Cybernetics for the Future
Cybersecurity professionals are well versed in the Confidentiality, Integrity, and Availability (CIA) of information as a foundational concept. But critical infrastructure is a horse of a different color. As cyber attacks on critical infrastructure become commonplace, it’s clear that more is at risk than just information; lives are at stake.
What is Cybernetics?
Cybernetics is a term that was first coined in the 1940s by mathematician Norbert Wiener. In his book of the same name, he delves into the science of what he called “cybernetics” or, as described by the book’s subtitle, “control and communication in the animal and the machine.” Although the term cybernetic is not often used, the concept of automated control is integrated into almost every aspect of our lives, from critical infrastructure to the medical industry to your refrigerator. In this and subsequent books, Wiener worked to advance the science and understanding of automation and control systems. Also a philosopher, he drew some logical conclusions about where all this automation could lead.
“Those of us who have contributed to the new science of cybernetics thus stand in a moral position which is, to say the least, not very comfortable. We have contributed to the initiation of a new science which, as I have said, embraces technical developments with great possibilities for good and for evil.”
How did we get here?
Gradually, perhaps invisibly for most, software is eating the world. The same is true for the domain of cybernetics. When Wiener first defined cybernetics seventy years ago, it did not imply, let alone require, software. In those days, control, or the execution of control logic, such as for the power grid, train switching or other critical infrastructure, was primarily performed by hardware. Since then, software, because of its inherent flexibility, has become ubiquitous and even synonymous with modern control systems that are embedded in critical infrastructure around the world. Implementing automated control has brought myriad benefits. However, connecting software-based systems to the Internet has become a serious global-scale problem. This fact has been illustrated quite vividly in our interconnected world by a recent Russian military cyber attack called NotPetya, labeled by the U.S. Government as the most destructive and costly cyber attack in history.
Enter von Neumann
At about the same time that Wiener was developing his ideas on cybernetics, the complementary and seminal work of John von Neumann was setting the stage for an explosion of general-purpose machines. Von Neumann published his paper on what has become known as the von Neumann architecture in 1945. The basic structure proposed in his writing contains memory, a processing unit, and a control unit, and remains the basic architecture of every computer, PC, tablet, smart phone, or industrial controller on the planet. The beauty of von Neumann machines is that they can be repurposed by simply loading new software. But beauty is in the eye of the beholder, as the increased flexibility of software also introduced additional risks that are now becoming apparent. Like the Sword of Damocles, software running on general-purpose machines has brought unimaginable luxuries to life, but it has also created unimaginable opportunities for nefarious actors to bring misery. Once repurposed with new software, or malware, the machine will simply do what it is told without a conscience. The evidence of this can be seen regularly in the headlines as criminal hackers focus their attention on the electric grid and the nuclear power industry in addition to financial institutions. Even the ‘good-guy’ hackers have sounded alarms about the vulnerabilities of hyper-connectivity and the emergent risks. As a society, we have yet to learn the lessons of what can go wrong when we connect all these von Neumann machines together via the Internet. Although von Neumann was clearly ahead of his time, he might be surprised at his architecture being described as the root cause of our cybersecurity problems.
The Attack of the Toasters!
Many will not feel threatened by innocuous remotely programmable household devices (e.g., refrigerators, toasters, digital video recorders) that have gone rogue. However, malicious actors can aggregate and repurpose the computing resources of any Internet-connected device, including Internet of Things (IoT) devices, into what are called botnets. In other words, the aggregate risk is much greater than the sum of its parts. For example, the Mirai botnet, at its peak, reached 400,000 devices and launched a Distributed Denial of Service (DDoS) attack that impacted Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter. Thus far, DDoS attacks represent a major nuisance, but have not resulted in physical destruction of equipment or the death of people. However, as nefarious actors turn their attention toward critical infrastructure, DDoS attacks or other more targeted cyber attacks could have grave consequences. The ability to compromise and repurpose systems (including industrial controllers and IoT) on a global scale, enabled by the von Neumann architecture, makes determining risk difficult for individuals, organizations or even nation states.
What Can Be Done?
We need system designs that can limit or eliminate the primary vulnerability (i.e., remote programmability) of software-based systems used to operate and protect critical infrastructure and society at large. System designers will need solutions that are as easy to use and as cost-effective as existing software-based systems. The goal is to develop a new class of systems embedded within critical infrastructure that will in fact be unhackable while providing the same level of functionality as software-based systems. Not just theoretically unhackable, but provably unhackable. Inflexibility, once a major drawback of old-school hardware-based systems, represents a key feature that could provide the last line of defense against criminal hackers.
Cybernetics for the Future
Having seen a few technical advancements over the course of my career, I am encouraged by the willingness of scientists, system engineers and private entities to embrace old ideas recast with new technology. Perhaps part of the reason these ideas are being embraced now is because other digital options have reached a point of diminishing return. Just one more black box to watch all the other black boxes is not as appealing as it once was. Together, with the right policies, strategies and an equal dose of persistence, we can avoid the evil that Wiener predicted by designing cybernetic systems from the ground up to do what they are designed to do, and nothing else.