The Impact Of Emerging Technologies On The Cyber Threat Landscape

okay this um penultimate talk is going to be done by me and Scott and we're going to look at the impact of merging technology on critical National infrastructure [Music] I know that's fine okay so this is essentially the agenda uh we're going to run through we're going to talk a little bit about uh firstly who we are a quick introduction into what critical infrastructure is for those don't know look at digitization um some of the dangers and the threat landscape for cni as well and some of the key things and also some of the potential Solutions so that's who we are Okay so digitalization is what's causing the problem everybody now is trying to get online whether iot devices being put into your baby monitors your fridge your light bulb everything that moves is being digitalized but in the rush to digitalize very few people are thinking about security so before we jump in just to make sure everyone's on the same page here as to what critical infrastructure is it is what makes a country work really your energy supplies your finances your people your food your water your chemical supplies your energy everything like that that would cause an awful lot of chaos if it broke and if you want to think about the impact or how digitalization can be used against the country we need to go no further than stop Nick which was an interesting proof of concept case yeah okay so start snap for those that you don't that don't know essentially was probably the first nation state uh sanctioned attack that took place um although it's not absolutely conclusive it was the Americans uh the Israelis and possibly the Brit's help and they uh desire they basically got the intelligence about the Iranian nuclear program and how in the towns they were enriching you uranium um using centrifuges there so um the Americans and Australians worked with uh Siemens nextoff who produced this centrifuges got a whole load of them stood them up in the desert and then got some really good software Engineers there to um start finding bugs and holes in it and they wrote code that would cause a centrifuges to spin up an awful lot faster but at the same time report back to all the monitoring systems that everything was normal uh then um an Israeli operative was able to bring that code inside and tans and get it into the systems there and they caused an awful lot of damage to all of their centrifuges there and um set their nuclear program back and it Russia has understood the importance of digitalization and by 2030 they're now moving to ensure that they are Supreme Sovereign of their digital space they're actually we talk about um when we talk about security it's layered security they're actually creating an internet that's interlocked security so that they can actually they're looking to make this geographical internet safe so that they can take it offline if they want to which means they can militarize it and that's their objective and it's not just Russia China and India understands the importance of a geographical Sovereign internet so now looking on to some of the actual uh cni flat landscape and emergency Technologies here uh we'll start with uh scada or scada however you want to pronounce it um security control and data acquisition anywhere where you've got power generation energy generation large Transformers things like that you'll find scada you'll find ICS systems in there and other operational Tech now these are all pretty much running on serial protocols that were very common in the 90s generally in the clear and now for cost saving exercises a lot of these are being connected to the internet for remote access these are very outdated Technologies but they are part of critical infrastructure of uh lots of companies um they're susceptible to side Channel attacks they've got very large attack surfaces on there and digitalization of our electric meters we were all pushed it was going to do an awful lot of good the first generation of electric meters that went into our homes they had a feature that if you fail to pay your electric bill they could cut you off from central office but if they wanted to reconnect you they had to go to your home now you didn't need to be a rocket science to work out in the middle of a winter if you cut all the electric meters off you could freeze us out and that could be an attack which doesn't do any harm to the infrastructure but you could kill thousands and that's because of digitalization without security then you have 5G 5G is absolutely brilliant it's faster it carries a greater data set we all love it but it has some problems with 5G they've moved they've moved away from your old when I went into you had old switching um Hardware with with regards to networks now we have software switching which has opened up the landscape where you can be attacked um you also have a problem with trustworthiness and 5G an argument that's being put forward by America and the UK because one of the biggest players in 5G is a company about the Americans and and the British think shouldn't be in our Network and but they're there and BT have been told take them out BT has said we have no other technology it will put us back decade so the agreement has been to kick it into long grass and wait until 2 2007 2027 to fix the problem that's three years before Russia is completely contain and put his hole into into a container so it can cut it off attack we're still arguing about our switches and our routers and whether they're safe or not so moving on to one of the other emerging Technologies here artificial intelligence or probably uh more specifically the subset of that machine learning now it's great it's become ubiquitous it's in everything from uh of civil agents are the decisions on whether or not you get a loan whether you get insurance it's in driverless cars it's being used to make decisions on lots and lots of things but one of the areas that particularly concerns me here is the lethal autonomous weapons now these can act as basically the familiar with drones flying around the air you've got um autonomous um vehicles on land uh tanks are almost autonomous you've got them submarines that are autonomous and now we've got most of those powered by some form of machine learning in there now with um machine learning has got lots and lots of vulnerabilities in it in terms of adversarial machine learning and how you how whether or not you're poisoning