The internet of things broadly encompasses everything connected to the internet, but increasingly it defines objects that talk to each other. But this is just the beginning of a so-called 'smarter world'. Connected machines and objects in the commercial world allow for a fourth industrial revolution, taking the internet of things to the next level beyond the public domain: the industrial internet of things.
But if one thing can prevent the industrial internet of things from transforming the way we live and work, it will be a breakdown in security.
The latest episode of The Global Safety Podcast is on cyber security - we'll be looking at the ways to safeguard networks, devices and ultimately our own economy and infrastructure, increasingly underpinned by the internet of things.
The episode features insights from:
- Ruth Boumphrey - Director of Research for Lloyd's Register Foundation
- Sadie Creese - Professor of Cybersecurity at University of Oxford
- Robert Hannigan - former Director of GCHQ, current chairman of Bluevoyant international
- Rowland Johnson - founder of Nettitude, part of Lloyd's Register Group
The podcast will also discuss the Foundation's recent Foresight Review of Cyber Security and the Industrial Internet of Things. The review identifies key emerging risks and gaps in capability, calling for the urgent adoption of guiding principles to increase resilience to cyber attacks. The report is available to download in full.
The Global Safety Podcast investigates the biggest safety issues facing the planet and looks at the latest science and innovations being developed to safeguard our future in an unpredictable world.
TOM HEAP [00:00:10] Almost everything we do now takes place in cyberspace, things we buy, what we watch from banking to traveling, we are connected wherever we go in the world. And as that network of linked technologies expands, our reliance has grown on what's become known as the Internet of Things. The Internet of Things, in the broader sense encompasses everything connected to the Internet, but increasingly it defines objects that talk to each other. But this is just the beginning of a so-called smarter world. Connected machines and objects in the commercial world allow a fourth industrial revolution, taking the Internet of Things to the next level.
[00:00:49] Beyond the public domain, the industrial Internet of Things: energy, transport, building, the infrastructure and manufacturing environments are all increasingly connected. To the uninitiated, it may come as a surprise to hear that in the US, the firm Concrete Census has created a device that can sit inside the concrete itself and provide data on the material's condition. We're talking truly groundbreaking connectivity here, but if one thing can prevent the industrial Internet of Things from transforming the way we live and work, it'll be a breakdown in security, and not just a malicious attack. It could be a breakdown in the connectivity, technical or human error. And in today's podcast, we'll be looking at cyber security and the ways to safeguard networks, devices, and in the end, our own economy and infrastructure, increasingly underpinned by the Internet of Things. So welcome to the Global Safety Podcast from Lloyd's Register Foundation, the charity with the aim of protecting the safety of life and property. To shed light and offer plenty of wisdom, I'm joined by a fantastic panel of experts.
[00:02:04] First of all, Sadie Creese is a professor of cyber security in the Department of Computer Science at Oxford, and she was founding director of what's become Cybersecurity Oxford. She's also an advisor on cyber for the World Economic Forum, a.k.a. Davos. Next up is Robert. Robert was director of GCHQ, the UK's intelligence and security agency, from 2014 to 2017. He also set up the National Cyber Security Center in 2016.
[00:02:34] Robert, in a sentence, can you tell us what the National Cybersecurity Center actually does?
ROBERT HANNIGAN [00:02:38] Well, it aims to make the UK the safest possible place to live and do business online for individuals and companies and organizations. It does that by bringing together expertise from government, private sector and academia.
TOM HEAP [00:02:53] And Rowland Johnson founded Nettitude in 2003 to provide cyber and risk consultancy worldwide. Rowland's award-winning company is now the cybersecurity division of the Lloyd's Register Group. And finally, Ruth Boumphrey, Director of Research at Lloyd's Register Foundation. Previously, Ruth was the first head of Earth Observation at the UK Space Agency. What a panel. Welcome to everybody. And as many of you may have guessed out there, we are on Zoom today, sadly not face to face. That time will come, we all hope so. First, a quick question to you all, and a snappy response would be great to get us all going. We're all aware to some extent of existing cyber threats. To what extent will the Internet of Things open up a new frontier, Sadie?
SADIE CREESE [00:03:43] Well, what's different about the Internet of Things is scale, pace and the general dynamics.
[00:03:51] We're talking about many more devices. We're talking about much more data.
[00:03:57] We're talking about very large data sets, very small computing devices that you wouldn't even be able to see with the naked eye, such as those you've already said embedded in concrete. And the consequence of that is the volume of data and insight and patterns that can be detected enable us to predict things about the environment, which may enable attackers to predict weaknesses in the way in which we conduct ourselves, and that will give them opportunity to attack. With any new kind of technology, we run the risk of introducing vulnerability into our own infrastructures.
[00:04:35] Again, another opportunity for people to attack us. And of course, the complexity of the systems that we're creating just makes it incredibly hard to maintain their operations in a way that we would consider safe as well as secure. And that in itself can lead to very big challenges in how we actually enable people to engage with those systems and operate the systems in a safe and secure way.
TOM HEAP [00:05:04] Robert, you're nodding. There is a new battlefield for the people who want to defend us from cyber threats.
ROBERT HANNIGAN [00:05:09] Well, I think so, because, as Sadie says, it's about scale and complexity. And there comes a point where it's very difficult for any human being to oversee this. And that's a real challenge. So the human starts to get removed from this. Machines are talking to machines increasingly and systems are talking to systems. And that's a real challenge.
TOM HEAP [00:05:30] And Rowland.
ROWLAND JOHNSON [00:05:30] So, yeah, I guess if we think about the Internet of old, most of the information that was out there was generated by people that were keying in. And so one of the things that we're really seeing change with the Internet of Things is that that information is more driven by computers and objects generating data. So there might be sensors that collect a whole lot of information that ordinarily might not seem relevant or interesting, maybe movement patterns, maybe machinery and how they interoperate with one another. And I guess as that data grows in volume, so there is an increased opportunity for other actors to want to go and target that data and potentially manipulate that data to have unintended consequences. So I think really what we're seeing with the Internet of Things is just massive amounts more in a generation of data from computers.
TOM HEAP [00:06:29] And Ruth, I guess this is why from Lloyd's point of view, we're doing this because you perceive an emerging threat here that Lloyd's and the Foundation could help to address.
RUTH BOUMPHREY [00:06:41] Yes, for me the Internet of Things is all about that last word. It's the "things". So, in the past, the Internet would be used to exchange information or ideas or concepts or pictures. But now the Internet is connecting the arms and legs of big data. And those things can help us, but they can harm us, so actually by using the Internet of Things, if you think about safety, we need these objects around us to act in a safe manner.
[00:07:09] And that's the key thing for me, especially as these things are embedded into industrial systems, that those things need to keep us safe and they need to be kept safe. So the Internet that we are trying to protect, the systems that we're trying to protect, are stopping those things from harming us.
TOM HEAP [00:07:26] Well, let's just develop a little bit the Internet of Things. I want to make sure, as a foundation fact, if you like, people understand this. Rowland, when we talk about the Internet of Things and the possible threats, you know, the sort of clichés are that, you know, President Putin is going to turn off my fridge or some cyber actor is going to drive my electric car into the central reservation; take us beyond that.
ROWLAND JOHNSON [00:07:49] I think one of the challenges is that people don't really, truly understand the amount of data that is being generated. So they'll have an idea of the data that they are generating. So if you enter information into a website, that's in their consciousness; if they put things onto social media, again, that's into their consciousness. It's the unconscious data creation, I think, that potentially poses a bigger threat. So where have you been? What apps have you used? Who have you been close to? What locations have you been close to? All of those things ordinarily don't sound like they're hugely exciting, but if you can suddenly start gathering a picture of an individual, suddenly that has a huge amount of relevance to all sorts of threat actors that want to try and impersonate you. I think there's less of a risk of the stuff that people are consciously doing. But there's a huge amount of unconscious data generation every single day.
TOM HEAP [00:08:43] And of course, data generation you've just been talking about has been discussed a lot recently in a beneficial way, in a benevolent way, I should say, with regard to contact tracing with Coronavirus, doesn't it? Sadie, though, can you just take us from the kind of Internet of Things, a few more examples of what the industrial Internet of Things could mean, maybe with relation to transport, energy, buildings, manufacturing, etc.
SADIE CREESE [00:09:06] So the industrial Internet of Things is the increased use of these kinds of computing technologies throughout what we would commonly discuss as critical infrastructures. So to most people, that means energy provision, which of course matters at home, at work, in our cities. It's what keeps things like the schools able to be attended. Other examples would be the future of manufacturing. And of course, we all use manufactured goods all the time. Other examples would be in our physical infrastructures and the constructions of buildings and built environments all around us.
