Expert Insights with CyberEdBoard


The Troublemaker CISO: Killware

Security Director Ian Keller Asks: Should Critical Systems Be Connected to the Web?
Ian Keller, security director and CyberEdBoard executive member

Have I been under the wrong impression that critical networks must be protected to the nth degree?

As you reluctantly wake up to the beeping of your alarm embedded in your shiny new iPhone or Droid, you realize that for some reason your phone is now on your chest and not on the nightstand where you left it. Strange … As your cognitive abilities reach Max Q, your phone starts to morph into a tiny little robot and attempts to strangle you to death. It's like a scene from "Transformers." Killware is here!


Killware is a hack of critical services and/or infrastructure that can lead to the loss of life. No, your phone is not going to strangle you. Well, not yet, anyway. And the COVID-19 vaccine did not introduce nanites that can blow up your cerebral cortex. But an anti-killware app will be released shortly, perhaps rebranded as an EDR solution. And so will a Cerebral Cortex Isolation Shield - otherwise known as a tinfoil hat - for those pesky little nanites.

Killware Kills

There are tons of cases in which hacks have or could have caused loss of life. Allegedly, a superpower used Stuxnet to take out an Iranian nuclear power reactor, and if things had gone wrong - Boom! Chernobyl 2. Hackers recently held hospitals to ransom, which led to the loss of life. They have also messed around with all sorts of critical infrastructure since the dawn of the internet.

Back in the day, one bright spark hacked into a South Korean government installation and launched a cyberattack on North Korea that almost resulted in bullets flying over the DMZ. The list goes on and on.

But suddenly killware is being marketed as something new. It's like "cyber" - just a fancy new term dreamed up by someone who needs a new revenue stream because their gold mine tapped out.


Make no mistake: The threat is real. We have been preaching this for 30 years, but adding a moniker like "killware" won’t help solve the problem, which is that the more you connect to the internet, the more you place at risk. Some things just should not be on the web at all, no matter what.

Why should the power grid - or hospitals, water treatment plants or your pacemaker - be internet-accessible? I can dream up a metric ton of reasons why it is, but none of them are good enough to warrant the risk.

What I wrote in my rant on why we are getting hacked applies here: We are either just too damn lazy for our own good, have a limited understanding of the risk we are taking, or want to impress someone. For the longest time in human history, we did not have anything connected to anything else, and we managed to thrive. Now it seems we can only grow if we put things on the web.

What is driving this insatiable lust for internet connectivity on all things? Is it just so we can say, "Siri, give me a heart attack and unlock all the doors, start my car and feed the cat"?

Protecting Critical Networks


We have air-gapped networks, which are essentially two networks physically and logically separate from one another, with separate PCs, network cables, servers, routers, switches - everything. They are specially designed for critical infrastructure, to keep things separate from one another, the way it should be, in a hardened structure with multiple levels of authentication to go through before you can gain access to the physical infrastructure. Sharing information between the two networks is only done at one location, and the sharing infrastructure is hosted in a multilayer DMZ with strict rules on what goes where, when and how, if allowed at all.
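The single-hand-off DMZ design described above, as an added example that is not code from the column: a small default-deny zone policy in which only one designated host may push data from the critical network into the DMZ, only the DMZ relay may push onward to the corporate side, and nothing may initiate inbound to the critical network or give it an internet path. Zone names, host names and the sample flows are constructed for illustration.

```python
"""Zone-policy evaluator for an air-gapped design with one DMZ hand-off point.
Constructed example, not the column's code: the critical and corporate networks
exchange data at a single location, via a DMZ, under explicit rules only."""
from dataclasses import dataclass

# Zone names are assumptions for illustration.
CRITICAL, DMZ, CORPORATE, INTERNET = "critical", "dmz", "corporate", "internet"

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_host: str  # host that initiates the connection
    proto: str     # e.g. "tcp/443", "tcp/502"

# Allow-list of (src_zone, dst_zone, initiating host, proto). Only the
# designated transfer host may push into the DMZ, and only the DMZ relay
# may push onward to the corporate side. Anything not listed is denied.
ALLOWED = {
    (CRITICAL, DMZ, "ot-transfer-01", "tcp/443"),
    (DMZ, CORPORATE, "dmz-relay-01", "tcp/443"),
}

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one connection attempt."""
    ends = (flow.src_zone, flow.dst_zone)
    if INTERNET in ends and CRITICAL in ends:
        return False, "critical network must never have an internet path"
    if flow.dst_zone == CRITICAL:
        return False, "nothing initiates inbound to the critical network"
    if (flow.src_zone, flow.dst_zone, flow.src_host, flow.proto) in ALLOWED:
        return True, "explicit DMZ hand-off rule"
    return False, "default deny"

def audit(flows: list[Flow]) -> list[str]:
    """Describe every flow the policy refuses, for review of a proposed design."""
    return [f"{f.src_host}: {f.src_zone}->{f.dst_zone} {f.proto}: {reason}"
            for f in flows for ok, reason in [evaluate(f)] if not ok]

# Constructed sample: one legitimate hand-off, one direct OT->corporate hop,
# one inbound remote-access attempt and one internet-bound OT host.
SAMPLE = [
    Flow(CRITICAL, DMZ, "ot-transfer-01", "tcp/443"),
    Flow(CRITICAL, CORPORATE, "plc-hmi-07", "tcp/445"),
    Flow(CORPORATE, CRITICAL, "vpn-gw", "tcp/3389"),
    Flow(CRITICAL, INTERNET, "plc-hmi-07", "tcp/443"),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all flows permitted")
```

Running the audit over a proposed design's flow list surfaces every path that would bypass the single hand-off point before anything is wired up.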

This system allowed us to keep stuff safe and stop the bad people from harming anyone else, including themselves. Though I hate the fact that people dream up these phrases to gain podium time or generate new sales, the fact is: "Stupidity kills."

When we allow networks and systems that were built to sustain life to connect to the World Wide Web, we are just looking for trouble. Have you not watched "WarGames"? The movie, which came out in 1983, is an exceptional initial lesson in why you don't connect these systems to the web.

Who Is Accountable?

In my career, I have defended networks whose compromise could lead to the loss of life, and I did everything in my power to make sure that those I defended made it home … by not doing something stupid.

For the normal user, there are risks, and sometimes serious risks, which you accept when you connect devices to the web. The same goes for your traditional business. But critical systems? This is something that you should do only in exceptional circumstances and only if you have the money to throw at it. In my mind, you should face a panel of industry leaders to ratify your designs even before you can consider it.

I would also like to see something on proper disclosure, but that is for next month's rant.

Now, I sit here and wonder: If you put something on the web and your actions cause the death of another person, should you be charged with murder or manslaughter? Who is accountable?


About the Author

Ian Keller, who is director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.
