Iranian cybercriminals managed to hack into the control system of a dam 20 miles from New York City just two years and two weeks ago. The dam had been officially opened only two years before.

The attack has gone largely unreported, kept secret as is standard operating procedure for industries that manage control systems like power grids, factories, pipelines, bridges and dams.

“We have seen cyberincidents that are not disclosed because companies are worried about the damage they could do to their brand name,” explained Barak Perelman, CEO of Indegy.

“I can tell you that 50 percent of the facilities we visit say they’re air-gapped but zero percent are actually air-gapped,” Perelman asserted.

“Air-gapped” refers to a state that many infrastructure-related companies attempt to create in which their control systems are not connected to the public Internet.

“There’s always some connection to the internet,” he continued. “There’s always that technician who doesn’t want to drive to a facility at all hours of the night for emergencies and plugs in a modem so he can connect from home.”

Because of this general tendency, the air-gap myth actually feeds a false sense of security that is especially dangerous in our era of cybercrime and internet terrorism.

“If a hacker gets into one of those industrial networks, he can do whatever he wants to do in that network,” warned Perelman.

The hackers that took control of the New York dam’s control system did not actually damage any control systems, which Perelman labeled as a “matter of choice and not capability.”

That said, the successful hack still constitutes a major threat. Hackers tend to leave behind viruses that may activate and wreak havoc in the future.

“They leave behind a ‘red button’ capability,” explained Perelman. “If they need that capability in the future for either negotiation or an act of aggression, they can press the button and cause physical damage.”

This is an especially prevalent issue among industrial systems, as officials in this field tend to be less open to upgrading software. Often the same industrial controllers that were installed in the ’90s are still in use, making it that much easier for hackers to learn about and move through the system.

“These controllers were designed when security wasn’t in anyone’s state of mind,” he explained.

Compare that worldview to companies like Microsoft that are constantly patching their products and releasing new updates, and you can see how much more vulnerable industrial companies allow themselves to be. This is not great news considering many of these companies control the electrical power for schools, airports, hospitals, grocery stores, and other facets of our society that are completely necessary for progress to continue.

Security-minded companies are investing more and more money into CDOs or Chief Data Officers. CDOs can monitor who has access to data and who should actually have access, an excellent way to perform damage control when a breach does occur. CDOs can impose data regimens that reduce the risk of sensitive information leaking into the public eye or worse, into the hands of a hacker.