
The Internet of Very Cold Things

Brian Nussbaum, Unal Tatar, Benjamin Yankson, Gary Ackerman, Brandon Behlendorf
Wednesday, March 31, 2021, 10:13 AM

Space and the polar regions are remote environments, but they are also geopolitically important arenas of competition among both countries and major corporations.

A residential area in Antarctica. (Ronald Woan, https://tinyurl.com/azezrjhr; CC BY-NC 2.0, https://creativecommons.org/licenses/by-nc/2.0/)

Published by The Lawfare Institute in Cooperation With Brookings

Much of the public discussion around the Internet of Things (IoT) focuses on smart cities and how the IoT is revolutionizing urban services such as parking, lighting and transportation. But less discussed is how the IoT is moving into and changing the nature of remote environments. Deserts, oceans, and space present harsh conditions for mundane activities, let alone for the use of remote technology. Despite these challenges, progress in such austere environments—and specifically in the Arctic and Antarctic regions—has been greater than might be imagined. IoT operations in the polar regions present opportunities for researchers and industry in terms of how to assess distinctive cyber risks and their implications for future operations.

IoT applications are proliferating in these regions for the same reasons they are everywhere else: cost savings from automation, increased focus on optimization and efficiency through data analytics, and a growing need to understand industrial and commercial operations through large-scale data collection. Moreover, the computerization of Arctic petroleum extraction is occurring for the same reason that the computerization of parking and lighting systems is occurring on Main Street in many dense urban areas—to improve the quality of services and operations provided by firms and governments, and to better understand complex phenomena using data.

The IoT infrastructure in Antarctica and the Arctic is often tied to particular industries, like mining, petroleum extraction, maritime, shipping, telecommunications and others. The combination of such industries and remote environments creates complex physical, economic and regulatory environments. Businesses and technologists can learn from these developments, and insights relevant to both remote and traditional technology environments have already been illustrated. Microsoft’s experiments with a data center that spent two years underwater have provided a further understanding of how data centers might be more reliably managed based on different gas blends and limited human interaction. That is, it appears that data centers can be made more reliable by adjusting their internal environment and by reducing their contact with humans.

Neither is it too soon to start thinking explicitly about the unique cyber vulnerabilities and threat landscapes facing Arctic and Antarctic IoT implementations. Cataloging and detailing the unique challenges around IoT implementations in these remote, unusual environments will contribute to an understanding of a portfolio of risks that need management across the various computing implementations—commercial, industrial, research and scientific, governmental—present in the Arctic and Antarctica. These findings will help inform future public and private polar operational decision-making in the short term, as well as resourcing, training, and program development decisions in the longer term.

To understand these challenges, it’s useful to compare the polar regions against another strategically critical remote setting—space. Both of these remote environments—space and the polar regions—involve growing strategic competition among great, as well as regional, powers. Additionally, both environments have limited accessibility, a strategic adversarial environment, and austere conditions—and insights from the strategic space domain could inform future polar decision-making and risk management. Space and the polar regions are remote environments, but they are also geopolitically important arenas of competition among both countries and major corporations.

First, any assessment of IoT vulnerabilities in space and the polar regions must begin with an analysis of technical vulnerabilities of the hardware and software, the use and security of data collected by the devices, and the operational and service impacts of disruptions to such devices. Power and network outages, which occur even in developed regions, will be even more challenging in remote environments. Devices must be more autonomous and resilient than their equivalent devices in less austere conditions or remote locations.

Second, while smart cities focus on sectors clustered around population centers, such as transportation and public services, remote-environment IoT applications are concentrated in a small number of resource extraction, safety, and geostrategically important industries. Sector-level risk analyses of important industrial sectors in the polar regions—mining, petroleum extraction, maritime, shipping and tourism—and in the space domain—communications, information technology, and imaging and sensing—will be key for informing aggregate understanding of cyber risk in these environments. An overarching similarity between the polar and space industries is that most industries operating in them are not consumer-facing but, rather, are focused on natural resources, safety and national security interests. As a result, these industries are unlikely to be able to benefit from quickly decreasing costs and the “move fast and break things” approach that has been dominant in some other technology sectors.

