Critical Infrastructure Can be Hacked by Anyone
Well that is not a comforting thought.
Cybernews is reporting that using an Internet of Things search engine (like Shodan, but they don’t say which), they were able to scan big swaths of the Internet. In their case they were looking for exposed IoT systems.
Not just any IoT, but critical infrastructure IoT. Here is just a sample of what they found.
This represents an onshore oil well and it looks like they could change flow from this interface.
This system seems to control five different off-shore wells.
Perhaps you would prefer to control the water supply instead.
Or perhaps you would like to drinking water undrinkable.
If you would prefer to mess up the other end of the process, maybe you could make this poop plant poop in the wrong place.
These hacks did not require a great deal of skill. They did not exploit zero day vulnerabilities that only nation states have access to. Sure it took some work, but these guys are journalists, not master hackers.
Only the electric grid as **BEGUN** to take these threats seriously and they are only taking baby steps.
In Europe, Facebook can be fined 125 million Euros for for not taking down a piece of terroristic content within an hour.
Have any of these companies been fined anything? I don’t think so.
Maybe hackers don’t want to start a fighting war, but for anarchists, who knows. Let’s say there is an anarchist in Iowa. Are we going to bomb Des Moines?
What if the hacker *WAS* in Des Moines but took over a computer in Germany to launch the attack. Are we going to attack Germany? Anarchists would like us to do that.
Needless to say, this is a bit of a mess and these are only samples of what they were able to do.
One of the problems that the critical infrastructure industries have is that many of their control systems were designed when people were still painting pictures on cave walls with ground up plants. Well, not exactly, but in technology terms, pretty much exactly.
If the government doesn’t FORCE these companies to pass security tests like the DoD is beginning to force contractors to deal with under the threat of not getting any contracts, nothing will improve.
Since most of these companies are regulated, their regulators need to approve the rate increases necessary to fix the problems and, for most regulators, this is a theoretical problem. After all, no one was provably killed by my decision not to force utilities to improve their security.
And since most legislators have trouble starting a Zoom conference without help from their millennial intern, I would not hold out a lot of hope for those same people understanding the complexities of industrial internet of things devices.
I just hope that it won’t take a Bhopal-style disaster to get their attention.