There’s already been a very real-world application to the kind of sophisticated hack necessary to do this in the Stuxnet attack on Iran’ nuclear program. Stuxnet, which many believe may have been an attack by another nation given the military-grade cyber-attack, has already been replicated in laboratories without the necessary resources of a nation backing them. The ease with which some malcontents could cobble together a devastating hack has the world’s cyber-security professionals lying awake at night, thinking about the vulnerabilities of water systems, power grids, and infrastructure that now depend, wholly or in part, on computer systems.
One of the biggest hurdles for these would-be apoca-hackers is somehow remotely controlling a “controller box”, or the computational nerve center of heavy machinery of water turbines to nuclear coolant tanks. With the advent of Stuxnet, all of that changes. Stuxnet hacked into controllers in Iran’s nuclear facility’s turbines, telling them to turn so fast that they actually damaged the physical equipment to the point where the entire facility shut down. Stuxnet revealed to everyone, cyber-security professionals and hackers, the incredibly weaknesses of most controllers. The ones in question were developed by Siemens AG, one of the largest providers of heavy-equipment controllers in the world, and were found to have a number of vulnerabilities including weak password protections.
Security researcher Dillon Beresford reported that he was able to find over a dozen vulnerabilities in the same type of controllers with only two-months and about $20,000 of equipment. That’s 60 days and a small business loan for a maliciously-minded hacker. Siemens has reported that that issue is primarily with older controllers, and they are working with the Cyber-Security arm of the U.S. Homeland Security Department to address the problem. It should be noted that other controller issues were found in the Southern California Power Company, which serves some of the largest metropolitan areas in the country. These controllers, however, were not Siemens, which indicates an industry-wide problem with easily-hackable heavy-equipment controller boxes and very vulnerable large-scale infrastructure.