Luther “Chip” Harris on worrisome vulnerabilities in critical infrastructure

Luther “Chip” Harris works as a Senior Cybersecurity Investigator in IIoT security (industrial internet of things) for MSA Security.

What he has learned firsthand should make every industrial enterprise in the United States concerned. I asked him to share what he's able to. He had a lot to say. I didn't have to ask him any further questions.

Harris:

"Here is what is going to affect the current landscape that we deal with in the Integrating the Internet of Things (IoT) into critical infrastructure in cities can offer numerous benefits, including improved efficiency, enhanced services, and better resource management. However, this integration also comes with certain risks and challenges that need to be carefully addressed. Here are some key risks associated with cities integrating IoT into critical infrastructure:

Security Concerns:

Cybersecurity Threats: Increased connectivity creates more entry points for cyberattacks. IoT devices are often vulnerable to security breaches, and a successful attack on critical infrastructure could have severe consequences.

Data Privacy: Collecting and sharing large amounts of data through IoT devices may lead to privacy concerns if not handled securely. Unauthorized access to sensitive information can compromise citizen privacy and trust.

Reliability and Resilience:

Dependency on Technology: Cities become highly dependent on the proper functioning of IoT devices. Malfunctions, technical glitches, or cyberattacks could disrupt essential services, leading to potential economic and social consequences.

Resilience to Disasters: Natural disasters or large-scale cyber-attacks could severely impact interconnected IoT systems. Ensuring resilience and redundancy in critical infrastructure is crucial to minimize disruptions.

Interoperability Issues:

Compatibility Challenges: Integrating diverse IoT devices from different manufacturers may result in compatibility issues. Standardization efforts are essential to ensure seamless communication and interoperability between devices.

Liability Issues: Determining liability in the event of a security breach or system failure can be challenging. Establishing clear regulations and responsibilities is crucial.

Scalability and Maintenance:

Scalability: As cities expand their IoT infrastructure, ensuring scalability becomes a significant challenge. Systems need to accommodate a growing number of devices and evolving technology.

Maintenance and Updates: Regular maintenance and updates are essential to address vulnerabilities and improve system performance. Neglecting these aspects could result in increased risks over time.

Public Perception and Trust:

Perceived Intrusiveness: The deployment of IoT devices for surveillance or data collection may lead to concerns about invasions of privacy. Managing public perception and building trust is crucial for successful integration.

Third-Party and Vendor Risks:

Supply Chain Dependencies: Organizations often rely on a network of suppliers, vendors, and service providers. Any vulnerabilities in their systems could be exploited, affecting the overall supply chain security.

Hold onto your butts. Here goes 2025...

The White House, Congress, and federal agencies raced to keep up with a rapidly evolving cybersecurity landscape throughout 2023, a year characterized by the introduction of new artificial intelligence tools, record-breaking ransomware attacks and emerging threats to critical infrastructure sectors across the country.

The administration issued a wave of guidance - most notably the national cybersecurity strategy issued by the Office of the National Cyber Director in March. The plan seeks to fundamentally shift the bulk of cybersecurity responsibilities from end users to the organizations most capable and best positioned to mitigate threats, while realigning cybersecurity incentives to favor long-term investments in 'secure by design' principles. Paper thin if you asked me. China is kicking our cybersecurity asses.

Millions of Americans nationwide also began harnessing the power of AI technologies in 2023, from ChatGPT to the explosion of new machine learning tools and services available across the web. The White House meanwhile secured voluntary commitments from big tech firms leading AI development to follow a set of best practices, and it worked with international partners to form a G7 Code of Conduct for AI development.

But so far, the recent AI guidance and cybersecurity requirements remain largely voluntary and unenforceable. Congress has signaled plans to introduce bipartisan, comprehensive legislation to begin regulating AI, as well as new cybersecurity mandates to secure the supply chain. As lawmakers gear up for a new year of legislative priorities...

We still can't fix password issues and fix our OT issues nationally!

Here are the cold hard facts. Here are my findings. I am just ahead of the curve.

Electricity: Failing any surges or damage to infrastructure, the electricity will likely last for several days to several weeks, depending upon its generation source and the overall levels of repairs of the infrastructure.

After that point, most major cities will be in darkness and many minor areas (unless they have windmills or solar panels) will also be dark. ETA for family survival - 42%.

