Dan Patterson speaks to cybersecurity expert Robert Lee about the capabilities of Russian hackers as well as the risks IoT and industrial IoT pose to smart cities.
CNET and CBS News Senior Producer Dan Patterson spoke with Robert Lee, founder and CEO of cybersecurity company Dragos, Inc., about the risks emerging technologies like IoT pose to smart cities and their infrastructures, as well as Russia’s involvement with hacking US elections. The following is an edited transcript of the interview.
Robert Lee: I think it’s very fair to say that we’ve been compromised and we’ve had attacks that have taken place that weren’t necessarily targeted. As an example, there were the WannaCry and NotPetya attacks, basically ransomware, but styled to go after specific entities that ended up spreading after the fact.
Those sort of caught the news for big impacts like Mariska American and having hundreds of millions of dollars in downtime, but those were only two or three cases that were public, and there have been dozens more infrastructure companies that have lost operations, had financial impact, or that have been attacked by any means.
It just wasn’t necessarily targeted towards them. They just were sort of collateral damage, but the effect is still the same. We still had massive economic damage due to a cyberattack that I think five or six different governments came out and attributed to Russia.
Dan Patterson: Actually before we get to Internet of Things (IoT), let’s talk a little bit about Russia. There’s just been a lot of chatter about Russia as a threat actor or Russia hacked elections. What are the true capabilities of an actor like Russia? Are they able to get into systems?
Obviously, we know through phishing, but in other ways there are fears and there is also probably a lot of FUD out there. There’s simply uncertainty that creates myths. Where do you see the reality when we look at a document like the Mueller Report? Help us get a sober take on hacking like that from a threat actor as capable as Russia.
Robert Lee: When you’re talking about compromising Democrat National Convention infrastructure, that’s the land that any decent threat actor could be. So that’s not even the capabilities of Russia. It’s not some kid in the basement, but it is absolutely any sophisticated team could have pulled something like that off. When you’re talking, taking down electric infrastructure or energy, that’s when you’re talking about the real A-players. That’s a Russia, that’s a China, that is a maybe North Korea and Iran, but still kind of suspect on that.
But when you’re talking about Russian capabilities specifically, we’ve seen them run the gamut and they are quite sophisticated. So I think there’s a lot of FUD out there and a lot of fear, uncertainty, and doubt on the impact that’s going to come. I think a lot of people misunderstand the impact from such attacks, but the ability to orchestrate and accomplish those attacks, if it’s possible, or if we can think of it and go, “Yeah, that makes sense to be something you could do in this space,” then Russia would be one of those sorts of actors that could accomplish it.
Dan Patterson: Now, my favorite part, we’ll keep this fairly tight, but emerging technologies, particularly when we look at cities, we hear a lot of chatter about smart cities and smart infrastructure that’s reliant on the Internet of Things and many of those IoT devices will be industrial Internet of Things. However, so many IoT devices have terrible passwords. They are simply not maintained with firmware updates. What are the emerging risks that are parallel to emerging technologies?
Robert Lee: It’s useful to define things, right? When we think of IoT, some folks will think in the context of industrial, everything from IP addresses now on sensors to robot arms to interconnected devices that previously were not. On the other side, we have the folks that think of [Amazon] Alexa and “Hey Google” in Google Home. I would say the prevalence of IoT in our infrastructure is not to a level that is exposing some unique risk.
Our interconnected plants and our interconnected infrastructure are now exposing quite a bit of risk. I think the IoT discussions for more of your enterprise type environments, banks, insurers, so forth–that’s exposing risk for them in terms of access. The community is going to have to take a hard look at how they’re doing security on that. As you mentioned, they’re largely designed to be the cheapest product possible to ship out. You’re doing it in large quantities, it’s a race to the bottom. That’s where smart regulation might make sense.
On the other end of the spectrum is more of that industrial kind of infrastructure where, electric power, the grid providers don’t get a lot of credit, they’ve been doing a lot of security over the years. They need to do more, but they’re doing a ton. And when we look at now interconnected environments and plants, now we need to think of that new risk. I can think of advanced manufacturing as an example, connecting plants that have never been connected before, maybe with a hundred plants around the world or more. That is a whole order of magnitude of risk that boards aren’t thinking about at those companies.