In a previous note, I wrote of the critical mass types of cybersecurity disasters concerning the massive growth in IoT devices, which can potentially lead to many devices being attacked and also potentially used to attack other devices through something like a worm.
However, also enterprise attack surfaces could be subject to mass attacks. We know that many enterprise-level devices, such as firewalls, load balancers, and other control systems, are now commonly deployed with web-facing interfaces.
Of course, this is designed to simplify remote management and offer the modern conveniences of the connected world to enterprises. It also can save organizations time and money, requiring fewer bodies to manage large numbers of devices. But this comes with a cost.
What is particularly alarming about these interfaces is that they often control systems designed to protect networks and configure critical infrastructure safety systems. As this recent article states, many of these interfaces are deployed by default, often with default credentials meant to be changed by the user.
A wide-sweeping attack on a given system type could lead to a massive number of protection systems being taken down. Even worse, they could become reconfigured to make them appear to be functioning normally. Meanwhile, an attacker pillages the entire enterprise.
For years we have witnessed the creation of cyber-physical systems that integrate networked computing with physical processes. From an environmental disaster perspective, this can be even worse. If the management interfaces control systems such as fire suppression systems, municipal water supply, or safety systems in refineries, attacking such systems could lead to an ecological disaster. The truth is that many of these systems are very easily exploited once bad actors have access to the network.
In 2014 an attack against a steel mill in Germany led to physical destruction at the mill. The attackers gained access through a spear phishing attack, so a person had to be exploited. If we expose management interfaces to the internet, that human safeguard can be skipped. Systems facing the internet are far more vulnerable to such attacks.
While, in many cases, it might be considered an indirect consequence, I would argue that in industrial environments, a cybersecurity failure can often lead to biological disasters. When we think about this in terms of a cyber-physical attack, we can claim that the cybersecurity issues here are potential physical environmental issues. This link leads us to conclude that the requirements to monitor potential environmental problems, which are currently addressed to a great degree under current laws, could and potentially should extend to cybersecurity issues that may lead to ecological disasters.
Arguing that failures of control systems that directly control the production of either food, medicine, or chemicals can lead to natural environmental disasters may be a way to leverage existing regulatory structures to move this concept from an idea to a reality.
It's a thought worth pondering.