January 21, 2016
This week on The Digital Life, we chat about hacking power grids, the IoT, and the escalation of cyber warfare.
Power grids are becoming increasingly subject to cyber attacks and now, at least one has been successful. In December, an attack on a utility in Western Ukraine caused a blackout for 80,000 customers, which was the first known power outage caused by a cyber attack. The malware used in the attack, called BlackEnergy, infected systems via a corrupted Microsoft Word attachment. In January, Kiev’s main airport went dark after a power outage, once again linked to BlackEnergy. As cyber attacks begin causing life and death situations in the real world, the concern over security and the IoT grows.
First Known Hacker Caused Power Outage Signals Troubling Escalation
Malware Clearly Behind Ukraine Power Outage, SANS Utility Expert Says
Hackers caused power cut in western Ukraine – US
Of course, I mean electric power is the ultimate foundation of a lot of our civilization. We take it for granted but it’s powering pretty everything from heating systems to communication systems. You name it. These are life and death situations when you lose power unexpectedly.
Sometimes, here in the northeast, the US, we have some warning when a power outage might come as a result of a storm, but this sort of cyber attack introduces a level of volatility around power usage that we’re certainly not ready for in the US. In a place like Ukraine, I’m sure its devastating, very cold.
The malware used was called black energy, which of course I know very little about malware, but apparently it was delivered via a corrupted Microsoft Word document, which if that’s not a reason to switch to Google docs. I don’t know what is.
Even more disturbing, there was a 2nd power outage in January at the Kiev airport attributed to this malware as well. This is all setting up a scenario that we’ve talked a lot about, and security experts, an IoT experts have talked a lot about, but now, it’s becoming real life. There was a television show on a couple years ago about the end of society when the power goes out. I can’t recall the name of this series. Off the top of my head, but I’ve watched a couple of episodes and the predictions are dire. Dirk, what do you make of this?
Well, enter the Ukraine. Certainly, they weren’t doing things to prevent that from happening. 80,000 people were without power for an extended period of time. The computers, the systems running this 1 or multiple … I don’t even know electricity, how the process works enough, but I’ll call it substations knowing it’s wrong, we’re fried.
That’s what’s scary about it. Right? It’s taking these things, that were almost bogeyman predictions that while on 1 hand logically, you’re like, “OK, yeah. I mean, maybe that could happen,” but realistically like in a way, that’s never going to transpire. Well, it has transpired. It’s not theory anymore. It’s practice and real, and something that can impact us.
From a very local perspective, just looking at myself, we had to due to the weather, a few years ago, our home and the homes in the area had no power for about 2 weeks, which was miserable. It was miserable to the point that after a few days, we just drove out of town. We just left. We’re close enough to family to be able to do that. Hotels, and motels, 20 plus miles away are all filled up. I mean, people left.
For me, when I own a home form here on out, I’m always going to have a generator of some kind to keep some basic stuff working so that it remains habitable. It’s habitable without electricity, but you don’t realize how nice it is to have a refrigerator, this was in the summer, air conditioner, have some temperature controls over the water used for things like laundry and bathing, until they’re gone. Yeah, now we’re going down a different path. We’re getting into the specifics of not having electricity, but no, it’s cyber. It’s the potential for cyber attacks really exhibited at a large scale, and in a way that can affect us, our life on a day-to-day basis.
Now, you can isolate systems and you can try your very best to protect them from attack, but basically, the attack surface of the IoT is quite broad. There’s all sorts of whether you’re talking about the individual device, or you’re talking about aspects of the network that are exposed. There’s all sorts of opportunities for systems that are coming online via the Internet of Things to be maliciously abused like this Ukrainian power system.
I think this event is going to bring to the forefront, at least for the folks who are planning things like smart cities, who are planning things like municipal services using IoT technologies who are doing things for manufacturing to take a second look and to realize, yes, this Ukrainian system might have been very, very easily exposed, but I don’t know how many degrees better off corporate security can be. You only need to look at the Sony hack recently where a lot of sensitive email information was exposed to realize that corporate security is some good, some not so good.
As we’re in this awkward teenage stage of the IoT where we’re getting our legs and learning what the world is like, I think there’s going to be some nasty events to come as the systems role out. What’s your take on that?
The smart city stuff, there’s not a lot there that can kill people. That can have that type of an impact, but I’m concerned about the things that could take life by virtue of a virtual hack. We’re going to have to be very diligent in protecting against those because it’s going to be evermore seductive to implant things in or on our body for people with maybe diabetes to regulate our endocrinology, regulate endocrinology even for other not just diseases, but just conditions and states of being, or more advanced tools for regulating the heart. All these thing that a hack could directly end up taking a life. We’re heading towards that.
I think there will be moments where hacks do take people’s lives. That’s where it get really hairy.
I want to talk a little bit about the way our culture and our society is digesting these cyber threats and cyber dangers. We call the show The Digital Life, and of course, The Digital Life is evolving so much more quickly than we might expect. These books by science fiction authors like William Gibson, like Neuromancer for example. There’s this underlying understanding of the online, and the offline culture like the way those things intersects in science fiction. There’s a certain way of viewing online culture that I don’t think that we’ve quite absorbed as a society.
I don’t know whether it’s a level of seriousness where we’re not equating the level of danger and evaluating it properly, or we talk about the digital divide. The digital haves, and the haves nots. I think there is a baring levels of access and understanding of what the online world is like.
Additionally, folks like you and I might be very naïve about what’s present on the dark net. The criminal aspects of the digital life. We have familiarity with these things in reality. We understand how these things work in the physical world, but the digital world is still patch work misunderstood. From a policy standpoint, from a suicidal standpoint, I don’t think we’ve fully digested the digital life quite frankly.
I’m almost looking to this works of science fiction to give us some kind of grounding, some kind of footing in terms of how should we be considering this dangerous elements now. Do we need cyber police. God knows we have regular police to patrol the physical world. How do we address the online environment here when it’s really like the wild west?
The other thing too is the real world is simple. We can see and understand the real world pretty well with our senses, just going through it. To understand this wild west of the dark net and all of these stuff, you need technical skills, and training, and knowledge. Not just anybody going through the world can understand it and have some intuitive sense of how to react to it and protect themselves from it.
To me, that’s the biggest challenge is that you need so much knowledge and training to compete, participate, protect whatever vector you want to take on it that it’s just a small slice of all people who are able to even contemplate that. That becomes really dangerous from the standpoint of power, and control, and influence over the world, not just from the bad guys, but from the good guys as well.
We’ve included links to pretty much everything mentioned by everybody. It’s a rich information resource to take advantage of while you’re listening, or afterward if you’re trying to remember something that you liked. If you want to follow us outside of the show, you can follow me on Twitter at jonfollett, that’s J-O-N F-O-L-L-E-T-T. Of course, the whole show is brought to you by Involution Studios, which you can check out at goinvo.com, that’s G-O-I-N-V-O.com. Dirk?