IoT Security. Sorry, No Cavalry Is Coming

Cyber marauders are constantly trying to break in; leaving the front door open is not helping

Why does this man look worried? Josh Corman, PTC chief security office and senior vice president, knows the hackers are coming after us and there is no cavalry riding to our rescue.(Image courtesy of PTC.)

Why does this man look worried? Josh Corman, PTC chief security office and senior vice president, knows the hackers are coming after us and there is no cavalry riding to our rescue. (Image courtesy of PTC.)

Josh Corman, PTC chief security officer and senior vice president, is doing his best to give us indigestion. We are at lunch at LiveWorx, PTC’s annual user meeting, in Boston’s revived Seaport District. PTC moved its headquarters nearby, in from the Boston suburbs.

Corman is spinning out one alarming tale after another, a data breach here, a crashed server there, stroke victims that die, their
IoT-based (Internet of Things) monitoring systems compromised (more on that later), stupid people (not his words) that buy off the shelf systems and leave them with
admin, admin logins… All that and more, in rapid staccato, an alarm that gets louder and louder. We have to be on the precipice of a total security breakdown, a compromise of our Internet, a digital Armageddon brought on by shadowy forces, digital terrorists and extortionists who need nothing more than a laptop and a connection to bring our civilization to the edge of collapse or our nations to war.

Corman is spellbinding, one of those rare individuals who can rattle off a whole speech without a script, hitch or pause.

We realize our security walls are cardboard, not stone, and our locks are easily picked. We are vulnerable and exposed. The world is full of black hats (hackers) and white hats (same skills as black hats but who protect against hacking), like robbers and cops, except the former are in abundance and the latter overwhelmed.

“All the fortune 100 companies have had data breaches or attacks,” he said. And don’t look for anyone to save you. “There is no cavalry.”

You’re Riding in Your Car…

Here are a few (paraphrased) examples of the trouble we are in from Corman’s presentation.

The Windows XP operating system may have 10 million lines of code. Microsoft may patch it once a month, addressing 12 or so bugs. Think about that effort for 10 million lines of code and then think of a 100 million lines of code. That’s the average number of lines of code per vehicle just three years ago. It’s even higher now. How often does your vehicle get patched. Do you ever patch your vehicle? Could you even try?

In your car, now loaded with electronics and software, you might think someone could hack your car information or entertainment system but never be able to hack the brakes. There was a Jeep in which a Wired journalist got hacked on the highway going 65 miles an hour. They hacked the radio and were able to shut off the brakes. That should never be possible.

It was six years ago, at the biggest hacker conference in the world in Las Vegas, that the initiative iamthecavalry.org was launched. The idea was the cavalry isn’t coming. On issues affecting public safety and human life—we say where bits and bytes meet flesh and blood—we are most worried. Our dependence on software and connected technology is growing much faster than our ability to secure it.

Denial of Service Attacks

When you have a denial-of-service hack on a website, it’s an inconvenience. You might have to come back later. If you have a denial-of-service on an oil and gas pressure pipeline, it might be an explosion. If you have a denial-of-service on medical equipment, it might be a fatality.

For 25 year years, we’ve known how easy it is to take out power grids. Now it’s been demonstrated on the world stage, with Russia taking out the power grid in Ukraine at least twice. So, we’ve gone from something that might happen to something that has happened.

Could hacking be any easier? Shodan, a search engine for connected devices, exposes default passwords. (Image courtesy of Wikipedia.)

Could hacking be any easier? Shodan, a search engine for connected devices, exposes default passwords. (Image courtesy of Wikipedia.)

You can search for “naked” Internet connected devices. One is called Shodan. We’ve known for a long time that anyone with means, motive, and opportunity can use Shodan to find an oil and gas pipeline or a water treatment facility, or a dam, and open the dam and cause a flood. A dam in upstate New York was hacked by Iran in 2015. There was no water in the dam, so it didn’t scare everybody. The scary thing is most of these devices you can find on Shodan have hard-coded default passwords that you couldn’t change if you wanted to. It’s almost a misnomer to call it hacking. They logged in with something as simple as admin, admin.

