To date, securing the Internet of Everything has been a largely theoretical exercise, perhaps because of the IoE’s low current utility and level of development. As Trend Micro threat researcher Robert McArdle noted earlier this year, the IoE lacks a “killer app” to drive mainstream adoption, despite the best efforts of companies such as Google.
Still, enterprises and security providers are mindful of the many risks inherent in widening the Internet’s reach by extending connectivity to a growing number of embedded sensors and appliances. For now, though, their cybersecurity efforts have remained mostly confined to PCs, mobile devices, servers and networks, while the IoE is still spoken of just as a large potential market rather than a rapidly emerging reality. Cisco has pegged the IoE as a $19 trillion opportunity, but will cybersecurity evolve to adequately cover the new computing landscape?
North Carolina Department of Transportation road sign hacks highlight new IoE risks
One of the distinguishing traits of the IoE is its incorporation of endpoints not traditionally construed as “computers.” Take highway road signs for example. Although they have electronic displays – albeit primitive ones compared to today’s smartphones and tablets – few individuals actually interact with or even pay attention to them – they seem more like billboards than hackable devices.
Signs operated by the North Carolina Department of Transportation were recently compromised by a hacker who changed them to read “Hacked by Sun Hacker Twitt Wth Me” (inviting drivers who saw the text to engage with him on Twitter). The message hardly sounds menacing, but the operation is part of a troubling trend with important implications:
- As far back as 2009, sites such as Jalopnik illustrated how easily road signs could be hacked. Observers pointed to the lack of physical security to prevent tampering, as well as the widespread usage of default passwords such as “DOTS.” Incidents since then have involved sign text being altered to “Warning, Zombies Ahead.”
- Highway signs are public safety assets. Hacking into them could feed false information to motorists and result in traffic snarls and accidents. The messages in this case were self-promotional rather than materially misleading, but the opportunity is there to cause real damage.
- The release of the blockbuster home console video game “Watch Dogs” may have inspired the North Carolina incident and future copycats. “Watch Dogs,” set in futuristic Chicago, emphasizes hacking infrastructure such as road signs. In his post, McArdle also noted the gamer space (on the verge of being flooded with gadgets such as the Oculus Rift) as a bellwether for adoption of IoE technologies.
The technical details of the attack are unclear to the public. Sun Hacker, via Twitter, claimed that the change required hacking into an NCDOT VPN, while investigators of similar attacks around the U.S. have pointed to possible exploits of Simple Network Management Protocol messaging. Hackers may also have taken the opportunity to alter the passwords of compromised modems, making fixing the issue more difficult. The NCDOT claims that it knows how its systems were compromised and that it is working to patch the vulnerabilities.
“We’re taking this cyber event very seriously,” stated NCDOT chief information officer David Ulmer. “We’re not only working with the authorities to investigate this serious incident, but we’re also doing multiple security scans on our equipment and our IT infrastructure to make sure we close any further vulnerabilities.”
Critical infrastructure hacking: How dangerous could it become?
As security expert Brian Krebs noted on his blog, this recent trouble with road signs is likely to re-ignite conversations about the exposure of critical infrastructure to coordinated attacks. Last year, ABI Research estimated that security spending on critical infrastructure would rise to $46 billion, up more than $4 billion from 2012. Countries such as the United States and South Korea have prioritized their efforts in this area, incorporating them into national security strategies and driving robust growth in cybersecurity investments.
The perpetrators behind the road sign incidents do not seem like experts on the payroll of any nation-state or multinational organization. Krebs noted that Sun Hacker seemed to be an amateur website vandal, while also downplaying the potential of concerted cyberwarfare.
A truly damaging attack, he argued, was likely to emerge from the tinkering of a skilled hacker who simply recognized and took advantage of vulnerabilities. North Carolina’s road signs demonstrate that plenty of opportunity remains.
Siloing cybersecurity functions heightens risks to infrastructure security
Together, the ongoing digitization of critical infrastructure and the rise of the IoE increase the cybersecurity burden on enterprises. While few are likely to deal with road signs directly, there are more endpoints to defend than ever.
Efficiently dealing with threats to infrastructure - from zero-day software exploits to lax physical security - obviously requires cross-organizational effort. It isn’t enough to install a single patch and assume that everything is now safe:
- Proactive monitoring is essential for combing through network activity to find anomalies.
- Data centers and network infrastructure – like road signs – have to be physically secured with barriers and access controls.
- Personnel have to be equipped with the right skills to accurately identify and report risks.
Speaking to TechTarget in late 2012, UBS AG director of cyber threat intelligence Sean Tierney argued that despite the growing interconnectivity of devices and services via the Internet, enterprises were siloing their cybersecurity functions, neglecting fundamentals and failing to coordinate their overall efforts.
“During the past five or six years, organizations have moved away from doing the fundamentals properly in a lot of spaces,” stated Tierney. “In the late 1990s and early 2000s security was a new space, and so you had innovation at all levels. But I think that, economics being what they are today, we tend to operationalize. Now we don’t have individuals at the lowest levels with the right skill sets across all critical infrastructure sectors to be able to truly [assess] the threats and respond to them.”
Learning from the North Carolina road sign attacks will require reassessment of security postures. Enterprises must consider technical solutions but also examine organizational culture to ensure that everyone pitches in when it comes to cybersecurity.