The James Bond movies of the sixties introduced death rays that took out entire cities. In the late seventies, Star Wars brought us immense Death Stars that could destroy planets in seconds. And now analyst firm Gartner is scaring the bejeebies out of us with the concept of deathware — malware designed to actually kill people.

According to Gartner®, “By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.” Further, Gartner states, “Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.”¹

“In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner.¹

According to Gartner, “security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable).”¹

Gartner goes as far as predicting that “the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents. As well as lives being lost, compensation, litigation, insurance, regulatory fines and reputation loss will mount up fast.
To make matters worse, the analyst firm predicts that CEOs will be personally liable for these incidents.”¹

Sensational, but true

Yes, an element of sensationalism is apparent in such pronouncements. But there is an element of truth woven into them.

Consider the autonomous vehicle: Hackers can already scan and steal entry credentials from keyless entry systems with relative ease. There have also been instances of people managing to take over control of someone else’s vehicle remotely. Once autonomy enters into this landscape, it is conceivable that someone could create chaos by messing with driving algorithms. A handful of deaths have been reported from self-driving cars.

Taking it a stage further, Greg Schulz, an analyst with StorageIO Group, noted that planes, trains and transit systems are becoming more and more automated. As that trend progresses, a successful hack opens up all sorts of opportunities for those with terror in their hearts. Schulz mentioned additional pathways to destruction that could be introduced via drones, Alexa or Google devices, smartphones, computers, garage door openers, home heating, ventilation and air conditioning (HVAC) and other building control systems such as elevators.

Further, factory floor systems, warehouses and industrial facilities are getting increasingly populated by robots. Movies such as I, Robot highlighted the consequences of robotic automation run amuck. How about using infected robotic programming or a corrupted drone to bring about someone’s demise?

“It could be possible to use a drone to kill somebody directly, but what’s more likely is a death due to operator error due to flying recklessly,” said Schulz. “Perhaps the most serious repercussions that could threaten life might be felt due to attacks on 911 dispatch, traffic lights or air traffic control.
There is also the possibility of harm by infecting IoT and SCADA systems that control power, water and gas networks.”

Water system poisoning incidents have already taken place. “The attack on th...