On 14 August 2003, residents of two major cities in the USA and Canada, New York and Toronto, could never have predicted the blackouts that were about to befall them. In a matter of seconds, power stations shut down with cascading effects. Phone lines and water systems failed, and thousands of people were trapped in elevators and subways. What was the cause?
Just three days earlier, someone released one of the most damaging computer viruses ever written. The virus was called 'Blaster', and was written by Jeffrey Lee Parson, who was then 18 years old. It was a new type of virus that did not require other programs or human activation. Whether the Blaster virus caused the 2003 blackout remains a contentious issue, but after the incident no one doubted that online viruses can cause real-life damage. These types of online viruses propelled themselves and were self-activating. For a computer to be infected, it simply had to be connected to the internet. This increased the chances of cyber-attacks hitting, without notice, computers that control critical infrastructure.
If there is evidence that connecting critical infrastructure to the internet is putting it at risk, why not leave it unplugged?
The answer is that organisations are looking for business efficiency. Transnet, a South African state-owned company that manages national rail, ports, and pipelines, like many other firms in the sector, introduced the Navis container operating system.
The system is proprietary software that helps port operating companies optimise the releasing and accepting of containers. Without this system, port operators would have to use paper-based systems to clear containers between the sea, yard, and land sides of the ports. The paper-based system increases the time that containers spend in one section of the ports. Thus, digital systems that reduce this dwell-time are sought after.
The urge for efficiency through digitisation of business operations and processes has, however, opened opportunities for hackers. From as early as 2000, hackers have been attacking the internet with impactful tools. Michael Calce, also known as Mafiaboy, from Toronto, Canada, is one of the notorious hackers of that time. He developed a program that attacked the Yahoo website at a time when the internet company was at its peak, generating a significant amount of revenue from its online business.
On 07 February 2000, Calce harnessed the power of powerful computers and released an online virus that made an inordinate number of requests to Yahoo's servers. The heightened traffic eventually crashed Yahoo's servers. This form of attack is called a denial-of-service attack and is one of the oldest cybercrime strategies. Hacking is now growing because it is also a lucrative business. Unlike in the past, when hackers were just eager to display their skills, they are now using their skills to extort cash from big businesses.
Recently there have been many incidents of new types of cyber-attacks accompanied by ransom demands. The WannaCry ransomware attack is arguably one of the most severe cyber-attacks against individuals and organisations. In 2017, an online virus from Asia took the world by storm for a duration of four days. It encrypted the data of organisations and then required a ransom payment from the affected company to decrypt its data. The program targeted a known weakness in the Windows operating system. At the time of the attack, many businesses were still assessing whether the new Windows updates that closed the vulnerability were compatible with their systems before updating. The WannaCry ransomware infected more than 230,000 computers across 150 countries. Users were required to pay a ransom of $300-$600 in the bitcoin cryptocurrency.
At the end of the attack, big companies such as Nissan and Renault announced that they had to put their business operations on hold. Companies usually do not provide detailed reports about cyber-attacks. To date, details about Transnet's cyber-attack remain scant. The attack could be a result of a computer, operating system, or network vulnerability. Further, the type of attack could have been one of the attacks shown in the diagram above.
Companies do not share these details because they want to minimise the reputational damage and legal liability they may suffer if they disclose more details. They can lose their customers' trust for their inability to build robust systems that are secure against cyber-attacks. Finally, it will be within their clients' right to make claims for their losses if it is found that the fault was with the company concerned.