The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.
While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.
But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).
Clearly it could go well beyond inconvenient. Businesses, households, emergency services, the financial industry and yes, the internet, can’t function without electricity.
That has already been demonstrated on a relatively small scale. Earlier this month, a DDoS attack took down heating distribution in two properties in Lappeenranta, a city in eastern Finland.
The disruption was only temporary, but as local media noted, with below-freezing temperatures, “a long-term disruption in heat will cause both material damage as well as the need to relocate residents elsewhere.”
Also, in a recent paper titled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” researchers reported that they were able to demonstrate, using Phillips Hue smart light bulbs, “a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction …”
Using the bulbs’ ZigBee wireless connectivity, the researchers said the attack, “can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.”
If that kind of attack could also be used to take down heat, water, sewer, traffic control and other basic services for any length of time, the risks of chaos and physical harm grow rapidly.
As author, blogger security guru and Resilient Systems CTO Bruce Schneier put it in a recent post, “security flaws in these things could mean people dying and property being destroyed."
But could a DDoS attack really cause a long-term disruption of Industrial Control Systems (ICS), which operate or monitor much of the nation’s CI?
Experts have mixed views on the topic. Some say the nation’s ICSs are distinct enough from the consumer IoT that they would not be as vulnerable to a DDoS, while others say those systems are indeed connected enough to be a component of the IoT.
DDoS attacks are nothing new – they have been around for decades and are not considered sophisticated. They work by overloading websites and other internet-connected systems with junk traffic that prevents legitimate traffic from getting through, and can also cause the sites to crash.
What made the Dyn attack relatively unprecedented was its use of millions of “zombie” IoT devices like “smart” cameras, digital video recorders etc. instead of computers. The scale of the attack, at 1.2Tbps was unheard of as recently as a year ago. Now it is the norm, and is expected to increase rapidly.
Meanwhile, the nation’s CI remains notoriously insecure. Earlier this year, the FBI and Department of Homeland Security (DHS) launched a national campaign to warn US utilities and the public about the danger from cyber attacks like the one last December that took down part of Ukraine's power grid.
This past September, at the Security of Things Forum in Cambridge, Mass., a panel of security experts agreed that attackers, likely from hostile nation states, are probably already inside the nation's ICS.
Paul Dant, chief strategist and managing principal at Independent Security Evaluators, said at that discussion that more attacks are inevitable. “To think that stuff is not vulnerable is a complete fallacy,” he said.
Still, some in the industry say a DDoS is not a direct threat to major CI, because ICSs are not a part of the IoT in the way consumer devices are. Ben Miller, director of the Threat Operations Center at Dragos, said while, “at face value (ICSs) may seem similar” to IoT devices, “an industrial controller with input from a thermostat has a vastly different technology stack, use case, evolution, and capability than the Nest (consumer) thermostat on a wall.
“Industrial control system processes generally do not rely on Internet-based services,” he said.
Matt Devost, managing director at Accenture and CEO of FusionX, sees it much the same way. “The DDoS attack is most effective against targets that are inherently dependent on internet communications and the ICS/SCADA (Supervisory Control and Data Acquisition) environment is just not engineered to operate with that sort of dependency,” he said.
According to Gabe Gumbs, vice president of product strategy at Spirion, “the IoT should be strictly defined as consumer-connected devices. Much of critical infrastructure is connected, but it is not consumer-grade technology. Organizations that own things like SCADA systems are invested in securing them, in stark contrast to the consumer end of the spectrum.”
And Robert M. Lee, CEO of Dragos, said while there are still ICS assets on the internet – “too many, to be honest” – a lot of them are not. “These devices are instead forming a network of data and end points that is new and comprehensive in these locations. A DDoS styled attack would not be able to significantly disrupt critical infrastructure sites in the ICS community,” he said.
But Yoni Shohet, cofounder and CTO of SCADAfence said ICSs are, “definitely part of the IoT, since the industry is transforming from physical systems to cyber physical systems. The connectivity between industrial environments and external networks has increased in the past few years. These environments are exposed more than ever to external attacks.”
