Cyber-Attacks to Real-World Terrorism? Could the IoT Enable New Vectors of Attack?
Cyber-attacks are by no means a new thing. They’ve existed almost since computers started being repositories of potentially valuable – and potentially damaging – information. As computers, servers and cloud infrastructure began to become the digitally ineffable home of not only the brain of many companies, but also their nervous systems, ransomware and email scam attacks have gone through the roof.
They’ve become an almost familiar, factored-in reality of doing big business in the modern world. By the year 2025, cyber-attacks are predicted to cost the world’s business community no less than $10.5 trillion per year, compared with just $3 trillion in 2015.
The combination of the colossal overall figures for cyber-attacks, and the potential size of any individual ransomware attack – a 2021 attack by REvil netted the criminals no less than $70 million in Bitcoin – makes cyber-attacks the piracy of the 21st century. Factor in the laxity of some companies when it comes to taking adequate precautions to protect their digital assets, and the likelihood that big companies will pay rather than risk losing the nervous system of their enterprise, and there’s every good reason in the world for people with enough knowledge to try to milk the market for every last drop of profit they can.
The Next Big Prize?
But, while there’s clearly an effective profit motive to keep doing what they know, there’s also a slowly developing market in cyber-attacks that has yet to fully impress itself on business enterprises. As the Internet of Things becomes more and more crucial to the way businesses run, the idea of cyber-attacks transferring into real-world damage and consequences becomes ever more possible.
A group of “hacktivists” calling themselves Predatory Sparrow has allegedly just combined a standard-issue cyber-attack, spilling lots of documents including confidential emails, with a real-world fire at the Mobarakeh Steel Company’s premises in Iran.
It’s worth stressing the “allegedly” in that sentence – news broke of the event on July 11th, and as of early August, no-one seems to have any harder evidence of the attack than what the group itself has put out. But assuming it took place as the group insists, it’s the first notable use of a cyber-attack to cause real-world, three-dimensional, physical damage to a cyber-victim’s facility through code.
And for the most part, while you can probably start fires by shutting down safety protocols in computer systems and leaving them to ramp up and up and up, the bridge between cyber-attacks and real-world damage is likely to be the Internet of Things. It’s the hybrid element between systems and realities, and, at least until we reach a point where robots are ubiquitous, it’s likely to be the most straightforward way to hold physical buildings – and potentially people – for remote ransom.
The Scope of the IoT
So how big is the Internet of Things right now? Conservative estimates – and yes, we’re dealing in estimates, because collating the data on sales of Internet of Things components is ridiculously difficult – put it at 20 billion items right now. Some probably overexcited estimates put the figure at more like 100 billion.
Just for scale, there are equally estimated to be a hair under 8 billion human beings on Earth right now. There are estimated to be 19 billion chickens on the planet. Roughly 1 billion sheep. So even by conservative estimates, that’s a lot of units – the Internet of Things is not a crazy, out-there, one-day science fiction concept. It’s real in the here and now. What will grow as time goes on is both the size of the Internet of Things, and the range of things it will be able to do as more and more smart devices are linked into its nervous system.
The Horror Movie Premise
It’s worth dialling down the sci-fi threat, though – the IoT includes most phones, health-tracking wristbands, refrigerators, etc. And right now, probably the most an IoT cyber-attack on your Alexa is going to do is lose you your favorite playlists and gut your bank balances by accessing your payment methods.
Yes, as more and more domestic systems get connected, there’s the potential danger of being locked in your house by a smart lock attack, and slowly sweltered or frozen or potentially starved until you follow instructions, such as transferring bank balances into bitcoin accounts. The flipside of that coin of course is that if you put all your eggs into a house secured with smart locks, and then someone hacks the smart locks, or the facial recognition entry system, you’re about as secure as a hairpiece in a hurricane.
But while we’ll leave the home-invasion-by-remote scenario for the horror movie writers of next year, the impact on businesses of a growing market in Internet of Things hacks is likely to be significant. More and more warehouses are using AI automatic systems to order, move, and stack up stock. More and more server farms are using IoT cooling systems and maintenance management systems to maintain their uptime – and with it, the security of the data housed in them. The need for these systems to lower energy costs and maintain uptime is paramount in the current – and likely, the future – economic and ecological climate.
And while companies are all too aware of the need to protect their central computer infrastructure with the best cybersecurity they can afford, it’s unlikely as yet that they feel the pressing need to make the security on their heating, cooling, ordering, or smart sprinkler systems that good, despite these systems becoming increasingly critical in the maintenance of their business – especially as the drive towards digital transformation creates narrower and more refined subsidiary systems on which the main operation of the business depends.
Narrower and more refined subsidiary systems mean just one thing to cyber-attackers – weak points in the system. Until the tech industry comes up with affordable ruggedization techniques and products for such subsidiary systems, the Internet of Things may yet prove to be an easier target for hackers looking to hold a business’ core systems to ransom for the next generation.
2 December 2022