TOM HEAP [00:09:48] Now, one of the areas I do know a little bit about is, energy and especially renewable energy in this smart energy world where we have many more sources of energy generation and many more sources of energy consumption, and that these need to talk to each other for this system to work rather than having one big power station and a few big users. Can anyone help me out in kind of maybe manufacturing? Give me a good example, Robert.
ROBERT HANNIGAN [00:10:15] Yeah, I mean, I think the benefits of the industrial Internet of things are massive. The first is safety in manufacturing and in energy. And you pointed to the cement example. I mean, it's really useful to have data about the condition of metal in a plane's wings, for example, or on oil rigs, pipes or drilling mechanism. So what we'd call telemetry stuff that is telling us how well is that performing? Is it about to break? And if you think of all the disasters that could have been averted over the last 50 years in the energy sector, for example, and in manufacturing by something or indeed in roads...
TOM HEAP [00:10:56] if you take the Italian, you know, bridge collapse, the concrete and all that.
ROBERT HANNIGAN [00:10:58] Exactly. Might have helped. Yeah, yeah, exactly.
If something had told us this is about to break, we could have done something about it. So there's a massive safety benefit. There's also an efficiency benefit. You know, if we know more about journeys, for example, and demand for deliveries, like in a pandemic, at the moment, we're all getting stuff delivered. You can do that much more efficiently. And most delivery companies are already doing this using IoT. And that, of course, then, as Sadie says, leads to a green benefit because the more efficient we are, the less carbon we're going to be producing. And there is a massive benefit for the environment.
SADIE CREESE [00:11:36] Just to add into that, I think taking people out of the loop as well is a huge safety benefit. So many of the Internet of Things systems are robotic systems. They're there that help remote inspections. They're there that get underneath bridges or down sewage tunnels. And they also can do things like fly airplanes for us and take away the sort of human error in those systems. So what we want to do is to enable the safe growth of these kinds of systems, to enable the safe development of the Internet of Things. And I think safety and security are sometimes unhelpfully kept as two words, you know, safety and security, too. The same thing. They're there to keep us safe. And in German, there's a word "Sicherheit", which means both safety and security. And it changes the way you think about things. We don't need to think necessarily just about threats or just about accidents. The things go together. Sometimes you connect things and they make things unsafe. Sometimes they make them unsafe because somebody wants to harm you and sometimes they make them unsafe because you've just connected the wrong two things, parts of the system.
ROWLAND JOHNSON [00:12:40] Obviously, Lloyd's Register has a strong heritage in the maritime sector and we're beginning to see real opportunities for industrial IoT on vessels. So there's a lot of talk about autonomous vessels. And, you know, there are many organisations that are making big strides towards creating autonomous vessels in the coming years. But we can see industrial IoT systems on many vessels today that are making a really big impact. So historically, when a vessel was going from one side of the world to another side of the world, you would have had people on board that would have been looking at weather maps, information about tides and currents. And they were making decisions based upon experience and intuition and what they could see with their eyes. And I guess now vessels are able to consume information from live streaming of weather conditions. And not only that, they can use that to try and chart passages that are going to be more fuel efficient. You can well imagine the cost of navigating that: the Pacific Ocean is very expensive, and if you can find a pathway that is going to be less impacted by wind, is optimised based upon tide conditions, and you can really use data to drive that vessel, there's a whole load of efficiencies that naturally will come. And so we're definitely seeing an increased number of operators looking at putting technology onto vessels that can consume information, that can then navigate based upon that information, turn turbines up and engines down etc., to try and be more fuel efficient. And I guess these are all indications of how technology is moving us in a direction that is, I guess, different to what we've ever seen historically.
TOM HEAP [00:14:29] Yeah, well, I'm intrigued by this development. You're talking a lot about autonomy. You're talking about giving a sort of greater role to this, the machine learning here. And we've become used to algorithms in our digital lives, knowing our shopping habits, political leanings, even our entertainment preferences. And in many ways, it was what makes the Internet of screens, if you like, so user friendly. But it can also be dumb rather than smart, occasionally intrusive and frequently make us feel uneasy. And I have to say, you know, Ruth's remarks a moment ago certainly remind a pop culture person like me of, you know, Terminator Two, The Matrix, and perhaps more recently, Ex Machina, when machines go bad. Robert, is there a sort of danger, a trust threat here? Almost leave aside the kind of outside actors: if we don't trust it, if we're not happy with it, that's a threat in itself, isn't it, Robert?
