The attacker stepped out from behind a hedge in the upper-class suburban neighborhood, being careful to stay in the shadows. Across the street, the last lights shining through the windows of the house had just flickered out. She tugged the bottom of her black hoodie into place and pulled the hood up over her head, casting her face deeper in shadow.
Her target sat in the driveway at the front of the house, a bright red and completely decked out SUV. Glancing up and down the street to ensure no one was looking, she slipped across the street into the driveway, ducking down between the the side of the SUV and the landscaping. She pulled a small device out of her pocket and mashed the button down for a few seconds, smiling as she heard the answering thunk of the car doors unlocking.
“Hooray for technology.”
Quickly opening the driver’s door, she reached up under the steering wheel with a gloved hand and inserted a small device into the vehicle’s diagnostic port. She quickly ducked back out of the vehicle, shutting the door and locking it behind her again. She vanished swiftly into the night.
The next morning, a federal judge sat waiting in the traffic backed up on the highway entry ramp. He was on the way to begin the first day of what was to be a landmark case in combating drug and gang violence. As he accelerated on to the highway, he passed a car sitting off on the shoulder, the directional antenna pointing out its window completely escaping his notice.
As he got up to speed, the accelerator suddenly slammed to the floor. He desperately jammed his foot on the brakes, to no effect. As he began to panic in earnest, the steering wheel turned sharply, aiming the vehicle toward the oncoming lanes of traffic…
Though this tale does not describe an actual event, its ingredients are far from fictional. The technology described is very real, as are the attacks it facilitates. This is the world of cyber-kinetic attacks and cyber-physical systems (CPS), and it is growing more dangerous by the day.
Defining cyber-physical systems
Cyber-physical systems have been by described Dr. Helen Gill of the National Science Foundation as:
physical, biological, and engineered systems whose operations are integrated, monitored, and/or controlled by a computational core. Components are networked at every scale. Computing is deeply embedded into every physical component, possibly even into materials. The computational core is an embedded system, usually demands real-time response, and is most often distributed
Though this is a useful definition, it doesn’t technically incorporate Industrial Control Systems (ICS), those systems we would normally find in control of power generation and distribution, water mains, air handling systems, building control systems, smart factories, and the like.
A more inclusive and relevant definition is provided by the Cyber-Physical Systems Security Institute (CPSSI):
Cyber-Physical Systems are any physical or biological systems with an embedded computational core in which a cyber attack could adversely affect physical space, potentially impacting well-being, lives or the environment
Why is this definition more relevant? Because it focuses specifically on a critical aspect of this technology: security. Lumping different types of systems under the umbrella terms of CPS would be totally academic were it not for the benefits to be gained from addressing the security risks they share. ICS, SCADA, IoT devices, drones, smart grid, self-piloting transportation (automobiles, aircraft, ships etc), computer controlled artificial organs and connected medical implants, wearable technology – these digital systems differ hugely in their design and application, but they have one major trait in common: they can be hijacked to affect widespread damage in the physical world.
Threats of cyber-kinetic attacks against cyber-physical systems
Cyber-physical systems offer attackers a unique opportunity to go beyond the ‘traditional’ hacking of digital systems used to obtain information, steal money, extort money or bring down networks. The nation states, extortionists, terrorists, hackers, and criminals targeting CPS are doing so because they have the ability to reach into and manipulate physical environments.
Nation state attacks against cyber-physical systems are becoming routine. The first documented case of a nation state attack against CPS occurred with the Stuxnet malware being used to disrupt uranium enrichment in the Iranian plant at Natanz in 2010. In this case, the malware was ultimately used to interfere with the Programmable Logic Controllers (PLCs) causing the centrifuges at the plant to run at speeds alternatively above and below specifications, resulting in both damage to the equipment and improperly processed output. Stuxnet has since been attributed to a partnership between Israel and the National Security Agency (NSA) of the United States.
Malware of a similar nature has been used in numerous attacks since. The Dragonfly/Crouching Yeti attacks, estimated to have taken place from 2011 to 2014, were espionage campaigns against targets in the aviation and defense industries in the US and Canada, and various energy industry targets in the US, Spain, France, Italy, Germany, Turkey, and Poland. Similar tactics could be seen in the BlackEnergy malware causing power outages in the Ukraine in 2015.
But acts of aggression against CPS are not confined to major industrial targets or exclusively carried out by nation states with immense resources. For a less glamorous example of cyber-kinetic attacks we need only look as far as Vitek Boden. Boden, then in the employ of Hunter Wartech, an Australian installer of SCADA controlled sewage valves, had a difficult relationship with both his employer and the city council of Maroochy Shire, where he had installed equipment. As an act of retribution for the perceived slights, Boden remotely took unauthorized control of the valve network, spilling over 800,000 liters of raw sewage into area parks, rivers, and businesses.
Closer to home, the connected devices and equipment we use every day have increasingly been shown to be susceptible to cyber–kinetic attacks. Security researchers at Tesla and Jeep automotive systems have pointed out vulnerabilities enabling attackers to alter a variety of systems in increasingly automated vehicles. Such incursions could include activating the brakes rather suddenly or disabling the engine while at speed, either of which could have fatal repercussions.
