When we read about hacking, malware, the latest vulnerability and cyber warfare, our thoughts generally turn towards what everyone understands as a security breach: exfiltration of personally identifiable information (PII), ransomware, and the theft of intellectual property.
However, many in the information security community knew it was only a matter of time before hacking would take on a life or death dimension, and that time has now arrived without question. In August 2017 a petrochemical plant in Saudi Arabia was subjected to an attack designed to sabotage plant operations and trigger an explosion. The attack would have succeeded if not for a mistake in the attackers' code.
Worse yet, this almost-successful attack could be handily replicated in many other facilities, since many other plants rely on the same computing platforms. Given the breadth and sophistication of the attack, it is almost certainly the work of a state-sponsored threat actor.
Additionally, last year the Wolf Creek Nuclear plant in Burlington, Kansas was targeted by unknown threat actors conducting a cyber-attack. The attack was so severe - attempted mapping of the network, presumably in preparation for a later attack - that the Department of Homeland Security and the Federal Bureau of Investigation issued an urgent warning.
Most critical infrastructure facilities are controlled by supervisory control and data acquisition (SCADA) systems, which are architected into critical infrastructure to provide control of, and data analysis on, facility operation. Such systems belong to a class commonly called operational technology (OT): systems that can affect physical processes through direct or indirect control.
From a cyber security perspective, the vulnerability of operational technology such as SCADA systems is well established. Part of their inherent risk stems from the era in which many of these devices were created, long before most manufacturers could conceive of today's security threats. Only the very best cyber security practices, coupled with continuous vulnerability scanning, monitoring, and re-evaluation of architecture and technologies to match the threat landscape, are likely to prevent the successful execution of an attack with life or death outcomes.