ROBERT HANNIGAN [00:15:25] I think that's true. And it sort of sits almost above cyber security. And there's a lot of work going on about the ethical decisions behind creating new algorithms and behind the whole artificial intelligence industry. How do we ensure that the computers that will be making the decisions in the future for us are learning as they go along, are doing that in a way that doesn't make us feel uneasy? Because you're basically right that if we don't trust the system, we're not going to use it.
TOM HEAP [00:15:54] You've mentioned "removing humans", and that's always a phrase that kind of slightly rises as the hairs on the back of my neck. What do you think about this?
SADIE CREESE [00:16:00] Well, as Robert says, there's a huge body of work exploring how we can underpin trust in deep machine learning, which is currently the approach that we're taking as an international community to making these decisions within the systems and in particular, how we can explain the basis of those decisions, because, of course, we don't live in a utopia.
[00:16:27] There's opportunity to maliciously affect the decision making of these algorithms. But there's also a challenge around the complexity and just understanding how they're arriving at their decisions.
[00:16:39] And they're both different challenges that we will have to face. But there's some doubt it, isn't it, that these technologies will be there. And so the truth of the matter is they will introduce new risks into these industrial IoT environments. The body of work that's going on around the world to really understand how you would go about verifying the integrity, verifying the absence of bias, explaining the basis of decisions, just to think about humans and nature versus nurture. We have to start from somewhere. And so what we do is we initially train on data sets and from that we evolve, or the algorithm evolves, its perception of the environment based upon all of these data points. How that happens, that evolution, you can bias it just based on the training data sets alone. And there will be a market for those, too. And so when we think about safety and security and some of the bigger challenges and how you build trust, we're talking about building trust in the foundation part, as well as the way in which it learns and forms new views upon which decisions will be made moving forward.
TOM HEAP [00:17:53] So you just said that it will introduce new risks. At the same time, we've heard there's an opportunity to make our systems and our lives safer. How do we make sure we get more one and less of the other?
ROWLAND JOHNSON [00:18:08] An awareness of what data is being captured and utilised. And I think one of the challenges is often we're in the dark. And I think what we are struggling with at the moment is that some of the technology companies are not quite as open and transparent about the data that they're capturing and how that data could be used. And so when it is used in a way that we weren't expecting, that makes us distrust them, and in its own right it is a threat to us wanting to use the data or use the system or the IoT or whatever it might be.
SADIE CREESE [00:18:38] Sometimes I think people can view individual privacy as something that's entirely separate to, for example, industrial control systems and the IoT, but they're connected on the human layer. There was a very famous attack many years ago called Stuxnet.
[00:18:55] And what it did is it undermined the integrity of some devices in the uranium enrichment facility.
[00:19:01] What they did is they changed the information that was being shown to the human beings that were monitoring that facility. So where they would be looking for telemetry that would tell them everything's okay. And normally if one of these turbines had a fault, then that screen would say there's a fault, you need to go and investigate. These cyber attackers changed the code on these screens so that when things go wrong, the human beings that were monitoring the systems were still being told there was no problem.
[00:19:34] And that's an example of quite a common way in which we manage these kinds of industrial environments. We often put a human in the loop to watch over the systems.
[00:19:43] So if we can just imagine the Internet of Things as it rolls out and the kinds of technologies we were discussing, like automatic decision making, computer-computer interaction, we're already planning to take the human monitor out of the loop. And so what we're all really observing and discussing, are we not, that somehow we need to do that in a way that still enables some kind of oversight, given that we've already observed cyber attacks that are directly aimed at trying to compromise our ability to have oversight. And so we have some challenges.
[00:20:19] We want the benefits of these technologies in the world, but we really need to think about how we actually going to oversee the integrity of these systems so that we do deliver safe environments.
TOM HEAP [00:20:31] OK, well, let's move into the area of potential state threats here, because it's one of the headline grabbers. In the U.K. we're probably quite lucky in that we haven't really felt the full force of a big state-based cyber attack. Not so lucky in Estonia. Famously in 2007, their banking system went down and that grew into an assault on the whole infrastructure. Colonel Jaak Tarien is director of NATO's Cooperative Cyber Defense Center of Excellence, and he remembers the attack well. It was a new and invisible battlefield.
