Jeff's MCAD Blogging
Jeffrey Rowe has more than 40 years of experience in all aspects of industrial design, mechanical engineering, and manufacturing. On the publishing side, he has written well over 1,000 articles for CAD, CAM, CAE, and other technical publications, as well as consulting in many capacities in the … More »
Wakeup Call For One Of IoT’s Biggest Nightmares – Denial of Service
October 27th, 2016 by Jeff Rowe
Well, it was only a matter of time before what happened last Friday happened. I’m talking about the Distributed Denial of Service (DDoS) incident on server farms of a key internet firm, Dyn, that repeatedly disrupted access to major websites and online services including Twitter, Netflix,GitHub, and PayPal across the U.S. and Europe last Friday. The White House called the disruption malicious and hacker groups have claimed responsibility, though their assertion is not yet verified.
The event involved multiple denial-of-service (DoS) attacks targeting systems operated by Domain Name System (DNS) provider, Dyn, that rendered major internet platforms and services unavailable to large swaths of North America and Europe.
“The complexity of the attacks is what is making it so difficult for us,” said Kyle York, Dyn’s chief strategy officer. “What they are actually doing is moving around the world with each attack.”
As a DNS provider, Dyn provides to end-users the service of mapping an Internet domain name—when, for instance, entered into a web browser—to its corresponding IP address. The DDoS attack involved tens of millions of DNS lookup requests from a large number of IP addresses. The activities are believed to involve a botnet coordinated through a large number of IoT devices that had been infected with the Mirai malware.
Did IoT DDoS Take Down the Internet?
Organizations claiming responsibility said they organized networks of connected “zombie” computers (botnets) that threw a staggering 1.2 terabits per second of data at the Dyn-managed servers.
What Is A DoS Attack Anyway?
A denial-of-service (DoS) attack is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
A distributed denial-of-service (DDoS) is a cyber-attack where the perpetrator uses more than one, often thousands, of unique IP addresses. The scale of DDoS attacks has continued to rise over recent years, as witnessed by the Dyn attack.
According to Dyn, a distributed denial-of-service (DDoS) attack began at 7:00 a.m. and was resolved by 9:20 a.m. A second attack was reported at 11:52 a.m. and Internet users began reporting difficulties accessing websites. A third attack began in the afternoon, after 4:00 p.m. At 6:11 p.m., Dyn reported that they had resolved the issue.
The US Department of Homeland Security is investigating the attacks. No group claimed responsibility during or in the immediate aftermath of the attack. Dyn’s chief strategist said in an interview that the assaults on the company’s servers were very complex and unlike common, everyday DDoS attacks.
Dyn disclosed that the attack was a botnet coordinated through a large number of IoT devices, including cameras, home routers, and baby monitors that had been infected with Mirai malware. The attribution of the attack to the Mirai botnet had been previously reported by BackConnect, an Internet security firm. Dyn stated that they were receiving malicious requests from tens of millions of IP addresses. Mirai is designed to brute-force the security on an IoT device, allowing it to be controlled remotely. Cybersecurity investigator Brian Krebs noted that the source code for Mirai had been released onto the Internet as open-source earlier in October.
As of today, October 27, 2016, President Obama indicated that investigators still had no idea who carried out the cyber-attack.
Below are RFID tags to keg lines at Colorado’s Crazy Mountain Brewery connected to the IoT.
Jason Read, founder of the Internet performance monitoring firm, CloudHarmony, said his company tracked a half-hour-long disruption early last Friday in which roughly one in two end users would have found it impossible to access various websites from the East Coast. “We’ve been monitoring Dyn for years and this is by far the worst outage event that we’ve observed,” said Read.
The Vulnerability Of The Internet
For James Norton, the former deputy secretary at the Department of Homeland Security who now teaches on cybersecurity policy at Johns Hopkins University, the incident was an example of how attacks on key junctures in the network can yield massive disruption. “I think you can see how fragile the Internet network actually is,” he said.
“The Internet of Things sort of ran way ahead of how the Internet was architected,” Dyn’s York said, adding that there are between 10-15 billion IoT devices online.
