"Cybersecurity experts said Iran, China, Russia the United States and Israel had the technical sophistication to launch such attacks. . "
Oh? No mention of North Korea? Haven't the DPRK hacked a bunch of things lately? Didn't they blame Jong Un for the SONY hack? But NO - the NY Times being a good government shill wants all eyes on Iran, for. . reasons. It's important for Americans to hate Iran, and the drumbeat continues. What about it, NYT?
Investigate, determine the culprit then use the old school technique of targeted assassination against the programmers themselves with the intent of dissuading future would be hackers.
1
This is why I minimize my web presence (including no social media) and will never use home automation or a self-driving car. It is also why I’m designing a completely self-contained and off -the-grid home, with no internet connected functioning. In my case (Puget Sound area), potential massive earthquake survival is a consideration. Cyberwarfare will increase in scale and sophistication. The drive to weaken western democracies through comprehensive disruption and fear is a major goal of the Russians and others. A national solarization/wind infrastructure project, with emphasis on home systems, is badly needed. What do you do if Russia puts out the lights but hasn’t used conventional military weapons? Are we able to retaliate in kind? I would assume so but I don’t know the state of Russian defenses against our cyber reprisal. Would you want to retaliate with a nuke? Nuke warfare with Russia is the end of the world. They know it and we know it. Russia’s plan is death by a thousand small physical and psychological cuts.
7
One more reason to airgap your power plants (and centrifuges), and keep the oil in the ground.
If we really need so much plastic, technology to make it from grown plants instead of good ol'petrol shows promise. We can advance bioplastics' usability and safety, and their better biodegradability, over time.
3
President Trump may be a Putin asset.. think about that.
3
It would give ostriches an undeserved bad name to compare Americans to them. Even as the unavoidable vulnerability of the internet becomes more and more apparent, we wallow in greater and greater connectivity, endangering not merely our bank accounts, privacy, and personal security but, more importantly, the security of our infrastructure, productive capacity, and government communications, as well as the military's command and control.
We went to war in Iraq over phony claims of weapons of mass destruction. What happens when an enemy is able to take over targeting or launch control of our own very real WMDs?
3
Look at the Times story today about Russia hacking into U.S. nuclear power plants.
Probably everyone, but our Putin-loving President, sees the obvious connection between the attempted attack in Saudi Arabia and the infiltration of the U.S. power systems.
2
Even as the unavoidable vulnerability of the internet becomes more and more apparent, we wallow in greater and greater connectivity, endangering not merely our bank accounts, privacy, and personal security but, more importantly, the security of our infrastructure, productive capacity, and government communications, as well as the military's command and control. We went to war in Iraq over phony claims of weapons of mass destruction. What happens when an enemy is able to take over targeting or launch control of our own very real WMDs?
It would give ostriches an undeserved bad name to compare Americans to them.
3
I used to be a software engineer, now I work in the field of cybersecurity;
1 - Most systems are made poorly.
2 - Most computer systems are way to complex.
-------
Switching subjects slightly, people in the industrialized world are much to reliant on electricity.
5
Stuxnet made attacking controllers popular. Now we start paying the price.
8
Unfortunately, due to a serious lack of understanding of the vulnerabilityof systems probably the only way to secure critical facilities will be to physically disconnect them from the internet. This will mean inconvenience and added expense, but that will be a trivial cost compared to the loss of an electrical generating plant, an oil refinery or a chemical manufacturing facility, to name but a few potential targets.
It would be a good bet that should we attack North Korea there would be a massive hacking response, with untold consequences.
