Any machine, if it’s connected to the internet, can be hacked; including the automated equipment controlling dams, steel mills and nuclear power facilities.
As we previously reported here, criminals were able to take control of a German steel mill’s computerized production system, forcing an unscheduled shut-down causing “massive damage” in 2014. Likewise, in 2010, a cyberattack was able to disable Iran’s uranium enrichment centrifuges by targeting the software installed in the electronic equipment.
This week, the Wall Street Journal reported that in 2013, Iranian computer hackers accessed the control system of a 22-foot flood-control dam in the Rye Brook suburb of New York City. See Iranian Hackers Infiltrated New York Dam. Attackers of US infrastructure could gain access to control systems controlling water flow in pipelines, water releases and drawbridges, and, in theory, could cause an explosion, flood or traffic jam.
With over 57,000 automated computer systems connected to the Internet in the United States, security experts caution that many “industrial control systems” lack basic security features, and are wide open for attack. See Cyber Risk Isn’t Always in the Computer. Industry leaders are well-advised to accept that isolation of automated equipment is the best security measure available in the Internet Age, and take steps to minimize network connectivity whenever possible. If a company is unable to or does not want to take critical infrastructure offline, however, it must add infrastructure access as part of the company’s cyber incident response plan.