The IES, which are rarely used in the everyday home setting but are commonplace in large-scale operations, especially those that could cause catastrophic damage in the case of a cyberattack, has a number of potential pitfalls that could prove problematic in certain scenarios. These pitfalls include the frequent use of “default passwords, hard-coded encryption keys, and a lack of proper authentication for firmware updates.” In combination with one another, these so-called “fundamental failures of security” form a hacker’s trifecta, making it relatively simple for attackers to access the systems in question.
Robert Lee, a security researcher and and active-duty U.S. Air Force Cyber Warfare Operations Officer told the Daily Dot, “Anything that the facility is capable of in its natural operating system, you’re [an attacker] capable of doing — and doing damage with if you control the network. With a power station, you can have major repercussions. With a hydroelectric dam, if you don’t monitor processes in a normal situation, it’ll spin out of control. Everything you have can be manipulated.”
While Lee is working with risk researcher Eireann Leverett to address these shortcomings and assuage public fears about such issues, the process is an arduous one. Leverett told the Daily Dot, “All these vulnerabilities are pervasive and endemic. Most vendors haven’t done the basics,” particularly because when the equipment was initially installed, many of today’s threats were simply not yet present in the cybersecurity landscape.
But now that hackings have grown ever more common and robust, the time is rife for a complete security overhaul, especially among companies and infrastructure that need it most. “What we don’t have is awareness,” said Lee. “There is a massive lack of security awareness in the industrial control systems community,” and that’s where attention needs to be focused first.
