The attacker stepped out from behind a hedge in the upper-class suburban neighborhood, being careful to stay in the shadows. Across the street, the last lights shining through the windows of the house had just flickered out. She tugged the bottom of her black hoodie into place and pulled the hood up over her head, casting her face deeper in shadow.
Her target sat in the driveway at the front of the house, a bright red and completely decked out SUV. Glancing up and down the street to ensure no one was looking, she slipped across the street into the driveway, ducking down between the the side of the SUV and the landscaping. She pulled a small device out of her pocket and mashed the button down for a few seconds, smiling as she heard the answering thunk of the car doors unlocking.
“Hooray for technology.”
Quickly opening the driver’s door, she reached up under the steering wheel with a gloved hand and inserted a small device into the vehicle’s diagnostic port. She quickly ducked back out of the vehicle, shutting the door and locking it behind her again. She vanished swiftly into the night.
The next morning, a federal judge sat waiting in the traffic backed up on the highway entry ramp. He was on the way to begin the first day of what was to be a landmark case in combating drug and gang violence. As he accelerated on to the highway, he passed a car sitting off on the shoulder, the directional antenna pointing out its window completely escaping his notice.
As he got up to speed, the accelerator suddenly slammed to the floor. He desperately jammed his foot on the brakes, to no effect. As he began to panic in earnest, the steering wheel turned sharply, aiming the vehicle toward the oncoming lanes of traffic…
While this situation is somewhat fictionalized, the technology and the attacks it portrays are anything but. This is the world of Cyber-Kinetic Attacks and Cyber-Physical Systems (CPS).
Defining cyber-physical systems
One of the best definitions of the term cyber-physical systems was coined in 2006 by Dr. Helen Gill of the National Science Foundation. Dr. Gill defines CPS as “physical, biological, and engineered systems whose operations are integrated, monitored, and/or controlled by a computational core. Components are networked at every scale. Computing is deeply embedded into every physical component, possibly even into materials. The computational core is an embedded system, usually demands real-time response, and is most often distributed”. This particular definition, while very broad, would not seem to easily relate to Industrial Control Systems (ICS), these being an overarching term for the systems we would normally find in control of power generation and distribution, water mains, air handling systems, building control systems, smart factories, and the like.
We might, perhaps, define cyber-physical systems as any systems in which embedded computers and networks monitor and control physical processes, with feedback loops where physical processes affect computation and vice versa. Or, even more crucially and more relevant to the focus of the Cyber-Physical Systems Security Institute (CPSSI) we could define it as:
Cyber-Physical Systems are any physical or biological systems with an embedded computational core in which a cyber attack could adversely affect physical space, potentially impacting well-being, lives or the environment
By this definition, we would include a wide variety of other existing systems such as ICS, SCADA, IoT devices, drones, smart grid, self piloting transportation (automobiles, aircraft, etc…), computer controlled artificial organs and connected medical implants, wearable technology, and numerous other similar technologies.
While debating the definition of CPS, we might also ask why, given the numerous different technologies mentioned, why it would make sense to house such a collection under the single umbrella of CPS. In this case, the question is its own answer. While this broad scope of devices and networks does indeed have a variety of differences, largely in the way each is assembled from a technology standpoint, it also has a large number of similarities. Grouping them all together under a single term enables us to discuss their shared aspects, while allowing for the differences in implementation, we ease the task of approaching them from technology and security perspectives.
Threats against cyber-physical systems
Cyber-physical systems present a tempting target for a variety of attackers. While manipulating ones and zeros in order to illicitly move money, blackmail individuals or corporations, or disrupt operations could be an effective means of accomplishing a certain set of goals, reaching out into the physical world to effect change is a different situation entirely. The actors with the desire and means to go down this path are many, including nation states, extortionists, terrorists, hackers, and criminals, just to name a few.
Nation state attacks, or those loosely attributed to nation states, against cyber-physical systems are beginning to become somewhat of a normal state of affairs. The first documented case of a nation state attack against CPS occurred with the Stuxnet malware being used to disrupt uranium enrichment in the Iranian plant at Natanz in 2010. In this case, the malware was ultimately used to interfere with the Programmable Logic Controllers (PLCs) causing the centrifuges at the plant to run at speeds alternatively above and below specifications, resulting in both damage to the equipment and improperly processed output. Stuxnet has since been attributed to a partnership between Israel and the National Security Agency(NSA) of the United States.
