By Ersin Uzun & Shantanu Rane, System Sciences Laboratory, PARC, a Xerox company
IoT systems are collections of networked components — sensors, actuators, controllers, computing devices — that connect the physical and digital worlds. Much of the world’s critical infrastructure, including smart power grids, nuclear power plants, military command centers, smart city installations and transportation systems, as well as emerging applications in smart homes and offices belong to this category.
The large industrial control systems have been assembled over many decades, with the goal of achieving a desired set of goals. Power grids, for example, must distribute electrical power across large geographical areas, balancing the supply and demand at various times of the day. To make this possible, the instruments and controllers that make up these systems have been designed to be safe, reliable, easily configurable and interoperable across different manufacturers and standards. Similarly, emerging IoT applications in homes and offices prioritize flexibility and interoperability rather than security and privacy.
Thus, securing these systems presents a unique set of challenges.
Xerox PARC researchers look at securing industrial control systems against cyberattacks.
Security for IoT systems no longer an afterthought
Until very recently, when designing the architecture of industrial control systems, SCADA (Supervisory Control and Data Acquisition), the architecture used to supervise and manage large industrial control systems, was not designed with security in mind. SCADA had evolved in the 1960s from methods that gathered and analyzed telemetry in power systems, with more industrial control applications coming later. From the point of view of network security, it was a simpler time: The ARPANET was just being deployed, and outside of military engagements, attacks on connected infrastructure were not commonplace.
Designers, operators, vendors and users of today’s IoT systems no longer have that luxury. These days, attacks on cyber-physical infrastructure are not limited to just data breaches or malware designed to make our computers unusable; they can put human lives at risk. A virus that encrypts your hard drive is a relatively minor inconvenience compared to an attack on a hospital’s electrical power supply, or an attack on robotics systems in a manufacturing plant which can endanger the lives of humans.
Why is security only now becoming an important consideration?
Over the past decade, we’ve seen a proliferation of smart devices that possess the capabilities of information processing and network connectivity. The defining characteristic of the Internet of Things (IoT) is that devices, previously restricted to their physical environment, are now connected to a computer network. This network could be a home network, an industrial intranet or even the whole internet. This means that a device, or a gateway that connects a device to the network, is accessible by someone who presents the right credentials, or bypasses the credentials altogether.
As computation and connectivity have become commoditized, they have spawned a plethora of solutions that automate, improve and simplify key tasks in industrial control — from gathering sensor readings on the performance targets of a conveyor-based motor car production line, to verifying the freshness of a food shipment in a smart supply chain, to programming a CNC machine to precisely cut a block of metal into the right shape. They have also, unfortunately, exposed a rich attack surface that can be exploited by malicious hackers.
Consider, for example, the infamous Stuxnet worm that was used to attack Iranian nuclear installations. A malicious program was inserted into the unit that controlled the operation of the centrifuges in the nuclear reactor. This program caused infrequent changes in the speed at which the centrifuges rotate, which, over a period of time, would cause the centrifuges to deteriorate and fail. What made Stuxnet extremely hard to detect was that the telemetry from the centrifuges was spoofed, i.e., whenever the controller was asked to report the speed of the centrifuges, it would still report benign, expected values rather than the altered velocities induced by the worm.
Designed-in security is a worthy objective, but hard to achieve
It is often claimed that the way to address this new set of cyber-physical security challenges is to construct systems that are “secure by design.” This requires a system designer to develop an understanding of an attacker’s incentives and the various ways in which he or she can compromise the operations of the system. In the recent Mirai botnet attacks, for example, the adversaries accessed their targets using commonly used default passwords, which had never been altered by their users. This simple attack infiltrated tens of thousands of devices.
The goal of designed-in security is to incorporate measures and protocols that will prevent as many known attack scenarios as possible. A bigger challenge for the security engineer is figuring out how to deal with attack methods that are hitherto unknown, and to design the system in such a way that it can mitigate the negative consequences of such novel attacks. This is a precarious undertaking, and for many IoT systems, this type of designed-in security may be hard to achieve. That’s because many systems — think of the smart power grid, portions of which may have been in operation for decades — contain legacy equipment with old processes and protocols that must be brought up to date with current security best practices, a task easier said than done.
More articles about cybersecurity
Insights on Data Protection on Xerox.com.
