This might come as a surprise, but a hacker can actually kill you.
For a skilled few, a laptop can be used as a powerful weapon system – one that’s more lethal and accurate than any firearm I carried while I was in the military.
Luckily, most of these hackers don’t want to kill you. They mainly just want your money, your intellectual property or data they can sell. So instead of killing you, they prefer to just rob you.
Does that make you feel better?
Throughout my career in and out of the military, I have worked with critical infrastructure and key resources, and what can be done with a poorly developed, insecure Industrial Control System (ICS) is very scary.
We have ignored the security of critical infrastructure and key resources for so long that our way of dealing with these archaic systems is to tell people they do not need to worry…because not even we know how they work. That may have worked in the past, but ignorance cannot and should not be our “security plan” as we move forward with new technologies.
Fortunately, the security of critical infrastructure and key resources is covered and thoroughly audited, and we have a lot of brainpower working on solutions. Yet this doesn’t address the very real possibility of poorly developed and insecure systems causing accidental deaths.
Just as a hacker can change the cycles in a centrifuge (think Stuxnet) or open up a dam in your local town, the same is true of everyday systems that help dispatch the local fire department, control a patient’s blood sugar or keep planes in the air. Malware, vulnerabilities and threats on trains, airplanes or medical devices can turn something meant to help you into something that kills you.
With all of the interconnected transportation systems and new IoT technologies, these threats are not just a cyber issue anymore. They are a public safety issue. These systems need to be inspected for physical cyber safety issues the same way we inspect braking systems and track grade. We need to train safety inspectors to look for physical cyber safety defects that could be as devastating as faulty train brake pads.
Physical cyber safety is something we should all be working on. Unfortunately, most organizations are approaching it like an ostrich – by sticking their heads in the ground and hoping it will pass. The other approach – which is frequently used by the government and many industries – is to deny responsibility or attack those who identify cyber safety issues.
Physical cyber safety is a real issue and it will take the cooperation of industry, government and even hackers to find a solution. We also need to put some teeth behind physical cyber safety. In other words, the government needs to step in and start regulating and inspecting. I know no one wants the government to tell them what to do. But let’s be real. Would you speed like crazy if you had no chance of getting in trouble? Of course you would. Now, would organizations build software and hardware without any regard for cyber security and privacy if they knew they’d be heavily penalized for it? Probably not.
The following are ten key cyber safety areas that we need to pay attention to in the coming year. My criterion for this list was simple: If threats, malware or vulnerabilities of the system components or aggregate system components could result in deaths, it made the list.
- Weapon systems, drones
- Police, fire and emergency telecom / systems
- ICS – nuclear
- ICS – electrical grid
- Medical devices
- Transportation systems – air, ground and sea
- ICS – water filtration systems
- ICS – industrial robotics
- ICS – farming industry
- ICS – safety-testing equipment
- Emergency call / 911 centers
- ICS – pharm
- ICS – food industry
For the risk assessment methodology, I used the good old NIST process: risk = threat × vulnerability × impact. Initially I wanted to develop a list with rankings from the highest to lowest probability. However, my calculations all came out the same. They were all high. Yes, it really is that serious.
Thinking I missed a few?
You’re right. However, my objective here is simply to start a discussion about the lack of physical cyber safety – not create an exhaustive list. That’s something that should happen moving forward as we work to address our nation’s critical need for physical cyber safety, and protect innocent lives from being lost.