1 of 17

Cyber Security, Employment & Climate Concerns

PAST, PRESENT AND POSSIBLE FUTURE

2 of 17

“the best way to predict the future is to invent it”

ALAN KAY, XEROXPARC

Graphical Interface Computing (Pre Windows & Mac)
Object Oriented Programing, and personal computing

3 of 17

A Brief History in Time

ARPANET (4 node university internet & DOD weapon project): Dec 5^th 1969
UNIX Epoch: Jan 1^st, 1970 , Thompson & Ritchie edition 1 1971
Computer system administrator, network administrator professional roles: ~ 1977 – 1983
Certified Information Systems Auditor: 1978
Technology certifications: Novell CNE 1989, Microsoft MCSE 1992, Cisco CCIE 1993
Certified Information Systems Security Professional: 1994
First CISO role: CitiBank Steve Katz 1995
First ISAC : Financial services ISAC 1999
Certified Ethical Hacker: 2003

4 of 17

A Brief History in Qualifications

Computer system administrator, network administrator professional roles: ~ 1977 – 1983
- Comp Sci, engineering, math or physics degree, (Thompson & Ritchie – MSc & PHD)
Technology certifications: Novell CNE 1989, Microsoft MCSE 1992, Cisco CCIE 1993
- On the job training and willingness to sit multiple practical examples – no degree required
Certified Information Systems Security Professional: 1994
- 5 years in the industry and pass a 6-hour 225 question exam,
Certified Ethical Hacker: 2003
- Take the training and write an exam, no degree, no job requirements

So it seems logical that when computer and network administration first started to be a paying role only governments, engineering companies and universities had computers so people with degrees would likely be wandering that halls already. Most of the early leaders in this area were both academically accomplished and explorers. There really wasn’t a commercial software business yet, at least not what we know today, so most system admins also did either custom programming or a lot of fixing. You needed to know a great deal about how computers and networks worked at very low levels to get the most out of the systems and troubleshoot issues.

The mid 1980s and early 1990s so a much wider spread adoption of local area networks and computers on some workers desktops. A number of competing vendor technologies were in place which needed skilled implementers, but they needed to know the idiosyncrasies of the products, not necessarily the underlying workings of the computer or network technology. Vendors had their MSc and PHDs in the back rooms for support, bug fixes and new releases but there was a good living to be had as a technologist implementing and maintaining information systems. This led to the rise of vendor specific certifications. In addition to the difficulty of the exams, practical experience with the products was also a must.

Unfortunately, by the late 1990s exam cheat websites began popping up leading to a number of people getting certified with no practical field experience. This led to certifications getting a bad rap for a few years but the cert bodies quickly added practical and interactive capabilities to the exams to weed this behaviour out. Employers also caught on and looked for experience instead of just certifications.

The CISSP is still the gold standard for cyber security certifications because nothing else covers as much content. Although the CISA is older, the CISSP made sure candidates were fluent in concepts like cryptography, malware, data center design and so forth. 30 years later the exam is still brutal although a lot more accessible and to silence the paper certification detractors, you must demonstrate 5 years in the IT industry doing work covered in the knowledge domains. For those just about done your undergrad you get a 1-year credit, but you’ll still need 4 years in the business and other CISSPs will need to vouch for you. That said, it seems to be the number one sorting factor in the average HR search for cybersecurity specialists.

It is also interesting to note that the first formal training on ethical hacking didn’t come out until almost 10 years later. This was a significant move though, because previously hacking knowledge was very hard to come by. Comparing early CEH to SANS, adversarial training has certainly improved and become much more specialized, but these early attempts are very important because they acknowledged the need for adversarial knowledge to better defend and organization.

5 of 17

A Brief History of Hacking

Assumed Secure:
1903, ‘secure’ wireless discrediting of Marconi
1954 & 1960 phone freaking using toy whistles, (Davey Crockett & Captain Crunch -> Blue box)
Money:
1834 French bond traders encoded market movement in telegraph character correction
1994 Citibank cash management vuln, 10 million
2024 Estimated 9.5 Trillion USD cybercrime costs:
- ransom & stolen money, lost productivity, IP theft, identity theft, …. Forensics, new security

Now just because the CEH came out in 2003 and CISSP was first conceived in 1994 doesn’t mean hacking wasn’t already well underway.

It is important to look back into history because even though some of the tech has changed, the motivation, reasons for success and the outcomes really haven’t changed that much.

