We need to start thinking of sci-fi and fantasy as educational instead of fictional. We have already been using them as inspiration for years. The first flip phones certainly looked a lot like the communicators from classic Star Trek. But are we looking at them to anticipate the nefarious schemes the bad guys might come up with?
An attempt on February 5th, 2021 to poison the water supply of a town near Tampa, Florida is straight out of the bad guy handbook. In fact, Computer Weekly directly compared this attack to the villain’s plan in the movie Batman Begins, which was released in 2005. The attacker in the Florida incident was trying to remotely access the water supply control system and increase the amount of lye, which is poisonous if ingested. In Batman Begins, the bad guy was trying to get hallucinogens into Gotham City’s water supply.
Fiction writers have been using the theme of bad guys attacking our utility companies for years. One of the New York Times best sellers, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath by Ted Koppel, is based upon the idea of a cyberattack taking down the electric grid.
A cybercriminal taking out the entire electric grid or poisoning the entire water supply of a country like the United States is unlikely, because many of these systems are locally controlled. The likelihood of a local water or electricity provider being taken down is much higher. Local utility companies need to ensure they are controlling access at every entry point. As our own global data protection officer, Niamh Muldoon, has advised: “This targeted attack appears to have started by the bad actor getting access to a vulnerable network/system and working their way through the network trying to find the next weak access point while gathering data and understanding how the organisation operates along the way. In this instance, understanding the information assets, applying not only multi factor authentication [MFA] but enhanced multi factor authentication, would have reduced the risk of this unauthorised attack materialising.”
The water supply incident in Florida is only one recent example. In March of 2019, a part of the US power grid was hacked, and even though there were no massive blackouts, there were periodic blind spots along the grid. As utility companies have become more digital and interconnected, security needs have not always been fully planned out. Locking down firewalls and increasing authentication requirements are very basic steps that can be implemented to prevent some of these attempts. The fictional world can become a reality if utility companies don’t start putting security at the top of their priority list. It won’t take much more effort on the part of the bad guys to turn these near misses into direct hits.