New research from Gartner has warned that hackers will use digital infrastructure to commit lethal cyberattacks by 2025.
The group noted that attacks on operational technology (OT), the systems that control industrial equipment processes, are becoming more common. The recent attack on Colonial Pipeline, which had massive repercussions for US petrol supplies, illustrates the damage a cyberattack can have on the wider economy.
In addition, Gartner warned that these attacks will cost organisations over $50 billion by 2023, even without accounting for the cost to human lives.
In a previous piece of research, the group warned that up to 75% of CEOs could be held personally liable for the consequences of attacks on their organisation’s cyber-physical systems (CPS).
While the majority of hackers ultimately have a financial goal in mind, there are a number of routes they can take to reach this. Gartner noted that OT security incidents have three main motivations: actual harm, commercial vandalism (reduced output) and reputational vandalism (making a manufacturer untrusted or unreliable).
While cybercriminals are unlikely to go out of their way to cause direct harm to people, they generally use any tactic that makes them money, whether people could potentially be harmed or not.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said senior research director at Gartner Wam Voster.
“Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks,” he added.
For organisations to protect their CPS from attack, Gartner outlined a series of security controls to follow. These include ensuring that all staff have received appropriate training to recognise security risks and how to react to a security incident.
In addition, the group recommended proper backups and a robust backup culture, along with maintaining network segregation to ensure incidents can stay isolated to one system.
- Founders explain inspiration behind “Respect in Security” initiative
- Scottish fintech innovation showcased during ministerial visit
- Contributed | Five ways to protect against third-party data breaches
The first death directly resulting from a cyberattack is largely believed to have occurred last year in Germany. On September 11th, a 78-year-old woman in Dusseldorf suffering heart trouble was being taken to hospital in an ambulance.
Unfortunately, the nearest hospital had been hit by a ransomware attack, locking up their systems. They had to turn away the ambulance, and the woman subsequently died after being taken to a different hospital, delaying her treatment by an hour.
While a subsequent investigation ruled that the woman would likely have died if she had been taken to the first hospital, the case is cited as an example of the fatal side-effects a ransomware attack on critical infrastructure can have.
There have been other, narrowly avoided lethal cyberattacks in recent years – a thwarted 2018 attack on a Saudi Arabian petrochemical plant was designed to cause an explosion, potentially killing workers. And an attack on a Florida water treatment plant from earlier this year saw a hacker try to increase the amount of sodium hydroxide in the water to potentially lethal levels.