Once again, the fundamental nature of the Internet is changing. In the early 1990s, the World Wide Web moved far beyond the Internet's original scope and dramatically changed its purpose. We now find ourselves on the cusp of yet another dramatic change, as the Internet of computers gives way to an Internet of things. Unfortunately, this relatively new phase of the Internet also opens up a whole new set of devices to cyber attacks.
This "Internet of things"—which goes beyond traditional general-purpose computers to include appliances, measurement devices, personal entertainment devices, and more—has opened up a new frontier of attack vectors. Today, threats can create incursions into the real world, from programmable logic controllers (PLCs) used in energy production and distribution to more familiar components such as thermostats, refrigerators, and other home appliances. At RSA 2014, several speakers will be addressing this topic, from Sam Curry and Uri Rivner's "Science Fiction is Here!" session, to Eric Vyncke's "Internet of Things... Promising, but Let's Not Forget Security Please!" Clearly, the problem is real, and it's on the minds of security professionals.
When Stuxnet first hit in 2010, many of us in the security community saw the attacks of this malware as the first to truly bridge the virtual and physical worlds. Unlike malware that came before it, the goal of the Stuxnet payload didn't lie in the capture of data, but in the potential to control—and damage—real-world things. In the case of Stuxnet, these things were PLCs, and the specific target was energy production infrastructure. For the first time we knew of, malware was targeted at actually manipulating a tangible device, potentially causing real, physical harm.
Of course, industrial PLCs within public infrastructure environments are not the only potential targets for this type of real-world incursion, whether through cyber attacks, malware, or other methods. In both the US and abroad, we've seen energy companies rapidly adopting customer premises equipment that moves away from traditional electro-mechanical equipment and toward "smart meters" based on commoditized hardware and common software stacks. While this may be a good thing for the energy companies from a centralized monitoring and management perspective, it also means that these devices are now subject to the same types of attacks that succeed against common technology platforms.
Exacerbating this problem, there is news of a lab proof-of-concept in which commands have been successfully sent over a non-traditional "network"—sound waves over the air—and captured through a computer microphone, where they have been processed by pre-installed malware. While this was a highly controlled lab experiment and makes a lot of assumptions about the environment, it does demonstrate that malware can bridge the traditional "air gap" that security professionals have relied on to segregate systems and eliminate the risk of infection or attack.
So what does all this mean? Ultimately, it means that the traditional approaches to information security can't just be focused on "information" anymore. We need to change our way of thinking about security to focus on the potential damage that can be done by connecting all these devices to the Internet of things, and on protecting any interfaces on those devices that collect data, regardless of whether they're digital or analog. Today, we've only seen a few real-world incursions by cyber attacks and a handful of proof-of-concept tests demonstrating that the air gap can be circumvented. But if Internet-age technology has taught us anything, it's that feasibility leads to a market. Just as a black market exists today for the commoditization of tools to exploit and capture data (think credit card information and healthcare data), so too will a market eventually exist for sophisticated malware and other tools to exploit real-world infrastructure for the purpose of damage. The difference, of course, is that the users of this technology will not be following the money; they're much more likely to be either state-sponsored actors or groups intent on causing damage to infrastructure, assets, and people. As we expand the boundaries of the Internet of things, the ability of cyber attacks to affect not only systems and data, but also the physical world, is already here.