A new report turns cyberpunk into cyberreality.
It’s the plot line of many movies – but it would well be a reality quicker than we think. A new report by Gartner forecasts that cyber attackers will have weaponised operational technology (OT) environments to successfully harm or kill humans by 2025. The rise of the robots has long been a fear presented in Hollywood blockbusters that show runaway technology damaging all that goes before it, but the reality appears to be catching up to what was previously thought of as science fiction or a cyberpunk future.
So prevalent and present is the risk that Gartner advises that the looming future potential is more of a worry than information breaches and thefts for large organisations concerned about their place in the world. It’s the attacks of tomorrow that we need to prepare for today.
“In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” said Wam Voster, senior research director at Gartner. “Inquiries with Gartner clients reveal that organisations in asset-intensive industries like manufacturing, resources and utilities struggle to define appropriate control frameworks.”
Targeted cyberweapons
We already call the tools used to launch present-day attacks on infrastructure cyberweapons, and incidents like the Pegasus breach by NSO Group have been highlighted as an example of Israel’s Uzi diplomacy for the modern era. (Israel managed to build its presence on the global stage in decades past by selling its new type of machine gun to competing powers, and there are those who believe it is doing the same in the 21st century with cyberwarfare weapons.)
So far, such offensive cyberattacks have had – at best – tangential connections to real world ramifications.
Relatives of the murdered journalist Jamal Khashoggi were found on databases of those victims of the Pegasus attacks, with the implication that the two things may have been connected. And attacks against physical infrastructure that were launched through cyberattacks – such as the taking offline of Iranian nuclear enrichment facilities by the Stuxnet worm – have perhaps taken offline key sources of power that have disrupted people’s lives, but not likely ended them.
Gartner’s pessimistic and fearful forecast for the future estimates something different is happening. That there is a step change in cyber offensives that could have real world ramifications and end people’s lives directly as a result.
What is the goal of such attacks?
Security incidents in OT and other cyber-physical systems (CPS) have three main motivations, say Gartner. The first is actual harm to people or organisations, the second is what they term commercial vandalism (reduced output), and the third is an attempt to wreak reputational vandalism – that is, making a manufacturer untrusted or unreliable so that they are unable to do future business.
The first such approach – actual harm – could be a highly costly exercise, Gartner forecast. The financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. “Even without taking the value of human life into account, the costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant,” they say. That’s before even getting into the idea of attribution and apportionment of blame for letting such an attack happen.
Gartner believe that CEOs will be personally liable for each and every death.
As a result, Gartner say that organisations and those leading them need to take off the rose-tinted glasses and wake up to the reality of the world in which they are living. They need to ensure that they are adequately prepared to tackle any issues should they arise, and to head off cyber incursions that result in real-life death and destruction ahead of the 2025 deadline the company forecasts is likely for such incidents to become commonplace. The company’s OT Security Control Framework contains a 10-step plan for people to avoid the pitfalls likely to befall those who don’t prepare adequately.