Hospitals Compromised

We knew hospitals were prone. A SamSam ransomware attack on Hollywood Presbyterian hospital in February 2016 shutdown patient care for a week. It diverted ambulances up the street in L.A. traffic, canceled surgeries and forced critical care patients to be moved. One little flaw, one little device, took out a hospital for a week. The hospital had been warned about the attack by the FBI, but the hospital couldn’t tell which of their 20,000 different devices were affected. We pushed pretty hard for an ingredients list so that at a glance, when there is an attack, we could see JBoss [an open-source, cross-platform Java application server which, when unpatched, was exploited by SamSam ransomware] in these few places and not have to look at 20,000 potential target

On Friday before Mother’s Day 2017, WannaCry, the largest ransomware attack in history started. Ransomware had gone from a single hospital in Southern California and made healthcare the No.1 target for ransomware globally. WannaCry took out 41% of the healthcare delivery in the United Kingdom’s government for the whole Mother’s Day weekend.

In London, all the stroke and trauma centers were completely offline. In medicine, time matters. Delaying patient treatment affects mortality rates. People die. The official statement was no one died. But we know they died. There’s a “magic hour” after a stroke, an hour to save the brain and vital functions. There are two kinds of strokes. If you can tell it’s one kind, there’s a drug that can save your brain within the magic hour. If it’s the other kind of stroke, that same treatment will kill you instantly. Those stroke centers, which can tell which type of stroke you’ve had and give you critical time sensitive intervention, were all offline. Anyone that had a stroke that weekend may have had permanent brain damage or lost their life.

In the U.S., 85% of hospitals lack a single security person. A large hospital should have between 10 and 50 people doing security like a bank might. For small, medium and rural hospitals, you’re hard pressed to find a single security person on staff. They say they don’t have money. I have empathy for how lean the delivery of healthcare is, but there’s a cost that comes with connectively. If you can’t afford to protect it, then you can’t afford to connect it. Is that the burden that comes with connectivity? I met Stan Lee in ComicCon. I hope he’ll forgive me when I say, “With great connectivity, comes great responsibility.”

Admin, Admin… Let Us In

Cheap webcams like this almost brought down the Internet when they were used in a distributed denial of service (DDoS) attack in 2016.

Cheap webcams like this almost brought down the Internet when they were used in a distributed denial of service (DDoS) attack in 2016.

Two attacks were by the Mirai botnet, which happened just before the U.S. presidential election. It was the largest botnet is history. It was carried out by teenagers who took advantage of $100 IoT cameras. These IoT cameras have a hard-coded password of
admin, admin. You couldn’t change it, and you couldn’t patch it. There was no secure update capability. It was largest distributed denial of service (DDoS) attack in history to date. It took the Internet offline for most of that Friday in the Eastern half of the country.

While we were reeling from WannaCry, we were struck with NotPetya, which did so much more damage—$10 billion, according to U.S. officials. NotPetya was part of Russia’s cyber war against Ukraine and attacked tax/accounting software favored by Ukrainian companies. This tax software escaped its intended blast radius. Anyone who had an office in Ukraine got hit. Then it went international. Merck, makers of pharmaceuticals, said NotPetya cost them $670 million.

Maersk, the world’s largest shipping conglomerate, was shut down after the NotPetya attack. (Image courtesy of Maersk.)

Maersk, the world’s largest shipping conglomerate, was shut down after the NotPetya attack. (Image courtesy of Maersk.)

