Salesforce Security CTO: How A DDoS Attack Can Impact A Smart Grid

October's distributed denial-of-service attack may have only influenced websites like Netflix and Twitter, but the security attack has much higher stakes, said Salesforce CTO Taher Elgamal.

The denial-of-service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites. But Elgamal, speaking Tuesday at IEEE World Forum of IoT this week in Reston, Va., said the attack could have even more dire consequences in another scenario.

"What does it mean to mount a denial-of-service attack on a power grid? If the energy grid is down for 15 minutes … that affects the entire society," he said. "All of a sudden the threats that we used to care about but not too much come front and center. What happens if you could inject data into something? … We could actually modify the readings off these meters.’

October's attack has deepened the industry's concerns over the security risks in the Internet of Things.

The attack on Dyn came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data.

To keep up with the changes that users will face from IoT, security experts need a new way to approach threat modeling, argued Elgamal. For instance, security specialists need to think of a threat model that is asset-centric rather than attack-centric, since assigning "value" to losses may be difficult in many cases of IoT.

"Crossing into the physical world of IoT is taken very lightly – but it shouldn't be," he said. "As a society we need to build systems that are better and that aren't open so that hackers can access them."