Death rays, Death Stars and deathware?
The James Bond movies of the sixties introduced death rays that took out entire cities. In the late seventies, Star Wars brought us immense Death Stars that could destroy planets in seconds. And now analyst firm Gartner is scaring the bejeebies out of us with the concept of deathware — malware designed to actually kill people.
According to Gartner®, “By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.”
Further, Gartner states, “Attacks on OT – hardware and software that monitors or controls equipment, assets and processes – have become more common. They have also evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. Other recent events like the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT.”¹
“In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner.¹
Phishing simulations & training
According to Gartner, “security incidents in OT and other cyber-physical systems (CPS) have three main motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable).”¹
Gartner goes as far as predicting that “the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents. As well as lives being lost, compensation, litigation, insurance, regulatory fines and reputation loss will mount up fast. To make matters worse, the analyst firm predicts that CEOs will be personally liable for these incidents.”¹
Sensational, but true
Yes, an element of sensationalism is apparent in such pronouncements. But there is an element of truth woven into it.
Consider the autonomous vehicle: Hackers can already scan and steal entry credentials from keyless entry systems with relative ease. There have also been instances of people managing to take over control of someone else’s vehicle remotely. Once autonomy enters into this landscape, it is conceivable that someone could create chaos by messing with driving algorithms. A handful of deaths have been reported from self-driving cars.
Taking it a stage further, Greg Schulz, an analyst with StorageIO Group, noted that planes, trains and transit systems are becoming more and more automated. As that trend progresses, a successful hack opens up all sorts of opportunities for those with terror in their hearts. Schulz mentioned additional pathways to destruction that could be introduced via drones, Alexa or Google devices, smartphones, computers, garage door openers, home heating ventilation air conditioning (HVAC) and other building control systems such as elevators. Further, factory floor systems, warehouses and industrial facilities are getting increasingly populated by robots. Movies such as iRobot highlighted the consequences of robotic automation run amuck.
How about using an infected robotic programming or a corrupted drone to bring about someone’s demise?
“It could be possible to use a drone to kill somebody directly, but what’s more likely is a death due to operator error due to flying recklessly,” said Schulz. “Perhaps the most serious repercussions that could threaten life might be felt due to attacks on 911 dispatch, traffic lights or air traffic control. There is also the possibility of harm by infecting IoT and SCADA systems that control power, water and gas networks.”
Water system poisoning incidents have already taken place.
“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” said Voster. He called attention to historical precedents: the Maroochi Shire incident in 2000, Stuxnet in 2009, Industroyer in 2016 and Triton malware in 2017, which impacted the OT systems of a petrochemical facility. It effectively disabled the safety instrumented system (SIS) designed to shut down the plant in case of a hazardous event.
There is even one recorded death, partially attributable to malware — a patient at University Hospital Düsseldorf died in the aftermath of a ransomware incident. When malware shut down systems at the hospital, the person died while being transported to another facility.
Blessing in disguise?
The 2021 Gartner report, “Reduce Risk to Human Life by Implementing this OT Security Control Framework,” may be somewhat alarmist as it states,” The increase in attacks on operational technology environments causes risks to the environment and to human life.”² But such reports, as well as the current rash of ransomware attacks infecting almost every vertical, may turn out to be a blessing in disguise. Industry, healthcare, education and even local government have tended to be relatively oblivious to the need for real IT and OT security. With them now seeing their peers paying out large ransoms, they are scrambling to erect proper security measures.
By the time the “killware” phase has been entered, it is hoped that most of them will have erected sufficient protections to be at low risk for such an extreme outcome.
ChatGPT training built for everyone
Sources
- Gartner Press Release, “Gartner Predicts By 2025 Cyber Attackers Will Have Weaponized Operational Technology Environments to Successfully Harm or Kill Humans,” July 1, 2021
- Gartner, “Reduce Risk to Human Life by Implementing This OT Security Control Framework,” Wam Voster, June 17, 2021
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission.
ChatGPT training
In this Series
- Death rays, Death Stars and deathware?
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization