password, something you have, e.g. a token, or something you are, e.g. biometrics) they were able to use the stolen passwords to reconfigure the grid and turn off the power.

So how do we address this problem?

First of all, you need to deal with the basics, just as you would at home. So lock your doors and windows, don’t let your children open the door to strangers and fit an alarm for when you’re out. In the same way, you need to segment your network with firewalls, educate your employees on things like spear phishing, and install intruder-detection systems.

You also need a joined-up approach to security, involving engineering, IT, third-parties and service and support. Perhaps you could bring in some external security experts to do some social engineering/ethical hacking, where they might pretend to be your technical help desk, leave a few infected USB sticks around, and even undertake some targeted phishing!

Finally, you also need the equivalent of smoke detectors — systems that provide advanced warning of a problem. Mature security operations use highly advanced systems to cross-correlate data from multiple sources, and artificial intelligence to look for new patterns they’ve not seen before that could indicate a new attack vector. To prevent what John McClane in Die Hard calls the “fire sale” (i.e. everything must go) you may need to bring in the action hero.

To learn more, download our report exploring the five steps you have to navigate to protect your organisation from attack.

Andy Rowland is BT's Head of Customer Innovation: Energy, Resources and Manufacturing

Share this page

Tags

Related Articles

AI will save lives of 22,000 cancer patients a year, prime minister announces
21 May 2018

Theresa May uses speech in Macclesfield to announce plans to work with technology sector and NHS to improve diagnoses

IR35 reforms have had ‘little impact on projects or vacancy-filling’, says HMRC
19 May 2018

Changes to the legislation made last year – which had been expected to have a big impact on IT contractors – have also brought in £410m in extra revenue, the tax agency claims

The library where councils can borrow the building blocks of a ‘Lego’ government
18 May 2018

A number of large local authorities have already signed up to a new library for sharing service-design templates. PublicTechnology finds out more

Related Sponsored Articles

Building trust in the digital age
15 May 2018

BT argues that the digital age requires a certain level of trust in technology. But how can we establish this and still make the most of digital transformation?

GDPR compliance as a detox exercise
8 May 2018

BT's Mike Pannell argues that organisations should get rid of data they no longer need

The Grief of GDPR Compliance
23 April 2018

Sean Luke, BT's CIO for the Universities Sector, on the strange parallels between GDPR readiness and grief