Trainhacking

By Roel van Rijsewijk


Inspiring conversations with Daniël Wunderink – (CISO) GVB in Amsterdam


This time my guest at my kitchen table has a name I love but seem to pronounce wrong: in German, like ‘wunderkind’. “A common mistake”, says Daniël Wunderink, Chief Information Security Officer (CISO) of GVB in Amsterdam, with a smile: it is the ‘u’ of ugly. It breaks the ice. And while my wife pops her head around the corner to say bye, we start this cyber conversation to the cadence of the dishwasher running in the background. A sound that actually reminds me of a moving train on the track. This already provides us with our first analogy.


Born to hack
But before I talk to Daniël about his work as Security Officer for one of the Netherlands’ largest public transport companies, I want to talk about Daniël as a person. I have heard that he is rooted in the hacker world. I ask him where his story and fascination for cyber begins. And that turns out to be at an early age, as it is for almost all hackers.


“When I was about eight years old, two older cousins studied computer science. At that time, we also got our first PC at home, an old 8086 Intel. I myself would have preferred a Nintendo, because you could not play games on a PC. But with the help of my cousins and some books from the local library, I managed to program the PC. That’s where the seed was planted.”


“And are you a real hacker?”, I ask curiously. “And by that I mean that you not only understand how it works, but also want to see what happens if you do something with the system that it wasn’t designed for?”


Daniël thinks about this question for a moment. “To be able to program a simple game, you need to know a lot about the system, but apart from that, I was also breaking and making stuff in the physical world. I recognize that behavior in my son. It is really a mindset; that you want to know how things work and tinker with them to see what else you can do with them. That indeed is a common thread in my life.”


That triggers me: “So you are born as a hacker? With a fascination for how things work and what else you can do with them?”


Daniël laughs: “Otherwise you’re not a real hacker, then you just learn some tricks.” Fascinated, I continue to listen to his story, because there must be a moment when Daniël realizes that it is a skill that can be used with good and bad intentions.


“I remember that moment very well,” he says, while I cannot help but notice a little twinkle in his eyes. “I was studying and analyzing Linux, Unix, Solaris and things like that, until one day two policemen and a network administrator walked into the classroom and arrested the guy sitting next to me. All the administrator said was ‘it was him’. And even though I never knew what he had actually done, in my mind he had hacked. That was the decisive moment for me when I realized that you could also do bad things, cross the line. Before that, I considered it fun and games; opening each other’s CD drawers from a distance and so on. From about 2000 onwards, I also discovered SQL databases and xp_cmdshell for hacking systems and I realized there was still so much to learn and discover. That’s when I really became a ‘hacker-hacker’.”


Black Hat, White Hat, Grey Hat
The conversation gets more and more exciting. I ask him what type of hacker he was. A ‘white hat’, meaning someone who always works with permission and good intentions, a ‘black hat’, who doesn’t have permission and has bad intentions, or a ‘grey hat’, someone who breaks into systems without permission but does not necessarily have bad intentions.


“Biology and medical science have made me a better IT person.”


“To be honest, I never defined what I did in those terms, because back then nobody made those distinctions yet. Yes, I was messing around on other people’s stuff, but back then you didn’t need permission. There were no passwords either; you just grabbed your modem, started making calls and if you were in, you were in. Until someone was arrested,” he adds, laughing.


I recognize what he says. There is still a complex relationship between companies and the hacker community. Do you call the police because a hacker broke your systems, or do you say thank you for what he discovered because you can learn from it?

“Coming in through the backdoor is different than ringing the doorbell,” he replies. “For me, the moral boundaries are that you have to respect other people’s property and don’t break anything. That is also the line I draw when I am dealing with ‘grey hats’. I thank them for the information, but I have to admit that I also ask them to please not do it again. Because at GVB there is a whole operational system behind it that is intended to ensure safety in public transport. A system where you cannot always oversee the consequences of a hack.”


The biology of cyber
A nice bridge to talk about his work as a CISO, but I’m going to cross that bridge later. The next steps in his career are decisive for the work he does now. It turns out that Daniël did not study computer science, as you would expect, but biology.


