Cyber – Where virtual and physical meet
If we are concerned about the grid being destroyed by coronal mass ejection (CME) electro-magnetic pulse (EMP), we need to pay attention to “the cyber threat” as well.
I recently presented to a group of vendors in the ICS space and my key point was: operational technology (OT) is where cyber meets physical. I’ll explain.
In the Industrial Control System (ICS) verticals (power, water, manufacturing, mining, oil & gas), human beings were historically used (“take ‘at shovel, and put ‘er to some good use!”) in a process to produce gold, oil, a car – whatever. Then we started adding mechanical components like engines to speed things up (you might have heard the story of John Henry going head-to-head against a steam drill – and winning… but losing).
Today – we use robots to put bolts in holes, and we use computers to control these robots and monitor processes like mixing chemicals and measuring temperature, pressure, vibration, etc., and these computers often run WINDOWS!
In a practical example, consider the origin of the Stuxnet malware. It was first discovered as the root cause for the Iranian nuclear program “setbacks”. Check out the movie Zero Days if you want to learn more, but essentially, centrifuges that spin too slow or too fast tend to blow up, which is bad for soft squishy stuff in immediate proximity – like humans.
What do you think happens if chemicals are mixed wrong (have you ever mixed ammonia and bleach in the bathroom and wondered why you started feeling funny?), or the vibration/pressure sensor is either disabled or reports that “everything is fine” right up until it explodes? How happy were the 800k people who lost power in Ukraine about 2 years ago because they got infected? I bet there was at least SOME unpleasant impact beyond a few people having to huddle around a candle until the power came back on.
Additionally, these systems tend to be fragile. When they are being assessed, you can’t even do a basic discovery scan on them because you might cause a device to burp when it’s, say, pouring molten metal into a form. This is the equivalent of not being able to take something through a damp room to test if it is waterproof.
For numerous reasons, this is the prevalent state for many OT environments out there, not just our grid and critical infrastructure. Shockingly, the healthcare industry is often way behind the curve on cyber security. This is yet another example of where the potential impact in an incident will be loss of life.
The idea is not to incite panic, but we likely won’t seek change for things of which we are ignorant.
Story of John Henry
Movie: Zero Days