Right before Christmas, two power companies in Ukraine were simultaneously targeted in what’s now regarded as the world’s first successful cyber attack on a public utility. The hackers (most likely Russians) knocked out electricity to more than 80,000 customers for several hours. Luckily, Ukraine’s power grid is somewhat antiquated, and authorities were able to restore electricity in a few hours by resetting breakers by hand. The lesson: In the age of cybercrime, the best insurance may be analog.
As we’ve rushed to connect everything from power plants to home thermostats to the Internet, the risk of a catastrophic cyber attack has multiplied, because the systems people rely on are now more complex, communicative, and concentrated. “You’re buying a capability, but at the same time you’re buying a vulnerability,” says Richard Danzig, former secretary of the Navy and a senior fellow at the Johns Hopkins Applied Physics Lab. “A digital attacker can take out all systems with one attack.” That’s why Danzig recommends deploying physical backup hardware in the most vulnerable places of the U.S. power grid, military installations, and other key infrastructure. “My argument is that, if your main system is digital, you’re stronger if your safeguard is analog.”
Danzig’s thinking came out of the nuclear power industry, where the recent push to digitize control systems has raised concerns among several experts. “If all the computers fail at a plant, those analog systems kick in, the rods go to the core, cool down the reactor, and there’s no release of radiation,” says Perry Pederson, a former member of the U.S. Nuclear Regulatory Commission and co-founder of the Langner Group, a security consultant that specializes in infrastructure and large-scale manufacturing. “You can’t lie to analog equipment. You can’t tell a valve that it’s opened when it’s closed. It’s physics.”
What’s lost in digitization is the concept of defense in depth, according to Joe Weiss, managing partner of Applied Control Solutions and a cybersecurity consultant to the power industry. “Defense in depth means you have layers of protection,” he says. “But digital, even when it claims to have multiple layers, is in a sense one layer. Penetrate that, and you could potentially no longer have another layer you need to penetrate.”
Anything that’s networked and controlled by a computer has the potential to be compromised. Web-connected pacemakers, insulin pumps, airplane control systems, prison door locks, and even cars are at risk of hacks and hijackings. Stefan Savage, a computer science professor at the University of California at San Diego, demonstrated this in 2010 when he and colleagues commandeered a Chevy Impala by hacking into its entertainment system. The danger, Savage says, isn’t so much that almost all controls in a car are digitized in some way, it’s that those digital controls are run by general-purpose computers. Because the computer can theoretically be programmed to do anything, the potential once you break in is practically limitless. “It’s that general purpose that gets us into trouble,” he says.
A particular vulnerability for manufacturing is the PLC, or programmable logic controller. That’s the purpose-built industrial computer that sits on just about every important piece of factory equipment, from blast furnaces to automotive assembly robots to lighting and ventilation systems. PLCs can theoretically be reprogrammed with different instructions. Thus, a growing chorus of experts is calling for the development of new analog logic controllers. The PLC of a piece of equipment wouldn’t need to be hooked to a network vulnerable to cyber attack. Its instructions could be changed only by manually inserting a new circuit board, which can now be made quickly using a 3D printer.
Michael Assante, the director of industrial control systems for the Sans Institute, an organization in Bethesda, Md., that trains and certifies cybersecurity specialists, concedes that these analog controllers would be more costly and less adaptable than the all-purpose PLC. Similarly, Kathleen Fisher, a computer science professor at Tufts University who previously worked at the Defense Advanced Research Projects Agency (Darpa), the Pentagon’s research arm, says the cost of adopting analog safety backups across the national power grid would be “prohibitively expensive.” That’s why analog redundancies would be deployed only in mission-critical systems. “This isn’t digital backlash,” Assante says. “For 95 percent of applications, digitizing and interconnecting will get you more benefit than not.”
Despite the costs, many in the cybersecurity establishment are slowly coming around to the potential of analog defenses. Last September, Darpa launched the $36 million Leveraging the Analog Domain for Security (LADS) program, which is attempting to create a set of electronic ears that can detect malicious activity by monitoring the unintentional analog emissions of digital hardware, such as heat, sound, and changed frequencies. “The advantage of an analog approach is that there’s no way for the malware to directly reach through air and affect the monitoring device,” says Angelos Keromytis, who runs the program.
PFP Cybersecurity, a five-year-old company affiliated with the LADS program, already sells a consumer version. PFP says a major electronics brand that it’s not authorized to name has begun placing its sensor into smart TVs to detect breaches.
The last line of defense is what computer security experts have long considered the first line of weakness: humans. “For years everybody went to the notion that people were the fallible ones who clicked on bad links and were taken advantage of,” says Tom Field, vice president for editorial at Information Security Media Group, an industry publisher. “What you’re seeing now is security solutions built around the notion that humans are the ones who understand the business processes and behaviors best, and the ones who can detect when something isn’t quite right.”
The cybersecurity company PhishMe trains the employees of its 700-plus global clients to spot and flag potential malware in their e-mails. Those with the highest threat-detection accuracy are inducted into PhishMe’s network of trusted informants; they’ve shown better success identifying hacks than antivirus software alone. “Our research, technology, and entire company is built around the fact that we can operationalize human knowledge,” says Rohyt Belani, PhishMe’s chief executive officer. “If you rely totally on digitization, you’re in trouble.”
The bottom line: Security experts are coming around to the idea that physical systems provide the best insurance against cyber attacks.