In 1999 a technology manager called Kevin Ashton coined the phrase “The Internet of Things”. It was meant to convey the fact that not everything connected to the Internet generates data via humans tapping on keyboards. Today, these “things” include elements of our critical national infrastructure via what are called SCADA (Supervisory Control And Data Acquisition) systems or ICS (Industrial Control Systems). Unfortunately, these systems can be just as vulnerable to attack as our laptops.
Security through obscurity has helped to protect these systems until recently, as they are not obvious to regular Internet users. However, there is no longer anywhere to hide. Many know that search engines such as Google, if queried using “advanced operators”, can reveal exposed equipment. This became even simpler with search engines such as Shodan, which are designed specifically to help locate exposed webcams, routers, etc. but which can just as easily reveal SCADA systems.
Lack of direct connection to the Internet is no guarantee of security either. More often than not, unprotected control systems can be reached indirectly using the “swivel chair interface” where a human can be convinced to transfer something from the Internet to automated systems, or vice versa.
In 2010 we saw how even the most secure “air gap” can be breached when the Iranian nuclear reprocessing plant at Natanz was infected with the Stuxnet virus. This appears to have been achieved when an operator plugged an infected USB stick into an isolated PC that was used to communicate with the embedded computers that controlled and reported upon the centrifuges producing enriched uranium. The Stuxnet virus simultaneously caused the centrifuges to malfunction whilst reporting to the operators that all was well. Leave a USB stick lying around with what looks like a free game, and you’d be surprised how many users will plug it into the nearest computer.
Since this incident there has been a growing realisation that various elements of a critical national infrastructure are similarly vulnerable. They use embedded computer systems similar, if not identical, to those used at Natanz. The initial thought was one of defending the realm against foreign aggressors. After all, it was an obvious way to cripple a country without firing a physical shot. Why launch missiles if you can switch out the lights and turn off the water? It’s cheaper too. So much so that this form of attack has become a great leveller, allowing small nations to potentially punch well above their weight.
For a while there were detractors who said that this type of threat is nonsense, and that it simply could not happen. However, tests (known as Aurora) were already being conducted at research institutes such as the Idaho national laboratories by the time Stuxnet was released. Such tests showed that access to these SCADA systems could not only turn off equipment that we all rely upon but could also cause the equipment to self-destruct.
Hence, embedded computing needs to be kept updated and have protection just as much as the computers with which we are all more familiar. Unfortunately, keeping embedded computers updated can be problematic. Perversely, although they may be vulnerable to remote attacks, updating their software (known as firmware if it cannot be accessed routinely by a remote computer) can require visits to the physical devices. This takes time and effort, and when coupled with a history of complacency about their risk of attack, many systems remain vulnerable for significant periods after a vulnerability is reported.
The combination of dramatic tests such as those in Idaho and the public analysis of Stuxnet brought home the full potential of such attacks if mounted on a nationwide scale. This was reinforced when new viruses related to Stuxnet began to appear on the Internet, along with copies of Stuxnet itself and documents and videos of how to use it. The fact that sons-of-Stuxnet began appearing so quickly showed up a shortcoming in this type of weapon: it is the only weapon that you voluntarily give to the enemy, who can then use it right back at you. Rather like biological warfare, once released you had better have a defence against your own weapon.
Some governments have recognised the danger and are marshalling their cyber forces to understand the threat and, hopefully, prepare for any attack. The UK Government has established the Centre for the Protection of Critical National Infrastructure which specifically addresses cyber threats. This was one result of the UK Government declaring cyber-attacks as a “Tier 1 Threat” to the UK national interest. However, not all countries are as advanced in their thinking. It is made particularly difficult in countries that do not have, for example, a National Grid, and where critical national infrastructure is almost exclusively provided by private businesses with little oversight.
Many of the preparations being made, if they are being made, assume that the threat comes from nation states. But they are not the only actors in this play. What happens when criminals gain the ability to mount such attacks?
Imagine something akin to the current attacks with “ransomware” where your computer is locked and will only be released when you pay a “fine”. What is to stop criminals holding elements of our critical national infrastructure hostage? The unappealing vision of cyber protection rackets starts to emerge. With criminals becoming bolder every day in their Internet escapades, this is something for which we need to be prepared.
Everyone has a part to play: it’s not just government. Whether it’s the smart meter in your home, machines used by your customers and patients, or something for which you are responsible on an industrial scale, we all need to remember that we live in an increasingly interconnected world, sometimes interconnecting “things” we may not even have considered.
To paraphrase John Philpot Curran, technology is giving us an increasingly connected world, but the price is eternal vigilance.
SCADA image (#2) by Ecava, other images in public domain.