Getting smart about security in smart systems
Smart used to be something we called people or pets. It wasn’t a term one would use to describe one’s hairbrush. That is changing, of course, in an era of accelerating digital transformation. Now we have smart homes, smart cities, smart grids, smart refrigerators and, yes, even smart hairbrushes. What’s not so smart, though, is the way the cybersecurity and cyber-kinetic security risks of these systems are often overlooked, and with new horizon technologies like 5G, these problems are set to grow exponentially.
Cyber-physical systems and the smartification of our world
Cyber-connected objects have become ubiquitous. They are so prevalent that we are already beginning to take their existence for granted, even though this was the stuff of science fiction only a few years ago. We’re all familiar with the ‘sexy’ examples of smart connectivity: cars that park themselves and warn you of other vehicles in close proximity as you drive on the highway; homes that change atmospheric conditions, lighting and music to your preferences as soon as they recognize your voice; apps that let you monitor home and vehicle security from the other side of the world; and refrigerators that let you know when you need to stock up on milk.
However, the real impact stretches far beyond lifestyle accessories. Distribution of essential services like power and water is made more efficient by smartification. Sensors detect imminent failures before they happen and dispatch repair personnel to the location to fix the problem before consumers are inconvenienced. Traffic control systems monitor traffic patterns and adjust traffic light timing to optimize traffic flow. Entire cities are able to operate more smoothly and respond to changing needs in real time.
All of this is facilitated by cyber-physical systems (CPSs) — technologies such as the internet of things (IoT) and industrial control systems (ICS), which are capable of sensing and positively influencing the physical world. In commercial terms, this shows up as factories with ‘intelligent’ machines that optimize maintenance and production cycles, or large-scale farming operations that use connected devices to maintain an optimal balance of soil moisture and nutrients.
It is probably unsurprising that the advanced diagnostic equipment found in hospitals is connected via CPSs. But when cyber-enabled devices are planted in human bodies – that’s when things start to feel more like a scene from an Arthur C. Clarke novel. Cyber-enabled pacemakers, heart monitors, defibrillators and insulin pumps enable doctors to remotely monitor patients’ conditions and make adjustments as necessary. That makes each of those patients part of a smart cyber-physical system!
Cyber-kinetic attacks: The unintended consequence of smart technologies
Despite the amazing benefits they afford, CPSs like the IoT also invite significant cyber-kinetic risk: cyber-connectedness opens the door to cyber-kinetic attacks. Such campaigns use the interfaces of the digital world to make an impact in the physical one, and in this sense, IoT and ICS technologies are very similar. Their networking capabilities make acts of chaos possible in a way that never existed 20 years ago. Cyber-kinetic attacks hijack ICS or IoT devices and use them to control the physical elements of our world in ways that can hurt people or damage the environment.
Consider the consequences of an attack that releases toxic chemicals into a region’s water distribution system. Or one that disables the mechanism preventing lethal pressure build-up on a dam. Or one that manipulates pressure in an oil pipeline causing it to explode.
The attacks described above are real – only the inexperience of the attackers and the quick work of responders prevented catastrophic damage. But there are many more examples.
A 2016 attack on apartment buildings in Finland left residents without heat or water in the middle of Scandinavian winter. A teen in search of entertainment hijacked the city’s tram system and began randomly rerouting trams – a game to him but a potentially fatal event to the dozens that were injured when trams inevitably collided. When a waste management contractor felt he had been unfairly treated in a dismissal by town authorities, he manipulated the sewage system to discharge more than 260,000 liters of raw waste across town for months before he was caught. Environmental damage and risk to public health were widespread.
These attacks show that serious damage can be done at any scale, but reveal only a small slice of the potential. Researchers have demonstrated vulnerabilities that could allow hackers to take partial control of cars, or trigger device failure in medical implants, causing the death of the owner. I have been tracking many key cyber-kinetic attacks, but other researchers track 1,000+ such incidents and claim to be able to link 1,000+ deaths to cyber-failures and vulnerabilities in cyber-physical systems.
