Executives don’t understand software and that’s a problem – Robert Howe
Robert Howe is an independent management consultant.
For the last few years, I’ve been testing the postulate that the higher you look inside an organization, the less understanding there is of software. In that time, I’ve encountered a fair amount of confirmation, but mostly based on anecdotes or opinion. Recently, I was involved in a project at a non-Dutch multinational that has provided me with first-hand evidence, not only of the reality of the postulate, but also of its rather shocking scope.
Before we get into the details, it’s probably worth discussing why a lack of understanding of software at executive level is an issue. Simply put, as hardware has become increasingly powerful, cheap and commoditized, it’s software that’s becoming the more significant creator of value. And the thing with software is that it changes the business game. Perhaps the simplest-to-explain example of how software is changing business is the shift from the right-to-own a product to the right-to-use it. Owning a product is a capital expense that implies investment and risk. Using it is an operating cost that comes out of the bottom line. Guess which one most businesses would prefer and, if you guessed rightly, you’ll understand why servitization business models are the next hot potato.
What we’re talking about here, of course, is digitalization in general and Industry 4.0 in particular. You only need to read McKinsey, Deloitte or any of the other manic street preachers of business to realize that every company needs to be playing the digitalization game or they won’t be a company for much longer. But here’s the thing: software is the medium through which digitalization is expressed. If you don’t understand software, you have no hope of coming up with a decent digitalization strategy. And who is it that sets strategy for an organization? Indeed, executive management.
The multinational-who-shall-not-be-named, to which I referred earlier, had got this message, which is a very good thing. They realized that a lack of understanding of software was getting in the way of business. Therefore, they instructed their training department to come up with a course aimed at educating their top 150 executives in software. In keeping with their national stereotype, the training department came up with a course that addressed everything about software and software engineering. I got involved because, together with two colleagues familiar to you from the pages of Bits&Chips, I was asked to review the course. For two days, twelve different instructors presented summaries of the material that they had included in the course, hundreds of slides in fact. I can tell you that, even though little of the material was new to me, at the conclusion of the review my head was fit to burst.
Our advice to them was straightforward: way too much information, way too much detail. Having paid for this advice, they took it and drastically simplified the content, to a degree that they felt that they’d left out essential information. Then they ran a pilot course for selected executives. In the words of the head of training, the results were disastrous: most of the executives very quickly got lost. When I spoke to him afterwards, he was disconsolate. He kept repeating that he couldn’t believe how little the target audience understood about software and how huge the gap is between what his audience actually knows and what they need to know.
From a Brainport perspective, I take some consolation from the belief that our executives are more au fait with software. But not so much that we’re in a stronger position to lead the way in digitalization. We need to find ways to help our business leaders better understand the nature of the medium of digitalization. If we can, our industry will go from strength to strength.
Where the hack is my mobile robot going?
The Fontys research group High Tech Embedded Software has analyzed several industrial SME environments and found multiple cybersecurity vulnerabilities. One of the case studies concerns an AGV. Second-year ICT & Cybersecurity students have shown how a lack of authentication and encryption allowed them to take over navigation control.
Casper Schellekens, Teade Punter, Ron Mélotte, Tom Broumels, Lake Lakeman
Figure: Overview of vulnerabilities in AGVs.
With the digital transformation towards Smart Industry, cybersecurity becomes much more important in industrial environments. Many threats and attacks are imaginable. Think of malware, ransomware, targeted attacks by cybercriminals or state-sponsored hackers, script kiddies exposing system vulnerabilities or denial-of-service attacks.
Logistical robots are increasingly applied in industrial settings. Second-year Fontys ICT & Cybersecurity students have, under the supervision of a teacher, set up and performed a security vulnerability analysis on an automated guided vehicle (AGV). They uncovered several serious problems.
Vulnerabilities
An AGV is a logistical robot that’s controlled by so-called fleet manager software. This fleet manager sends transport orders to the robot, i.e. the coordinates for a mission. The AGV can navigate with the help of maps stored in its memory. It has safety systems such as contact bumpers and lidar to prevent it from running into obstacles or humans on the way.
One of the students’ findings was that the communication between the fleet manager software and the AGV was unencrypted and without any authentication mechanism. This allows for man-in-the-middle attacks and injection of coordinates. As a result, the robot could be sent to arbitrary locations.
After some guessing, the students found the control messages to be composed of an X and Y coordinate and a rotation, stored as hexadecimally formatted 64-bit double values. Using simple scripts, the AGV could be fully controlled in an automated way. With this, the logistical process in a Smart Industry setting could be compromised, or the AGV could be stolen. Other attacks were also possible, such as adapting or removing map information or adding missions to the vehicle consisting of several destinations that are stored and then executed independently. There was authentication to access the fleet manager software, but this was sent over the network in plain text. An attacker listening in on the network could capture the password and get into the fleet manager software, enabling him to control the settings and management of the whole AGV fleet.
Figure: Unencrypted authentication of the fleet manager software.
The operating system and configuration of the AGV system also suffered from security weaknesses. Access to the system was allowed through SSH, Telnet and FTP. However, the last two communication protocols are both insecure because of lacking encryption and authentication. Using password attacks, the students could obtain Telnet and FTP access. With FTP access, the stored maps could be compromised, allowing attackers to give the AGV a false understanding of its environment. There were also unused services running on the system, such as a web server with a couple of web pages. This web functionality wasn’t listed in the system documentation and didn’t seem to serve any purpose. Unneeded system services increase the attack surface and the risk of exploitable software vulnerabilities.
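As an added illustration, not the students’ scripts and not the vendor’s real protocol: the snippet below parses a mission message of the kind described above (three 64-bit doubles for X, Y and rotation, hex encoded), shows how a shared-key HMAC would let the AGV reject messages that did not come from the fleet manager, and flags destinations outside the known map as a monitoring check. The exact byte layout, the key and the map bounds are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed wire format (constructed for this example): three big-endian
# IEEE-754 doubles, x / y in metres and rotation in radians, hex encoded.
MISSION_FMT = ">ddd"
MISSION_HEX_LEN = struct.calcsize(MISSION_FMT) * 2   # 48 hex characters
TAG_HEX_LEN = 64                                      # HMAC-SHA256, hex


def encode_mission(x: float, y: float, rotation: float) -> str:
    """Fleet-manager side: pack a destination into the hex payload."""
    return struct.pack(MISSION_FMT, x, y, rotation).hex()


def decode_mission(hex_payload: str):
    """AGV side: unpack the hex payload into (x, y, rotation)."""
    raw = bytes.fromhex(hex_payload)
    if len(raw) != struct.calcsize(MISSION_FMT):
        raise ValueError("unexpected mission length")
    return struct.unpack(MISSION_FMT, raw)


def tag_mission(hex_payload: str, key: bytes) -> str:
    """Append an HMAC tag so the receiver can check who produced the message.
    This adds authentication only; the coordinates still travel in the clear."""
    tag = hmac.new(key, bytes.fromhex(hex_payload), hashlib.sha256).hexdigest()
    return hex_payload + tag


def verify_mission(tagged: str, key: bytes):
    """Return (x, y, rotation) if the tag matches, otherwise None."""
    if len(tagged) != MISSION_HEX_LEN + TAG_HEX_LEN:
        return None
    payload, tag = tagged[:MISSION_HEX_LEN], tagged[MISSION_HEX_LEN:]
    expected = hmac.new(key, bytes.fromhex(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_mission(payload)


def out_of_map(hex_payloads, bounds):
    """Monitoring check over captured payloads: return the (x, y) of every
    destination that lies outside the factory map (xmin, ymin, xmax, ymax)."""
    xmin, ymin, xmax, ymax = bounds
    flagged = []
    for payload in hex_payloads:
        x, y, _rot = decode_mission(payload)
        if not (xmin <= x <= xmax and ymin <= y <= ymax):
            flagged.append((x, y))
    return flagged
```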
All found vulnerabilities were communicated to the developer of the AGV, who has taken action to improve security. The wireless router on the mobile robot has been configured to block unneeded ports and guidelines have been added to the user manual, including advice on the use of strong passwords and network segregation. This doesn’t fix the unencrypted communication itself but does lower the probability that an attacker can get access to the network and the AGV. The software and component suppliers were also contacted with the request to improve communication and system security.
Security improvement
The growing use of robots in industrial and logistical settings causes new cybersecurity-related requirements and challenges. Smart Industry developments, in general, impose more and more requirements on internet connectivity and data protection. Industry is used to working with formal safety management to prevent physical damage, environmental damage and human injury, but if security cannot be guaranteed, safety can also be compromised. Therefore, standard IT security principles, security processes and security controls must be applied in these operational technology (OT) environments, from authentication and strong password policies to firewall protection and secure remote management.
Figure: An encoded but unencrypted message from the fleet manager to the AGV.
Figure: Coordinates in a remote control message to the AGV.
Note that the available options and solutions to security threats are different in OT and IT environments. In OT, real-time performance is important, maintenance windows are often small and scarce, and software updates and update processes are much less common. With these limitations, security relies more on additional security controls such as network segregation with strict firewall filtering between IT and OT networks. Security monitoring and intrusion detection will also help to protect, even without interfering with real-time performance, but starting this from scratch takes time and effort.
Key components of security improvement are security awareness in all organization layers, regular penetration testing, risk analysis, incident registration and a plan-do-check-act security management cycle. This security analysis also shows that it’s a combined responsibility of component suppliers, system integrators and the operational organization using the AGVs. Security vulnerabilities were found, but with this input, actions were also taken to improve security.
Casper Schellekens, Teade Punter, Ron Mélotte, Tom Broumels and Lake Lakeman are part of the High Tech Embedded Software research group at Fontys University of Applied Sciences in Eindhoven.
Edited by Nieke Roos
LIGHT IS LIFE!
If 2020 has made us realize anything, it’s how much of life’s purpose and pleasure comes from relationships and human connections. We need people around us; it’s just the way we’re built. The buzz, the joy, the community, those we love. Close by and far away. Technology in many ways enables this. And therefore life! Especially in this disorienting year, it’s important to celebrate that we’re all connected. But the famous Glow light art festival in the city of Eindhoven was canceled, like so much else...
Connecting the dots
This year, Glow created something unforgettable: a gigantic artwork for all citizens of the world. An artwork that came to people and connected them without anyone having to leave their homes. “Connecting the dots” was a city-wide project and worldwide livestream with three central elements. The first was a spectacular blue night sky – a blue dome projection by Finnish light artist Kari Kola. An uplifting warm-blue blanket that wrapped around and embraced the city. Second, a sea of beautiful red dots floating throughout the city – 1,000 LED-powered balloons, designed by light artist Ivo Schoofs, spreading light inside and out.
From (the children of) Eindhoven to the world
20,000 special “Glow Dot” lamps made by children completed the masterpiece. A project of 20,000 artists, led by artist Hugo Vrijdag and the Inventors team of the Discovery Factory. The result was a beautiful blue sky speckled with fixed and floating red dots, lighting up the city to create an unforgettable, moving experience for everyone to enjoy.
Children’s passion for technology
The art festival was the perfect inspiration for children to create their own tech-based products. With the soldering and coding workshops of The Inventors, they contributed to this large and beautiful work of art, which they’ll never forget. Meanwhile, they learned about their own passion and talents for tech. And exactly that’s The Inventors’ mission. Therefore, a large thank you on behalf of all children goes out to Glow Eindhoven, ASML and Signify, sponsors of this immense project.
Text: gloweindhoven.nl
The Inventors programs are there to inspire youngsters for a future in design and technology. Projects are supported by tech companies such as ASML, Brainport Industries, Daf Trucks, Frencken Europe, Hager, High Tech Campus Eindhoven, NTS Group, Philips, Prodrive, Stam en De Koning and VDL Group, and by Bits&Chips as the media partner.