On Jan. 24th, 2012, Kim Zetter wrote for Wired on US critical infrastructure and industrial control systems (the computer systems that control physical machinery, often in critical infrastructure like power grids). Zetter chronicled the efforts of a security researcher who "was able to locate and map more than 10,000 industrial control systems hooked up to the public internet." Some, but not all, of these industrial control systems were hooked up to critical infrastructure systems in the US.
What's notable about this researcher mapping industrial control systems? Well, the article notes that many critical infrastructure owners believe that their industrial control systems are air-gapped (not connected to the internet). Believing that their ICS systems are air-gapped, critical infrastructure owners have argued that they don't need to do security testing "because the systems are never connected to the internet." However, these findings indicate that a number of ICS systems for critical infrastructure are online, and the owners aren't even aware.
The article went on to explain that after mapping the ICS systems, the researcher was able to access 83% of the systems without authorization. Oh, and this cybersecurity researcher? He's just a student. The article notes that if a student can do this, what can a nation-state do?
You can find the Wired source article here.
Leave a Reply