
The 10 Most Terrifying IoT Security Breaches you aren't aware of (so far)

Published on 12/05/2016 | Technology


Bill Montgomery

I’m a passionate, high-energy leader with a strong desire to help companies and governments embed ironclad security in their existing or planned Internet of Things products and solutions. My company’s patented schema – think of it as a cryptographic ingredient – can be baked into any IoT offering and much more. It’s economical, easily-deployed, trusted, and social by design. It is secure end-to-end, eliminates digital certificates and greatly simplifies key management. 


Overview

Media coverage has ensured that many people have heard or read about the tremendous number of security breaches that have occurred in the past few years at businesses like Target, Neiman Marcus, Home Depot, J.P. Morgan Chase, Sony and Ashley Madison... In most cases the hacks netted the cyber criminals millions of personal records, like credit card data and social security numbers – the kind of information that would enable identity theft. There’s also been substantial media coverage on connected vehicles that have recently been hacked while traveling at high speed, and many people seem to be aware of the airplane that was hacked while in flight, allowing the hacker to take control of the plane’s flight pattern. What most people aren’t aware of, however, are the numerous breaches, which weren’t targeting individuals as the eventual victim, but were targeting ‘things’. Here are my top 10 IoT security breaches (so far), which you’re probably not aware of.

1. Nuclear Facilities: The US National Nuclear Security Administration, which is responsible for managing and securing the nation's nuclear weapons stockpile, experienced 19 successful cyber attacks during the four-year period of 2010 - 2014. Also, as many of you are aware, in June 2010, Stuxnet, a nasty computer worm designed to attack industrial programmable logic controllers (PLCs), was discovered. PLCs allow the automation of electromechanical processes like centrifuges (which are used for separating nuclear material). The Stuxnet attack was purportedly launched to sabotage the uranium enrichment facility in Natanz, Iran, and many experts believe that Stuxnet destroyed up to 1,000 centrifuges (10%) before it was discovered and removed. Stuxnet, in the view of many, set the template for future attacks not only on nuclear facilities, but on everything that uses PLCs, from factory assembly lines to amusement park rides. (The wild rollercoaster rides that dot amusement parks worldwide just got a whole lot scarier...)

2. Steel Mills: Germany’s Federal Office for Information Security (BSI) recently issued a report that confirmed that hackers had breached a steel plant in their country and compromised numerous systems, including components on the production network. As a result, mill personnel were unable to shut down a blast furnace when required, resulting in “massive damage to the system.” The BSI report stated, “The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes.” (Makes one wonder if this breach was perpetrated by a former, disgruntled employee. That would bring a whole new [chilling] meaning to the term “going postal...”)

3. Energy Grid: According to a June 2015 Congressional Research Service (CRS) report, attacks on the U.S. power grid system are “increasing,” with hackers stepping up efforts to penetrate critical systems and to implant malicious software that could compromise the power grid and result in a nationwide crisis. Attackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014. (What really took down the Northeast power grid in Canada and the US back in 2003? The blackout was attributed to a software bug in the alarm system. Was it really a “bug?” Or, could it have been a virus embedded by a dangerous cybercriminal?)

4. Water Supply: I had mistakenly referenced false reports on an Illinois water pump hack from 2011 and John McNabb was kind enough to correct me. Thank you John. Read about the comedy of errors that led to the false ‘Water-Pump Hack’ Report.

5. Hospitals: Recently a news bulletin revealed that hackers had broken into the massive hospital network of the University of California, Los Angeles, accessing computers with sensitive records of 4.5 million people. That is worrisome, but it seems that the public reaction is akin to news about other reported cybercrimes that have led to the extraction of personal records. Joe Public said, “It feels like a daily occurrence, and unless I’m personally impacted, I don’t really care.” (I get that, and maybe it takes something even more personal to raise Joe’s concern level when it comes to a hospital being hacked. How about this, Joe?) In an unprecedented move, last month the US FDA directed hospitals to stop using Hospira's Symbiq Infusion System because it can be remotely accessed by hackers, allowing the unauthorized user “to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.” (Imagine resting in a hospital bed and being attacked by an invisible enemy thousands of miles away...)

