Nothing Is Too Big To Hack Any More

The industrial control systems that literally run our entire world are wide open

Photo Illustration: R. A. Di Ieso
Jul 13, 2016 at 11:26 AM ET

Big chunks of industrial infrastructure in both the public and private sector are more vulnerable to cyber attack than they’ve ever been, according to a new report. Because the systems that run pretty much every aspect of life are now so interconnected (think electricity, pharmaceuticals, food production, aerospace, and banking, to start) the opportunities for cyber attackers to access and exploit the networks that run them continue to rise.

As electronic systems take over where mechanical systems once reigned (think: heating systems vs. modern, integrated climate control) more and more devices are hooked up to online networks. A new report from Kaspersky Security Intelligence finds that the number of vulnerabilities in components used in industrial control systems increased to the second-highest amount in nearly 20 years in 2015 and that nearly half of them could be classified as “critical.”

Attacks on industrial control systems like these have the potential to be devastating. In 2015, one security researcher discovered that cyber attackers had found a means of accessing online networks responsible for running the U.S. power grid. Recently, Iranian hackers were convicted of hacking into the control system of a small dam in New York, which could have easily enabled them to remotely operate its gate. The case recalled another 2015 breach in which still-unknown attackers accessed and manipulated a water treatment facility that served several counties in the U.S.

“We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse,” said U.S. Attorney Preet Bharara said at the indictment of the dam hackers. (Basically, “Mr. Robot”-style hacking of Steel Mountain’s climate control system, IRL.)

While 85 percent of these types of vulnerabilities have already been identified and addressed, most of the remaining ones are high-risk enough to be a cause for alarm.

These systems are meant to be physically and technically secure, but making them impenetrable has proven near impossible. The Kaspersky report says that traditional precautions are no longer enough because of the myriad ways external systems and networks can be compromised, including unauthorized connection via smartphone or modem and infected hard drives or USB sticks. As the infrastructure systems become more advanced, they require more parts to function properly, with every link in the constantly-expanding chain adding additional vulnerability.

And in all likelihood, the complexity of industrial control systems is only going to intesify. As technology continues to evolve and the Internet of Things gains in popularity, these systems will become increasingly used for more elaborate purposes, like running smart cities, homes, and cars.