Schweitzer Engineering Laboratories
Newsroom
The IT World Today and the Enemies of Complexity and Opacity
The faulty CrowdStrike update of about 12 hours ago may turn out to be the most disruptive cyber incident ever.
How could that be, when CrowdStrike is a supplier whom we trust, with a great product, fabulous support?
CrowdStrike is one of a SET of tools that our IT folks employ to keep us safe from the constant stream of cyber attacks.
Why do we need to buy a set of tools to keep our cyber tools safe?
Why aren’t our computers and their networks INHERENTLY SAFE?
Years ago, I posed the question: What is Inherently Safe Cyber? Nic Seeley, Ryan Bradetich, and many others are addressing that question.
Because we are dedicated to making electric power safer, more reliable, and more economical, we have deep concerns about cyber, and have developed some great products over the years…like the serial encryptor, the ICON networks, and SEL OT-SDN. Before that, we used dial-back modems, two levels of passwords, alarm contacts triggered by critical communications, and interposing relays in telephone lines to only expose substation phone lines when necessary.
I’ve been credited with inventing the digital protective relay in 1984. The invention uses a microprocessor as a signal processor, looking at voltages and currents to see if power apparatus is ok or not. And, we included a serial port to get at the data…metering, event reports.
AND, we made it possible (if you plugged a hardware jumper in the correct position) to TRIP and CLOSE the circuit breaker…secured behind a second password, and monitored by a pulse of the alarm contact.
That worked fine, because it was expensive and time-consuming for attackers to robo-dial looking for phone numbers, and because it was unlikely that anyone would get anywhere with the aforementioned security in place.
The IT world grew up differently. Ethernet enables everyone to talk to everyone else…like a party-telephone line! You have to put RULES into place to calm it down. AND it’s FAST! We’ve moved from 300 and 1200 bps modems to gigabits per second.
And cheap: long-distance calling used to cost a lot of money, but we send text and email nearly instantaneously around the world for virtually free!
Where do our IT vulnerabilities come from today? What are their roots?
- The idea that everything should be accessible to everyone and everything else…connectivity.
- Communications so fast and low in cost that attack strategies can be fast and furious. (Our vice president of IT told me years ago that over 70% of the traffic coming into SEL is spam or dangerous or both. We get less than 1/3rd of the bandwidth we want because of that!)
- Technology that rarely was designed with security in mind. Think of all the “afterthoughts:” securing USB ports, securing memory sticks…make YOUR list!
- Software architectures in operating systems that have grown exponentially, and look more like onions than solid designs.
- Widespread use of “freeware” developed by others…maybe even being cyber bait to an unwitting developer.
- Ubiquity. Everyone has at least one IT device…computer, laptop, cellphone, … I wonder what the average number per person is!
- Common factors: just a couple of operating systems in widespread use, virtually a single communications protocol (Ethernet), just a few providers of networking devices, …
- Limited warranties offered by the dominant suppliers.
- Complexity far beyond the reach of most of us, but being exploited by bad guys around the world.
- Adoption by critical sectors, including energy, health care, banking, agriculture, education, government, insurance….for the fabulous convenience of us all, and with a poor understanding for the risks involved.
- The widespread acceptance of the IT tools…phones, computers, Internet…and the fabulous value it brings to us every day…until it doesn’t.
- Our patience when things go wrong: how many times a year are we replacing credit cards that got hacked? How many times a day do we have to deal with spam and malicious texts and emails?
- Our love of “social media” (I don’t use them, because it’s risky).
- The satisfaction we get when we’re “connected.”
- The multiple radios in a phone…Wi-Fi, Bluetooth, GPS reporting your location, … … I’ve lost count!
- The fundamental lack of security demands layers of security on top of the basic device.
- The hidden activities of “patch Tuesday,” and of multiple behind-the-scenes updates of the threat descriptors.
- IT system are never static…they’re changing all the time, because of the frequent patches, updates, and so on. One measure is how many apps on your cellphone want you to update them every week. Maybe a dozen a week??? Risky.
We pay a lot for these vulnerabilities:
- Today, millions of computers stopped working, and required manual intervention to get them going.
- A normal-seeming threat-descriptor update from a well-respected supplier managed to crash every computer it touched.
- We pay for operating systems AND on top of that we pay for extra security applications.
- We pay for 100% bandwidth, but 70% of our traffic puts us at risk and inconvenience, and only 30% does us any good.
- Our IT experts have a tremendously difficult job to do, keeping us all safe and up and running. But it’s kind of like shoveling snow in a snowstorm…hard work and you don’t feel like you’re getting anywhere at times.
- Our IT guys are GREAT at doing this! Think how much better we’d all be if we could buy inherently safe cyber stuff, and they could be spending more time helping us use IT instead of protecting us from IT.
- We are subjected to phishing tests. I admit I have failed a couple over the years. The tests cost money, take our time, and, when we fail one, we feel stupid. I know I felt stupid, anyway.
- Then, we have to take a “reminder course” online so we sharpen our “cyber awareness,” instead of inventing the future, building something, selling something, or helping someone.
- We’re paying a lot right now…as we all read this! Sorry about that….
- We are constantly challenged to develop cyber-safe products, projects, and internal systems…because we know we are having to work with faulty inputs.
What can we do?
- Realize that this huge cyber problem is also a huge OPPORTUNITY!
- Continue the quest of Inherently Safe Cyber.
- Consider introducing changes INCREMENTALLY…a few devices at a time, to “test the waters,” to conduct “small reversible experiments,” whether it’s our changes or a third-party’s changes. Sort of like bringing up a power plant s l o w l y, versus putting it in service and demanding full load right away.
- INTERNALIZE that complexity means it’s probably impossible to make a change to today’s IT systems with certainty.
- Do you really need a computer or computer application to do it, whatever “it” is?
- What if the computer fails? How do I do my job? How will the physical system behave? Can I make it “fail safe? Can I make it simpler?
- How can I make the opaque VISIBLE?
- I like to say, “NEVER connect critical infrastructure to the Internet. Audit this!” Yet, I use computer banking. Hmmm…
- Reduce our attack surface possibly by investigating building smaller systems, with interconnections, and managing the smaller systems serially when it comes to trying new hardware, software, applications, communications, and updates.
- INTERNALIZE that convenience for you and me and for our customer is almost always a convenience for an attacker.
- Think carefully about every detail we publish and put out on the Web. Not everybody has the need to know everything about everything.
- …and my favorite: LET’S INVENT INHERENTLY SAFE CYBER! BUILD ON THE SUCCESS OF SEL OT-SDN! WHAT’S NEXT?
After all, we love to predict the future by inventing it…and it looks to me like there’s a lot of inventing that we could be doing here!
Thank you everyone who builds as robust systems as possible, and keeps them running for the benefit of all of us, SEL, and our customers. You are at the front lines of this cyber war and are in the best position to help us INVENT THE FUTURE in cyber!
I sympathize with the folks at CrowdStrike, who are attempting to secure the systems designed and manufactured by others…and end up having a Real Bad Day by getting bit by the very complexity they are shielding us from.
Thank you for taking the time reading this.
Warm regards to all,
Ed