Not far from San Francisco International Airport, San Bruno is a quaint middle-class residential suburb, yet underground in San Bruno was a gas pipeline controlled by SCADA software that used the Internet as its communications backbone. On Sept. 9, 2010, a short circuit caused the operations room to read a valve as open when it had actually closed, spiking the readings coming from pipeline pressure sensors in different parts of the system. Unbeknownst to the families returning home from ballet and soccer practice, technicians were frantically trying to isolate and fix the problem. At 6:11 pm, a corroded segment of pipe ruptured in a gas-fueled fireball. The resulting explosion ripped apart the neighborhood. Eight people died. Seventeen homes burned down. The utility, PG&E, was hit with a $1.6 billion fine.
The accident investigation report blamed the disaster on a sub-standard segment of pipe and technical errors; there was no suggestion that the software error was intentional, no indication that malicious actors were involved. “But that’s just the point,” Joe Weiss argues. “The Internet of Things introduces new vulnerabilities even without malicious actors.”
Joe Weiss is a short, bespectacled engineer in his sixties. He has been involved in engineering and automation for four decades, including fifteen years at the respected Electric Power Research Institute. He has enough initials after his name to be a member of the House of Lords—PE, CISM, CRISC, IEEE Senior Fellow, ISA Fellow, etc., all of which speak to his expertise and qualifications as an engineer. For instance, he wrote the safety standards for the automated systems at nuclear power plants.
The problem, Weiss claims, is using the internet to control devices that it was never intended to control. Among these are industrial systems in power plants or factories, devices that manage the flow of electricity through the energy grid, medical devices in hospitals, smart-home systems, and many more.
The quintessential icon of the Internet of Things (IoT) and the darling of Silicon Valley techies and entrepreneurs is a round, wall-mounted gadget called Nest. Invented by two former Apple engineers, Nest was bought by Google for $3.2 billion in cash. Essentially a thermostat connected to the internet, Nest also has software that learns your behavior and adjusts the temperature in your house on its own. It also checks the internet for the weather in your zip code and adapts accordingly. More recent models of Nest are linked to door locks, lights, window shades, and cameras. Unlike most of the IoT, which is hidden from consumers inside of machines, whirring in factories and office buildings, Nest occupies a prominent place on the wall of the home; indeed, it controls the home, and it has become quite popular within the consumer electronics industry in recent years.
However, in mid-January 2016, there was a little problem with a software update from the month before. New York Times reporter Nick Bilton described his personal experience, “The Nest Learning Thermostat is dead to me, literally. Last week, my once-beloved ‘smart’ thermostat suffered from a mysterious software bug that drained its battery and sent our home into a chill in the middle of the night.”
“Although I had set the thermostat to 70 degrees overnight, my wife and I were woken by a crying baby at 4 a.m.” His Nest had died, its battery depleted by the software glitch. Thousands of other Nest users also woke in the cold because when the Nest died, it shut off the heat. Other users complained that their home alarm systems had triggered in the middle of the night for no apparent reason, ripping them from deep sleep into a state of panic. Nest apologized and suggested that users perform a complex nine-step process to revive their home-control systems.
The bug had taken advantage of an existing computer network. This computer network, transparent to most of us, is a critical part of the global infrastructure. It is known as the Internet of Things, the IoT. “The Internet of Things is just a marketing term that somebody thought up long after millions of machines were already networked,” Weiss explained to us, “And most of them are networked in ways that can be accessed, perhaps indirectly, from the public internet.” It is that understanding, that everything is connected, that keeps Joe Weiss up at night.
Joe Weiss’s concerns were confirmed in Oct. 2016, when over 100,000 video surveillance cameras connected to the internet were compromised by a hacking group, turned into a botnet, and then used to launch a flood of internet traffic—a distributed denial of service (DDoS) attack—on one of the largest internet address lookup sites, the Domain Name System servers. The result was that hundreds of large internet sites were unavailable until the attackers turned off the flood. The cameras lacked a firewall to protect from malicious software. Often, devices similar to those cameras require a password to access them, but equally often the manufacturer writes its own password in the source code so that it can always get in. Once this so-called hard coded password becomes known on the internet black market, the devices are easily enslaved for malicious use. With billions of such devices going online in the latter half of this decade, the potential number of bots is enough to disrupt the internet itself, and any site or network on it.
One market where the Internet of Things purveyors are pressing for widespread adoption is medical care. According to one estimate, the IoT-medical market could reach $117 billion by the end of the decade. The device types that are or will soon be netted into the IoT include pacemakers, implantable cardiac defibrillators, insulin pumps, IV pumps (including those for prescription painkillers), and heart-lung machines. The advantages seem obvious. These devices could detect medical problems and perhaps even administer treatment without the help of a doctor.
The problem is that the healthcare industry, which is rushing headlong into the IoT, has a bad track record when it comes to cyber security. BitSight, a Boston firm that ranks companies for their level of cybersecurity, compared five industries: health care, finance, retail, utilities, and federal agencies. Health care, represented by 2,500 companies in the survey, placed dead last. Veracode, another Boston cyber company also looked at five industries, but with a different metric. It asked what percentage of known vulnerabilities in software were fixed. In manufacturing, over 80 percent of the problems had been addressed. In medicine, it was half that number. In fact, more than three quarters of all medical software applications currently in use have a known vulnerability.
These vulnerabilities in the healthcare sector were highlighted in a big way when the UK’s National Health Service (NHS) was struck by the “WannaCry” ransomware in May 2017. Thousands upon thousands of computers had their contents encrypted, and operators could only regain access by paying the creators of the malware hundreds of dollars. In the wake of the malware’s proliferation, the NHS had to cancel thousands of scheduled operations and appointments, putting lives at risk and creating an enormous disruption of medical services in the U.K. This problem is driven in large part by the nature of healthcare technology itself, which often discourages administrators from upgrading their systems. Medical devices regularly run on software so old that the manufacturers no longer issue new “firmware” upgrades for them, essentially meaning that the devices don’t know how to speak to newer, more secure operating systems. Thus, if administrators were to upgrade the operating systems for their computers, their medical devices would no longer work.
Medical devices and other existing machines being tied into the IoT do not have the processors or memory to act quickly enough to process even simple security measures, Weiss says. “Simply performing a virus definition update on an older control-system processor can cause anywhere from a two-to six-minutes of downtime. That’s just doing your daily virus definition update!” As a result, Weiss believes that the first step in securing the IoT is to build entirely new devices with faster processors and more memory. In essence, hundreds of billions of dollars’ worth of machines need to be replaced or upgraded significantly.
Beyond the technical reasons for these huge hacks occurring, the problem is cultural too. Even when software companies do create patches to fix newly discovered vulnerabilities, people are rarely vigilant about installing updates. This is the reason why Microsoft, in particular, has made it increasingly more difficult to avoid installing security patches and software updates with their Windows 10 operating system. The recent chaos caused by WannaCry at the NHS will likely move the needle in terms of how quick healthcare administrators are in upgrading their systems, but the industry has a very long way to go. More fundamentally, until cybersecurity is seen as a legitimate and immediate concern by a large swath of consumers and businesses alike, we will continue to hear about massive service disruptions in the digital sphere. In the interim, the internet is and will remain the new Wild West for online criminals.