Are You Paying Attention to SOT and HOT?

Everyone in the cybersecurity space is very familiar with Information Technology (IT), but far fewer are as familiar with Operational Technology (OT) – software and hardware that focuses on control and management of physical devices like process controllers, lighting, access control systems, HVAC systems and the like.

However, cybersecurity professionals should familiarize themselves with OT because it is having an increasingly serious impact on their IT solutions and on their corporate data. Here are two of the several aspects of OT to consider:

Shadow OT (SOT)

Most of us are familiar with “Shadow IT” – individual users or departments employing their own mobile devices, mobile applications, cloud apps, laptops and other personally managed solutions to access corporate resources like email and databases. This phenomenon/scourge/blessing/reality has been with us for more than a decade and is generally well accepted by the IT community. But relatively new on the scene is “Shadow OT” – the use of Internet of Things (IoT) solutions in the workplace. For example, some businesses will employ consumer-grade solutions like routers, security cameras and lights in a work environment, introducing a number of vulnerabilities that are more common in consumer-focused IoT solutions than they are in industrial-grade solutions. Because consumer-grade IoT products are developed by manufacturers who are under enormous price pressure and will sometimes employ temporarily contracted teams to create these devices, the consideration of security in the design process, not to mention the ability to upgrade and patch these devices, is not common.

Because consumer-focused IoT solutions often will have vulnerabilities, they can create enormous security holes when used in the workplace. For example, as discussed at Trend Micro’s Directions ’19 conference earlier this week in a session hosted by Bill Malik (@WilliamMalikTM), a New Jersey hospital installed Bluetooth-enabled monitoring pads in its 2,000 beds to detect patient movement and dampness that would signal a patient needing a nurse’s attention. Doing so makes sense – using technology like this frees nurses from the task of going room-to-room to check patients who needed no help, allowing nurses to spend more time on other, more critical tasks. And, they were able to implement the solution for about $120,000 instead of the $16 million that would have been required to use FDA-approved beds that offered the same functionality. But these consumer-oriented devices very likely have major security vulnerabilities that could allow an attacker to access critical medical systems like insulin pumps and patient monitors, not to mention the hospital’s patient records that are valuable to bad actors.

Home OT (HOT)

Another important issue to consider is the use of OT in the home. Many employees work from home either occasionally or full time and they often do so in an environment populated by Internet-connected thermostats, baby monitors, game systems, voice-enabled home automation systems, security cameras, lights, alarm systems, wearables, refrigerators and the like. Here again, these often insecure solutions typically have numerous security vulnerabilities and access the home Wi-Fi network – the same one the employees use to connect their laptop and desktop computers to enterprise email and other corporate data sources. And, because all of these devices in the home connect through the same gateway, a bad actor’s access to one device exposes everything else on the network – including corporate devices – to unauthorized access and control.

The solutions to these issues won’t be easy. It’s tough to convince decision makers, as in the case of the hospital noted above, to spend 100+ times more on secure technology when they barely have the budget for what they can afford now. And it’s virtually impossible to require employees to disconnect the IoT devices in their homes while they’re working there. However, there are some things that can be done, such as using firewalls, monitoring solutions, VPNs and the like to make things more secure in the short term. Longer-term security will require a change in design focus, as well as user education focused on being careful about using an ever-expanding array of OT devices, among other things.

Is BlackBerry Dead in the Water?

A blog post from yesterday asks the question, “Would you say that BlackBerry is pretty much dead in the water at this point or is there hope left for the struggling Canadian company?”

The question is a good one. In the first quarter of 2009, BlackBerry had 55.3 percent of the US smartphone market and 20.1 percent of the global smartphone OS market; as of the last quarter of 2016, BlackBerry’s share of global smartphone sales had fallen to 0.048 percent. The company’s revenues fell from a peak of $19.91 billion in FY2011 to $2.16 billion in FY2016. Its operating income and net income have been in negative territory since FY2013. Its stock price went from $138.87 on April 30, 2008 to $7.45 as of today. In September of last year, BlackBerry stopped making its own phones.

So, yes, a case can be made that BlackBerry is “dead in the water” or very nearly so.

However, I believe that 2017 and 2018 will see a modest resurgence of the company, albeit not to levels that we saw before the iPhone and Android devices began eating BlackBerrys for lunch. Here’s why:

  • BlackBerry isn’t really a smartphone company anymore, but is transforming itself into a software and cyber security company. If they’re successful in doing so, that will turn their 30-something margins into 70-something margins. The company’s financial results are at least hinting that margins are going in the right direction.
  • BlackBerry still has a very good security architecture for mobile devices, one that many decision makers should (and, I believe, will) seriously consider as mobile devices increasingly access sensitive corporate applications and data repositories. BlackBerry’s DTEK technology offers robust user control over privacy and that’s going to be important for many enterprise decision makers.
  • While BlackBerry’s market share in the US and many other markets is really, really poor, the company is still doing reasonably well in places like Indonesia and in some key verticals, such as financial services. For example, a major US bank is standardized on BlackBerry mobile technology, as is HSBC, among others.
  • BlackBerry is increasingly focused on markets that are quite far afield from its traditional phone business. For example, BlackBerry Radar is the company’s first IoT application and is designed for asset tracking, currently in use by a major Canadian trucking firm. BlackBerry QNX, a real-time operating system focused on the embedded systems market, is currently used in 60 million cars worldwide (and replaced Microsoft Sync at Ford). BlackBerry has some interesting and innovative solutions focused on addressing enterprise BYOD/C/A concerns.