Stewart Kantor, CEO of Full Spectrum, has seen the same thing. “Since we’re seeing critical infrastructure initiating automation efforts through IP-based communications over public cellular data networks to smart devices, it’s becoming part of the broader IoT that incorporates consumer and mission-critical technologies alike,” he said.
But he doesn’t entirely disagree with those who say ICS is not part of the IoT, since some utilities have detached from the public internet through the creation of, “their own separate and private IoT using software-defined radio technology over a private network that is owned and operated exclusively by the utility.”
Kantor added that there are a number of US utility companies, along with industry research and trade associations that include the Electric Power Research Institute and the Utilities Technology Council, “that are supporting an amendment to an existing wireless communications standard to address reliability, coverage and security concerns of critical infrastructure networks or what they refer to as Field Area Networks (FANs).”
Lee also said he has seen an encouraging focus on security. “I've seen some critical infrastructure companies, such as in energy, that are extremely well prepared and could have detected targeted threats that have attempted to breach their organizations.
“As a community we need to ensure that this isn't the 5 percent of the community and is more widespread. But there are great successes,” he said.
Miller said there are “serious efforts” being made to improve ICS security. “In 2014 the US Department of Energy issued guidance for energy delivery systems and US ICS-CERT issued similar guidance for ICS procurement way back in 2009.”
But he acknowledged that vendors of ICS equipment are selling in a global market, where security pressures are not as great as in the US. And, as has been widely reported, large generators and other ICS equipment can cost well into six figures, cannot be easily retrofitted with security and are meant to last for 25 years or more.
The reality is that the ICS industry has a long way to go,” he said.
Gumbs agreed. “Security hasn’t always been viewed as a priority,” he said. “They don’t have the skills needed to keep up with attackers. They don’t have ability to hire or retain talent.
“It isn’t trivial to detect a sophisticated attack and it requires a large amount of people, skill and technologies in place to properly defend against them. Because the industry is just now prioritizing security, it will take some time before they can provide a formidable defense against sophisticated cyberattacks.”
Of course, a DDoS is not considered a sophisticated attack. It could still cause some significant disruption – Devost noted that, “if millions of IoT thermostats in homes and smart grid devices in commercial buildings are compromised and ask for maximum AC on a day in which there is excess demand in the grid, what would the impact be?”
But Gumbs said he thinks CI in the US is resilient enough to respond to such an attack without catastrophic disruption.
“A cyberattack on the scale that we’re talking about could be compared to a natural disaster, maybe,” he said, “and we’ve shown that we are fairly resilient when facing hurricanes, floods, earthquakes and more.”
He said a crash of the financial system would be worse. “This would undermine the trust we have in walking to an ATM and withdrawing cash, even paying for provisions if we were in an actual disaster.”
[ ALSO ON CSO: Security convergence in a utility environment ]
Kantor said he believes most utilities take security seriously. But he acknowledged that, “given the size and scope of the electric utility industry – there are more than 3,300 electric utilities in the contiguous US distributed over three million square miles – there are many areas of vulnerability, both physical and remotely.
“Infiltrating the critical communications infrastructure is the easiest and most anonymous way to cause major disruption. We’re now facing a world where hackers are getting smarter and hacker communities exist where knowledge and advancements in DDoS code is shared.”
So, lowering the threat of a DDoS against utilities or other CI may require an improvement in IoT security. And some experts say the market won’t do it – that it will take a push from government.
Schneier, in his recent post, said there is, “a market failure at work” when it comes to IoT security, because neither the sellers nor the buyers of devices really care about it.
“It’s a form of invisible pollution,” he wrote, “and, like pollution, the only solution is to regulate,” with things like minimum security standards and/or making it easier to sue manufacturers if their products are used in DDoS attacks.
“The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” he wrote.
That may be under way soon. U.S. reps. Frank Pallone Jr. (D-NJ) and Jan Schakowsky (D-IL) wrote a letter dated Nov. 3 to Federal Trade Commission Chairwoman Edith Ramirez “urging” the agency to, “use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks.”