Cybercriminals lurk around every high-tech corner

Industrial security in the cyber age must include more than an outdated line of concrete, fences, guns and guards

By Brennen Schmidt
ALEUS Technology Group
and Allan Bonner
Troy Media columnist

In the same way that shopping online is convenient, terrorism and sabotage are becoming easier. A terrorist, hacker-for-hire or deranged person can gain remote control of power grids, water works, hospitals, industrial operations, self-driving cars and traffic lights.

The Internet of Things (IoT) is helping. This is the Internet in which machines control other machines, using a combination of wired and wireless connections to perform specific functions.

Imagine a 9/11 in which the hijackers are not on the planes but in a camp halfway around the world, working on a computer. Imagine the Ocean Ranger oil rig sinking off Newfoundland – not because of human error, but because of deranged intervention by someone who doesn’t like drilling in oceans.

Anti-abortionists could shut down a hospital wing, wreaking havoc on access to electronic patient records or surgical management systems. Animal rights protesters could stop trucks containing pigs and set them free. Advocates for have-not countries could show a few hundred million people in developed countries what life is like without power or water.

This may appear to be a dim view of humankind. Yet many hundreds died in America’s armed labour conflicts known as the Coal Wars. That’s just in labour-management disputes. Many more died in accidents.

In Canada in 1992, gold-mining industrial sabotage killed nine workers at the Giant Mine in Yellowknife. During a labour dispute, an employee put a bomb in the mine and killed strike-breakers and replacement workers.

Today, that criminal could probably do worse from his home computer, even if he’d long stopped working in the mine and retired to Florida.

Industrial security in the cyber age must include more than an outdated line of concrete, fences, guns and guards. France learned this during the Second World War when the Germans just drove around the Maginot Line to invade. Industrial security needs to be more than an easily circumvented line.

Here’s why more and better security is needed right now. A Canadian Press report quotes the chief executive of Precision Drilling Corp., Canada’s largest drilling contractor, as saying they detect attempted intrusions into their networks “almost daily.” The CEO of Canadian Natural Resources Ltd. says “we get attacked all the time.” Happily, these two companies have layers of security that have prevented problems.

What won’t help is peering into cyberspace and neglecting another real threat down the hall in the lunch room. It’s often easier to count on garden-variety incompetence or human frailty than high technology.

Too many industrial passwords use the word ‘password’ or ‘1234.’ Few industries use multi-factor verification – checking the users’ passwords, the users’ permissions and even their mobile devices. Even though these security measures exist, there still remain a lot of high-tech, interconnected things at work every day. Not addressing these vulnerabilities is akin to leaving the back door unlocked.

A solution is testing, simulations and training – the high-tech version of mystery shoppers. But even this poses a danger. Too many simulations or tests can confuse the computer and cause a real failure. An unplanned simulation may also have unintended consequences for interconnected IoT systems – disconnecting elements either temporarily or permanently.

Worse yet, far too few organizations have an updated disaster response and supporting communication strategy to implement if such simulations did cause real-world problems without notice.

Then there’s human frailty. This is a topic as varied as human personality. The gambler who needs money or the worker with a mysterious past are susceptible to bribery and blackmail. People can also be tricked, either through a belief in a specific cause or through the simple action of clicking on a malicious link in an email. A malicious link may con the employee into thinking it’s from a supplier, colleague or the boss, but clicking on it downloads a dangerous payload.

Or, in the case of social experiment exercises, official-looking websites are set up specifically to imitate the victim’s organization. These websites ask users to enter specific pieces of information – their work username or password, or personal information. Users may be pressured by the threat of a deadline from their ‘boss.’ Or the fake website could appear to be from a favourite coffee shop offering all employees a gift card.

Such cases are a result of what those in the information security space call social engineering. It entails various techniques designed to manipulate people into doing things, including giving out information they shouldn’t.

As long as there are people, there will be vulnerabilities and people who can be tricked.

Finding out the average worker’s username and password may not seem like a huge breach of security, but it may be. What if that person’s information could be used to approve or authorize a specific function, command or action that could compromise the organization? What if knowing several employees’ information might allow a hacker to trigger overload and crash a system?

What’s helpful to the perpetrator, in such cases, is that the police would likely investigate the individual first – rather than the ones behind the hack. After all, the command came from an authorized account holder. This buys the cybercriminal time.

Today’s ticking time bomb is a combination of ones and zeros, coupled with explosive materials. It’s time to start paying attention to cyber threats.

Dr. Allan Bonner, MSc, DBA, is a crisis manager based in Toronto. His forthcoming book is Cyber City Safe. Brennen Schmidt (BEd, Certified PR, CUA) is principal of the ALEUS Technology Group, a boutique digital communications firm in Regina.



The views, opinions and positions expressed by columnists and contributors are the author’s alone. They do not inherently or expressly reflect the views, opinions and/or positions of our publication.
