Death rays, Death Stars and deathware?
The James Bond movies of the sixties introduced death rays that took out entire cities. In the late seventies, Star Wars brought us immense Death Stars that could destroy planets in seconds. And now analyst firm Gartner is scaring the bejeebies out of us with the concept of deathware — malware designed to actually kill people.
According to Gartner®, “By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.”
Further, Gartner states, “Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.”¹
“In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner.¹
According to Gartner, “security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable).”¹
Gartner goes as far as predicting that “the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents. As well as lives being lost, compensation, litigation, insurance, regulatory fines and reputation loss will mount up fast. To make matters worse, the analyst firm predicts that CEOs will be personally liable for these incidents.”¹
Sensational, but true
Yes, an element of sensationalism is apparent in such pronouncements. But there is an element of truth woven into them.
Consider the autonomous vehicle: Hackers can already scan and steal entry credentials from keyless entry systems with relative ease. There have also been instances of people managing to take over control of someone else’s vehicle remotely. Once autonomy enters into this landscape, it is conceivable that someone could create chaos by messing with driving algorithms. A handful of deaths have been reported from self-driving cars.
Taking it a stage further, Greg Schulz, an analyst with StorageIO Group, noted that planes, trains and transit systems are becoming more and more automated. As that trend progresses, a successful hack opens up all sorts of opportunities for those with terror in their hearts. Schulz mentioned additional pathways to destruction that could be introduced via drones, Alexa or Google devices, smartphones, computers, garage door openers, home heating, ventilation and air conditioning (HVAC) and other building control systems such as elevators. Further, factory floor systems, warehouses and industrial facilities are getting increasingly populated by robots. Movies such as I, Robot highlighted the consequences of robotic automation run amok.
How about using infected robotic programming or a corrupted drone to bring about someone’s demise?
“It could be possible to use a drone to kill somebody directly, but what’s more likely is a death due to operator error due to flying recklessly,” said Schulz. “Perhaps the most serious repercussions that could threaten life might be felt due to attacks on 911 dispatch, traffic lights or air traffic control. There is also the possibility of harm by infecting IoT and SCADA systems that control power, water and gas networks.”
Water system poisoning incidents have already taken place.
“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” said Voster. He called attention to historical precedents: the Maroochy Shire incident in 2000, Stuxnet in 2009, Industroyer in 2016 and Triton malware in 2017, which impacted the OT systems of a petrochemical facility. Triton effectively disabled the safety instrumented system (SIS) designed to shut down the plant in case of a hazardous event.
There is even one recorded death, partially attributable to malware — a patient at University Hospital Düsseldorf died in the aftermath of a ransomware incident. When malware shut down systems at the hospital, the person died while being transported to another facility.
Blessing in disguise?
The 2021 Gartner report, “Reduce Risk to Human Life by Implementing this OT Security Control Framework,” may be somewhat alarmist as it states, “The increase in attacks on operational technology environments causes risks to the environment and to human life.”² But such reports, as well as the current rash of ransomware attacks infecting almost every vertical, may turn out to be a blessing in disguise. Industry, healthcare, education and even local government have tended to be relatively oblivious to the need for real IT and OT security. With them now seeing their peers paying out large ransoms, they are scrambling to erect proper security measures.
By the time the “killware” phase has been entered, it is hoped that most of them will have erected sufficient protections to be at low risk for such an extreme outcome.
1. Gartner Press Release, “Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans,” July 1, 2021
2. Gartner, “Reduce Risk to Human Life by Implementing This OT Security Control Framework,” Wam Voster, June 17, 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission.