Back in 2007, a group of scientists at the Idaho National Labs conducted a cyber attack test against a 2.25MW diesel power generator and they succeeded in destroying the generator in roughly 3 minutes. (DHS Unclassified Aurora Documents and DHS Unclassified Video)
This test was a real eye-opener for the authorities at the time because physical devices were being augmented with digital interfaces to allow better control of the device. In practice, adding digital controls is a good thing (better control, better visibility, better management, etc.), but where they failed was in treating security as an afterthought rather than a forethought. You have to understand that the engineers, as smart as they were, weren’t thinking about cybersecurity; they were thinking about functionality. They were tasked with building a digital interface and they delivered just that feature.
After the test, the government moved to mitigate the security risks that were uncovered. They made new legislation and regulations (NERC CIP, US CIP, DoD CIP, ISA, IEC, ANSI). They forced industrial device manufacturers to run cyber tests on their products. They levied heavy penalties, fines, and jail time on those who do not comply with the new legislation, because protecting power generators from cyber attack is absolutely critical to national defense.
Fast forward to today: the phenomenal growth of the “Internet of Things” is spawning network stacks in phones, cameras, flash drives, lightbulbs, thermostats and yes, even cars, buses, and airplanes. The need to have convenient control over and easy access to your data, your lights, your car is inherently a noble pursuit, but… it seems we haven’t learnt from 2007. Security is still an afterthought, and so you read about cars being hacked, webcams being hacked, lightbulbs being hacked, airplanes being hacked; the list goes on and on. The government, it seems, isn’t really interested in making new regulations when it comes to the consumer market (some new legislation has been made for the automotive and airline industries). It’s pretty much buyer beware when you buy that Wi-Fi enabled camera!
So what are we left with? Well, to the engineers and programmers of today: please think about cyber-safe and secure processes, lifecycle and development; security shouldn’t be an afterthought. Work in your companies to test and check code regularly, set end-of-life dates for your products, and fix any security problems that come up in that time. Communicate with the consumer when a problem is uncovered and work with them to fix it. Together we can make things safer for everyone, one network stack at a time.