Securing the spectrum - why information management alone won’t keep a 4iR world safe

In cities across Europe, car thieves are using GSM-jamming devices to disable vehicle security systems.

1440x900-4iR-CITY

In London a city-based bank was recently the target of a blackmail attempt where the use of electromagnetic disruptors was threatened against its IT systems. In St Petersburg, a criminal robbed a jewellery store by defeating the alarm system with a repetitive radio frequency generator no more complex than a home microwave oven. And at Newark Airport a jamming device caused major disruption when it interfered with vital airport management systems based on GPS technology. While cyber security has traditionally been seen as an information management activity, the digital world on which we have come to rely is underpinned by radio spectrum access. It is this part of our ‘soft’ critical infrastructure that lacks appropriate resilience and which is rapidly becoming the widest open door for anyone who wants to disrupt critical services.

Radio spectrum access is essential to modern global society. It underpins economies and provides significant social value by enabling access to a huge range of applications and services. Our radio spectrum enables surveillance systems and radars, Bluetooth device connectivity, Wi-Fi hotspots, car alarms, and mobile voice/data. It powers our ability to seamlessly share information wirelessly today, and its importance is growing as it becomes the technical foundation for the Internet of Things, which sits at the heart of society’s vision for smart cities, smart health, smart agriculture, smart energy, and autonomous vehicles. Given the breadth of our reliance on the radio spectrum today and the emergence of new integrated and interconnected systems to enable future services, we need to redefine cyber security as a joint information management and electromagnetic resilience challenge. And we need to do so quickly. The timeframe for addressing this gap is narrowing. Disruption from denial of spectrum attacks is on the rise and there is a suggestion that this is only going to accelerate as 4iR takes hold:

  • The rising demand and reliance on spectrum for most new applications, and the increased interconnectivity of those applications in a 4iR world, means that a disruptive cyber-spectrum event may impact multiple systems and have wide ranging ‘ripple’ effects that cascade throughout society
  • The growing availability of open source platform design and highly reconfigurable cost effective technologies is handing the opportunity to disrupt critical services to a wider group of people. Married with a cadre of increasingly sophisticated adversaries this is resulting in a greater level of experimentation, customisation, and deployment of disruptive tactics
  • Increased automation and autonomous system reliance on wireless sensors and data transfer in a 4iR world is increasing the scale of the threat and the number of opportunities to disrupt services
  • There is a lack of user awareness about reliance on wireless technologies because spectrum access is ‘hidden’ and embedded rather than overt. This will only become worse as more integrated, interconnected services come into play

There is no doubt that appropriate electromagnetic security to build spectrum resilience must be instilled in our approach to building an assured 4iR capability that can enable the next phase of societal development. While defence and security environments are finding it challenging to identify ways to deploy commercially developed 4iR technologies with suitable assurance and resilience, when it comes to securing the underlying spectrum itself, they are well versed, well positioned and well-practised in delivering secure radio systems in critical environments. But in the corporate world, the spectrum resilience challenge simply doesn’t have the profile at board level that information security has achieved. It is therefore imperative that as infrastructure providers delve deeper into the 4iR toolbox and start to explore the art of the possible, they learn lessons from the successful approach of defence and security organisations to accelerate assured spectrum use. They should:

  • Recognise that spectrum resilience is inherently linked to traditional information cyber effects. As a result, they need to test for cyber security at a system level, not an information level. That means testing both information security and spectrum security together as one construct. Not only does this increase awareness of the potential weaknesses within spectrum usage, but it facilitates a better understanding of the rippling impacts of a disruption in spectrum availability.
  • Test spectrum resilience against approved frameworks. There is a role here for governments, users, and service providers to collaborate and design appropriate robust frameworks built on proven test and evaluation methods that can facilitate future security. Building this on a global scale will be far more effective in a 4iR environment than a series of individual national stances.
  • Require organisations to report spectrum attacks in the same way they have to report data security breaches. By building a portfolio of examples that demonstrate where weaknesses were exploited, worldwide knowledge about how to build up our electromagnetic security will grow, reducing the opportunities for adversaries to disrupt critical services.

The emergence of 4iR is already expanding the scope of connected devices and services and we seem to be making a rather obvious mistake. By following the traditional cyber pathway of prioritising information management, we are missing the very essence of what makes cyber threats so ubiquitous – the underlying connectivity which offers a point of access. By making spectrum security a secondary issue we are placing all our chips on the perceived value of information as our biggest risk. That perception is likely to change when the ability to access that information is reduced or removed by malicious spectrum disruption. By which time it may be too late to act.