The next frontier in cyberwar: Embedded devices
Mission-critical embedded systems are insufficiently protected, which gives bad actors ample incentive to invest their time, resources and innovation into compromising them.
Embedded devices control satellites, the nation’s electrical grid, communities' water supply and advanced automotive capabilities. These critical systems are not secure. We know it and our adversaries know it.
Ransomware and other cybercrime incidents targeting the nation's critical infrastructure have soared in recent years, affecting millions of citizens and the economy. Although deeply concerning, this trend has had the silver lining of increased awareness and action taken to protect personal devices, bank accounts and other gateways to our digital identities.
Individuals are still mostly oblivious to all sorts of computers that live in the devices that control electrical grids, industrial infrastructure, satellite communications and electronic control units in cars. These computers operate more or less the way a laptop does. And they are also vulnerable to malware and can be knocked offline when they’re most needed.
Yet overwhelmingly, these devices have only basic access controls, and they lack defenses similar to the antivirus and email filtration capacities that are built into a PC or mobile phone. They are missing protections that the cybersecurity industry calls a “host-based defense,” which simply means protections that are built into the device rather than around it.
Attacks that compromise data and IT systems remain serious concerns. But the front line of the cybersecurity war is moving, and embedded devices increasingly are the primary target. Why? They are mission-critical (entire systems depend on their consistent and safe operation) and insufficiently protected, which provides bad actors with ample incentive to invest substantial time, resources and innovation into compromising them.
And attackers are doing just that, as evidenced by the proliferation of attacks against the operational technology (OT) systems in the nation’s critical infrastructure, where so many of these devices are deployed.
Industry leaders and the Biden administration are taking the threat to OT systems seriously. Yet even informed analysis rarely includes the actual devices in the threat framework. This oversight leaves a critical element of OT systems dangling.
It’s only logical to expect bad actors to home in on neglected devices. Yet many device manufacturers and end-users are not responding to this threat, typically due to one of these false assumptions:
- Embedded devices are too isolated to attack or too difficult to compromise.
- Attackers have no motive for targeting embedded devices.
- There is little or no incentive to create or use more secure devices.
Once these assumptions are disproved, the rationale behind attacks on embedded devices inevitably becomes clear. The following realities can drive a new evaluation of the nation's approach to cybersecurity.
Reality 1: There are practical methods for accessing and attacking embedded devices
Hackers can’t attack what they can’t see unless they physically interact with the device. Historically, most embedded devices were not connected to the internet. They did their job on assembly lines, in electrical transformers, oil refineries and other deployments while maintaining “security through obscurity.”
But increasingly, end users want to remotely access devices to harvest data, provide maintenance or support or enable communication with controllers or other connected devices. Use cases include everything from smart home thermostats to car telematics to sensors in complex building management systems. The end-user could be a homeowner, a building operator, a device manufacturer -- or a bad actor.
Cyberattacks at the device level take technical sophistication, resources and innovation, a combination that helps sustain the idea that they are not worth an attacker’s effort.
But there is already evidence that punctures this assumption. Stuxnet, which broke device security controls; Triton, which changed application memory in a safety instrumentation system; the Ukraine grid attacks, which overwrote device firmware; and the Mirai botnet attack, which exploited Linux-based devices with weak passwords, are more than sufficient evidence that these devices can and will be accessed — and compromised.
Reality 2: Attacking embedded devices is profitable
Many experts still believe that attacking embedded devices is not profitable. Some of these arguments focus on data, the typical objective of most cyberattacks on IT systems. Embedded devices typically have little data, and what they do contain can usually be recovered through a download of the original code.
But attackers have other motives for attacking the OT systems in which millions of embedded devices are operating, including reputational damages to companies, ransom payments, cyber warfare and terrorism. Gartner predicts that attacks on OT systems will result in human casualties and billions of dollars in losses over the next few years.
Consider just ransomware attacks. An attacker that compromises critical devices in an OT system could feasibly demand a ransom to return normal device operation. Until recently, this situation seemed impractical, but research has confirmed that ransomware can be loaded onto embedded devices.
Now, imagine the value of compromising controls of satellites that are critical to military communications, telecom functionality or even just video streaming services? Many devices represent a “single point of failure,” meaning that many other devices and services depend on their operation.
Reality 3: User and manufacturer inaction is incentivized
In addition to attackers having a method and motivation for targeting embedded devices, the makers and owners of those devices too often reject the threat their insecurity presents.
Updating the security posture of embedded devices will be an expensive and time-consuming proposition. Partly this is a practical consideration for device users. Many devices can’t be taken offline and upgraded due to their ongoing engagement with mission-critical systems.
Device manufacturers also contribute to the inertia since they rarely face any profound consequences when their products turn out to have exploitable vulnerabilities. Reputational damage typically falls on the device user, and regulations around misuse or negligence rarely extend to device manufacturer.
Result: Ask when, not if, embedded device cyberattacks will occur, and act accordingly
Like most other crimes, cyberattacks are opportunistic. If history is any guide, attackers put a great deal of effort into compromising embedded devices. The benefit is obvious, and the conditions are ripe due to a lack of preparation and motivation.
But the outcome is not set in stone. Researchers must do more work to demonstrate the feasibility of these device-level attacks and create host-based defenses that do not depend on the reactive model of software patching.
End users and the public must demand that manufacturers pursue a higher security standard for the devices they sell, and regulatory bodies need to extend standards to the embedded device layer.
These solutions are not without effort, but without action, we are leaving it up to the nation-states and bad actors of the world to provide the motivation for change.