Water: Is pumped under pressure into water towers which equalize their pressure using electrically-powered pumps. After the power fails, unless there is major damage to pressurized lines, water pressure should remain strong for several days, tapering off after a week in major cities. In smaller towns, the residents may be able to retain water pressure by diverting electricity to pumps to maintain it. Major fires will deplete this reserve if the water is used to extinguish them. ETA for family survival - 34%.

Natural Gas - The wild card. There are likely going to be one or more major gas explosions after an incident and unless the gas pressure is reduced to those fires they will keep burning until they have exhausted their fuel. Plan on gas lasting several days at the most; perhaps less than that. ETA for family survival - 21%.

Gasoline and vehicle fuel - Requires electricity to pump, but can be made available using portable electric or hand pumps. Most stations need to be refueled every other day, so most stations will be drained within several days. Unless you are near a storage facility or a refinery, expect gas shortages inside of a week or less. ETA for family survival - 19%.

Coal - Should be plentiful in many areas (most areas have at least one coal-fired plant) and it can be burned for fuel. It is exceptionally dirty. It will likely cause respiratory ailments and it will be difficult for many to use. ETA for family survival - 43%.

Maritime - If that goes, we all go...

So look at it like this. You have less than a 50% chance of survival for a family of four.

Is it paranoid to worry about Chinese hacker attacks? Or would it be naïve not to worry? The question is reminiscent of the Huawei debates. Against the backdrop of I-Soon and Volt Typhoon, paranoia would at least not be out of the blue.

Artificial Intelligence (AI) has the potential for both positive and negative impacts. As its potential continues to unfold, we must understand the dark side of AI. Here are some examples of how the current version of AI could be misused, highlighting the need for robust regulation, ethical guidelines, and security measures.

I am looking for current and past events that AI has been used for bad. Not good.

1. Privacy Breaches: AI's ability to process vast amounts of personal data has led to fears of misuse, including unauthorized surveillance, identity theft, and invasive profiling.

2. Deepfake Technology: AI-powered deepfake algorithms are capable of creating realistic fake videos or audio recordings. These can spread misinformation, defamation, and manipulate public opinion, undermining trust and fostering confusion.

3. Autonomous Weapons: The use of AI in the development of autonomous weapons systems raises ethical questions. Without proper controls, these weapons could be used indiscriminately, bypassing ethical considerations and potentially causing untold harm.

4. Job Displacement and Economic Inequality: AI's ability to automate tasks can exacerbate economic inequality by causing job loss and unemployment in certain sectors.

5. Biased Decision-Making: AI systems trained on biased or incomplete datasets can perpetuate societal biases and discrimination, leading to unfair decision-making in areas such as hiring, lending, and criminal justice.

6. Cybersecurity Threats: The sophistication of AI systems also means they can be used maliciously in cyberattacks, enabling more effective phishing attempts or bypassing security measures.

7. Social Manipulation and Misinformation: AI can spread propaganda, manipulate social media trends, and amplify divisive content, leading to social unrest, polarization, and eroding trust in public discourse.

8. Financial Market Manipulation: AI could be used to manipulate stock prices, engage in high-frequency trading, or conduct market manipulation, leading to potential economic instability."

That's the warning Harris is eager to share.

Evan Francen

Candid Cybersecurity Pioneer | Co-Founder FRSecure, SecurityStudio, CISSP Mentor Program, CvCISO, et al. | CISO and vCISO Advocate | Podcast Host | Mentor, Speaker, Author | Fixing a Broken Industry

1mo

Interesting take. Age old wisdom: poor choices always have consequences. Poor choices and consequences, it's that simple. There are lots of poor choices when it comes to our use of technology, mostly due to being irresponsible and enforcing little (or no) accountability. What will be the consequences? We don't know for certain because we haven't seen them (yet). What we've seen so far pales in comparison to what we can expect (if we don't fix our poor choices). And yes, "China is kicking our cybersecurity asses". It's sad that we've empowered and enabled them to do so. 🤨 Well done, Mr. Harris!

Paul Cummings ☠️

CEO | Founder & Speaker | Pioneering Free Global Cybersecurity Education | Song Writer | Mental Health Advocate

1mo

It's warming when a practitioner speaks their mind unfettered. What can we do to get veterans equipped to redeploy?
