When the Virtual Becomes Physical

on January 20, 2012 at 7:00 AM

Rarely does a week pass that yet another data breach appears on the Privacy Rights Clearinghouse website, and those are only the breaches that are publicly disclosed.

What’s interesting to note is that data breaches are exactly that: an egress of data. Of course, this is nothing new; for over a decade now, we’ve heard countless stories of bank accounts emptied through surreptitious keystroke loggers and successful phishing scams (who can forget such gems as, “I represent the Central Bank of Nigeria, and I have a lucrative proposal for you…”), healthcare data breached due to poor security controls, and systems brought down for extended periods via denial of service attacks from zombie hosts managed by vast-reaching command-and-control systems.

While these types of attacks and breaches are certainly something to be concerned about, they’re limited to the virtual world. Here in 2012, however, we’ve finally reached the point in our interconnected world where everything from mobile devices, to home appliances, to stepper motors in energy distribution systems is connected to a network, from closed-loop systems to the global Internet. Unfortunately, this also means that we’re forced to face the difficult reality of systems that aren’t separated by an air gap: these technologies, which bridge the virtual and physical worlds, are targets for extremely complex and intricate attacks, just like every other system attached to a network.

At the recent International Conference on Cyber Security in New York, FBI executive assistant director Shawn Henry pointed out the fact that while we haven’t yet seen any known injuries or fatalities as a result of an attack on physical infrastructure launched from the virtual world, it’s only a matter of time.

Today, systems that control energy generation, transportation, food manufacturing, and water distribution are more connected than ever. While this has provided us with a safer, more consistent way of life, it comes at the price of connecting these systems to others via networks – usually IP-based networks, and often, the Internet.

Much media attention over the past year has been focused on groups such as Anonymous, which have utilized data breaches and denial of service attacks targeted against specific organizations; yet to date, Anonymous has not claimed responsibility for, or been implicated in, an attack on physical infrastructure. As Mr. Henry pointed out, the real concern is over state or state-sponsored actors, known terrorists, and organized criminal enterprises providing “hacking-as-a-service” (HaaS) to one or more of the former. Stuxnet was the first volley in this round of the war, but it certainly won’t be the last.

So what can be done to mitigate the risk of virtual attacks affecting the physical world?

In the first wave of interconnected networks of the ’70s and ’80s, it’s clear that many network technologies were focused on academic and research pursuits. The idea of a true, globally-connected Internet where any individual with some basic protections could anonymously connect to any other host was clearly not the end game, and as a result, many of the underlying protocols and tools of the Internet – DNS, SMTP, TCP/UDP, and others – lacked native security capabilities. On these open standards, the entire Internet was born. While we’ve spent the past several decades trying to either patch these technologies or wrap them within cryptographic protocols (SSL, TLS, IPsec, etc.), we’ve learned the right compensating controls to minimize risk, and to ensure that – if properly secured – an Internet-connected system today has a better chance than ever of repelling attack.

While it’s not likely that we’ll see the base protocols of the Internet re-engineered to support improved security controls anytime soon, OEMs and integrators of Internet-connected physical infrastructure need to take the lessons of the past to heart and ensure that – moving forward – they engineer appropriate preventative, detective and corrective security measures into their physical machines. Unless good security controls are engineered into the new vanguard of wired physical devices, we’re doomed to repeat the same history of frequent, successful attacks that we’re suffering today for our lack of vigilance. Only this time, the target won’t be data – and the stakes will be much, much higher.

John Linkous is vice president and chief security and compliance officer at eIQnetworks, Inc.