10
I'd read about this in trade mags before. there wasnt new info here. first, know NERC in US has been on this for a long time with whats called CIP standards at least for power plants.
next, SOME fire-eyes burner management system components, specifically flame failure sensors. they look at a flame optically for proof at start and for continuous monitoring. loss of flame should shut down fuel supply and begin post-purge for an orderly shutdown. I'm GUESSING if you overrode this you could lose process control of a frac tower, reformer, cat cracker, heater, furnace or any of a dozen other types of equipment. it could get ugly real quick esp in say an ethylene or ammonia plant.
note these processes ALWAYS have redundant safety systems, ie if you lose flame, a secondary system shuts fuel supply. if it tries to run away, you have sensors that trigger auto shut down on say hi temp, pressure, flow changes.
but note this; thats why there are human operators who monitor a central system called a DCS 24/7. they *usually* can catch a process upset early but trip automatically if critical processes goes out of the operating envelope.
what worries me is if they accessed a critical safety system that talks to a DCS, they have full process access. THAT worries me alot more. air-gaps alone arent enough anymore.
I still think this requires physical access, say impersonating an OEM tech. know thats how our govt determines if a plant is making pesticides or nerve agents like in london.
6
I recall not long ago - prior to Stuxnet - where someone claimed, in no less a publication than Harvard Magazine, that fears of disabling physical devices thru viruses and hacking were overblown because such feats were impossible.
Now this has probably become the greatest threat - the first salvo if real war were to break out, by taking down entire systems, (electrical, network) without which little else would function
3
"...the Iranian government has denied any involvement in such attacks..."
I'm shocked, shocked I tell you, that people might possibly look towards Iran.
Best,
--Keith
@KeithDPatch
1
We are all enablers. We could all be disabled. Easily. Our civilization may not end with a large explosion, but begin to end ever so marginally then grow until it has its own life and voracity. What will you do when the banks, gas stations grocery stores no longer function. Closed systems. No portals. Raise your hand if you know what a buggy whip is. How about a pencil.
3
Sadly when our “leaders” decided to hand everything over to hackable computers they ignored the very real risks. I’m sure someone tried to tell them and was summarily dismissed and now we all will pay the price for shortsightedness and the desire to hand over billions to buddies in the tech industries.
4
Could this have been a response to Stuxnet?
4
"The Triconex system WAS BELIEVED to be a “lock and key operation.” In other words, the safety controllers could be tweaked or dismantled only with physical contact."
Security shouldn't be a matter of faith.
2
Hi Renata--
Yes, hope and prayer are not a basis for sound engineering.
Best,
--Keith
@KeithDPatch
2
watch Alex Gibney's film Zero Days, another attack on the same facility is covered in it which was a response to the US's Stuxnet attack on Iran's Natanz nuclear facility. Fascinating and terrifying.
4
I don’t care. Cyber attacks on Saudi Arabia is nothing next to their Bin Laden absolutely supported attacks on 911. His money came from them. Barbarians with oil money. Their a viscous lot of oil tribes now jailing their fellows. I’m remembering 911 every time they are mentioned. It’s sickening that we let Kushner be involved in an unprecedented military deal with them. The news of them seeking nuclear capability is terrible.
2
Note that the words "inside job" were used in the article. Separating the system from the Internet isn't going to stop the inside job attack. It's likely that the program was introduced on portable media such as a memory stick or a disk. One of the necessary parts of real security with these systems is disabling all inputs other than those needed for the job. If necessary, a "nothing in, nothing out" policy needs to be enforced, with all personal items left outside the secure zone and, if necessary and possible, people passing in and out in "minimal" clothing (they can always keep work clothes in lockers on the secure side).
Harsh? Yes, but technology has gotten to the point where massive amounts of data fit on a piece of plastic the size of your thumbnail. A memory stick doesn't have to be the kind you buy in the store. If you take some of them apart you find that the guts are just a small plastic tab with some contacts on it. It could easily be concealed in the mouth and plugged into a computer when nobody is looking. That's why all unnecessary inputs to a computer need to be disabled.
3
"Cybersecurity experts said Iran, China, Russia the United States and Israel had the technical sophistication to launch such attacks." - How could Iran enter into the top echelons of cyber-sophistication, even above Europe, Canada, and Scandinavia, without Russia's help?
