We turn back again to a reality check, this time with a company. Probably, if I know right, from the largest company in the world right now dealing with IT and OT, and this is GE, and we have the honor of welcoming the chief information security officer hunts, poin, please give him a hard, welcome. Hello. Glad to have you here. So what do you think about what we've said so far? What's your first impression?
Very interesting. I like the, actually the previous presentation about risk being a trade off.
I think I will try to scare you a little bit and hopefully you will tell me what the benefits are because I will focus on the risks in the real world.
Okay. Thank you very much. It'll be very interesting to hear you talk. Thank you.
There is something to push buttons and greenness forward.
Yes, it says so. By the way, the think security was done by a 12-year-old neighbor. He asked me one day, NCE, what are you doing? And I told him what my job is. And five minutes later, he gave me this. So I like that very much. The usual disclaimer, I mean, I'm here, let's say, privately. So anything I say is not an official statement of GE. I just have to point this out. Have you seen this cartoon? It's actually 12 or 13 years ago. At the time it was only a cartoon, but now it's almost reality.
If you read the news recently, you would find that American Airlines and some of the airplanes, the pilots now have iPads where they have vital information of the plane on the iPad. And recently a plane had to turn back because the iPads didn't display something with the Wi-Fi and the plane was wrong.
Not far away, somebody, not through Bluetooth but using Wi-Fi, may be able to hack into the electronics of an airplane and maybe take it over. We are not there yet, but the FAA is already issuing very clear warnings that there must be clear Chinese walls, air gaps or whatever.
But this, when I saw this, I thought it's probably the best cartoon that depicts what I want to talk about. And I want to talk about risks to the analog, the real world, and this new book from Bruce Schneier has a great, a great subline there, where it says, control your world.
You know, we think digital, mostly those of us who are IT people, but now, and we are already in there and it's gonna continue at an incredible speed, the digital world controls the analog world, the real world.
I mean, we humans. We are, we analog and we, we, we taste, we smell, we see, we touch all these things are analog. The entire world is analog.
The, the real world isn't digital, but all of a sudden we're bridging this gap here.
I'm not gonna talk much about the perception of threats because there is a great presentation, I believe tomorrow, just on the perception of threats that will allude to this. But it's always interesting that when threats are there, mostly the public doesn't realize them until something drastic happens. By the way, the sunburn example and the sunscreen was the same thing. Nobody thought about sunburns until this was all properly researched.
9/11 was a physical event, and from then on terrorism was in everybody's mind. Before that, it was only a few people that thought about it. The internet of things, what I want to allude a little bit about, is a similar thing. Right now, there's just a few professionals that think about the risks that are associated with the internet of things. There are some indicators that the public becomes aware of it. Stuxnet.
You all know what that was, the thing that damaged the Iranian atomic centrifuges. Just a few weeks ago, the TV5Monde happening, the coverage was all over the press.
We will have more incidents where the real world is being hacked. I mean, in case you forgot what the TV5Monde thing was, they, hackers, took down an entire TV station that couldn't broadcast anymore. So it was not just stealing some money.
I mean, that was bigger. So more of these things will happen. And what then typically happens is the public overreacts.
I mean, look at the, as Bruce Schneier calls it, the security theater that we have at airports these days, which was the result of the 9/11 thing. Does all that make sense? Probably not. But the public is just asking for this security theater to feel more secure.
The common perception of internet of things today is, oh, it just collects data. It collects all these things. There's even light bulbs now with IP addresses, your refrigerator, your toaster, and all these things. That's the public perception. So it's all about confidentiality of my data.
And I don't want to give away my data, but you know, the old CIA, the confidentiality, integrity, availability, I think integrity and availability will be the much more interesting thing, which by the way, in the digital world, it is as well. If somebody changes the bank account in a trans..., in a money transfer and the money goes to the wrong bank account, that's an integrity breach. So integrity and availability of the real world, that is what we have to think about.
I'm not gonna name the company, but probably most of you will know which company this is about.
There's a car maker in Germany, where there is an option on the car to connect the car to the internet. And you could actually remotely hack into the car, slide down the windows, then just reach inside and just open the door. The traffic was not encrypted. And the ID of the car was the chassis number. That was all the raised. The German computer magazine c't has a great writeup about all the details, and this little box that you see there, the gray box, that's a thing in the internet of things.
So when we say internet of things, we really should reflect on what are these things and what about integrity and availability? In this case, it's an integrity breach.
I mean, nobody was supposed to open the car other than the owner of the car, but everybody could do it.
Traffic lights. I'm not gonna read this slide. You can do this yourself. But apparently it is possible to just hack into a traffic control system and just change the traffic lights. And actually this has happened to me some years ago, and that was not a hack, but I know what I'm talking about, where at a crossroads the traffic lights in all directions showed green. And I actually got into an accident. My car was badly damaged.