As we move towards implementation of 5G technology, these numbers are set to increase. With latency approaching zero, 5G networks promise a new era in connectivity and seamless real-time engagement between IoT devices. For the first time, grids of driverless cars and other autonomous objects will become a reality, opening up a whole new level of possible cybercrime. In this context, the number of vulnerabilities in IoT and ICS devices is deeply concerning, but the lack of protection around them is even more worrisome.
Less-than-smart security practices and the cyber-kinetic risks they cause
Poor protection of cyber-physical systems is sometimes due to laziness or budget constraints, but the most pervasive reason is a poor understanding of the laws of networking. Most people prioritize ease of connection over security, relying on the thinking that hackers are only concerned with high-profile targets like major corporations and national intelligence services. ‘Why would they target us?’ seems to be the general view. But this perspective is naive and outdated – a dangerous combination when it underpins a decision to install only basic protection. To rely on the statistical improbability of a given IoT device being targeted – ‘security by obscurity’ – is to play Russian roulette.
In a full-scale cyberattack, however, nobody is safe. Ransomware attacks, one of the fastest-growing forms of cyberattacks, seek any system that has vulnerabilities, not just predetermined targets. This makes the common argument of “who would want to target us?” not only irrelevant but irresponsible. Because systems today are so networked, any system with vulnerabilities accelerates the spread of the attack by opening its connections up to risk as well. Proper defenses protect you and those you are connected to.
The unique security challenges of IoT
Cyberattacks today are different from those conceived before the IoT. Traditionally, hackers are thought to break into a system to extract information, but someone attacking IoT devices generally wants to manipulate what they do. That means cybersecurity of IoT and IIoT has to expand beyond the protection of data to the protection of all the physical repercussions that could be triggered by a cyber incursion. This is a complex task that requires the consideration of multiple attack vectors. In response, IoT security needs to be interdisciplinary and connect traditional engineering domains, wireless communications, systems engineering and cybersecurity.
IoT also demands new security testing processes. Penetration testing, designed to find system failure points, is useless with systems controlling critical physical processes that cannot afford interruption. Thus, security protocols and testing processes must be rethought and redesigned to meet the new reality and related cyber-kinetic risks.
Recognizing growing threats
Traditional social and economic systems are breaking apart, breeding more and more disaffected youths who are primed to learn hacking skills on the dark web. Terrorist organizations are increasingly moving to cyberspace to engage their enemies. Social justice warriors are relying on cyberskills to level the playing fields against major corporations and government institutions. Organized cybercrime groups are shifting their attention to IoT (and CPSs in general) for ransomware campaigns. In short, the number of hackers is growing and, though nations are building armies of trained cyber warfare specialists, they are largely on the back foot. In a world in which billions of devices are connected to the IoT and cyber-kinetic risks are growing, how does one cover every eventuality?
When my research team assesses critical infrastructure systems in various countries for vulnerabilities, we rarely find one that hasn’t already been breached. We almost always remove some form of malware or backdoor that would let the hackers who placed them there return whenever they want to trigger them. This is always a sobering experience.
While the ‘we won’t be attacked because we don’t think we’ll be attacked’ approach has worked for many vulnerable CPSs so far, it is a dead-end strategy. Ensuring that IoT is properly secured is critical.
Where do we go from here?
Regression to a cyberless world is unthinkable, but so is a world where everyone is connected but no one is safe. Cyber-kinetic attacks are a reality and their numbers are growing, as are the complexities of the systems that require protection. If this world is to be a genuinely ‘smart’ one we must get serious about securing IoT technologies – from the start of the IoT development, not as an afterthought.
Security professionals must address the new cyber-kinetic risks that IoT creates. Traditional security protocols and testing processes must be rethought and revised to catch up to current and emergent technologies like 5G. Only by securing the growing world of IoT can our smart technologies truly be as smart as they need to be.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.