Stuxnet set the stage for a variety of subsequent events, including a series of incidents involving malware of a similar nature. The Dragonfly/Crouching Yeti attacks, taking place of an estimated time period ranging from 2011 to 2014, were a more espionage-driven counterpoint to Stuxnet’s sabotage oriented goals. These attacks were brought to bear against targets in the aviation and defense industries in the US and Canada, and various energy industry targets in the US, Spain, France, Italy, Germany, Turkey, and Poland. Similar attacks can be seen in the BlackEnergy malware causing power outages in the Ukraine in 2015.
Lest we think CPS attacks are confined to major industrial targets and carried out by nation states with immense resources, we have only to look to the example of Vitek Boden. Boden, then in the employ of Hunter Wartech, an Australian installer of SCADA controlled sewage valves, had a difficult relationship with both his employer and the city council of Maroochy Shire, where he had installed equipment. As an act of retribution for the perceived slights, Boden remotely took unauthorized control of the valve network, spilling over 800,000 liters of raw sewage into area parks, rivers, and businesses.
Likewise the hacks by security researchers of Tesla and Jeep automotive systems in 2016 and 2015, respectively, pointed out vulnerabilities enabling attackers to alter a variety of systems in increasingly automated vehicles. Such attacks included activating the brakes rather suddenly and disabling the engine while at speed[10,11], either of which could be life threatening when carried out in the middle of busy traffic, or perhaps at a train crossing.
Finally, to bring the potential impact of hacking CPS home, we can look at hacks of medical devices. Much of the focus in this area has been on wireless implantable medical devices but nearly any medical technology being hacked would be cause for great concern. Serious security vulnerabilities have been demonstrated in sending overdoses to drug pumps, changing the level of radiation output by CT scanners, and similar issues in a number of other such devices. In 2007, doctors for then US vice president Dick Cheney had the wireless functionality for his implanted defibrillator disabled due to concerns around terrorists using it to assassinate him.
Thus far, all of the widely reported medical device hacks have taken place at the hands of security researchers, however, it seems like only a matter of time before we see such attacks happening in the wild. According to a 2016 report by Forrester, the number one security threat for 2016 is ransomware in medical devices.
Securing cyber-physical systems
“In contrast to cyber security, the goal of cyber-physical security is to protect the whole cyber-physical system”. Planning security for CPS need to take into account aspects of both information security and physical security, accounting for the weaknesses of both.
Threat, Vulnerability, and risk (TVR) assessments of Cyber-Physical Systems differ from those conducted against enterprise information systems in many ways, key being that we need to focus on the potential impact to the lives and well-being of those using the systems, as well as potential impact to the environments in which they are used. Understanding factors such as the full extent of the risk, potential risk exposures, and dependencies between the systems is crucial to planning technology deployments, deciding on cyber security investment, and so on.
Penetration testing and vulnerability assessment also need to be approached differently because of the potential to reach out from cyber systems into the physical space. Penetration testing, if performed in the same way as is currently being done for business information systems, could pose significant risk to CPS. At a minimum it might cause network performance issues. Worse, it could render some CPS components inoperable, alter data sent from sensors, or even provide an avenue for unintended or unauthorized changes to physical systems. Clearly the risks of all these are even larger when human safety or well-being could be impacted.
Although this risk to physical space could be minimized by using experienced penetration testers, carefully setting rules of engagement, and testing in a methodical fashion, they can never be fully eliminated. We could also help mitigate risk by executing penetration testing only on the cyber portions of systems, however, focusing only the cyber or the physical portions of the systems in isolation during such assessments, will lead us to miss the issues occurring at the interface of the two areas. When we test, we need to ensure our testing environments represent both sides of the equation and we have to develop new and innovative way to assess the security such as developing comprehensive testbeds.