6. Building Infrastructure: The Department of Homeland Security recently disclosed a 2012 breach in which cybercriminals managed to penetrate the thermostats of a state government facility and a manufacturing plant in New Jersey. The hackers exploited vulnerabilities in industrial heating systems, which were connected to the Internet and then changed the temperature inside the buildings. (On the surface, that might seem harmless, but think about the damage that cybercriminals could do with unfettered access to the controls that govern most major buildings today. The smart building might not seem so smart if for example, the bad guys activate the water sprinkler systems in a data centre or mess with the elevators.)

7. Oil Rigs: According to a 2014 Reuters report, hackers shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again. The report notes that while the number of known cyber attacks at sea is currently low, the industry is likely to become a serious target due to its size and scale: 90 percent of global trade is estimated to be sea-bound, and increased container ship size means that company losses could exceed $1 billion for a single vessel. (Picture a cruise ship being hacked and sent in a direction that would leave its passengers “lost at sea” with no way of returning to port under their own power.)

8. Firearms: TrackingPoint makes a smart rifle that lets you digitally "tag" a target, and then locks the trigger until the gun is perfectly positioned to hit it (from up to a half mile away). It also connects to smart phones or tablets so a buddy (or accomplice) can view what the shooter sees in the scope. Now, security researchers have discovered software flaws in the computerized rifle. Anyone near enough for a Wi-Fi connection to a rifle can remotely tinker with its controls. In the worst case, a hacker could force a police sniper to miss while shooting directly at a hostage-taking criminal -- and hit the hostage instead. Or a hacker could simply lock the rifle's controls, rendering it useless. (Now, imagine all law enforcement weapons connected in the emerging IoT world - and all easily hacked by the bad guys because the manufacturers embedded dated [or no] security. It’s not a pretty picture.)

9. Airplanes: I did refer to the serious breach of an airplane while in flight earlier in this post and hadn’t intended to provide much more insight into this breach as I referred to it in an earlier blog. But something is bugging me, so I have to throw it out there. Debris from the wreckage of Malaysian Air Flight MH370 has now been discovered, indicating that the plane and its 239 passengers went down in the Indian Ocean. What’s still unknown is what caused the plane to alter its flight path. The investigations into the pilot, co-pilot and other crew members turned up nothing to suggest that they were responsible for the crash. So, what then? (Could this be a case where somebody hacked into the aircraft controls while on the flight or from afar, and took the plane down? That is a terrifying scenario that nobody is talking about. Well, maybe Chris Roberts - the guy who commandeered the United Airlines Flight after hacking into the flight control system through the entertainment system and who also claims to have altered the temperature on the International Space Station.)

10. The Kitchen: Yes, one might argue that this is not as big a threat as the first 9 breaches on this list, but I just couldn’t resist adding it. After all, we are talking about a place associated with one of the key components of the physiological layer in Maslow’s Hierarchy of Needs – food. This breach that recently occurred in the UK boggles the mind. Hackers attacked IoT-connected devices in kitchens across the country, with almost comical outcomes. Smart toasters are forcing consumers into reconsidering eating habits by refusing to toast any bread that isn’t considered ‘healthy’. Smart fridges and freezers across the UK are shutting down as soon as ice cream is detected. (The message is abundantly clear. Leave that white bread on the grocery store counter and stock up on whole wheat, and while you’re there, put down those high-fat/high-calorie frozen goodies in favour of good old wholesome fruit.)

So, what do these horrific breaches have in common? The devices hacked were “things,” which in my view foretells a dangerous situation going forward if we don’t collectively adopt better security technology for the IoT that is inherently impenetrable. (Translation: if we’re relying on yesterday’s technology to protect the emerging IoT world from cyber-invasion, we are in trouble. The path for IoT security must be identity-based, provide authentication and eliminate the requirement to manage tens of billions of certificates. Luckily, there is technology that does all this - IBE 3.0.)

IBE 3.0 is patented as Certificate-less Authenticated Encryption (CLAE) by Connect in Private. While positioned as ideal for IoT, IBE 3.0 is a security ingredient that can be baked into any existing connected solution, replacing dated, broken technology.

For more information on IBE 3.0/CLAE, please connect with me on LinkedIn.

This article was originally posted on LinkedIn.