Maersk, the Danish company that controls 20 percent of global maritime shipping, the company most responsible for getting perishable goods to our ports, was hit by NotPetya. These are goods that were lost and gone forever during the delay they had. They had a global Tom Clancy-like scurry to try to shut off as many computers as they could in their global shipping network. They were only able to recover because there had been a power outage in Ghana, Africa, which left the Ghana port offline and uninfected by NotPetya. They had the last and only copy of software, so Maersk was able to rebuild its network.

Software Bill of Materials

With PTC’s Windchill, we have bill of materials. Similarly, why not have a software bill of materials? You want providence and pedigree? You want to know when something’s broken? We want visibility. A lot of people are using a lot of old software. This visibility will highlight a multitude of sins. As such, people are going to have to shift from the attitude of never updating the software to having to update, possibly, quite frequently.

While a software bill of materials would be helpful, its passage to law has been slow.

In January, we had our working groups and workshops. In March, the commentaries were closed. In parallel to this, the Commerce Department, said, “Wait a second. We don’t want the FDA to accidentally create a software list for all software. We have IoT, we have cars, we have airplanes. Let us do a voluntary standard best practice for everybody.” The NCA, part of the Commerce Department, has been running workshops on best practices for software bill of materials for over a year.

The FDA has said, “If NCA comes up with a good standard in time, we’ll use it.”

This public policy is probably the most pointed, but also the most far reaching in its effect. The act of more transparency into that software supply chain allows us to manage it. It’s like [inaudible] right? It’s fewer, better suppliers and higher quality parts from the suppliers, as well as knowing which parts go where. If there’s a defect, you can prompt it up to recall. This is why the Toyota supply chain and Toyota will now be our manufacturer for 40 years. You can take those prudent practices and put them into modern software.

One bill introduced in Congress settled on three things. Software should be patchable, have no fixed passwords and have a welcome mat to hackers acting in good faith. There was pretty bipartisan support in both House and Senate. It should have passed. It did not pass. What did pass was a similar bill in California. The state of California is the sixth largest economy in the world. They passed a law to require meaningful and reasonable security controls for IoTs by 2020. By the end of this year, you can’t sell software to the state of California without fixed passwords and it being patchable, for example.

The UK government liked the U.S. bill, but it doesn’t go far enough. They put out a UK code of practice, for safety and IoT. It had 18 items. The top five were pretty much the ones from the U.S. bill. It said the software must be patchable. Developers had to declare how long they were able to provide patches. They were not to have hard-coded credentials or passwords. It required a disclosure program for researchers. They said compliance shouldn’t be voluntary. Enough attacks are happening on our citizens. The remaining 18 items on the bill were going to be voluntary labeling.

For public safety and human life, these are baby steps. They’re not going to prevent a nation state adversary perpetrating cyber warfare. What they might do is raise the bar for consumer IoT devices so we don’t see a tsunami for denial of service attacks, for example.

What Is PTC Doing?

What do we (PTC) do about this? The attackers have changed everything. The public policy members are actively changing everything. Now what? Well, almost exactly a year ago, Jim Heppelmann (CEO, PTC) and I put out a public policy statement for shared responsibility, or safety critical IoT. It’s very rare to see a CEO of the trading company weighing in on security. We outlined all the changes that have happened to date. We outlined all the changes we anticipate. And we said, “Agencies, we need to do our part, but this a shared responsibility. We expect you to do your part. If you’re unwilling or unable to do your part, we may need to part ways.”

Heppelmann is and remains willing to part ways with some of our historical customers if they’re going to put their customers’ national security and ourselves at risk. We’re having some hard conversations with people that have not seen the need to adapt. When someone’s willing but doesn’t know how, we have flooded them with resources and assistance and equipping them for their internal stakeholder arguments on why these changes are important and necessary.

Lastly, there’s so much more to do. This is a relay race. We will continue to see these attacks, and we will continue to lose. Great connectivity is a shared responsibility. I’m up for it. I know
Jim’s up for it. Please help us get the message out to the rest of the digital innovators.

You can see more of PTC’s views on IoT security at www.ptc.com/security.