The Expert's View

Internet of Things: Calamity in Making? Imagining a Cyber 9/11
Robert Bigman

Imagine this: It's 8:40 a.m. on Friday, Sept. 11, 2015, and eastbound trains speeding along the Long Island Railroad and New York City subway lines switch tracks, causing scores of fatal, head-on collisions. Though alerted by sensors, transit personnel monitoring rail traffic couldn't override the track switching.


Two-hundred and fifty miles to the south, at Dulles International Airport outside Washington, D.C., the computer in the cockpit of a departing Boeing 757 flight bound for Los Angeles receives orders to switch to runway 1L/19R, unknown to traffic controllers, and begins its takeoff as a Boeing 767 from Zurich lands on the same runway.


An hour later, President Obama appears on national TV, announcing that cyberterrorists caused the catastrophes in New York and northern Virginia, comparing the day to Sept. 11, 2001.

An unnerved public knows that the attacks nearly 12½ years ago were localized events carried out by terrorists who could be seen and heard. But the latest incidents were carried out by unseen and silent cyberterrorists who exploited the same Internet to which their own lives are connected.

Hysteria spreads quickly beyond New York and Washington as Americans refuse to fly or take mass transit. Media reports of blackouts, and unconfirmed Internet postings claiming that the nation's power grid will be taken down, cause citizens to hoard gasoline, food and home supplies. Banks experience runs on their ATMs. Cybersecurity experts, appearing on news programs, begin to discuss the death of the Internet of Things, a web of devices embedded with sensors.

Reality Setting In

What went wrong when everything seemed to be going so right? The White House and other senior government officials had loudly praised the implementation of the cybersecurity framework a year and a half earlier as a watershed moment in improving the security of industry-operated critical IT infrastructure. Indeed, the number of successful penetrations of private and public organizations had fallen as a few misinformed cyberpundits predicted "the decline of the easy hack."

Then came 9/11/2015 and reality set in. While the security of traditional government and business IT systems improved, the infatuation with the Internet of Things soared. In fact, the appeal of the Internet of Things proved too much for some members of the nation's transportation network critical infrastructure. In response to corporate demands on IT staffs to "do more with less," these organizations exploited the Internet of Things to interconnect transportation monitoring and control systems to their corporate networks, which were connected to the Internet.

All these networks satisfied the recommendations in the cybersecurity framework, a set of IT security best practices developed by the government and business (slated to be released next month) that critical infrastructure operators can voluntarily adopt. All these networks secured their interfaces to the monitoring and control networks with sophisticated cybersecurity software protection measures and employed the latest cyber-intelligence services and products. All these networks, however, were "hacked" and accessible to cyberterrorists.

What went wrong?

First, the cybersecurity framework was only a high-level collection of risk management security suggestions, without mandatory standards.

Second, and more importantly, even before America's infatuation with the Internet of Things, it was clear that we had not solved the underlying problem - that the computer systems, networks and applications that constitute the Internet are inherently insecure.

Infatuation with the Internet of Things

Today's commercial and open source operating systems still cannot, for example, secure critical kernel processes. TCP/IP networks remain vulnerable to even fairly simple man-in-the-middle attacks. While no system can ever be 100 percent secure, these security risks have been with us since the introduction of the microcomputer.

Nearly two decades ago, the Internet exposed these operating system and network security frailties. Twenty years later, expanded connectivity of these very same insecure systems continues to result in significant financial losses. Will America's infatuation with the Internet of Things eventually result in momentous losses of life?

Obviously, the catastrophic scenarios described above are presented for effect, and these transportation services may or may not be at risk. Yet, if we do not pursue truly purposeful security standards for our critical infrastructure and greatly enhance the security of our commercial and open source operating systems and networks, then leaping blindly into the Internet of Things could open the door to these types of disasters.

So far we haven't learned this lesson. Reports surfaced earlier this month about a computer network at the fast breeder reactor in Monju, Japan, being infected with malware that originated out on the Internet. Hmmm.

* * *

Robert Bigman, president of the IT security consultancy 2BSecure, worked at the Central Intelligence Agency for 30 years, including 15 years as the agency's chief information security officer.


