Page 24 - Cyber Warnings
Why Manufacturers Are on the Frontlines of the Next Cyber Battleground
By: Aviv Grafi, CTO and Co-Founder of Votiro
Cyber-security experts – and concerned citizens, including the President of the United States
himself – believe that a major cyber attack on critical infrastructure in the US is just a matter of
time.
Sooner or later, a hacker is going to send out the “right” kind of spear-phishing message that
someone at an electricity provider or a water infrastructure firm is going to click on, spreading
malware that will shut down the power, poison the water, or otherwise cause pain, suffering, or
even worse to millions of people.
But critical infrastructure systems – controlled by SCADA systems and legacy software and
hardware – are hard to get at, because those systems are usually kept separate from data
networks where users are likely to click on links or attachments that hackers use to spread their
poison.
As was the case with Stuxnet (or so the story goes), you usually need to physically access a
critical infrastructure system in order to take it over.
Although there are always exceptions, the difficulty in reaching those systems may be one
reason why we have not seen the rash of infrastructure attacks that the experts have been
expecting.
But what if hackers were to target a manufacturing infrastructure system? Instead of taking a
chance that the victim of a spear-phishing attack will take the right steps – access a targeted
server, or take another required action – to allow their malware to hit power plant or water
filtration systems, hackers could get a lot more mileage out of a spear-phishing campaign at a
factory that manufactures, for example, brakes for vehicles.
Since the data and administrative networks and the manufacturing systems are well-integrated
in such places, hackers would be able to compromise a manufacturing plant much more easily
than a critical infrastructure site.
Possibly the headlines wouldn't be as big, but the damage could be enormous, and the hackers
– cyber-criminals or cyber-terrorists – could much more readily achieve their goals.
If, for example, hackers were able to get access to a system that calibrates the brakes that go
into new cars – changing the shape or size of a disc so that it does not meet standards – they
could wreak havoc, either by keeping quiet while brakes are installed in vehicles (with the
attendant tragic results) or by extorting the company for millions, withholding information about
batches of bad brakes that were shipped and potentially exposing the manufacturer to millions in
lawsuits.
24 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide