The massive Distributed Denial of Service (DDoS) attack last month on Dyn, the New Hampshire-based Domain Name System (DNS) provider, was mostly an inconvenience.
While it took down a portion of the internet for several hours, disrupted dozens of major websites and made national news, nobody died. Nobody even got hurt, other than financially.
But the attack, enabled by a botnet of millions of Internet of Things (IoT) devices, inevitably led to speculation on what damage a DDoS of that scale or worse could do to even a portion of the nation’s critical infrastructure (CI).
Clearly it could go well beyond inconvenient. Businesses, households, emergency services, the financial industry and yes, the internet, can’t function without electricity.
That has already been demonstrated on a relatively small scale. Earlier this month, a DDoS attack took down heating distribution in two properties in Lappeenranta, a city in eastern Finland.
The disruption was only temporary, but as local media noted, with below-freezing temperatures, “a long-term disruption in heat will cause both material damage as well as the need to relocate residents elsewhere.”
Also, in a recent paper titled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” researchers reported that they were able to demonstrate, using Philips Hue smart light bulbs, “a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction …”
Using the bulbs’ ZigBee wireless connectivity, the researchers said the attack, “can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack.”
If that kind of attack could also be used to take down heat, water, sewer, traffic control and other basic services for any length of time, the risks of chaos and physical harm grow rapidly.
As author, blogger, security guru and Resilient Systems CTO Bruce Schneier put it in a recent post, “security flaws in these things could mean people dying and property being destroyed.”
But could a DDoS attack really cause a long-term disruption of Industrial Control Systems (ICS), which operate or monitor much of the nation’s CI?
Experts have mixed views on the topic. Some say the nation’s ICSs are distinct enough from the consumer IoT that they would not be as vulnerable to a DDoS, while others say those systems are indeed connected enough to be a component of the IoT.
DDoS attacks are nothing new – they have been around for decades and are not considered sophisticated. They work by overloading websites and other internet-connected systems with junk traffic that prevents legitimate traffic from getting through, and can also cause the sites to crash.
What made the Dyn attack relatively unprecedented was its use of millions of “zombie” IoT devices like “smart” cameras, digital video recorders, etc., instead of computers. The scale of the attack, at 1.2Tbps, was unheard of as recently as a year ago. Now it is the norm, and is expected to increase rapidly.
Meanwhile, the nation’s CI remains notoriously insecure. Earlier this year, the FBI and Department of Homeland Security (DHS) launched a national campaign to warn US utilities and the public about the danger from cyber attacks like the one last December that took down part of Ukraine’s power grid.
This past September, at the Security of Things Forum in Cambridge, Mass., a panel of security experts agreed that attackers, likely from hostile nation states, are probably already inside the nation’s ICS.
Paul Dant, chief strategist and managing principal at Independent Security Evaluators, said at that discussion that more attacks are inevitable. “To think that stuff is not vulnerable is a complete fallacy,” he said.
Still, some in the industry say a DDoS is not a direct threat to major CI, because ICSs are not a part of the IoT in the way consumer devices are. Ben Miller, director of the Threat Operations Center at Dragos, said that while “at face value (ICSs) may seem similar” to IoT devices, “an industrial controller with input from a thermostat has a vastly different technology stack, use case, evolution, and capability than the Nest (consumer) thermostat on a wall.