The Internet of Things is expected to grow to 25 to 50 billion devices by 2025, creating a vast, byzantine sprawl of connected devices distributed all over the globe, affecting the lives of everyday individuals and revolutionizing every aspect of the industrial supply chain. With this exponential increase in interconnectedness comes a greater “attack surface area”, according to researchers at the Georgia Institute of Technology’s Institute for Information Security and Privacy, who released a white paper entitled Cyber Threats Report 2016.
The report notes, with some alarm, that “transportation, health, robotics– everything is being converted to the cyber-domain and that increases the number of entry points for attack.” Equally alarming is that manufacturers have yet to seriously invest in or provide adequate security and encryption protocols for the IoT-enabled devices that they are producing.
For instance, the report points to a test conducted by Symantec in 2014 that found that a $75 scanner could capture private information from exercise trackers and other wearables. The problem lies in part with the fact that consumers have not provided manufacturers with an incentive to ramp up their security offerings — essentially, consumers have not yet demonstrated a willingness to shell out more money for a more secure product.
This is not so much the case with enterprise consumers, who stand to gain — or lose — billions from the efficacious use of IoT in augmenting their productivity. Industrial control systems, which have both cyber and analog physical dimensions, have seen their vulnerabilities exploited with increasing frequency over the years. With the growing adoption and integration of industrial control systems across industries, the need for security and vulnerability mitigation capabilities has grown just as acutely.
Part of the solution, as conceptualized by the researchers at Georgia Tech, lies in creating a means by which devices can verify trustworthiness as they communicate ever more often with other appliances and systems (M2M trust). Such verification protocols must be established throughout the entire supply chain:
“Today, trusting hardware, devices and data boils down to establishing a chain of trust, from the provider of the device or data to the method of delivery to the administrator of the asset. Each step requires verification, vigilance and the ability to detect changes to processes or devices. In the physical world, those activities have to be audited to ensure only trusted parties are handling the device or data. In the digital world, trust is established through digital certificates, encryption and other information-security technologies.”
One such method for establishing machine-to-machine trust in a cyber-physical system was recently unveiled by Georgia Tech researchers at the Network and Distributed System Security Symposium in San Francisco.
How Device “Fingerprinting” Can Help Secure Cyber-Physical Networks
Researchers at Georgia Tech have developed a device fingerprinting technique that can help bolster the security of electrical grid control networks and beyond. The innovative solution uses the unique electronic “voices” or “fingerprints” generated by a device in order to determine whether a signal is coming from a legitimate source or from a potential intruder.
It is able to identify whether the signal is coming from a possibly malicious source because the electronic “voice” is uniquely determined by the physical configuration and composition of the control device that generates it. The analogy the researchers draw is that human voices and fingerprints have unique characteristics that are determined by, and keyed to, an individual’s physical attributes.
This approach could be used to protect not only critical infrastructure that runs on a network, such as the electrical grid and oil and gas systems, but it also has positive implications for the future of industrial IoT security. What makes this approach so effective is that it addresses the cyber-physical nature of these systems and responds to the unique security challenges they pose by taking advantage of the unique physical properties of the grid. Security devices are able to listen to the signals travelling through the grid and determine whether they were produced by a foreign device.
The solution provides a much needed security upgrade to networked systems such as the ones running the U.S. electrical grid because they lack the ability to run modern encryption. Raheem Beyah, a professor at Georgia Tech who worked on the project, noted that the implications for critical infrastructure were immense:
“We have developed fingerprinting techniques that work together to protect various operations of the power grid to prevent or minimize spoofing of packets that could be injected to produce false data or false control commands into the system. This is the first technique that can passively fingerprint different devices that are part of critical infrastructure networks. We believe it can be used to significantly improve the security of the grid and other networks.”
How It Works
The security solution takes advantage of the physical aspect of cyber-physical systems. Devices such as circuit breakers can be instructed to open or close and they then report the actions that they have taken. Because the time required to take that action is determined by the physical configuration of the device, if an acknowledgement that the action has been taken arrives too quickly (i.e. in less time than the breaker is physically capable of), then network security administrators can learn that suspect activity is afoot.
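As an added example (not the researchers' code), the timing check described above can be written as a small passive monitor: it pairs each control command with its acknowledgement and flags any acknowledgement that arrives faster than the device can physically act, or that answers a command never seen on the link. The per-device minimum operation times and the sample traffic are constructed placeholders, and the device type is assumed to be readable from the device id.

```python
import re
from typing import Dict, List, Tuple

# Constructed placeholder floors (ms): the shortest time each device type can
# physically take to act. Stand-ins for the physics-derived model in the text,
# not values from the Georgia Tech research.
MIN_OPERATION_MS: Dict[str, float] = {"breaker": 40.0, "recloser": 60.0}

# Constructed sample traffic, one message per line: "t_ms cmd|ack device action".
SAMPLE_LOG = """\
1000 cmd breaker-12 OPEN
1045 ack breaker-12 OPEN
2000 cmd recloser-3 CLOSE
2080 ack recloser-3 CLOSE
3000 cmd breaker-12 CLOSE
3012 ack breaker-12 CLOSE
4000 ack breaker-07 OPEN
"""

LINE_RE = re.compile(r"^(\d+)\s+(cmd|ack)\s+(\S+)\s+(OPEN|CLOSE)$")

def check_acks(log: str) -> List[Tuple[str, str, str]]:
    """Return (device, action, reason) for each acknowledgement that is physically
    implausible: it arrives faster than the device can act, or it answers a
    command that was never sent on the monitored link."""
    pending: Dict[Tuple[str, str], int] = {}   # (device, action) -> time sent
    alerts: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore anything that is not a parsable message
        t, kind, dev, action = int(m[1]), m[2], m[3], m[4]
        if kind == "cmd":
            pending[(dev, action)] = t
            continue
        sent = pending.pop((dev, action), None)
        if sent is None:
            alerts.append((dev, action, "ack without matching command"))
            continue
        elapsed = t - sent
        floor = MIN_OPERATION_MS.get(dev.split("-", 1)[0], 0.0)  # type from id, assumed naming
        if elapsed < floor:
            alerts.append((dev, action, f"ack after {elapsed} ms, below floor of {floor:.0f} ms"))
    return alerts

if __name__ == "__main__":
    for alert in check_acks(SAMPLE_LOG):
        print(*alert)
```

The two flagged lines in the sample are the 12 ms acknowledgement from breaker-12 and the unsolicited acknowledgement from breaker-07; a real deployment would derive the floors from the device schematics the text mentions rather than from constants.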
Beyah explained that “device fingerprinting is a unique signature that indicates the identity of a specific device, or device type, or an action associated with that device type. We can use physics and mathematics to analyze and build a model using first principles based on the devices themselves. Schematics and specifications allow us to determine how the devices are actually operating.”
The research team partnered with mechanical engineering professor Jonathan Rogers, also of Georgia Tech, in order to build computer models of utility grid devices that demonstrate how they operate. The model utilized black box techniques — which monitor how information enters and exits the system — and white box techniques that utilize the physical schematics of systems. Based on their findings, the team was able to successfully test their research in two electrical substations. Thus far, their device fingerprinting technique covers the protocol governing about 50% of the devices operating on the electrical grid.
Applications to IIoT
The solution is also eminently adaptable to IoT, which has tremendous overlap with cyber-physical systems. For instance, some IoT devices lack the capacity to run modern encryption and other basic security tools. Moreover, IoT networks pose a similar security challenge in that they are distributed over vast areas and can often be located in remote sites.
“The issue with IoT is the smaller devices are often embedded systems and it’s really hard to add security to those because of resource constraints – no storage, no anti-virus. If you think of using 2G or 3G, if these devices are compromised — and it’s a given, since they don’t have security — now they can easily saturate these low-band links,” says Beyah.
Because IoT networks involve devices that have measurable physical properties, perform physical actions, and are controlled by specific signatures that switch them on and off, device fingerprinting applies to them as well.