Dave

THE INTERNET OF THINGS: Securing the American Infrastructure with IoT

EXECUTIVE SUMMARY

After several decades of hiding in plain sight throughout Industrial Control Systems (ICSs), PLCs and other IoT/IoE devices were suddenly exposed as a result of the 2009 deployment of an IP address search engine called Shodan. As more and more devices were discovered, analysts realized that many devices that control the country’s vital infrastructure were potentially vulnerable to hackers. With nuclear power plants, dams, power stations, and oil rigs on the list of potentially vulnerable targets, immediate and thorough action is necessary to ensure the safety and security of the American People.

  • An estimated 30 billion connected devices will be part of the Internet of Things (IoT) by the year 2020. That number could double by 2024.
  • Many of these devices, including Programmable Logic Controllers (PLCs) used in Industrial Control Systems (ICS), remain discoverable and vulnerable to cyber-attack.
  • These devices control vital infrastructures such as nuclear power plants, dams, the power grid, and oil rigs. Cyber-attacks on facilities like these are potentially catastrophic.

This proposed three-pronged approach will find vulnerabilities before new products are deployed, hide them once they have been deployed, and make it nearly impossible for malware attacks to penetrate our IIoT devices.

INTRODUCTION

The “Internet of Things” (IoT), and the more broadly defined “Internet of Everything” (IoE), have revolutionized human-computer interaction in the last decade. Gartner, a leading IT research and advisory firm, estimated that 6.4 billion internet-connected devices would be in use worldwide in 2016 (Gartner, 2015). Statista, an online statistics, market research, and business intelligence agency, estimates that the number could climb to more than 30 billion devices by the year 2020, and more than double that by 2024 (Statista, 2018a). But while most people think of the growing number of wearable devices that stock the shelves of every electronics retailer, a large portion of IoT devices are hidden in plain sight, used by millions of people every day without them even knowing. According to David O’Brien, a senior researcher at Harvard University’s Berkman-Klein Center for the Internet and Society, “When you say ‘Internet of Things,’ the first devices most people think of are Apple Watches or Fitbits. They’re not thinking about programmable logic controllers or other infrastructure devices” (Wright, 2017).

Programmable Logic Controllers (PLCs) are special-purpose computers that make automated decisions based on conditions read into them by sensors and according to pre-programmed algorithms. They can control anything from turning the lights on when someone walks into a room and turning them off when the person leaves to automatically opening a spillway to bypass a hydroelectric dam when water levels above the dam get too high. We use them to control switch tracks in mass transit systems, the centrifuges and cooling systems in nuclear power plants, and the rotating blade assemblies on windmills.

Alan Morris, a consulting engineer at Morris and Ward, explains that Industrial Control Systems (ICS) control local equipment while Supervisory Control and Data Acquisition (SCADA) systems are used to control equipment in a wider geographic area. PLCs are the basic elements of the ICS and were developed in the early 1970s as the control systems for automotive assembly lines. For each new model year, the PLC memory would be rewritten, and the new parts would be manufactured and assembled (Morris, 2016).

PLCs, the Industrial IoT (IIoT) and the wider IoE automatically control a wide array of technologies that keep us fed, safe, and moving freely through our lives. And yet according to a growing number of reports, from the Government Accountability Office to various trade-focused publications, this technology is woefully vulnerable to hacking.

In 2016, hackers used a drone to infect network-controlled light bulbs with a virus that made the lights flash on and off, spelling out the international distress signal, “SOS,” in Morse Code. While this seems trivial, consider the potential consequences if the devices that hackers took control of were ones whose failure could have far more catastrophic outcomes.

Perhaps the best-known attack on IoT devices was the Stuxnet attack, discovered in 2010, in which hackers were able to take control of the PLCs that controlled the centrifuges at a nuclear facility in Natanz, Iran. Without having to visit the plant or use conventional military weapons, hackers were able to destroy 1000 of the plant’s centrifuges, rendering them completely inoperable. In the months and years to follow, researchers discovered a wide variety of potentially vulnerable PLCs in nuclear power plants, oil rigs, dams, and other vital infrastructure resources.

This paper seeks to present a brief history of attacks on IoT/IoE devices that are common for industrial use, provide some analysis on the current state of information security best practices, and finally to make some recommendations for how device manufacturers could get in front of these security vulnerabilities.

IoT’S SHOWDOWN WITH SHODAN

Figure 2, Shodan Search Engine Heat Map (Wright, 2017)

HIDDEN IN PLAIN SIGHT

Beginning in the 1970s, PLCs exploded in popularity. Repetitive tasks could be programmed into an inexpensive special-purpose computer to perform a small number of tasks without any variance in their outputs. Instead of a human worker staring at a gauge to ensure that a system didn’t pass beyond some point of failure, the PLC could perform that task at minimum cost and without human fatigue that could compromise the safety of the system. And since these devices were reprogrammable, they could be updated, repurposed, and reprogrammed as the requirements changed.

These devices continued to gain popularity and even began to find their way into our homes in the form of programmable thermostats, ice makers housed in freezers, and even security systems to help ensure the safety of our loved ones. For more than three decades we lived the automated future, and life was good.

VULNERABILITIES ARE DISCOVERED

Then, in 2009, John Matherly launched an experimental search engine named “Shodan.” In a 2016 interview, Matherly explained how his search engine works:

“There are about 4 billion possible public addresses that a device could have on the internet. Shodan randomly picks an IP address, goes there, and then asks if it is running software that can be accessed online. If the device responds and essentially says ‘yes I am,’ Shodan notes that and moves on to the next random IP address. It's a scattershot approach, but it can find everything connected to the internet in just a few hours” (Matherly & Baraniuk, 2016, para. 3).

Suddenly, and unexpectedly, all of these devices were widely and freely visible to anyone who was savvy enough to use the Shodan search engine. These devices, which for several decades had been hidden in plain sight, were now discoverable by anyone.

IT CAN FIND ANYTHING… IN HOURS

Since the launch of Shodan, as Wright points out, users have discovered vulnerabilities in a nuclear reactor, a water treatment plant, electric power generators, an oil rig, and a crematorium (Wright, 2017, p. 17). And while Matherly grants that simply being online doesn’t mean that just anyone could attack them, he does state that, “[T]here's no good justification for having power plants accessible like this in the first place” (Matherly & Baraniuk, 2016, para. 6).

Matherly was not saying that these devices should never be connected to the Internet, but rather that they should not be discoverable and accessible with a simple search engine. He explains: “Let's say you run a wind farm with many wind turbines. If you want to fix a software bug, you don't want to send a technician to every location. That is a complete nightmare, and expensive. Being able to access the turbines over the internet is an obvious solution” (Matherly & Baraniuk, 2016, para. 7).

EXPOSED, AGING AND VULNERABLE

Chances are very good that in order to read this paper, you had to log into some system. Social media, school and work networks, and even many online publications require you to register with, at a minimum, a username and a password in order to access the information contained within. This is referred to as “user authentication,” and at its most basic the reason is very simple: the system wants to protect the information and to ensure that only those who should have access actually get that access.

If you have to authenticate yourself before getting into a social media account, then it should stand to reason that you should also have to authenticate yourself when trying to access the control systems of hydroelectric turbines or the centrifuges at a nuclear power plant.

When asked why the devices would be openly accessible, Matherly explains, “These control systems often don't have any authentication. The software they run is usually proprietary and very often was designed 15 to 20 years ago. As such, it doesn't include user authentication or security because it was only designed to be accessible locally. When you see such systems on the internet, it often means you have complete administrative access” (Matherly & Baraniuk, 2016, para. 8).

You wouldn’t want to give access to your email account to just anyone, and yet that’s exactly what we’re doing with the ICS devices that control our most critical infrastructure.

OVERSIGHT, OR BOTTOM LINE?

But these are not just technical failures, according to David O’Brien. “It’s a technical problem, but it’s also closely tied to business interests. These days, the way companies tend to look at security is as a loss leader” (Wright, 2017).

Matherly’s examples illustrate the convenience and the economy of scale of having connected devices. However, it also brings to light the security vulnerabilities that, until very recently, have been an afterthought throughout the IoT/IoE ecosystem. He says, “We keep deploying new devices that are insecure-by-default. The vulnerable IoT devices of today that get installed are going to stick around a long time and they have access to the internal networks of many homes and businesses” (Wright, 2017, p. 17).

LOOKING FORWARD

With the growing number of IoT/IoE exploits, it is imperative that device manufacturers take immediate steps to address security vulnerabilities from a wide range of threat actors. With the number of IoT/IoE devices projected to rise exponentially in the coming decade and the growing tensions between nation-states and other threat-actors across the globe, manufacturers cannot afford the devastation to their profits if they do not take such action.

Throughout history, criminals have proven themselves to be clever and determined. The very nature of their business requires them to be one step ahead of the law at all times. Companies such as BitDefender, AVG, and Malwarebytes all offer free anti-malware software to consumers. And each of these companies must issue near-constant updates to ensure that their software is able to respond to even the most recent malware attacks.

Cybercriminals will continue to search for and exploit vulnerabilities, and so must we be ever vigilant in protecting our nation’s infrastructure from attack.

HISTORY REPEATS ITSELF

One example of an innovative approach to device security came in the style of the Old West.

In October 2013, Google revived a practice believed to have been started by Netscape in 1995. Their “Bug Bounty” program entices ethical hackers with hefty monetary rewards for finding security vulnerabilities in their products. In 2017, Google paid a total of $2.9 million in bug bounties (Miller, 2018, para. 1).

Google’s Android operating system (OS) had a market share of 87.7% in the second quarter of 2017, which amounts to more than 100 million devices in active use (Statista, 2018b). With that many users depending on their OS to safeguard their data, it’s easy to understand why Google would be willing to pay a hefty price to discover and fix these vulnerabilities up-front, rather than having to clean up after an attack and lose customers.

Bug Bounties typically range from $500 to $100,000 or more. Miller says that “The largest award of the year was $112,500, a nice chunk of change, for tracking down a Pixel phone exploit as part of the Android Security Rewards Program” (Miller, 2018, para. 3). These figures are not just a great way to attract top talent to get out in front of these vulnerabilities, but they also save the company both money and customers by reducing later incidents.

PUT UP A WALL

With the security measures that we aim to put in place being our defense of critical civil and industrial infrastructure, bug bounties are not enough. Despite the best efforts of white-hat hackers, those on the other side of the law will always look for missed vulnerabilities and will exploit them.

Nathan Freitas, Founder and Director of The Guardian Project, is leading research into using widely available and inexpensive devices already on the market to mask the location of these devices. The setup combines a Raspberry Pi computer costing about $30, software from an organization called “Tor” that allows for anonymous communication, and a “driver” built on the powerful Python programming language that acts as a security firewall, hiding the devices behind it by obfuscating their IP addresses (Wright, 2017, p. 17). The Guardian Project undertook this effort as a way to secure devices used by private citizens, such as Wi-Fi-enabled light bulbs, but this would easily work on the networks that connect IIoT devices.
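As an added example (not code from the original post or from The Guardian Project), the following shell script sets up a Raspberry Pi gateway of the kind described above: it publishes a LAN-side controller only as a Tor v3 onion service with client authorization and drops direct inbound traffic on the public interface, so there is no listener on a public IP address for a random-address scanning engine to find. The device address, service port, interface name and Tor state directory are assumed values.

```shell
#!/bin/sh
# Added example: Raspberry Pi "Tor gateway" in front of a LAN-side PLC.
# Assumptions (constructed, not from the post): the PLC listens on
# DEVICE_IP:DEVICE_PORT on the LAN; the Pi's internet-facing interface is
# WAN_IF; tor is installed and reads /etc/tor/torrc; iptables is present.
set -eu

DEVICE_IP="${DEVICE_IP:-192.168.10.20}"       # assumed LAN address of the PLC
DEVICE_PORT="${DEVICE_PORT:-502}"             # Modbus/TCP used as the example service
WAN_IF="${WAN_IF:-eth0}"                      # assumed internet-facing interface
HS_DIR="${HS_DIR:-/var/lib/tor/plc_gateway}"  # assumed onion-service state directory

# Render the torrc fragment. HiddenServicePort maps a virtual port on the
# onion address to the device on the LAN, so the PLC never gets a listener on
# a public IP. With v3 services, placing <name>.auth files in
# $HS_DIR/authorized_clients enables client authorization: even someone who
# learns the onion address cannot connect without the matching private key.
render_torrc() {
    printf 'HiddenServiceDir %s\n' "$HS_DIR"
    printf 'HiddenServiceVersion 3\n'
    printf 'HiddenServicePort %s %s:%s\n' "$DEVICE_PORT" "$DEVICE_IP" "$DEVICE_PORT"
}

# Render firewall rules: on the WAN interface accept only replies to
# connections the Pi itself opened (tor's outbound circuits), drop all other
# inbound packets, and never forward WAN traffic straight to the device.
render_firewall_rules() {
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$WAN_IF"
    printf 'iptables -A INPUT -i %s -j DROP\n' "$WAN_IF"
    printf 'iptables -A FORWARD -i %s -d %s -j DROP\n' "$WAN_IF" "$DEVICE_IP"
}

# Check a torrc fragment for the two properties the gateway relies on:
# a v3 onion service and a port mapping that targets the LAN device.
# Returns 0 when both are present, 1 otherwise.
torrc_is_hardened() {
    conf="$1"
    printf '%s\n' "$conf" | grep -q '^HiddenServiceVersion 3$' || return 1
    printf '%s\n' "$conf" | grep -q "^HiddenServicePort $DEVICE_PORT $DEVICE_IP:$DEVICE_PORT$" || return 1
    return 0
}

# Only touch the system when explicitly asked: ./gateway.sh apply
if [ "${1:-}" = "apply" ]; then
    render_torrc >> /etc/tor/torrc
    render_firewall_rules | sh
    echo "onion address will appear in $HS_DIR/hostname after tor restarts"
fi
```

Operators reach the device through the onion address with an authorized client key; the firewall rules are not persistent across reboots unless saved with the distribution's usual mechanism.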

STOP REWRITING HISTORY

Once we’ve thoroughly tested our new defenses, and have built the digital fortifications around them, we still must expect that threat-actors will continue to seek out and exploit any vulnerabilities left unfound by our best efforts. The most critical and potentially dangerous pieces of our infrastructure can and will continue to be a target.

One method to address this inevitability is the use of PLCs that are not reprogrammable. This gives up the convenience of being able to update functionality remotely, and the economy of scale that comes with it. However, with non-rewritable memory, additional software in the form of malware cannot later be introduced to alter the intended behaviour of the PLC.

As Alan Morris explains:

Stuxnet was able to alter the programming stored on the memories of the Natanz PLCs because the memories were rewriteable. PLCs with rewriteable memories were originally developed in an era that was free of malware attacks. This rewriteable characteristic is the same for the memories of all extant PLCs in industrial control systems around the world and is the same for PLCs now being produced and sold. Alternatively, a PLC memory having a non-rewritable characteristic, once programmed, cannot be written to again and will block malware from altering the programming stored on that memory (Morris, 2016, para. 5).

While non-rewritable memory can reduce the benefits of being able to update PLCs remotely, it is imperative that our most critical facilities remain safely operational. The benefit of remote updating is far outweighed, in some cases, by the vastly increased security of these inexpensive memory upgrades.

Figure 3, Centrifuges at Natanz Nuclear Facility (https://www.rferl.org/a/25146270.html)

CONCLUSION

PLCs control our lives. From the temperature in our house to the generation of the power that allows us to maintain that temperature, our lives are safer and more comfortable because of industrial IoT/IoE devices. Yet a disturbing number of these devices remain potentially vulnerable to hacking, leaving us unprotected from possibly catastrophic results.

While some of these vulnerabilities are only now being discovered, there are three immediate courses of action that we can take to protect not just these devices, but our infrastructure and our way of life. First, by paying white-hat security professionals to seek out these vulnerabilities and recommend fixes, we can hopefully get one step ahead of would-be cybercriminals who would exploit them. Second, we can utilize existing and inexpensive technology to better hide these devices from discovery. And third, we can and should move to non-rewritable memory in PLCs, which would make malware attacks exponentially harder.

This is not something that we can afford to delay on.

REFERENCES:

Burnand XH. (n.d.). Programmable logic controllers. Retrieved from http://bxh.co.uk/Products/Process-Control/Programmable-Logic-Controllers/

Gartner. (2015, November 10). Gartner says 6.4 billion connected "things" will be in use in 2016, up 30 percent from 2015. Retrieved from https://www.gartner.com/newsroom/id/3165317

Giandomenico, A. (2017, June 27). Know your enemy: Understanding threat actors. Retrieved from https://www.csoonline.com/article/3203804/security/know-your-enemy-understanding-threat-actors.html

Matherly, J., & Baraniuk, C. (2016). The internet of unprotected things. New Scientist, 230(3073), 40-41.

Miller, R. (2018, February 13). Google’s bug bounty programs paid out almost $3M in 2017. Retrieved from https://techcrunch.com/2018/02/07/googles-bug-bounty-programs-paid-out-almost-3m-in-2017/

Morris, A. (2016, July 12). How to close the PLC security gap. Retrieved from https://www.controldesign.com/articles/2016/how-to-close-the-plc-security-gap/

Radio Free Europe Radio Liberty. (2013, October 24). MP: Iran's 20-percent enrichment halted. Retrieved from https://www.rferl.org/a/25146270.html

Statista. (2018a). IoT: number of connected devices worldwide 2012-2025. Retrieved from https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

Statista. (2018b). Mobile OS market share 2017. Retrieved from https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/

Wright, A. (2017). Mapping the Internet of Things. Communications of the ACM, 60(1), 16-18. doi:10.1145/3014392