COLONEL JAAK TARIEN [00:21:05] 2007, Estonia got cyber attacked. Our technicians certainly did a really good job; the higher you got, the more confusing it got at the political level.
[00:21:16] What is going on? People don't know. It's the first time. And as I've been told by the high level of state leadership in Estonia, when they went to Brussels to NATO HQ and told allies Estonia is under attack, the first response was to switch on TV, to BBC, CNN, and say, well, where are the tanks? Where is the aircraft? What do you mean attacked? So the thought of the cyber domain being used to attack a nation in a politically motivated way, it wasn't there, and it launched several political policy initiatives since 2007.
[00:21:50] The cases of cyber being used in a politically motivated way have gone up increasingly as well.
TOM HEAP [00:22:00] That was Colonel Jaak Tarien speaking at an international cybersecurity conference in Estonia last year. Well, since that cyber attack on Estonia in 2007, we've seen further high profile attacks on Iran's nuclear infrastructure, private companies such as oil and gas companies, logistics firms and even national power grids. Well, I suppose this is one of the key questions: will the industrial Internet of Things be a target for state-sponsored cyber attack, and how can it be secured? Definitely want you to kick off, Robert.
ROBERT HANNIGAN [00:22:31] Well, I think it's already happening. And we saw an example just a couple of weeks ago, a well-publicised Iranian attack on an Israeli water purification plant, and then an apparent Israeli response against the port infrastructure in Iran. So neither country has really denied this. And I think it's a very interesting example of how critical infrastructure can be used to exert pressure and to pursue political campaigns. And Estonia was the first very public example; other things have gone on in private, but it suddenly hit the headlines. May be worth saying that Estonia did a great job afterwards. And I think their response was not to shut off the digital world. It was actually to double down there; they're probably the most digitally enabled government in Europe. But they did some impressive things, like backing up all their data in another country so that they can effectively run the whole thing from elsewhere. And of course, they've invested a lot of money in cyber security and they've raised awareness in the population, among their companies. So they've shown that it can be done.
TOM HEAP [00:23:37] Would I be right in describing these attacks, perhaps not the Estonia one, but the others as sort of skirmishes rather than all out assaults on the country? Or do they kind of really threaten the viability of that society or could we be moving in that direction?
ROBERT HANNIGAN [00:23:52] Well, I think we're moving in that direction. And it may happen by accident, particularly given the interconnectedness of systems. But if you think of a couple of real examples: Russia switched off domestic power in parts of Ukraine three years ago as part of a political campaign against the Ukrainians; the ransomware attacks, one of which was aimed at Ukraine, got out of control and ended up disabling manufacturing right across Europe. And parts of our own NHS were hit, you'll remember, by one of those ransomware attacks, which was state in origin. I'm sure that wasn't the intended target. But it's a nice illustration of what we're talking about: it's very hard to know where your attack will end up, and the interconnectedness of the future IoT is going to make that an even bigger threat. And that's the point at which the systemic meltdown that you're hinting at could happen.
TOM HEAP [00:24:47] Well, I want to give everyone a chance to come in here. So is this something that, you know, very much preoccupies you, the heart threat?
RUTH BOUMPHREY [00:24:56] Yes, it does. It's about resiliency. What we're seeing is the aspects of life where we're acting at a global level, an interconnected level, and the Internet of Things is an amplifier of that. And interestingly as well, COVID-19 is an amplifier of that. It's about how we connect to each other, about how quickly connections can be made and about the harm that can come from these kind of connections if we don't understand them and don't have the ability to shut them down when we need to. And so I think resilience is a key concept here for security and safety in the Internet of Things, that we need to have the right sort of tools and the right kind of awareness to shut off the right bits. I don't think this is all about stopping things going wrong. It's about accepting that things will go wrong and knowing how to respond to them effectively and quickly when they do.
ROWLAND JOHNSON [00:25:47] One of the things that we're really seeing is that there's an increased need for organisations to do some form of cyber simulation to try and understand, first of all, what does that threat look like? What threat actors are there? You know, is that a geopolitical threat actor or is it somebody that is an organized crime unit? What kind of things do they want to go after? And, if an asset or a data set could be compromised, what kind of impact would that have? Historically, if you were to go back a number of years ago, those types of war games or simulations, as we might describe them, were agnostic to industry. And so as a result, you would have found red teaming exercises being conducted against parts of critical national infrastructure in a fairly consistent manner. But, of course, as we see more and more technology enabled within systems, so those simulations need to evolve. So now you have some very, very specific types of activities being simulated within the aviation sector, within the financial services sector, within the energy production sector to try and understand what are the different threat actors targeting those systems. What is it that they would want to do, if they could disrupt, what would the impact be? Our knowledge and understanding of that is still evolving, but it's definitely a lot better today than it would have been maybe four or five years ago.
