Tech analyst firm Gartner reckons that hackers will have turned computer systems into weapons to the point that they could injure or kill humans by 2025, and that beyond the human tragedy it will cost businesses $50 billion to remediate across IT systems, litigation and compensation.
Past malware attacks, such as Stuxnet, which is believed to have been the work of the NSA, have demonstrated that malware create real world damage, not just scramble data. And cyber-attacks have long had real-world implications such as the ransomware attacks on organizations like Colonial Pipeline and hospitals in the US and Europe. The UK’s NHS struggled for days after the 2017 WannCry ransomware attack, which was blamed on North Korean state-sponsored hackers.
Gartner reckons that by 2025, hackers will have weaponized operational operational technology (OT) environments to “successfully harm or kill humans”.
By OT, Gartner means “hardware and software that monitors or controls equipment, assets and processes.” It also calls them cyber-physical attacks (CPS): examples of that might be attacks on electronic medical equipment or physical infrastructure.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” says Wam Voster, a senior research director at Gartner.
More worrying Voster went on: “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
Gartner breaks down OT and cyber-physical threats into three categories: actual harm; commercial vandalism, which reduces output; and vandalism against an organization’s reputation, which renders unreliable and untrustworthy as a manufacturer.
Gartner expects that the financial impact of CPS attacks that kill or injure people will reach over $50 billion by 2023.
The costs to organizations will be significant and include compensation, litigation, insurance, regulatory fines and reputation loss, Gartner says.
However, it should be noted that this figure is small compared to overall global spending on IT, which Gartner expects to reach $4.2 trillion in 2021.
Fortunately, Gartner does have some practical advice for organizations that control operational technology, such as appointing an OT security manager for each facility, security training and awareness for staff, and testing incident response capabilities.
Given the perennial threat of ransomware, it also urges organizations to implement adequate backup, restore and disaster recovery capabilities.
It also recommends managing portable media, such as USB sticks, that may be connected to OT systems: “Only media found to be free from malicious code or software can be connected to the OT,” it says. Companies need to have a current inventory of IT and OT assets; real-time logs and detection capabilities; secure configurations, and a formal patching process.