With Black Hat 2017 and DEFCON rapidly receding into the desert sunset, I am left with a couple of thoughts after several days on the show floor talking to customers:
1. Wow! So many fidget spinners – cheap ones, expensive ones, plastic, metal, ones that lit up, ones that didn’t, and ones that were supposed to, but didn’t. The go-to schwag for vendors this year was the fidget spinner.
2. There was a lot of interest in the security of industrial controls.
I’m not sure which topic you find more interesting, but I am going to assume for the moment that industrial control security has at least a passing interest here. While I find industrial control security intrinsically interesting, what I found more interesting was the wavering concern in the industry as a whole. For example, two years ago at DEFCON, there was a fascinating Industrial Hacking village, but last year and this year there was not – although the Voting Village was eye-opening. And yes, the hacking of voting machines goes to the core of what makes a democracy viable: the integrity of the vote.

But what a lot of folks don’t seem to realize is that industrial controls are everywhere and in use every day. My latest example comes from an article about how easy it was for someone to hack a car wash. Seriously… who does that? If you read the article, you will see that it has been done and quite easily, too.

Humans, in general, are a lazy bunch if you think about it. Whenever we are tasked with a strenuous, expensive or tedious task, we will find a way to automate. In ye olden times, car washes were populated by a lot of employees rinsing, scrubbing and drying cars. These days, you have the one guy who presses the button to start the wash as your car moves through and various robot arms perform the tasks formerly done by what our future robot overlords call "meat bags." But as illustrated by researchers, these controls in the hands of the pirate can be used for various forms of mischief.

More and more everyday actions are getting automated. Machines have been sorting packages and letters for decades. Amazon, UPS, FedEx and the post office, to name a few, have been relying on these systems for quite a while – but drone delivery? That’s new. Self-driving cars? Check. Security robots? Check. Hell… they even get depressed. As long as the good humans are in charge of everything, I have no fear of advancing technology.
I worry, though, that the good humans aren’t paying enough attention to ensuring that the systems controlling their robots and other automatons are secure. When the pirates (who are always jiggling the door knobs) gain control of the good guys' technology, it’s us regular humans who get hurt.

Having worked with more than a few security contractors who provide physical security for important people, there is an adage that gets tossed around: We have to be right 100 percent of the time. The bad guy only has to get lucky once. The same goes for industrial controls. The bad guy is out there and he is always trying new things. Unfortunately, the good guys aren’t even batting .300 when it comes to keeping them out. Who knows what would happen if the robots took over like they almost did at Facebook.

In the non-industrial space, we are always talking about foundational controls. Those basic things that, when performed diligently, stop the majority of bad humans from doing less than fun things. For those who operate in the industrial spaces, though, it’s almost a foreign language. If it gets in the way of their automation, they don’t want anything to do with it. That’s just great – right up until the bad human or evil robot overlords take your efficient little robot and make it efficiently fill your car with water. We all better learn some robot language soon… beep beep boop…