IT can fail. It often does. We restart IT, and life goes on. Hackers can also compromise these same IT systems creating disruptions and causing theft of credentials. All manners of serious consequences result from these compromises.
When Operations Technology (OT) fails, the consequence is of a different nature – arguably far more significant and far more serious. Decades of safety systems developed to keep OT from failing work – most of the time. That’s the good news. The bad news is that these OT systems and their parallel safety systems were not designed to stop the present threat of hackers whose intent would be to make them fail in catastrophic ways – including task 1 to turn off the safety systems.
A state of geopolitical competition
Consider also that we are now in the time of cyber as a tool of geopolitical competition. That is a nice way to say “nation-state” attacks – the same thing. It is time to consider, with utmost urgency, the cyber protections needed for the installed base (legacy) of OT systems and the future base of innovations that will surely bring more of this kind of automation into our daily lives. The installed base of OT is a much longer topic – for another time. The future base of OT is the topic of this piece.
About smart cars
Smart cars make sense when we also consider smart roads and a smart IT/OT infrastructure. We are at the start of the age of smart transportation, roads filled with sensors to interact with autonomous cars in ways to control flow and enhance safety. Smart cars and smart roads go together. They connect by means of a computer network.
For smart transportation to succeed, it will need all three parts: autonomous capabilities in cars + smart roads + an IT infrastructure that connects them together. Together, they combine to make smart transportation. That is the future. 2018 will serve as the year where this future accelerates.
We should make them secure from the start – all parts. Consider this scenario. Someone hacks a car. It makes the news. The impact was – a hacked car and possibly a traffic accident. The sale of cars vulnerable to these hacks is undiminished. We’ve seen this scenario already. But accidents happen all the time. Now consider if it were the “smart road” that is hacked, and the hacker navigates up the network into the applications and the databases. This can’t happen – right? For those who make their living doing ethical hacking, the question is typically, how much time do I have?
OT failure paired malicious intent
Coupled with other malicious intentions in this geopolitically motivated time we are in, the scenario just described takes on far more significant importance. We don’t have to think too hard to know what can happen when OT fails.
The failures of the Deepwater Horizon oil spill into the Gulf in 2010 did incalculable damage. It is a manifestation of this OT failure in an extreme case where the combination of failed processes, sensors plus human error created this perfect storm. It is prudent to ask the question, can these kinds of events be intentionally perpetrated by human actors working to hack the system, allowing them to learn enough of the control processes to orchestrate this kind of catastrophic failure? In the year just starting and the years to come, we are likely to find that the answer is the same – how much time do I have?
What do we do? We start to recognize these very possible issues and become skilled in cybersecurity for both IT and OT systems, for smart transportation and all the other OT industries. That is the start – with urgency.