TOM HEAP [00:27:11] Is this a way of kind of countries attacking one another stealthily, if you see what I mean, without actually putting troops on the ground and without having kind of that level of quite literally offensiveness, they almost think they can get away with a cyber attack in a way that they couldn't with a physical, you know, bombs and boots attack.
ROBERT HANNIGAN [00:27:29] I think that's a really good point. So the attraction for states of offensive cyber capabilities is that it's just below the threshold of actual war or conflict. The problem with that is that it's very easy to miscalculate and at almost any moment you could tip over into conflict. You take an example of actually the North Korean-inspired ransomware that ended up disabling part of the NHS here three years ago. Imagine that had happened in the US and that the health care system had been disrupted to the point where people died. The pressure on a government to respond, and respond pretty aggressively, would be huge. So it's very easy for states to miscalculate. And almost certainly in the future, a conflict will come out of a miscalculation rather than somebody setting out to create a war out of cyber.
TOM HEAP [00:28:25] But threats can come from private companies, organized crime, hackers with a grudge, mischievous nerds and quite importantly, accidents.
[00:28:34] In a moment, we'll get into these. But first, to help us out with the nature of many cyber attacks, here's Jason Nurse from the University of Kent School of Computing.
JASON NURSE [00:28:44] For me, the cyber threat is basically an an actor, particularly that some forms of threat using digital or electronic systems. A cyber attack is basically the actual action that's perpetrated by cyber attack, by a threat actor. It's really interesting to to see that there's kind of a variety of different ways that cyber attacks can manifest. For some some organizations it can be systems being accessible or doing so. For example, ransomware, which is probably one of the most popular attacks now is really all about encrypted individual systems. So they can't be accessed until individuals pay some ransom. I mean, and this is exactly what happened with the NHS where people start to switch our computers. Computers just would not turn on.
[00:29:24] They wouldn't allow individuals to access very, very important data, very, very poor services, unless they look happy in a company or even in a home. Mum and dad tried to turn on the computer to, you know, Facebook or whatever they want to do. And the computer simply pops up the message saying, cannot access your data unless you pay this amount of money, usually in Bitcoin or some form of cryptocurrency, the idea there is that it can't be traced. I think this is actually one of the big pushes for some cyber attacks, especially on home infrastructures or businesses, is really all about money. Companies can't fluctuate with their data. They can't function without services. You stop them from functioning. That's a big problem for them. So they're more likely to pay a ransom where he's going to win one of the popular ones. And that's probably why they probably should mention is phishing. You know, you receive an email that claims to be from someone else, someone that maybe you know or someone that you would trust. Maybe you enter some credentials or you click on lengthy, you visit the wrong site, maybe download the wrong file, maybe you enter a username and password into a fake site. And then from there, the person has their credentials or they have your files or they've downloaded malware or your computer could even be ransomware, phishing and some where the two of the most popular forms of attack of note and they are extremely successful.
TOM HEAP [00:30:34] Sadie, I was wondering, does that have relevance talking to the industrial Internet of Things that could be lots of different smaller companies, could be a victim for and also whose doing it? Is it kind of money making criminals? Can it be kind of other people with a grudge, other agendas?
SADIE CREESE [00:30:49] Historically, what we have seen is that once weapons get used, they become less valuable because the cyberweapon that you've not seen before is the hardest one to defend against. I would say you would expect to see all the same kinds of threat actors that we have seen for the last 10, 20 beyond years, also operating in the industrial Internet of Things.
[00:31:14] And the kinds of attacks we will face will be partly defined by the level of harm that can be created from their use, and that will relate to the incentive to an attacker, whether that's monetisation or political motivation or I think somebody has already mentioned the disgruntled employee and it will continue to evolve.