Telecomhacks: https://eandt.theiet.org/2017/03/13/hacking-through-years-brief-history-cyber-crime

Marconi is credited with radio invention and in the early days, morse code over radio was a replacement for the telegraph. A public demo in 1903 showing how this was “secure” because of the specific frequency it was transmitted on failed because an attacker set up his own transmitter near the demo and submitted his own data into the stream. The presumed goal was to slow Marconi’s business from shutting down telegraph companies.

https://link.springer.com/chapter/10.1007/978-94-009-1784-2_5

https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-the-marconi-wireless-hack-of-1903/

Long distance phone calls used to cost money and the call set up could be done with audio tones, 1954 saw the connection of long distance using a 1000 hz whistle , Davey Crockett and 1960’s Captain Crunch whistle. The Captain Crunch whistle later turned into an electronic tool to generate tones and this lead to the first underground hacking groups. Steve Wozniak of Apple fame apparently built one and got interested in computers ☺

First financial hacks --- https://www.schneier.com/blog/archives/2018/05/1834_the_first_.html

https://www.fbi.gov/news/stories/a-byte-out-of-history-10-million-hack

The telegraph predates the radio and the telephone but moved data long distances quickly using binary encoding, just like today’s internet.

A very elaborate hack involved market direction information being added to a telegram followed by a backspace which meant disregard.

Someone watching the telepgraph operators at the remote end, who knew the code, could get the secret without the receiving operator knowing.

The scam worked for almost two years. Exact amount unknown but it paid enough to bribe people for two years. This was not against the law either.

The Citibank hack is noteworthy for a few reasons, it was due to a hacker taking advantage of vulnerabilities in the banks cash management system. The bank was tipped off because some customers noticed 400K missing from their accounts. The FBI assisted and they let the attack play out further but froze the funds on the remote end. The 10 million number is what would have been lost had the incident not been identified and responded to.

This incident also led to the creation of the first CISO position

https://www.weforum.org/stories/2024/01/cybersecurity-cybercrime-system-safety/

https://www.esentire.com/resources/library/2023-official-cybercrime-report (https://www.esentire.com/web-native-pages/cybercrime-to-cost-the-world-9-5-trillion-usd-annually-in-2024?utm_medium=email&utm_source=pardot&utm_campaign=autoresponder)

The 9.5 trillion is a scary number and it factors in a lot of things beyond the money criminals steal. From the perspective of people working in cyber, and those planning to, some of that is our salaries, some of it is the new equipment and software that is magically funded after a breach. It all represents a significant drag on the economy and enough businesses know this that investment in prevention is significant.

First convictions ( Mitnick & others)

First govt exploits ( cuckoo )

First worm

First business impacting viruses

First pentesting framework

First Ransomware

6 of 17

“Cyber Security �is full!”

Medium post received attention

Intended point entry level jobs

Conflated with post covid slump

Correctly ID’d industry half truth

7 of 17

Climate Change Relevance?

Carbon Credit Market: Money exchanged raises the potential for fraud
C-Quest Capital - $100 million fraud case falsifying data to verify emissions reductions
Amberg Corp – 25 charges providing false information, unqualified auditors

Unregulated voluntary market challenges:
Lack of standardization exaggerated benefit claims difficult to monitor
Higher global “net-zero” demand increases providers – multi-billion industry

8 of 17

Gaps & Potential Solutions

Standards, Baselines & Auditing:
Data modeling & tracking - as complex as the carbon options
Monitoring difficulties:
IIOT sensors & embedded devices, (Solar, SBC, Satellite & 5G, Cloud analytics)
GIS, thermal and arial drone footage analysis, (Multi-modal AI)
Commercial transparency:
Registries with SOC II and MFA,
Block chain recording of payments and credits

Before there was a CISSP there was a CISA, organizations realized a long time before hacking was a problem that people misusing the information systems, potentially for personal benefit was credible threat and standards on what and how to audit were created.

There isn’t just one method of carbon capture, and how you measure the growth of trees in Iceland vs Brazil is going to differ, so to would modeling livestock feed changes and soil-based recapture. Measuring the amount of capture over huge areas and tracking how well things are working so effectiveness ratings can be adjusted is going to take a lot of data over a long time. People to build these systems up and maintain them are going to be needed just like we needed data modelers during the pandemic, the difference being this is a lot larger and longer scale.

