Under attack in cyberspace and with little defense, critical infrastructure poses one of the most urgent challenges to engineers of the 21st century.
BY MATTHEW McLAUGHLIN
While it is often the case for television and film to be hyperbolic in their depiction of a great many things, the warnings of numerous experts, politicians, and others indicate such is not the case when it comes to the dangers posed by cyberattacks on infrastructure. There is no shortage of outlandish events that take place in the 2007 Bruce Willis film Live Free or Die Hard, but a team of skilled hackers knocking out critical infrastructure is not one of them.
Even films about cyberattacks set in the near future don't seem farfetched any longer. A government computer virus getting loose and attacking critical infrastructure around the world sounds like something pulled from today's headlines in light of reports on U.S. and Israeli involvement in developing the Stuxnet worm. In actuality though, it is the plot of the 2009 animated Japanese film Summer Wars.
"Through cyber alone it is possible to bring the grid down for nine to 18 months," says NSPE member Joseph Weiss, P.E., author of Protecting Industrial Control Systems from Electronic Threats and managing partner of Applied Control Solutions, an industrial control systems security consulting firm. "That is technically possible to do today, period. I'm an engineer, not a threat analyst. I can't tell you why [someone] would or they wouldn't, but I can tell you today it is absolutely possible to do this."
"It is possible to blow up the natural gas pipeline systems in this country, easily," Weiss adds as an example. "Cyber can affect the physical world."
Unfortunately, when it comes time to fight back or defend against cyberattacks, the world of television and film begins to strain credulity. In the real world, we can't expect a single cop to stop a sophisticated cyberattack with the help of one stereotypical computer nerd, or by relying on a middle-age Bruce Willis-like character to singlehandedly take out fighter jets and helicopters. The challenge of securing cyberspace and critical infrastructure is one that will require both the innovation and hard work of this century's engineers.
Our entire industrial infrastructure was built on analog.
We've migrated to digital and we've created bumps in the road."
— Joseph Weiss, P.E.
A Grand Challenge
In recent years, the challenge of securing cyberspace and critical infrastructure has become both more recognized and more urgent, but before reports showing U.S. infrastructure is under daily attack and before President Obama issued an executive order to improve the cybersecurity of that same infrastructure, a number of forward thinking individuals recognized the importance of securing cyberspace.
A 14-month National Academy of Engineering project completed in 2008, the Grand Challenges for Engineering brought together a panel of the world's most accomplished engineers and scientists to identify the greatest challenges and opportunities for engineering in the 21st century. After review and input from other engineers, scientists, and the public, a total of 14 grand challenges were identified, among them securing cyberspace.
It was clear to the panel and others that in the 21st century an individual's personal privacy and national security depend on a secure cyberspace. "From controlling traffic lights to routing airplanes, computer systems govern virtually every form of transportation," states a 56-page booklet published by NAE following the announcement of the 14 grand challenges. "Radio and TV signals, cell phones, and (obviously) e-mail all provide vivid examples of how communication depends on computers—not only in daily life, but also for military, financial, and emergency services. Utility systems providing electricity, gas, and water can be crippled by cyberspace disruptions. Attacks on any of these networks would potentially have disastrous consequences for individuals and for society."
Since 2008, of course, the need for a more secure cyberspace has only grown. "Because we are increasingly doing our work and commerce in cyberspace, its security is similarly increasingly important," says NAE President Charles Vest. "In the developed and developing worlds, society, infrastructure, and commerce are highly dependent on digital interaction. This interaction is made possible by the Internet and World Wide Web, both of which have a lot of inherent openness and designs predicated on trust. Predictably, they also provide opportunity for nefarious invasions of personal privacy, disruption of commerce and security, and outright theft. Huge amounts of intellectual property are being stolen from companies, credit card fraud is being perpetrated, identity theft is a cottage industry, and hacking and the Stuxnet virus have major geopolitical significance."
"Not only are we becoming more and more dependent on computing devices and the Internet but, probably not surprisingly, nefarious activity in cyberspace has increased at least as rapidly," adds Randy Atkins, NAE director of communications and media as well as the Grand Challenges for Engineering project. "The threats range from inconvenience to economic disruption to even loss of lives. In the 21st century—and we really have to get moving now, early in the century—engineers need to focus as much on securing cyberspace as they do on more visible infrastructures. The average person doesn't see the dangers as easily as when it's a crumbling bridge, so public awareness is one of the most important hurdles with this particular challenge."
Why So Insecure?
Engineers hoping to protect critical infrastructure from cyberthreats will need to overcome other hurdles besides public awareness. The foremost challenge is one of the reasons cyberspace is so insecure—its design and even the design of some computer systems.
Much of critical infrastructure was not built, designed, or conceived of to include computers, says Terry Benzel, deputy director of the Computer Networks Division at the Information Services Institute, a unit of the University of Southern California's Viterbi School of Engineering. "The problem is that they are now being completely managed, monitored, and controlled by computers."
"Our entire industrial infrastructure was built on analog," Weiss says. "We've migrated to digital and we've created bumps in the road."
But even parts of critical infrastructure that were designed to include computer control or monitoring systems can pose a problem, because they weren't designed to include network and Internet connections. "You now have very open systems," says Associate Professor of Reliability Engineering Michel Cukier, director of the University of Maryland's Advanced Cybersecurity Experience for Students and associate director for education of the Maryland Cybersecurity Center. "You have a lot of software that was built in a nonsecure fashion because it was not one of the requirements."
"Things that weren't supposed to ever have computers have computers, and places where we have computers that we thought were embedded controllers are no longer just embedded controllers," Benzel says. "That's how we've gotten ourselves into trouble."
