by Uri Kreisman, COO, Bluechip Systems
On August 15th, 2012, the Saudi Arabian group Saudi Aramco suffered a malware attack called “Shamoon” that damaged about thirty thousand computers. The state-owned group runs the entire nation’s oil production, and the attack sent the nation’s entire economy into disarray. In total, eighty-five percent of Saudi Aramco’s hardware was compromised.
Shamoon highlights how a cyber attack on an energy entity could cripple an entire nation. Indeed, it’s this potential for such damage that makes them an attractive option for cyberterrorists.
Smart grids being an attractive target for cybercriminals points to a larger trend. The internet of things (IoT), powered by smart devices, gives cybercriminals the opportunity to hack devices previously unheard of even a decade ago. Since more and more homes are now attached to the smart grid through IoT, the need to secure these networks is becoming more and more vital.
All of the internet connected devices in your home that have cameras attached to them — smartphones, smart TVs, video game consoles, baby monitors, laptops — can be hacked and exploited to monitor and spy on residents and execute powerful botnet attacks all without your knowledge.
There is now an increasing need to be able to secure IoT devices that were never built to be secured in the first place. Instead of relying on manufacturer software updates, I believe that a hardware-isolated solution is a future. If you embed a low-power, highly flexible, hardware-isolated computational and storage container that isolates data inside the host architecture, you can secure data and processes independently of the host’s operating system or networking protocol and make them virtually impervious to attack; an innovation that will change cybersecurity as we know it today.
IOT pervade the entire utility and networking grid
As of today, there are 8.4 billion IoT devices currently in use: one device for every living person on the planet. This number is set to keep growing, especially as our homes become “smart” via their connection to the internet. Since the house of the future is pre-loaded with a ubiquitous number of these devices — Alexa, Google Home, Smart Fridges, smart cars, smart thermostats, automatic locks and so on — hackers can monitor and access our information when we are at our most vulnerable.
Even if you “unplug” your home and refuse to install any IoT devices, you’re still vulnerable as smart buildings are on the rise. McKinsey & Company expect the IoT installed base in smart buildings to grow by 40% until 2020. Where you work, commute and go to the gym could be exposed to hackers and used to monitor or harass.
Cyber attacks on the entire grid are becoming increasingly more common. In December 2015, three electric companies in Ukraine were targets of a cyber attack that resulted in power outages for two hundred twenty-five thousand customers. Even after power was bright back several hours later, control centers still weren’t fully operational two months later.
According to ICS-CERT statistics, energy is the second-most targeted sector. Energy companies oftentimes rely on Industrial Control Systems (ICS), which have become attractive targets for cyber terrorists for several reasons, including:
- Their longevity means information on how to program (and, by extension, hack) is readily available online.
- Many ICS protocols were developed with availability and control in mind, not security, leaving systems with innate vulnerabilities.
- Many systems are decades old. Security updates and patches are often pushed off due to fears that they would cause power outages.
- The emergence of smart grids has increased the attack surface of hacking activities.
Hardware isolation is the key to securing IOT networks
Software updates and best practices may have worked for one or two of the breaches in the history of IoT, but these tactics are no match for a more sophisticated solution that exploits the device firmware or hardware. Indeed, cybersecurity experts have increasingly been partnering and working together with IoT industry leaders to find out the ways in which we can harden devices that were never built with security in mind.
The only viable defense is one that relies on the inherent security of hardware isolation. By shifting all of the IoT processes to another processor, hardware solutions effectively sandbox important data and make them simply inaccessible from the IoT device itself.
I believe that the future of IoT security rests in the power of embeddable microchips and the power of process isolation. By inserting a Linux-powered computer into the architecture of a non-secure IoT device, you will be able to create a Hardware Root of Trust that completely seals any endpoint from man-in-the-middle attacks, effectively preventing the weaponization of such endpoint as a source of future DDoS or Mirai attacks.
This new approach to cybersecurity aims to protect an IoT device by changing the whole paradigm: if you store away data on a hardware isolated container, it cannot be accessible to an attacker. Adding an isolated self-contained layer of hardware and software protection is of paramount importance to protecting our smart energy grid and our smart homes in the future from infrastructure-level cyber attacks.
About the Author
I’m Uri Kreisman, the COO of Bluechip Systems – we’re building hybrid hardware and software cybersecurity solutions for IoT and mobile. With more than 20 years of experience in the industry, I write on emerging trends and technology in cybersecurity.
You can find me on LinkedIn and at our company website: http://www.bluechipsys.com/