Newest Hacker Target: Larger Systems That Run Everything Else
Steven Bucci
The “systems that control our systems” are now among the most lucrative targets for hackers. Control systems are the computer programs that run and manage other computer programs. They manage water treatment plants, they run the D.C. Metro system, and they run the multitude of systems in hospitals.
About a month ago, a pair of security researchers discovered vulnerabilities in a popular online control system, the Niagara Framework (NF). These vulnerabilities would have allowed hackers to breach networks that use NF and steal passwords and user names. This week, the Department of Homeland Security’s (DHS) Industrial Control System Computer Emergency Response Team announced that it felt that Tridium, a tech firm in Virginia, had fixed the security problems.
This example demonstrates that control systems have developed into the main target in the cyber world today. These ubiquitous programs essentially run everything, and they have great potential—but also great vulnerability.
NF is widely used (300,000 users in 52 countries), and chances are you have used a service that was controlled by it. NF controls systems as diverse as hospital beds, patient screening/monitoring, patient records, elevators, furnaces, and security cameras—and does it all remotely.
This is a prime example of the difficulty of “covering all the bases” in the cyber world. Every day, we add more and more of these systems to ever more complex networks. It is efficient and cost effective, but it adds incredible vulnerabilities that even middle-grade hackers can penetrate and exploit. We should not retrench to the past, but leaders in government and business had better get a lot wiser with regard to security. Just because you “haven’t been hit yet,” that does not mean you are safe. In many cases, you simply don’t know that you have been hacked. Leaders should understand that the more an online control system can do, the more attractive it becomes as a target.
We don’t need regulation (a la the Cybersecurity Act of 2012) of the cyber realm, but we do badly need leadership.