Dams, the power grid and other such infrastructure were once closed network systems. Then they were added to the Internet.
“We still thought of them as closed networks — but they’re not,” said Lt. Gen. Edward Cardon, commander of U.S. Army Cyber Command and Second Army.
“Other systems touch them and that starts to create some problems,” such as vulnerabilities to being hacked, he said.
Cardon spoke at the Army Cyber Institute and Palo Alto Networks-sponsored Joint Service Academy Cyber Security Summit, at the U.S. Military Academy, April 20 and 21.
It has been demonstrated that cars too, can be hacked, with each containing millions of lines of code, Cardon said.
In fact everything with lines of code on the Internet can be hacked and that’s a problem for national security, he said.
INTERNET OF THINGS
Mark Bristow, chief of Incident Response, Department of Homeland Security, Industrial Control Systems-Cyber Emergency Response Team, said there are in the U.S. 84,000 devices running buildings, power plants and other infrastructure, all connected to and part of the “Internet of things,” or IoT.
Another example, Bristow said, are Nest Learning Thermostats, which are replacing traditional thermostats in ever-increasing numbers.
Nest is connected to the Internet, so it’s part of the IoT sphere and it knows when people are home and when they’re not in order to save energy by switching off power to appliances like the air conditioner, he said. It even has a hidden camera to detect occupants using a motion sensor.
If someone hacked into this system on a large scale, there would be lots of unintended consequences from the design perspective, he added.
Mark McLaughlin, chairman of the board, Palo Alto Networks, said there’s been a big uptick in ransom attacks at hospitals, where hackers demand ransom money or else they threaten to shut down life-support equipment the hospitals use that’s connected to the IoT.
McLaughlin added that trust in the IoT “is bleeding out” and that there’s a “razor-thin margin between chaos and order” in this IoT-driven society that touches everyone’s lives.
IOT ATTACK PREVENTION STRATEGIES
Cardon pointed out several ways to limit these types of problems.
One of the biggest ways, he said, is through public-private partnerships. Industry, military and government are all in this together as far as wanting to reduce risk. The Army is already partnering with Silicon Valley to make this happen, he said.
Retired Army Chief of Staff Gen. Ray Odierno, senior advisor at JP MorganChase, said a big thing he learned from being a commander in Iraq and elsewhere is that a whole of government approach is needed to go after the problem.
Odierno said synergy can be built by partnering, and that one of the important missions of the Army Cyber Institute, which was stood up at West Point two years ago, is to advise on how do just that, both stateside and internationally.
Cardon said the culture too must change. He said he’s trying to create a “culture of compliance,” where cyber security is taken a lot more seriously than it has been.
Another approach is tighter controls over architecture, he said. For example, Cardon said he recently toured a Boeing production factory where they had extreme control over their flight control architecture.
Nothing was allowed to touch it, he said, meaning no device and no Internet connection. That’s how much attention was being paid to safety.
Getting the authorities right should be another priority, Cardon said.
Regarding authorities, Odierno said there should be protocols in place to get private-sector help from the military and government if they need it regarding cyber defense, offense and best practices. It should be set up with a comprehensive approach in mind.
McLaughlin said cyber protection needs to become more automated. Now, a lot of people are manually responding to attacks. But those attacks will never abate, so a better technology is needed for detection and remediation of attacks. People need to focus on the less common and unusual attacks.
Odierno said leadership is key. “Unless commanders and CEOs decide this is an important problem, it won’t get solved.”