[00:31:42] And so I guess the challenge that we are facing in the IoT is that our opponent controls that we put in place to try and slow this down or to incentivize some of who are attacking these systems because it would just be so costly, it would take so much of their brainpower or financial dollars to develop the weaponry, to even find the way in. Sometimes we can make that so costly that it's a form of defense because they'll go after other targets. And all of those strategies are going to play out. And as we've all observed so far in this podcast, humans are within the system, so we are both a solution and also an attack surface.
TOM HEAP [00:32:23] Well, I want to turn to Ruth Boumphrey now because in her position as head of research for the Lloyd's Register Foundation on this kind of thing, you were very much the driving force behind a review, a push for a foresight review into cybersecurity. Why did you think there was such a need for this report?
RUTH BOUMPHREY [00:32:42] I think Sadie just used the expression humans as an attack surface, which scares the bejesus out of me. And I think we need to sort of democratise the way we talk about anything technical. And what I need is to be able to ask stupid questions. I need to be able to get technical information and advice in ways that make sense to me and the kind of decisions that I have to make. And that's what Foresight Reviews are supposed to help us do. They put things into plain English and provide accessible knowledge about the subject, which can be very complex and that we might need to plan for. I'd like us to feel comfortable in this environment, but to know what to do when something goes wrong and to understand how to keep ourselves safe. The second area, which I think is more pressing in this industrial Internet of Things, is about corporates and about supply chains.
[00:33:34] And I sit on a few boards of companies and I haven't had any training in what to do if we get a ransomware attack or a phishing attempt. I don't know, actually, you know, people in the company that don't know how much training they've had and I don't know the consequences for these companies. And that's why I think we've got some real vulnerabilities in our system that are in industries and are delivering these critical infrastructures that we all need to live. You know, the water, the food, the energy, the transportation. A lot of them are being delivered through the private sector and at companies of vastly different scales from one man band flawlessness right in the way up to massive global corporates. And I think the level of understanding and literacy in the boardrooms of all those companies is very low. That's where the Foresight Review comes in, it's about getting a conversation going. It's about not scaring people, but just raising awareness and giving people some simple questions to ask so you can ask your dumb questions without feeling that dumb.
TOM HEAP [00:34:36] I guess whilst you don't want to scare us, it's important for the future security of this system for us to be prepared rather than ignorant. What do you think, Rowland?
ROWLAND JOHNSON [00:34:48] Absolutely. I mean, back to my comment about doing simulations. Try and find out where your vulnerabilities are. Is it your technology? Is it your supply chain? Is it your people? Is it a combination of all of those things? Once you've understood where your weaknesses are, how long did it take for you to detect it and then respond? And I think if more organizations were to do that, it won't necessarily make them secure overnight, but it'll give them a roadmap.
TOM HEAP [00:35:16] As I say, let's move on to the governance. And Robert, should there be an international code of practice to safeguard the industrial Internet of things? Should we have sort of acknowledged Kitemark - tricky when the Internet knows no boundaries?
ROBERT HANNIGAN [00:35:28] I think the chances of any international agreement are pretty slim at the moment on perhaps anything, but certainly on this, but that doesn't mean we shouldn't try. I think it will be a long haul and even the process of discussing what those standards should be is worth having.
TOM HEAP [00:35:43] And what would be the kind of pushback? What are the negatives there that I haven't seen of people saying, no, we don't want the standards? Would it be considered to be anti-competitive or restricting entrepreneurism, or what would be the argument?
ROBERT HANNIGAN [00:35:55] The biggest pushback from manufacturers certainly is that there isn't a level playing field here. So a device that is manufactured without any security built in is going to be much, much cheaper than one that has security built in. So unless everybody has to do this through regulation, as you say, or through international agreement, it's quite hard to incentivize this.
TOM HEAP [00:36:19] We've brushed on skills, but I wanted to sort of develop it a bit more slightly. Sadie, should all CEOs be coming through your doors at Oxford University for a little bit of training on industrial cyber security, if I can turn this around slightly?
SADIE CREESE [00:36:33] I find it incredible to imagine a future 10, 15 years out where the leaders of our businesses and the deliverers of our critical national infrastructures don't have cyber literacy.
[00:36:48] There is absolutely no way that this threat is going away. There's every sign that it will continue to grow.
[00:36:54] To my mind, cyber literacy should be as fundamental as financial literacy.
TOM HEAP [00:37:00] Nods all around on the Zoom screen for that one.
ROBERT HANNIGAN [00:37:02] I think. I mean, I think the single biggest underlying problem in all of this is lack of skills.
