Imagine someone shut down all of the traffic lights in New York City at 4 pm.
That idea has been stuck in my head since Ryan Naraine mentioned it at a round table talk on securing smart cities at Black Hat.
Although the conversation was held primarily among some very technical researchers, the idea of the traffic lights failing in one of the world’s busiest cities was one that I could not shake. Nowadays, everything is connected online — your phone, TV, watch, fitness tracker, maybe even your front door. But did you know that our traffic lights, train systems, and power grid are also online?
It is actually quite scary to think about what could happen if one of the industrial systems that are vital to our everyday lives were to be turned off.
Any of those three could be quite deadly if used improperly. But as with many things, security for smart cities is not where it needs to be.
Bureaucratic red tape and development times for the systems mean security becomes an afterthought in many cases.
The conversation surrounding this issue on the security end is equally annoying. It goes in circles within the security community — and doesn’t go anywhere outside of the security world because average Joes don’t think about it at all, although they should.
When it comes to security, we often focus on the things that we personally use day to day: computers, mobile devices, fitness trackers, and so forth. But those items, as essential as they may feel, are really luxuries, not daily necessities. It’s a huge pain when they get hacked, but they are not typically something that could, say, kill you.
During our AMA a few weeks back, one questioner asked: I was wondering if you had any predictions with regards to when we will start seeing mass casualties and perhaps even death from hacking into ICS [industrial control systems]? Is it possible now? Following from the German steel mill attack, the Black Energy malware, and the Swedish air traffic control attack, it feels like we’re on the brink of something but not quite there yet.
Brian Bartholomew answered: Great question and a tough one to ask the experts. In my opinion, it’s a matter of time before someone, somewhere decides to cross that line and cause casualties. If you look at all the critical systems that are still unsecured and vulnerable to attacks, all it would take is one crazy person and a general understanding of how ICS works to inflict damage to the masses.
This is why securing ICS should be the number 1 thing policy makers and other experts in the field should be focusing on right now. We need more voices like yours out there asking these tough questions to the appropriate people. Regarding who does it… well, again in my opinion, no one is doing it “well.” Well isn’t good enough. It needs to be impenetrable, and right now, that’s not the case. This isn’t a mythological unicorn any longer. It’s been done before and will only get worse.
Vitaly Kamluk answered: Honestly, I don’t want to think about it. Last time I thought about the possibility of malware crossing the border between virtual and physical worlds to destroy a physical object, Stuxnet happened just the next month. I was thinking only about “why so soon?” back then. I feel the same strange feeling every time I hear about sudden disasters such as crashed planes, derailed trains, etc.
A security researcher widely known as halvarflake said earlier this year (reconstructed from my memory): “Physical objects can be owned and/or possessed by you. Computer systems have an additional dimension, which is control: You may own a computer, possess a computer, but with current systems design you can never be sure who is in control.”
This is what wakes me up at night, because this illusion of control we have over computer systems opens infinite possibilities to create tragedies by people who use their power against others.
So, what can be done about this troubling issue?
For starters, as global citizens, we can — and must — pay attention to what our elected officials are doing to keep us safe.
Education and awareness are vital. This conversation needs to grow beyond the security realm and hit the prime time news. A hack of these very sensitive systems could be nothing less than disastrous. It really is something that we should be focusing on more than, say, a celebrity scandal or a dating site hack.