Cybersecurity is a hot topic as modern life becomes "smarter" in so many ways. The rise in smartphones, smart homes and smart grids connecting to each other means the number of devices accessing networks is growing rapidly, making it difficult for smart grid operators to know who's connecting to what from where. So how can cyber risks be effectively managed to make smarter living safer and more secure?
One of the key concerns for governments, businesses and smart grid operators is that hackers who find a way to access networks can potentially leave entire cities without power, vital infrastructure or communications. In the past few years, this has moved from a "what if" theory to a real-life problem.
In March 2015, two power stations in Turkey were switched off at the same time; the ensuing blackout closed down transportation infrastructure, interrupted public transport services, caused huge traffic jams and shuttered thousands of businesses for the day.
In the summer of 2016, a National Health Service (NHS) Trust in the United Kingdom had to shut down most of its network and cancel appointments and routine surgeries after a virus attacked its systems. On the East Coast of the United States, internet service was disrupted in Oct. 2016 after a distributed denial of service attack (DDoS) on Dyn, an internet infrastructure company headquartered in New Hampshire, left much of America's eastern seaboard without any online access for two hours. Because the hackers utilized a massively distributed DDoS, it was much more difficult to recover from the attack — let alone plan how to prevent a future one. What makes attacking a Domain Name System (DNS) server so effective is that it closes down the entire internet for any end-user whose DNS requests route through the server that has been compromised.
The impact spread across the Atlantic when the BBC's website, which relies on some services from the U.S., was also affected.
More recently, Ukraine's power grid was attacked in Dec. 2016, taking out electrical grids and leaving parts of Kiev with no lights.
There is widespread agreement among industry analysts that the Ukraine hackers used the country as a test-ground to make sure that the attack systems work. "Looking at the attack platform, the impact could have been much larger. It appears the hackers used Ukraine as a means to test their techniques and approaches, presumably to improve their ability to impact other western countries," said William Brennan, director of global cyber defense for Leidos UK/Europe.
"People simply don't understand the scale of the vulnerability that is being created as life moves increasingly online." - William Brennan, director of global cyber defense UK / Europe
"The issue that network operators are now facing is that the days of fully understanding all the external connectivity are gone. The number of devices that can now connect to the internet is huge, from children's toys to home heating management systems," Brennan explained. "People simply don't understand the scale of the vulnerability that is being created as life moves increasingly online."
Strategies for Addressing Vulnerabilities
So how should governments, network operators and industry leaders respond?
Brennan recommends the development of rigorous new standards for critical infrastructure, standards that would make them inherently safe by design. Another step is to link these standards to insurance. If operators don't have systems in place that adhere to these standards, then they won't be able to get insurance, meaning the financial impact of managing a cybersecurity attack could potentially bankrupt them.
Moving the focus from preventing hackers from getting access to instead developing a system of recognizable rules and a model of expected behaviors is also key. "Modeling behavior so that anything out of the ordinary is detected straight away will be a big step forward in making networks safer," Brennan said. "Believing we can build security walls ever higher to stop determined attackers gaining access to the systems is wishful thinking."
Brennan believes that biometrics and consumer education also have big parts to play in making systems less vulnerable to attacks. Increasingly, consumers expect to have a completely connected life with improved access to any information anytime and anywhere. Simple steps can be taken to reduce the vulnerability surrounding online systems and dramatically improve basic security — enforcing regular password changing and automatic patching, and perhaps moving from passwords to biometrics. Moving from system- and user-generated passwords to voice or fingerprint recognition would mean one less route in for hackers. HSBC Bank and Barclays in the U.K. have already moved to voice recognition for their telephone banking service.
"Biometrics is going to play an increasingly important role, with fingerprint and voice recognition replacing passwords," Brennan added.
Banks and other service providers will soon also be able to interrogate people's smartphones when they call or access online accounts through them. "Social media and email accounts will be scanned to enable a user profile to be built and further identify people, alongside traditional security measures," Brennan said.
This will surely raise privacy concerns but Brennan believes that these will easily be overcome by the fact that people will no longer have to create and remember a plethora of passwords for all of the various online accounts they manage.
"Within the next few years, the use of biometric security will become second nature and in 20 years it will seem like it was never done any other way," Brennan predicted.
Leidos is developing comprehensive solutions that include biometric systems, intelligence-driven cybersecurity and partnerships with key providers of end-point monitoring software such as Abatis.
Over the next few years, there will be an emergence of biometrics and profiling to provide improved security that is invisible to the user; it will just work.
“We will look back at the days of having multiple passwords consisting of letters, numbers, capitals and special characters that are all very similar to each other as being archaic at best," Brennan concluded.
Bill is the Senior Director for Global Information Security at Leidos. In this role, he uses his 15 years of experience in cybersecurity to protect Leidos Corporation and support the cyber goals of clients around the world. When not on a plane, most of his time is spent coaching his son’s sports teams or enjoying a rare quiet moment on the back porch with his wife.Follow on Twitter More Content by Bill Brennan