Physical security is also a concern. We regularly consider physical security of our information systems (data centers, etc). However, in the context of CPS the industry very often misses the fact that the remote control system, or an IoT device could potentially also act as an entry point for breaching the business side of the network. Physical systems have traditionally not been secured well, but such ancillary access points have begun to see a higher level of scrutiny after incidents such as those that led to the Target breach in 2013.
In addition to TVR assessments, other portions of our security programs need to be tailored when dealing with cyber-physical systems. Security monitoring, incident readiness and response, forensics, and a host of others all have specific challenges we need to address.
Even our traditional models for discussing security need to be updated in order to adequately cover CPS. When we examine information security issues, we typically turn to the old standby of the CIA triad; Confidentiality, Integrity, and Availability. We can indeed compare CPS against these concepts, and we will likely find our primary concerns largely lie in the areas of integrity and availability. If we are not able to maintain integrity in the data inputs and outputs of our systems, particularly in the case where we are interacting with or controlling physical objects, this is very clearly problematic. Likewise, if our systems are not available, this is a large issue. Confidentiality may play a role as well, given some of the information housed in, or used by, the system may be harmful outside of its intended use, but typically confidentiality is much less of a concern for CPS. Let’s look at some examples:
CIA concept is useful and sufficiently comprehensive for business information systems, but may not leave us with a complete picture for CPS. In order to enhance the model of the CIA triad, we can look to the Parkerian Hexad. This builds on the traditional CIA, by adding Possession or Control, Authenticity, and Utility. Possession or control refers to either physical loss of, or loss of control of the item in question. Authenticity refers to the truth regarding claims of origin of the item. Utility refers to the usefulness of the item. Taking all of these factors into account, we can revisit the vehicle attack example from the beginning of this article.
- Confidentiality – We briefly touch on confidentiality in this situation. In theory, the inner workings of such a device should be held confidential. In this case, they were not.
- Possession or control – The operator of the vehicle was definitely no longer in control of it.
- Integrity – The configuration information of the vehicle and its internal signaling between systems had lost integrity.
- Authenticity – The origin of the signals being sent to the various vehicle systems were not authentic.
- Availability – The vehicle was not available for the operator to use as intended.
- Utility – The vehicle was no longer useful for its intended purpose as it cannot be safely driven.
Examples of special security considerations for cyber-physical systems can be found nearly anywhere we look. Even so simple a security concept as regular patching has exceptions in the CPS world. Where critical physical systems are being controlled, patching can become much more difficult or even impossible. If our CPS is controlling an artificial organ or the systems of a submarine a thousand feet under the ocean, the idea of patching it while in use becomes almost ludicrous. At the very least, we would require long term planning and extensive testing, or perhaps we would even consider just replacing the system entirely. Additionally, we may need to conduct this effort over multiple generations of legacy systems, as CPS are often intended to have long lifetimes.
(To learn how blockchain could help secure CPS, check my other article: Cybersecurity of blockchain and blockchain for cybersecurity.)
In order to plan for the security of cyber-physical systems and the safety of those who will be using them or working around them, we must recognize that cyber-physical systems are inherently different from systems operating purely in the cyber or physical realms. We need to model security for them in a more broad manner, test them more carefully and thoroughly in order to uncover the various ways in which an attacker might misuse or abuse them, and recognize where some of our traditional security practices or controls may be rendered less effective or may not work at all. The interfaces between the cyber and physical realms will only continue to increase, and it is vital we secure these systems properly in order to protect lives, well-being and the environment.
