The Pending IoT Doomsday

March 25, 2019
Network breaches can substantially impact the physical security of myriad facilities

Ever since the Stuxnet computer virus crippled the Iranian nuclear facility in Natanz, cyber threats to physical systems have been a major concern for anyone involved in homeland and physical security. The fact that a few lines of computer code could create such an impact is disturbing to any security professional. The belief that physical security methods such as walls and barriers, coupled with electronic surveillance means like video monitoring, access control, and professional manpower, are enough to secure even the most sensitive facilities has been shattered. Subsequent attacks with even more disastrous results, like the melting of a steel mill in Germany or the knocking offline of large parts of the Ukrainian power grid, have demonstrated that this was not a one-time event, and that defensive measures must be implemented to provide security for critical infrastructure.

And indeed, during the last decade, and especially during the last five years, considerable efforts have been made to secure national critical infrastructure from cyber threats. Special programs are in place to boost security for the power grid, factories and utilities. This is conducted through regulation, education and enforcement. For example, the UK government has recently stated that energy, transport, water, health and other critical services firms could be fined up to £17 million (more than $22 million U.S.) if they fail to have the most robust safeguards in place against cyber-attacks. Even though these efforts are slowly improving the security posture of this sector, there is still much work to be done, and utilities are still vulnerable. The FBI admitted as much earlier this year when they acknowledged that government entities and multiple U.S. critical infrastructure sectors, including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing, have been targeted by Russian threat actors. But even if we secure the sensitive assets and prevent cyber-attacks from targeting power stations and factories, there are new attack vectors that are just starting to unfold -- ones for which it is much harder to provide an answer.

IoT: A New Attack Vector

Consider the power plant. It is in one physical location, secured by physical security means, connected to the outside world via a firewall-secured connection, and monitored by network security and intrusion prevention and detection systems. Blunt access attempts from unknown locations are easily detected and blocked, and subtler malicious activity running on the network (such as malware introduced by hackers or insiders, as was the case with Stuxnet) can be identified by analyzing the internal network traffic and abnormal behavior of IT and OT entities. This requires many resources, as well as skilled IT security personnel, but at least the power plant management is aware of the risk and actively investing in mitigating it with, until now, considerable success; there are no recorded incidents of successful attacks on power production facilities. This is true in general for the entire power infrastructure, including production facilities, transformation, sub-stations, etc.

However, as more and more IoT devices enter our lives, so does the opportunity for a bad actor to utilize them for grid-disturbing cyber-attacks. The Internet of Things (IoT) is a general name for a myriad of connected devices. They can be as large as a refrigerator or as small as a sensor. They are all connected to the internet, either via the home Wi-Fi, a SIM card or a dedicated gateway, and perform certain pre-programmed functions. Connected devices, a.k.a. “smart devices”, are the next step in the connectivity revolution that started with computers connected to each other, then the world wide web, and finally smartphones which are “always connected.” They promise us greater automation, savings and convenience. As such, they have made their way into millions of homes, enterprises and factories, but there is one caveat that is not yet fully understood: the connectivity of these devices. They’re essentially small computers, which makes them vulnerable to cyber threats. In addition, their distributed nature means that providers must monitor millions of devices for cyber-attacks. This is exceedingly difficult, as was demonstrated by the devastating Mirai botnet attack, which infected hundreds of thousands of devices and used them for the world’s largest denial of service attack.

Hackers are now starting to understand how the IoT can be utilized to attack and disrupt our way of living. The potential impact is frightening.

Power Grid Demand Manipulation

As discussed above, attackers must be very proficient to successfully target a single power plant, and even if production is disrupted or completely halted at one station, there are built-in backups and redundancies in the grid to compensate. So, to generate a nation-wide or even regional blackout, the attackers would need to execute a well-coordinated attack on multiple facilities. This is not impossible; Russia allegedly conducted a coordinated attack against the Ukrainian power grid, during which multiple substations were switched off and about 230,000 people were left without electricity for a period of one to six hours. In total, 73 MWh (0.015 percent of daily electricity consumption in Ukraine) was not supplied.

This is no trivial attack, but even this sophisticated hack was quickly rectified and did not result in permanent damage. But what if, instead of preventing power from being manufactured and distributed, a sophisticated attacker was to increase the demand or manipulate it? A foreign power without the means to hack dozens of power plants and substations could instead hack millions of smart devices connected to a power supply and use them to manipulate power consumption, creating spikes in local and regional consumption that in turn could damage power transformation and carrying infrastructure. Power companies are aware that spikes in power consumption happen, and they try to predict them with analytical tools and statistical analysis of past behavior. For example, by reviewing historical data, they can predict increased demand caused by households boiling kettles at half-time breaks during World Cup soccer matches. But hacked devices can be manipulated to consume more power late at night when no one is expecting a surge in demand. Without standby power to cope with this demand, outages are unavoidable.

The opposite scenario is also problematic; turning multiple devices off at the same time could cause a drop in consumption and would require the power grid to “absorb” the extra power produced (which in itself could cause automatic disconnection mechanisms to kick in, creating additional disturbances in “the force”). The psychological effects of such blackouts can be substantial and could serve to stir political or diplomatic tensions, especially since the source of the attacks would be difficult to determine. Unlike the attack against Ukraine, an IoT-based attack would be hard to identify and attribute because there isn’t one entity that “owns” the devices and monitors their behavior. As such, it could take authorities considerable time to understand the source of this strange consumer behavior, and even after figuring out the cause, it would be very hard for them to reach all the infected devices and “wipe” the malware. The long-lasting effects of such campaigns could be significant.
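The statistical view of past demand described above can also be turned into a check for consumption that does not fit the time of day. The following is an added example, not part of the original article: it builds a per-hour baseline from history and flags both an unexpected night-time surge and a sudden drop. The load figures, the median/MAD method and the threshold are assumptions chosen for illustration, and all data is constructed.

```python
import math
from statistics import median

K = 4.0  # flag readings more than K robust standard deviations from baseline

def base_load(hour):
    """Constructed daily demand curve in MW: trough at 03:00, peak at 15:00."""
    return 700 - 300 * math.cos(2 * math.pi * (hour - 3) / 24)

def jitter(day, hour):
    """Deterministic stand-in for day-to-day noise, -20..+20 MW."""
    return ((day * 7 + hour * 3) % 11 - 5) * 4

def hourly_baseline(history):
    """history: list of days, each a list of 24 hourly MW readings.
    Returns per-hour (median, robust sigma) from the median absolute deviation."""
    baseline = []
    for hour in range(24):
        values = [day[hour] for day in history]
        mid = median(values)
        mad = median(abs(v - mid) for v in values)
        baseline.append((mid, max(1.4826 * mad, 1.0)))  # floor avoids a zero band
    return baseline

def flag_demand_anomalies(history, today, k=K):
    """Return (hour, kind, deviation_mw) for readings outside the expected band."""
    alerts = []
    for hour, (mid, sigma) in enumerate(hourly_baseline(history)):
        deviation = today[hour] - mid
        if abs(deviation) > k * sigma:
            kind = "surge" if deviation > 0 else "drop"
            alerts.append((hour, kind, round(deviation)))
    return alerts

# Constructed data: 14 days of history, then one day with two injected events.
HISTORY = [[base_load(h) + jitter(d, h) for h in range(24)] for d in range(14)]
TODAY = [base_load(h) + jitter(14, h) for h in range(24)]
TODAY[3] += 150    # unexpected night-time surge
TODAY[14] -= 200   # many devices switching off at once

if __name__ == "__main__":
    for hour, kind, dev in flag_demand_anomalies(HISTORY, TODAY):
        print(f"{hour:02d}:00 {kind} {dev:+d} MW vs. baseline")
```

Because the baseline is kept per hour of day, a 150 MW rise at 03:00 stands out even though the same absolute load would be unremarkable in the afternoon.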

Power Drainage

A short-lived blackout can have substantial psychological effects, but a nation can also suffer from a more covert form of warfare: economic warfare against its corporations and economy. Connected domestic appliances consume notoriously high amounts of power. If hacked, they could be made to look as if they are in sleep mode or shut down when in fact they are consuming costly energy, ultimately amounting to hundreds of dollars wasted per device per year. Even today, about a quarter of all residential energy consumption can be attributed to devices in idle power mode - the equivalent of 50 large power plants’ worth of electricity, costing more than $19 billion in electricity bills every year. Although this cost is borne by consumers, it still has an impact on the economy, infrastructure and environment. Imagine the financial and environmental impact of attackers increasing this cost by just 10 percent through the manipulation of connected devices.

Municipal Mayhem

The effects of IoT attacks could also trickle down to the municipal level, which has an even greater impact on inhabitants’ lives. By attacking Internet-facing utility devices such as sewage and water flow sensors and actuators, attackers could cause significant disturbance to urban living without having to penetrate robust IT or OT networks. Take traffic lights, for example. If hacked, the result is chaos and gridlock, bringing the city to a standstill. It has already been proven that autonomous vehicles can be fooled by signs that have been tampered with, and when they start to be adopted en masse, this problem will only increase.

There are also examples of emergency sirens being hacked so that they start wailing in the middle of the night. Even simpler hacks can cause considerable damage, like the first recorded cyber-physical attack, dating back to 2000, which resulted in insecure sewage pumps spilling filth into the streets in Maroochy Shire, a small town in Queensland, Australia. Even if physical damage (or a bad smell) isn’t inflicted, it is easy for an IoT hacker to cause reputational damage and destroy citizens’ sense of personal and public safety and security. It does not take a lot of imagination to devise a hoax in which street signs suddenly display all sorts of inappropriate messages, from funny to cunning to offensive.

Domestic Terror

Perhaps the simplest hack to perform is that of the smart home. This can have a very deep psychological impact on an individual or, if conducted on a large scale, on the entire population. As more households and apartment buildings adopt smart devices, the potential for hacking increases. To date, most of the cyber activities involving the smart home have focused on filming and eavesdropping on the inhabitants. However, more nefarious hackers have been known to interfere with domestic activities to create disturbance and panic. Examples include taking control of lights and turning them on and off at will, locking people in their apartments, and manipulating the air conditioning or heating systems to cause discomfort.

It is also possible to cause physical damage to domestic environments by starting fires. Smart kettles are known to have weak security and could easily be exploited to boil until all the water has evaporated and the appliance starts to melt and catch fire. Similarly, fire detection and extinguishing systems are also connected and could be shut down exactly when they are called into action, heightening the impact of the previously described hacks.

Conclusion

The more connected our nations, cities, neighborhoods and homes become, the more vulnerable we will become. Unlike the traditional security solutions provided for critical infrastructure, which have central directive operations, supervision and management, connected devices are sold in the millions and deployed in homes, offices and streets, where nobody really knows their status. To date, hackers have only superficially exploited these devices for their computing power or to launch denial of service attacks, both of which are financially motivated. Given the immense footprint of such devices, their diverse functionality, and their unfortunate lack of security, it is to be expected that nation-state hackers, hacktivists and politically motivated hackers will begin to exploit this fertile ground for operations in the very near future (if they are not already doing so now). It is up to national security leaders to attend to this problem, by the following means:

  •  Education. The industry must raise public awareness of IoT cyber threats and their potential impacts.
  •  Regulation. Vendors must be forced to ship secure products without built-in vulnerabilities.
  •  Accountability. IoT service providers must be held accountable for the security of the devices or services they provide. They must deploy dedicated monitoring solutions that can identify and mitigate attacks in real time, before the hacker is able to recruit millions of devices. Visibility and awareness are key in preparing for the next wave of destructive cyber-attacks, which will target not nations, but devices.

About the author: Yotam Gutman is the VP Marketing for SecuriThings. SecuriThings provides comprehensive security for cloud-based IoT solutions. Utilizing big data and advanced machine learning combined with IoT cyber intelligence feeds, the system can analyze human and machine behavior to detect threats in real time. This layer of real-time security allows IoT providers to enable policies and constantly monitor their IoT services to mitigate attacks. Gutman is a former Lieutenant Commander, specializing in C4i applications, maritime domain awareness and maritime intelligence for the Israeli Navy.