New risks accompany the Internet of Things (IoT). Software attacks that produce physical effects are especially troubling.
Take the Bowman Avenue Dam attack, as an example. On March 24, 2016, the Department of Justice announced charges against an Iranian hacker who mounted a cyber-physical attack upon the supervisory control and data acquisition (SCADA) systems of the Bowman Dam, in Rye, New York. The charges are that the hacker repeatedly obtained information regarding the status and operation of the dam, including information about the water levels and temperature, and the status of the sluice gate, which controls water levels and flow rates. The hacker obtained access that, ordinarily, would have enabled him to remotely operate and manipulate the dam’s sluice gate. Fortuitously, the gate had been manually disconnected at the time of his intrusion.
This is a real-time example of exactly the kind of IoT risks that I’ve discussed in my two previous blogs for Federal Times. In the first blog, I observed that “cyberattacks upon the IoT can produce adverse consequence upon physical systems that are IoT endpoints.” Had the Bowman Dam sluice gate not been down for maintenance, the Iranian attacker could have opened the gate and produced flooding.
Federal officials, especially those at the Department of Homeland Security, are alert to cyber-physical threats to SCADA systems that control critical infrastructure. With the proliferation of IoT instrumentalities, we can expect greater interconnectivity and integration among control systems and controlled equipment. IoT endpoint devices will be employed for many purposes, including “informational” functions (e.g., status reports on condition and capacity) and those for “control” (e.g., activation/deactivation). Distinct to the now-emerging IoT “4th generation” of SCADA systems, control functionality will be increasingly automated with decisions made on a machine-to-machine basis, without human intervention.
From the federal perspective, the IoT promises optimization of infrastructure operations through interconnected SCADA systems. If properly implemented, conceivably security can be enhanced as IoT systems can accelerate receipt of information on system status and facilitate rapid response to either cyber or physical threats. However, as I commented in my second blog, “authentication, identity management and transaction processing add to exposed [attack] surfaces” for IoT systems. Positive security results for IoT-enabled SCADA systems will have to be achieved through a collaborative effort of federal authorities with relevant standards setting organizations, network architects, system engineers, equipment manufacturers, infrastructure operators and technical cyber specialists.
DHS leads the federal government’s efforts to address the cybersecurity of critical infrastructure. DoD has recognized its need to protect the cybersecurity of the manufacturing capabilities of the defense industrial base. Advanced manufacturing capabilities rely upon Industrial Control Systems (ICS). If we think of SCADA as large-scale control systems that typically cover a broad geographic area and multiple-site infrastructure systems (e.g., dams and irrigation, pipelines), ICS may be considered a subset of SCADA that refers to industrial automation and is more site-specific.
IoT instrumentalities will create new vulnerabilities for connected ICS. Endpoint devices would monitor equipment condition and utilization, for example. Resource allocation could be accomplished through communication of “status” to the host service or by peer-to-peer communication around the periphery of connected devices. Equipment could receive software updates or scheduled service based upon the condition and utilization reports. While these “conditions” can exist today, with the advent of IoT the quantity of at-risk equipment will increase as will the number and diversity of industries using connected devices. The scale of the prospective “industrial IoT” elevates the cybersecurity risk to the advanced manufacturing capabilities of the defense industrial base.
The risk is a function of threat, vulnerability and consequences of cyber-physical attacks:
- Threat: From the attacker’s perspective, an attraction of an “IoT-directed” attack is the potential for higher return on investment achieved if an attack at a single point of vulnerability produces wide and lasting impact. Some attackers (nation-states, sponsored agents or even commercial rivals) will find motivation to damage the U.S. economy, selected industry sectors, individual business rivals, particular factories or even specific equipment on a production line.
- Vulnerabilities: Potentially insecure junctures along the IoT “stack,” (i.e., applications, devices and platforms, sensors, transport, analytics and infrastructure) produce increased attack surfaces. Only one point of weak controls along the IoT “stack” is sufficient for an adversary to mount an attack to disrupt or corrupt control functions of connected equipment.
- Consequences: Connected equipment sharing control systems indicates that a targeted IoT attack, upon an ICS system at one factory (or a group of connected factories) could produce serious, long-lasting damage to critical manufacturing capabilities.
The damage from an IoT attack upon ICS might not have the immediacy or threaten physical harm to the safety of Americans as could a SCADA attack upon power grids or flood control infrastructure, but the economic damage and the impairment of defense manufacturing capabilities could be profound. Here too, there is real-world evidence of the power — and danger — of ICS attacks. Once inserted into the ICS that controlled Iran’s uranium enrichment facilities, the Stuxnet virus produced high rates of failure of centrifuge equipment and crippled Iran’s nuclear ambitions. This is an early but cautionary example of how malicious software code can be spread among ICS with devastating industrial effect.
U.S. leaders and responsible industry officials must plan for and defend against counterpart but evolved threats that will accompany the adoption of IoT functionalities in SCADA and ICS. My next blog will look at mitigation of cyber-physical risks and potential federal responses. I will also consider the role of statute, regulation and acquisition practices in the federal response.
Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C. office.