A threat actor took over a machine at a Florida water plant and raised chemical levels to a potentially dangerous amounts. Physical well-being can absolutely be affected by a cyberattack.
Every day there are new threats and groups of threat actors trying to gather information. The type of information they obtain is irrelevant. There are different price tags for different forms of information, but the goal is to get the information in the first place. The more, the better to line their pockets. But what happens when a threat actor can cause physical harm, not just to a person or business, but to an entire city?
Information security, Cybersecurity take on a whole new connotation when the threat moves from data to physical well-being. No one WANTS to have their information stolen or their identity compromised. No business wants a threat actor inside its walls doing damage to systems using stolen credentials. But both of those things happen. We accept that because we have not yet found an effective way to stop threat actors from pursuing nefarious activities through technology. But when it comes to physical harm, people tend to sit up straight and be on the edge of our seats, the hair on the backs of our necks and on our arms standing up in fear.
When our physical well-being is threatened, we have a classic fight or flight response. But when it’s a cybersec threat actor with intentions of physically harming someone, there’s no way for the general population to know they are in danger.
Take the attack on the water plant in Oldsmar, Florida. A threat actor got into their system and remotely adjusted the chemical levels in the water to potentially dangerous levels. An employee managed to catch it and fix it, so no one was ever in danger, but that someone got into their systems is bad. Attacks on critical infrastructures can have dire consequences for public safety and physical well-being. According to Threatpost:
“With so much emphasis recently placed on hacks for the health care and financial services industry, an infrastructure hack such as this tends to hit much closer to home as it regards our physical safety,” noted Tom Garrubba, CISO of Shared Assessments, in an email to Threatpost.
Indeed, given past attacks on the U.S. critical infrastructure such as the power grid, water systems and nuclear plants, organizations in control of these systems should take the latest attack in Florida as a call to action, observed Hitesh Sheth, president and CEO at Vectra, a San Jose, Calif.-based provider of AI for detecting cyberattacks, in an e-mail to Threatpost.
“Protecting these critical facilities, and upgrading their cyber defenses, should be a far higher priority,” he said.
Yes, protecting critical infrastructure, its facilities and ensuring security is tight should be a high priority. It should be that way for any business. If the spike in attacks at the end of 2020 didn’t open your eyes to the need to review your security protocols, maybe this will. An entire city population could have been made very sick, and likely some would have died due to the increase in chemicals at this plant.
You may not consider an attack on your business to cost someone their life or to injure them in any way, but you really do not know the repercussions an attack is going to have. A ransomware attack on a healthcare facility for critically ill patients can have literal fatal results. An attack on a business, while maybe it doesn’t cause multiple people physical harm, it could. You don’t really know.
The bottom line is, no matter how expensive it is or how much time it takes, you MUST address the security of your business. Whether the likelihood of an attack on your business will lead to physical injury really doesn’t matter. The emotional and mental distress felt by those who are impacted is just as important as their physical well-being. Review your security. Fix it. Secure your business. Doing so will not just help you sleep at night, but help your security team sleep, too.