More articles about security on this blog.
It’s not just legacy devices that are hard to secure
Some industrial and enterprise applications require a new class of lightweight, low- power, cheap sensors that are deployed in swarms of hundreds or thousands. These devices may power up intermittently or be passive and draw power from other devices in their vicinity. They might engage in opportunistic communication with listening devices in their neighborhood, but could remain silent most of the time. The secure communication and storage mechanisms that are typically deployed in cybersecurity solutions are far too complex to be implemented on such lightweight devices. In addition to the conventional protocols for secure communication, secure data storage and key management, we need security approaches that inter-operate across a vast range of device capabilities.
Connection to the physical world demands new approaches to resilience against attacks
Speaking very broadly, there are two ways in which an adversary can compromise an IoT system. The first way is by infecting a system component or a controller that interacts with that component. Stuxnet was an attack of this type. The second way, much less investigated at the present time, is by directly compromising the physical environment of a sensor or actuator. It is possible, for example, to deceive or “spoof” the readings of a sensor. A research team at the University of Texas recently showed that, by using a powerful enough transmitter, they could spoof the GPS signal being used by a UAV for its navigation. This could force the UAV to follow an unintended trajectory, ultimately leading to its capture or destruction.
As another example, rather than hacking into a temperature sensor, an adversary might surreptitiously discharge a hot or cold gas next to it, causing the temperature sensor to report an erroneous reading to the controller. The controller, not realizing that the temperature reading has been spoofed, may then take unnecessary corrective action. In doing so, it might waste precious energy resources or cause excess wear and tear on its actuators. It might also, unwittingly, take the system into an unsafe state. Cryptographic solutions cannot address such attacks.
Where do we go from here?
To diagnose attacks caused by resident threats and attacks that originate in the physical environment, we have to move beyond classical cryptographic approaches and try to understand the behavior of the system we want to protect. If we can construct a mathematical model of the system’s behavior, then a deviation from this model would suggest that an attack is imminent or is being carried out. The operators can then try to isolate the attack, for example, by disconnecting the affected components from the network, or by revoking a set of compromised keys and so on.
How does one construct a mathematical model for a cyber-physical subsystem? A natural way to do this is to gather data from the sensors involved and applying machine learning techniques to derive a model. We can then use anomaly detection to detect deviant behavior that does not conform to the model. Unfortunately, anomaly detection based on machine learning techniques is not always feasible because there isn’t sufficient data to reliably distinguish between normal and abnormal behavior.
This strikes us as unusual because we are conditioned to believe that more data will yield more insights; however the situation itself ought not to be surprising: attacks or failures are rare and having usable data to teach those scenarios to a machine learning algorithm are even more rare.
When a purely data-driven approach fails, it might help to model the system not just from sensor data, but from the underlying physics. The magnitude and direction of the current in electrical circuits, for example, obeys universal laws. Heat diffuses in a material according to a well-specified differential equation. Using measurements of such physical quantities, it is possible to construct “physical” models of IoT systems or its individual components. Comparing the sensor telemetry against such models may provide clues toward detecting and predicting attacks, when approaches based solely on data-centric models no longer suffice. This notion of smart systems being aware of their own model is not new in mother nature; in fact, that is how smart and complex organisms evolved to be resilient and adaptive against previously unknown pathogens or recover from unexpected damages to its internal systems.
At PARC, one of our missions is to develop innovative security solutions to prevent attacks on IoT systems and cyber-physical device fleets. To do this, we focus on three research agendas:
1-Secure-by-design communications platform for IoT systems.
2-Secure interactions between humans and cyber-physical systems.
3-Security based on hybrid modeling of cyber-physical systems.
Learn more at http://www.parc.com/.
While traditional cybersecurity approaches represent a necessary starting point, they will not be sufficient to secure IoT systems of the future. These approaches, which rely on modern cryptography, will help us secure the perimeter of such systems, but they are less helpful if the adversary is already inside the system, or if he or she attacks the physical interface. Therefore, in addition to cryptographers and security analysts, it is necessary to engage with experts working on non-cyber aspects of cyber-physical systems such as physicists, chemical engineers, control theorists and application domain experts.
Being successful in creating truly resilient and adaptive IoT systems requires nothing less than a truly interdisciplinary enterprise.