Posted by: Greg Ness | March 6, 2020

“Quantum Matter” Anyone?

Eerie discoveries in thin substance research fuel speculation about what comes after silicon and oil.

Is free energy around the corner?

[Updated March 13, 2020] Last year a highly respected technologist (and friend) told me “free energy” was the most interesting and likely innovation on the horizon. When my eyebrows raised he continued, “Oh yeah, it’s real close.”

Since exploring the possibility of thin matter (graphene) and free energy in Antioch for several years now, I shouldn’t have been surprised. Frankly, I was quite surprised. He wasn’t talking, of course, about the instant global adoption of free energy, but rather the prospects of someone figuring it out… in the near future.

It’s a great angle, of course, for a dystopian novel with a social media war between two secretly united  “opposing” groups struggling to keep the public distracted from the power of bold innovation. That’s right: two enemies united by a common purpose. Been there, seen that, have a few T-shirts.*

But what if we are getting close?  What would it mean? “Passive carbon” energy anyone? Electric cars with unlimited range?

The prospects of free energy were in the crazy bin in 2011 when I started writing novels. (They might still be today, lol.) In Antioch, scientists in the mid-to-late 2020s were making some cool discoveries with layered graphene. They accidentally discovered the power of a new generation of advanced materials with eerie properties, and a life was lost. So the “free energy” conversation entered the scene a bit closer to reality this time around, almost nine years later.

Things May Have Changed This Week

A few nights ago a friend sent me an email about scientists now predicting new states of matter. This followed another article on atom-scale materials and another on new types of hidden frequencies revealed by a graphene amplifier. [Thank you Stu and Rick!] The implications are powerful. Think materials that generate power passively, on their own, with or without sunlight or other forms of fuel.

Hendrik Casimir


At dinner last night some friends visiting from the UK speculated about how a potential Casimir effect could play into “quantum matter” energy states.

Because the strength of the force falls off rapidly with distance, it is measurable only when the distance between the objects is extremely small. On a submicron scale, this force becomes so strong that it becomes the dominant force between uncharged conductors. In fact, at separations of 10 nm – about 100 times the typical size of an atom – the Casimir effect produces the equivalent of about 1 atmosphere of pressure (the precise value depending on surface geometry and other factors).

Quantum Pucks?

Could layered sheets of one atom thick material amplify a Casimir effect and produce energy (the layered graphene “puck” from Antioch that led to the accidental explosion) anywhere they were placed? Could they be the building blocks for a new generation of hyper powerful fuel cells or solar panels that produce massive energy from small cells?

Thin materials (one atom thick, for example) could be densely stacked and create amazing Casimir amplification IMHO.

I’m not a physicist and I have the college transcripts to prove it.  Numerous experts have told me everything on the electrical and mechanical sides of things has been discovered and there wasn’t any room left for speculation. That makes these eerie properties of thin matter more than interesting IMHO. How many layers of graphene could be stacked in a 3 inch puck?

You may have already read about new approaches for creating graphene at much lower costs (from trash). If thin materials became inexpensive we could see an accelerated pace of change. Recycling that turns garbage into energy cells? That’s pretty interesting.

Now there is talk of large-scale production of graphene.

Perhaps we’re on the cusp of a new thin (quantum) materials age with a broad spectrum of new potentials for massive leaps forward. Recent headlines point in that direction.


The Agrippa quandary is the trade-off between the discovery of free energy (from “zenin” or layered graphene) and the destruction it would wreak across dozens of industries; and the lengths a global entrenched status quo would go to slow it down or perhaps ultimately own it.

Eerie New Alliances

There would be plenty of unintended consequences from a radical shift from carbon combustion to “passive carbon” energy. Lots of sponsored research arguing “x” vs “y” impacts and who would benefit.

A new generation of potential billionaires would battle with an older generation, etc. Crumbling bureaucracies  would battle with new carbon coalitions working on climate solutions. Extremists on the Left and Right could easily join together in a pragmatic defense… of the tainted status quo.

The powerful carbon trifecta program discussed years ago at Future In Review could become a reality and reduce the carbon footprint on a global scale. [Note: See Everett Rogers Diffusion of Innovation, for how people typically react to new technologies. Then make it an exponential reaction.] That’s huge.

Graphene Valley?

Recent breakthroughs in graphene and other thin materials are making a new range of outcomes more possible, perhaps on a far greater scale than silicon… and in an even shorter time frame. Will there be a Graphene Valley or would abundant energy accelerate the diffusion of innovation?

I’m old enough to remember the fission/fusion hype cycles that quickly swept from headlines into cinema and then the dust bin.   Yet I’m convinced this coming revolution could be much different. It could be a deep, fundamental shift, well beyond just battery storage and greater electric car range.

Reflecting on the global disruption of silicon (and social media), I couldn’t help but speculate on what something even more disruptive could do to the already uneven playing field between zip codes, public bureaucracies trapped in decades-old operating models and new generations of entrepreneurs changing the world on even larger scales.

You can call these new materials atom-scale or… quantum materials, for their strange new properties. It doesn’t matter. Either way, it’s pretty clear we’re likely on the cusp of a new age, and many of us are going to feel quite provincial as research continues to discover something much more powerful than silicon. Even those of us in Silicon Valley are likely in for some surprises.

What do you think? Feel free to weigh in here or on social media. You know who you are. We’ve been having these discussions for years. Tell me I’m wrong once again.

If you are aware of research which proves or disproves any of this feel free to share in comments or, even better, at the Sword of Agrippa Facebook page (see below), which is much more active. I’ll add some of the best links, etc into this post over time.

===============  first response from John Schroeter

I agree, as you suggest, that major disruptions are coming – and they will not only be exponential, but super-exponential. And this will call for anticipatory scenarios development, interventions, innovations, and most importantly, imagination. All of which leads to a need for a broader development of futures consciousness, which is what After Shock is all about. We can’t afford to be “future deniers”! After Shock speaks to taking our future head on, to shape it as opposed to be shaped by it. We do live in exciting times!

===============

A friend also shared this article on Tesla and some mystery surrounding a particle beam weapon and some potentially missing files. Check out graphene and Perovskite grapes for solar efficiency.

Graphene unveiling hidden frequencies. 

================

Note: I don’t blog very often about my science fiction writing. It has been my “mental golf” for many years now. After reading an interview with Guy Kawasaki encouraging marketeers to do something wildly different, I started the quest in 2011. I’ve met some incredible people from around the world with similar experiences, passions/interests and managed to use my writing as a kind of weekend meditation retreat. Thank you to all of you who have encouraged me along the way. It means a great deal to me. Feel free to join us at the Agrippa Facebook page.

*WHILE SUPPLIES LAST: I have a few leftover Sword of Agrippa T-shirts with the old cover and my obsolete pen name.  Contact me if you want one. I’m very easy to reach via LinkedIn and the Agrippa Facebook page.

The Capital One breach last year was significant on multiple fronts.  A trusted financial services brand on a leading public cloud environment was easily breached, to the tune of 10M records compromised.  I discovered Cloudneeti in January after I heard about their ability to enable DevSecOps operating models.  I asked CEO and cloud veteran Gururaj Pandurangi for his thoughts on the breach:

Q) Last year’s Capital One breach exposed a massive trove of sensitive data.  How could one of the world’s most trusted financial service companies operating on one of the most secure cloud infrastructures get breached to such an extent?

[Gururaj] The Capital One breach was a combination of missteps. The most significant factor was an experienced former AWS employee who knew how to abuse different misconfigurations. There were additionally some minor IaaS issues, and I’ve heard that the provider has promised to fix them. Part of this is also a cultural issue of using traditional on premises processes for the cloud and generally how tradeoffs between the need for speed and complex security/compliance policies are resolved. It should be noted that every company will face a combination of these conditions and threats in some shape or form. Misconfigurations combined with insider threats are clearly the biggest risk. The lesson from these types of breaches is that enforcement, similarly, needs to evolve.

Q) Why are cloud security and compliance postures so difficult to maintain, given the massive investments IaaS leaders have made in security?

[Gururaj] The cloud is allowing dev teams to accelerate their development cycles beyond anything possible for most traditional on premises environments. Changes can be made faster than ever. New apps, new business units, increasing frequency of releases and new cloud features have all contributed to an increase in the pace of change.  And the policies and frameworks themselves have hundreds if not thousands of configuration requirements. So higher rates of change, the very nature of cloud workloads that are easily exposed to the Internet combined with complex requirements, have substantially increased risk, even for companies investing heavily in best practices. We’ve done scans of many considered to be well-run environments and the compliance scores came out much lower than what was expected by the customer. 

Q) What kinds of tools do cyber criminals use to exploit configuration errors and how commonplace are they?  What levels of skills do they require?

[Gururaj] Today cyber criminals need to become cloud experts. And the increasing pace of change also makes many of their traditional tools obsolete. The cloud providers have made significant investments in OS and network enhancements, which have closed some of the frequently used entry points. The good news is that the evolution of IaaS and PaaS, serverless, databases in the cloud are forcing cyber criminals to evolve, since their old tools aren’t as effective against these new environments.

Even more important is the emergence of new SaaS tools that help protect these more dynamic environments. For example, an entire new class of cloud security posture management (CSPM) solutions has emerged to automate security and compliance assurance.  Some are built for traditional SOC environments to quickly discover misconfigurations and others, like Cloudneeti, for DevSecOps models to prevent misconfigurations from ever happening. Dev and security teams can operate at almost the same fast pace today, without the conflicts and tradeoffs required with traditional manual processes.
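To make the posture-management idea above concrete, here is a small policy-as-code check that evaluates a cloud resource inventory against a handful of policies, produces findings plus a compliance score of the kind Gururaj mentions, and acts as a pre-deployment gate. This is an added example, not Cloudneeti’s or any other vendor’s code; the inventory format, policy ids, severities and sample resources are constructed assumptions for illustration.

```python
"""Policy-as-code posture evaluation over a cloud resource inventory.

Added example (not Cloudneeti's or any vendor's code). The inventory
format, policy ids, severities and the sample resources are constructed
assumptions used only to illustrate how a CSPM-style check works.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    kind: str    # e.g. "storage_bucket", "security_group", "iam_role"
    name: str
    props: dict  # provider-neutral attributes of the resource


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str
    resource: str
    detail: str


# Constructed sample inventory; none of this refers to a real environment.
INVENTORY = [
    Resource("storage_bucket", "customer-exports",
             {"public_access": True, "encryption": "none"}),
    Resource("storage_bucket", "app-logs",
             {"public_access": False, "encryption": "aes256"}),
    Resource("security_group", "web-sg",
             {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}),
    Resource("security_group", "admin-sg",
             {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                          {"port": 3389, "cidr": "10.0.0.0/8"}]}),
    Resource("iam_role", "batch-role", {"actions": ["storage:GetObject"]}),
    Resource("iam_role", "ops-role", {"actions": ["*"]}),
]

ADMIN_PORTS = {22, 3389}


def bucket_not_public(r: Resource) -> Optional[str]:
    """Fail when a bucket is readable without authentication."""
    return "bucket allows public access" if r.props.get("public_access") else None


def bucket_encrypted(r: Resource) -> Optional[str]:
    """Fail when a bucket has no encryption at rest configured."""
    return "bucket has no encryption at rest" if r.props.get("encryption", "none") == "none" else None


def no_admin_ports_from_anywhere(r: Resource) -> Optional[str]:
    """Fail when SSH/RDP is reachable from the whole Internet."""
    for rule in r.props.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
            return f"port {rule['port']} reachable from 0.0.0.0/0"
    return None


def no_wildcard_actions(r: Resource) -> Optional[str]:
    """Fail when a role is granted every action (least privilege violated)."""
    return "role grants wildcard actions" if "*" in r.props.get("actions", []) else None


# (policy id, severity, resource kinds it applies to, check function)
POLICIES = [
    ("STORAGE-01", "high", {"storage_bucket"}, bucket_not_public),
    ("STORAGE-02", "medium", {"storage_bucket"}, bucket_encrypted),
    ("NET-01", "high", {"security_group"}, no_admin_ports_from_anywhere),
    ("IAM-01", "high", {"iam_role"}, no_wildcard_actions),
]


def evaluate(inventory):
    """Run every applicable policy; return (findings, compliance score 0-100)."""
    findings, applicable = [], 0
    for r in inventory:
        for policy_id, severity, kinds, check in POLICIES:
            if r.kind not in kinds:
                continue
            applicable += 1
            detail = check(r)
            if detail:
                findings.append(Finding(policy_id, severity, r.name, detail))
    passed = applicable - len(findings)
    score = round(100.0 * passed / applicable, 1) if applicable else 100.0
    return findings, score


def gate(inventory, block_on=("high",)):
    """DevSecOps-style pre-deployment gate: True means the change may proceed."""
    findings, _ = evaluate(inventory)
    return not any(f.severity in block_on for f in findings)


if __name__ == "__main__":
    found, score = evaluate(INVENTORY)
    for f in found:
        print(f"[{f.severity:6}] {f.policy} {f.resource}: {f.detail}")
    print(f"compliance score: {score}% ; deploy allowed: {gate(INVENTORY)}")
```

Run against the constructed inventory it raises four findings on eight applicable checks, a 50% score, and the gate blocks the change because three of the findings are high severity. The same evaluation can be run against a plan before deployment (the DevSecOps model) or against a live inventory afterwards (the SOC model), which is the distinction drawn in the answer above.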

Thank you Gururaj!

You can sign up for a 30-day free trial on Azure Marketplace. You can discover in minutes how well your cloud environment scores against more than 1,500 security policies and 13 compliance frameworks.

Is your company addressing the growing gaps between digitalized, dynamic infrastructures (cloud, SDN, SD-WAN, etc.) and outdated cultures and tools?  Contact me and I may ask your CEO three questions.

Posted by: Greg Ness | February 10, 2020

New Perspectives on SD-WAN: An Interview with Stefano Gridelli

SD-WAN deployment has accelerated in recent years as organizations extend SDN benefits across wide area networks. It’s a pretty transformative process, producing new management and cost benefits along with new user experience and performance demands.

A few weeks ago I discovered NetBeez, a network monitoring company with a unique, proactive, user-centric approach to monitoring these more dynamic networks. Their hardware and software sensors are deployed at the edge, including before SD-WAN deployment,  to assess MPLS vs internet tradeoffs, from a user’s perspective.

A recent SDX exchange on the future of SD-WAN late last year prompted me to ask Stefano Gridelli, founder and CEO of NetBeez, three questions about SD-WAN monitoring. His perspective has been shaped out of network engineering roles in health care, which inspired him and his team of founders to introduce a better way to monitor SDNs and SD-WANS.

If anything, industry speculation at the end of 2019 about the “cloudy” future of SD-WAN brings new questions about gaps between new forms of dynamic network infrastructure, existing tools and practices and the evolution of careers in networking:

Q) Why is SD-WAN different when it comes to monitoring?

[Stefano] SD-WAN is a game changer in terms of network management. Benefits of SD-WAN include ease of configuration and operation, cost reduction from the use of Direct Internet Access (DIA) mixed with traditional transport technologies (e.g. MPLS), and centralized management. 

In terms of monitoring, most SD-WAN solutions have network and application visibility tools that provide statistics about top users and top applications. These statistics are collected by analyzing traffic traversing the SD-WAN router’s interfaces. The problem with this “passive monitoring” approach is that it doesn’t really build a network and application performance baseline (no user traffic, no data), and also reduced proactiveness on performance issues.

Another challenge of monitoring SD-WAN installation is that it makes use of tunneling, split tunneling, and virtualization. Since user traffic is dynamically routed, sometimes on a per-packet basis, across multiple lines, it is more difficult to pinpoint the root cause of performance issues. With split tunneling, users may use the Internet connection to browse public or SaaS applications, reducing visibility into the end-user experience from the centralized NOC.
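The point about passive monitoring (“no user traffic, no data”) versus an active baseline is easier to see in code. The following added example, which is mine and not NetBeez’s, builds a per-site, per-path baseline from synthetic probe results, classifies new probes against it, and compares an MPLS path with a DIA path on both latency and loss. The site names, the target hostname, the probe values, the median/MAD baseline method and the thresholds are all constructed assumptions.

```python
"""Active path monitoring with a per-path baseline (added example, not NetBeez code).

Synthetic probes run on a schedule whether or not users are generating traffic,
so a baseline exists before the first complaint. The sample data, the target
name and the median/MAD thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

# Hypothetical application endpoint reached over two WAN paths from one branch.
TARGET = "erp.example.internal"

# Constructed baseline window: (site, path, target, rtt_ms); None means the probe was lost.
BASELINE_WINDOW = (
    [("branch-7", "mpls", TARGET, r) for r in (40, 42, 41, 43, 40)]
    + [("branch-7", "dia", TARGET, r) for r in (25, 27, 26, 28, 26, 25, 27, 26, 28, None)]
)


def build_baseline(samples):
    """Per (site, path, target): median RTT, median absolute deviation and loss rate."""
    groups = defaultdict(list)
    for site, path, target, rtt in samples:
        groups[(site, path, target)].append(rtt)
    baseline = {}
    for key, rtts in groups.items():
        good = [r for r in rtts if r is not None]
        loss_rate = 1 - len(good) / len(rtts)
        if not good:  # every probe lost: a baseline of loss only
            baseline[key] = {"median": None, "mad": None, "loss_rate": loss_rate}
            continue
        med = median(good)
        mad = median([abs(r - med) for r in good])
        baseline[key] = {"median": med, "mad": mad, "loss_rate": loss_rate}
    return baseline


def assess(sample, baseline, k=3.0, min_mad=1.0):
    """Classify one probe result relative to the learned baseline.

    Returns "ok", "degraded" (RTT above median + k*MAD), "loss" (probe lost)
    or "no_baseline" (path never measured, so nothing to compare against).
    """
    site, path, target, rtt = sample
    stats = baseline.get((site, path, target))
    if stats is None or stats["median"] is None:
        return "no_baseline"
    if rtt is None:
        return "loss"
    # min_mad stops a perfectly flat baseline from flagging every 1 ms wobble.
    threshold = stats["median"] + k * max(stats["mad"], min_mad)
    return "degraded" if rtt > threshold else "ok"


def preferred_path(baseline, site, target, max_loss=0.05):
    """Pick the lowest-latency path whose loss rate is acceptable.

    Mirrors the MPLS-versus-DIA tradeoff: a faster Internet path is not
    preferred if it drops too many probes. Falls back to any measured path.
    """
    candidates = {
        path: s for (s_site, path, s_target), s in baseline.items()
        if s_site == site and s_target == target and s["median"] is not None
    }
    usable = {p: s for p, s in candidates.items() if s["loss_rate"] <= max_loss}
    pool = usable or candidates
    if not pool:
        return None
    return min(pool, key=lambda p: pool[p]["median"])


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for key, stats in base.items():
        print(key, stats)
    for probe in [("branch-7", "mpls", TARGET, 60), ("branch-7", "dia", TARGET, 27),
                  ("branch-7", "dia", TARGET, None), ("branch-9", "dia", TARGET, 30)]:
        print(probe, "->", assess(probe, base))
    print("preferred path:", preferred_path(base, "branch-7", TARGET))
```

With the constructed window the MPLS path baselines at 41 ms with no loss and the DIA path at 26 ms with 10% loss, so a 60 ms MPLS probe is reported as degraded while MPLS is still the preferred path under a 5% loss budget; relax the budget and DIA wins on latency. A passive collector would have nothing to say about either path until a user happened to send traffic over it.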

Q) Do you think SD-WAN will be commoditized by the cloud or become more strategic?

[Stefano] I don’t believe public clouds will completely replace private data centers. There is no doubt more companies today are running a fraction of their compute workloads in AWS, Azure, or Google Cloud. Yet, I don’t see the future being run 100% on public clouds. I believe the hybrid multi-cloud model is the future. For that reason, I see SD-WAN supporting hybrid multi-clouds, and we will see cross pollination between networking vendors and public cloud providers. We’ll also see more startups in this space than before, thanks to the decoupling of hardware and software, and software companies like VMware, which has been mostly playing in the virtualization market, tapping this opportunity. To conclude, I still believe SD-WAN will become more strategic, so I differ with others.

Q) How will SD-WAN change how networks are managed?

[Stefano] SD-WAN simplifies WAN configuration and management. In traditional WANs, configuration and troubleshooting was mostly done via a command line interface, one device at a time. SD-WAN equipment is centrally managed from a web interface, and applying consistent network and security policies is much easier. This advancement requires less skilled network engineers to operate SD-WANs, and I am sure that the larger the network, the higher the savings. AT&T for example is planning to cut over $1.5B in labor costs in the next few years.

Will network engineers be the casualty of software-defined networks, similar to what happened to switchboard operators last century? Network engineers are here to stay, at least for a while, but their job descriptions will change. Their roles will evolve into NetOps, and it will require a basic knowledge of the Linux operating system, of the Python programming language, and of APIs in general.

 

Thank you Stefano! For more information on network monitoring for SD-WAN, check out NetBeez. They were recently called out for having a top blog in network monitoring and management.

Posted by: Greg Ness | December 21, 2019

The Coming Security Revolution will be Messy

Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

==================

A friend just sent me a link to a blog predicting yet another CSO/CISO year of living dangerously.  It’s a safe prediction. Since the spring of 2017 (or perhaps sooner) every year has become more precarious than the previous.


With thousands of security companies and billions in public vendor market caps offering protection, we still worry. We’re more exposed than at any time in cyber history. You could say we’re dumbfounded.

The exposure problem is easy to comprehend, with just three key drivers:

  • Escalating complexity;
  • Escalating scale; and
  • Channel/architecture/message fatigue.

Escalating Complexity

From the original network, now partially virtualized (and partially frozen in time), to the rise of the cloud and various hybrid operating models, CSOs are trapped in unprecedented layers and levels of complexity. “Divide and conquer”, the maxim of Napoleonic battle strategy, has been flipped on its head as infrastructure has become fragmented beyond recognition, and rendered ripe for the picking by bad actors with even primitive hacking tools.  Billions in security vendor market caps cannot fix this. Can any organization address this without breaking up with the network security / infrastructure cartels who themselves are trapped in monetizing complexity to the detriment of their customers’ careers?

Escalating Scale

As if complexity weren’t enough, thanks to the digital transformation traditional IT networks are now converging with OT networks, adding billions of insecure devices to the internet, creating new attack vectors which are much harder to protect from exploitation. We learned this in 2017 when NotPetya and WannaCry ravaged hundreds of global entities already investing heavily in cyber protection. The IIoT evolution represents a fundamental shift in scale and complexity.  And the cartels will help you “discover” your problems so they can extend the complexity addiction deeper into your organization. More vulnerabilities, more jobs, more gear needed.

Stack Fatigue

Today’s network security cartels (and their wildly successful channel partners) that evolved to create today’s infrastructure served an invaluable purpose. They brought us from mainframes to deep, computerized connectivity in a matter of a few decades. They also engineered their own obsolescence. Unprecedented scale and complexity have broken their fundamental architectures, rendering them incapable, despite billions in market valuations, of providing fundamental protection from edge to cloud. I’ve introduced this topic via panel to the next Future in Review.

These three drivers combine to force an ongoing churn of shifting, enigmatic choices and paradoxes that will start upending balance sheets tomorrow as they upend careers today.

Today’s Architectures are Very Profitable and Obsolete

For the established security vendors it’s deeper than a messaging problem, it’s a fundamental architecture problem that leads to a messaging problem.  In short, how can these leaders white paper and webinar their way out of today’s deep, destructive architectural paradox?  Maybe hire a leading analyst and have him/her perform a card trick that mesmerizes CSOs for another buying cycle?

I cannot help but think of the highly profitable 1950s tobacco companies advertising the health benefits of tobacco. Today’s security vendors, in effect, could be accused of doing the same thing today, monetizing CSO career dead ends with the mantra “All you need is complexity and more and more trained security pros.” That won’t last.

Hence my prediction: Within the next ten years half of today’s network security leaders will be either: 1) replaced by a new generation of leaders built upon advanced architectures; or 2) will have acquired new architectural offerings [while they still can] and evolved; or 3) be acquired by firms which have crossed the new chasm of scale and complexity: IIoT.

The cloud needs the edge and the edge needs the cloud…

While pundits debate the edge versus the cloud (flashback reminder: the hybrid cloud debate of 2013) there will be a growing realization that the edge needs the cloud and the cloud needs the edge and both need a new vision of security and connectivity. The multi-billion cartel of today is out of sleight of hand card tricks… and a new infrastructure is needed.

Posted by: Greg Ness | October 29, 2019

The Firewall Chasm is…

Network Effects are Powerful


Since the early days of TCP/IP, connectivity has created waves of multi-billion-dollar markets, seemingly out of thin air. All of the successes have had one thing in common: they created unprecedented network effects.

The 1990s ushered in the power of network effects. New levels of connectivity and scale allowed consumers then enterprises to deliver content and services virtually. The consumer web blended with the enterprise web, supply chains and so on.

The TCP/IP stack (developed almost fifty years ago) underneath this connectivity was promiscuous by design, almost to a fault. From communications to commerce we saw a radical reduction in friction and fortunes shift from manufacturers and services to connectors.

[Note: The “radical reduction in friction” link is to Bill Janeway’s amazing 2016 Future in Review keynote (start at 7 minutes in) on Flows. This is a must see for anyone interested in tech and economics.]

Network Effects are More Powerful than TCP/IP Inventors Could Imagine

Network effects have become more powerful than anything envisioned by the creators of the TCP/IP stack. Wave after wave of devices and functions, from supercomputers and dumb terminals to today’s industrial internet of things (IIoT) have been connected. And the connection process is still underway. The results are profound on almost unimaginable scales.

We’re still underestimating the power of network effects, this time to our detriment.

Let me first take you through some examples of the power and transformation underway in this new IIoT networking era. A commercial real estate developer can almost immediately increase the value of a portfolio of buildings by connecting their environmental controls to the cloud so that heating, cooling, etc. can be managed much more efficiently and at scale. Similar network effects play out in manufacturing, health care and even maritime, from smart factories and hospitals to advanced ships at sea.

Air Gaps Protected Sensors and Controls from Cyber Mayhem

Vast transformations taking place at the edge as it connects and interacts with the cloud are changing the fundamental chemistry of the internet from the standpoint of remote control of physical infrastructure. In effect, we’re creating “programmable perimeters” of sensors, controls and devices once built and installed exclusively for local/onsite control.

This massive leap from onsite to remote control crosses the air gap, the previous defense mechanism protecting the physical control of a facility from cyber mayhem. Because they were previously air gapped, very few of the billions of IIoT devices deployed had either cyber security designed in or even allowed for security updates (commonly known as patches).

Network Effects are Double-Edged Swords (they cut both ways)

I talked about this issue in more detail at The Digital Cyber Security Paradox and in a recent theCUBE panel with Gabe Lowy (author of Securing Critical Infrastructure against Cyberattack): IIoT Cybersecurity: Apocalypse Now or Later.

Billions of industrial controls are already connected to the network, to the internet. And hundreds of millions are insecure and may never be patched. This level of susceptibility of facilities and data, makes the preconditions to the creation of the firewall industry in the 1990s trivial by any measure. And that is the core challenge of our digital generation IMHO.

The Firewall Chasm is… IIoT

While nations fret about “unskilled” workers at their borders (a hint back to that Janeway address you probably passed over because the internet has shrunk your attention span), the bigger problem is “skilled” workers easily traversing networks and nations.

We Need a New Firewall Vision based on the Concept of an Air Gap: We Need an Airwall

The firewall was created in parallel with the rise of network security.  First came the network, then came network security. Now we have an internet enabling remote control of our physical places/spaces… an Internet of Places. We need secure networking, in the form of an Airwall, an air gap firewall built specifically for the secure networking demands of the digital age.

What are those demands?  Think Purdue Model cybersecurity based on IIoT  (versus IT) cybersecurity requirements. We need to shift our thinking from the “next-generation” UTM-think (“defense in depth” kluge of layers and logs and skills shortages) to a fundamentally new approach to secure networking for IIoT. Otherwise this new digital age is a nightmare.

Posted by: Greg Ness | October 6, 2019

The Digital Age Maginot Line as Foreseen by Mel Brooks

Blazing Saddles tollbooth

Attack Vectors in the… Trillions?

The growing attack surface of the new industry 4.0 internet is a big problem. On this everyone agrees. But underneath the headlines and the frequent “patch now” warnings from firewall vendors is a more ominous reality few are talking about: the exponential vector problem.

Yes the attack surface is huge and growing. 127 new devices per second are being connected to the internet, many of them insecure by design, creating a global hacker’s superhighway. Got that. I discussed this in more detail in The Digital Cyber Security Paradox:

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable.  An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time. – Archimedius

[Here is a great collection of IoT connectivity and market size stats from Cisco, Gartner, etc. on various aspects of the Saganesque “billions and billions” IoT estimates.]

OOPS- We’ve Gone Global

While everyone is focused on the massive, unprecedented growth in the IoT attack surface, the bigger problem is the exponential increase in attack vectors. This quiet reality is buried deep inside the WannaCry/NotPetya “oops- we’ve gone global” cyber attack. Remember when IIoT targets in Ukraine were unintended back doors into the UK health system, Maersk and FedEx? “Exponentially increasing attack vectors” is the hidden byline underneath our growing digital age cyber security malaise.

 The Maginot Line, when lateral movement trumped massive security investments.

“Based on France’s experience with trench warfare during World War I, the massive Maginot Line was built in the run-up to World War II… French military experts extolled the Line as a work of genius… The line has since become a metaphor for expensive efforts that offer a false sense of security.” – Wikipedia

The Maginot Line was built based on the assumption that the next French war would be fought based on the technology of the last one. When the Germans quickly and easily conquered France, they did it by simply going around it.

Most firewalls deployed today were architected in the 1990s… when there was only one way into a network. Today there are trillions of attack vectors and growing.

Old Architectures versus New Realities

Deploy a firewall in front of each device?  That would bankrupt most organizations. That is, if they could find enough skilled security pros to manage them. The new digital era problem: how old architectures address new realities. It’s complicated… and expensive… just like the Maginot Line.

A few weeks ago this came up on an episode of theCUBE, recorded after Gabe Lowy published his thought-provoking paper: Securing Critical Infrastructure Against Cyberattack. I mentioned how “we don’t even have the semblance of a Maginot Line when it comes to IIoT infrastructures. And these infrastructures offer access to critical systems in factories, hospitals, cruise ships and even power and water stations.

An Important Realization

At the close of IIoT and Cybersecurity: Apocalypse Now or Later John calls the IIoT  problem “one of the most important stories in the tech industry in a long, long time…” He’s right.

Perhaps Mel Brooks saw this futile digital age scenario coming decades ago. Imagine a toll booth sign saying “’Zero Trust’ courtesy of your firewall vendor.” Now that’s comedy, or at least tragicomedy.

 

See You at Torrey Pines!

On October 10 I’ll be discussing this problem further at Future in Review with Anne Hardy, Steve Fey and Derek Harp. I hope to post the panel video here in a few weeks.

Posted by: Greg Ness | September 7, 2019

The Digital Cyber Security Paradox


Everything is Connected

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable.  An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time.

About 200 million Internet-connected devices—some that may be controlling elevators, medical equipment, and other mission-critical systems—are vulnerable to attacks that give attackers complete control, researchers warned on Monday. – Ars Technica

Deep Asset Risk

It’s no longer just about data exfiltration but instead also the specter of the loss of physical control. Thanks to the overwhelming business advantage of digitalization, many organizations are creating massive, porous attack surfaces of insecure devices responsible for controlling physical infrastructure, from water, HVAC and power to medical, manufacturing and even maritime structures.

What Could Go Wrong?


The digital paradox is the inherent conflict between business advantage and deep asset exposure to bad actor control. And we’ve already seen the opening moves in the new hacker game. The lines between networks, nations and organizations are getting blurred by vanishing air gaps that once protected these devices from unseemly remote actors.

Unintended Consequences

Let’s face it, we’re emerging from the perfect Sorites Paradox scenario, where a heap of sand (the growing business value of interconnectivity) is eroded just one grain at a time by malware or remote bad actor control. Today, as billions of insecure devices connect, there is a growing, critical mass of exposure where many more grains can exit at a time.

I discussed this in more detail with Gabe Lowy, Tempered’s Bryan Skene and SiliconANGLE’s John Furrier a few weeks ago on theCUBE. You can read more about it as well at A Clear and Present Danger.

For example, the 2017 NotPetya attack on Ukraine’s critical infrastructure spread far beyond its target and shut down hospitals, ships at sea and even distribution centers; WannaCry, a month earlier, was not aimed at Ukraine but caused the same kind of global collateral damage, including to hospitals. They were among the most devastating cyber attacks of all time, and their global reach was unintended. Oops.

NotPetya, aimed at Ukraine, accidentally cut globally like a hot knife through warm butter, from network to network and nation to nation, seeping into the critical systems of some of the best-defended companies. Read Wired’s excellent coverage of NotPetya.

IT isn’t ready for IIoT


The firewall vendors warn you to patch and segment, segment, segment. How many skilled security experts will it take to protect you? How many lines of code? How many ACLs? The answer: you’ll never have enough resources. See this 102-second explanation from former Wall Street infrastructure analyst Gabe Lowy on the futility of the firewall in the age of IIoT:

“So if you’re an organization moving IIoT data from your OT systems across your network into IP analytics systems or software, that’s lateral movement. Your firewall, traditional firewall, just not going to be able to handle that and protect against it…”

From Geeks and Greeks to Rolling Stones

That brings us to another insight from the ancient Greeks: the myth of Sisyphus. The firewall and segmentation problem is, at its core, a scale and resilience/availability challenge exacerbated by the direct link between skills shortages and human error in the security chain. Every step up the mountain, a step back. All the while the attack surface grows and the attack vectors proliferate.
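The scale-and-human-error argument above can be made concrete. The following is an added example, not code from this post, from Tempered or from Gabe Lowy’s paper: it counts the allow rules a zone-to-zone matrix needs as the number of device classes grows, and runs a shadowed-rule check, the classic mistake in large rule bases where an earlier broad rule silently swallows a later, more specific one. All zones, address ranges and rules are constructed for illustration and match no real network; first-match semantics are assumed, as on most firewalls.

```python
"""Added example: models two halves of the 'segment, segment, segment' problem.
1. Rule count for a zone-to-zone allow matrix (the scale half).
2. A shadowed-rule check (the human-error half).
Zones, CIDRs and rules are constructed; first-match semantics assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None means any destination port


def rules_for_zone_matrix(zones: int, flows_per_pair: int) -> int:
    """Allow rules needed when every ordered pair of zones carries
    `flows_per_pair` distinct flows: n*(n-1)*f, quadratic in the zone count."""
    return zones * (zones - 1) * flows_per_pair


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`.
    Actions are irrelevant: whatever the broad rule does, the narrow rule
    placed after it never fires."""
    proto_ok = broad.proto == "any" or broad.proto == narrow.proto
    port_ok = broad.dport is None or broad.dport == narrow.dport
    return (proto_ok and port_ok
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (earlier_index, later_index) pairs where the later rule can never
    match because an earlier rule already covers all of its traffic."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                found.append((i, j))
                break          # one shadowing rule is enough to report
    return found


# Constructed zones: OT devices feeding telemetry to IT-side analytics.
OT_ZONE = ip_network("10.10.0.0/16")        # pumps, HVAC, building controls
PUMPS = ip_network("10.10.7.0/24")          # infusion pumps, a subnet of OT
ANALYTICS = ip_network("10.20.5.0/24")      # IT analytics collectors
PUMP_GATEWAY = ip_network("10.10.7.250/32")

RULES = [
    Rule("allow", OT_ZONE, ANALYTICS, "tcp", 443),   # all OT telemetry to analytics
    Rule("deny", PUMPS, ANALYTICS, "tcp", 443),      # intent: pumps must not reach analytics...
    Rule("allow", PUMPS, PUMP_GATEWAY, "tcp", 8080), # ...only their local gateway
]
# The deny at index 1 is the operator's intent, but rule 0 already allows the
# pump subnet, so the deny never fires and the pumps can still reach the
# analytics network. shadowed_rules(RULES) reports it as (0, 1).

if __name__ == "__main__":
    for n in (4, 10, 40):
        print(f"{n} zones x 3 flows each -> {rules_for_zone_matrix(n, 3)} rules")
    for i, j in shadowed_rules(RULES):
        print(f"rule {j} ({RULES[j].action}) is shadowed by rule {i} ({RULES[i].action})")
```

Forty zones with three flows each is already 4,680 ordered rules to write, review and keep consistent; the shadowing check is the kind of review that has to be automated at that size, because a human reading rule 1 sees an intent that the firewall will never enforce.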

What could go wrong?


A recent theCUBE panel on IIoT and cyber war concluded that the bad guys were already in your network.  They are being held back by the threat of attacks against their own soft underbellies. But what about private players who are primarily playing defense and have no offensive countermeasures?

What about the digital enterprise that is merely connecting IIoT devices to the internet? Does it launch attacks against bad actors, or does it just pay the ransom? Today I suspect they’re simply paying up or absorbing the losses. Maybe they’ll take out cyber-attack insurance.

The ancient Greeks took exception to rolling stones uphill. It was a notable curse.

Think you can hire and spend your way to the top with your existing security stack? Get Gabe’s paper here.


Posted by: Greg Ness | August 10, 2019

IIoT: Apocalypse Now or Later

The IIoT problem no one has been talking about, despite high profile attacks:

“The hyper-converged infrastructures we’re building because of overwhelming business advantage is putting us at an overwhelming cybersecurity disadvantage.” – Archimedius blog

Had a chance to talk about the problem with John Furrier, Bryan Skene and Gabe Lowy, the author of the recently published paper “Securing Critical Infrastructure against Cyberattack” on SiliconANGLE theCUBE this week: watch the panel on YouTube


If you’re not concerned about the security risks of digitalization then you’re not paying attention. “The level of scale, porosity and risk is unprecedented…”

Right after we mark the anniversaries of two of the most destructive cyber attacks ever launched (WannaCry and NotPetya), a disturbing VxWorks advisory is issued for an operating system running on some two billion IoT devices, and perhaps millions of the affected ones are unpatchable. There is a simple, fundamental equation that no one seems to grasp when it comes to IT skills, resources and capabilities: IT < IIoT.

It’s clear the digital era we’re being pulled into is creating a massive attack surface; and there are not enough people, training courses and/or funds to deploy another layer of traditional firewalls, access control and segmentation solutions fast enough to keep up. And the security and networking cartels would rather sell you more of the same (see below):


This stack is DOA for IIoT. It’s too cumbersome, complex and expensive for the digital era we’re entering (billions of connected devices, many of which are easy targets for getting inside a network). Even worse, none of these solutions was architected for the demands of IIoT. A new paper by unencumbered network infrastructure analyst Gabe Lowy spells out the critical shortcomings of the current network security stack:

Traditional firewall and VPN solutions were not architected for Industrial Internet of Things (IIoT) initiatives.  They were designed to protect against earlier generations of malware.  As such, they are no match for the IIoT threat environment.

      – Gabe Lowy, “Securing Critical Infrastructure against Cyberattack” – August 2019

His five requirements (availability/resilience; scale; visibility; management; and security) will certainly stir the pot with the traditional network stack vendors. I’ll share a link to the paper in August when it’s published.

It is readily apparent that the network security stack has arrived at the same place it was in the 1990s, with the advent of the firewall in response to primitive worms and viruses attacking small pockets of connected networks (what we then called the information superhighway). Yet that highway was nothing compared to today’s emergent digital era.

What the New Equation Means in Terms of Risk: “We’re not in Kansas Anymore”

What’s at risk beyond the new ability to compromise physical spaces, from lighting to water, employee and customer access, patient care and diagnosis, production lines and transportation? The basic tenets of the digital era… or, some could say, the tenets of western civilization itself. Hyperbole, you say? Well, read this sobering report on the prospects for cyber war, based on Richard Clarke’s new book (The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats), and how this new reality levels the playing field between the “superpowers” and the isolated upstarts once solely obsessed with nuclear weapons:

In the real world, Iran does have significant offensive cyber capabilities. The barrier to entry to having a meaningful cyberwar offensive force is low. Countries that could never defeat the United States in a purely conventional military battle can pose significant asymmetric risks to us in cyberspace.

– Fast Company Editors reviewing Richard Clarke and Robert Knake’s The Fifth Domain

A new approach is needed. But first we have to realize that IT < IIoT.

The hyper-converged infrastructures we’re building because of overwhelming business advantage is putting us at an overwhelming cybersecurity disadvantage.

Future In Review: See You There?

I’ll be talking about this paradox at Future in Review on a panel entitled: IT isn’t ready for IIoT with Steve Fey, CEO of Totem Building Cybersecurity; Anne Hardy, Chief Security Officer at Join Digital; and Derek Harp, Founder of CS2AI.


The advantages of digitalization are well documented and understood, especially in health care.  Patients, for example, benefit when their doctors can access critical data by simply plugging a device into a wall jack. That wall jack typically connects to every other connected device in the hospital.  If the hospital is part of an MPLS network then the scale of access and convenience is even greater.

Patients benefit because those caring for them are more productive, more knowledgeable and faster to respond. The problem, however, is that easy access can extend beyond the wall jack to the internet.


Digitalization can expose more critical care processes and controls to the internet and that’s a big problem.

Two years ago this week WannaCry took down hundreds of thousands of systems globally in a matter of hours, including about a third of England’s hospital trusts and 8% of the nation’s general practitioner offices. In June we’ll note the anniversary of NotPetya, one of the most devastating cyber attacks of all time. Like WannaCry, it had devastating impacts, including on hospitals and clinics. And WannaCry is still out in the wild, continuing to infect computers:

In its global list of countries where WannaCry variants have been detected over the past two years, India is at the top with 727,883 WannaCry infections, followed by Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814).

– Dev Kundaliya, WannaCry remains a serious IT security threat worldwide, researchers warn, May 2019

While tens of thousands of appointments, including surgeries, were cancelled or rescheduled, no one has yet died because of a cyber attack. Hospitals are starting to realize that there are thousands of connected devices that, if breached, could hurt or even kill someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

A recent study predicted that by 2020, 70% of medical devices will be running on unsupported, insecure operating systems, many of them tied to patient care (CSO Australia):

Some 38 percent of connected devices related to patient identification and tracking systems, while 32 percent were infusion pumps, 12 percent patient monitors, 5 percent point-of-care testing, and 3 percent medication dispensing systems.

               – David Braue, For breach-weary healthcare CISOs, Internet of Medical Things is yet another headache, May 2019

There are scores of vulnerable medical devices (see Melanie Evans and Peter Loftus, “Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security”):

The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.

The situation is getting worse just as we commemorate the rise of powerful cyber attacks and ransomware:

Reports show that ransomware and other cyberattacks are on the rise — and health care is one of the biggest targets. Just this week, researchers in Israel announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, Kim Zetter reports for The Washington Post.

Hospitals are attractive targets because they have a shared infrastructure. Like an airport, they also have lots of third-party vendors working on the same L2 network through hundreds of VPNs, some connected directly to critical care equipment. Gift shops, vending machines, biomedical services and laboratories can also share that same common network.

Hospitals often have no idea what’s on their network at a particular moment. They’re often using networks built incrementally over decades, and no one ever made a map. Very few have done any inventory of connected devices, and those devices can be plugged into and unplugged from the network in seconds. Many of them are running outdated and unpatched operating systems.

Around 10% of the devices on hospital networks run outdated operating systems (Windows XP and Windows Server 2003, for example).
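The map that no one ever made does not have to start with a full discovery project. The following is an added example, not code from this post or from any vendor named in it: a passive inventory built from DHCP lease events, which answers three questions the text raises: what is on the network and which of it nobody registered, which devices come and go (plugged in and unplugged in seconds), and which known devices run an operating system past vendor support. The log lines, asset register, device names and addresses are all constructed for illustration; the line format imitates a dnsmasq-style DHCPACK message but is not a capture from any real network.

```python
"""Added example: passive device inventory from constructed DHCP lease lines.
Nothing here is captured from a real hospital network; the register, the
log and the hostnames are all made up for illustration."""
import re
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed asset register, i.e. what a CMDB should hold: MAC -> (name, OS).
ASSET_REGISTER: Dict[str, Tuple[str, str]] = {
    "00:1a:2b:3c:4d:01": ("infusion-pump-07", "Windows XP"),
    "00:1a:2b:3c:4d:02": ("pacs-archive-01", "Windows Server 2003"),
    "00:1a:2b:3c:4d:03": ("nurse-ws-12", "Windows 10"),
}

# Vendor end-of-support dates for the two operating systems the text names.
END_OF_SUPPORT = {
    "Windows XP": datetime(2014, 4, 8),
    "Windows Server 2003": datetime(2015, 7, 14),
}

REPORT_DATE = datetime(2019, 5, 14)   # the day the constructed log covers

# Constructed lease log: timestamp, DHCPACK, leased IP, client MAC, hostname.
SAMPLE_LOG = """\
2019-05-14T09:12:03 DHCPACK 10.30.4.21 00:1a:2b:3c:4d:01 infusion-pump-07
2019-05-14T09:12:40 DHCPACK 10.30.4.22 00:1a:2b:3c:4d:03 nurse-ws-12
2019-05-14T09:15:10 DHCPACK 10.30.4.50 00:1a:2b:3c:4d:99 vendor-laptop
2019-05-14T09:16:00 DHCPACK 10.30.4.51 00:1a:2b:3c:4d:02 pacs-archive-01
2019-05-14T11:02:17 DHCPACK 10.30.4.53 00:1a:2b:3c:4d:99 vendor-laptop
2019-05-14T13:40:05 DHCPACK 10.30.4.60 00:1a:2b:3c:4d:99 vendor-laptop
2019-05-14T13:41:33 DHCPACK 10.30.4.21 00:1a:2b:3c:4d:01 infusion-pump-07
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: (?P<host>\S+))?$"
)


def parse_leases(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, ip, mac, hostname) per DHCPACK line; other lines are skipped."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower(), m["host"] or ""


def build_inventory(text: str) -> Dict[str, dict]:
    """Fold lease events into one record per MAC: first/last seen, addresses, names, lease count."""
    inv: Dict[str, dict] = {}
    for ts, ip, mac, host in parse_leases(text):
        rec = inv.setdefault(mac, {"first_seen": ts, "last_seen": ts,
                                   "ips": set(), "hosts": set(), "leases": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["ips"].add(ip)
        rec["hosts"].add(host)
        rec["leases"] += 1
    return inv


def unregistered(inv: Dict[str, dict]) -> List[str]:
    """MACs seen on the wire that the asset register knows nothing about."""
    return sorted(mac for mac in inv if mac not in ASSET_REGISTER)


def transient(inv: Dict[str, dict], min_leases: int = 3) -> List[str]:
    """Devices that keep re-leasing from different addresses: the plug-and-unplug crowd.
    A fixed device renewing the same address (the pump above) is not flagged."""
    return sorted(mac for mac, rec in inv.items()
                  if rec["leases"] >= min_leases and len(rec["ips"]) > 1)


def past_end_of_support(inv: Dict[str, dict], today: datetime) -> List[Tuple[str, str]]:
    """Registered devices actually seen on the network whose OS is past vendor support."""
    hits = []
    for mac in inv:
        if mac in ASSET_REGISTER:
            name, os_name = ASSET_REGISTER[mac]
            eos = END_OF_SUPPORT.get(os_name)
            if eos is not None and eos < today:
                hits.append((name, os_name))
    return sorted(hits)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LOG)
    print("unregistered:", unregistered(inventory))
    print("transient:   ", transient(inventory))
    print("unsupported: ", past_end_of_support(inventory, REPORT_DATE))
```

On the constructed log the vendor laptop shows up as both unregistered and transient, the pump and the PACS archive are flagged as past end of support, and the pump’s two leases of the same address are correctly not treated as churn. A real deployment feeds the same functions from the DHCP server’s log or from ARP tables on the access switches, and the OS column comes from the register rather than from the wire.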

So as hospitals converge OT and IT infrastructure, new demands, from a growing attack surface to vector sprawl, confront firewalls and segmentation solutions that were architected for quite different challenges. See Happy Birthday WannaCry.
