In a world where more and more processes are connected, the risk of cyber-attacks against critical infrastructure increases. Sweden is a country with a lot of nature and relatively accessible public networks. With the ease of connecting almost everything today, the risk is that security takes a back seat, and we open the back door to the wrong visitors.
Thousands of IoT-attacks every day
Every week we are exposed to 100,000 cyberattacks in Sweden alone. In the first half of 2021 alone, there were 1.5 billion attacks on IoT devices, and this trend will not slow down on its own. There are plenty of examples of attacks in the present day. We have heard of municipalities in Sweden being exposed and forced to be offline for days. The supermarket Coop was offline out for several days.
Internationally, there are many significant attacks worth mentioning. Here are a few. At the end of June 2017, Ukrainian organisations, including banks, ministries, newspapers and electricity companies, were hit by malware attacks. Shortly afterwards, similar malware infections were reported in European countries, Australia and the US. Hackers permanently damaged large numbers of computers. Hackers deleted essential data. Many organisations, including Chernobyl radiation monitoring systems, banks, airports, and the metro, were affected.
In 2016, 250,000 were left without power
A week before Christmas 2016, hackers attacked the power grid in Kiev, shutting down a fifth of the grid’s capacity. Just an hour later, capacity was restored. This outage didn’t damage the country that much, but experts say it was just an exercise to see how much damage could be done to the power grid. Back in 2014, a similar incident was discovered in the US, but it never caused any damage.
Okay, these numbers are not current, but the threats we face every day are just as relevant. New mobile devices can be quickly located by automated BOTs pinging IP addresses connected to mobile networks, for example, until a device responds. The BOT then attempts to gain access to the device by logging in with known default usernames and passwords. This kind of attack can be executed remotely in just a few minutes the first time a router attaches to the mobile networks.
Cyber attacks in the process industry can be severe
Here in Sweden, the process industry accounts for almost half of Sweden’s net exports and is thus a success factor for the Swedish factory. With the advent of the internet of things, the process industry is moving from monitoring and controlling its processes to ensuring that different systems and functions interact. The systems are found both within and outside its organisation. It is practical to be able to see entire processes and have systems interconnected, but new ways of working require new technology and new security solutions.
The process industry is, of course, essential to us. So are water, sewage and electricity. These are targets for hackers who want the bragging rights for the next disaster.
My advice to those of you who are thinking about digital upgrades: the new ways of connecting machines and processes are inspiring, and I urge you to keep up with the trends. I think you should jump on the bandwagon. But don’t let security become a tick box in a tender document. Make sure security is a central part of your procurement.
Then I strongly recommend sticking to encryption between the system’s endpoints and basing your design on hardware that follows open standards. There are magic encryption boxes on the market with proprietary systems. The problem with proprietary solutions is that security vulnerabilities will not be widely known. So I think you should look at another solution. An open and popular standard will be updated safely for another ten years. The magic encryption box may stop being produced if you are unlucky. Proprietary systems always carry a risk. I assess that the future is connected, and I know it holds many possibilities.