Picture this. The main government agency Mi6, which is at the forefront in cyber security and offensive hacking (allegedly) is hacked and their office is blown up. That is exactly what happened in Skyfall (Eon Productions 2012). The bad guy, played by Javier Bardem, hacks into Mi6 and turns on the gas remotely thus blowing up the building and hitting the government at its core. With advances in technology this situation is not actually as farfetched as it might seem.
For over a decade malware (viruses) haven’t really been a physical threat, settling instead for the theft and deletion of its’ targets data. However things moved on when, in 2010, the infamous Stuxnet worm was discovered allegedly targeting power stations. A large percentage of the infections were in Iran and Indonesia. This is one of the first computer virus attacks whose aim was to cause real world damage. Flame, a similar virus, was discovered in 2012 in Iran. Like all technology, viruses will continue to develop and evolve.
Increasingly SCADA (Supervisory Control and Data Acquisition), or in simple English critical infrastructure controls are plugged into the internet. As well as SCADA large companies and public sector organisations are starting to connect elements of their buildings’ infrastructure to general networks and the Internet. This means that power stations, sewage, building electricity and gas etc… have an internet connection. This causes a problem; if something is on the internet it could be accessed and tampered with.
Graeme Batsman, Security Director at EncSec, a firm which secure HNWI, Celebrities, computer equipment and communications commented: “Over the years I have heard a number of horror stories. Recently I was casually talking to the Infrastructure Manager of a large site in North England who indicated that “he or she” can control the sites’ lighting, electricity, windows and more from a single computer.
Worryingly the sites’ control PC is on their standard network and it has a normal internet connection with no extra security. Shockingly it can be accessed by the Infrastructure Managers’ personal Android phone, which is only guarded using a simple username and password, despite the potential implications there is no additional security whatsoever.”
Android is probably the least secure mobile operating system out there, with up to 95% of mobile malware aimed at it. Since the phone discussed in the above example is a personal phone there is little control when it comes to protection such as: pin, lock, self-destruct, antivirus etc... Should the PC or phone be hacked, lost or infected someone could remotely alter settings in the “real world”. Turning on the lights may scare someone but what happens if you opened all the windows or, as in Skyfall, turned on the gas? The consequences wouldn’t be too far away from what was shown in the movie.
Adding an internet connection to critical infrastructure or controls will only cause more problems. Ideally control PC’s should be on a separate network, with no internet connection or, if an internet connection has to be added, then very strong authentication should be enabled. With every device you can think of being internet enabled consumers and the manufacturers really need to think twice about available security measures.
Chapter Author
Contact Graeme
Journalists, students, potential clients or anyone else email.......
graeme@datasecurityexpert.co.uk
Something private to say?
PGP public key
graeme@datasecurityexpert.co.uk
Something private to say?
PGP public key
Cyber security: Is a real Skyfall waiting to happen?
- Details
- Category: Blog