Right before Christmas, two power companies in Ukraine were
simultaneously targeted in what’s now regarded as the world’s first
successful cyber attack on a public utility. The hackers (most likely
Russians) knocked out electricity to more than 80,000 customers for
several hours. Luckily, Ukraine’s power grid is somewhat antiquated, and
authorities were able to restore electricity in a few hours by
resetting breakers by hand. The lesson: In the age of cybercrime, the
best insurance may be analog.

As we’ve rushed to connect
everything from power plants to home thermostats to the Internet, the
risk of a catastrophic cyber attack has multiplied, because the systems
people rely on are now more complex, communicative, and concentrated.
“You’re buying a capability, but at the same time you’re buying a
vulnerability,” says Richard Danzig, former secretary of the Navy and a
senior fellow at the Johns Hopkins Applied Physics Lab. “A digital
attacker can take out all systems with one attack.” That’s why Danzig
recommends deploying physical backup hardware in the most vulnerable
places of the U.S. power grid, military installations, and other key
infrastructure. “My argument is that, if your main system is digital,
you’re stronger if your safeguard is analog.”

Danzig’s thinking
came out of the nuclear power industry, where the recent push to
digitize control systems has raised concerns among several experts. “If
all the computers fail at a plant, those analog systems kick in, the
rods go to the core, cool down the reactor, and there’s no release of
radiation,” says Perry Pederson, a former member of the U.S. Nuclear
Regulatory Commission and co-founder of the Langner Group, a security
consultancy that specializes in infrastructure and large-scale
manufacturing. “You can’t lie to analog equipment. You can’t tell a
valve that it’s opened when it’s closed. It’s physics.”

What’s
lost in digitization is the concept of defense in depth, according to
Joe Weiss, managing partner of Applied Control Solutions and a
cybersecurity consultant to the power industry. “Defense in depth means
you have layers of protection,” he says. “But digital, even when it
claims to have multiple layers, is in a sense one layer. Penetrate that,
and you could potentially no longer have another layer you need to
penetrate.”

Anything that’s networked and controlled by a computer
has the potential to be compromised. Web-connected pacemakers, insulin
pumps, airplane control systems, prison door locks, and even cars are at
risk of hacks and hijackings. Stefan Savage, a computer science
professor at the University of California at San Diego, demonstrated
this in 2010 when he and colleagues commandeered a Chevy Impala by
hacking into its entertainment system. The danger, Savage says, isn’t so
much that almost all controls in a car are digitized in some way, it’s
that those digital controls are run by general-purpose computers.
Because the computer can theoretically be programmed to do anything, the
potential once you break in is practically limitless. “It’s that
general purpose that gets us into trouble,” he says.

A
particular vulnerability for manufacturing is the PLC, or programmable
logic controller. That’s the purpose-built industrial computer that sits
on just about every important piece of factory equipment, from blast
furnaces to automotive assembly robots to lighting and ventilation
systems. PLCs can theoretically be reprogrammed with different
instructions. Thus, a growing chorus of experts is calling for the
development of new analog logic controllers. The PLC of a piece of
equipment wouldn’t need to be hooked to a network vulnerable to
cyber attack. Its instructions could be changed only by manually
inserting a new circuit board, which can now be made quickly using a
3D printer.

Michael Assante, the director of industrial control
systems for the SANS Institute, an organization in Bethesda, Md., that
trains and certifies cybersecurity specialists, concedes that these
analog controllers would be more costly and less adaptable than the
all-purpose PLC. Similarly, Kathleen Fisher, a computer science
professor at Tufts University who previously worked at the Defense
Advanced Research Projects Agency (Darpa), the Pentagon’s research arm,
says the cost of adopting analog safety backups across the national
power grid would be “prohibitively expensive.” That’s why analog
redundancies would be deployed only in mission-critical systems. “This
isn’t digital backlash,” Assante says. “For 95 percent of applications,
digitizing and interconnecting will get you more benefit than not.”

Despite
the costs, many in the cybersecurity establishment are slowly coming
around to the potential of analog defenses. Last September, Darpa
launched the $36 million Leveraging the Analog Domain for Security
(LADS) program, which is attempting to create a set of electronic ears
that can detect malicious activity by monitoring the unintentional
analog emissions of digital hardware, such as heat, sound, and changed
frequencies. “The advantage of an analog approach is that there’s no way
for the malware to directly reach through air and affect the monitoring
device,” says Angelos Keromytis, who runs the program.

PFP
Cybersecurity, a five-year-old company affiliated with the LADS program,
already sells a consumer version. PFP says a major electronics brand
that it’s not authorized to name has begun placing its sensor into smart
TVs to detect breaches.

The last line of defense is what computer
security experts have long considered the first line of weakness:
humans. “For years everybody went to the notion that people were the
fallible ones who clicked on bad links and were taken advantage of,”
says Tom Field, vice president for editorial at Information Security
Media Group, an industry publisher. “What you’re seeing now is security
solutions built around the notion that humans are the ones who
understand the business processes and behaviors best, and the ones who
can detect when something isn’t quite right.”

The cybersecurity
company PhishMe trains the employees of its 700-plus global clients to
spot and flag potential malware in their e-mails. Those with the highest
threat-detection accuracy are inducted into PhishMe’s network of
trusted informants; they’ve shown better success identifying hacks than
antivirus software alone. “Our research, technology, and entire company
is built around the fact that we can operationalize human knowledge,”
says Rohyt Belani, PhishMe’s chief executive officer. “If you rely
totally on digitization, you’re in trouble.”