Nothing happened to me, gladly, airbags and all these good things. The other one was a truck. Nothing happened to him at all, but just imagine somebody could just cause chaos in a city by just, you know, playing with the traffic lights. And if you read this, it is possible. This is one of my favorites. Now we are getting really analog in the real, any world. Now we're talking about killing people. Has anyone of you attended Black Hat in 2011?
So you know what I'm talking about. There was this great team that showed a hack where, I mean, there's insulin pumps. Yes.
Those of you who have insulin pumps know what I'm talking about. They inject insulin, so you don't have to inject it manually.
They permanently do this. And then there are sensors that measure the blood sugar level of your blood. And so you have this closed loop: depending on what your blood sugar level is, the insulin pump will give more or less insulin. And those two things communicated wirelessly. And the guy that did the presentation hacked the wireless connection. That means you can override the signals and give the insulin pump wrong readings, resulting in either too much insulin or no insulin. Both are lethal. You can kill a person with a digital attack if you want to.
It's just life, right?
Turning off power and water grids. Well, that has been discussed in the press several times, turning it off. So there is no water. There is no power, but think about what would happen if you program or hack it, such that it malfunctions.
I mean, no function means no water. Ah, you still have a couple of bottled waters and you can drink beer, you know, for the fluid.
And eventually, you know, the fire brigade will come along and bring some water. And we see this on TV, but just imagine somebody would be able to manipulate the water treatment station such that the water is poisoned.
And again, you can kill people. Stuxnet. I mentioned that before. Stuxnet was a weapon, Stuxnet was a weapon made out of code, probably the first weapon that was completely made out of code. It's open source. You can download the code if you want to. So the debate was always around who did it? I think the much more interesting question is who will do it again and what will they attack next with a similar scheme? Bruce Schneier. I think I mentioned him before, my favorite author. I guess I read all his books and his newsletter.
Again, I'm not gonna read all this, but if you take the red line, there's so many reputable firms in the world that have been hacked. How sure are you that you and your products will not be hacked? You shouldn't be sure. I think you should assume they will be hacked. Any product, any service that you provide will eventually be hacked.
It will, it will. It will happen.
This is just, you probably have seen similar pictures, just the explosion of devices on the internet of things. So my conclusion again: attacks against anything on the internet will happen. And if you produce any product, any piece of machinery with embedded code eventually will be internet connected and eventually will be attacked. And eventually the attack will be successful. So you have to be prepared.
I mean, you should take all the measures to avoid this, but you should always focus also on what do you do if it does happen?
Resilience to me is a key word, which we haven't used much in the past. It was protect, detect, or prevent, detect, react. I think resilience is really a key word that will enter the CISO's world in the future. We must understand the things that we control.
I mean, even such a mundane thing as a toaster, you can probably set a house on fire, you know, if you hack into a toaster and manipulate it somehow. So we must work with the engineers that produce these products. It's no longer just the digital things, software and all these things.
And we IT people must talk to the engineers of those real things that are produced, whether it's caterpillars or toasters or light bulbs or whatever it is. So it's a more holistic view. And that's what I wanted to bring over to you.
Thank you very much, hunt. This is scary, isn't it? So only a little bit. Yeah.
So how do you prepare your team?
We have started a software center in the Silicon Valley that exclusively focuses on software development for embedded systems, whether it's aircraft engines or any of the other products that we produce. So it's completely separate from the traditional IT, and the job of these people is to bring IT rigor to the development of software in embedded systems.
So it's about engineering, educating the engineers, producing the things.
Vice versa. Okay.
It's a two-way education.
Okay. Do you think that security technology, I mean, security technology like the things you see here in this fair and conference, is suited to address these challenges?
Only partially, because I mean, I cannot really imagine that every single light bulb has an ID. You know, very soon every single light bulb is a computer of its own, probably already is today. So that's why I'm saying attacks will happen. Things will go wrong and we should be prepared for that.
So this is my, my last question, actually, I wanted to stress as well.
So today's focus and more security solutions is prevention. We are starting to see some traction in the detection markets, like big data analytics, security operations centers as a service, or in-house having the right solutions and so on. But do you see any technology helping in the reaction elements?
No. I think we're just at the start of this, to think about resilience and the reaction, because there is just a pure amount of things that are on the internet that can go wrong in some combination. I think we are just starting to see that.
And it's gonna be interesting whether in future trade shows we will see more vendors, you know, giving products or other approaches to address this issue.
Mm. Interesting.
Well, it's going to see what happens. Thank you very much. Again. Thank you.