Jun 20, 2018
The adoption of Internet of Things (IoT) technologies is gaining traction, and IoT devices are becoming a common feature in homes, offices and factories, as well as on streets. Given how massive the IoT is expected to become in several years, one cannot help but think about the ramifications of a large-scale cyber-attack aimed at smart devices. Since IoT devices are physical devices deployed in the real world, hacking these could have potentially catastrophic physical consequences.
Power grid security has received the appropriate attention in recent years, thanks in part to large-scale cyber-attacks on grids around the world. But what if, instead of hacking secured power plants, some nation-states were to hack millions of smart devices connected to a power supply—and, at will, turn them on and off? That would create spikes in local and national power consumption, which could damage power transformation and carrying infrastructure—or, at the very least, have a substantial economic impact since power companies try to balance consumption loads by forecasting peak consumption times.
In the United Kingdom, spikes in demand are predictable during half-time breaks in soccer matches and at the end of the popular soap opera EastEnders, both of which add 3 gigawatts of demand for the roughly three to five minutes it takes a kettle to boil. The surge is so big that backup power stations must go on standby across the country, and additional power is even made available in France just in case the U.K. grid cannot cope.
But since no one can anticipate an IoT on-off attack, no one can prepare standby power, and outages are thus expected. In addition, power production, transportation and storage costs related to the concept of a smart grid could be considerable.
Burn the Devices—or the House
Smart-home appliances are all the rage, but if someone were to manipulate a device that produces heat—such as a kettle, stove, central heating unit or water boiler—it could incinerate the device (just turn on a kettle indefinitely, for instance; after the water has boiled, the device will catch fire or burn). If the manipulation were conducted in sync, it could even start a fire throughout an entire building. What about those automated fire-extinguishing systems? They could be taken offline, too—or, worse, be manipulated to increase air intake to fuel the fire, since building automation and HVAC systems are also connected nowadays.
The first cyber-attack on physical devices happened a long time ago, at the break of the new millennium. But the methods used could still be applied today: by attacking Internet-facing utility devices, such as sewage and water-flow sensors and actuators, attackers could have a significant impact without having to penetrate more robust IT or OT networks.
Having a connected urban infrastructure is a terrific thing. The problem is that once you are used to relying on it, there is no turning back. If the traffic lights, traffic-monitoring cameras and parking sensors (all connected) are offline or manipulated, cities can suffer large-scale disruption to their inhabitants' daily lives. This scenario will become even more critical as a greater number of connected cars take to the roads; these are dependent on communicating with other vehicles and the surroundings, and such interference could cause massive traffic jams or even accidents.
Since we are all now aware of the potential impact of a devastating cyber-attack, it would not take much to invoke large-scale hysteria. Just imagine someone hacking street signage and altering it to display messages from a country's enemies. Similarly, interfering with emergency systems and triggering warning sirens on a crowded weekday could result in panic and casualties.
The scenarios described above present an interesting mind-shift in both attack and defense methodologies. Attackers will acknowledge that it is easier to hack multiple, smaller and seemingly insignificant targets, but with destructive cumulative power. Defenders must also acknowledge that the paradigm of "securing the crown jewels" behind multiple layers of security simply isn't valid anymore. New, cheap and scalable security solutions need to be employed to secure numerous devices—and to identify the attacks and mitigate them as they unfold—before millions of devices are infected.
Yotam Gutman, a retired lieutenant commander with the Israeli Navy, has filled several operational, technical and business roles at defense, HLS, intelligence and cybersecurity companies. Following a successful consulting career in which he supported multiple cybersecurity startups in marketing and business development activities, he joined IoT security company SecuriThings, where he now heads global marketing activities.