For years, there was no call for security testing for Industrial Control Systems which connected much of our critical infrastructure, because they did not connect to the internet. Now, Eireann Leverett, a doctoral student in Computer Science at Cambridge University, has demonstrated that this claim is patently false, according to an article at Wired.com.
Using the Shodan search engine, Mr. Leverett spent two years poring over the data he found, exposing water and sewage plants physically connected to the internet. SCADA devices are widely known for their vulnerabilities, with them connected to the internet, any nation state or rogue groups of hackers could easily bring portions of a country to its knees. We are vulnerable to cyber attacks, perhaps even a cyberwar. Will this new cyber threat be properly addressed by our governments?
Wisely, Mr. Leverett shared his findings with DHS and others before publishing his findings and briefing them at the S4 Conference. Hackers, however, rely upon human error to allow them to penetrate many systems because systems administrators fail to secure their systems. Many of the owners of the systems were not even aware their system was hooked up to the internet.
This should be cause for alarm for governments and citizens alike. The critical infrastructure upon which we rely for many of our basic needs has been wide open for years, vulnerable to nefarious elements. I am certain not all the connected systems were found. How long will we accept “we don’t need to upgrade our security because we’re not connected”?