“The best advice I ever got from a professor,” he explains. “At the time, computer science was very theoretical and I knew all about the practical side. I wanted to discover much more and I found that in biology. Although I was also interested in Mathematics and Physics. At the end of the nineties, there was only limited computer science applied in the science faculties, so you still had to go through the DNA code by hand in order to dissect viruses to prepare a vaccine, for example. I found it interesting to automate those kinds of processes and to design algorithms.”


This brings us to the next analogy in this conversation: Biology and Code. “Biology has made me a better IT person. For example, I can understand the behavior of complex networks thanks to my studies in biology. Many biological organisms are networks, so I can quickly see how things in a network relate to each other or how information flows between networks.”


To serve and protect public transport in Amsterdam
By now, the dishwasher in the background is beginning to sound more like an old diesel train. I switch it off and then make a jump in time to GVB, where Daniël settled about three and a half years ago after a brief stint as a teacher, training in MBA Information Management Public Governance, and a career at KPMG, where he moved via IT consultancy to an ethical hacker team, before moving on to a management role at PwC. Daniël: “And then GVB came along where I could be involved in technology and contribute to society. The best of both worlds.”


“Is protecting public transport more socially relevant than the work you did before?” I want to know.


“Yes, don’t get me wrong; breaking systems is still the most fun thing out there, but with the aim of defending it. The easiest defense, of course, is to pull the plug but that’s only the last resort. The challenge is to set up your environment in such a way that you can both defend yourself against attacks and remain agile enough to be open to your environment with connections to other systems, data streams and networks.”


Security drives innovation
And this is where Daniël speaks to my cyber heart. If you only look at the downside of cyber risks and see it as your job as a security officer to prevent things from going wrong, then you get something very restrictive. You can put data in a safe and lock it up. Then it’s secure but you don’t have access to it so it’s of no use. You want to run those risks because that’s where the value is: accelerated innovation, get value out of data and empowering people with information technology. “Actually, that’s what you want: as much functionality and usability as possible and therefore as little security as possible.”


“A common threat for public transport is a younger version of myself.”


“No, not less security, but enough security. Many people think of security as a limiting function, but I see it more as an enabler; as a function that makes things possible. If I relate this to my own work at GVB, we are increasingly moving towards a self-organizing landscape that acts on data. You can only do that if you can trust that data, so you can then use it to automate and manage your business processes. Therefore, in my view, it is not about restrictive policies and applying the brakes, but security more as a driving force: an engine.”


The attack surface of trams
“Speaking of your work, how is it going with the digitization of public transport?”

Daniël starts laughing and his eyes light up again. “I’m in for a treat, because when we phased out the previous tram, the G12, we also said goodbye to DOS 3.11, a very old-fashioned operating system. So that is actually the scope of our digitization: from DOS 3.11 up to and including the most ‘bleeding-edge’ systems, such as self-operating systems, data warehousing and digital twins. Actually, we operate the entire 40-year history of IT.”


It is clear that digitalization in public transport is here to stay. This can only be a good thing and it also makes it safer. “But doesn’t that also make it more vulnerable to external attacks? And what are the main threats?”


“Yes, from the outside, but also from the inside, but that’s the fun part of such a big system. There are millions of hackers in the world, so for some of them, disrupting a system like the GVB is a piece of cake. But that is true of any system. One of the biggest threats is the criminal gangs that have been on the rise for the past three years, who can also hijack public transport systems with ransomware. But there is also the threat from countries, the so-called state actors, who might want to attack public transport systems. And there are some examples, like the US attacking public transport systems in Canada, in this case to try out their exploits.”


I almost fall off my chair. Countries attacking the public transport systems of their friends and neighbors? Is the Netherlands also under attack?

“Definitely! Although we sometimes suffer from the ‘Calimero effect’; we are too small to be interesting enough. But more and more reports confirm that the Netherlands is also under attack from other countries. Recently we connected an unprotected server to the internet for five minutes. That resulted in 14,000 scans, 80 exploits and almost 100,000 different login attempts. So we are definitely a target. However, it is not always clear whether these are state actors or whether they are done by certain hacking groups. If you analyze the malware that is used, for example, you can find out whether it comes from the same group, but it is difficult to prove who exactly is behind it. Malware as a Service is also becoming more and more common these days, where a group programs some malware after which a criminal gang builds a whole infrastructure around it, including a help desk, where you can then simply rent or buy a license to carry out an attack. Moreover, there are countries that can easily deploy a division of 12,000 hackers to attack one target, and I have to defend it with my team of ten people? That is almost impossible. Resilience means that you can react quickly, no one gets hurt and the operation can continue. So for me, cybercriminals are the biggest threat, because they will be the first ones attempting to get in when we make mistakes. Then there are the classic hacktivists, but I don’t see them as a real threat. Finally, a common threat for public transport is a younger version of myself. Someone who does it for fun, because he can, because he enjoys hacking into the public transport information boards at a train station, for example.”


