Critical Infrastructure and the Internet of Things


Karen McDowell is an information security analyst at the University of Virginia.

The Internet of Things (IoT) interests and excites people for a number of reasons, not the least being that these Internet devices, ranging from industrial sensors to complex CT scanners, can make our lives easier, ensure more efficient delivery of goods and services, and give us more control over the environment than we ever thought possible. Businesses, "on the cusp of an explosion in the potential and adoption of IoT,"[1] are also vitally interested in the IoT because of the great potential in revenue growth and innovation, and long-term sustained value.

The IoT, also known as the Industrial Internet, the Internet of Everything, and the Internet of Nouns, is a new term for many of us. We generally know it refers to devices in our environment that connect to the Internet, but what's the difference between a computer and a thing in the IoT? Not much. Computers and other devices all connect to the Internet via their IP address. Embed a sensor, actuator, or system on a chip into an ordinary physical object like a baby monitor, and voila! it connects to the Internet just like a computer. It can also perform many of the same input-output functions.

According to Gartner, there will be nearly 26 billion devices on the Internet of Things by 2020,[2] and some estimate as many as 30 billion devices by that time. This exponential growth, which British Prime Minister David Cameron calls a "new industrial revolution,"[3] is fueled partly by the "rapidly falling cost of manufacturing power-efficient wireless chipsets capable of sending and receiving Wi-Fi and Bluetooth low-energy signals."[4]

Yet, certainly as it applies to critical infrastructure, the vulnerability of the IoT is growing just as fast. Hackers now have potentially unparalleled access to essential services, like water, power, and communications. As recently as February 2014, CIA Director John Brennan warned,

"… [W]e are seeing a greater interest on the part of our cyber adversaries in critical infrastructure. The systems that help manage oil and gas pipelines, water distribution networks, and electric power grids are attractive targets for cyber-attacks. Some of the newer systems include safeguards that help protect against the threat, but a large amount of the 'legacy' infrastructure is vulnerable. A successful attack on these systems could disrupt lives and have a significant impact on our economy."[5]

Legacy systems include earlier-generation SCADA (supervisory control and data acquisition) systems, which serve as the cerebral cortex of nuclear-powered facilities, electrical grids, transportation utilities, and other critical infrastructure essential to the basic operation of a modern society. SCADA systems are particularly vulnerable to hacking because many were built with only physical safety in mind, before the Internet came into common use.

Many systems also run outdated versions of Microsoft Windows and Linux, which frequently are unpatched and subject to compromises. They have common security holes, including weak passwords or default and hardcoded vendor passwords like "1234" or "admin," as well as no authentication controls and embedded web servers or administrative interfaces, which make controlling and manipulating the equipment relatively easy.

Some systems are so old it is impossible to update them. "[SCADA] systems are extremely old and very difficult to upgrade," according to Jamil Farshchi, who is the senior business leader for strategic planning and initiatives for Visa and was the chief information security officer at Los Alamos National Laboratory through 2011. "New systems aren't really tailored to the requirements of critical-infrastructure management. So the legacy systems are still essential. Without them, you'd shut down the whole operation."[6]

Routine patching is also logistically complex, because these systems operate in real time. We shudder to think about the implications, for example, if an update were not to work properly and a nuclear plant or electrical power grid crashed.

Complicating this situation are rigid compliance mandates; the difficulty of training operator engineers, some of whom have a hard time adjusting to the advanced level of technical training newer systems require; and the overall expense involved. Finally, SCADA security changed dramatically after the Stuxnet attack on a SCADA system showed us how a little malware can do a disproportionate amount of damage.

These systems, however, are only part of the problem. Many hospital devices, which have the exact same security holes, also connect to the IoT. It's not difficult for a hacker to manipulate medical IoT devices, like drug infusion pumps for delivering chemotherapy and antibiotics, Bluetooth-enabled defibrillators, or heart monitors. Physicians for former VP Dick Cheney decided in 2007 to disable the wireless capability of his defibrillator to prevent terrorists from manipulating the device to kill him. Think about the human (and legal) implications of an unpatched heart monitor that becomes infected with malware and sends erroneous information to the medical staff, or a chemotherapy pump that is manipulated to change the dosage. It’s "insanely easy to hack hospital equipment," noted Kim Zetter of Wired magazine earlier this year.[7]

Millions of other devices connected to the IoT include objects we use every day, like baby monitors, thermostats, air conditioners, lights, power outlets, TVs, webcams, garage door openers, and wearable devices. In agriculture, irrigation systems, vineyards, dairy farms, and even eel farms[8] are now part of the IoT. These share many of the same security holes as found in SCADA systems or hospital equipment. A recent Hewlett-Packard study found that "70% of the most commonly used IoT devices contain vulnerabilities,"[9] which means they can be hacked. Further, 80% of these devices raised privacy concerns regarding the collection of data, such as the user's name, e-mail, and home address, date of birth, credit card, and health information.

