Daniel dos Santos told express.co.uk that vulnerabilities found in “operational technology” (OT) could give hackers access to things like automatic door systems in airports and schools or even control the heating and air conditioning in hospitals. Mr Santos is the Head of Security Research at the cyber security company Forescout.
Mr Santos warned that OT controlled everything from manufacturing to commercial shipping and many of the systems were vulnerable to attack.
Attackers don’t need to hack into these major systems to cause havoc, however. Forescout found major vulnerabilities in building automation controllers – a tech term for things like automated thermostats and security door controls.
Mr Santos said: “If it is a device that is controlling the HVAC – the heating, ventilation, the air conditioning – if it has a temperature set point and it’s supposed to keep that specific set point, an attacker could hack that and change that setpoint.
“You could turn the heat way up or turn the temperature way down, depending on the scenario.”
Mr Santos suggested that hospitals could be particularly vulnerable to this type of attack.
He said: “Hospitals have to be kept cool for a reason right? To prevent the spread of airborne infections and to keep biological material or vaccines at a certain temperature.”
Mr Santos said that the vulnerabilities were not easy to fix and that many of the devices would need to be taken offline for some time or replaced altogether.
He said many of the outdated devices may not even have a username and password, leaving them severely unprotected.
He said: “We can also mention incidents like the Oldsmar attack in the beginning of 2021. It was a smaller water treatment facility where somebody had access to a human machine interface that was controlling the level of chemicals in the water, chemicals that are used for water treatment.
“The attacker could change and, basically, drive the levels way up. In that specific case the operators could see the changes and revert [the changes].”
He noted that in other cases the hackers may have gone undetected, causing serious damage.
The attackers in the Oldsmar attack specifically increased the levels of sodium hydroxide, otherwise known as caustic soda or lye, in the water to extremely dangerous levels.
Mr Santos added: “There are a lot of things going on. Many of them do become public knowledge in terms of large nation states, big cyber criminal activity, but many others fly under the radar and people don’t become fully aware of those attacks.”