Finally, to get to the heart of the threat, so to speak, we should consider hacks of medical devices. Pacemakers and other wireless implantable medical devices are clear candidates for CPS strikes. In 2007, doctors for then US vice president Dick Cheney had the wireless functionality for his implanted defibrillator disabled due to concerns around terrorists using it to assassinate him. But nearly any hackable medical technology is cause for great concern. Serious security vulnerabilities have been demonstrated in sending overdoses to drug pumps, changing the level of radiation output by CT scanners, and similar issues in a number of other such devices.
To date, all widely reported medical device hacks have been by security researchers, but it’s a matter of time before we see such attacks happening in the wild. According to a 2016 report by Forrester, the number one security threat for 2016 is ransomware in medical devices.
Concerns for CPS security grow with the imminent introduction of 5G. With a network capable of supporting a million devices per square kilometre at lighting connection speeds with super low latency, sci-fi dreams like fleets of driverless cars finally become a reality. With this infusion of the cyber and the real, the possibilities for innovation and improvement become limitless. Unfortunately, so do the opportunities for security breaches and attacks that could impact the lives of millions.
Securing cyber-physical systems
“In contrast to cyber security, the goal of cyber-physical security is to protect the whole cyber-physical system”.
Planning security for CPS need to take into account aspects of both information security and physical security, accounting for the weaknesses of both.
Threat, Vulnerability, and Risk (TVR) assessments of Cyber-Physical Systems differ from those conducted against enterprise information systems. When examining CPS, the potential impact on the lives and well-being of those using the systems, as well as potential impact to the environments in which they are used, need to be considered. This requires a full understanding of the risk, potential risk exposures, and dependencies between the systems. Without this it is impossible to plan technology deployments and decide on cyber security investment.
The interface between digital and physical realms also make CPS more difficult to test and secure. Penetration testing and vulnerability assessment need to be approached differently. If performed in the same way as is currently being done for business information systems, penetration testing could pose significant risks to CPS. At a minimum it might cause network performance issues. Worse, it could render some CPS components inoperable, alter data sent from sensors, or even provide an avenue for unintended or unauthorized changes to physical systems. Where human safety is involved these risks become unacceptable.
Best practices like using experienced penetration testers, carefully setting rules of engagement, and testing in a methodical fashion, will not eliminate the possible physical dangers from cyber-kinetic attacks. Nor will limiting penetration testing to the cyber portions of systems – the complex integration between cyber and physical that makes these systems so powerful also makes them impossible to separate. Testing environments need to represent both sides of the equation, so we have to develop new and innovative way to assess CPS security, such as developing comprehensive testbeds.
Physical security is a concern in itself. We regularly consider physical security of our information systems (data centers, etc), but in CPS the physical threat potential is far higher. The industry often overlooks the fact that something as generic as a remote control or an IoT device could be use to breach the business side of the network. Physical systems have traditionally not been secured well, but such ancillary access points have begun to see a higher level of scrutiny after incidents such as those that led to the Target breach in 2013.
In addition to TVR assessments, other portions of our security programs need to be tailored when dealing with cyber-physical systems. Security monitoring, incident readiness and response, forensics, and a host of others all have specific challenges we need to address.
Viewing cyber-physical systems through the same lenses typically used to address cyber security is insufficient, and leaves us with an incomplete picture. The standard CIA model (Confidentiality, Integrity, Availability) for assessing information security issues still has relevance but it needs to be augmented. Integrity remains critical – we obviously still need to be in charge of the data transfer points in the system, especially where they connect to the operation of physical objects. System availability also remains important in CPS, but confidentiality is less of a concern than in typical information systems.
A useful addition to the CIA triad in the context of cyber-kinetic attacks could be the Parkerian Hexad, which adds the criteria of Possession or Control, Authenticity, and Utility. Possession or control refers to either physical loss of, or loss of control of the item in question. Authenticity refers to the truth regarding claims of origin of the item. Utility refers to the usefulness of the item.
Taking all of these factors into account, we can revisit the vehicle attack example from the beginning of this article.
- Confidentiality – Not a major part of this case. Theoretically, the inner workings of a device should be confidential, but when one is dealing with the Internet of Things and objects like cars, such information is freely available.
- Possession or control – The operator of the vehicle was clearly no longer in control of it.
- Integrity – The configuration information of the vehicle and its internal signaling between systems had lost integrity.
- Authenticity – The origin of the signals being sent to the various vehicle systems were not authentic.
- Availability – The vehicle was not available for the operator to use as intended.
- Utility – The vehicle was no longer useful for its intended purpose as it cannot be safely driven.
CPS security is complicated by the fact that cyber-physical systems are as varied as they are unique. Even a standard security intervention like regular patching cannot be routinely applied in the CPSverse. Where critical physical systems are being controlled, patching can become much more difficult or even impossible. If our CPS is controlling an artificial organ or the systems of a submarine a thousand feet under the ocean, the idea of patching it while in use becomes almost ludicrous. The alternatives are not much more sensible: long term planning and extensive testing, system replacement, interventions over multiple generations of legacy systems
Winning the race to secure cyber-physical systems against cyber-kinetic attacks requires a realization that CPS’s are unique. They do not operate by the same rules as either strictly cyber or strictly physical systems. Security and testing need to be more imaginative, pre-empting the many novel ways in which an attacker might engage a cyber-physical system. Security professionals also need to be willing to let go of practices or controls that do not work in the CPS space. As we move into an era of hyper-connectivity founded on 5G and facilitated by the IoT, the risks to CPS’s will only increase, as will our responsibility to protect them.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.