Meditations on Icelandic tomatoes and the challenge of raising cybersecurity awareness

For a cybersecurity practitioner, raising awareness about the vulnerabilities of IT and Industrial Control Systems to today’s threats emanating from cyberspace can sometimes resemble the hopeless task of Sisyphus (1). The practitioner has the knowledge, but it is not an easy thing to convey the concerns to higher management that may not be as technically savvy (perhaps also lacking imagination) in a way that will initiate productive action leading to mitigation of the threat. As Alexander Solzhenitsyn wrote in one of his novels, “how can a man who is warm understand a man who is cold” (2).

Recently my family visited Iceland. We did a 7-day drive on Route 1, which goes around the perimeter of this island country. In the evenings I re-read an old Tom Clancy novel, “Red Storm Rising”, which used Iceland as a setting for much of the plot. Some of Clancy’s novels were prophetic, as with one plot line where he ended one of his books with a 747 crashing into the US Capitol. Clancy, however, got it wrong, I think, in saying that the sheep in Iceland smell. I saw a lot of sheep in Iceland and did not notice any smell. The story starts in an interesting way, with a terrorist attack on the control systems (remotely opened and closed valves) of the largest oil refinery in the Soviet Union. I can leave reading the rest of the book to others if interested.

I was enjoying the natural wonders of the landscape and geology and almost forgot about cybersecurity. Almost, that is, until, acting on a recommendation, we visited a tomato farm for lunch. The farm consists of greenhouses that, through the use of high and low tech, provide a tomato crop throughout the year. The low tech comprised the importation of bees from Holland and the use of the natural geothermal resources to supply heat and water. The high tech comprised systems that managed the geothermal resources to heat and provide electricity for the operations of the farm. Weather was monitored, and water supply and heat were regulated, using an automated system that monitored and maintained optimal conditions that allowed for growing tomatoes, even during the long polar nights. It was a very impressive use of technology indeed, and a good example of how it can be used to contribute to the economy of a country not naturally suited to growing cash crops. However, I stopped in my tracks while reading the poster describing the operations of the farm next to our table. The key part read like this (names have been xxxx out):

“Modern technology
Each greenhouse is equipped with a climate-control computer system for temperature, humidity, carbon dioxide and lighting. The computer is connected with a fertiliser mixer, which waters the crop according to a programmed system. On the roof a weather observation unit provides data on wind speed and direction, temperature and light. When the sun comes out, and natural light reaches a certain level, the lights are automatically switched off – and come on again when the light level falls. All the systems are linked into a mainframe computer connected to the internet – so xxxxx and xxxx can monitor and adjust the systems at xxxxxxx, wherever they are in the world.”

I looked around to see if the owners were about and did not see them. If I had, I sure would have asked them some questions about the cybersecurity policies behind the use of their IT and ICS systems. What measures are taken to secure their Internet connections when they monitor and adjust their systems remotely while on a trip? Have they heard of terms like Stuxnet and Shodan? Have they heard what happened at a German steel mill and about what happened in Ukraine last winter?

My chief take-away from my visit was a further confirmation of the pervasiveness of IT and the Internet in the world today. There is a great deal of wonder found in today’s technology, and one cannot blame the owners for displaying their pride and skill in putting this new technology to use in their family business. However, I really wonder how much the owners are aware of the vulnerabilities that also come with the application of these enabling technologies. The same can be said for the designers and manufacturers of these systems. How much are they aware of these vulnerabilities when they design and build these systems? Do they have security-by-design policies in place, or do they take the traditional IT industry route of putting the product out to market first and then adding security updates/patches after a flaw has been discovered or after an attacker has taken advantage of it? How much care do they take in informing their customers about the safe use of these technologies, information that goes beyond just fire and electrical safety and extends to cybersecurity?

One of the key issues is raising awareness, and this cannot be done by the cybersecurity practitioner alone. These questions need to get the attention of decision makers who, together with practitioners, management, manufacturers, and customers, work toward the design and manufacture of a cyber safer and marketable solution. Until then the work of the security practitioner may feel like heaving a huge rock up a hill.

Photos: V. Butrimas, Iceland

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any institution or organization affiliated thereof.

Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is a member of ISA 99 Workgroup 13, which is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard, and Workgroup 14 on security profiles for substations.