Finally, as might be expected given the strategic nature of remote environments, and all the more so in the case of the polar regions and space, state actors play an outsize role in the cyber threat picture. States have occupied this unique role of preeminence in such environments for both political and financial reasons, but their near-monopolies have been eroding recently in both environments. Both space and the polar regions are currently the sites of frenzied geostrategic jockeying and competition for access to resources and political influence.

There is a clear need for any company or state operating in these environments to be concerned with strategic state-level cyber threat actors. This includes traditional threats like espionage, or having data or infrastructure attacked, but also encompasses additional concerns such as the misinterpretation of one state’s physical access or exploration of certain areas as a front for espionage or attack by another state. While criminal concerns and concerns about commodity malware certainly exist, they may be less pronounced than in environments dominated by consumer goods, mobile devices, payment systems or traditional computers. Because remote environments have limited commercial traffic and limited network infrastructure, targeting those systems with commodity cybercrime doesn’t—in general—seem like a winning strategy for criminals. That said, the increasingly devastating consequences of attacks, such as those caused by ransomware, combined with the difficulties of making repairs and updates in remote environments, mean potential criminal threats are a real concern to systems and infrastructures in remote locales. The theft and breach of data is a problem, but attacks on the availability of data and systems (as with ransomware and denial of service attacks) are especially consequential when it’s challenging to access the hardware and software needed to make improvements, as is the case in remote environments.

There are additional concerns unique to such remote cybersecurity contexts. The disproportionately important role of data integrity (compared with confidentiality) to ensure that systems function safely is key in many industrial or operational technology environments. Monitoring such systems to ensure this integrity is more challenging in remote environments than in accessible ones. The need for remote environment IoT systems to fail into safe modes and remain usable when power or network connectivity is disrupted is even more important when such disruptions are more common, or when such systems are tougher to reach for maintenance and repair. The inability of IoT owners and operators to easily rely on physical access for updating software and replacing hardware makes remote IoT environments more challenging to protect. This is true of attacks on these systems (whether digital or physical) and of accidental failures resulting from misconfiguration or weather damage.

Finally, remote environments have seasonal (polar regions) and orbital or cosmic (space) changes in accessibility, with implications for both deployment and maintenance. Effective risk management must incorporate these unique characteristics and their implications for risk. The polar regions are not necessarily a hospitable environment for IoT implementations, but such deployments are happening and will only continue to grow. It is imperative to begin systematically assessing and mitigating these risks now, if only to prevent minor disruptions from cascading into interstate tensions in this highly contested, and highly challenging, environment.


Dr. Brian Nussbaum is an Assistant Professor at the College of Emergency Preparedness, Homeland Security, and Cybersecurity (CEHC) at the University at Albany. He is also an affiliate scholar with the Center for Internet and Society at Stanford Law School. He formerly worked as an intelligence analyst with New York State's homeland security agencies.
Dr. Unal Tatar is an Assistant Professor at the College of Emergency Preparedness, Homeland Security, and Cybersecurity (CEHC) at the State University of New York at Albany. He is the former coordinator of the National Computer Emergency Response Team of Turkey. He also worked as an academic advisor to the NATO COE-DAT on cyber terrorism issues.
Dr. Benjamin Yankson is an Assistant Professor of Cybersecurity at the College of Emergency Preparedness, Homeland Security, and Cybersecurity. He has over 15 years of experience in various technical leadership roles in Information Technology security within Healthcare and Education.
Dr. Gary Ackerman is an Associate Professor at the College of Emergency Preparedness, Homeland Security, and Cybersecurity (CEHC) at the University at Albany. He is also the founder and Director of the Center for Advanced Red Teaming (CART) at the University at Albany.
Dr. Brandon Behlendorf is an Assistant Professor in the College of Emergency Preparedness, Homeland Security, and Cybersecurity at the University at Albany (SUNY). Dr. Behlendorf's research utilizes interdisciplinary approaches to address policy-relevant problems within homeland and national security, drawing on theories and methods from social and computational sciences.
