Rubicon Labs Q&A Series*
Karl Levitt, a leading cybersecurity researcher, Professor of Computer Science at the University of California at Davis, and National Science Foundation program manager responsible for computer security research (2005-2009), speaks out on why IoT security is “scary”, how attacks on connected thermostats could impact the power grid, and why he’s optimistic cars will be less prone to hacks in the future.
Q: You co-authored a seminal paper in 1978 that showed a computer could overcome failures through redundancy by replicating tasks. Will cyber-security flaws ever be “solved” in the same way computer reliability was made into a non-issue?
A: One can say that back in the 1970s we developed a computer system that was resilient to hardware faults but (hopefully) had no software errors.
Using a similar approach to assure that a computer system is resilient to cyber attacks is an active research activity. One major difficulty is that in the cyber security world there is an intelligent adversary who is the attacker rather than a regularly behaving “nature” as is the assumption in the fault-tolerance world. An attacker will try to discover and exploit design flaws but at a success rate that is difficult or impossible to predict.
The approach to addressing zero day attacks is to employ artificial diversity in a similar way redundancy is used to achieve fault tolerance against the threat of naturally occurring hardware faults. An “artificially-diverse” computer system will be capable of tolerating an attack on one or more single components but due to the diversity, a particular attack is unlikely to succeed against multiple components; in a sense, this approach avoids the monoculture associated with a system of computing systems all running the same operating system or employing the same protocol stack.
A warning: the artificial approach depends on a designer’s ability to be sure there is no single attack that can avoid the diversity scheme to attack all computers; in the fault-tolerance world we safely assume that hardware failures are independent. Given the difficulty of determining the probability of an attack that succeeds despite the deployment of artificial diversity, it will likely be all but impossible to predict how vulnerable a system of this kind is to previously unseen cyber attacks.
Q: As someone on the front lines of cyber-security research, what is the likelihood we’ll ever see a Mirai style of attack that can rapidly spread and be easily duplicated across hundreds or thousands of automobiles?
A: Mirai-style attacks depend on the presence of many vulnerable computer systems that are connected to the Internet and can be successfully attacked to become bots under the control of a master. Currently, automobiles are vulnerable to this kind of attack because
- They have serious security vulnerabilities,
- There are many of them all running the same CAN bus protocol, and
- Through the infotainment application and, maybe, patching applications the automobiles are Internet connected.
Q: With millions upon millions of IoT devices connected to each other and to an enterprise network, how serious is the security risk and what can be done to make IoT devices or the network more secure?
A: This is a scary problem. There is the specter of every sneaker having an embedded computer to achieve some goal; we can only guess what that might be. LED bulbs will have embedded computers, and some of these embedded systems will operate with low power and have minimal security, and hence be attractive targets to become part of botnets. Other IoT devices, such as thermostats, could however be used for more nefarious purposes by attackers, such as to cause health hazards to home occupants or even to cause serious drains on the power grid if all of the thermostats in a community are attacked so as to cause excessive power usage.
Certainly, even providing minimal security in these devices, such as authentication of users and of the devices themselves when communicating with other devices or the cloud, will help. Also, when networked, the devices’ activity can be monitored by other devices or by the network itself to detect behavior indicative of a device under attack. Since the behavior of these devices is reasonably predictable, anomalous behavior indicative of an attack is detectable and should enable attacked devices to be disconnected from the network.
An important additional topic is privacy, as many of the deployed IoT devices divulge information that the users of these devices consider sensitive. Building on the ideas of differential privacy, it should, in principle, be possible to design these devices to divulge data that respects the owner’s privacy but also achieves the goal of utility for the owner and others having access to the data. Blockchains are one approach but not the entire solution.
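The monitoring idea in the answer above, as an added example that is not part of the interview: a network monitor learns the predictable traffic pattern of a thermostat from an attack-free window, then flags records that deviate from it (a new peer or an unusual byte volume) and lists devices to disconnect. Device names, hostnames, the address 203.0.113.7 and the telemetry are all constructed for illustration.

```python
# Added example: behavioural baseline for predictable IoT devices (thermostats).
# All device names, hosts and telemetry values below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (device, minute, destination, bytes_sent)
TELEMETRY = [
    ("thermostat-1", m, "cloud.vendor.example", b)
    for m, b in enumerate([210, 190, 205, 220, 198, 215, 202, 208, 195, 212])
] + [
    ("thermostat-1", 10, "cloud.vendor.example", 9800),  # sudden traffic burst
    ("thermostat-1", 11, "203.0.113.7", 240),            # never-seen peer
    ("thermostat-2", 0, "cloud.vendor.example", 200),
    ("thermostat-2", 1, "cloud.vendor.example", 204),
]

def build_baseline(records, train_minutes=10):
    """Learn each device's normal destinations and byte volume from the first
    train_minutes of telemetry, which are assumed to be attack-free."""
    by_dev = defaultdict(list)
    for dev, minute, dest, nbytes in records:
        if minute < train_minutes:
            by_dev[dev].append((dest, nbytes))
    baseline = {}
    for dev, rows in by_dev.items():
        sizes = [n for _, n in rows]
        baseline[dev] = {
            "dests": {d for d, _ in rows},
            "mean": mean(sizes),
            "std": pstdev(sizes) or 1.0,  # avoid a zero-width band on tiny samples
        }
    return baseline

def detect_anomalies(records, baseline, k=4.0, train_minutes=10):
    """Return (device, minute, reason) for post-training records that fall
    outside the learned destinations or exceed mean + k * std bytes."""
    alerts = []
    for dev, minute, dest, nbytes in records:
        if minute < train_minutes or dev not in baseline:
            continue
        b = baseline[dev]
        if dest not in b["dests"]:
            alerts.append((dev, minute, f"unexpected destination {dest}"))
        elif nbytes > b["mean"] + k * b["std"]:
            alerts.append((dev, minute, f"byte volume {nbytes} above baseline"))
    return alerts

def quarantine_list(alerts):
    """Devices the monitor would disconnect from the network."""
    return sorted({dev for dev, _, _ in alerts})
```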
Q: The Ukraine electric grid and a dam in New York were hacked in the past year. On a scale of 1 to 10, how vulnerable is U.S. infrastructure, and what are the best ways to defend against attacks against — for example — the U.S. electric grid?
A: This is a serious topic, since the power grid is likely to be a target of interest to attackers as a way to hit humans but also to cause physical damage to expensive grid components, such as generators, transformers, or power lines. Beyond local attacks, there is the specter of a cyber-enabled attack that propagates across one of our nation’s grids, essentially exploiting the features of the grid that adjust power generation and utilization in response to disturbances. Although not caused by cyber activity, our grids have periodically experienced serious propagation attacks.
It is essential for utilities to become more familiar with standard security practices, such as password management, device-device authentication, and access control. There remains the need to address unknown attacks that exploit previously undiscovered security vulnerabilities. My “hammer” is intrusion detection, more specifically monitoring of critical components to detect behavior that is unexpected and/or a possible threat to grid operation. I see this as the only way to detect zero-day attacks. There remains the need to respond to a (suspected) attack once detected so as to preserve grid operation to the extent possible while stemming the attack.
Karl Levitt from the University of California, Davis is a Director of the Computer Security Lab at UC Davis. The mission of the lab is to improve the current state of computer security through research and teaching.
* Editor’s Note: This is part of a series of Q&As with cyber-security thought leaders and innovators who share their views on the high stakes of living in a connected Internet of Things (IoT) world.