1
Reportedly, the CIA did this to the USSR's Siberian gas pipeline system in 1985, causing a massive explosion.
4
It was 1982 according to this article from 2009, but your point is spot on.
https://pgjonline.com/2009/11/17/hacking-the-industrial-scada-network/
Exploiting multiple vulnerabilities of these systems has been going on for decades, as has ignoring many of those risks during the planning, permitting, and construction phases of each new project. The consequences are foreseeable if not entirely predictable.
4
All I can say is thank goodness for the low quality products Micro$oft produces. If they were as reliable is *nix's we'd not have much work.
Go Solar!!!
3
Self-drive cars anyone?
6
The list of possible suspects is suspect. Iran has the capability to orchestrate the attack but Japan, North and South Korea, and Taiwan don’t? We can pick a continent and find cyber security know how. The question should be who has the motive instead of who has the capacity. The Middle East is riddled with complex layers of motives.
1
No critical system should ever be physically interfaced with the public internet, period. Whether via a human weakness or programming error, the mere fact that there is a physical connection to a unpoliced, global network leaves the door wide open to trouble. It used to be that critical computer interfaces were made across “private line” connections obtained from the phone company. They were relatively slow and expensive, but also highly secure and isolated from the general public. A second physical internet will need to be eventually built for a world filled with robots and self driving cars. Companies will resist spending the money, continuing to claim they have solutions to secure the current system. Despite these claims, a network that no unidentified and unverified person is allowed to attach to will inevitably need to be constructed. As with many other things human, it may take a few unfortunate catastrophes to drive this fact home.
3
In many systems, radio, satellite, or microwave links between primary control servers and remote sensing and signaling stations in challenging terrain are used. Interrupting the data flow in some of these designs is relatively trivial with low tech methods, even in a system completely disconnected from the Internet, having no portable storage or audio input or output devices, and being securely housed and guarded. Taking control of the remote stations through radio, satellite, or microwave is a bigger challenge that carries a greater risk of being caught, but if a remote station takes hours to reach by service personnel, just interrupting data flow at a critical moment can do significant damage with minimal investment or risk.
We are relying on vulnerable systems. Every fix brings more expense and new vulnerabilities. At some point, appeasing would attackers, possibly by including them as stakeholders, must be a consideration. To the extent that is not possible because the system owners and constituents are engaged in some level of warfare with potential attackers, one must recognize the wisdom of the old maxim, "live by the sword, die by the sword." There is no easy way out of such a predicament.
1
Every such critical system should be air gaped or at least require a call back to a known and secure number to be accessed by any network. Hard wire internally with fiber as well.
I was a consultant to many utility companies and agencies that had SCADA systems vulnerable to the Y2K bug. Although it was known that a failure of systems responsible for controlling the water, sewer, and hydropower operations was imminent, it was still a struggle to get the various supervisorial and management boards to commit upgrading their hardware and software before their primitive systems risked failure because they lacked the ability to store and process four digit year values in their databases. Even after getting a commitment to correct that vulnerability, coming to a decision on what else to upgrade and how far into the future to plan for was often a long and emotional process driven as much by egos and competing pet projects as with calculations of future costs and needs.
It is easy to point out the many vulnerabilities of these systems and all the ways they can be improved. Much of the trouble stems from the fact that the users, administrators, and managers rarely face a recognizable security challenge, so they become complacent or even cynical about the need to invest system upgrades, training, and drills necessary to protect existing vulnerabilities.
Without regulations and enforcement requiring better security, many energy and utility systems, especially in smaller organizations, will remain vulnerable until predictable disasters make the headlines. Then, as with Y2K, the struggle to decide on projects and budgets will begin while the risk lingers.
10
Note the length of time before this incident was reported: 5 months for the last one (though it was ignored by the press). 15 months from the earlier attack. Why the delay? Considering the spread of investigators involved, from private firms to gov't agencies of multiple countries, the silence was impressive. But why? Wanting to get the story straight? Preventing potential panic, more likely.
