By Jeffrey Esposito, Kaspersky Lab.
There is no escaping the fact that the Western world is joining the digital age with a voracious appetite. There doesn’t seem to be a single corner of our world that isn’t touched by technology and, alongside it, its bed-partner, connectivity.
Of course, the benefits of fast, efficient and cost effective access and control are huge motivating factors; as is consumer demand. From smartphones to lifestyle monitors, cars and fridges to live monitoring of CCTV by the security forces, everything is becoming connected.
Smart city tech is the next wave of this phenomena; from security to traffic control systems technology is helping to keep the country safe and moving.
The concern for security professionals is just how much attention has been paid to keeping these systems secure. The implications of just one traffic light being hacked could cause devastating consequences; the idea of a whole network of traffic signals, power stations, train lines and communications being compromised is all too terrifying to contemplate.
A far fetched notion cooked up by conspiracy theorists?
Sadly not. The truth is that the security of much of the infrastructure governing the control of these systems is not where it should be.
The deployment of this incredibly useful technology has been low-cost and easy but is not manufactured with in-built security; that is the responsibility of the user. And this is the sticking point because, unlike the hardware itself, building a robust security network is more costly and time-consuming. The result is that the cart is ahead of a horse that hasn’t even woken up yet.
Whilst the average Joe on the street isn’t concerned with this, the security industry is wakening up to the realisation that Stuxnet isn’t an isolated digital weapon; Swedish air traffic control, the German steel mill and Black Energy malware are all good examples of smart tech being exploited at the heart of what should be robust industrial control systems (ICS).
It is now accepted that ICS is part and parcel of the infrastructure of the critical systems of the modern world. What is also accepted that the defence of these systems is a fundamental responsibility of those in governance to keep secure. So, just how secure are they?
Brian Bartholomew, a researcher at Kaspersky Labs, believes that there are many instances of essential and pivotal services that are vulnerable and unsecured. Responding to a similar question in a recent Q&A, Bartholomew commented:
“This isn’t a mythological unicorn any longer. It’s been done before and will only get worse.”
And he isn’t alone. Vitaly Kamluk, also of Kaspersky, added:
“Honestly, I don’t want to think about it. Last time I thought about the possibility of malware crossing the border between virtual and physical worlds to destroy a physical object, Stuxnet happened just the next month.”
But Kamluk and Bartholomew must think about it because they are in a powerful position to influence change.
The fundamental truth is that policy makers are lagging far behind in the race to provide adequate protection for ICS. Not only is there a lack of funding and drive behind these issues but a general lack of understanding.
Those that make the decisions have a limited understanding of just who is in control of these systems and how fragile that relationship is when there are vulnerabilities in the defence.
So, what can be done?
The general consensus of the experts is that despite the average Joe knowing little about these issues it is in their control to ensure that those elected on their behalf get behind the matter…and soon.
More people, from all walks of life, need to be made aware of, and be concerned about, the risks of sensitive systems remaining unprotected. Just as you wouldn’t walk past a suspicious package in the street without alerting the authorities no-one should allow these gaps in our defences to remain unplugged. And this package is ticking.
Without being a harbinger of doom, I’ll leave you on this final comment. If every one of us shared this news with friends and colleagues even one tenth of the amount that we re-tweeted or shared a funny picture on Facebook then the general public would be aware within hours and awareness is the key to change.