Tag Archives: Stuxnet

Upgrade or perish

Good old technology
Good old technology

The Voyager 1 spacecraft was launched in 1977 and will continue operating until 2020 (43 years), approximately 18 billion Km from earth. The NASA team built a dedicated control room for this and other deep space missions. This means they can continue to use the original computer and communication systems through the decades without continually upgrading operating systems.

A few years ago I visited the European Space Agency Operations Centre in Darmstadt, Germany where they had developed new approaches to dealing with the technology cycle and were building shared control rooms for their multi year missions like Rosetta and Cluster II. This is a complex challenge as operating systems become unsupported, programming languages change and engineers move on or retire.

Unfortunately most organizations do not have the luxury of ignoring the upgrade requirements from the technology cycle. IT departments put significant resources into continually upgrading products, often for no tangible business improvement. One of the biggest challenges around upgrades is the computer operating system. In April 2014 the XP operating system will no longer be supported by Microsoft and yet 38% of computers worldwide still use XP.

So how should organizations still running XP approach the end of support milestone. I believe that there are 3 items to discuss at the very highest level in the organization:

  1. The Risk. The primary risk is that when XP stops being supported, Microsoft will no longer issue security patches for discovered vulnerabilities. So how many vulnerabilities remain in XP and how serious is it when they are exploited? The Stuxnet worm (used to destroy uranium enriching centrifuges) used 4 previously undiscovered vulnerabilities. It is a fair bet that someone out there has discovered more vulnerabilities and is waiting until end of support to deploy them and maximize return on investment.The end of support for XP is particularly attractive to hackers. You could end up with malware that is almost undetectable and provides hackers access to systems long after XP has disappeared from your network.
  2. The resources required. There are 3 areas that will cost (and often dearly) – new licenses (either for the operating system or to update old software that does not run on 7); – testing for all the existing applications (almost guaranteed that some will not work first time); and the change project (including designing and deploying the new components and training). $1200 to $2000 per computer is the Gartner estimate, and I ran a project for 900 seats at $1.2M.
  3. The technology options. It is really too late to start an enterprise upgrade project and have it completed inside a year. Even if you get organized internally, the integrators have their resources fully committed to enterprises that have started before you. The situation is particularly serious if your desktop management systems are not up to date.I suggest that you need to look at procuring a cloud based managed desktop. Talk to a few vendors to get a pilot up and running while you develop your procurement documents. Identify and prioritize application testing and ensure that there are nominated business reps to own the test outcomes. Start working with the HR department on a bring your own computer strategy. Most importantly, write a business case that frames exactly what you are trying to achieve and minimize the scope to tackle the core issues, leaving the “nice to haves” until the new technology is bedded in.

One last piece of advice – if your organization “simply does not have the money” for an upgrade, secure your superannuation and check out Seek.com. In the end, upgrades are non-negotiable for anyone except NASA!

Don’t get comfortable, the internet of things is coming

Flat out
Flat out

The role of a chief information officer in a large company has its challenges. They have to intermediate between the messy world of business and the even messier world of IT. Their focus is on the risks, costs and opportunities of today and they have few resources to prepare for the future.

I would argue that the next big challenge in IT is something that most CIOs are not ready for. This is the integration of information technology (IT) with operational technology (OT). It is a question of how we manage the internet of things – devices communicating over the internet without human interaction.

To give a personal example, as CIO I supported the operation of a newly purchased ore crushing machine (OT) at a remote mine site. The machine needed to run optimization software that was hosted on the vendor’s computers. This meant connecting the machine through our corporate network (IT) to the vendor. The vendor had no security accreditation and did not offer the security tools that we insisted on from our regular IT suppliers.

The machine had been purchased and the investment in a second communications link was substantial. In the end we accepted an increased security risk, given the costs of mitigation.

There are 3 big challenges with the internet of things:

  1. Security. As soon as we connect devices to the internet, there is massively increased opportunity for malicious attack. Hackers from anywhere in the world may obtain access, as highlighted by Mandiant. Many suppliers of OT do not have the resources to invest in properly secured systems.It is just a matter of time before serious mechanical or safety incidents occur. The Stuxnet virus destroyed hardware used to enrich uranium in Iran, but also infected over 200 Australian based devices. The Australian Government Computer Emergency Response Team found that 35% of attacks were non-targeted and indiscriminate.
  2. Integration. As the complexity of internet of things devices increases, so does the ability to store and utilize data. This data needs to be exchanged efficiently with corporate IT systems, however there are few standards.One example I came across recently was from an engraving firm. They had a web site through which customers could place their orders. To get the details into the connected engraving machine required them to rekey all the data, leading to errors and wasted time.
  3. Purchasing. The people buying OT hardware and software have a focus on the performance of the system. They are often less expert at understanding the license conditions and costs of ongoing support. It is not uncommon to see the same corporate license purchased more than once in an organization.

Some organizations are taking the bull by the horns. At the Australian Broadcasting Corporation, they have put the engineering services for recording and digital editing under the CIO. The critical infrastructure providers such as the utilities and airports have invested in professional approaches to OT. For many however, this is another problem just waiting to happen.

Do you have any plans for the internet of things?