Taking a smarter approach to creating “smart everything”
Making physical objects or systems “smart” is all the rage today. Terms like smart houses, smart cars, smart cities, smart grids, smart refrigerators and even smart hairbrushes pop up everywhere. But there’s something not smart in the way this trend is progressing. Securing smart systems is being often overlooked.
Cyber-physical systems and the smartification of our world
Smartification of our world depends on cyber-physical systems (CSP) — technologies such as the internet of things and industrial control systems (ICS), whose primary purpose is to sense and actuate the physical world.
The benefit of this is enormous. Think of all the cyber-connected objects in your life: recent model year cars have cyber-enabled safety features that help prevent accidents. Home management devices let you turn lights on or off in your home, adjust heating or air conditioning and much more simply by giving a voice command. Apps let you adjust functions of your home or car from miles away. Some can even alert you that someone has rung your doorbell — even if you are half a world away — and can show you who that person is.
CPSes also make distribution of essential services, such as power and water, more efficient. Sensors embedded in distribution systems detect imminent failures before they happen and dispatch repair personnel to the location to fix the problem before consumers are inconvenienced. Traffic control systems monitor traffic patterns and adjust traffic light timing to optimize traffic flow. Many other city services are cyber-connected, too, to maximize efficiency. These, too, are run by IoT or ICS.
Sensors in factory equipment monitor and take action to enhance productivity. Sensors even enhance how our food is grown; sensor-connected systems in the dirt of many large agricultural operations administer proper balance of water and nutrients in the soil.
These technologies play a role in healthcare, too. No one who has seen the high-tech equipment used to diagnose and treat patients in a hospital would be surprised to hear how much of it is cyber-enabled. Perhaps more surprising, though, is how frequently cyber-enabled devices are being implanted in people’s bodies. Cyber-enabled pacemakers, heart monitors, defibrillators and insulin pumps enable doctors to remotely monitor patients’ conditions and make adjustments as necessary. That makes each patient part of a smart cyber-physical system!
Cyber-kinetic attacks: The unintended consequence of smart technologies
There’s no debate that IoT provides many benefits. Yet, a downside exists to cyber-connectedness: the growing threat of cyber-kinetic attacks. Even though IoT and ICS technologies are very different in their implementation, from a security perspective they share many similarities. The physical layer common for both allows for attacks in which manipulation of physical processes is the target. Cyber-kinetic attacks hijack ICSes or IoT devices and use them to control physical elements of our world in ways that can hurt people or damage the environment. We better learn from ICS mistakes as we keep rapidly putting more and more of our physical processes under the control of IoT and keep opening ourselves up to increasingly devastating cyberattacks.
Consider the consequences of an attack that releases toxic chemicals into a region’s water distribution system or that disables the mechanism that prevents unsafe pressure buildup on a dam or that manipulates pressure in an oil pipeline so it explodes.
The attacks described above are real. Only the inexperience of the attackers and the quick work of responders prevented catastrophic damage.
Even in small-scale systems, the results of someone compromising the system are serious. A November 2016 attack on apartment buildings in Finland left residents without heat or water for days before technicians could undo the damage.
A bored teen took control of his city’s tram system and rerouted trains recklessly for his entertainment. His “game” of rerouting trains eventually caused a collision — with a dozen people injured.
A disgruntled former waste management contractor took revenge on the town that terminated him by manipulating the system to discharge more than 264,000 liters of raw sewage across town for months before he was caught. Environmental damage was massive, not to mention the nuisance experienced by those who lived near the discharge points.
Those attacks are only the tip of the iceberg as to what has been accomplished by attackers or demonstrated by researchers to be possible. Some researchers have demonstrated vulnerabilities that can allow a hacker to take partial control of cars that contain cyber-connected functions. Other researchers have demonstrated vulnerabilities in implanted medical devices that could allow an attacker to remotely kill the person in whom it is implanted. The list of vulnerabilities is endless. I have been tracking many key cyber-kinetic attacks and incidents. Other researchers track 1,000+ such incidents and attacks and claim to be able to link 1,000+ deaths to date to cyber-failures and vulnerabilities in cyber-physical systems.
Not-so-smart security practices and the vulnerabilities they cause
How did we reach this point where so many cyber-physical systems are poorly protected? It starts with benefits that people see in cyber-connecting our physical world.
In the rush to connect, security is placed in the realm of wishful thinking. This thinking goes, “Hackers are interested only in high-profile targets, like the Pentagon or government or major banks. With so many more attractive targets, why would they target us?” This rationalization leads to — at best — installing only basic security and trusting that their best defense is the obscurity of their system.
“Security by obscurity” is illusory, though. Ransomware attacks, one of the fastest-growing forms of cyberattacks, seek any system that has vulnerabilities rather than seeking predetermined targets. This makes the common argument of “who would want to target us?” not only irrelevant, but irresponsible. Vulnerabilities put any system that has them at risk.
The unique security challenges of IoT
Unfortunately, the nature and purpose of IoT complicates security further. Someone hacking a traditional information system generally wants to extract information. Someone attacking IoT devices generally wants to manipulate what they do. That expands the scope of attack vectors from protecting just data to protecting the myriad elements that an attacker could use to alter the underlying physical process. New approaches to IoT security need to be interdisciplinary and connect traditional engineering domains, wireless communications, systems engineering and cybersecurity.
In addition, not all traditional security testing processes can be used to test IoT devices. Penetration testing is designed to find system failure points. But with systems controlling critical physical processes that cannot afford interruption, such processes are worthless. Thus, security protocols and testing processes must be rethought and redesigned to meet the new reality.
Recognizing growing threats
The common approach of relying on the statistical improbability of a given IoT device being targeted is the same logic behind Russian roulette. And to make this approach even worse, the number of hackers is growing.
Nations are increasingly building armies of trained cyberwarfare specialists. Organized cybercrime groups are shifting their attention to IoT (and CPSes in general) for ransomware and other imaginative nefarious purposes. Terrorist organizations increasingly turn to cyberspace for targets that can disrupt the states they target. And many disaffected youths learn advanced hacking skills on the dark web.
Consider this sobering fact: When my research team assesses critical infrastructure systems in various countries for vulnerabilities, we rarely find one that hasn’t already been breached. We almost always remove some form of malware or backdoor that would let the hackers who placed them there return whenever they want to trigger them.
While the Russian roulette approach has worked for many vulnerable CPSes so far, the number of cylinders in the revolver is increasingly being filled with potential devastation. Ensuring that IoT is properly secured is essential.
Where do we go from here?
No one would suggest we go back to when our physical world and the cyberworld were separate entities. The benefits of connecting them are too great.
Cyber-kinetic attacks are real, though, and their numbers are growing. Wishful thinking is not a defense. Additionally, IoT technologies present new challenges that do not exist in traditional information systems.
To keep our increasingly smartified world safe, we must get serious about securing IoT technologies. Security must be addressed from the start of the IoT development — not left to chance, not patched on as an afterthought.
And security professionals must address the new challenges that IoT creates. Traditional security protocols and testing processes must be rethought and revised to catch up to current technologies. Only by securing the growing world of IoT can our smart technologies truly be as smart as they need to be.
Originally published on IoT Agenda on 14 December 2017