In 1999 a technology manager called Kevin Ashton coined the phrase “The Internet of Things”.
It was meant to convey the fact that not everything connected to the Internet generates data via humans tapping on keyboards. Today, these “things” include elements of our critical national infrastructure via what are called SCADA (Supervisory Control And Data Acquisition) systems or ICS (Industrial Control Systems). Unfortunately, these systems can be just as vulnerable to attack as our laptops.
Security through obscurity has helped to protect these systems until recently as they are not obvious to regular Internet users. However, there is no longer anywhere to hide. Many know that search engines such as Google, if queried using “advanced operators”, can reveal exposed equipment. This became even simpler with search engines such as Shodan, which are designed specifically to help locate exposed webcams, routers, etc. but which can just as easily reveal SCADA systems.
Lack of direct connection to the Internet is no guarantee of security either. More often than not, unprotected control systems can be reached indirectly using the “swivel chair interface” where a human can be convinced to transfer something from the Internet to automated systems, or vice versa.
In 2010 we saw how even the most secure “air gap” can be breached when the Iranian nuclear reprocessing plant at Natanz was infected with the Stuxnet virus. This appears to have been achieved when an operator plugged in an infected USB stick to an isolated PC that was used to communicate with the embedded computers that controlled and reported upon the centrifuges producing enriched uranium. The Stuxnet virus simultaneously caused the centrifuges to malfunction whilst reporting that all was well to the operators. Leave a USB stick lying around with what looks like a free game, and you’d be surprised how many users will plug it into the nearest computer.
Since this incident there has been a growing realisation that various elements of a critical national infrastructure are similarly vulnerable. They use similar, if not identical, embedded computer systems as were used at Natanz. The initial thought was one of defending the realm against foreign aggressors. After all, it was an obvious way to cripple a country without firing a physical shot. Why launch missiles if you can switch out the lights and turn off the water? It’s cheaper too. So much so that this form of attack has become a great leveller, allowing small nations to potentially punch well above their weight.
For a while there were detractors who said that this type of threat is nonsense, and that it simply could not happen. However, tests were already being conducted at research institutes such as the Idaho national laboratories (known as Aurora) by the time Stuxnet was released. Such tests showed that access to these SCADA systems could not only turn off equipment that we all rely upon but could also cause the equipment to self-destruct.
Hence, embedded computing needs to be kept updated and have protection just as much as the computers with which we are all more familiar. Unfortunately, keeping embedded computers updated can be problematic. Perversely, although they may be vulnerable to remote attacks, updating their software (known as firmware if it cannot be accessed routinely by a remote computer) can require visits to the physical devices. This takes time and effort, and when coupled with a history of complacency about their risk of attack, many systems remain vulnerable for significant periods after a vulnerability is reported.
via Scientific American – Alan Woodward