At the 2022 Pwn2Own ethical hacking competition, two security researchers breached ICONICS Genesis64, software that operators use to run industrial machines, in mere seconds. In contrast, it took them three weeks to hack an iPhone back in 2012.

Considering that major, multimillion-dollar companies and industries own these applications, many are surprised to learn that they are much easier to attack than most modern smartphones.

So why is our critical infrastructure in danger? And why does upgrading it take so long?

A Brief History of Targeting Critical Infrastructure

In the past, cybercriminals typically attacked individual users or general private businesses. And while these attacks were a cause for concern and led to millions of dollars in damages, they usually didn't earn the attackers much.

However, recent developments like the Colonial Pipeline and JBS Foods ransomware attacks showed that systems critical to public order and safety are more likely to be profitable. Furthermore, aside from monetary gain, cyberattacks on critical infrastructure can also be politically or militarily motivated.

For example, hours before Russia invaded Ukraine in 2022, there were several attacks on Ukrainian cyber infrastructure. These were designed to destroy or hamper communications between government units. Another example is the Stuxnet computer worm, which was intentionally deployed to attack a uranium enrichment plant in Iran.

Who Hacks Key Infrastructure?

Several groups have claimed responsibility for recent ransomware cyberattacks. These include DarkSide (Colonial Pipeline), Conti/Wizard Spider (UK's Health and Safety Executive), and Egregor. Most of these groups are made up of private individuals who are mostly after profits.

The other, more dangerous kind of hacker is the one sponsored by a nation-state. These operators target other nations' critical infrastructure so that their home country can gain an advantage on the world stage. They can even use their skills to attack private companies they deem a threat to their sovereignty, like North Korea's alleged attack on Sony in 2014.

Why Infrastructure Is Easy to Target

Unbeknownst to most of us, many industrial systems are horribly outdated. While most consumer computers now run Windows 10 or Windows 11, you'll find systems in factories across varying industries still running Windows 7, or worse, Windows XP. This means their operating systems are highly vulnerable, with several well-known security holes that will never be patched.

And while many of these systems are air-gapped, meaning they're not physically connected to the internet, a careless employee who plugs an infected laptop or USB drive into the network can still take the system down.

The Challenge With Updating Systems

Unfortunately, updating all these systems isn't as easy as downloading updates from Microsoft and restarting computers. First of all, as the name suggests, this is critical infrastructure. That means it can't go offline at all. Consider this: what would happen if all the traffic lights in New York City went out for an hour because of an update? That would be utter chaos.

Another issue critical systems must contend with is that they are generally specialized or run embedded operating systems. That means no one-size-fits-all update will work for an entire swathe of industry. For example, nuclear power plants constructed by different companies will use different hardware, so a hardware update at one plant will not work at another.

Also, the air-gapped protection of these systems is both a blessing and a curse. While it protects the system from external attacks by ensuring that you have to be physically connected to it to access it, it also means that suppliers can't easily push updates to it. So, if a hardware supplier creates new firmware for a factory with six different locations nationwide, its employees must physically travel to each site and install the update manually.

One other thing companies must deal with is specialized equipment. For example, say you're a food manufacturing company and bought a supply chain system running on Windows XP in 2009. Unfortunately, the company that provided your system has since closed. You don't have the budget to buy new supply chain management software, nor do you have the time to retrain your personnel. This is how companies end up with computers running Windows XP well into the 2020s.

How Are Consumers Affected by This?

As a consumer, you might think that this is not your problem. After all, you're okay as long as you can get to where you're going and your life isn't disrupted. Unfortunately, this couldn't be further from the truth.

Consider the Colonial Pipeline attack. Although the damage was limited, the ensuing panic caused long gas lines at several stations. CNBC reported that airlines at Hartsfield-Jackson Atlanta International Airport, which Colonial Pipeline directly supplied, had to fly in extra fuel from other airports to supplement the local supply or make extra stops to refuel on long-haul flights.

While the incident didn't cause delays in the system, it would have caused a significant problem if it hadn't been resolved within a week.

Another example is the cyberattack on Ukraine's power grid in 2015. This incident put half of the Ivano-Frankivsk region in the dark for six hours. While such attacks cause inconvenience and monetary losses in normal times, they could have far graver consequences when executed before an invasion.

What Can We Do?

Unless you're a senior executive in one of these specific industries, there isn't much you can do as an individual to fix this issue. You can make your voice heard by reaching out to your congressional and senate representatives in their offices, but that's about it.

But if you're a board member or C-suite executive in any of these industries, it's high time you review your company's cybersecurity systems. While upgrading your infrastructure and machinery might be costly, an attack on your most vulnerable systems would be far more expensive.

When you upgrade your hardware, you not only patch potential vulnerabilities in your system, but you also get the chance to run a more efficient operation.

We Must Protect Our Critical Infrastructure

The breach of ICONICS Genesis64 shows that it's not enough to react to every cyberattack on our infrastructure; instead, we should be proactive in finding vulnerabilities and fixing them. If we let cybercriminals and other actors have free rein over our industries and utilities, the damage they cause could be far greater than the cost of keeping our systems safe.