Securing cyber-physical systems
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Sep 06, 2016
The Internet of Things is the convergence of computers, networking technologies, sensors and wearables with physical processes resulting in cyber-physical systems. As the IoT continues to evolve, there is a growing need for education, innovation, research and multidisciplinary collaboration across industries, cultures and borders to address the inherent vulnerabilities in these systems. CPS security is not a national issue -- it’s a global one.
IoT convergence means that an adversarial attack or networking error could have real-world physical ramifications -- from human injury or death to environmental damage and even economic consequences.
There are at least three known examples to date of cyberattacks affecting physical systems. First, Stuxnet caused significant damage to Iran’s nuclear program. This malware program varied normal operational parameters of the nuclear centrifuge rotations and replaced the variant operational data with normal data so that the human operators were not notified. The second example is the German steel mill that fell victim to a cyberattack that made it unable to regulate the shutdown of a blast furnace, resulting in an explosion. The third and most recent disruption, which affected power distribution facilities in Ukraine, is most disturbing because it was a coordinated attack to corrupt firmware, destroy hard drives, disconnect uninterruptible power supplies and deliver denial-of-service attacks against the help desk to prevent recovery efforts. As these examples illustrate, a deliberate attack, fault or natural disaster in connected systems can have significant ramifications in the physical realm.
The IoT connects humans, sensors, mobile devices, vehicles, buildings and robots. These systems are distributed, heterogeneous and may include a variety of wireless protocols, such as Bluetooth, Wi-Fi and radio frequency, among others. Because of its reach, the IoT creates a much larger attack surface. While physical security efforts have traditionally been based on boundaries -- property lines, laws, regulations and cultural norms -- the reality today is that cyber connections have made the physical realm an unbounded environment that has no limits and no controls.
The number of CPS continues to grow as manufacturers make products “smart” by adding sensors, actuators, controls and connectivity. They are being developed and fielded even as early adopters grapple with the challenges of open and insecure protocols, integration with legacy devices and software, hardware, and firmware that are vulnerable to attacks.
Defense of the IoT requires an approach that is not restricted to perimeter security, but includes proactive, multidisciplinary capabilities. Everyone is now a stakeholder, because everyone is at risk. Security awareness must be part of the skillset for every person who relies on, leverages and builds upon information technology.
In a world where the number of internet-connected devices is projected to reach 50 to 100 billion, government agencies must move away from a boundary-based security mentality to a much more coordinated, proactive defense. Products cannot be moved into market without proper security testing. Lawmakers and enforcers must have a better understanding of cybersecurity technology and, perhaps most importantly, the general workforce and public must become more cyber aware.
Members of the (ISC)2 U.S. Government Advisory Council Executive Writers Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit https://www.isc2.org/About/Advisory-Council#