A USA Today reporter recently interviewed the guys who hacked the Jeep Cherokee last year. One of the white hats said something that was particularly distressing. He said that he wrote “four lines of python and owned [had access to] 1.4 million cars.” What gets me is not that he did it (he revealed their hack to Fiat/Chrysler before publishing), but that a hunk of metal traveling down the road at 60 or 70 miles an hour – something in which I transport my children – was manufactured without any real thought to cybersecurity. If cybersecurity were a design consideration, then surely it would take more than four lines of code to get into the car’s systems.
Unfortunately, car manufacturers are not alone in their myopic view of cybersecurity. I was recently on a plane heading to San Francisco to speak about the very topic of cybersecurity at the AFPM (American Fuel & Petrochemical Manufacturers) Annual Meeting. As I looked up from my seat, I wondered if there were any hackers on board who were willing to break into the cockpit control systems, as was allegedly done last year on a flight. Why have we not adopted a better cybersecurity approach within our manufacturing sector? Please tell me we don’t need a hack similar in magnitude to the Target one (but with lives lost instead of financial losses) before companies take this seriously.
Of course, I’m not the only one with this concern. We hear it voiced in our conversations with every customer and at every conference. At the 2016 ARC Industry Forum, there was a lengthy panel discussion about where to invest in ICS cybersecurity when most risk scenarios are characterized as low probability but high impact. PAS founder and CEO Eddie Habibi rightly said you need to approach these just as we always have – by assessing ICS cybersecurity from a safety and risk perspective. When you look at the individual risk scenarios in aggregate, it is difficult to argue for an approach that ignores applying basic principles of cybersecurity such as inventory, patch, and configuration management to the proprietary control systems (where building cybersecurity into 10- to 25-year-old systems simply is not an option). It is clear that such measures directly address the risks presented by malicious attacks – not to mention those from engineering mistakes. With safety absolutely in the crosshairs, how much more time do we want to give the bad guys targeting industrial control systems to write their version of “four lines of python”?