Monday, November 26, 2012

Thoughts on the Explosive MI6 OT Breach in Skyfall


Have you seen the new 007 movie yet, the third of the series that features Daniel Craig as Bond? It's called Skyfall, and one of its key plot drivers occurs when the evil mastermind blows up part of British spy headquarters, MI6, in London, with a handful of deft keystrokes. By the way, OT in the title of this post = Operational Technology, as differentiated from business information technology or IT.

Stuxnet this is not, but it is clearly depicted as a cyber attack on physical assets, and others who have weighed in on the plausibility/authenticity of this depiction (see HERE and HERE) cannot help but point to Stuxnet as the real-world proof of concept.

To free up more time for mayhem, Javier Bardem's well-played psychopath might have started with Shodan, the online search engine that helps both good guys and charismatic bad guys quickly locate internet-connected control systems.

The SimplySecurity site provides some good context for all of this:
"Between 2005 and early 2010, when Stuxnet was first discovered, analysts observed just nine confirmed ICS or SCADA vulnerabilities. That figure suddenly spiked to 64 vulnerabilities in 2011, while an additional 98 were highlighted in the first eight months of 2012. What's more, 50 of the exploits discovered between 2011 and September 2012 were freely published across cybercriminal forums. As report authors noted, these security loopholes could compromise everything from public transit systems and water supplies to gas pipelines and nuclear power plants. And with more than 40 percent of the observed ICS/SCADA systems containing components that face the open Internet, film fiction could quickly become regrettable reality. Just this month, Chevron became the first U.S. company to admit that its systems had been infected by a mutation of the Stuxnet virus."
Chances are, evil geniuses will have better luck targeting SCADA and control systems in water or gas utilities, where cybersecurity has been given less attention than at the British equivalent of the CIA. And should they target environmental control systems in government buildings, it's possible but unlikely that they could cause explosions that will kill multiple persons and create fireballs that will blow the walls off (as above).

Nevertheless, the risks and potential harms involved with operational technology (OT) cybersecurity are substantial, and merit everyone's prompt and continued attention ... right after the next martini, that is.

Photo credit: Business Insider