IoT Security: Discerning What’s Alarmist and Truly Alarming
Increased operational intelligence and productivity. Improved safety and asset management. Expanded automation. The Internet of Things has promised all of the above, but that potential also brings opportunities for abuse. Cyber-adversaries who breached, for instance, a smart factory could find a treasure trove of information for industrial espionage, while malware recently discovered in the Middle East underscores the potential of industrial IoT attacks to cause physical destruction and create risk to workers within industrial facilities. The discovery of that malware, known as “Trisis” or “Triton,” was, however, not the first event driving home that risk. In 2007, researchers at the Idaho National Laboratory showed that a cyberattack targeting an industrial turbine could ultimately cause it to self-destruct. The famous 2010 malware “Stuxnet” showed the feasibility of such an attack in the real world — at a nuclear enrichment facility in Iran. Similarly, a 2014 report from a German government body stated that a steel mill in that country was hit with an advanced persistent threat attack that began with spear-phishing and a sophisticated social engineering ploy. The IoT security breach resulted in massive damage after the adversaries gained control over an oven at the steel mill. And then there was the 2015 Black Energy attack that shut down a portion of Ukraine’s power grid.
While warnings of the potential ills of industrial IoT attacks can, at times, sound alarmist, there is a growing amount of evidence that even theoretical-sounding attacks are not as fanciful as they seem.
While IoT security exploits such as the Mirai botnet and the time cyber researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee in transit have garnered considerable attention, it can be difficult to develop a comprehensive sense of just how large the attack surface of the Internet of Things is. Consider, for instance, cyberattacks on satellites. In 2017, a GPS spoofing episode in the Black Sea caused some 20 ships there to display as being located over land — some 25 miles away from their actual position.
It’s an understatement that much of the world depends on GPS, a technology susceptible to Y2K-like rollover events.
Many satellites are vulnerable to cyberattacks and software bugs, said William Malik, vice president, infrastructure strategies at Trend Micro in a session at RSA earlier this year. “The U.S. government spends money looking at vulnerabilities, they had a big task force that did a survey of satellite vulnerabilities in 2002,” Malik said. That survey had a list of unintentional problems that could hit satellites such as a natural disaster at the transmission site or a power outage. “And then they had another list of intentional things that could happen to satellites like jamming the signal, taking over the command and control so the satellite moves to a place where you don’t want it to be,” Malik said. “But out of that list, they completely left out any kind of design problems or software vulnerabilities.”
The fact that satellites have Y2K-type problems echoes a similar mentality across the industrial controls system landscape, where the engineers developing industrial protocols and software apparently followed the inverse of Murphy’s Law, assuming: “Everything that can work, will work.” One example of this principle in action can be found in Modbus, the serial communications protocol widely used for industrial electronic devices, which offers no cybersecurity features.
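To make the Modbus point concrete, here is an added example (not code from the article or from any Modbus project) that parses Modbus/TCP frames and applies the only control a monitor can apply when the protocol itself carries no identity, authentication or integrity fields: flag write function codes that do not come from an assumed allow-list of engineering hosts. The frames, the host addresses and the allow-list are constructed for the example; the MBAP header layout and function codes are the public protocol definitions.

```python
import struct

# Public Modbus application-protocol function codes (lookup tables built for this example).
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The PDU is the function code (1) plus function-specific data. Nothing in
    either part identifies or authenticates the sender, and nothing protects
    integrity: the protocol trusts whoever can reach the TCP port.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # 'length' counts the unit id, function code and data that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame")
    return {"transaction": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def describe_write(function: int, data: bytes) -> str:
    """Decode the two simplest write PDUs so an analyst sees what would change."""
    if function in (5, 6) and len(data) == 4:
        address, value = struct.unpack(">HH", data)
        return f"{WRITE_FUNCTIONS[function]} addr=0x{address:04x} value=0x{value:04x}"
    if function in WRITE_FUNCTIONS:
        return WRITE_FUNCTIONS[function]
    return ""


def classify(frame: bytes, src_ip: str, allowed_writers: set) -> dict:
    """Policy check a passive monitor could apply: writes are only expected
    from known engineering hosts. Because Modbus cannot tell an HMI from an
    intruder, the network source is the only thing available to key on.
    """
    pdu = parse_modbus_tcp(frame)
    fc = pdu["function"]
    if fc in WRITE_FUNCTIONS:
        kind = "write"
    elif fc in READ_FUNCTIONS:
        kind = "read"
    else:
        kind = "other"
    alert = kind == "write" and src_ip not in allowed_writers
    return {
        "unit": pdu["unit"],
        "function": fc,
        "kind": kind,
        "detail": describe_write(fc, pdu["data"]),
        "alert": alert,
    }


# Constructed sample frames (not captured traffic).
READ_FRAME = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")   # read 10 holding registers from 0
WRITE_FRAME = bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "1234")  # write 0x1234 to register 0x0010

ENGINEERING_HOSTS = {"10.0.0.5"}  # assumed allow-list of hosts permitted to write

if __name__ == "__main__":
    for ip, frame in (("10.0.0.5", WRITE_FRAME), ("10.0.0.99", WRITE_FRAME), ("10.0.0.99", READ_FRAME)):
        print(ip, classify(frame, ip, ENGINEERING_HOSTS))
```

The allow-list is a compensating control, not a fix: a source address can be spoofed or a permitted host compromised, which is why segmentation and a protocol-aware monitor matter where the protocol itself offers nothing.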
Similarly, the developers of satellites have a “blind spot” for software vulnerabilities, Malik said. “Much of [the communication] between the Earth and satellites is not encrypted.” The fact that satellites still have Y2K-type problems is another glaring example of a lax approach to cybersecurity in satellites. “There’s a 10-bit counter that keeps track of how many weeks there are since the beginning of time, which, if you’re a PC, is January 1, 1980,” he explained. That 10-bit counter enables a computer to count up to 1,023 weeks, which amounts to a few months shy of 20 years. “The counter rolled over in the fall of 1999, and it wasn’t a big deal, because there weren’t a lot of satellites then that used this mechanism,” Malik said. “But since then, we’ve deployed a whole bunch of GPS satellites, which use this date to figure out where they really are.” It rolled over again on April 6. While the event didn’t cause pandemonium, it did cause New York City’s NYCWiN internal wireless network, dedicated to what the city terms “public safety and other essential City operations,” to go offline for 10 days. The network could have averted the crash via a software upgrade.
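The arithmetic behind the rollover is short enough to work through. The following is an added example, not code from the article or from any GPS receiver, that models the 10-bit week counter described above, computes where the 1024-week period boundaries fall, shows how a receiver that ignores the rollover mis-dates itself, and shows the commonly used mitigation of a pivot date (typically the firmware build date) that must itself be refreshed by a software update. It uses the actual GPS epoch of Sunday 6 January 1980 (the quote above rounds that to 1 January); with it the period boundaries land on 22 August 1999 and 7 April 2019 in UTC, which is the evening of April 6 in US time zones. The pivot dates are constructed for illustration.

```python
from datetime import date, timedelta

# GPS epoch is Sunday 6 January 1980 (the quote above rounds it to 1 January).
GPS_EPOCH = date(1980, 1, 6)
WEEK_BITS = 10
WEEKS_PER_PERIOD = 1 << WEEK_BITS  # 1024 weeks, a few months short of 20 years


def full_week_number(d: date) -> int:
    """Weeks elapsed since the GPS epoch, with no bit limit."""
    return (d - GPS_EPOCH).days // 7


def broadcast_week(d: date) -> int:
    """What the 10-bit field actually carries: the full count modulo 1024."""
    return full_week_number(d) % WEEKS_PER_PERIOD


def rollover_dates(periods: int) -> list:
    """First day (UTC) of each new 1024-week period, i.e. the days the field reads 0 again."""
    return [GPS_EPOCH + timedelta(weeks=WEEKS_PER_PERIOD * k) for k in range(1, periods + 1)]


def naive_decode(week10: int) -> date:
    """A receiver that ignores the rollover: treats week10 as if it were in the first period."""
    return GPS_EPOCH + timedelta(weeks=week10)


def pivot_decode(week10: int, pivot: date) -> date:
    """Pivot-date mitigation: assume the true date is not earlier than `pivot`
    (for instance the firmware build date) and pick the first week on or after
    it whose low 10 bits match. This is only valid for 1024 weeks after the
    pivot, so the pivot has to be refreshed by a software update before then;
    a stale pivot reproduces exactly the failure it was meant to prevent.
    """
    pivot_week = full_week_number(pivot)
    period_start = pivot_week - (pivot_week % WEEKS_PER_PERIOD)
    candidate = period_start + week10
    if candidate < pivot_week:
        candidate += WEEKS_PER_PERIOD
    return GPS_EPOCH + timedelta(weeks=candidate)  # Sunday starting the decoded week


if __name__ == "__main__":
    print("rollovers:", rollover_dates(2))
    after = date(2019, 4, 8)  # constructed: the day after the 2019 rollover
    w = broadcast_week(after)
    print("field value on", after, "=", w)
    print("naive receiver thinks it is", naive_decode(w))
    print("pivot 1990-01-01 (stale) decodes to", pivot_decode(w, date(1990, 1, 1)))
    print("pivot 2009-01-01 (current) decodes to", pivot_decode(w, date(2009, 1, 1)))
```

The stale-pivot case is the one that matters operationally: a device whose assumed "not earlier than" date was never updated will quietly jump back a full period the moment the counter wraps, which is the kind of failure a scheduled software upgrade avoids.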
It’s not just software bugs on their own, however, that are causing satellite-related problems. Volume 24 of Symantec’s “Internet Security Threat Report,” released in February, describes a cyber espionage group known as “Thrip” that targets satellites as well as telco and defense companies. The group compromised a satellite communications operator, according to Symantec, while also “infect[ing] computers running software that monitors and controls satellites.”
The growing attack surface the Internet of Things creates gives computers a growing ability “to affect the world,” as cyber-guru Bruce Schneier wrote in his 2018 book “Click Here to Kill Everybody.” While the title of Schneier’s book is tongue-in-cheek, it is becoming steadily more difficult to simply dismiss IoT-enabled cyber-vulnerabilities as remote risks, given the potential of internet-connected medical devices, satellites, critical infrastructure and so forth to be sabotaged by malware. Added to that is the growing number of nation-state-backed cyber armies, which include both hackers directly employed by governments and what amounts to freelance cyber adversaries. China has anywhere from 50,000 to 100,000 people in its so-called “hacker army.” “Russia has in the tens of thousands,” Malik said. North Korea’s Bureau 121 reportedly has 1,800 individuals within it.
Perhaps related to the growing involvement of nation-states in cyber operations is the uptick in targeted attacks that destroy or disrupt business operations. According to Symantec’s research, such attacks were up 25% in 2018 over a year prior.
And while the threat of catastrophic and outlandish cyber-events, which Schneier has long termed “movie-plot threats,” may be remote, the reality that so many such attacks are becoming possible should serve as a reminder for IoT developers and implementers to work to bolster the security of the entire ecosystem. As Schneier noted in his book: “As with fighting terrorism, our goal isn’t to play whack-a-mole and stop a few particularly salient threats, but to design systems from the start that are less likely to be successfully attacked.”