ROBERT HANNIGAN [00:37:09] It's very hard for board members, particularly maybe it's generational in some cases to understand cyber risk, to ask the right questions and to know what measures will actually reduce that risk, because understanding it's fine. But if you can't actually mitigate it, there's not much point in going through the process. So there's education to be done there, which is part of the purpose of this review. But at every level, we need to up-skill people on cyber. We need to increase the pipeline of people who are deep specialists.
[00:37:37] Not everybody needs to be a deep specialist, but we do need more of them.
ROWLAND JOHNSON [00:37:40] Giving people confidence to put a hand up and ask questions. That's going to be helpful, getting more people into schools to do GCSEs, into STEM subjects, into computer science, trying to get more females and more diversity into all of that will help educating people that historically maybe went into careers in electrical engineering or manufacturing engineering and saying, actually, you know what, cyber is relevant. Let's cross train you as well, and at the top of our organisations as well.
TOM HEAP [00:38:08] Something which isn't the solution but could be a very important sticking plaster, could be insurance. Is this an area where insurance is going to come in?
ROBERT HANNIGAN [00:38:18] It's an area which a number of governments are on to. So the recent commission report in the US, which may get implemented, suggests there should be liability, particularly in the IoT area for developers. And I think there's some big talk about the European Union as well. So I think we're moving in that direction. What insurers are really worried about is systemic risk. We've seen in the pandemic that is an almost uninsurable event. What's the cyber equivalent of that? And there's been a lot of modeling of what does a cyber systemic meltdown look like and is it really insurable? So at that level, it's a problem. At the ground level, I think insurance has got a big role to play in improving standards.
TOM HEAP [00:38:58] You brought up the COVID pandemic. We've talked a lot about the cyber war in the last year, but we didn't really talk about biosecurity and look what happened. We got whacked by a virus. So is cyber really the big threat that we're making it out to be?
SADIE CREESE [00:39:11] It's big and it's significant. And I think the real reason why this Foresight Review matters is because it looks like we're going to face a significant step change in the potential for harm. So even though the threat is really significant now, the Internet of Things and the industrial Internet of Things is going to bring about the potential for much larger degrees of harm.
TOM HEAP [00:39:41] What do you think, Ruth?
RUTH BOUMPHREY [00:39:42] We have to, I think, accept that these things are going to happen, just the same way that we knew that a pandemic was going to happen. It wasn't a what if a pandemic happens? It was it is going to happen. We should accept that there will be a large scale disruption that will have cascading consequences across international boundaries into systems which our lives depend on: our water system, our heating, our light, our power, our food systems. This will happen. What we need to do is prepare ourselves for those and think how ready our governments will be when that happens and really think of it in the same way. So I think it's a good parallel and some lessons to be learned from right now.
TOM HEAP [00:40:21] And Robert, as governments have a tendency to sort of tool up the last crisis, do you think the danger here is that they might end up putting all their effort now into biosecurity and run down cyber security? And how damaging could that be?
ROBERT HANNIGAN [00:40:34] Yes, it's always hard for governments because they think in four year cycles, really, and if you think of the pandemic, well, officially the UK government and lots of governments have said this for over 10 years. This has been the top threat to the nation, but not enough has been done. And it's hard to get people to focus on those high impact, but maybe slightly lower probability in the next four years risks, and cyber falls into that. But as Sadie says we're about to enter a new world where all this is celebrated. I think you're right in your question that we can overplay the threat. But I also agree with Rowland that if you just look at what's happening every day, the sheer volume and growing sophistication of cyber attacks against companies and fraud against individuals, it's something that we absolutely have to worry about. And there are things we can do. So this isn't something where we should despair and we can take measures to improve our security and to make sure our recovery will be better when things go wrong. So there is hope.
TOM HEAP [00:41:32] What I've gleaned from this conversation is that what we can all do something about is skills. It's about preparedness and investment and accessibility. So this doesn't become an area that the common man or woman can't understand or access. If we bring all those things together, there is a chance of keeping our industrial internet of things delivering for us and remaining secure. So thank you very much indeed to my guests, Robert Hannigan, Rowland Johnson, Ruth Boumphrey and Sadie Creese. And thank you for listening. We'll be back soon with our next edition. We'll be focusing on dealing with future pandemics in the light, of course, of the current COVID-19 crisis.
[00:42:18] The Global Safety Podcast. Subscribe to be sure you don't miss an episode.