
Jailbreaking tractors and what it tells us about ineffective security. No, really


Ellie Hurst is marketing manager for Advent IM, which is the UK's leading independent information security and physical security consultancy.
March 31, 2017


Back in April 2015, WIRED.com ran a story on agricultural equipment giant John Deere.

It concerned ownership of its equipment by farmers and the fact that they don’t. Yes, that’s right, the farmers don’t own it; they pay for it as an implied licence. At least, that is what John Deere says, and the company is enforcing this status by using copyright law, based upon the computer coding that is used in its vehicles.

It appears one of their fears is that users may use their equipment to pirate music on their tractors. Stay with me.

Apparently, this is a big concern for them. While it is very noble of John Deere to protect the world from those heinous music-pirating farmers, they have inadvertently created another problem: the proliferation of rogue Ukrainian jailbreak software among those farmers.

Not to download a Katy Perry track or the latest Hollywood blockbuster. No, this software is to ‘jailbreak’ management systems that have been allegedly locked down by John Deere, so farmers cannot access parts of those systems in order to carry out repairs.

If you are still reading, you will no doubt be wondering where on earth we are going with this. Well, we are going down the cyber security path, of course.

Ukrainian jailbreak software

Because the issues raised by these events got us thinking. Agricultural equipment is pretty robust, physical stuff, required to carry out robust and physical work. If this equipment malfunctions, the user (obviously, given the above, we can’t say owner, as that is, apparently, John Deere) may be a long way from safety, never mind repair.

Locking down areas of repair that then require the users to return the equipment to a registered dealer or repair source is a lot more serious in a tractor than it is in an iPod or a broken phone. The concept of denying access to a device or service might be familiar if you have experienced or read about ransomware, which does something similar but without the protection of copyright law.

(There is a distinction in the UK with car ownership, in that cars have a ‘registered keeper’ rather than an owner. This, however, makes it simpler given the increasing number of cars that are leased and not bought.)

So, farmers with clear frustration have turned to the cyber world for a solution and this murky world has responded. If US farmers are now using Ukrainian software to jailbreak their own tractors and equipment in order to expedite the repairs, they are taking a risk.

Business ethics aside, surely it is poor practice if it means your users go to such lengths, not to mention risk, in order to carry out repairs? Using unknown software is always a risk, but it happens. This, however, is an unusual situation.

Agility

Stepping away from US tractors for a moment, poor security looks and feels a lot like this: security says “no”, so users find ways around the policy, software or process to do the job or task they need to do. They may be looking to increase agility or build in greater efficiency.

Good security should enhance agility and efficiency, not hinder it. In fact, it should enable greater agility by being proportionate and well planned, meaning that legitimate users are able to access what they need, when they need it, and know it is secure, accurate and complete.

When you start arbitrarily blocking access to areas, networks and applications or tools that users genuinely need, they will find a way around the problem themselves, and the chances are, you will not like the fix they find. Like the tractor users breaking into their own tractors, they may take risks or compromise security to get the result they need.

Understanding risk, risk appetite and tolerance, and how to assess risk, is vital in business. When it comes to security, it can mean the difference between well-informed, enabling security that comes as a cultural fingerprint and the risk-averse, fear-led ‘security says no’ approach that causes situations such as we have described above.

Of course, it is completely understandable how businesses find themselves with this kind of negative culture. There is a lot of threat out there and any businessperson who has read a cyber security research paper in the last seven years will tell you the biggest threat comes from within; the insider threat.

This is completely true, but at the same time, business moves just as quickly as threat and needs to stay on top of any agile systems and practices that enable its users to perform at their best. When you understand the need for access to these ‘risky’ platforms, apps or data, then you are at the start of finding ways for legitimate users to exploit them as they should, in order to be effective.

One size fits all

It’s the one-size-fits-all approach that leads to security saying “no”. Being thoughtful and proportionate in how access is decided and permitted will lead to much better results and reduce the likelihood of users taking risks to achieve the results they need.

This, of course, does not apply to non-legitimate users of certain services. Making policy clear enough for everyone to understand what is expected of them, and enforcing that policy after you have thoroughly educated users on it, will help.

While it is true some people will always try to break the rules, having at least worked out who should not be blocked from a service or data, and who should be blocked and will abide by this policy, reduces the number of people you need to be concerned about, so your resources will be better spent identifying and rectifying those situations.

Back to the tractors and the risk. There is a lot to be said for using only authorised software from dealers. We are all connected now. If it’s web-enabled then it’s hackable and we don’t have to look very far to see what happens when malware is let loose in both the cyber and the physical world.

Malware specifically designed to attack physical systems was showcased at a recent convention, and we have seen several vehicles hacked to great effect and with great press coverage over the last couple of years.

The trouble with living in an interconnected age is that when you take a cyber risk, you are taking it for more than just yourself; you are taking it for whoever you are connected to as well.

So when applying security principles such as blocking or disabling platforms, data or services, we need to be certain we have done this from a solid understanding of the genuine risk.

Only through doing this will we start to mitigate the risk from the accidental insider threat.

Ellie Hurst – as well as Advent IM’s MD Mike Gillespie – is confirmed as a speaker at IFSEC International, Europe’s largest annual security trade show, which takes place between 20-22 June 2017 at London ExCeL.

Ellie will be speaking about recent high-profile CCTV hacks and the rise of ransomware as a tool to attack physical systems in the Installer Theatre. She will also provide a free glossary for those who need to return to their businesses and talk to their cyber security specialists.

Advent IM’s managing director, Mike Gillespie, will be in the Borders & Infrastructure Theatre, addressing the subject of ‘Security by obscurity in critical national infrastructure’.

 
