Protecting cyberphysical systems against attacks

Expanded Transcript

Alvaro Cardenas is an associate professor of computer science and engineering in the Baskin School of Engineering at UC Santa Cruz.

Tell us about your research

I’m working on cyberphysical systems security and privacy. “Cyberphysical systems” is an academic term for computing systems that interact with the physical world so it includes IoT (the Internet of Things) and other embedded systems like autonomous cars.

We’re looking at the security and privacy challenges of these technologies as they become more immersed in our lives.

As one example, control systems for the power grid have existed for centuries but it’s only been the last couple of decades that they have been replaced by computer-based controls, and their communications now use computer-based networks.

And there are other new technologies like autonomous cars. As security researchers, we’re asking, what are the challenges with these cars, with a computer basically controlling all of the car’s functions? If an attacker gets access to the intelligent actions of the car or the autonomous sensor, that attacker can potentially control the car or even hijack it and cause all sorts of mayhem.

Your work was recently featured in Newsweek magazine. Can you tell us about that.

Some of my work that was recently featured in Newsweek magazine and also IEEE spectrum was trying to understand the vulnerability of IoT devices. Everyone knows IoT devices are vulnerable.

There’s a classic saying for people who study IoT security, and that’s that “the ‘s’ in IoT stands for ‘security,’” meaning they don’t have a lot of security!

What we’re doing in these papers is addressing little known risks of IoT devices and trying to raise awareness. We were looking for example at smart toys for children, essentially an Alexa for children. So a child talks to the device and the device talks back, so it’s a way for a child to interact with the toy. The device can tell them stories, help teach them basic things, and so on. And this is probably just the beginning. In the future we can expect many more of these devices.

We sat with one of these devices and looked for its vulnerabilities. We found a way to hijack, or intercept, the connection between the device and the cloud. So if we could do this, then an attacker could do the same thing, and inject himself in the middle of the connection and actually talk to the child. What we found is that there aren’t just privacy risks with these devices, but also the potential for other risks, like psychological damage an attacker can inflict by insulting the child. Or risks to a child’s safety by posing as the trusted toy, and telling the child to drink something that’s unsafe or telling the child to open the front door by imitating the voice of the child’s mother.

So these are the new threats that people may not be aware of , and our research is trying to help raise the awareness and increase digital literacy for consumers.

What are you trying to accomplish with your research?

What we want to do is enable this new set of technologies, because cyberphysical systems and IoT do have the potential to improve our way of life. They can lead to better, more energy-efficient power grids, autonomous cars, and so on, so potentially we’ll have shorter and safer commutes, reduced pollution, better use of resources, but at the same time, without securing these devices, everything can go badly, so we’re trying to enable these new technologies that can help us but at the same time develop solutions that will allow us to use the technology safely and securely.

My research covers two topics: understanding the problem, and then securing the device against the problem. So I attack systems in order to understand where the vulnerabilities are and what the risks are. Once we understand the risks, then we know how to better secure them.

What is the impact, or potential impact, of your research?

The biggest impact for us would be to be able to incorporate new technologies to all the critical infrastructures like the power grid, autonomous systems, chemical processes, drones, and IoT and enable these technologies to fulfill their promised benefits while at the same time making sure they’re secure.

In what ways does the state of California particularly benefit from this kind of research?

As one example, California is one of the leaders in the U.S. in renewable infrastructure and renewable energy, in the adoption of renewable energy into the power grid.

Renewable energy is great, but it can also place the power grid into a little bit more vulnerable state because it doesn't have the “inertia” that traditional generators have, so any sudden changes in say demand could possibly take down the grid.

One of our recent papers was on the impact attackers can have when they attack heavy-wattage IoT devices like thermostats and water heaters. We were trying to answer questions like, What impact would there be on the power grid if an attacker were to take control of 100,000 water heaters in California and turn them all on or all off at once? In general our research found that the classical power grid with a lot of inertia could survive this kind of attack, but the more renewables you integrate, the more vulnerable the power grid becomes to big changes. With more and more devices like water heaters and thermostats -- and even electrical cars -- connected to the internet, we want to understand the potential impact of dramatic sudden changes to our infrastructure.

With respect to renewable energies and the power grid, as security researchers, we want to enable new technologies so first we find the problem (potential vulnerability or risk) then we try to make sure the IoT devices are properly secured so that we can allow the adoption of these new renewable sources of energy into our power grid in a safe and secure manner.