Another significant challenge of securing cyberspace, whether trying to protect intellectual property, personal information, or critical infrastructure, is the advantage held by attackers. "We refer to it as an asymmetric threat," Benzel says. "The attackers have the ability to study our systems unbeknownst to us, undetected by us. They have as much time as they want to sit there and poke and probe and look, and we are at the losing end because we can't do anything until they attack us. We're constantly at the losing end of this battle because it's attack [and] react."
The advantage held by attackers truly becomes scary, however, when one looks at recent reports and statistics for cyberattacks. At a May hearing of the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, representatives of the National Protection and Programs Directorate Office of Cybersecurity and Communications and the National Cybersecurity and Communications Integration Center testified that the U.S. Computer Emergency Response Team processed approximately 190,000 cyberincidents involving federal agencies, critical infrastructure, and the department's industry partners in 2012, a 68% increase from 2011.
Also in May, House Reps. Ed Markey (D-Massachusetts) and Henry Waxman (D-California) released a report indicating the U.S. electric grid is the target of numerous and daily cyberattacks. The report notes one utility indicated it was the target of roughly 10,000 attempted cyberattacks every month.
Of course, these statistics reflect only known or detected cyberattacks. Something that seriously concerns Weiss is the unknown—cyberattacks that go undetected. If a cyberattack is not discovered in cyberspace, it is unlikely it will be discovered at all, he explains. Engineers have no way of determining whether something in the physical world happened as a result of something in cyberspace from physical evidence.
"In our world you know when something has happened—lights go out, a plant shuts down, a train crashes," he says. "What we don't know in our world is if cyber played a role."
Divided We Fall
"If we ever are to have people who routinely think of the cyber implications of everything they're doing from the beginning, then I think you have to teach that along with teaching those first classes in mathematics or physics." — Terry Benzel
As grand as the challenge is, as high as the obstacles to achieving it are, many engineers are taking the first steps toward a future where critical infrastructure is safer from cyberattacks, as are computer scientists, politicians, educators, and others. Those at colleges and universities, for example, are doing their part to ensure design does not continue to be a problem.
Nationwide, cybersecurity courses and programs are being offered to students across various disciplines. Securing cyberspace will undoubtedly require cybersecurity experts, but not everyone needs to be one. What is important to Cukier and other college and university professors is that future designers design for cybersecurity, rather than try to make their designs secure after the fact. "That's what I'm trying to do with the students in my class," he says.
"I think we also need to be educating all the way back into at least high school, if not even elementary school," Benzel says. "If we ever are to have people who routinely think of the cyber implications of everything they're doing from the beginning, then I think you have to teach that along with teaching those first classes in mathematics or physics."
By offering a cybersecurity class without any prerequisites, Cukier also hopes to ensure the involvement of people with varied disciplines in the future of cybersecurity. "I don't want only computer scientists in the room, but I want engineers, I want social scientists, I want people from the business school," he says. This he believes will encourage the creative solutions needed to create a more secure cyberspace.
Bringing everyone to the table is something Weiss too believes necessary for the advancement of cybersecurity. In fact, he is holding a conference in October at the Georgia Tech Research Institute to bring together two groups in particular—IT professionals and ICS professionals. "Our problem is when you say the word cyber, IT jumps in and says that's our domain," he says. "The area of [ICS] cybersecurity was essentially hijacked from the control systems community." Two of the major subjects covered at the conference will be what IT professionals don't understand about control systems and what control systems engineers don't understand about security threats.
Needed: Fresh Ideas
New approaches to cybersecurity are key to protecting infrastructure from cyberattacks. Some possibilities include more diversity among operating systems and finding ways of disguising systems to take away the advantage currently held by attackers. "The next phase is changing the playing field so the attacker doesn't have this ability of constantly studying my system and learning its weaknesses and vulnerabilities," Benzel says. "We need to be chameleons."
Helping engineers and computer scientists test such technologies is the Cyber Defense Technology Experimental Research (DETER) project, of which Benzel is the technical project lead. Funded by the Department of Homeland Security, the National Science Foundation, and the Defense Advanced Research Project Agency, the project provides cybersecurity researchers with a remotely accessible testbed, a place where they can run experiments to see how new technologies perform. "This is about leading edge, new technology that's being developed," Benzel says. "If someone has an idea about how they could actually prevent worms or how they could change spam or phishing, they can bring that technology here into DeterLab and run hypothesis [and] science-based, repeatable experiments."
The real value of DETER is it has put an end to guesswork in cybersecurity. "For many years in cybersecurity the science was 'I didn't get attacked so I must be secure,'" Benzel says. DeterLab allows its thousands of users to actually see how their cybersecurity solutions interact with cyberthreats.
DeterLab is exactly the sort of place where a recently developed software algorithm that is set to move forward with additional testing might do so. Developed by North Carolina State University researchers, the algorithm can detect when an individual agent in a distributed network control system is compromised by a cyberattack. The algorithm then protects the rest of the system by isolating the compromised agent, allowing the system to continue functioning normally.
"In addition, our security algorithm can be incorporated directly into the code used to operate existing distributed control systems, with minor modifications," says Mo-Yuen Chow, a professor of electrical and computer engineering and coauthor of a paper on the algorithm. "It would not require a complete overhaul of existing systems."
Much more work and many more people are likely still needed to improve the security of critical infrastructure in cyberspace. One thing is clear though: The real world is much better off than fictional ones. Sure the handful of protagonists from films like Live Free or Die Hard and Summer Wars blow things up or get the girl, but when it comes to protecting critical infrastructure from serious cyberthreats, the odds of success are much more in favor of thousands of engineers, computer scientists, educators, and others dedicated to the task.