training data sets things like that specifically jumped out was in the um back in 2020 if you could just jump back to that yeah back to back in 2020 there was the uh cargo 2 drone and that actually attacked it was filled with explosive and um attacked a group of people in Libya um and killed them and that was based totally on its own decision-making process this wasn't like the first generation of drones where they had a remote operator back flying them somewhere else and this is the first step Russian Federation here is also actively developing um artificial intelligence in tanks and drones and missiles invite and other robots and they're the US Navy as well is um developing a complete Fleet of um ghost ships in there and like all these things they have the potential to be hacked and that's concerning [Music] and um yeah satellites in space this is um another sort of potentially big area of concern um especially now that we've got the commercialization of space from lots of the world's billionaires um things like a complete coverage of the planet now with their satellites for internet absolutely brilliant that you can get fast internet anywhere in the world but at the same time there's some big risks there there's um actually going into space you've got issues around um compromise of the set these Satellite Systems compromise of our GPS systems that we're all dependent upon it's it's fairly trivial to spoof GPS systems and do replay attacks against GPS and things like that you've also got other concerns when you look at space as um people like Elon are planning to develop asteroid mining you've got to have latency tolerance networks how do you handle when you can't Uplink for six hours eight hours things have it and what happens when someone compromises us and then you've got my favorite subjects iot brilliant stuff they're everywhere they're in light bulbs baby monitors I've said that but iot has a problem the small size of the hardware means it has limited memory um limited Hardware capacity um and limited power uh iot devices are now also been recruited by botnet Masters to actually attack the internet the biggest takedown of the internet was a distributed dos attack which was instigated by um the plug and pay play aspect of iot devices people didn't know that their smart speakers were actually attacking the internet and the Mariah attack which is what it was was a proof of concept you can now buy that and choose who you want to attack but iot devices have been rolled out by companies who are interested in giving us a device and less interested in the security or that I've heard there are things um happening in that um ecosystem but up to this point iot devices have been a very easy way to get in and attack [Music] which then brings me on to one of my other favorite areas Quantum Computing and its impact on cryptography there is one area that's already quite effective that's Quantum key exchange and that's been proven to work over distance um but they're probably more of a concern for us in looking at cryptography is what quantum computers can do and there's two specific algorithms there that affect it now most of our asymmetric cryptography public private key cryptography is based on hard maths problems so you've got things like factorization of large numbers uh discrete logarithm algorithms and elliptic curves now um Shaw's algorithm here basically breaks up because rather than just having your usual bits you've got qubits you can do multiple things all at the same time so that works and um that basically means that there are standard um asymmetric cryptography that we use for everything these days will be broken when the quantum computers reach the um the level large enough to handle those key sizes and they're growing year on year rapidly you've constantly got Google and IBM competing for who's got the fastest quantum computer at the moment that's going to cause a big problem we've also got Grover's algorithm which effects are then symmetric keys there and that effectively halves the key size the normal key size so that's less of a problem to solve because you can just double your key size to get around that now nist has um been running a number of competitions over the last few years to look at post Quantum cryptography there most of those are based around lattice lattice cryptography um so some of the early contenders were announced probably a month or two ago and um one of them has just hit the news um because it was breached by um an old Xenon um single processor computer and it broke it in an hour so it might be quantum computer proof but it's not proof against them an odd Xenon computer so that puts us in a tricky situation particularly if you're in a situation where you need to keep something encrypted for at least seven to ten years minimum 15 years minimum and at that time time scale most of the experts in the field um estimate that the quantum computers will be suitable to break that so that causes us some problems now don't be our Hind Russia China India because we don't have the intellectual capacity we kind of maybe lack an overarching approach to security when it comes to the new generation security but we definitely have some solutions NATO took a look at this problem last year and they identified in a 36 report page report that there were Solutions being produced in the west of these problems if we only had an overarching approach we have I read a report on a lightweight multi-factor attribute-based authorization approach I know it's not sexy but it's brilliant because the person who wrote that understood an important thing attribute base authorization gets around the distribution um consensus problem that you have in networked with iot devices which and with cryptocurrencies you have a problem with this how do you know when something's been agreed simultaneously by all the miners in all the places at the same time and this has been proven to work and it would work in a scout or discarder system layered encryption using hash but you're hashing the security together as opposed to action air and saying this is correct your hashing each bit of security together and so if you break that the hash change and therefore you know you've got the balance authentication mechanism which I worked on which goes right back I had to look at math Going Back 40 years to find a way of getting cryptocurrency to work as it should do um by allowing um people in different parts of a network