Bolstering businesses' cyber security on agenda for Abu Dhabi meeting

Each year a group of cyber security experts gather to discuss the latest threats from hackers, terrorists and rogue states

Former Rutgers University student Paras Jha is seen as he leaves the Clarkson S. Fisher Building and U.S. Courthouse after his hearing in Trenton, New Jersey, U.S., December 13, 2017. REUTERS/Dominick Reuter - RC11344ADAB0
Powered by automated translation

This week Abu Dhabi is playing host to a select group of people with one of the toughest but most vital jobs in the Middle East. They are charged with defending the energy and utilities business from cyber attacks.

Each year they gather to discuss the latest threats from hackers, terrorists and rogue states. And each year the challenge of keeping the lights on just gets harder.

Those attending all know the horror stories. Last year's malware attack on the Ukraine, which hit gas and electricity companies, and even the notorious Chernobyl nuclear power plant still looms large. So does the re-emergence of the feared Shamoon virus, responsible for the devastating attack on Saudi Aramco in 2012.

And the UAE remains a major target in the region, with more than 100 cyber attacks on government sites alone last year.

As non-combatants in this global war, the public can only hope the cyber experts meeting this week can succeed in keeping the enemy at bay.

But they know the enemy is already among us, in a myriad of devices tied together by the Internet of Things (IoT).

Mention IoT to most people and — if they’ve heard of it at all —  they’ll probably think of cool gadgets that allow your fridge to warn when you’re low on eggs, or gets your TV to pick a movie.

But the reality about the IoT is chilling. It provides a way into homes, businesses and installations across the world. And the bad guys know it.

This month an American university student was due to be sentenced for attacking hundreds of thousands of gadgets linked by the IoT in the US.

Computer science student Paras Jha and two accomplices created malware known as Mirai, which targeted vulnerable household routers, webcams and other devices.

Having gained entry, Mirai hijacked the computers linked to the gadgets and used them to launch a massive “distributed denial of service” (DDOS) attack in 2016, blasting network servers with data until they failed. Large chunks of America’s internet simply stopped working.

It was a terrifying demonstration of what the IoT makes possible — equivalent to a burglar sneaking in to a few homes, and finding they all contain the master-switch for the national power grid.

No less terrifying is the speed with which these vulnerabilities are spreading.

According to a new report by Business Insider Intelligence there are already 9 billion IoT devices out there, and by 2025 that will grow to 55 billion.

Despite providing back-doors into key parts of the internet, these devices typically have only the most basic security measures. Even these are often undermined by users sticking with factory settings and passwords like “Admin”. Many devices can’t be upgraded as new vulnerabilities come to light either.

But most worrying of all is the lack of public awareness of the presence of the IoT in their homes.


Read more:

Middle East energy companies' cyber-security investments lag behind threats: Siemens 

Protection from cyber attacks 'critical' as UAE Government prepares to share data

Dozens of cyber attacks target UAE Government and companies in January


On that front, some people have now had a scary wake-up call — quite literally.

Earlier this month, owners of Amazon's virtual assistant, Alexa, reported being woken in the dead of night by evil-sounding laughter coming from "her" Echo speaker.

Amazon responded by claiming that the voice-operated device had a glitch making it misinterpret some commands as a request to laugh.

But some users insisted this wasn’t the problem at all. The scary cackle had come from Alexa unprompted, as if possessed by some evil spirit.

The company issued a software update it said would fix the problem — seemingly oblivious to the fact this confirmed the scary truth about Alexa: outsiders can control it remotely.

Doubtless most owners of the device are happy to put the “glitch” behind them, and get back to the wonders of interacting with Alexa.

Certainly Amazon would like to move on, as this small device is crucial to its humungous vision for the IoT.

Launched in 2014, Alexa has come to dominate the digital assistant market, ahead of the offerings from rivals like Google. There are upwards of 30 million units in the US alone.

But such popularity has it price — by making it a priority target for the world’s army of hackers. Security experts have already found ways of hijacking Alexa and its rivals. They include “backdoors” created by their use of Bluetooth to the installation of illicit hardware.

Some vulnerabilities are shockingly simple —  like getting into “smart” homes by telling Alexa to open the door via the letterbox.

Of course, the tech giants insist the devices come with a wealth of security measures. What they don’t have is any way of ensuring consumers use them, or that hackers can’t evade them.

Avoiding this security nightmare is becoming all but impossible. Most cars and other high-end technology now comes “internet ready”.

Adopting rigorous security standards yourself doesn’t help either. When you’re part of a vast network, it just takes one slip by someone, somewhere to land everyone in trouble.

Exhibit A is that attack on the Ukraine last June, which spread to affect organisations across the world.

Investigators concluded it began with malicious code spread via an update of an accountancy software package whose Kiev-based makers allegedly ignored repeated warnings about its security measures. The consequences were felt by around 2,000 companies, from Los Angeles to Tasmania.

The three students who developed the Mirai malware that exploited the IoT were rightly punished, but their case holds salutary lessons for all of us. As one cyber expert told The Guardian newspaper: "Imagine what a well-resourced state actor could do with insecure IoT devices".

Those gathering in Abu Dhabi this week carry the heavy burden of ensuring that we never find out.

Robert Matthews is Visiting Professor of Science at Aston University, Birmingham, UK