Cyber Security for Industrial Control Systems
Secure solutions for cyber-physical systems
7 - 8 February 2018 | IET London: Savoy Place
Q&A with Raj Samani
We met up with McAfee’s Chief Scientist, Raj Samani, to talk about security solutions, preventing the next WannaCry and why it’s childishly simple for an 11-year-old to buy stolen data on the dark net.
I was asked once by a journalist: can you come in and show us how ransomware works? We’d like you to come to the studio and show us how you run a ransomware campaign. I said OK, but I’m quite busy; can I send my 11-year-old daughter?
He thought I was being facetious, and I do tease people a lot, but I wasn’t being facetious – I was being truthful. My 11-year-old daughter can go on the dark web, and she can run a ransomware campaign. She can buy stolen medical records; stolen credit cards. She can have cocaine delivered to our house. She can even hire a hitman.
We talk about adversaries, and we worry about things like nation states, but honestly, 11-year-old children can go out and run a campaign that can disrupt you. She can launch a DDoS attack against your company for three dollars an hour.
What’s your key message to engineers who are protecting Industrial Control Systems and who will be coming to the conference?
What you do is not about protecting industrial control systems per se. That’s the work that we do, but actually what we’re doing is we’re keeping the lights on and the water clean. Our role as an industry and as a society is to ensure that hospitals (for example) can continue to work.
Take the WannaCry incident: 8,000 operations were cancelled. 8,000 people weren’t given medical care because of a malicious piece of software that went out and caused disruption – and we knew how to fix that. It wasn’t new; we knew about it from March that this is how you could stop this particular vulnerability being exploited.
So my question and my ask is this: what I want is for us as an industry to stop tearing each other down and ask: what can we do to ensure that when my children are sitting in a self-driving car in two years’ time, I’m not going to be sitting there wondering whether they have good data governance, whether they used good coding practices, whether this was tested, whether this was peer-reviewed?
All of these things that I do as part of my daily life; I’m going to be putting my children’s lives into your hands. That’s what we really need to be looking at – what more should we be doing?
How do you combine your role as a scientist and industry specialist at the same time?
My job is to help define the technical strategy for McAfee, and that’s very important, but actually we have a role and responsibility in shaping our digital future. For example, there was an email that was opened and an entire country’s power was taken down. So as an industry and as a society, we as security practitioners have a key role in helping safeguard our future.
Does McAfee bring any solutions to the industry in this respect?
There are a lot of products and services that we do, but I don’t want to be that guy who stands up and says: here’s all of our products. What I want to talk about is the initiatives that we’re doing. McAfee has this brand that we call Better Together, and what that means is that we say: what more can we be doing together as an industry to help shape the future?
One of the things I talk a lot about is the initiative called No More Ransom; that’s an initiative we’ve done with global law enforcement and industry, with 117 partners. We co-founded the initiative with the objective of fighting back against criminals that are holding our systems to ransom.
To date, we’ve decrypted 29,000 computers across the world, free of charge. That’s the type of thing I think we should be doing more of. Let’s start to work together and celebrate our successes. We’re up against an adversary that is better funded than any of us individually, and they have the means to go out and disrupt our lives.
Whose job is it to protect national assets from hostile attacks, whether from nation-states or hackers?
Quite frankly, if you want to live in a world in which your insulin pumps, your cardiac equipment, your cars are being held to ransom, then let’s just keep doing what we’re doing.
But if you want to properly protect assets, every single person has a role to play. Companies like McAfee of course have a key role to play: we provide the technologies that go into these solutions, but I think the employees have a role to play as well. I think the companies themselves need to invest appropriately. Equally, government and regulators have a role to play, as does law enforcement.
Institutions like the IET also have a fundamental role: getting people to understand what the fundamental responsibilities of all of us are; giving people the right training; being open and collaborative; sharing best practice.
We need to stop looking at cybercrime as a separate area of crime. It is the evolution of traditional crime. If you look at what EC3, the European Cybercrime Centre, has done, they’ve got established relationships with agencies all across the world. So it needs to be seen as a global issue.
It’s ridiculous that we live in a world in which we had the DDoS extortion attacks, and they went after Bank 1, Bank 2, Bank 3, Bank 4. Why didn’t Bank 1 contact Bank 4 to say that this is happening and please put these protective measures in place? Why do you have to find out later? So every single one of us has a role and responsibility to play.
Do you see the possibility of some sort of self-regulatory mechanism in the industry to step up to the cyber security challenge, or does someone, e.g. a regulator, have to be in charge?
It’s not simple because we’ve got vertical regulatory-based requirements. In the finance industry for example, you have PCI. Then you’ve got horizontal requirements, which are things like data protection across various industries. You’ve got regional requirements, you’ve got national requirements, you’ve got industry requirements…
I think the message is that it’s incredibly complicated. It’s incredibly difficult. How many regulatory requirements does an organisation have today? Tens, twenties, hundreds even?
For me, the most important message that I would give is compliance does not drive security. If you strive to achieve compliance and you believe you are secure because of that, I think that is a mistake. Follow security, do the appropriate due diligence, and security should drive compliance.
Who do you think should be the more pro-active – the industry or the regulators?
I think that the regulatory system definitely has a role to play. The market, as well, has a role to play – you read about Sonos for example, stealing your personal data and changing all of their terms of service.
Fundamentally, I think, it starts with us as an industry. I ask this question all the time whenever I speak to an audience, and I’ll say: When was the last time you spoke to your CEO? Generally, there’s one hand that goes up. How many security practitioners do you know that are on the board? How many of them are CEOs, CIOs, CTOs now?
We as an industry have become practitioners that don’t go beyond our discipline. And yet finance and marketing and all these other disciplines are now making the decisions in all aspects of business. So I really want to get to the bottom of why we as an industry are still seen as an IT or technology function.
What more should we be doing to help drive the innovation; to help drive the types of appliances that are going to be keeping us alive, or keep the lights on, or keep the water clean?