This attitude - don't tell the public, it will cause panic - is common among leaders. Churchill, according to the Darkest Hour, didn't want to reveal France's defeat to the British for that reason. Another 2017 movie, the Post, shows Secretary McNamara convinced truth will doom the war effort. Cyber conflict is especially unnerving, so secrecy may rule.
On that note, it's interesting how quickly explanations for the 2013 Super Bowl power outage were forgotten, unchecked. If a foreign or malevolent hacker wanted to test cyber power, what better way than disrupt this country's most watched event. That's nothing without evidence, but with secrecy ruling, would there be any?
1
A technology expert speaking in a recent documentary pointed out that governments and their citizens openly discuss the kinetic capabilities of traditional military weapons--tanks, bombers, aircraft carrier groups, ballistic and cruise missiles, and nuclear weapons, but governments don't talk to their citizens about cyber warfare and its predicted results. We read about the Stuxnet virus loosed by the U.S. and Israel against Iranian nuclear centrifuges (which virus unintentionally spread beyond Iran's nuclear facilities is now being used by everybody against everybody), but we citizens have no real idea what these weapons will do when fully deployed against water, sewage, electrical generation, and natural gas facilities.
My suspicion is that the more dependent a society is on technology, the greater the damage that can be inflicted on such society. Asymmetrical warfare. So, yeah, an off-the-grid solar electricity generating/storage capacity and a good water well might be a good idea for those who can afford it. And I wonder what will happen when stocks and bonds can't trade for weeks on end.
7
The major problem with the cyber-war is that it's carried out in secret. There can be no resolution to this problem until incidents such as these and the methods for carrying them out, are made available to the general public. Until that happens, we all remain prisoners of the electronic systems that have invaded our lives over the past twenty years.
6
I have worked in this field for years. The widespread use of digital industrial process controls has been around since the 1960s and gained a huge amount of traction in the 1970s. It's extremely rare for anything other than digital controls to be used for these systems today. This won't change because they have too many advantages in comparison the to the old ways of controlling complex processes. The down side, of course, is that these systems are always vulnerable to hacking and programming errors. In my training, going back over 30 years, the emphasis was on "defense in depth." In other words, using physical (often mechanical) fail-safe components to prevent accidental or deliberate mis-operation from causing a catastrophic problem. Cyber security is rightfully the first line of defense against hackers trying to sabotage industrial facilities through their digital control systems. My concern is that we have migrated away from the defense-in-depth philosophy, thinking that the digital systems can be both the first and last line of defense. This is unacceptable for critical or dangerous facilities like power plants, petro-chemical plants, and a wide range of others.
44
This is certainly unsettling but it underscores two points. Systems run by a computer are vulnerable and systems run by a company whose major purpose is to make money are vulnerable. Consider the disaster of the Japanese nuclear plant when hit by the tsunami. It was well known that this could happen and that the nuclear waste at the plant was vulnerable but the ownership chose not to spend the money. Not related to cybersecurity? Of course it is. This is about investment in items that don't generate a profit. It is about paying your employees well and ensuring that training is continuously upgraded so the probability of them being bribed to put the bug in the control system is lower.
I see comments here about not connecting to the internet. I am pretty convinced that sooner rather than later, an unconnected system will be hackable through satellite controls. And when I think of driverless cars and even the computer software in my 2011 car, I realize that the software is continuously upgraded - thus connected to the net. And thus readily exposed to sophisticated hacks. Just imagine a freeway of driverless trucks suddenly losing all their controls - or more likely, instructed to crash into other vehicles or structures. We can see only too well that investments in items, that don't add to a business's quarterly growth or profit lines are put off too far into the future.
And the off button on the system may prevent hacking but won't keep the plant running.
17
A properly air gaped system can never be hacked unless you get physical contact with the system. That can happen as you can bribe people.
