By Dr. Randy Boyle, Associate Professor of Information Systems & Security
We’ve all seen hacker movies that feature utterly preposterous situations and technology. We’re looking at you, Hackers, Swordfish, and The Net.
But Blackhat, a high-tech Bourne-type thriller is surprising plausible, and seems almost rooted in reality.
The plot is fairly straightforward: formerly incarcerated Nick Hathaway (Chris Hemsworth) is pitted against a malicious hacker causing nuclear disasters, stock market crashes and other mayhem. If Hathaway catches this “blackhat” hacker, his criminal record is wiped. The chase is on, and it makes for an exciting movie.
The thing is: the situations described are very real, and even likely. Some of them have already happened.
SPOILER: Don’t read further if you want to stay away from movie details
SCADA Systems
In the movie, a malicious hacker (called a “blackhat”) infiltrates industrial computer systems and plants malware to take control of critical internal infrastructure. These systems are typically referred to as SCADA (supervisory control and data acquisition) systems, or industrial control systems, and they run everything. We’re talking power, water, oil, communications, manufacturing, transportation—basically everything that keeps our economy moving. In the real world, defending these industrial control systems is a major concern for U.S. security agencies.
At the start of the movie the blackhat uses his malware to force a water pump failure at a nuclear power station. This results in a reactor meltdown. Sensational for sure, but how likely is it that something like this could happen? Well, it already has.
Stuxnet
In 2010 thousands of nuclear centrifuges at Iran’s Natanz uranium enrichment facility started to spin too quickly and were damaged, and the country’s nuclear enrichment program experienced significant setbacks. The cause behind the damage turned out to be a piece of custom-written malware named Stuxnet.
Stuxnet was probably written by the United States or Israel. It likely spread to the Natanz computer network via an infected USB drive, and was written such that it would only deliver its payload if it was on a computer in Iran, running a specific type of industrial control software, and was using variable-frequency drives. This was software written for a very specific purpose—to slow down Iran’s ability to make a nuclear bomb.
Just like in Blackhat, custom-written malware can be used to damage critical infrastructure. It’s difficult and expensive to do, but it has happened. It’s also probable that these types of events will occur in the future.
And if you think we’ve got a handle on cyber security, you need only look at news reports of data breaches at Target, Home Depot, Adobe, JP Morgan Chase, Ebay, TJ Maxx, the US military, or the 2014 Sony data breach—the largest hack in history—to know that the fight is ongoing.
Internet of Things
The vulnerability of industrial systems becomes even more concerning when you consider the Internet of Things. IoT is the idea that more “things” (like centrifuges, water pumps, heaters, air conditioners, eye glasses, watches, refrigerators, etc.) are going to have the ability to connect to networks. They’ll be able to send and receive data, receive updates and be remotely configured.
From a consumer’s perspective, this is great news! Everything will be smart, just like your phone. The great thing about smart phones, of course, is that they operate more like a pocket-sized computer than simply a telephone. The downside: they’re also a lot more vulnerable to blackhat hackers.
Blackhat deals with larger threats to national security, but what if hackers decide to target individuals: What happens when your new smart car or smart house gets hacked?
No, all you luddites out there, the answer isn’t to abandon all technology and stick with “dumb” things. The answer is to build security into products (software with security in mind), behave more securely (why would you ever put a strange USB into your computer?), follow reasonable security advice like using strong passwords and support laws that strengthen the security of critical industrial systems.
The movie gives us a realistic look at the vast implications of cyber security threats—threats that are more real that most people probably realize. Which could make the movie not so much a thriller but a horror film.