Over the past decade, we’ve seen a proliferation of smart devices that possess the capabilities of information processing and network connectivity. The defining characteristic of the Internet of Things (IoT) is that devices, previously restricted to their physical environment, are now connected to a computer network. This network could be a home network, an industrial intranet or even the whole internet. This means that a device, or a gateway that connects a device to the network, is accessible by someone who presents the right credentials, or bypasses the credentials altogether.
As computation and connectivity have become commoditized, they have spawned a plethora of solutions that automate, improve and simplify key tasks in industrial control — from gathering sensor readings on the performance targets of a conveyor-based motor car production line, to verifying the freshness of a food shipment in a smart supply chain, to programming a CNC machine to precisely cut a block of metal into the right shape. They have also, unfortunately, exposed a rich attack surface that can be exploited by malicious hackers.
Consider, for example, the infamous Stuxnet worm that was used to attack Iranian nuclear installations. A malicious program was inserted into the unit that controlled the operation of the centrifuges in the nuclear reactor. This program caused infrequent changes in the speed at which the centrifuges rotate, which, over a period of time, would cause the centrifuges to deteriorate and fail. What made Stuxnet extremely hard to detect was that the telemetry from the centrifuges was spoofed, i.e., whenever the controller was asked to report the speed of the centrifuges, it would still report benign, expected values rather than the altered velocities induced by the worm.
Designed-in security is a worthy objective, but hard to achieve
It is often claimed that the way to address this new set of cyber-physical security challenges is to construct systems that are “secure by design.” This requires a system designer to develop an understanding of an attacker’s incentives and the various ways in which he or she can compromise the operations of the system. In the recent Mirai botnet attacks, for example, the adversaries accessed their targets using commonly used default passwords, which had never been altered by their users. This simple attack infiltrated tens of thousands of devices.
The goal of designed-in security is to incorporate measures and protocols that will prevent as many known attack scenarios as possible. A bigger challenge for the security engineer is figuring out how to deal with attack methods that are hitherto unknown, and to design the system in such a way that it can mitigate the negative consequences of such novel attacks. This is a precarious undertaking, and for many IoT systems, this type of designed-in security may be hard to achieve. That’s because many systems — think of the smart power grid, portions of which may have been in operation for decades — contain legacy equipment with old processes and protocols that must be brought up to date with current security best practices, a task easier said than done.
It’s not just legacy devices that are hard to secure
Some industrial and enterprise applications require a new class of lightweight, low- power, cheap sensors that are deployed in swarms of hundreds or thousands. These devices may power up intermittently or be passive and draw power from other devices in their vicinity. They might engage in opportunistic communication with listening devices in their neighborhood but could remain silent most of the time. The secure communication and storage mechanisms that are typically deployed in cybersecurity solutions are far too complex to be implemented on such lightweight devices. In addition to the conventional protocols for secure communication, secure data storage and key management, we need security approaches that inter-operate across a vast range of device capabilities.
Ersin Uzun, Vice President, Director of System Sciences Laboratory, PARC, a Xerox company