On December 23, 2015, at least six power companies in western Ukraine were targeted in concerted assaults. Their grid-management computers were taken over by malware. The hackers then remotely opened circuit breakers before erasing critical files and destroying the grid management system. The hackers simultaneously overloaded the call centres, preventing companies from even assessing damage via customer complaints. Consumers were blacked out for many hours. Technicians had to physically inspect sub-stations and manually flip switches to put the power on again. A Russian hacker group, Sandworm, is suspected of orchestrating the attack. This is the first time a power grid has been hit. But there have been earlier cyber assaults on physical infrastructure. The most famous of these was the Stuxnet worm, which specifically targeted Iran's nuclear infrastructure and reportedly caused severe damage to centrifuges.
Cyber assaults of this nature are likely to be used increasingly, not only by terrorists and criminals but also by hackers working for governments. Cyber assaults are relatively cheap and easy to pull off and therefore very tempting in an era of asymmetric warfare. There are many soft targets. A high level of damage and disruption can be caused while maintaining deniability. The task of protecting infrastructure from cyber attacks is very difficult and likely to become even harder as more devices come online. Much of the infrastructure is in private hands and controlled by different companies. The hardware is often legacy and the software may be written for antiquated operating systems with many vulnerabilities. Ironically, however, the cyber attack could have hurt even more if Ukraine's power grid had been fully automated with no manual controls.
India, like every other nation, must find ways to harden its infrastructure against such assaults. As of now, whatever security exists is piecemeal. A programme is required for educating all classes of users about the need for basic security and also the deployment of disaster-recovery processes across mission-critical systems. In addition, any serious cyber defence will involve developing offensive capacities since that may be the only way to shut down a hacker assault. So there is a serious need for a coherent national security architecture, with both defensive and offensive capacity as well as strong disaster-recovery mechanisms. Creating a specialised agency on the lines of the US National Security Agency, which plays both operational and advisory roles, may be worth consideration. Of course, such an agency would require carefully drafted legislation to enable it and provide due oversight, but it would be worth the effort. This is now an urgent requirement since the Ukraine assault is likely to inspire copycat efforts.