2
Interesting that we are mobilizing all defenses in recognition of the risk of a cyber attack on fossil fuel and petrochemical infrastructure, and yet, we portray our domestic "valve turners" who literally and openly interfere with fossil fuel infrastructure - with success- as environmental heroes.
2
In the cyber world, grey hat hackers serve a useful purpose by exposing security vulnerabilities and demonstrating the ease with which they may be accessed and exploited. Often, that is what it takes to motivate companies to invest in security necessary to protect customers, the public, and the companies themselves. Environmental activists who sabotage vulnerable infrastructure that threatens public safety and resources because of an underinvestment in safety and security operate similarly.
In both cases, the way to avoid unwanted tampering is to get out in front of the problem by doing a good job of planning and executing sound safety and security precautions. Taking shortcuts to improve the bottomline while keeping fingers crossed that predictable failures will not happen (until the responsible parties have moved on to their next gig) leads to memorable disasters like Deepwater Horizon, the Texas City Refinery Explosion, the Chevron Refinery Explosion, Exxon Valdez, Fukushima, Three Mile Island, and too many oil train, pipeline, and coalmine crashes, leaks, collapses, and explosions to count.
I don't recall seeing the grey hat operators who try to make it unprofitable to gamble with public health and safety being portrayed as heroes, but to the people whose lives, livelihoods, health, and communities are put at risk by such endeavors, I suppose they might be more appropriate than calling them "eco-terrorists."
Safety first. Anything less is reckless.
3
Get every Windoze machine out of there. Use Macs or Unix boxes, extremely limit login credentials to critical systems, and cut off access by vendors and contractors.
Easily deceived low-level people with too much access are the problem.
4
I think it’s easily deceived high level people who are happy to ignore the risks so that money can continue to flow.
2
Lock down, disconnect. Think of it as as slogan like loose lips sinks ships. Lock down your companies laptops, then disconnect from the internet. Besides email seems to be preventing rather than helping. Especially when your being copied on everything. Do your employees really need to go through a couple hundred emails and texts each day? Sounds pie in the sky, but the dark web is winning here and companies are losing.
6
When will the IT idiots learn to keep things off-line?
Target stores lost data on millions of sales - credit card numbers and other ID because someone thought it would be “neat” to send reports on every store’s energy use straight to its mainframes via Internet.
Nobody ever thought that the companies making Heat Ventilation and Air Conditioning controllers weren’t too concerned with security of their low-importance data.
Instead of sending daily e-mails to an energy use central system, and checking for bombs before sending it to the Big Box, they just connected the cheap insecure systems and ...
Why would anyone ever put dangerous machinery on-line. If you do, it can be cracked and literally blown up from a laptop anywhere in the world.
If it’s off- line, attacks are limited to “inside jobs”, and a check of those inside is easier than checking the world, controlling who gets inside equally easier.
It’s the same reason you don’t use the Internet for National or your home’s security, but it makes life easier for bureaucrats and homeowners worldwide -so the former doesn’t have to use a secure phone to check in, and the latter can turn on the air conditioning (and unlock doors) from anywhere - just for the sake of convenience.
Blasts and burglaries result.
12
Before spreading panic and loathing about insidious dark forces attacking our infrastructure it’s important to recognize that these petrochemical production complexes have always been liable to horrible and unfortunate accidents. Volatile chemicals are being processed under extraordinary temperatures and pressures in vast quantities to make ingenious and ordinary products that support modern life. Highest level safety, regulation, training and maintenance are non negotiables for the business owners to extract profit from the enterprise.
4
Re: "...Highest level safety, regulation, training and maintenance are non negotiables for the business owners to extract profit from the enterprise..."
That was why I mentioned 'Texas', above...
Tx has gotten rid of, (allegedly, 'burdensome'...), regulations, like...mandatory requirements to be able to identify EVERY chemical / product on site, resulting in serious additional hassle-/-hazard when police/fire/E.M.S./E.P.A./N.T.S.B., etc., respond...
