The next frontier in cyberwar: Embedded devices


Mission-critical embedded systems are insufficiently protected, which gives bad actors ample incentive to invest their time, resources and innovation into compromising them.

Embedded devices control satellites, the nation’s electrical grid, communities' water supply and advanced automotive capabilities. These critical systems are not secure. We know it and our adversaries know it.

Ransomware and other cybercrime incidents targeting the nation's critical infrastructure have soared in recent years, affecting millions of citizens and the economy. Although deeply concerning, this trend has had the silver lining of increased awareness and action taken to protect personal devices, bank accounts and other gateways to our digital identities. 

Individuals are still mostly oblivious to all sorts of computers that live in the devices that control electrical grids, industrial infrastructure, satellite communications and electronic control units in cars. These computers operate more or less the way a laptop does. And they are also vulnerable to malware and can be knocked offline when they’re most needed. 

Yet overwhelmingly, these devices have only basic access controls, and they lack defenses similar to the antivirus and email filtration capacities that are built into a PC or mobile phone. They are missing protections that the cybersecurity industry calls a “host-based defense,” which simply means protections that are built into the device rather than around it. 

Attacks that compromise data and IT systems remain serious concerns. But the front line of the cybersecurity war is moving, and embedded devices increasingly are the primary target. Why? They are mission-critical (entire systems depend on their consistent and safe operation) and insufficiently protected, which provides bad actors with ample incentive to invest substantial time, resources and innovation into compromising them. 

And attackers are doing just that, as evidenced by the proliferation of attacks against the operational technology (OT) systems in the nation’s critical infrastructure, where so many of these devices are deployed. 

Industry leaders and the Biden administration are taking the threat to OT systems seriously. Yet even informed analysis rarely includes the actual devices in the threat framework. This oversight leaves a critical element of OT systems dangling. 

It’s only logical to expect bad actors to home in on neglected devices. Yet many device manufacturers and end-users are not responding to this threat, typically due to one of these false assumptions:

  • Embedded devices are too isolated to attack or too difficult to compromise.
  • Attackers have no motive for targeting embedded devices.
  • There is little or no incentive to create or use more secure devices. 

Once these assumptions are disproved, the rationale behind attacks on embedded devices inevitably becomes clear. The following realities can drive a new evaluation of the nation's approach to cybersecurity.

Reality 1: There are practical methods for accessing and attacking embedded devices

Hackers can’t attack what they can’t see unless they physically interact with the device. Historically, most embedded devices were not connected to the internet. They did their job on assembly lines, in electrical transformers, oil refineries and other deployments while maintaining “security through obscurity.” 

But increasingly, end users want to remotely access devices to harvest data, provide maintenance or support or enable communication with controllers or other connected devices. Use cases include everything from smart home thermostats to car telematics to sensors in complex building management systems. The end-user could be a homeowner, a building operator, a device manufacturer -- or a bad actor. 

Cyberattacks at the device level take technical sophistication, resources and innovation, a combination that helps sustain the idea that they are not worth an attacker’s effort. 

But there is already evidence that punctures this assumption. Stuxnet, which broke device security controls; Triton, which changed application memory in a safety instrumentation system; the Ukraine grid attacks, which overwrote device firmware; and the Mirai botnet attack, which exploited Linux-based devices with weak passwords, are more than sufficient evidence that these devices can and will be accessed and compromised.

Reality 2: Attacking embedded devices is profitable

Many experts still believe that attacking embedded devices is not profitable. Some of these arguments focus on data, the typical objective of most cyberattacks on IT systems. Embedded devices typically have little data, and what they do contain can usually be recovered through a download of the original code. 

But attackers have other motives for attacking the OT systems in which millions of embedded devices are operating, including reputational damage to companies, ransom payments, cyber warfare and terrorism. Gartner predicts that attacks on OT systems will result in human casualties and billions of dollars in losses over the next few years.

Consider just ransomware attacks. An attacker that compromises critical devices in an OT system could feasibly demand a ransom to return normal device operation. Until recently, this situation seemed impractical, but research has confirmed that ransomware can be loaded onto embedded devices.

Now, imagine the value of compromising controls of satellites that are critical to military communications, telecom functionality or even just video streaming services. Many devices represent a “single point of failure,” meaning that many other devices and services depend on their operation.

Reality 3: User and manufacturer inaction is incentivized

In addition to attackers having a method and motivation for targeting embedded devices, the makers and owners of those devices too often reject the threat their insecurity presents.

Updating the security posture of embedded devices will be an expensive and time-consuming proposition. Partly this is a practical consideration for device users. Many devices can’t be taken offline and upgraded due to their ongoing engagement with mission-critical systems. 

Device manufacturers also contribute to the inertia since they rarely face any profound consequences when their products turn out to have exploitable vulnerabilities. Reputational damage typically falls on the device user, and regulations around misuse or negligence rarely extend to device manufacturers.

Result: Ask when, not if, embedded device cyberattacks will occur, and act accordingly

Like most other crimes, cyberattacks are opportunistic. If history is any guide, attackers put a great deal of effort into compromising embedded devices. The benefit is obvious, and the conditions are ripe due to a lack of preparation and motivation. 

But the outcome is not set in stone. Researchers must do more work to demonstrate the feasibility of these device-level attacks and create host-based defenses that do not depend on the reactive model of software patching. 

End users and the public must demand that manufacturers pursue a higher security standard for the devices they sell, and regulatory bodies need to extend standards to the embedded device layer. 

These solutions are not without effort, but without action, we are leaving it up to the nation-states and bad actors of the world to provide the motivation for change. 
