Cyber-Physical Attacks: A Growing Invisible Threat
by George Loukas
ISBN ISBN 978-0-12-801290-1 .
Reviewed by Richard Austin 11/17/2015
The media is ahype (a new word that you saw here first) with the wondrous benefits and opportunities that will come from connecting everything to everything else via the Internet. Self-parking cars, refrigerators that automatically restock, new medical appliances, etc. However, there is a darker side which reflects the focus on convenience, features and safety to the neglect of security. While I've reviewed other books dealing with embedded systems and IoT security, Loukas generalizes the subject to cyber-physical attacks which he defines as breaches in cyberspace that adversely affect physical space (p.12). This is an interesting change in viewpoint as it shifts the target from information or services to effects in physical space.
Just to get this out of the way, Loukas's book is a textbook and is written for students and non-experts (p. 16) not seasoned security professionals, so there is a lot of introductory text and tutorial material. However, most security professionals have little familiarity with embedded systems, SCADA systems, etc., so the tutorial material on these subjects is more than welcome. My advice is to ignore what you already know and focus on the material that is new to you.
Loukas opens his presentation with a good introduction to the "Cyber-Physical" world (chapter 1) that introduces the concepts and terminology used in later sections of the book. A gem is the security-relevant definition of embedded systems as "computers masquerading as non-computers" (p. 7). He also provides a useful distinction between the "IoT" and "cyber-physical systems" by noting that the IoT focusses on "machine to machine communication" while cyber-physical systems focus on "interaction with the environment" (p. 9).
Chapter 2 ("A History of Cyber-Physical Incidents") provides grim reminders that this is not merely an academic discussion as there have already been incidents in the wild. I was disappointed to see him mention the infamous "Siberian pipeline explosion" as an example (p. 23) but he does note that it may or may not have occurred. Of special note is the timeline of cyber-physical security incidents on p. 55.
The next two chapters delve deeply into the workings of cyber-physical attacks on implants and vehicles (Chapter 3) and industrial control systems (Chapter 4). These chapters introduce the essential technologies used in the different classes of devices and how they can be tampered with to produce real-world effects. Equally important is that the reader starts to get a feel for the background behind the sometimes poor security-relevant decisions. For example, a weak encryption solution was deployed because the capacity overhead for a better one was thought prohibitive (p.99). Understanding these decision factors is critical for our profession if we are ever going to provide credible guidance to the teams designing these systems.
Chapter 5 (Cyber-Physical Attack Steps) provides a good overview of how an attack is mounted. Some of the steps (e.g., reconnaissance) will be familiar but there is much more exotic material (e.g., the concept of sleep deprivation applied to battery powered devices that use a sleep mode for recharging, p. 175). Of particular note are the many tables of entry points for attacks on various cyber-physical systems ranging from insulin pumps to smart homes.
After a solid grounding in how bad the situation currently is, Chapter 6 (Protection Mechanisms and Secure Design Principles) provides guidance on how to make things better. Though some concepts such as authentication may be familiar, Loukas provides solid coverage of the "complications" involved in using them in the cyber-physical world. For example, we usually don't think in terms of being constrained by available battery power in designing our security measures but resource constraints are a fact of life in cyber physical systems. Loukas notes (p. 211) that if a security measure consumes a lot of battery power in its operation, we've actually expanded the attack surface if an adversary can arbitrarily trigger the security measure.
Chapter 7 (Physical-Cyber Attacks) turns the subject around by examining what types of things can be done in the physical realm that achieve cyber effects. An obvious example would be physical destruction of some piece of cyber infrastructure. However, Loukas describes less obvious attack vectors such as power analysis and other methods for exploiting the emanations from an operating device.
In general, there's pretty broad consensus that there is a train-wreck coming in the area of cyber-physical systems because of the little attention being paid to security in this area. It's even pretty common for security professionals to joke around the coffee pot about the "stupidity" of engineers who deploy network-connected systems without even rudimentary defenses. However, if we're going to prevent the coming train-wreck, we're going to have to learn how to talk to the people designing these systems and they speak a different language than us. Loukas' book goes a long way toward equipping the security professional to enter this mysterious world and begin to effectively interact with its denizens. Definitely a recommended read.
As this is the last review of 2015, I wish you and yours a joyous holiday season followed by a healthy, happy and prosperous 2016!