Do we all remember that cell_phone video, (...a Texas fireworks Mfg. factory caught fire, then exploded...), nearly killing the civilians, recording in the process?
3
There is a trade off between efficiency/gain and vulnerability/risk in nearly all things. The problem is that humans are good at understanding gains, but lousy at understanding risks.
Our entire society has benefited from digital controls in industrial and consumer products. This digitization trend is accelerating with the “internet of things”, driverless cars, industrial automation, etc.
Cyber attacks such as this reveal the vulnerability and risk that is inherent in these gains. If such attacks ever succeed in crippling critical infrastructure, the vulnerabilities could impact the daily lives of billions of people.
We cannot, will not, and should not reject digitization en masse. We must, however, conduct much more rigorous and systemic risk analysis for every digitized system, and then weigh the costs versus the benefits.
16
Does everything really need to be operated by computer? If there is one lesson from cyber warfare it should be that everything that is connected is a potential target. If the tools do not exist to protect major targets, perhaps those assets should not be connected to the internet. I know that sounds simple, but perhaps simplicity is the answer. Or maybe not.
11
We have been told that we are far more advanced and have the capacity to hack and destroy any country's systems with cyberattack. So, when we determine a country who has attacked us or an ally; why do I not hear a retaliation. Though we will never admit it, but it will leak out any way, and I am OK with that.
3
The U.S. doesn't use cyberattacks against other countries' commercial facilities because, first, it sets a precedent of using such attacks offensively--rather like when Reagan bombed Libya in retaliation for the Pan Am flight bombing. Once the U.S. deploys cyberattacks which result in injury and death--no doubt among civilians--then the U.S. has said it is OK for everyone else to do so as well.
Second, the U.S. is probably the most cyber-dependent society on the planet. Thus, being "wired" to the hilt, we are more open to attack than Russia or China. Once a country pushes over a cyberattack domino no one knows where it will stop.
And, finally, yes, we would hear about such an attack, and so would our enemies. Remember the Stuxnet virus? Well, because the Israelis were sloppy in their use of Stuxnet it spread beyond the Iranian nuclear-facility centerfuges initially targeted and now everyone has it. It is rather like spreading a mutated biological virus among your enemy and hoping it doesn't spread so far it gets back to you.
Messing with our power grid should not be too difficult and the results would be catastrophic. Our power company's infrastructure is extremely vulnerable and they could keep the power on if their stockholders lives depended on it. They don't reinvest any of their profits into improving the infrastructure, ever.
Trust me, as someone who has spent 3 of the past days in the dark here in New England.
11
To be secure we need to maintain vigilance all the time. Attackers only need to be successful once. Between Stuxnet and this attack it shows the need to establish good security practice. This also shows the need for continuous monitoring with controls to make sure malware is not installed. Unfortunately many control systems were developed before widespread connectivity and security is a bolt-on. Security is not as effective as a bolt-on, better to build it in from the start.
2
In spite of all it's shortcomings I know the world has got to go completely computerized and automated. I just know it.
Pretty compelling argument, no? These are heady times for hackers, the world is now their oyster. I almost envy how they get served on a silver platter.
2
If I remember correctly we made to explode a Russian oil pipeline with a faulty computer code more than a decade ago.
4
Clearly the Russians and the Chinese are practicing for attacks on the US using soft targets like the Saudis. Who cares about the Saudis? Noone. Which is why it's ok to fail over there. Still, US cybersecurity firms better step up to protect installations that count.
5
Seems like Iran has likely just taken this cyberattack from the US playbook which Iran experienced first hand 8 years ago. This wasn't a new kind of attack. The US and Israel likely perpetrated a similar attach on Iran centrifuges back in 2010 via Stuxnet. Hard to believe there was no mention of Stuxnet at all in this article. US and Israel pioneered the approach taken in this latest cyber-assualt.
66
Thank you, but this kind deliberate omission by the Times has become all too easy to believe.
