Two weeks ago, the news media breathlessly announced that hackers linked to the Iranian government were said to have breached one of the industrial control systems (ICS) connected to a dam in upstate New York. The fact that this alleged breach took place two years ago did nothing to dampen interest in the story, which dominated headlines for a full news cycle. Honestly, this does sound scary, but I’m here to tell you that the risks of hacking infrastructure are ludicrously overhyped.
In the entire history of hacking, there have been only two confirmed incidents in which a cyberattack has manifested damage in the real world. The first, and most well-known, was Stuxnet – a joint American/Israeli computer virus that set back the Iranian nuclear program by damaging the centrifuges that they were using to enrich uranium. The second incident, taking place in late 2014, involved a German steel plant. Hackers from an unidentified organization (almost certainly a government) were able to shut down a blast furnace and cause significant damage. Some security researchers believe that these attacks augur a future in which hackers regularly cause power outages, traffic jams, and industrial accidents. They’re wrong.
Industrial control systems are one of the main drivers of hysteria where infrastructure hacking is concerned. Simply put, they’re easy to hack, and they control infrastructure. On the face of it, this is a huge problem, because you get this mental image of your average Reddit troll suddenly pwning your local electrical substation.
Here’s where we find our silver lining: Your average Reddit troll is not an electrical engineer. He doesn’t have a degree in civil or mechanical engineering, he’s probably not a factory foreman, and his knowledge of manufacturing probably extends to watching “How It’s Made” videos while stoned. Furthermore, ICS devices have been known to go haywire without any interference from hackers. This is why physical installations are designed with redundant safety systems. Absent any knowledge of engineering, screwing around with an ICS might be able to cause a nuisance. More likely, however, you will trigger a physical failsafe that is completely unconnected to any electronic device whatsoever. Causing physical damage doesn’t just mean hacking an ICS, but also finding a plant with a pre-existing weakness in its physical systems. Of the hackers currently in business, 99.9 percent won’t have the required expertise to carry this off. Of the ones that do, 100 percent will be employed by the world’s governments.
This brings us back to Iran. You might think, “just because most hackers won’t be able to damage our infrastructure, the fact that some governments can is reason enough for concern.” Well, maybe. Hacking a country’s infrastructure is statecraft. It isn’t done for the lulz. Hacking infrastructure sends a clear message, one that could be interpreted as an act of war. And if you really want to be worried about war with Iran, there are several other things you should concern yourself with.