KNOW-HOW
Secure Boot
Micro-controllers and electronic controls govern our lives. From nuclear power plants to factories and commuter
trains, they are everywhere. Less than a decade ago, most control systems were innocuous little boxes with
proprietary hardware and software, completely isolated from the wider world. When one stopped working, the
service technician would have to physically come to the device. Time and cost constraints have forced more and
more control systems to go online, where service technicians can handle multiple incidents remotely from the
comfort of their workstations. This new comfort also means a new threat: Cyber-physical attacks.
Motivations for Attacks
Integrity: Why should people manipulate
machine controls? Is this the territory of secret
services and terrorist organizations? It can be,
as Stuxnet has shown the world. Saboteurs?
It might sound unlikely, but what is hacking
unprotected control systems if not sabotage?
When control systems operate offline, the
saboteur needs to be physically present to
cause any damage. He needs to gain access,
and might be caught in the act. A system
operating online minimizes the risk for the
hacker using a cyber-attack. The hacker can tap
into entire pools of knowledge and even work
anonymously with many likeminded attackers.
The motivation is irrelevant, be it a political
message, an attempted extortion, or simply a
hacker showing off his skills.
The facility’s operators could also try to “soup
up” their machines and plants. However,
operating manufacturing machinery outside
6
of its intended parameters has many risks, with
more wear and tear being the least worrying
scenario. The machines’ original producers
want ways to stop or at least prove such
manipulation for warranty and liability reasons.
Confidentiality: Industrial espionage remains
a risk that is too often overlooked. But the
operating parameters or control concepts of
manufacturing facilities are very interesting
prey for competitors. Remote connections
again make data theft easier. Cinema might
have us believe that one could always see
who is accessing what data at what time,
but real-life systems often only record log-ins
via protocols that are too easily manipulated.
Data theft often goes by unnoticed, and the