Most of the fraud issues reported can be traced back to data quality issues. As standards evolve, the ability to measure compliance becomes a lot more important and a lot of these capture facilities are remote and politically unstable. The single board computer and a wide variety of sensors as well as almost ubiquitous data communications mean an entire industry of carbon verification tech could be made in low-cost forms and widely deployed. While it is a fairly easy weekend project to build a weather station on a raspberry pi it is a very different thing to design a computer on a chip that runs on extremely low power at -50 and +50, while phoning home readings once a day or once a week. Software and hardware engineering are key skills here but let’s not forget Marconi. These data transmissions from the field must be trustworthy, cybersecurity will be an expectation in the design, not a bolt on after the fact.

A few carbon markets have been hacked because of simple account compromise, and in some cases, credits were stolen and reapplied in other markets. This is basic hygiene these days and no online bank would be in business long operating without good cyber security so raising the basic level for all markets may be a good start. According to the internet, block chain isn’t really a factor in the markets, they felt going to serial numbers was a good start. I don’t claim to be any kind of an authority in this area but many other accounting practices are using

9 of 17

Humble Beginnings�

UCLA, Standford, Santa Barbara & University of Utah 1969

TCP/IP added 1983

HTML markup 1989-1990

~2.8 million users

~100 million users 1998

~5.5 billion 2024

Sources: CHM, OurWorldinData,Org - Ritchie et al

10 of 17

“turbine to toaster”�

~25% GHG – Electric generation

~15% GHG by 2030 via digitalization (WEF)reduction

Consumption Reduction Benefits

Lighting 15% & falling globally

Smart Grid slower & unequal

~1 billion electric, gas, water

Sources: Inside Lighting, IOT Analytics

Since 25% of green house gases still come from electricity generation and very little in our modern world doesn’t require electricity this seems like an important problem to tackle. According to the world economic forum, digitalization is can reduce overall GHG by 15% if we get to half adoption by 2030. https://www.weforum.org/stories/2019/01/why-digitalization-is-the-key-to-exponential-climate-action/

While that sounds great, lets look at a couple barriers.

According to some reports lighting used to account for almost 40% of the power used, and even though the top chart is 5 years old we can see LED lighting was already commonplace.

The cost has come down quite a bit since then and for the most part LED lights can replace old incandescent and fluorescent with out any major changes to electrical wiring so we can expect LED to be almost the norm in most buildings within 5-10 years which is great.

Conversely, look at smart meter adoption, this is fairly low across the globe because there is a great deal of infrastructure changes that need to take place as well. As you can see on the map, adoption tends to align with political stability and high economic output.

I am neither an economist or a politician but from a cybersecurity perspective this highly digitized power grid adoption pattern looks like a problem.

11 of 17

Eco Driven Cyber Threats

Attack Surface Expansion
Bidirectional & mesh communications
Controlling or monitoring physical equipment
“IT” Components:
OS & software bugs
Authn & Authz
Remote admin reqs.
Sources: IET, IEEE

I override give full credit to Open AI for the best title of a new risk category, but like everything AI, we need to do the hardwork of answering “what does that even mean?”

We mentioned already that current modes of cyber crime are draining billions from businesses and national economies via cash theft and even more than that on remediation and mitigation work that follows these attacks.

If we pivot from banking and holding company data ransom into the cyber physical world I think we can start to articulate what exactly “Eco Driven Cyber Threats” might look like.

The ability for an adversary to attack a cyber physical system is dependant on number of places it is possible to tamper with data or disrupt communications

Much of the “smart” capability within equipment is the ability to communicate quickly and precisely between nodes running microprocessors and some sort of instruction set.

Whether it is called firmware or software, it was created by humans with deadlines so there are almost certainly vulnerabilities in the intelligent equipment being deployed in the field. Some which may go undetected for years, all of which will be difficult to repair once deployed.

The image on the right is from an IOT cyber security literature review but it captures the main attack surfaces of a cyber physical system,

With the physical sensors and controllers there is often a combination of embedded firmware and programed logic running the equipment. When an attacker can change those instructions damage can occur

The network communication path we see in the middle is often a way to inject messages into these supposedly closed systems. If both the physical an network elements are not accessible, most cyber physical systems have one or more applications that are controlling the equipment or at least monitoring for performance and safety issues. If an adversary can control the application somehow then once again the cyber physical environment is potentially vulnerable to disruption or sabotage.

Many of the problems that have been plaguing us for years in conventional IT like account management, application and operating system vulns continue to be a factor in cyber-physical.

Unlike releasing data in the current ransom ware attacks we are currently experiencing, a threat actor taking over critical infrastructure can damage equipment to the point of replacement or over ride controls that result in a polluting event.