The U.S.'s Stuxnet cyberattack on Iran is fully depicted in Alex Gibney's film, "Zero Days," and is required viewing for anyone interested in the genesis and history of cyberwarfare.
9
This attack is apparently new in the sense that it was remotely launched. Stuxnet is thought to have relied on an insider introducing the bug physically into the target system. A successful remote launch is obviously more threatening and points to future attacks that are harder to prevent. I agree that stuxnet could have been mentioned here, but this is not entirely derivative of stuxnet as you imply.
14
I think there is a bit of a difference between sabotaging a program to illegally advance nuclear weapons and sabotaging a plant just to blow it up.
1
"In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault."
Why would the author make this claim? The stuxnet virus which destroyed Iranian centrifuges was just such a cyber attack of hardware sabotage that occurred eight plus years ago.
Are we not supposed to know that the U.S. and Israelis are widely regarded as pioneers in the field?
51
It is Shamoon2, Iran is back at it attacking Saudi targets again. Getting scarier as cyber-terrorism is born, expect infrastructure risks and at some point, success in breeding a disaster.
https://www.reuters.com/article/us-saudi-cyber/saudi-arabia-warns-on-cyb...
Good article. From everything I have researched the attack on this facility was a complex, coordinated, and multistage attack. The safety system in question, fortunately, did its job and shut down the plant in a safe manner. Process safety systems are the last line of defense in process plant operations that will shut the plant down safely in the event of abnormal operation. Reprogramming a process safety system would allow abnormal situations to happen with no shutdown. The petrochemical companies really need to pay closer attention to cybersecurity at the control system level, it's not just an IT related issue. The industry's overall investment in control system infrastructure is lagging compared to their investment in IT. There are a lot of old systems installed without enough attention being paid to cybersecurity and proper pant procedures and operations.
23
Mostly agree. I'm not an alarmist by any means - but what really concerns me here is Saudi Aramco is def among the best in terms of systems investment, adherence to safety etc. for obvious reasons. Also, Triconex team is excellent... So if such vulnerability existed within these processes, a real petrochem industry catastrophe due to malfeasance will doubtless occur sooner rather than later.
2
Imagine a massive explosion at a petrochemical plant near a densely populated area of the United States that kills scores of people. Then imagine that investigators discover the explosion was triggered by a cyberattack from overseas -- and the scramble is on to determine if it was Iran, North Korea, China, or Russia. While such an attack hasn't yet happened in the U.S., the possibility isn't the stuff of science fiction. As the attack described in this article demonstrates, the threat is very real. As an author of thrillers (e.g., Lethal Code), I write about cyberattacks like this. My villains don't fail due to a mistake in their computer code. Unless we dramatically improve our cybersecurity (particularly for industrial control systems), such "fiction" could turn into deadly reality with serious consequences.
13
"Cybersecurity" is an oxymoron. Experience has shown that one can not "secure" a system that is designed to be open. The first line of defense for computer systems is (or should be) the physical security of the machine. The control systems of a chemical (or nuclear) plant can be designed to be closed: there are no access points outside the facility, and interconnection of (sub)systems is minimized.
My personal systems are rendered secure when not in use by an ingenious device called the "off switch."
34
STUXNET was believed to be introduced into the Iranian lab system via a contractor's machine, infected intentionally (and randomly) in hopes of hopping across their air-gapped system. Granted that quarantine and rigorous anti-malware checks would possibly abate that hazard, I doubt that even the off switch would render anyone "safe" today.
1
Don't be too sure. I read a hacker who said that he could break into any computer, off or on, that had power. He said, "As long as there's power, we can get in."
Many institutions of government and commerce that we depend upon as a civilization will continue to whistle past the graveyard. Instead of conducting post mortem assessments, management and governments must adopt policies of proactively addressing security loopholes and make it a primary responsibility at the highest levels of authority. The bad actors will continue to escalate and improve the sophistication of their capabilities.
14