Industrial Control Systems (ICS) one of the last CyberSecurity frontier – Stop!

Over the last 4 weeks I’ve witnessed a least 3 near fatal motor vehicle collisions outside the doors of my office at an intersection notorious for accidents. As I watched in amazement as they unfolded in one instance my feet were barely on the sidewalk when the collision happened. Thoughts of the movie The Italian Job and the scene where Lyle (played by Seth Green) hacked the traffic control system in L.A. to route and armored truck along a specific route rushed to mind. At the same time, I remembered about the recent all island power outage.
How are these three events connected? My security brain somehow made them connect and I got to thinking what would be the outcome of a compromise to Industrial Control System(ICS) in Jamaica.

Like divine intervention I was drawn to the movie/documentary Zero Days, which chronicled the development, distribution and effects of the STUXNET virus in 2010. I spent 2hrs later that night renewing my fascination with something I was already familiar with, but I now look at it with a different set of eyes.

The loss of life because of Cybersecurity incidents are relatively low. People lose money, their jobs and other related/connected material possession, but very rarely are people killed as a direct result of Cybersecurity incidents. A compromise of ICS changes this argument dramatically. Let’s look at our intersections regulated by traffic lights. Imagine a hack of the control systems where the hacker gain control over the system and uses that access to intervene in the timing and sequencing of Green, Amber, Red. In such an instance, accidents will certainly happen and the loss of life moves from probable to almost certain. Imagine the intersection of Waterloo, Hope and Trafalgar Roads busy and all the lights suddenly switch to green by someone who managed to hack the system. Is it farfetched? In today’s world? No!
The traffic control systems are just one example where a hacker could cause havoc and loss of life if they were successful in compromising it.

Let’s look at another example. In this country, we generate power largely with the use of turbine engines, which must operate in a very precise manner to be both efficient and safe. These engines are fitted with an array of sensors to monitor and regulate the operation, these sensors are all electronically controlled. There was a time when the fact that they are not directly connected to the Internet made them relatively safe from Cyber-attacks. However, that’s not the case today, they can still be exploited. How? The software/ machine code running on the Programmable Logic Controllers (PLCs) at some point will need to be updated/upgraded. An engineer will need to connect to download/upload data, make changes, etc. This is the point the compromise can happen. A hacker will compromise the laptop or other intelligent device used to make the connection to the PLCs before it was ever connected to the PLC. The malicious code is uploaded to the PLC causing it to operate in an abnormal manner and ultimately damaging/destroying it. Again, I draw my reader’s attention to Zero Days.
Imagine engineers at our power company monitoring the plant and the equipment is displaying as running normal, but turbines are unexpectedly starting, stopping or even catching fire because incorrect data was fed to the sensors. It’s easy to see the catastrophic loss of life that could happen.
I know there are readers saying these systems have built-in fail safes to prevent this from happening. I will counter that by saying if as a hacker I have managed to compromise your primary systems why wouldn’t I compromise the fail-safe as well to ensure I’m successful. Especially if I’m in the system undetected for a long period of time.

The rate of evolution of Cyber threat today makes it safe to say that if it is electronic its hackable.

If the recent event of the attack on the Internet by a Botnet of Internet of Things (IOT) devices is anything to go by then ICS are fair game. The impact of the loss of money is one thing but when the potential for the loss of life is in play then Cybersecurity incidents have truly transcended the Cyber world.

So, owners of ICS systems, are these being evaluated in ways that are similar to traditional IT systems? Are they subject to technology risk assessments and audits? Similarly, to how physical access in many instances are strongly enforced are there similar controls in place for the technology component of these systems. These are just some of the questions to ask yourselves.

Technology permeates every facet of our personal and business lives. Nothing is off limits to a hacker and that includes Industrial Control Systems.

By John Gibson, Senior IT Security Officer