The Dark Side Of IoT
IoT devices all have their own apps and security. However, some older IoT devices weren’t built with security in mind. In fact, malware has already spread to hundreds of thousands of insecure IoT devices, which are really just computers with internet access.
This week, security researchers at Level 3 Communications (Broomfield, CO) estimated that the Mirai army had doubled in size to 493,000 IoT bots since Oct. 1. On Friday, Level 3’s chief security officer, Dale Drew, said about 10 percent of the bots were involved in Friday’s attack. “Mirai is a DDoS-for-rent environment. The person buying time on that botnet could be buying time on others as well.”
“This new botnet is compromising IoT devices and it’s a million nodes big,” said Drew, pointing to the culprit: IoT camera and digital video recorder vendors that didn’t think about security. “They weren’t really thinking about the overall ecosystem impact. The bad guy breaks into that and the password is root or admin/admin, and they get into the device. There is no way to patch it.”
Mirai was released publicly on the dark Web earlier this month, according to Brian Krebs, a cybersecurity journalist whose own site was knocked offline by the malware in September, before the public release.
Friday’s attack on Dyn left many users thinking their internet service was down. But really, Dyn was unable to keep up with the numerous requests to translate common names, like Twitter.com, into the proper numerical address. But, if users knew the numerical IP address, they could still get to the site.
How About Security Issues With the IIoT?
After last week’s security breach that had IoT devices as unwitting partners, I thought about the relative security of the industrial internet of Things (IIoT). By now, we’ve all heard about the security concerns the manufacturing space has regarding the IIoT: millions of connected devices connecting to a corporate network every day to upload customer data could give cyber adversaries the entry point they need to compromise a network and wreak havoc.
After some research, it became apparent to me that most security experts view securing the IIoT as the responsibility of the OEMs building IIoT-enabled industrial equipment. This argument is usually followed by a complaint that those same OEMs don’t know anything about cybersecurity, so securing the IoT won’t be possible in the foreseeable future. Not exactly a reassuring thought.
According to IIoT security expert, Rick Howard, this discussion is riddled with fear, uncertainty, and doubt, as well as assumptions about securing the IIoT that are either inaccurate or simply not true. Securing the IIoT is possible, and it won’t require new gains in security technology to do so. Next-generation security solutions like the Palo Alto Next-Generation Security Platform are very capable of securing the IIoT. The real challenge is getting the security industry to understand that.
The IIoT will enable many devices that have been previously “dumb” to become “smart”; in other words, become equipped with sensors that gather data and connect to the internet so that data can be shared to enable new business models and opportunities. But I think it’s unreasonable to expect the engineers who design these devices to suddenly become experts in cybersecurity. Over time, it might be doable; but to expect t immediately is unreasonable.
Data on the IIoT is no different from data on the regular Internet; it uses IP packets just like any other Internet traffic. Malware delivered via the IIoT doesn’t present any new or unique threat that would require defenses beyond those used to stop malware delivered via more common methods, such as a phishing attack. If a security architecture uses a zero trust model and policy controls that enable the proper use of applications and data, it will still be able to identify malware as it moves through the various steps in the attack lifecycle and stop it.
Howard concludes by saying that just because an attack on a network is coming from an IIoT-enabled system, and not a compromised laptop, that doesn’t mean a security architecture can’t stop it, provided it’s a next-generation security architecture designed to combat the methodologies used by today’s more advanced cyber-attackers. So, the next time the topic of IIoT cybersecurity comes up, everyone just take a deep breath and relax. With the right next-generation security platform in place, embracing the IIoT becomes a much less scary proposition.
With so much riding on IoT and IIoT, including the future fortunes of some traditional CAx companies, I asked PTC (who is especially entrenched in IoT) if they had any comments on last week’s breach. A company spokesperson supplied the following:
Nothing really specific, but at least they’re addressing major security issues.
Last week’s DDoS attack was not the first, nor will it be the last, nor will it be the only type of possible IoT attack, and that’s kind of unsettling. Like many things, the best security offense is defense, and there is a lot we can all do to make potentially catastrophic events like last Friday’s less likely and impactful.