These findings aren’t theoretical; they are very real. Computer researchers at the University of Michigan hacked into "smart" traffic lights and quickly seized control of an entire system of almost 100 intersections in an unnamed Michigan town using nothing more than a laptop and basic radio broadcast equipment.[10] The system uses wireless radios to save on installation costs and improve flexibility, which is a common configuration in traffic systems. It doesn't take much to imagine the possibilities, if hackers turned all the lights green in rush-hour traffic.

Hackers at the Black Hat security conference, where hacking smart devices was a big theme this year, compromised a Nest thermostat in front of a live audience.[11] In truth this hack requires direct physical access to the device, but hackers could compromise these devices and sell them on eBay, and hacking them remotely may be only a matter of time.[12] What about the new lock and access system that allows people to send a virtual key to anyone they choose? Hackers will likely find that an attractive target.

There are many accounts just like this, but all point to one reality: the need for security. We need to build security into the IoT now, before the "gold rush" to build and sell these devices abates even a little.

The potential for a massive security disaster is very real, since these devices are ubiquitous, and no one security patch will protect every device. In addition, an attack on one might well be carefully configured to trigger a damaging ripple effect, infecting and disabling all the other devices on any given network.

Public opinion isn't going to lead the push to better security, since most consumers aren't aware of the security issues and don't even know they are at risk, let alone understand the risk to critical infrastructure.

One of the scarier aspects of this problem is the ease with which hackers, using a search engine called "Shodan," can find unprotected critical infrastructure and other unprotected things in the IoT. Described as "terrifying," Shodan is just like Google, only it crawls the Internet looking for devices instead of websites. Though the Shodan interface is not intuitive, many a researcher and hacker use it to find insecure devices, systems, and critical infrastructure. As Forbes staffer Kashmir Hill reported in 2013, "Last year an anonymous user took control of more than 400,000 Internet-connected devices using just four default passwords and used them to build a data set much like Shodan, calling it the Internet Census 2012."[13]

Who will take control first, those who would hack our critical infrastructure or those who would secure it? What will it take to advance security and effect change in the IoT? All the experts agree that we have an opportunity now to build in security, or, in the case of existing critical infrastructure, harden it.

In creating the National Cybersecurity and Communications Integration Center, the Department of Homeland Security has developed a promising approach to solving these problems. The NCCIC is a 24/7 operational organization that actively collaborates with public and private sector partners every day, including responding to and mitigating the impacts of attempted disruptions to the nation’s critical cyber and communications networks. Among other things, it has issued more than 10,000 actionable cyber alerts that recipients used to protect their systems and has deployed 78 onsite teams for technical assistance. That’s valuable hands-on assistance, particularly given that the private sector owns and operates the majority of the nation’s infrastructure.

Above all, we must remember that protecting critical infrastructure is a shared responsibility. Each of us has a role. We can report suspicious activities; encourage cybersecurity awareness at the community, local, and state levels; participate in national decisions by staying informed; and let our elected representatives know what we expect them to do. DHS provides an excellent resource to these ends in its "Critical Infrastructure Protection and Resilience Toolkit," which is readily available on the Internet.


  1. Deloitte Insights, "Internet of Things—Unlocking the Business Value of Connected Devices: Weekend Reading," Deloitte Risk Journal, August 29, 2014.
  2. Gartner press release, "Gartner Says the Internet of Things Will Transform the Data Center," March 9, 2014.
  3. David Cameron, Prime Minister David Cameron’s Speech to the CeBIT Trade Fair, in Hanover, Germany, January 9, 2014.
  4. Sunil Maulik, "Trends in Infrastructure: The Internet of Things," Profit Magazine, January 2014.
  5. John Brennan, "Remarks by Central Intelligence Agency Director John O. Brennan as prepared for delivery at the President's Associates Dinner at the University of Oklahoma," February 26, 2014.
  6. George Kamis, "Resolving the Critical Infrastructure Cybersecurity Puzzle," Signal Online, March 1, 2014.
  7. Kim Zetter, "It's Insanely Easy to Hack Hospital Equipment," Wired, April 25, 2014.
  8. Mat Smith, "Korean carrier upgrades eel farm, makes the Internet of (slimey) Things," Engadget, September 2014.
  9. Daniel Miessler, "HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack," HP Fortify, July 29, 2014; last edited September 5, 2014.
  10. Lee Hutchinson, "Researchers find it's terrifyingly easy to hack traffic lights," Ars Technica, August 20, 2014.
  11. Yier Jin, Grant Hernandez, and Daniel Buentello, "Smart Nest Thermostat: A Smart Spy in Your Home," presentation at the 2014 Black Hat security conference.
  12. Dean Takahashi, "Hello, Dave. I control your thermostat. Google's Nest gets hacked," VB News, August 10, 2014.
  13. Kashmir Hill, "The Terrifying Search Engine That Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors And Power Plants," Forbes, September 23, 2013.


© 2014 Karen McDowell. The text of this EDUCAUSE Review blog is licensed under the Creative Commons Attribution 4.0 license.