The bottom line is that BlackBerry is nowhere near out of the woods, but is definitely showing signs of life. John Chen has done a good job at starting to turn the company around, there is promise in several of BlackBerry’s key markets, and the company has a decent base of working capital. I have some confidence that in a couple of years BlackBerry will see something of a resurgence.

Internal Combustion Engines, Critical Thinking and Making Good IT Decisions

Germany’s Spiegel magazine has reported that the German Bundesrat (Germany’s federal council that has representatives from all 16 German states) will ban the internal combustion engine beginning in 2030. Consequently, the only way to achieve this goal would be en masse adoption of electric cars to replace today’s cars that are powered almost exclusively by internal combustion engines. This is a bigger issue in Germany than it would be in the United States, since there are significantly more cars per person in Germany than in the US.

Sounds like a good idea, but edicts passed down from senior managers are not always feasible, particularly when those managers might not have done the math to determine if their ideas can actually be implemented by those in the trenches. For example, here’s the math on the Bundesrat’s edict:

  • As of the beginning of 2015, there were 44.4 million cars in Germany. If we assume that the average German car is driven 8,900 miles per year and gets 30 miles to the gallon, each car consumes the equivalent of just under 10 megawatt-hours of electricity per year (based on one gallon of gasoline = 33.7 kWh).
  • Replacing all 44.4 million cars with electric vehicles would require generation of 443.9 terawatt-hours of electricity per year solely for consumption by automobiles (9.998 MWh per car x 44.4 million cars).
  • In 2015, Germany produced 559.2 terawatt-hours of electricity from all sources. That means that Germany would need to produce or import about 79% more electricity during the next 14 years than it does today. However, during the 13-year period from 2002 to 2015, German production of electricity increased by only 12%.
  • If the additional electricity needed for use by cars came from wind generators, it would require 64.5 million square miles of wind farms (based on an average of 93.0 acres per megawatt of electricity generated), an area that is 468 times larger than Germany’s footprint of 137,903 square miles.
  • If the additional energy came from solar, it would require 1.22 million square miles of solar panels (based on an optimistic assumption of 13 watts of electricity generated per square foot), an area about nine times larger than Germany.
  • If the additional energy came from nuclear power, Germany would need to build the equivalent of 13 high-capacity plants (assuming they have the capacity of the largest US nuclear plant, operating at Palo Verde, AZ).
  • Germany could use all of the oil it currently imports for automobiles for the production of electricity, but that would defeat the purpose of switching to electric cars.
  • Consequently, the only logical options to achieve a complete ban on the internal combustion engine by 2030 are a) build lots of new nuclear power plants that will generate the electricity needed for electric cars, or b) reduce driving in Germany by at least 85%. But even the last option would require substantially greater production of electricity in order to power the additional rail-based and other transportation systems that would be required to transport Germans who are no longer driving cars. Even if we assume the German government would phase in the abolition of the internal combustion engine over, say, 10-15 years following the 2030 deadline, there’s still the problem of producing 79% more electricity between now and 2040-2045.

So, while converting to electric cars is a good idea in theory, in practice it is highly unlikely to happen in the timeframe mandated by the Bundesrat. In short, edicts from senior managers often can’t happen because these managers never did the math or spoke to anyone in the trenches who would be responsible for trying to make it happen.

The point of this post is not to criticize the German government or the notion of reducing the consumption of fossil fuels, but instead to suggest that critical thinking is needed in all facets of life. When someone proposes a new idea, be skeptical until you’ve done the math and thought about the consequences and considered the various ramifications of the proposal. For example, when senior management suggests your company move the email system completely to the cloud, think through all of the potential ramifications of that decision. Are there regulatory obligations we will no longer be able to satisfy? How much will it cost to re-write all of the legacy, email-generating applications on which we currently rely? What will happen to our bandwidth requirements? How will we deal with disaster recovery? How do we manage security? What is the complete cost of managing email in the cloud versus the way we do it now?

Senior managers or boards of directors will sometimes implement policy or make other important decisions without first consulting those who actually need to make it happen. This means that senior management teams, task forces, boards of directors, etc. need to a) stop doing that, b) do the math for any decision they’re considering and c) consult with the people who will be charged with implementing their decisions.