DoublePulsar – Worse Than WannaCry

In a world still reeling from the recent WannaCry attacks, who wants to hear about something even worse?  Nobody, really.  And yet, according to a recent article in the New York Times, A Cyberattack ‘the World Isn’t Ready For’, the worst may be yet to come—and we’d better be prepared.

Reporting on conversations with security expert Mr. Ben-Oni of IDT Corporation in Newark, NJ, the Times said that thousands of systems worldwide have been infected with a virus that was stolen from the NSA at the same time as the WannaCry virus.  The difference is that this second cyber weapon, DoublePulsar, can enter a system without being detected by any current anti-virus software. It then inserts diabolical tools into the very kernel of the operating system, leaving an open “back door” for the hacker to do whatever they want with the computer, such as tracking activities or stealing user credentials.

“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”

The concern is that DoublePulsar can remain hidden, providing a platform from which hackers can launch attacks at any time.  It may already be running on systems in hospitals, utility companies, power infrastructure, transportation networks, and more.  Ben-Oni had secured IDT’s system with three full sets of firewalls, antivirus software, and intrusion detection systems.  And still the company was successfully attacked, through the home modem of a contractor.

Closing the Door on DoublePulsar

Severity of the threat aside, this scenario points out once again the inherent weakness of relying on a VPN to secure an Industrial IoT system.  Had that contractor been connecting to a power plant, an oil pipeline, or a manufacturing plant over a VPN, it is likely that DoublePulsar could have installed itself throughout the system.  As we have explained in our white paper Access Your Data, Not Your Network, this is because a VPN expands the plant’s security perimeter to include any outside user who accesses it.

This threat of attack underscores the importance of the secure-by-design architecture that Skkynet’s software and services embody.  With all firewalls kept closed, a cyber weapon like DoublePulsar cannot penetrate an industrial system, even if it should happen to infect a contractor or employee.  SkkyHub provides this kind of secure remote access to data from industrial systems, without using a VPN.

Growing IIoT Security Risks

As the Industrial Internet of Things (IIoT) grows, the security risks grow as well, according to a recent article by Jeff Dorsch in Semiconductor Engineering. According to his sources, the use of the IIoT is expanding both in the number of new implementations and in how the data is being used. In addition to the traditional SCADA-like applications of machine-to-machine (M2M) connectivity, monitoring, and remote connectivity applications, it seems that more and more the IIoT is being used to power a data-driven approach to increasing production efficiency. Using big data tools and technologies, companies can employ better and more sophisticated analytics on industrial process data, thereby enhancing operational performance based on real-time data.

With the increase in use of the IIoT comes a corresponding increase in the potential for risk.  Looking at the big picture, Robert Lee, CEO of Dragos and a national cybersecurity fellow at New America, commented, “There are two larger problems that have to be dealt with. First, there are not enough security experts. There are about 500 people in the United States with security expertise in industrial control systems. There are only about 1,000 worldwide. And second, most people don’t understand the threats that are out there because they never existed in the industrial space.”

Both of these problems are real, and need to be addressed.  And as is often the case in issues of security, the human factor is closely intertwined with both. On the one hand, there is a crying need for security experts worldwide, and on the other hand the man on the street, or in our case factory floor, control room, or corporate office, needs to quickly get up to speed on the unique security risks and challenges of providing data from live production systems over the Internet.

Addressing the Problems

As we see it, correctly addressing the second problem can help mitigate the first one.  When we understand deeply the nature of the Internet, as well as how the industrial space may be particularly vulnerable to security threats from it, then we are in a position to build security directly into control system design.  A secure-by-design approach provides a platform on which a secure IIoT system can run.

Like any well-designed tool, from electric cars to smart phones, the system should be easy to use.  When the platform on which a system runs is secure by design, it should not require someone with security expertise to run it.  The expertise is designed-in.  Of course, the human factor is always there.  Users will need to keep their guard up—properly handling passwords, restricting physical access, and adhering to company policies.  But they should also have confidence in knowing that security has been designed into the system they are working on.

Thus, the most effective use of our world’s limited security manpower and resources is to focus them on understanding the unique security challenges of the IIoT, and then on designing industrial systems that address these challenges. This has been our approach at Skkynet, and we find it satisfying to be able to provide a secure IIoT platform that anyone can use.  We are confident that through this approach, as the IIoT continues to grow, the security risks will actually diminish for our users.

Cisco Study Shows Most IoT Projects Unsuccessful

One of the big take-aways from the annual Internet of Things World Forum (IoTWF) held in London last week was the result of a new Cisco study: only about 1/3 of the IoT projects were considered completely successful, technically.  Financially the success rate was even worse—just 15%—according to the business executives surveyed.  The study was conducted among over 1,300 executives in medium and large size companies in the manufacturing, energy, health care, transportation, and similar sectors. The findings suggest several reasons for low IoT project completion rates, and more important, point to specific remedies.

Unexpected Difficulties

As we have seen in the past, one of the primary reasons for project failure or lackluster results for IoT projects has been that those initiating the project were not aware at the outset how difficult implementation would be.  This is illustrated in the Cisco study results, where cost overruns and the need to extend timelines to completion were common.  Many respondents noted that they lacked the necessary internal IoT expertise.  As a result, over half of the IoT initiatives didn’t make it past the Proof of Concept phase, and of those that did, many ended up with poor IoT integration and/or low quality of data.

Need for Partnerships

These results underlined, according to the majority of survey respondents, the need for IoT partnerships.  At every stage of the project, from planning and design, through implementation and deployment, and during the management and maintenance phases, those organizations that engaged with IoT partners were more successful.  This applied to general areas of technical consulting and support, as well as specific aspects such as data analytics.

Commenting on this kind of relationship, the final report stated: “Our study found that the most successful organizations engage the IoT partner ecosystem at every stage, implying that strong partnerships throughout the process can smooth out the learning curve.”

Learning from Failure

The good news in all of this is that companies are willing and able to learn from mistakes.  Most survey respondents are optimistic for the future of the IoT, and they see its potential.  Over sixty percent believe that they “have barely begun to scratch the surface of what IoT technologies can do for their businesses.”

Among the participants who have completed projects, most said that they are using data from the IoT to improve their business.  Two out of three of them have seen the greatest benefits in improved customer satisfaction, more efficient operations, and better quality of products and/or services.  The most unexpected benefit was improved profitability for the company.

These results corroborate our experience.  The companies that we partner with report a much higher success rate than most of those participating in the Cisco study.  We agree with the finding that “strong partnerships throughout the process can smooth out the learning curve,” and we take seriously the challenge of removing the difficulties that may crop up when embarking on an IoT project.

Don’t WannaCry on your Industrial IoT System

Pretty much anyone who has a computer or listens to the news has heard about the WannaCry virus that swept across the world a few days ago, installing itself on computers in businesses, hospitals, government agencies, and homes, encrypting hard drives and demanding ransom payments.  After scrambling to ensure that our operating systems are up-to-date and protected against this latest threat, the question soon comes up: How can we protect ourselves against similar threats in the future?

“How?” indeed.  That would seem difficult.  Our reliance on networked computers for business and personal use is fully entrenched, and business/personal PCs will remain vulnerable for the foreseeable future.  In the industrial arena, some may conclude this latest attack is yet another reason to hold off on their IoT strategy.  Or, at least: “You should use a VPN to keep it safe.”

And yet neither of these instincts is necessarily correct because (i) it is possible to build a secure Industrial IoT (“IIoT”) system, and (ii) VPN is not the way to do it.  Industrial control systems may use the same underlying operating systems as PCs but they are different in one critical aspect.  They exchange real-time control data, not files and emails.

How WannaCry Got In

WannaCry comes in two parts – an email “bomb” that exploits your anti-virus software and a “worm” that propagates throughout your network by exploiting configuration weaknesses and operating system bugs.  The special danger of WannaCry is that it can infect a computer through email even if you never open the email message.  Once WannaCry arrives through email, the worm takes over to attack the rest of the computers on your network.

The worm portion of the virus spreads itself by finding other machines on the network.  According to analysis of the code by Zammis Clark at Malwarebytes Labs, “After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. … The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue.” (the bug that the virus exploits)

If there is no open port on the other computer, the virus cannot spread.  But the VPN is not much help here.  If anyone on the VPN is struck by the virus, then every machine on the LAN is exposed.  Suppose you have an IIoT system connecting a corporate office to a process control system over a VPN.  If the virus activates on any of the connected machines in the IT department, it can easily propagate itself to any of the connected machines on the industrial LAN.

How to Keep WannaCry Out

The tongue-in-cheek answer is “don’t use email”.  More seriously, industrial systems and IT systems should be separated from one another.  There is no need to read email from the industrial LAN.  Don’t install email software on your industrial computers, and don’t allow email traffic through your firewall.

But industrial systems still need to communicate their data.  How can you reach the data without exposing the industrial network?  The solution is spelled out in detail in the latest white paper from Cogent (a Skkynet company) titled: Access Your Data, Not Your Network. This paper explains why the traditional architecture of industrial systems is not suitable for secure Industrial IoT or Industrie 4.0 applications, and discusses the inherent risks of using a VPN.  But most important, it introduces the best approach for secure IIoT and Industrie 4.0, which is to provide access to industrial data without exposing the network at all.

Specifically, the Skkynet-provisioned devices and the DataHub can make outbound connections to SkkyHub without opening any firewall ports.  These connections are robust channels that support bidirectional, real-time communications for monitoring and supervisory control.  The WannaCry virus or anything similar cannot spread into this system because it can’t see anything to infect.  The devices on the network are completely invisible.  Skkynet’s approach provides access to the data only, not to the network.
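
A check for the point made in this section, that a worm scanning for port 445 has nothing to attack on a machine with no reachable listening port: the script below lists the TCP listeners that other machines on the LAN can reach and flags SMB and email ports first. It is an added example, not Skkynet's code; it assumes a Linux host whose `ss -H -tln` output is supplied as text, and the sample output, port list and severity labels are constructed for illustration.

```python
import ipaddress

# Ports singled out for this check (an assumption of this example):
# 445 is the SMB port the worm scans for; the rest are common email services.
FLAGGED = {445: ("high", "SMB reachable from the network"),
           25: ("medium", "SMTP"), 110: ("medium", "POP3"),
           143: ("medium", "IMAP"), 465: ("medium", "SMTPS"),
           587: ("medium", "mail submission"), 993: ("medium", "IMAPS"),
           995: ("medium", "POP3S")}
RANK = {"high": 0, "medium": 1, "review": 2}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:445        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
LISTEN 0      100                *:25               *:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      128            [::1]:5432          [::]:*
LISTEN 0      128     192.168.10.5:502        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return [(address, port)] for every LISTEN line of `ss -H -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop an interface scope ("%eth0") and IPv6 brackets before use.
        listeners.append((addr.split("%")[0].strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True when only processes on the same host can reach the socket."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" (all addresses) or anything unparsable
        return False


def audit(ss_output):
    """Return (severity, port, address, reason) tuples, most severe first."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # invisible to other machines on the LAN
        severity, reason = FLAGGED.get(
            port, ("review", "inbound listener; confirm it is required"))
        findings.append((severity, port, addr, reason))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, port, addr, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"{severity:6} {addr}:{port}  {reason}")
```

An empty result means the host offers nothing for a LAN scan to connect to, which is the state the outbound-only design described above aims for.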

Skkynet at CSIA 2017

Several of us at Skkynet had the pleasure of attending the Control Systems Integrators Association annual conference (CSIA 2017) last week, in Fort Lauderdale, Florida.  Everyone appreciated the beach-side venue and great food, and the balmy weather was a welcome change to Ontario’s cold, rainy spring. The theme of the conference this year was “From Best Practices to Transformative Business Models,” which set the tone and direction of many of the presentations and resulting conversations.

The idea of transformative business models was presented by Mike Harvath, CEO of Revenue Rocket Consulting Group, who offered a vision of the way digital technologies and the IoT are changing how business will be done by system integrators over the next few years.  One of the main differences he and others foresee is a shift from projects and products to services.  Citing recent trends, such as companies providing lighting as a service, Harvath foresees system integrators designing projects and providing products on a service-based model.

Many of the integrators we talked to at CSIA 2017 understood the Industrial IoT in the terms of cloud-based data storage and analytics.  Offering their customers this kind of cloud service would fit the transformative business model, they felt, but a number of questions were raised about how to implement the vision.  In a special “Unconference” on transformative business models, we had a chance to brainstorm and bounce ideas off one another in a peer-to-peer environment.

Top Concerns

Among the top concerns were how to start moving towards a service-model business in general, and how to provide secure IoT services in particular.  Most of the customers for these system integrators are large manufacturing or infrastructure companies, like energy or wastewater facilities, and tend to be conservative in adopting new business models.  Likewise, being engineers and responsible for multi-million dollar budgets and mission-critical systems, the system integrators themselves are being cautious.

I spoke with a number of them about business transformation and the IoT, and most indicated that they are open to the idea, but that seeing is believing.   They and their customers want to see examples of secure IT to OT connectivity, cloud-based data collection, and good return on investment.  We had some enlightening conversations about Skkynet’s secure-by-design approach to the IIoT, and showed them on some demonstration hardware how to monitor and control a system from a web page or smart phone.  The revenue-sharing opportunities of the SkkyHub service struck a welcome chord with those who were getting serious about shifting towards a more service-oriented approach to their business.

Overall, CSIA 2017 was a good experience—a chance to meet those in a position to use or recommend the DataHub and SkkyHub, and find out whether their customers can benefit from this kind of technology.  It turns out that many of them can, and they are starting to realize it.

Embracing an Automation Economy

Since the beginning of the industrial revolution, automation has been a steadily growing trend for the manufacturing and process industries, to the joy of some and the dismay of others.  On the one hand, automation is synonymous with lower production costs and higher quality, providing more consistent output with less physical labor.  On the other hand, from time to time there is concern about job loss as machines replace unskilled labor, and put people out of work.  As far back as 1779, so the story goes, a young weaver’s apprentice named Ned Ludd vandalized a couple of knitting machines, thus becoming the namesake of the Luddite movement, a group of skilled workers who violently protested one of the world’s first industrial automation initiatives.

Now there is a new automation revolution taking place that may have an even greater social impact.  Thanks to new digital technologies like artificial intelligence, big data, robotics, satellite geopositioning, and others, jobs that we once thought only humans could do are now seen as potential targets for automation.

“In the past, automation was largely restricted to simple manual or procedural tasks,” said Carolyn Wilkins, Senior Deputy Governor of the Bank of Canada, in a recent speech to the Toronto Board of Trade. “Today’s technology makes it possible to automate an increasing number of cognitive and non-routine tasks across a wide range of industries.”

The impact of automation on virtually every employment sector for the near future was the subject of The Future of Employment by Carl Benedikt Frey & Michael Osborne of the University of Oxford.  “According to our estimates around 47 percent of total US employment is in the high risk category,” the paper states in its conclusion.  “We refer to these as jobs at risk – i.e. jobs we expect could be automated relatively soon, perhaps over the next decade or two.”

Some of the jobs most at risk were in categories like “Machine Setters, Operators, and Tenders” in various industries.  This is what we might expect, given the recent robotics trend in manufacturing.  More surprising were job categories like hotel desk clerk, agricultural inspector, bill collector, animal breeder, restaurant cook, and legal secretary.  Twenty years ago, who would have imagined these occupations being automated?  Yet most of them will be in the next twenty years, according to the study.

What now?

Where does that leave us?  “What we need to do is embrace the technologies in areas where we can make a difference and promote productivity,” recommends Carolyn Wilkins.  She mentioned in particular the STEM subjects (science, technology, engineering, and math) as “solid foundations that provide a platform for future learning.”  Perhaps she is right.  The Oxford study lists a number of occupational areas with a low chance of replacement, and engineering is among them, for sure.  And for those with a more humanistic interest, health care, education, the arts and entertainment are other options, as they also are not expected to be automated any time soon.

At Skkynet we are doing our part to make automation easy to embrace, by making our products and services convenient and affordable.  And internally, we are always looking for ways to streamline our work flow.  The more we automate the boring and repetitive jobs here in the office, the more time we have to do the cool, fun, and interesting stuff that keeps us at the leading edge.