A targeted cyber-attack on mission-critical infrastructure will kill somebody by 2025, an analyst firm has warned, as the increasing compromise of industrial interests takes the cyber security threat to a whole new level.
The warning – which comes as petroleum megalith Saudi Aramco rushes to deal with a ransomware attack that could see 1TB of sensitive data sold online if the ransom isn’t paid within four weeks – came as analyst firm Gartner foreshadowed massive consequences from the exploitation of industrial firms’ operational technology (OT) environments.
OT refers to the various industrial control systems (ICS) that use technologies like SCADA to monitor and control physical operations – for example, pressure gauges, conveyor belt operations, gas and water valves, and more.
Unlike its counterpart, information technology (IT) – where data security has long been a primary concern – many OT systems have few or no security controls because they were designed to operate on a standalone basis.
In an Internet of Things (IoT) era where such systems are being connected to online and cloud systems faster than ever, however, many legacy OT systems are ripe for the hacking.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Gartner senior research director Wam Voster as the firm issued guidance about the security controls needed to protect OT systems.
Discussions with the company’s clients, it said, “reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
Such failures are rapidly becoming business liabilities in a cyber security climate where researchers and cybercriminals are finding potential weaknesses in OT systems faster than ever.
A recent report by Nozomi Networks, which specialises in OT cyber security, found that the discovery of new vulnerabilities in critical manufacturing systems had increased by 148 per cent in the first half of this year alone – with energy equipment, CCTV cameras, medical devices and other life-sustaining systems all in the firing line.
Far from hypothetical
Although most cyber attacks have been designed to extract money or sensitive information from victims, their potential to cause major problems – particularly during a time of conflict or increased tensions between nation states – has been a refrain from the security community since the 2010 discovery of Stuxnet, a specialised worm designed to interrupt Iran’s nuclear enrichment program by modifying the operation of critical centrifuges.
Despite the widely acknowledged threats, however, highly specialised equipment can be difficult or impossible to upgrade with appropriate security fixes – leaving operators with difficult decisions and few clear solutions.
“ICS environments are mission critical by definition and an attack on an ICS system could lead to devastating consequences,” Simon Hodgkinson, a former CISO with petroleum giant BP, said in a recent Cybercrime Magazine interview.
“Securing OT is a really specialist area, and it has been area where the engineering community and cyber security community have never really come together to work as one. And that’s what we actually need.”
A worst-case scenario – sensationalised in the 2007 film Die Hard 4.0 – would see hackers gaining control of, and shutting down, power, gas, distribution, traffic control and other key systems on a widespread basis.
That scenario – which cyber security figurehead Eugene Kaspersky once described as “a user guide for cyber terrorists” – has inched toward reality as emboldened hackers successfully compromise critical infrastructure such as the Colonial Pipeline operations in the US, and the critical food supply chain of Australia-US meat processor JBS.
The breach of Saudi Aramco is in its early days so its resolution has yet to be seen.
However, if sensitive industrial schematics or details of OT systems are sold to malicious hackers or nation-state groups, the breach could ultimately expose the $310b ($US230b) petroleum operator to further targeted attacks – with fatal consequences.
“If the aim of an adversary is to cause significant physical damage and potentially loss of life,” – the Australian Strategic Policy Institute warned in a 2019 analysis that called damaging attacks “a real possibility” – “it is conceivable that they could compromise the integrity of the systems not only by sabotaging control systems but by modifying monitoring systems to override fail-safe mechanisms and alarms.”
Improving the security of critical infrastructure is a key part of the Australian government’s 2020 Cyber Strategy, which expanded the range of critical services to include facilities such as data centres.