KEYnote 26 English - Fall 2013 | Page 6

KNOW-HOW Secure Boot Micro-controllers and electronic controls govern our lives. From nuclear power plants to factories and commuter trains, they are everywhere. Less than a decade ago, most control systems were innocuous little boxes with proprietary hardware and software, completely isolated from the wider world. When one stopped working, the service technician would have to physically come to the device. Time and cost constraints have forced more and more control systems to go online, where service technicians can handle multiple incidents remotely from the comfort of their workstations. This new comfort also means a new threat: Cyber-physical attacks. Motivations for Attacks Integrity: Why should people manipulate machine controls? Is this the territory of secret services and terrorist organizations? It can be, as Stuxnet has shown the world. Saboteurs? It might sound unlikely, but what is hacking unprotected control systems if not sabotage? When control systems operate offline, the saboteur needs to be physically present to cause any damage. He needs to gain access, and might be caught in the act. A system operating online minimizes the risk for the hacker using a cyber-attack. The hacker can tap into entire pools of knowledge and even work anonymously with many likeminded attackers. The motivation is irrelevant, be it a political message, an attempted extortion, or simply a hacker showing off his skills. The facility’s operators could also try to “soup up” their machines and plants. However, operating manufacturing machinery outside 6 of its intended parameters has many risks, with more wear and tear being the least worrying scenario. The machines’ original producers want ways to stop or at least prove such manipulation for warranty and liability reasons. Confidentiality: Industrial espionage remains a risk that is too often overlooked. But the operating parameters or control concepts of manufacturing facilities are very interesting prey for competitors. Remote connections again make data theft easier. Cinema might have us believe that one could always see who is accessing what data at what time, but real-life systems often only record log-ins via protocols that are too easily manipulated. Data theft often goes by unnoticed, and the