Coordinated Vulnerability Disclosure
This reminds me of a story about two boys from Poland who, out of boredom perhaps, started tinkering with a TV remote control, with which they were then able to operate the switches on a tram track. No bad intentions, but with potentially serious consequences. As we think about this for a moment, we return to a subject that we touched on briefly at the beginning. Because public transport systems are a tempting target for hackers who do it for fun. Couldn’t you use this to your advantage? With ‘responsible disclosure’, to facilitate these types of hackers to report their findings to you? ‘Responsible disclosure’, or what is nowadays also called ‘Coordinated Vulnerability Disclosure (CVD)’, is the disclosure of ICT vulnerabilities in a responsible manner and in cooperation between the reporter and the organization.


“Do you call the police because a hacker broke in, or do you say thank you for what he discovered because you can learn from it?”


Daniël does not entirely agree. “The risk is too high to invite hackers to attack operational systems, because you cannot oversee the consequences if someone who does not know the system suddenly starts messing with it. However, you could organize ‘hackathons’, for example, and invite hackers to hack a new electric bus or in a simulated environment.”


The digital dilemma
Another problem in the world of operational technology is that both the technology and the security of public transport are, by definition, ten years behind. A project like the ‘Noord-Zuid-Lijn’ took 15-20 years from application to completion. The developments in technology go so fast that by the time such a project is completed, everything is already out of date. “Aren’t you running an enormous security risk?”


“No, that is not necessarily the case. For example, a brand new tram in Amsterdam is currently running with a generation of sensors that already existed when I was twelve years old. At the same time, these are very reliable sensors, with proven technology and little interference. The current generation is not ‘hardened’ enough yet. In terms of security, you simply have to isolate the older technology. You must not want to extract any data from it, because that would make it all the more leaky. That is what makes an OT system unsafe, not the age of the system but the subsequent connection and access to such a system.”


“Ah, the digital dilemma,” I add to this. “Connections make a system vulnerable to attacks, but the same connections also make it easier to detect these attacks. In fact, that is the business case: investing in security to enable remote access, make connections, extract value from data and innovate. What makes you vulnerable is actually also the foundation for guarding against that danger.”


Hackers are the best defenders
“Absolutely, but that danger very often comes from good intentions. For example, I have many discussions with professors who do not understand that it is not okay to allow the police to intervene in a moving Tesla, because that opens the door to very great dangers. I do trust the police, but you mustn’t build in any backdoors. The hacker community is also philosophizing about these kinds of issues. How do we apply technologies in our society and what kind of world do we want to live in?”


“This is the new generation of CISOs.”


“And what kind of future does that bring? The road to hell is paved with the best intentions!”


Daniël starts to laugh. “I agree. We have to get better at defending and investing in new technology, but also realize that you can always be hacked. The technology itself is value-free, but it’s the intention of the person applying the technology that matters. You can have thought of something with the best intentions, but it can then be terribly misused. A lot of technology that was once intended for defense can also be used as a hacking tool. This awareness must be raised. Pandora’s box is open, so what are we going to do with it now?”


And this is a third reason, I realize, that more hackers like Daniël should be providing defense: this is the new generation of CISOs. Not only because this type of person really understands technology and can think like an attacker, but also because a hacker thinks carefully about the ethics of new technology and that it should always serve the people and not the other way around.


And with this in mind, we say goodbye and I invite Daniël to come and visit Thales one day to nerd about the cool operational technology we develop there.


About the author
Roel van Rijsewijk is a cyber security consultant and evangelist with over 20 years of experience helping organizations become cyber resilient. He is a keynote speaker and author of ‘Cyberrisico als Kans’ (The Upside of Cyber Risk).