Terror of the SCADA and IoT: coordinated attacks on critical infrastructure

  • Ageing systems are a security nightmare
  • Hacked water treatment plants could infect millions of people
  • Even connected medical devices are potential weapons
  • As more and more medical devices are connected, the danger grows increasingly acute

Communicating freely, smart devices joined by the IoT promise great things. For instance, they allow Supervisory Control and Data Acquisition (SCADA). A SCADA system enables its users to monitor complex data streams and regulate the sources of that data to maximise efficiency. You can find SCADA systems in everything from hydroelectric plants and water treatment facilities to hospitals.

It’s the command and control features of SCADA systems that make them attractive for critical infrastructure. Because you can measure, say, flow rates in a water treatment facility and adjust them in real time, or regulate and control power output in a nuclear plant, SCADA systems are ubiquitous and important. But they’re also frighteningly vulnerable. As Tom Simonite reports in the MIT Security Review, those most in the know are the most concerned. Experts worry that the hyper-connectivity of the IoT-linked SCADA offers an easy target for malicious software and hackers. This is no small problem, and it’s not unlikely that we’ll see coordinated, simultaneous attacks on critical infrastructure in the future.

Ageing systems are a security nightmare

In March 2016, Eduard Kovacs reports in Security week, relatively unsophisticated hackers were discovered by Verizon to have penetrated the SCADA systems of a water utility. Taking advantage of the utility’s antiquated hardware, first acquired in 1988, the hackers moved from customer and payment information to industrial control systems after discovering that “the internal IP address and admin credentials” were stored on the server. They were then able to adjust the flow rate and chemical treatment of the water. Fortunately, human monitors at the utility noticed before damage was done.

But as Kovacs warns, “…the attackers likely had little knowledge of how the flow control system worked. The attack could have had far more serious consequences if hackers had more time and more knowledge of the targeted industrial control systems (ICS).” Had they been more sophisticated, and had the monitors been automated and digital, they could have tricked the plant into pumping tainted water without anyone being the wiser. These ageing systems are a security nightmare, and terrorists in the know are measuring the potential for a crippling attack.

A recent example of this kind of vulnerability came late in 2015, when a team of hackers disabled a power plant in Ukraine and plunged 80,000 residents into darkness. Writing for Wired, Kim Zetter notes that the attackers were clever enough to ‘freeze’ the screens of monitoring stations to trick them into thinking everything was normal. It’s this kind of clever, savvy attack that has security experts losing sleep. These outdated security systems are like ticking bombs. The high cost of upgrading entire systems has kept old tech in place long past its ‘best by’ date. High tech terrorists find it easy to crack security last upgraded in 1988.

A yellow shock warning sign overlaid over powerlines
A recent example of this kind of vulnerability came late in 2015, when a team of hackers disabled a power plant in Ukraine and plunged 80,000 residents into darkness.

Hacked water treatment plants could infect millions of people

If these murderers gain access to a water treatment facility, their goal won’t be to steal information about bill payers but rather to ensure that the water goes untreated for as long as possible. This may sound benign, but it’s a disaster of epic proportion. For instance, 8.7 million people depend on just five water treatment plants in London. If terrorists were able to compromise the SCADA systems in just one of them, allowing untreated water to mix with the clean outflow while tricking the monitors into thinking everything was normal, they could infect millions of people with everything from typhoid to hepatitis A to Giardia lamblia. Everyone, including emergency workers, physicians, and nurses would be infected. The hospital system would be overwhelmed with the sick, and we would expect thousands, if not tens of thousands, of the young, old, and already ill to die. This is nothing less than sophisticated biological warfare. Rob Joyce from the National Security Agency says: “SCADA security is something that keeps me up at night.” Very similar sentiments come from Nicholas Weaver at the International Computer Science Institute. He says: “I don’t do SCADA research because I like to sleep at night.”

We’re completely unprepared and this is cause for worry.

Even connected medical devices are potential weapons

Advances in medical technology are giving people longer, fuller lives. For instance, diabetics can now be fitted with a continuous glucose monitor and an insulin pump that adjusts to fluctuations in blood sugar, mimicking the action of a healthy pancreas. Heart patients can now have pacemakers attached to Bluetooth enabled devices that measure and manage their heart rate. Much like the command and control systems for critical infrastructure, these medical devices are like SCADA for the body, connected via the Internet to physicians who monitor, assess, and treat their patients remotely. And in the most advanced medical centres of the next decade, patients’ monitors will be wirelessly connected via a central hub, allowing nurses and physicians real-time access to vital signs and treatment options.

The terrorists of the future are paying attention, and the consequences are almost too frightening to consider. When a doctor can increase the drip rate on an intravenous bag or administer a dose of morphine, so too can a determined hacker. According to Kim Zetter at Wired, a well-known ‘white hat’ hacker and security expert started doubting the security of intravenous pumps during a recent hospital stay. Though the hardware systems allowing access to the pump for updates and the firmware that runs the device are ‘separate’ systems, they are connected by a serial cable. This connection allows a hacker to access the pump’s settings. Rios discovered that not only could a determined hacker change the amount of insulin (or antibiotic, or chemotherapy, or morphine, etc.) that the pump was delivering, but someone with the right skills could also trick the device’s display into reporting the normal dosage. What Billy Rios found was troubling, and comes as no surprise given what we know about other SCADA vulnerabilities and the recent attack on the Ukrainian power plant.

As more and more medical devices are connected, the danger grows increasingly acute

The terrorists of the future won’t just seize control of SCADA systems, they’ll also trick the monitors into believing that it hasn’t happened. This will vastly increase the time to discovery and allow terrorists to do more damage than they otherwise might. Kaspersky Lab confirmed the same vulnerabilities in hospitals that Verizon discovered in water treatment facilities: they routinely use unsupported, legacy operating systems like Windows XP. It wouldn’t take much for sophisticated terrorists to gain access to these devices, delivering high doses of radiation, for instance, from X-ray equipment. As more and more medical devices are connected, the danger grows increasingly acute.

The greatest danger we see is that terrorists of the future might launch sophisticated, simultaneous assaults on critical infrastructure. By compromising water treatment, power, and hospitals simultaneously, they could sicken millions, overwhelming the system. By joining this biological attack with broad power outages and hospital hacks, they could kill hundreds of thousands of people.

Inspired by this article? Download our free e-book “Terror tech – the future on fire”, containing 80 pages of mind blowing facts, quotes, expert opinions, videos and case studies about the future of terrorism.

Terror Tech The future on fire

This article is written by Richard van Hooijdonk

This article is written by Richard van Hooijdonk

Trendwatcher, futurist and international keynote speaker Richard van Hooijdonk takes you to an inspiring future that will dramatically change the way we live, work and do business.

All lectures