Cybersecuring railway systems from potential attackers must become paramount in the digitization that those systems are currently undergoing. Their cybersecurity is too closely interlinked with railway safety to leave the door open to disruption. To make matters worse, they are increasingly being targeted.
Targeted cyber attacks against critical infrastructure (CI) are increasing on a global scale. Despite the common misconception in Canada, Canadian CI operators are being targeted too. Increasingly so. The Canadian government and its agencies tasked with cyber securing the critical infrastructure have been making great strides recently, but, in my opinion, they still lag behind Canada’s peer countries.
IoT security also has to become contextual and adaptive; capable of changing to support rapidly morphing threat and business use cases; and has to cut across traditional silos of cybersecurity, health and safety, engineering and others. In a world in which, after a few decades of effort, we are still losing cybersecurity battles daily, how can conscientious companies move forward with addressing new and significantly more complex IoT security threats?
With so many critical services enmeshed with smart cities, the attack surface is enormous and extremely vulnerable. The more technology is involved, the greater the vulnerability to infrastructure and city services. The time to act on securing our smart cities is now. The more that systems with vulnerabilities are incorporated, the greater is the risk to which city dwellers are exposed – and the more that we will have to catch up in the future.
As IoT adoption continues to proliferate, manufacturers and adopters are increasingly aware of cybersecurity risks to IoT. Yet, even among IoT security professionals, one significant potential remote attack vector is often overlooked: intentional electromagnetic interference (IEMI).
Railways are becoming increasingly vulnerable to cyber-kinetic attacks as they move away from strictly mechanical systems and bespoke standalone systems to digital, open-platform, standardized equipment built using Commercial Off-the-Shelf (COTS) components. Fully cyber-enabled railway systems offer attackers a range of vulnerabilities perhaps unmatched by any other type of industrial control system. And potential attackers are well aware of their opportunities, as a few examples below demonstrate.
As our cities, our transportation, our energy and manufacturing – our everything – increasingly embrace Internet of Things (IoT) and Industrial Control Systems (ICS), securing their underlying cyber-physical systems (CPS) grows ever more crucial. Yet, even among engineers and cyber security specialists, one potential attack trajectory is often overlooked: Intentional Electromagnetic Interference (IEMI).
Making physical objects or systems “smart” is all the rage today. Terms like smart houses, smart cars, smart cities, smart grids, smart refrigerators and even smart hairbrushes pop up everywhere. But there’s something not smart in the way this trend is progressing. Securing smart systems is often being overlooked.
As we approach the 10th anniversary of when Stuxnet was (likely) deployed, it is worthwhile to examine the effect it still has on our world. As the world’s first-ever cyberweapon, it opened Pandora’s box. It was the first true cyber-kinetic weapon – and it changed military history and is changing world history, as well. Its impact on the future cannot be overstated.
The maritime industry faces a not-so-distant future when ships will be completely autonomous, using navigation data that they receive to plot their own courses with only minimal input from shoreside control centers. The efficiencies this could bring are massive, but before this happens, cybersecurity issues must be addressed. Not only are many vessels configured in ways that invite cyberattacks, but security practices also need to be improved before the industry can safely navigate its future.
Connecting physical objects and processes to the cyber world offers us capabilities that exponentially exceed the expectations of science fiction writers and futurists of past generations. But it also introduces disquieting possibilities. Those possibilities reach beyond cyberspace to threaten the physical world in which we live and – potentially – our own physical well-being.
Stuxnet was the first true cyber-kinetic weapon, designed to cripple the Iranian – and perhaps also the North Korean – nuclear weapon programs. It succeeded in slowing the Iranian program, although it was discovered before it could deal the program a fatal blow. Its significance goes far beyond what it did. It marks a clear turning point in military history and in cybersecurity. Its developers hoped for a weapon that could destroy strategic targets without the civilian damage possible in traditional warfare. Instead, it opened the door to cyberattacks that can deliver widespread disruption to the very civilian populations it was designed to protect. Stuxnet disappeared from the digital world years ago. Its unintended release beyond its target, though, made its code readily available to other nations, cybercriminals and terrorist groups, providing them with a wealth of advanced techniques to incorporate into their own malicious cyber efforts. Its impact on the future cannot be overstated.