The Terminator movies depicted a scenario where AI decided to exterminate humans to bring peace to the world. And now Gartner has announced that such an apocalyptic vision of the future might not be too far off the mark — at least on a small scale. The firm has introduced the concept of malware that is built to kill people, known as killware.
“Weaponized software-defined threats and attacks have been occurring for some time on non-operational and operational life-dependent, and critical safety assistances systems and technologies,” said Greg Schulz, analyst with StorageIO Group.
“From what appear to be standalone vehicles, systems, command control, sensors, monitors, SCADA and the wide world of IoT devices, to the seemingly innocent electronic doorbell web assistant that can order and do things for you, all are vulnerable.”
Dangerous Malware Is Nothing New
There are more than a few historical precedents for life-endangering malware:
- The Maroochi Shire incident in 2000 in Australia, where hackers managed to spill raw sewage into the local rivers
- Stuxnet in 2009, where malware caused breakdowns in nuclear energy processes
- Industroyer in Ukraine in 2016, which cut off power to the city of Kiev
- Triton malware in 2017, which impacted the OT systems of a Saudi Arabian oil refinery and disabled the safety system designed to shut down the plant in case of a hazardous event
- Most recently, the attack on the city of Oldsmar water supply system in Florida
“What’s new and different from in the past are that electronics and technologies, both of which require hardware and software, have become commonplace and more sophisticated, as have the software defined attacks on these edge and end-point devices, Schulz said. This introduces new vulnerabilities and risks to users.
He pointed out that the channels of entry into the enterprise have multiplied of late, as has the opportunity for mischief. If something has a battery, plugs into a wall outlet or is otherwise networks and can control or command things, it can be a point of vulnerability and pose a safety risk.
Malware Causes Death Indirectly — for Now
In one case, a patient at University Hospital Düsseldorf, died in the aftermath of a ransomware incident. The malware didn’t directly cause the death by some means such as shutting down vital medical equipment. Instead, it caused the hospital to close, and patients to be transferred elsewhere. On the way, the person passed away.
Gartner gives it a few years before such efforts will be stepped up considerably.
“The world has seen real incidents where events originating in the digital world had an impact on the physical world,” said Wam Voster, an analyst at Gartner. “By 2025, cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.”