Welcome to part three of our critical infrastructure podcast series with Raj Samani, the Vice President and Chief Technology Officer for McAfee EMEA. Raj previously worked as the Chief Information Security Officer for a large public sector organization in the U.K., and during this podcast we’ll be discussing critical infrastructure and the Internet: why connect at all? Before settling in to part three, check out parts one and two if you haven’t already. You can also view the full part three podcast on YouTube and at the end of this post.
Raj, the last couple of times we talked about topics such as cloud computing for critical infrastructure and accountability within the space. Today we’re talking about what I think is probably one of the biggest questions that people outside the industry ask, which is, why are we connecting to the Internet at all? To kick things off, with so many risks, why would you connect these previously isolated systems within critical infrastructure to this very open, public Internet? What’s the upside?
I can understand the question and I can understand the concerns. Equally, I can understand why organizations would be reluctant to connect previously unconnected systems in the past.
There are risks, absolutely there are risks, but let’s take a look at it first of all. Let’s just say that we’re going to stick to manual systems, and let’s say we have a filing cabinet full of paper. The benefit of having a filing cabinet full of paper is that the number of people who can access that data is restricted to only those people within physical proximity of that filing cabinet.
Now we’re going to say, actually what we’re going to do is we’re going to plug a network cable into the back of the filing cabinet [laughs] and now everybody in the whole company/world can access this data.
Now that does represent huge risks, but it also adds significant benefits, and security benefits as well. If you sneak in in the dead of night and open the filing cabinet and take data out and walk out with it or make a photocopy of it, invariably nobody’s really going to know, right? It’s very difficult to find. Certainly you’re not going to sign your name into a log and say, “I took the data.” The digitization of information allows you to implement security controls, which give you the visibility and the ability to monitor, which you can’t realistically do within the manual systems world.
With that analogy — and I think it’s a perfect analogy, as we’ve moved from file cabinets, for example, to file servers — do you feel that things were more secure in the manual, or perhaps I’ll say analog, days than with this movement to the Internet and to more digitization and connectivity?
I don’t think there is a right answer for that, because it would depend upon where your filing cabinet was stored and who had access to it. It could have been under lock and key and only Barry from the security office had the key, and he would sit and watch you. Or you could be talking about a file server that somebody by accident gives a public IP address to and plugs directly into the Internet.
You laugh, but I have actually been to organizations before where they gave every single system a public IP address and let each system be on the Internet with no form of host-based security in any way, shape, or form. I think it really does depend upon how organizations have effectively enforced the need-to-know principle. How have you done that?
I don’t think that there is a sort of yes-or-no answer to that. There’s that wonderful quote which says, “If you want your data or your system to be secure, you just put it in a locked room with two guards in front of it,” and it’s safe and secure. Do you remember this? I think it’s an old quote from about 20 years ago.
I remember that.
So what I remember was, Kevin Mitnick, when he wrote The Art of Deception, actually brought that quote back and said, yes, but you know, if it was me I would just socially engineer myself past the guards and gain access to it anyway [laughs].
Or just blackmail them or bribe them.
You know what? I’d love to sit down and talk to you about the whole theory of influence, because it’s one of the areas that I like to study. But that’s the thing, just because you’ve digitized it doesn’t mean that it’s any less secure. In fact, I’d probably say with the appropriate controls, you have much, much better visibility.
You also have a great degree of availability, because that’s the thing with paper records, right? Unless you make multiple copies and have them dotted around the place, how do you update them and so forth? It’s very difficult to do that. But with technology, you can increase the level of availability, you can increase the degree of monitoring and the degree of visibility that you have with regards to access, assuming that the appropriate controls are in place.
Now of course, you’ve got question marks about the number of people that can access that data, but you can put in controls to mitigate some of those risks. Then you’ve got to consider the business benefits. If we think about organizations in the past, being able to automate, being able to digitize has generated—businesses are now looking at the return on investment. What you’re able to do is, you’re able to reduce the operation expenditure of maintaining and managing large filing cabinets and large sort of rooms of physical records, which by the way, degrade anyway. So, there’s also business benefits associated with this, but of course there are risks.
Yes, and when I think of critical infrastructure, like yourself, we spend a lot of time with these organizations that would fall under this broad umbrella, whether it’s hydro plants or nuclear, or even telecom, transportation, etc. And what I really see is this duality of old and new. You’ve got serial and Modbus. You’ve got Ethernet, wired and wireless with TCP/IP, you’ve got SMS over cellular networks, you’ve got dial-up modems. If there’s anything that’s connected, it’s folks in this industry, right? It’s these critical infrastructure organizations.
And I was talking with Eric Knapp on a podcast a couple of months back about these three zones of corporate IT and SCADA and industrial control systems, and having situational awareness, being able to look across all these zones and all these different protocols and applications, it’s quite difficult, again, with this duality of old and new. If you were to take just a leap of faith and say, how many organizations out there actually have those capabilities enabled today where they really have situational awareness across all the old and new, across IT, SCADA, and ICS? Are we talking a fraction, or are most of them doing it right today?
I think that’s a great question. Actually, when we talk about security zones and when we talk about the demarcation between various different zones, I think the one thing that you didn’t sort of mention was, what about the consumer elements of this? When you consider doctors may turn around and bring their iPads in and say, “I’m now going to use my iPad within this medical environment; I’m now going to review your sensitive data on my device because it makes my life easier. It makes it easier for me to be able to diagnose you.”
You know, the interesting thing is, if you have a smartphone and you go to the app store, type in the word SCADA and have a look at the number of applications that are written with SCADA particularly in mind. We’re really seeing that blurring of different zones.
My colleague Eric Knapp talks about the concept of situational awareness. That to me is of absolute fundamental importance. It’s probably one of the most important things, and here’s the reason why. How many times have you picked up a newspaper or checked Twitter and seen another organization which has been taken out by something silly—by a computer virus?
In many cases, these sites that are taken out by simple things like computer viruses may well be elements that make up the critical infrastructure—they could be hospitals, they could be power plants. We could sit and talk about power plants and malware, but I think that one’s been done to death. I know sometimes some of these computer viruses could be brought in because there’s a PC sitting under the desk that nobody knew of, or there was something that was plugged in which hadn’t been patched and nobody was even aware that it was still around.
The first fundamental thing any security manager or IT department needs to do is understand what their risk is. That risk could well be on your corporate network, or that risk could be something that somebody brings in from outside, i.e., from their own smartphone. Consider today that most wireless networks within buildings have more devices than people connected to them.
I think in the last two to three years we’ve seen such a rapid pace of change it’s absolutely remarkable. I remember a number of years back I was doing some vulnerability management work, and I was talking to an oil and gas customer. They said to me, “Yes, you can do our corporate network, but that’s all. Anything outside of our corporate network, for example, in the industrial control side, don’t even think about it.”
Now we’re seeing greater connectivity between various different networks, which had previously been completely isolated and air-gapped. So, I think Eric, and probably certainly from yourself, I think you hit the nail on the head which is first understand what your risk is, and you need that information in pretty much real time. You need to understand what your risk is, because like we said, the pace of change is absolutely frightening.
Very well stated. Raj, thanks again for joining us.
Thank you, Brian.