Cybersecurity is making waves in the news again with a number of high profile hacks happening around the world. Chemistry World first reported six years ago that network security experts were warning critical control systems at chemical plants – and other important infrastructure – were vulnerable.
Fast forward to today and incidents targeting industrial facilities are no longer a hypothetical scenario. The stuff of fictional dystopian futures is now a reality. We’ve seen attacks on critical infrastructure such as power stations in Ukraine, chemical plants in Saudi Arabia and Europe, and last year parts of the US government were hit by the SolarWinds hack.
In recent weeks we’ve seen other kinds of attacks, including attempts to steal data on Pfizer’s Covid-19 vaccine – blamed on North Korea – and the unauthorised access and encryption of grant application files at umbrella funding agency UK Research and Innovation. Most worrying of all the control system of a water treatment plant in Florida was broken into and the amount of sodium hydroxide that is normally added to the water supply was increased 100-fold. One chemical engineer estimated that the pH of the water could have risen to in excess of 12 making it dangerous to drink. Fortunately, this attack was caught by a quick-thinking plant operator on site who sounded the alarm.
So what can be done? As with any multi-faceted problem there’s no silver bullet to see off the threat. We can, of course, all play our part by brushing up on good network security hygiene – checking email attachments, using strong, unique passwords and two-factor authentication on important accounts. But with so many breaches the result of bad actors exploiting flaws in software the need for action goes beyond the individual.
Around the world industrial facilities such as chemical plants are already taking this problem seriously too. However, the rise of remote working in response to the pandemic has offered attackers new avenues into critical systems. This was the case in the hack of the Florida water plant, and it was avoidable: the backdoor for remote access hadn’t been secured or even used for six months. So while personal and private responsibility for this problem matters, governments must step in to plug one of the biggest acknowledged holes: public infrastructure, such as water treatment plants, often have little or no expertise in network security. Governments’ other important role is simply getting all the stakeholders around the table. Let the talking begin.