In-brief: The Internet of Things will make “datakinesis” – the impact of data attacks on the physical world – common, says Cisco’s Marc Blackmer.
Often I am asked how real I think the cybersecurity threat to the Internet of Things (IoT) is or if the whole topic is just hype. My response is always, “The threat is real.” Three news events at the end of 2014 within the span of a month that I thought would have put that question to rest:
- Wired correspondent Kim Zetter’s book about Stuxnet, Countdown to Zero Day, was released in November, and included many examples of vulnerable and attacked industrial control system networks;
- Major news outlets reported in December that a 2008 pipeline explosion in eastern Europe had finally been publicly attributed to a cyber attack;
- Just days after these reports surfaced came the revelation by authorities in western Europe that an unnamed steel mill in the region was physically damaged by a cyber attack earlier in the year.
I really thought that this latest triumvirate of news would have been proof positive that industrial control networks, and by extension the IoT, are vulnerable. Each of these examples demonstrates something I call datakinesis: when an action taken in cyberspace has a result in the physical world.
[Read more stories by Cisco’s Marc Blackmer here.]
Physical devices perform tasks based on commands from computer-based applications as their core functionality. So how hard is it to conceive of a situation where destructive commands are sent to the same devices?
Let’s take malice out of the mix for a moment. What if an operator with the appropriate privileges sends “acceptable” commands at the wrong time, or misconfigures a device? Industrial control systems include safety systems that are meant to shut devices down to head off a potential emergency. But Stuxnet showed us that it is possible to compromise the safety system of its target by feeding it false data to fool into believing everything was running properly.
In the pipeline example cited above, the remote security cameras were the point of entry to the network due to a vulnerability within the cameras, themselves. “Noisy” attacks, such as a denial of service- or brute force attacks are bound to attract attention. In each of these cases, the attackers found the weak links, and exploited those to gain access.
It’s a tried and true technique, and when we consider this approach in context of the scale of the IoT, the magnitude of the threat starts becoming evident. For example, an attacker may have no interest in your senior executive’s personal data, but the attacker will see that Bluetooth-enabled device as a way to get on your executive’s phone to look at his or her contacts, read company emails or connect to your company’s wireless network.
Alas, sensationalizing the situation is not productive, either. Fear, uncertainty, and doubt (or FUD) is too often used as a sales or marketing technique, but only clouds the conversation. Furthermore, it is turning off those with whom we need to be having a real security conversation.
Cybersecurity for the IoT will bring new challenges – many of them to our conceptions of cybersecurity itself. Attacks will happen; they are happening. We will see the convergence of physical and cybersecurity as blended attacks proliferate, and the issues of scale and complexity will not just continue to be a formidable opponent, but will be exacerbated in the IoT.
The threat is real. Let’s dispense with semantics, and get to the substantive work that needs desperately to be done.
Marc Blackmer is a Product Marketing Manager for Industry Solutions at Cisco Systems.