The interplay of humans, data, and embedded intelligence in modern weapons systems is blurring the lines between physical and digital warfare. If an adversary can control a power grid, an industrial line, or a nuclear submarine by hacking software or reverse-engineering a device, the potential physical damage could be just as lethal as many acts of conventional warfare.
The event that defined that potential was the 2010 attack of Stuxnet, a computer worm that reportedly destroyed numerous centrifuges in Iran’s Natanz uranium enrichment facility by causing them to burn themselves out. It demonstrated what an orchestrated and targeted attack on an adversary’s facilities could accomplish — or destroy, depending on your perspective. According to McAfee, the original Stuxnet malware attack aimed to cripple the automation of machine processes by targeting programmable logic controllers (PLCs). This was the first time a virus was known to take down hardware; its creators appear to have been the U.S. National Security Agency, the CIA, and Israeli intelligence.3
There will never be another Stuxnet attack, according to Martin Libicki, author of Cyberspace in Peace and War, because it was a zero-day threat lasting exactly four days. But even though it is now a known threat, other groups were able to modify the virus to target other facilities across the globe, including water treatment plants, power plants, and gas lines.4 More than anything, Stuxnet’s effectiveness underscored the potential for future warfare: If a targeted attack could take down a nuclear power plant, imagine what an attack designed to inflict widespread, uncontained damage could do. Any cyber-physical system — a nation’s power grid, an unmanned drone, a telecommunications network — is only as strong as its most vulnerable element.
With the right weapons, a determined adversary can cross the digital-physical divide. Russian intelligence agents were indicted in 2020 for the 2017 NotPetya malware campaign that crippled shipping giant Maersk. They are also charged with causing the 2015–2016 blackouts in Ukraine — the first known instance of a cyberattack disrupting a power grid. Cyber experts have described Ukraine as Russia’s test bed for future attacks.5
Common Vulnerabilities and Exposures (CVEs) reported to government agencies tripled between 2016 and 2019 to reach more than 17,000, according to the Mitre Corporation.6 But an attack can work from the other direction, too. Gartner forecasts that 25 billion connected things will be in use before 2021 is over, producing an immense volume of data. However, the biggest security threat to an embedded system is not from the cyber end; it’s from device failure or takeover, according to a recent Wind River® survey of executives, managers, and developers.7
What Are Your Biggest Security Threats?
SourceWind River Cybersecurity for Embedded Development, June 2020
The military relies on ever more intelligent and autonomous systems, as do critical infrastructure and industrial operations. They are dependent on the smooth interplay between those devices and the intelligence that runs them. Add to that two new dynamics: the growing connectivity required by many advanced cyber-physical systems and the intelligence that runs them. “Vehicles are on the road now communicating through cell towers or satellites, communicating with other cars and with their manufacturers. It becomes a system of systems that requires its own security analysis,” explains Thompson at Wind River.
Both the number and the nature of threat vectors will expand as 5G takes hold. Gartner estimates there are about 3.5 million 5G IoT devices as of 2020.8 The research firm predicts that the 5G IoT endpoint installed base will grow to around 49 million units by 2023, vastly increasing the potential scope of devices that can communicate with one another. Security is clearly a top concern already9 — and those concerns are likely to increase.
“Imagine a world of AI-powered devices ingesting information through electronic eyes and ears, like humans do,” says Paul Shomo, an independent digital forensics analyst and writer for Dark Reading and eWeek. “Then consider how many surrounding 5G networks these devices may leak data through. 5G is shaping up to be a black hole of data exfiltration.”10
The growing number of connected devices that are worn, ingested, or implanted for health and enhancement are also potential threat vectors. Many devices already in use across the broad population in the form of insulin pumps and pacemakers are able to connect or be connected, even if their users are not aware of that connectivity. A team at Virginia Tech demonstrated recently how these devices, some of which have easily exploitable Bluetooth capabilities, can pose a threat to the intelligence community’s secure workspaces.11 The RAND Corporation has detailed military uses of cutting-edge transhuman technologies — and the vulnerabilities they bring — in the “internet of bodies.”12
“Militaries have shown an interest in IoB technologies to track the health and well-being of service members, enhance their cognitive and physical abilities, improve training, and enable enhanced warfighting capabilities — for example, with augmented-reality headsets or technology-infused exoskeletons that track warfighters’ physical characteristics and possibly also their state of mind,” according to RAND.
Most Important Performance
Measures of 5G
Percentage of survey respondents who identified the following as important:
SourceWind River, 5G and Industry 4.0: Where Promise Meets Reality
New advances in neuro-devices could enable control over physical systems such as an aircraft. The capabilities are stunning. Picture this scenario described by the RAND Corporation: “Three drones lift off, filling the air with their telltale buzz. They slowly sail upward as a fleet — evenly spaced and level — and then hover aloft. On the ground, the pilot isn’t holding a remote control. In fact, he isn’t holding anything. He’s just sitting there calmly, controlling the drones with his mind. This isn’t science fiction. This is a YouTube video from 2016.”13 Such capabilities could enable faster battlefield decisions, but they would also introduce new risks if a cyberattack could directly affect a soldier’s brain.
To realize the potential of the intelligent edge, security professionals must think beyond the traditional ways of hardening a system. Protecting software, hardware, data, and communications networks as well as limiting access is still a starting point. But it is not enough. “By nature, a complex system of connected devices opens many new attack vectors, even if each device is secure when used independently. Since a system’s most vulnerable point determines its overall security level, a comprehensive, end-to-end approach is required to secure it,” according to McKinsey.14
11 Zoe Chen, Paul O’Donnell, Eric Ottman, Steven Trieu, Dr. Alan J. Michaels, “An Invisible Insider Threat: The Risks of Implanted Medical Devices in Secure Spaces,” Hume Center for National Security and Technology, Virginia Polytechnic Institute and State University, August 2020