Urban infrastructure these days is not only a set of isolated nodes installed for the functioning of a community or society; it is an interconnected realm of human interaction, deemed critical because of its impact on people’s lives and livelihoods. We have come a long way from when infrastructure was merely about roads, transportation, communication lines and other services that made life simpler. Today, technology has transitioned radically by anchoring itself to these nodes that play a vital role in our existence. Physical devices have become smart and connected through embedded sensors, processors, and software, and the internet is what binds them together. The Internet of Things (IoT) has great potential for automation and analysis and promises a tremendous future, but it also carries the potential for a security disaster. Evidently, critical infrastructure sectors can be categorized very broadly and can enclose every aspect of daily life, but the cyberspace that enables the connectivity of this infrastructure is massive, with no visible boundary or demarcation. This makes it even harder to decide what needs to be protected and how.
It is known that there is no overarching authority above a state, and because of this international anarchy, Australia’s critical infrastructure security is its very own responsibility. If physical facilities, transportation, supply chains, IT, and networks are destroyed or rendered unavailable for an extended period of time, it would impact not only Australia’s national well-being but also its ability to conduct national defense and ensure the security of its citizens. Even though Australia’s national ambitions for long-term city resilience are realized through cyber-securitization of its critical infrastructure enabled through IoT, the dependency on multiple critical assets, and the exposure of each asset to uncountable vulnerabilities, decrease the overall cybersecurity of critical infrastructure in Australia.
This essay aims to describe how vulnerabilities in the IoT systems of critical infrastructure have led to denial of service attacks in the past, and to analyze the significance of IoT cybersecurity for Australia with respect to international anarchy.
Critical Infrastructure
Infrastructure comprises services and facilities that are used by people to make their life easier, and it can be stipulated as critical by understanding the consequences should the infrastructure be destroyed or disabled for just an instant or for an extended period of time. The vulnerabilities of the nodes that make up this critical infrastructure system depend on several factors such as location, relationality, and dependency. More often than not, these nodes are interconnected and dependent, which is why if one node fails, it leads to a domino effect on other assets and facilities, impacting a greater number of livelihoods than estimated. For instance, electricity is a very crucial part of urban infrastructure and deeply affects the majority of sectors of the system.
Some of the commonly known risks to critical infrastructure can arise from climate change, terrorist activities, trade wars, and other such implicit or explicit disruptions. To understand how and for whom infrastructure is critical, we need to understand (a) the privatization and (b) the securitization aspects of urban infrastructural assets.
Privatization:
Most critical infrastructure in Australia is privately owned or operated through complex systems of public-private partnerships (PPP) involving government agencies, government-owned corporations, and private firms. The private sector has the ability to pay for infrastructure and gain benefits from the return on investment, unlike the public sector, which focuses on the public good. Privatization of infrastructure can be argued as a political or pragmatic policy, and because of this shared ownership of assets, there is the problem of attribution. Shared ownership leads to aggravated risks because recovery of infrastructure after a disruption becomes complicated, and the responsibility for rebuilding is tossed between the private sector and the public sector. However, the overall weight falls more on the private sector, which would be most impacted if there were a threat to critical infrastructure in Australian cities.
Securitization:
Securitization answers the question of how critical infrastructure is, and is basically about understanding the significance of protecting the citizens of a country and the value of one life against another. If infrastructure is destroyed, it can be rebuilt or recovered, but such is not the case with human lives; therefore, using lethal force to protect infrastructure is not the right solution. The security policies framed by the government have to be carefully mandated and executed such that a disruption of infrastructure does not harm human life.
For example, in Australia, more than any other threat, climate change is disrupting human life at a rapid rate, leading to extreme weather events such as droughts, bushfires, sandstorms, and hail. These risks are likely to disrupt physical infrastructure in cities and affect the health of citizens too. Therefore, the security approach to resolving or handling this risk is not limited to the state or supra-state levels; a human/environmental security approach has to be taken by the central government to protect and empower the population.
In this sense criticality within urban infrastructure is both: a function of importance and vulnerability within current settlement patterns in the face of climate change; and a politico-economic discourse and role framed by policies, regulations, markets, and resource availability.
The Internet in the Internet of Things
As we very well know, the Internet is a global system that interconnects computer networks using the standard TCP/IP protocol suite. These days, it is used by billions of users across the globe, connecting a broad spectrum of private, public, business, academic, and government sectors. The Internet has become a commodity and is no longer the expensive resource it once was. This ubiquitous nature of the internet has made it possible to expand the scope of its application and transform the nature of businesses and critical infrastructure. What was once used only to connect computers with other networks is now being used to connect things too, both living and nonliving.
While many think that smart products exist because of the evolution of the internet, the internet is actually just a mechanism for transmitting information. What makes smart, connected products fundamentally different is not the internet, but the changing nature of things. The newfound capability of things to generate data and connect to a network of other things has unleashed a new era of competition. The Internet of Things can be considered a global network that allows human-to-human, human-to-things, and things-to-things communication, where a "thing" can be any object in the world, by providing a unique identity to each and every object.
Architecture of IoT
The IoT structure is basically divided into the four layers shown above (Perception, Network, Middleware and Application). At the top, above the Application Layer, sits the Business Layer, which is used for the overall management of the IoT system, including applications and services for analysis as well as building strategies.
The Perception layer is the lowest layer and consists of the actual physical objects and sensor devices. The sensors used can be RFID, NFC, 2D barcode, or infrared sensors and are basically used for the identification of devices. The Network layer, or Transmission layer, is where the information from sensors is transmitted to processing systems. This layer uses the Internet, Bluetooth, Infrared, and ZigBee as transmission media.
The Middleware layer is where the link to the database exists. This is where information is processed and automatic decisions based on the results are taken for actions to be performed on different devices. The Application layer helps in the global management of the entire IoT application system through the information processed in the Middleware layer. IoT applications can be for health, smart city, home, farming, oil and gas refinery, and other industries.
Thus, physical devices in the IoT system are connected through wired and wireless networks often using the same Internet Protocol that connects the Internet. These systems produce massive volumes of data for business analysis and assist in understanding the complexity of systems and responding to them more efficiently.
Impact of IoT on Cyber Security of Critical Infrastructure
Let us discuss the CIA security triad (Confidentiality, Integrity, Availability) for the IoT architecture:
- Data Confidentiality: For IoT-based devices, the physical sensor nodes need to be protected such that data collected by these nodes is not transmitted to unauthorized readers. Data encryption, biometric verification, and two-step verification are a few of the common mechanisms that can be used to achieve confidentiality in IoT systems.
- Data Integrity: It is also important that the data transmitted from sensors is not altered before it reaches the middleware layer, and this could be affected by various factors beyond human control. To ensure the accuracy and integrity of data, mechanisms such as checksums, Cyclic Redundancy Checks (CRC) and hashing can be used.
- Data Availability: Since IoT is mainly about making data available to users and application builders, it is very important to ensure that authorized personnel and parties have access to information resources, not only in normal conditions but in disastrous conditions as well. A Denial of Service (DoS) attack is one of the most common attacks on IoT systems by cybercriminals, where data is made unavailable to authorized users.
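The integrity point above deserves a caveat a practitioner would want: checksums and CRCs only catch accidental corruption, because anyone who can alter a sensor payload can recompute them, while a keyed hash (HMAC) also catches deliberate modification. The following is an added example, not from the essay; the device key, the sensor reading and the frame layout are constructed for illustration.

```python
"""Added example: integrity protection of an IoT sensor reading.

CRC32 detects transmission noise; HMAC-SHA256 with a per-device key
detects both noise and deliberate modification. All values are constructed.
"""
import hashlib
import hmac
import zlib

# Constructed shared secret, provisioned per device at manufacture time.
DEVICE_KEY = b"example-device-key-not-real"


def crc_frame(payload: bytes) -> bytes:
    """Append a 4-byte big-endian CRC32 trailer to the payload."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_verify(frame: bytes) -> bool:
    payload, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == trailer


def mac_frame(payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Append a 32-byte HMAC-SHA256 tag computed with the device key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_verify(frame: bytes, key: bytes = DEVICE_KEY) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a single-bit transmission error at the given bit offset."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def demo() -> dict:
    reading = b"substation=7;voltage=230.4;ts=1700000000"   # constructed sample
    tampered = b"substation=7;voltage=250.0;ts=1700000000"  # altered value
    results = {}
    # 1. Accidental corruption (bit 40 is inside the payload): both reject.
    results["crc_rejects_noise"] = not crc_verify(flip_bit(crc_frame(reading), 40))
    results["mac_rejects_noise"] = not mac_verify(flip_bit(mac_frame(reading), 40))
    # 2. Deliberate modification with the CRC recomputed by whoever altered
    #    the payload: the receiver cannot tell it from a genuine frame.
    results["crc_accepts_tampered"] = crc_verify(crc_frame(tampered))
    # 3. The same modification without the device key: the MAC check fails.
    forged = mac_frame(tampered, key=b"not-the-device-key")
    results["mac_rejects_tampered"] = not mac_verify(forged)
    return results
```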
In an IoT system of critical infrastructure, every aspect is crucial, and because of its layered architecture, security must be implemented not only at the device level but also through the network, the cloud, and the back-end database systems. Even once the data has been transmitted to the database, it is still not secure and continuously needs to be monitored for unauthorized modifications. Situations like unauthorized physical access, insufficient processing power for security mechanisms, and code written by inexperienced developers without following cybersecurity best practices can lead to major vulnerabilities in the system.
As a result, poor implementation of cybersecurity in IoT systems carries several risks, such as theft of data from systems, danger to the health and safety of human life, loss of efficiency in the compromised system, exposure of private details and valuable information, loss of reputation for the state, and non-compliance with national policies and regulations. IoT systems create critical dependencies and can expose the owner of critical infrastructure to malicious attacks and exploitation.
The Mirai Botnet and Distributed Denial of Service Attack
The internet is a very powerful innovation but is inherently vulnerable to massive security issues that can be used to carry out Distributed Denial of Service (DDoS) attacks. IoT can be considered as an interwoven fabric connecting multiple devices and this massive connectivity has made DDoS attacks more and more popular among the cyber-criminal community.
The year 2016 is still remembered as the year of Mirai in the world of IoT devices, when a powerful malware struck and infected a stupendous number of connected devices by exploiting a very simple weakness, or rather the negligence of developers and users: default login credentials. On 22nd September 2016, Mirai malware was used to conduct one of the largest DDoS attacks ever seen, against the French internet and cloud service provider OVH, peaking at 1.1 Tbps. Only 8 days later, on 30th September 2016, it was used to conduct yet another attack, on Brian Krebs’s website, the KrebsOnSecurity blog, with 620 Gbps of traffic, which is far more than enough to knock most websites offline. The public release of Mirai’s source code by its creator led to more hackers offering botnets for rent, with as many as 400,000 simultaneously connected devices. Following this release, more attacks occurred, and one of the most significant DDoS attacks was on 21st October 2016, when the Mirai malware took down the Dyn DNS service and thereby knocked hundreds of popular websites, such as Netflix, Twitter, Reddit, and GitHub, offline for several hours.
The Mirai botnet was developed to attack IoT devices such as webcams, routers, DVRs, and other connected devices. It conducts a brute force attack by guessing the administrative credentials using a small dictionary, originally of 62 login-password pairs. It exploits the incautious nature of users who continue to use the default credentials after purchasing the device from vendors and do not take the effort to reset them. Once the credentials match, it takes control of the device and goes on to infect other devices connected to the IoT system. The botnet can then be used by the attacker to conduct several types of DDoS attacks exploiting a wide range of web protocols. Mirai has since served as the basis for several variants that continue to cause damage using the original methods with only minor modifications.
The Mirai botnet comprises four components, as shown in Figure 2. The bot is the main malware that infects devices such as webcams, DVRs, and routers. The main job of the bot is to propagate and transfer the infection to misconfigured devices and to attack a target server in response to the attacker’s command. The person controlling the bots and sending commands is called the botmaster. The second component is the command and control (C&C) server, which behaves as an interface for the botmaster to manage the bots and mobilize new DDoS attacks. Usually, the anonymous Tor network is used for communication between the botmaster and the C&C so as to make attribution difficult. The third component is the loader, which is responsible for distributing executables that target different hardware and software platforms by communicating directly with the victim devices. The final component is the report server, which maintains a centralized database with information about all victim devices in the botnet and communicates directly with newly infected devices.
According to Kambourakis, the sheer volume of Linux devices directly exposed to the internet, primarily for remote management purposes, along with the lack of frequent firmware updates, the ease of building IoT exploits, and the numerous already known, scalable vulnerabilities found in IoT devices, equip malicious actors with ample ammunition to overpower security measures via the assembly of powerful botnets. It can be argued that much of the blame for DDoS attacks often goes to users for not taking adequate security measures such as changing default credentials, but in the case of IoT botnets the blame also lies with the vendors who distribute products with weak security and authorization controls. The foundation of security in such devices depends on the measures taken by vendors to provide timely security updates, to intervene manually, and to enforce changing passwords on a frequent basis. It is no longer only about the technical means of enforcing security; best practices and robust security standards need to be enforced by distributors as well.
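From the defender's side, the credential brute force described in this section has a recognizable signature in a device's authentication log: a burst of failed logins from one source cycling through several usernames, sometimes followed by a success. The following is an added example, not from the essay or from any project; the log format, thresholds, sample lines and addresses are constructed for illustration.

```python
"""Added example: flag Mirai-style credential brute force in auth log lines.

A source that fails max_failures+ logins across min_users+ distinct
usernames inside `window` is reported, with a note on whether a successful
login followed (a likely compromised device). All sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> login <ok|failed> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Constructed sample: one scanning source, one legitimate operator typo.
SAMPLE_LOG = """\
2016-09-22T10:00:01 login failed user=root src=198.51.100.7
2016-09-22T10:00:02 login failed user=admin src=198.51.100.7
2016-09-22T10:00:02 login failed user=support src=198.51.100.7
2016-09-22T10:00:03 login failed user=user src=198.51.100.7
2016-09-22T10:00:04 login failed user=guest src=198.51.100.7
2016-09-22T10:00:05 login ok user=admin src=198.51.100.7
2016-09-22T10:05:00 login failed user=operator src=203.0.113.9
2016-09-22T10:30:00 login ok user=operator src=203.0.113.9
"""


def parse(log: str):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log: str, max_failures: int = 4, min_users: int = 3,
                      window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {src: finding} for sources showing a credential-guessing burst."""
    events = defaultdict(list)
    for ts, result, user, src in parse(log):
        events[src].append((ts, result, user))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, r, u in evs if r == "failed"]
        for i, (start, _) in enumerate(fails):      # slide the window over failures
            burst = [u for ts, u in fails[i:] if ts - start <= window]
            if len(burst) >= max_failures and len(set(burst)) >= min_users:
                success_after = any(r == "ok" and ts >= start for ts, r, _ in evs)
                findings[src] = {"failures": len(burst),
                                 "distinct_users": len(set(burst)),
                                 "success_after_burst": success_after}
                break
    return findings
```

A finding with `success_after_burst` set is the case to act on first: the device accepted one of the guessed credentials and should be treated as compromised until its password is reset and its firmware checked.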
Cybersecurity of Australia in Relation to International Anarchy
Within Australia, AusCERT (Australian Computer Emergency Response Team) provides cyber security services but since it is a non-government organization, it depends on the government for funding and contracts. In the past, the AusCERT community has helped to advance national security and international cooperation.
However, one of the major issues in cyber-attacks on critical infrastructure is the attribution of the attack. Since critical infrastructure is closely linked to human networks, its destruction could lead to physical damage, injury, or long-term environmental effects. “According to international law, the legal or regulatory investigation may be required, increasing the importance of attribution artifacts”. Sometimes attacks originate from a different country, and international anarchy makes it difficult to determine which country or law enforcement agency has the authority to investigate and under which legal framework to prosecute the cybercriminals.
Therefore, in order to address the transnational issue of cyber warfare, peacekeeping organizations such as the UN will most likely need to perform investigations and enforce cyber laws on member states. However, it is difficult to anticipate whether the UN Security Council will engage in enforcing cyber peacekeeping in the near future. “The US has established already after World War II the declassified 5-eyes cooperation with UK, Canada, Australia, and New Zealand and in response to 9/11 a wider cooperation the 9-eyes cooperation including Denmark, France, Netherlands, and Norway and finally the 14-eyes cooperation additionally including Belgium, Italy, Spain, Sweden, and Germany”.
Such multilateral cooperation for cyber-attack detection and attribution can help in designing an effective solution for international cyber law enforcement and protecting critical assets of member states. However, no such cooperation exists presently; therefore, the cyber security of Australia’s critical infrastructure enabled through IoT is vulnerable to attack, especially when there is no regulatory framework for the prosecution of international cyber criminals.
In conclusion, IoT, and the cybersecurity concerns underlying it, have cut across critical infrastructure networks and have progressively raised the urban aspirations for smart cities in Australia. However, because these devices are everyday objects rather than desktop computer systems, they lack computational capacity. Apart from this, these devices are connected to the Internet, a tsunami of vulnerabilities waiting to be exploited, and their naive security configuration makes them low-hanging fruit for hackers. Even though IoT has increased the efficiency of smart, connected devices, and the pool of data acquired by these devices is a treasure for analysis and decision-making, it is important to understand that there is a limit to the number of security measures that can be enforced upon each device, and that constant maintenance through security updates is an added overhead for owners of IoT-enabled critical infrastructure. On one side, the whitehat community and non-government organizations such as AusCERT can help find exploits and secure the vulnerabilities of these systems; on the other, the cyber criminals who already have access to botnets such as Mirai range from adolescents or script kiddies seeking a thrill to highly sophisticated state and non-state actors orchestrating well-defined cyber-attacks or cyber espionage.
Unlike the physical boundaries of a nation, cyberspace is not clearly defined, which is why connecting a massive number of critical infrastructure devices that impact human life and the environment to cyberspace, and particularly to the internet, decreases the cybersecurity of critical infrastructure in Australia.