Cyber-Physical Systems are all around us today. Operational Technology (OT), a subset of the concept of Cyber-Physical Systems, has been used for decades in asset intensive industries like Oil & Gas and Manufacturing. It also plays a key role in Critical National Infrastructure like energy, water, transport and dams. The rise of consumer based Cyber-Physical Systems like smart thermostats and autonomous vehicles led to a ubiquitous Cyber-Physical Systems world.
Digital transformation and the optimization of business processes drive organizations to evolve the connectivity between IT and the OT, the industrial control systems. This creates business benefits but it also increases the risk. For some time, we have been at the beginning of an era in which this risk includes loss of life.
Gartner research suggests that by 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans. Gartner predicts that the financial impact of cyber-physical attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.
The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore. The world has seen real incidents where events originating in the digital world had an impact on the physical world.
A short glimpse in recent history shows us that attacks on OT are nothing new. Just think about the Maroochi Shire incident in 2000, Stuxnet in 2009 or Industroyer in 2016. A stark example is the Triton malware first identified in December 2017 on the OT systems of a petrochemical facility. Its purpose was to disable the safety instrumented system (SIS) built to shut down the plant in case of a hazardous event. If the malware had been effective then loss of life was highly likely. It is not unreasonable to assume that this was an intended result. Hence “malware” has now entered the realm of “killware”
How does Killware Work?
Many of the attacks we see in the news these days are related to ransomware. The OT environment is not often the prime target of the ransomware – it is more like collateral damage. Unfortunately, we also see more and more attacks on OT environments where the OT is not the objective of the attack, but the means.
The actual objective of the attacker is to cause harm to humans by using killware in an OT environment. This can be a chemical plant, an air traffic control system, a dam or anything similar. It just a matter of time before killware will have made its first victim, an outcome uppermost in the contemplation of law enforcement agencies. It is likely that by 2025 operational technology environments will have been weaponized to successfully harm or kill humans.
Some national governments realized these risks and are creating legislation. For example, the European NIS Directive or the Cybersecurity and Infrastructure Security Agency Act of 2018 in the US. There are also standards that organizations use to improve the security of their OT environment: the NIST SP800-82 and the IEC62443.
Rather than focus on protecting confidentiality, integrity and availability, they should implement an OT security control framework to include controls to safeguard the safety of their OT systems. This is to prevent incidents in the digital world from having an adverse effect in the physical world, including fatalities.
Security and risk management leaders must ensure that their organizations adopt a robust framework of controls that exists to enhance the security posture while meeting security standards.
Most organizations have lived for too long in denial. Risk practitioners are often asked by skeptical executives whether specific risk outcomes have occurred previously.
There has not, yet, been a proven outcome of fatality caused directly by a malicious OT compromise. This is now reasonably foreseeable and killware will have made its first victim.
The author is Wam Voster, Senior Research Director at Gartner, Inc.