1. This Time, Miller & Valasek Hack The Jeep At Speed. In: Dark Reading [Internet]. [cited 29 Sep 2016]. Available: http://www.darkreading.com/vulnerabilities—threats/this-time-miller-and-valasek-hack-the-jeep-at-speed/d/d-id/1326468
2. Greenberg A. Watch This Wireless Hack Pop a Car’s Locks in Minutes. In: WIRED [Internet]. 4 Aug 2014 [cited 29 Sep 2016]. Available: https://www.wired.com/2014/08/wireless-car-hack/
3. Lee E. The Past, Present and Future of Cyber-Physical Systems: A Focus on Models. Sensors . Multidisciplinary Digital Publishing Institute; 2015;15: 4837–4869. doi:10.3390/s150304837
4. Edward A. Lee and Sanjit A. Seshia. Lee and Seshia, Introduction to Embedded Systems, Second Edition [Internet]. 2015. Available: http://leeseshia.org/index.html
5. Avag R. Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? | Institute for Science and International Security. 2010; Available: http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant
6. Anderson N. Confirmed: US and Israel created Stuxnet, lost control of it. In: Ars Technica [Internet]. 1 Jun 2012 [cited 26 Sep 2016]. Available: http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/
7. Emerging Threat: Dragonfly / Energetic Bear – APT Group [Internet]. [cited 26 Sep 2016]. Available: http://www.symantec.com/connect/blogs/emerging-threat-dragonfly-energetic-bear-apt-group
8. Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) | ICS-CERT [Internet]. [cited 26 Sep 2016]. Available: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
9. Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia.
10. Tesla releases more details on the Chinese hack and the subsequent fix. In: Electrek [Internet]. 27 Sep 2016 [cited 27 Sep 2016]. Available: https://electrek.co/2016/09/27/tesla-releases-more-details-on-the-chinese-hack-and-the-subsequent-fix/
11. Greenberg A. Hackers Remotely Kill a Jeep on the Highway—With Me in It. In: WIRED [Internet]. 21 Jul 2015 [cited 27 Sep 2016]. Available: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
12. Zetter K. Hacker Can Send Fatal Dose to Hospital Drug Pumps. In: WIRED [Internet]. 8 Jun 2015 [cited 27 Sep 2016]. Available: https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
13. Zetter K. It’s Insanely Easy to Hack Hospital Equipment. In: WIRED [Internet]. 25 Apr 2014 [cited 27 Sep 2016]. Available: https://www.wired.com/2014/04/hospital-equipment-vulnerable/
14. Dick Cheney’s heart [Internet]. [cited 27 Sep 2016]. Available: http://www.cbsnews.com/news/dick-cheneys-heart/
15. Predictions 2016: Cybersecurity Swings To Prevention [Internet]. [cited 27 Sep 2016]. Available: https://www.forrester.com/report/Predictions+2016+Cybersecurity+Swings+To+Prevention/-/E-RES117390
16. Cyber-Physical Security: A Whole New Ballgame – IEEE Smart Grid [Internet]. [cited 28 Sep 2016]. Available: http://smartgrid.ieee.org/newsletters/november-2012/197-cyber-physical-security-a-whole-new-ballgame
17. Target Hackers Broke in Via HVAC Company — Krebs on Security [Internet]. [cited 29 Sep 2016]. Available: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
18. Parker DB. Fighting Computer Crime [Internet]. Scribner Book Company; 1983. Available: http://books.google.com/books/about/Fighting_Computer_Crime.html?hl=&id=BVxsAAAAIAAJ
19. J&J warns diabetic patients: Insulin pump vulnerable to hacking. [cited 4 Oct 2016]. Available: http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L
Cyber-Physical Systems Security Institute (CPSSI) is a non-profit independent research and educational organization focused on practical and theoretical solutions to the cybersecurity challenges facing Cyber-Physical Systems (CPS).
Marin Ivezic is a Cybersecurity Partner in PwC and the Chairman of the Cyber-Physical Systems Security Institute. For over 25 years Marin has been focused on the security of critical infrastructure and financial services – sectors with the highest cyber risk exposure. He held various roles in law enforcement, industry and consulting including cybersecurity leadership roles in organizations such as IBM, Accenture and Cyber Agency. He is a sought-after speaker and a regular contributor on the topic of security of Cyber-Physical Systems security.
Dr. Jason Andress (ISSAP, CISSP, GPEN, CISM) is a seasoned security professional with a depth of experience in both the academic and business worlds. In his present and previous roles, he has provided information security expertise to a variety of companies operating globally. He has taught undergraduate and graduate security courses since 2005 and conducts research in the area of data protection. He has written several books and publications covering topics including data security, network security, penetration testing, and digital forensics. Jason is a co-author of Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Syngress, ISBN-9781597496384)
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.