Author: George Loukas
ISBN No: 9780128012901
Review date: 09/12/2023
No of pages: 271
Year of publication: 29/07/2015
Cyber-Physical Attacks, 1st Edition, A Growing Invisible Threat. An introduction to cyber-attacks that have a physical impact, and how to defend against them
Perhaps you are comfortable with the idea that a cyber-attacker might take control of your car in the future; or the full-body x-ray scanner you are inside when in hospital; or traffic lights; or a medical implant inside you. If you are concerned, as a citizen, let alone as a security person, the book Cyber-Physical Attacks: A growing invisible threat, by George Loukas, takes you most usefully through the issue.
As Loukas (a senior lecturer in cyber security at University of Greenwich) sets out at the very start, a cyber attack used to be in cyberspace, to do damage to it – such as the data stored. Not any longer. An attack in cyberspace can affect the physical world, whether it strikes at the confidentiality of data, its integrity, or its availability. Hence the attack on an industrial control system does damage if it sets all the lights at red or green; or on your connected car if it unlocks the door or shuts the engine down. The attack isn’t merely on the cyber and physical security of the object, but public safety and resilience; we don’t want a power station let alone a nuclear power station out of control. Loukas defines security as ‘one of the grand challenges in designing trustworthy cyber-physical systems’. That may worry readers as designers of such software maybe more interested in making their name (and money) by writing the software as quick as they can, with security a secondary matter.
In style and content the book is commendably readable in what could have easily bogged down the non-specialist reader in computer code. As the author sets out, in a cyber-physical world, a cyber-attack can direct or have indirect consequences; if an air traffic control room is cyber-attacked, what about the aircraft in flight?! What if you cannot download a flight (or container ship journey) plan, or print passenger tickets? Or what if cashpoint machines won’t give out money; or they just spew it out?! This isn’t new; Loukas points to an Australian case in 2000 of a disgruntled man who accesses a (new) SCADA system and released raw sewage. The book goes through what can be attacked – and it’s a long list, whether implantable medical devices or unmanned aerial vehicles. Don’t rely on something being obscure, Loukas advises, such as SCADA in industrial control systems: “More than anything, ‘security by obscurity’ creates a false sense of security, which is dangerous by itself’.” Loukas covers the Stuxnet virus which he terms ‘a milestone in industrial control system security’. Interestingly we might have the same problems from poorly written or flawed software; the difference is just that the cyber-attacker exploits the flaw, for whatever reason, and by numerous well-documented methods that Loukas goes through. He gives a chapter over to ‘protection mechanisms’ and ‘secure design principles’. As Loukas sums up, a whole country might lose its internet because of one cable severed – which can be due to an accident with a ship’s anchor, besides sabotage. Disruption to services, then, is not new; but we can look forward to ever more exotic and serious losses of services, the more we use sensors and become connected in the Internet of Things.
Chapter 1: A Cyber-Physical World
Chapter 2: A History of Cyber-Physical Security Incidents
Chapter 3: Cyber-Physical Attacks on Implants and Vehicles
Chapter 4: Cyber-Physical Attacks on Industrial Control Systems
Chapter 5: Cyber-Physical Attack Steps
Chapter 6: Protection Mechanisms and Secure Design Principles
Chapter 7: Physical-Cyber Attacks