We hear about denial of service attacks, leaked user accounts, passwords and credit card numbers, and how different organizations spy on each other, on companies and citizens of the world. This is not surprising news: ICT evolves and is being used for various purposes, both legal and illegal. Yet a much more serious and lethal crisis is just around the corner; we are just waiting for the first major events to really happen.
Our modern society is totally dependent on ICT. All our digital systems and services are becoming intertwined and connected to the Internet. Power grids are becoming intelligent and smart, and water delivery is digitally controlled with various remote access functions. Our road and air traffic is controlled with digital systems and communication networks. The production of goods, even power, is automated and handled with digital systems.
One only needs to use an Internet search engine for a few minutes to find tens, if not hundreds, of reports of industrial control systems (ICS) that have serious security flaws, as well as security holes built in on purpose to ease their daily maintenance. We can also easily find on the Internet various exploits to use against those systems, to take them down from anywhere and at any time. Some of these vulnerabilities are simple enough that a schoolboy can hack the system and cause it to fail.
The scientific community had a good reminder of the scale of this problem when an MSc thesis from the University of Cambridge used the Shodan search engine to find thousands of vulnerable industrial control systems in the world. This work has since been continued by many groups, including Project Shine, which has so far found 1 million industrial control systems on the Internet.
At Aalto University, we tried to find out the scale and significance of the problem using Shodan at a national level. We found thousands of industrial control systems in Finland. Many of the targets had, for example, no secure login installed or the administrator password openly available. Some of the found systems were easily identified as misconfigured or otherwise vulnerable. But we could not go very deep in our study for fear of breaking Finnish law and becoming criminals ourselves. Thus, we can relatively easily find targets but cannot fully say which of these systems should be openly available and which should not; it would be safe to assume that most of the systems must not be there for the whole Internet community to connect to.
There seems to be the same naïve thinking in the industrial control systems community as the Internet community had about 20-25 years ago: who would want to harm us? Back in the early days of the Internet, people and users knew each other and the concept of security was somewhat of an afterthought; it isn’t anymore.
In the industrial control community, system vendors and their customers have neglected to take the security of their environments seriously; many have been on the right track, but so many are still lost or simply engaging in classic wishful thinking.
However, the kinds of systems we see connected openly to the Internet even in Finland are frightening: power plants, water delivery, hospitals, jails, railway track control systems, gas stations, grocery stores, building automation, and so forth. The vast majority of these systems will only harm a small group of people, e.g., in one office building, but there are systems that, if taken down, will cause casualties either directly or in due time.
In addition to the networked targets, we have industrial and automation systems that are not connected to the Internet. A direct connection is not, however, mandatory, as was evident with the Stuxnet strike on the Iranian nuclear program; the break-in happened with a USB stick.
In our modern, globally connected digital society, we do not have the option to simply hope for the best. We have to find all these vulnerable systems today, make an assessment of their use, and start fixing the problems. We have not yet seen a crisis caused by an attack on a major civilian infrastructure, but it is only a matter of time before the first incident is reported. Hopefully, governments and the industry at large have enough evidence to start acting now, before we see the first catastrophic event. A further challenge is that in the digital world new weapons and exploits are manufactured at the speed of light.
Aalto University School of Electrical Engineering
Department of Communications and Networking