‘This attack was different’ — cyberthreat draws utility warnings

By Blake Sobczak | 10/25/2016 07:04 AM EDT

The Mirai malware that knocked out several websites last week was carried out through a digital army of smart devices such as CCTV cameras (pictured) that had been infected. Photo courtesy of Flickr.

Swarms of hacked, internet-connected devices have menaced core parts of the web and put utilities on edge.

On Friday, millions of Americans awoke to find they couldn’t access many popular websites, including Twitter, Spotify and GitHub. Hackers had overwhelmed the cyberdefenses of Dyn, a New Hampshire-based company that manages web traffic for thousands of U.S. sites. The outages lasted, on and off, for several hours.

"[Domain Name System] providers like Dyn provide one of the fundamental backbones of the internet," said Nabeel Hasan Saeed, who tracks trends in denial-of-service attacks at cybersecurity firm Imperva. He likened the service Dyn provides to that of the U.S. Postal Service, noting that by "taking down a big DNS provider like Dyn, you are fundamentally handicapping the ability of traffic to resolve to its appropriate address."

Dyn often finds itself in hackers’ crosshairs. But "this attack was different," the company’s chief strategy officer, Kyle York, said in a statement Saturday. The company’s servers were flooded with traffic from "tens of millions" of internet protocol addresses, in what the cybersecurity industry terms a distributed denial-of-service, or DDoS, attack (EnergyWire, Oct. 17).

What made the attack stand out for York was not only its size and scope but its source: a digital army of webcams, CCTV devices and other "smart" electronics that had been infected with the Mirai malware.

In other words, at least part of the online traffic that took down Dyn came from the "internet of things," a fast-growing category of devices that has already taken the energy industry by storm.

"Compare the security measures of a webcam you can buy at Walmart to a multinational bank," said Saeed, who works as product marketing manager for Imperva’s Incapsula security line. "People are figuring out that you don’t need to target the actual bank itself, because it can be dependent on other pieces of the internet, which, if you bring those down, can have ripple effects around the internet-connected community.

"What [the attack] lacks for in sophistication, it makes up for in pure volume," he added.

Department of Homeland Security officials, who say they are investigating the attack on Dyn with the FBI, have warned that some smart-grid devices could be inadvertently swept up into attacks on other websites or key internet infrastructure.

Utilities "are potentially victims, just like everyone else on the internet," said Ben Miller, director of the threat operations center at industrial cybersecurity firm Dragos Inc.

Miller said that grid devices such as smart meters are normally isolated from the internet and thus are less likely to be drafted into the Mirai botnet, which seeks out low-hanging fruit. The worm’s authors directed it to scour the web for devices that use default or easily guessable passwords, skipping over sensitive networks such as the address ranges assigned to General Electric Co. or the Department of Defense.

Mirai is not designed to dig deeper into control rooms or substations, and Miller assessed that it is unlikely to affect North American grid reliability.

"Standard office gear that a utility may have — things like printers that are internet-exposed, CCTV cameras or other equipment — could, if not properly set up, become a victim and join the botnet," said Miller, who previously led the threat analysis team at the Electricity Information Sharing and Analysis Center, operated by the North American Electric Reliability Corp.

NERC issued a non-public cyber alert on the subject earlier this month in a post titled "Internet of Things (IoT) Used for High Bandwidth Distributed Denial of Service (DDoS) Attacks." A NERC spokeswoman did not respond to a request to review the document.

While Miller cautioned that he’s no longer clued into internal NERC business, he said the internet-of-things issue "definitely resonates with utilities — and they were being proactive on getting the information out."

Days before the Oct. 11 NERC alert, a Mirai-fueled cyberattack on journalist Brian Krebs’ website claimed headlines for its record-breaking ferocity.

"The cat’s out of the bag," Miller said. "My fear is that … these sorts of DDoS attacks will continue to happen, and possibly get a lot more polished over the next year or so."

‘Not yet a priority’

"Smart" devices are ushering in an era of convenience, efficiency and raw analytical power never before seen online. But in an effort to tamp down costs, experts say, many device manufacturers have cut corners when it comes to securing new technology from hackers.

Ted Harrington, executive partner at Independent Security Evaluators, organized an "IoT Village" at a major hacking conference in Las Vegas this year, where researchers uncovered 47 new security vulnerabilities across nearly two dozen devices, including "smart" locks and internet-connected solar panels.

"Security professionals like us have for years been articulating the dangers of deploying such connected solutions without adequate security considerations — those warnings have largely gone unheeded," he said in an emailed response to questions. "However, the DDoS attack against Dyn has certainly captured the mainstream attention, and that is fostering some very positive and productive conversations about what to do about it."

The U.S. government has launched several initiatives aimed at better securing the internet of things, and DHS officials say they are working on strategic guidelines for device manufacturers.

But Harrington said that despite government and industry efforts, huge DDoS attacks may not disappear anytime soon.

"IoT adoption is expanding rapidly, while security concerns are largely not yet a development priority for many manufacturers," he said. "This will lead to an increasingly expanded pool of connected devices that could easily be leveraged in attacks that are not only similar, but are likely even larger."