Looking into the cybersecurity future through the past

The past informs the present when it comes to cybersecurity and what we once thought of as fanciful is becoming a reality. What people are willing to do will inform our future.

By Chris Vavra, June 21, 2021

Hackers, with the backing of a foreign power, infiltrated the Pickett Gap water treatment facility in Tennessee with a remote viral attack. Thankfully, plant managers were able to avert the crisis and prevent thousands of people from being sickened by contaminated water. This attack is the latest in a long string of cybersecurity attacks against critical infrastructure across the United States.

You might be wondering when this happened because it wasn’t on the news. Well, that’s because it happened 19 years ago in a video game. Tom Clancy’s Splinter Cell, originally released for the Microsoft Xbox in November 2002, dealt with the topics of information warfare and cybersecurity attacks. The only person to save the world from disaster was Sam Fisher, voiced by Michael Ironside, in what would become a successful video game series over the next decade.

The series often used information warfare and cybersecurity as its backdrop. The parallels, though, are eerie given the recent cyber attacks against water filtration plants in Oldsmar, Florida, and San Francisco. That second attack happened in January, but wasn’t reported on until June. Luckily, no one was injured in either attack.

Back then, these kinds of hacks seemed fanciful. Or at least the stuff you’d see in a big-budget movie like 2001’s Swordfish or 1999’s The Matrix. Hacking into a computer from thousands of miles away with weaponized algorithms through a remote server? Yeah, right. Dream on. That could never happen. Now it can, and it is happening.

The advent of the Industrial Internet of Things (IIoT) has changed the nature of how we operate in so many ways. Everything is connected now. You almost have to take that literally. The Simpsons made light of this in a 1999 Treehouse of Horror episode where everything has a computer chip — including the milk carton — in a spoof of Y2K hysteria. Now? Well, maybe not the milk carton, but…

Computers are connected to everything on a plant floor. Almost every device, robot, control panel, human-machine interface (HMI) and anything else you can think of is connected to the internet. Many of the devices used on the plant floor were created well before cybersecurity was even a notion. This is our reality. It’s made manufacturing facilities more efficient and smarter. There’s no question about that. The advent of big data, artificial intelligence (AI) and machine learning (ML), combined with the IIoT, will make them even smarter. The trade-off is all these devices are vulnerable and can be exploited by a cybersecurity attack.

This string of cybersecurity attacks against operational technology (OT) facilities and the resulting near-misses are not a fad, either. They have been going on behind the scenes for a long time. If you’ve seen our series of Throwback Attacks, written by senior editor Gary Cohen and contributor Daniel Capano, you know this has been a long-standing issue. A lot of the attacks, though, slipped under the radar because of foreign politics or because they didn’t have a direct effect on the average person. If they did, the impact was so nebulous it didn’t register.

Attacks against water filtration plants and pipelines? Those have gotten people’s attention. Particularly in the latter case with the Colonial Pipeline because gas prices went up as a result. These cybersecurity hacks and ransomware attempts are going to continue. Why? Because they’re effective and profitable. It’s the equivalent of low-hanging fruit. Hackers know they can break in because many of our workers in these facilities do not have the proper training or awareness. An NBC News article drove the point home by saying, “If you could imagine a community center run by two old guys who are plumbers, that’s your average water plant.” If you have the acumen, skills and a particular bent toward money or chaos, it almost seems like a given. Why work in IT when you could make tens of thousands of dollars by exploiting people’s ignorance?

There is no overnight solution. It’s going to take a humongous collective effort on the part of everyone to do better. Education and cybersecurity training have to be at the forefront. People need to be better prepared and vigilant.

Splinter Cell predicted cyberattacks against water facilities 20 years ago. The late Tom Clancy, who allowed the franchise to bear his name, also had a rather startling prediction in 1994’s novel Debt of Honor. He wrote of a suicide attacker using a plane to crash into Congress during a joint session and nearly wipe out the entire government. Seven years later, a (thankfully) less awful scenario happened, but it still changed the world and changed how we view things. So did the COVID-19 outbreak last year.

Here’s the problem, though: Most people are not going to be galvanized into action because it doesn’t directly affect them. The water filtration hacks and ransomware against Colonial were very startling, but those were mere blips. Unfortunately, it will likely take a 9/11-style attack to really get everyone on board and make people realize this is our new reality. Computers have changed the world and made things better in a lot of ways. It could be paradise, but it could also destroy the world with the right motivation.

Chris Vavra, web content manager, CFE Media and Technology, which includes Industrial Cybersecurity Pulse, cvavra@cfemedia.com.

Original content can be found at www.industrialcybersecuritypulse.com.