Images: https://ietresearch.onlinelibrary.wiley.com/doi/epdf/10.1049/stg2.12090 , https://ieeexplore.ieee.org/document/9509539

12 of 17

Eco Driven Cyber threats

Legacy infrastructure increasing target:
Protocols control & speed focused “insecure by design”
AIC triad, reliable operations primary goal
Current security approach “after the fact”
Old Tech, New Tech Blend:
Utilities adopting “green tech” also retain legacy ops
High reliance on remote access

Consequential Cyber attacks against critical infrastructure occur far less frequently than fraud and corporate data ransomware but the trend is toward thousands per year by 2030.

Looking at the types of industries being targeted over half could have negative environmental impacts if the intended processes are being manipulated by adversaries.

Industrial protocols designed to control machinery were originally designed to use a small number of packets to issue commands and return sensor information to operators. The belief was these networks were isolated from normal corporate network chatter, viruses and worms and there was seldom any authentication or validation built into the command processing. If an attacker can inject specific types of messages into a control environment the receiving machines will typically do as they are instructed, even if that is a destructive action.

These charts are taken from the Waterfall Security 2023 threat report which is focused exclusively on industrial systems cyber security. Ransomware was behind 75% of the investigated attacks, the adversaries counting on the ICS owners’ desire to get back into operations as soon as possible.

Now even if an organization were to adopt a lot of green tech with great cyber security features, they would almost always also be running older systems without these features as well since changing this equipment out takes a lot of time and capital, often spread over years. They may also have connections with other businesses that require the legacy equipment so these environments are going to remain somewhat vulnerable for a while to come.

It is getting better, there are standards being put in place that require companies to protect the critical infrastructure but this is an after the fact solution built at the edges rather than something baked into a hardened endpoint. One of the big challenges is the distributed nature of things line power generation, pipelines and mining. To save on travel time a lot of field sites require remote admin access to be enabled on most of the digital equipment. If an adversary can gain access to these remote control capabilities they can potentially shut down systems or make changes that cause damage.

13 of 17

Eco Driven Cyber threats

Common supply chain:
Devices used to control current industrial processes often also used in green tech
Software, hardware vulnerabilities identifiable via reversing, injectable into commercial stream
Personal Compromise – Activity Tracking
Green tech often closer to people’s daily lives
Bi-directional comms collect & potentially expose usage patterns

No one builds everything in their organization anymore, they buy equipment, software and even programming services from third parties. About 4 years exploited, a very well known network monitoring platform called SolarWinds was compromised by the Russian military in an attempt to gain access to networking and server equipment in major western countries and only detected after a number of high profile companies, including Microsoft were hacked.

Adversaries have access to all the same brands and types of equipment legitimate operators are using. If they identify flaws that could be exploited they can initiate attaks directly or potentially tamper with aspects like device firmware and sell the tampered equipment back into the industry they are targeting

In addition to climate impacts, green tech cyber issues could get personal. There have already been a number of cases of privacy breaches because home assistants like Siri and Alexa were listening to everything going on in the house. What are the impacts of someone illegally monitoring your power and heating consumption, potentially figuring out patterns for when you are home, at work, sleeping, gone for the weekend etc. Would a data breach in this area result in just a burglary or escalate into an assault?

14 of 17

Possible Future Employment Ops

Equipment Design, Solution Implementation:
Software engineering skills, application development, big data design & analysis
Policy Creation & Enforcement:
Laws & regulation can lag 5-10 years behind industry
Auditing and compliance reporting
Machine Learning:
Global sized data problem != Excel
Prediction and model maintenance

15 of 17

Recommended Skills

Cyber Security Conceptual & Technical Knowledge:
Integrate security concepts into all aspects of a technology solution
Understand use cases and dependencies/requirements for emerging technology ( IT skills)
Risk Management:
Methodical, defendable identification of credible threats & impacts
Analyze mitigations proposed, prioritize actions (foundational business skills)
Communications:
Written and verbal, (briefs, fulsome reports, presentations, learning modules) (business coms class)
Multi-constituent comfort, IE, engineers, executives, operational staff, possible HR …

16 of 17

Questions?

17 of 17

Thanks & Contact Info

Organizers for inviting me,
You for listening

Doug.Leece @ Gmail ( slide copies, citations )
https://www.linkedin.com/in/dougleece
https://caffeinatedrisk.com/podcasts
Bsides Calgary https://www.bsidescalgary.org/