The connected world in which we live could suffer a catastrophic blackout unless critical infrastructure is secured, warns Eugene Kaspersky founder and CEO, Kaspersky Lab.
The ramifications of a blackout, like the one recently experienced in Ukraine, are deep reaching. During a blackout none of the devices connected to the Internet of Things would be able to ‘talk’ to each other. By a cyberattack on critical infrastructure taking control of a country’s power grid, simply nothing would work. No urban facilities, no water, no air conditioning, no elevators, no Internet, no mobile network.
“Unfortunately this scenario is very real. The world we live in is based upon technologies and ideas which were made 50 years ago. Many of them rely upon an architecture that pre-dates the era of cybercrime. The hackers simply didn’t exist then,” explains Kaspersky. “As we increasingly depend on technology as the backbone of our civilization, we need to ensure our critical infrastructure is built upon a robust architecture that is not only secure, but immune. If we don’t adopt a security first approach, we will face a very uncertain future.”
Kaspersky Lab experts recently revealed that more than 13 thousand industrial control systems (ICS) hosts are exposed to the Internet, most of which probably belong to large organizations. More than 90 percent of these ICS hosts have known vulnerabilities that can be exploited remotely, the majority of which are located in the US (around 30 percent) and Europe (around 14 percent).
Kaspersky warns that to fully appreciate a connected world, a redesign needs to take place to protect the critical infrastructure at its core. All the while critical infrastructure continues to run over vulnerable platforms, it remains at high risk of being attacked. A ‘security first’ framework, where information security is implemented from the very core, is the best strategy for the future. Although, with the burgeoning skills gap, the industry is at danger of not being able to fulfil such a future requirement, so needs to do all it can to train up the next generation of cyber security experts.
“It is my dream to live in a world of unhackable devices and I think it is now possible. We have the technologies, we have the solutions, we have the ideas and we have the platforms to be able to design a new generation of software that can keep critical infrastructure secure,” adds Kaspersky; “But we need the cyber security talent to bring it to fruition.”
Source: ContinuityCentral
Eugene,
Thanks for an interesting and timely blog.
However, in terms of crisis management, although malicious cyber attack is certainly a realistic scenario (and increasingly a high-likelihood one), from the perspective of hyper-complex crisis management , which this would certainly come under, the triggering event is actually insignificant. It is just as likely that the cause of the catastrophic critical national infrastructure failure will be technical failure, human error, a programming fault, or the consequences of a relatively insignificant initial event (or more likely, a congruence of two insignificant failures that together trip a series of catastrophic cascading consequences).
As an example, in the North Eastern US blackout in 2003, affecting 45m people in 8 US States and 10m people in Ontario, Canada, the initial triggering event was overloaded power lines hitting unpruned tree foliage, causing a local cut-out. The blackout’s primary cause was a software bug in the alarm system at a control room of the FirstEnergy Corporation, located in Ohio. Separately, unimportant. Together – instantaneous catastrophic total systems failure.
The pre-event planning, prevention and mitigation process is critically important – but from my side of the game, we just presume that someone, somewhere will get it wrong, and then the question is how to deal with the resulting mess.
Best regards,
David