to agree and to agree simultaneously sounds like it couldn't happen but it can in our universities we're coming up with a solution but what we need is to work together industry University and professions we need to come together or by 2030 it is possible that Russia China and India will be Sovereign over the internet any questions at the moment what rush is looking for is geographic sovereignty so what they're looking for is to genuinely be able to disconnect from the internet so if they kicked off say a Cyber attack they can disconnect and then it can corrupt all our sphere ecosystem apart from them then they can reconnect and China and India aren't too far be behind but because we don't have an overarching approach to the way we do things lots of Industries um because of the way our system is work on separate things and they may come together when it gets really bad and solve the problem but because we work in small sorts um groups like that we find it and we're finding it difficult to deal with that but I've heard that there are there is standardization coming along um I'm hoping it deals with the problem that's out there [Music] [Music] foreign and it depends yeah you could just put a massive more emote around it and then once you're over that you're in um but this is something they've been looking at since the 1990s so I'm interested to see are they doing a bolt-on system or is it interconnected literally a dome around I don't know what they're doing I don't know what we're doing to some extent I've heard there's there's things that are boots things are happening but they are aiming to militarize the internet that's their ultimate aim you always started with darpanet and it yeah but we've had a little bit of fun with it and we like it as fun and but they're taking it back so I need to take a look at what they're doing and I would love to take a look at what they do foreign we could get each corporate organization to play ball and to connect and to implement the right rules even though we don't have eyes and what they do and we just take their word for it um then yeah that would work because about history has told me a lot of corporate organizations tell us one thing but do another and I think we and we need to work out do we want what do we want in the future for our internet what do we want um especially in light of their attempt to militarize it and we've got to decide what approach we want to take sorry um I'll grab the mic okay um yeah I just want to add to that if you think back for those who you can remember to uh 88 uh when uh Robert T Morris launched the internet work and that spread throughout the whole global internet at the time basically calls it to Grant to help if you had a kill switch which you could cut off the entire network for your country and deal with that and know that's coming in and Patch it or if you look in the early Northeast when Slammer went through everything and that went through some of these supposed air gap networks as well it hit a number of uh of those and caused loads and loads of chaos if you can cut that off it gives you an opportunity to deal with it if you're enough if you're a country that has actually deciding to make an offensive attack out there and you cut off first before you do it and we've seen that countries plan ahead and you just look at how they cut um the gas reserves back in Germany the um prior to Casper okay a panther so is the traumatization a security I think the kill switch could be Nationwide it could be individual it could be based on your home but what we need to do is get our act together because we're falling behind and we need to make take a stance and go for it this I in my mind I'm going to go on a rant in my mind I remember when interest rates were managed by politicians that was such fun and then they gave it to the bank of England I think cyber security is so important that it should be taken away from government and it should be put like interest rate in the body that's actually concerned with the nation to protect our nation I think we should take an approach but hey it's a rant sorry about what's the political system we want to live in and I think it's a really really important conversation but I think that question about how to kill switch you have that capability where it might go whose interests are represented what does that mean for Democratic country these are being I think that this is a hugely important topic but I think you can't have I mean for you to have this conversation without acknowledging the political yeah dimensions of the politicians because scientists I want to take I I don't know I'm asking you tell me yeah but anyway I'm sorry you take it away from the politicians like a new ncsc or a gchq whatever organization you go back in history with the list [Music] three-way encryption let's listen to all this information yes I think it's a conversation we have to have we may just say status quo like you said it that may not be the route but we do need to have the conversation and because other people are making moves and we need to acknowledge that change needs to come but do I have the solution no I'm a bit of an optimist I think if we get really nice people into a committee and we laughs okay we've probably got time for maybe one more question I think because we're now starting to overrun a bit um so anyone else go put your hand cut up [Music] foreign because all the things that China is and all these episodes yeah I mean we don't want to go down the route of a totalitarian but I'm I the carrot and stick you know the old-fashioned carrot and stick we're going to take lots of money off you if we found that you've breached somehow someone's breached your security is also not proven very helpful there is a middle ground and if we don't start talking about the middle ground that Council of nice people who are very intelligent come together and start talking about where that middle ground is we have to have that conversation I think as a nation because it is it can be the internet can be something that can be you know a really good thing but it can soon become a weapon that can be used against us and we need to find a way of Defending ourselves and that means difficult questions you sure something like this [Music] can we trust ourselves can we trust our nation probably not okay I think we're gonna have to pick this up in the after party and come back to it then yes so um okay so thank you very much