When it comes to computer security, my friends think I’m a Chicken Little. I use robust, unique passwords for every Internet-facing entity (websites and email accounts), aided by a secure password manager program that syncs across multiple devices. Access to each of my computers, tablets and other personal devices is locked with a password, which means I must unlock these devices sometimes multiple times each day. My less security-conscious friends like to point out that the person I most (and perhaps solely) inconvenience with these measures is myself. And while I do at times find them inconvenient, their modeled alternative — using my dog’s name as the password for every website I visit in a laissez-faire mindset of “If they want it, they’ll get it anyway” — would render me bald and sleepless.
Perhaps it is my experience with industrial facilities that drives me to be so security-minded. Industrial cybersecurity is so important that entire organizations, including the International Society of Automation, are working on standards and methodologies for it daily. Industrial ransomware, where data itself or the access to it is held hostage via malware or “cryptovirology leakware” until a ransom is paid, is a real and growing threat. Though researchers at the Georgia Institute of Technology were careful to note that no real ransomware attacks have been publicly reported on the process control components of industrial control systems, the risks for industrial systems are clear.
Imagine what could happen if vulnerabilities in control systems used to manage manufacturing processes, via PLCs or other industrial controls, were exploited. While entities such as hospitals risk disclosing medical records and retail establishments can expose financial information if hit with cyberattacks, the controls in industrial facilities and wastewater plants can be turned against us to display false readings, modify recipes and even obscure product losses and thefts.
The fact that industrial control systems have not yet been widely targeted is not reason enough to assume they won’t be. Researchers at Georgia Tech simulated the role that ransomware could play on industrial control networks as part of a presentation at RSA Conference, an annual cybersecurity conference. The researchers noted that vulnerabilities in industrial control systems have been known for more than a decade, but ransomware serves as a way for cybercriminals to exploit these vulnerabilities for profit.
It makes you wonder whether your IT team has changed the firewall password on your industrial network, doesn’t it? I think I’ll go check my home network too.