Beyond being scary, inconvenient and expensive, the ransomware attacks that have hit New Zealand to date - from Lion to Fisher & Paykel Appliances to the Reserve Bank to the Waikato DHB - have all had one thing in common.
The hackers have targeted an organisation's IT systems, Dr Simon Lovatt said. That is, the computers that control the likes of ordering and management systems.
But Lovatt said it is only a matter of time before hackers infiltrate infrastructure and manufacturing systems with potentially dire consequences.
The startup Lovatt chairs, First Watch, has designed a cyber security system to protect vital infrastructure like electricity lines and waste water systems, plus major manufacturing facilities, from cyber attacks.
He said it could save those running critical infrastructure from paying millions in ransom to hackers - as Colonial Pipeline in the US experienced in a May cyberattack that led to a regional emergency declaration for 17 states and Washington, D.C., to keep fuel supply lines open - or from people suffering days or weeks of disruption to the likes of power or wastewater while industrial control systems are reset and restored.
The systems that run established infrastructure are often decades old. "The first rule of big infrastructure is, 'If it ain't broke, don't fix it'."
The industrial control systems used to run the likes of dams and gas lines often look like they're from the set of a 1950s movie, but they work - and they've had the tremendous cyber-security benefit that they were developed in pre-internet times. They're standalone, and offline. Or, they were.
In the age of cloud computing, infrastructure control systems are increasingly being connected to other systems like accounting and ERP, and through those, to the internet.
"It all makes great sense from an efficiency perspective," Lovatt said. "But at the same time, it's making things more vulnerable." Many have already digitised and connected control systems to the internet. Within a couple of years, it will be common.
Already, control systems for hydroelectric power plants in the US and Norway have been compromised, along with those of multinational beef producer JBS until it paid a US$11m ransom.
First Watch was born out of research at Waikato University, and has been spun out of the varsity's commercialisation arm, WaikatoLink (of which Lovatt is a director), with support from KiwiNet, which helps to commercialise research and development from universities and Crown Research Institutes.
WaikatoLink has a minority stake in First Watch, and most shares are held by the startup's commercial partner, the Hamilton-based CTEK Combined Technologies - the largest locally owned installer of industrial control systems.
First Watch's launch comes as companies are increasingly faced with paying millions of dollars in ransom to cyber attackers.
Pilots have recently been completed with a local wastewater utility and a major manufacturing industry player, and Lovatt said First Watch is now in discussions with various NZ water and energy companies, as well as other manufacturing companies.
Potential clients in Australia, the US and Southeast Asia are also in talks, Lovatt said, and the Government Communications Security Bureau (GCSB) has been monitoring developments and is in discussions with First Watch over its technology, too.
He does concede that First Watch is not the first to this party, however.
"There are quite a number of competitors," the chairman said.
"They have two major strategies: protecting the periphery of a company and stopping the bad guys from getting in, or monitoring traffic to detect suspicious activity inside the network.
"But sufficiently persistent attackers will always get in eventually so protecting the periphery is no good, and monitoring network activity throws up lots of time-consuming false positives."
First Watch's system loads a generic piece of security hardware with its custom software.
"Our approach locks down the core of a control system, thereby making it essentially impossible for the system to do anything other than what it was originally intended to do.
"It also makes it more difficult for a legitimate user to make a change to the system. But our pilot customers think that that's a worthwhile trade-off."
He elaborates. "First Watch was designed to work at the core of an industrial control system, creating a zero-trust environment, scanning for any data that should not be on the system and refusing to respond to it.
"It stops the system doing anything different than its day-to-day operations unless any new directions are fully and properly authenticated."
The system was also designed to take a complete inventory of all assets on a network and identify any that have not been updated or pose a risk.
"That's important because staff might connect to the system from a laptop at home and unknowingly introduce a virus," Lovatt said.
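As an added illustration of the allowlist, or zero-trust, approach Lovatt describes (this is example code written for this article, not First Watch's software, whose internals are not described here), the filter below holds a baseline of which known hosts normally send which Modbus/TCP requests to a controller and refuses everything else: unknown hosts, function codes outside the baseline, register ranges outside the baseline, and malformed frames. The hosts, register ranges and frames are constructed for the demonstration; the Modbus function codes and frame layout are the standard ones.

```python
"""Deny-by-default filter for Modbus/TCP requests reaching a controller.

Constructed example: the baseline says what each known host is allowed to ask
for; anything not explicitly listed is refused and the reason is recorded.
"""
import struct
from dataclasses import dataclass

# Standard Modbus function codes (values from the Modbus application protocol spec)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class Rule:
    """One permitted operation: a function code over an inclusive register range."""
    function: int
    first: int
    last: int


# Constructed baseline of "normal operations": which known host may do what.
# Anything not listed here is refused, which is the zero-trust/allowlist idea.
BASELINE = {
    "10.1.20.5": (Rule(READ_HOLDING_REGISTERS, 0, 99),      # HMI workstation
                  Rule(WRITE_SINGLE_REGISTER, 40, 49)),     # may adjust 10 setpoints
    "10.1.20.9": (Rule(READ_HOLDING_REGISTERS, 0, 99),),    # historian, read-only
}


def parse_request(frame: bytes) -> dict:
    """Decode a Modbus/TCP request into its function code and the register range it touches.

    Raises ValueError for anything that is not a well-formed frame, so malformed
    input is refused rather than guessed at.
    """
    if len(frame) < 8:
        raise ValueError("frame too short")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])  # MBAP header
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    pdu = frame[8:]
    if function in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 4:
            raise ValueError("bad PDU length")
        address, second = struct.unpack(">HH", pdu)
        count = second if function == READ_HOLDING_REGISTERS else 1  # fc 6 writes one register
    elif function == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 5:
            raise ValueError("bad PDU length")
        address, count, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * count or len(pdu) != 5 + byte_count:
            raise ValueError("byte count does not match register count")
    else:
        # Unknown or unsupported function: report it with no range so the policy
        # check refuses it explicitly instead of silently passing it through.
        return {"unit": unit, "function": function, "first": None, "last": None}
    if count < 1:
        raise ValueError("zero-length register range")
    return {"unit": unit, "function": function, "first": address, "last": address + count - 1}


def evaluate(source_ip: str, frame: bytes) -> tuple:
    """Return ("allow", reason) or ("deny", reason) for one request from one host."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return ("deny", f"malformed request: {exc}")
    rules = BASELINE.get(source_ip)
    if rules is None:
        return ("deny", f"unknown host {source_ip}")
    fc = f"0x{req['function']:02x}"
    if req["first"] is None:
        return ("deny", f"function {fc} is not part of normal operations")
    span = f"registers {req['first']}-{req['last']}"
    for rule in rules:
        if rule.function == req["function"] and rule.first <= req["first"] and req["last"] <= rule.last:
            return ("allow", f"function {fc} {span} within baseline")
    return ("deny", f"function {fc} {span} outside baseline for {source_ip}")


# Constructed frames (MBAP header + PDU), made up for the demonstration.
HMI_READ_10 = bytes.fromhex("0001 0000 0006 01 03 0000 000a")          # read registers 0-9
HISTORIAN_WRITE_40 = bytes.fromhex("0002 0000 0006 01 06 0028 0001")   # write register 40
HMI_WRITE_50 = bytes.fromhex("0003 0000 0006 01 06 0032 0001")         # write register 50
HMI_WRITE_MULTI = bytes.fromhex("0004 0000 000b 01 10 0028 0002 04 0001 0002")  # fc 16, 40-41
TRUNCATED = bytes.fromhex("0005 0000 0006 01 03 0000")                 # header claims 6 bytes, 4 follow


def run_demo() -> list:
    """Run the constructed cases through the filter and return (host, verdict, reason) rows."""
    cases = [
        ("10.1.20.5", HMI_READ_10),
        ("10.1.20.9", HISTORIAN_WRITE_40),
        ("10.1.20.5", HMI_WRITE_50),
        ("10.1.20.5", HMI_WRITE_MULTI),
        ("192.168.1.50", HMI_READ_10),   # e.g. a staff laptop that is not in the baseline
        ("10.1.20.5", TRUNCATED),
    ]
    results = [(src, *evaluate(src, frame)) for src, frame in cases]
    for src, verdict, reason in results:
        print(f"{verdict:5} {src:13} {reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

Only the first case is allowed; the other five are refused for different reasons (read-only host attempting a write, setpoint outside the permitted range, a function code the baseline never lists, an unlisted host, a frame whose header disagrees with its length). This is also the trade-off Lovatt mentions: a legitimate change, say letting the HMI write register 50, means editing the baseline first.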
Colonial Pipeline attack shows threat is real
Brett Callow, a threat analyst with Emsisoft, an NZ-based company that helps victims decrypt systems hit by ransomware, agrees that the threat to critical infrastructure is ominous and growing.
"As the Colonial Pipeline incident demonstrated, ransomware represents a very real risk to operational technology and industrial control systems," he tells the Herald.
"Even if ICS is not specifically targeted in a particular attack, it may nonetheless be impacted. Organisations, especially critical infrastructure providers, should ensure that best practices have been rigidly adhered to and that OT [operational technology] and IT are segmented.
"Organisations should also plan for the worst and ensure ICS can continue to be operated in the event of IT being compromised and unavailable," Callow said.
The subtle differences
The threat to ICS [industrial control systems] from ransomware is real but is subtly different to ransomware in the world of regular Windows-based business systems, says Jeremy Jones, head of cybersecurity for Theta.
"Firstly, industrial control systems are way down the hierarchy of operational technology - known as the Purdue model - and often run on proprietary software [that is, custom-made or niche software, not Windows]," the ex-RAF officer and UK Ministry of Defence advisor said.
"This makes attacking them directly quite hard. Such an attack would probably be a highly targeted one by a determined adversary using specifically designed malware.
"We have seen this before with the cyber attack against Iranian uranium enrichment facilities at Natanz and although this wasn't a ransomware attack, it required detailed knowledge of those specific industrial control systems."
Iran claimed the hack, which occurred in April this year and led to a blackout within hours of the country's uranium enrichment centrifuges being spun up, was the result of infiltration orchestrated by a state actor - namely, Israel (in the same manner that the US, allegedly, used the Stuxnet worm to target Iranian nuclear plants a decade ago). No state claimed responsibility for the attack.
"A more likely attack is higher up the hierarchy against what is known as the 'Human Machine Interface' or HMI," Jones said.
"This is typically in a control centre where human operators supervise the wider industrial process - for example, electricity generation or manufacturing."
The computers there are more likely to be standard Windows or Linux workstations which we have seen can be relatively easily damaged with ransomware, Jones said.
By disrupting the HMI layer, an attacker could effectively require the industrial control systems below it to be shut down for safety reasons.
"This is broadly what happened in the Colonial Pipeline cyber attack," Jones said.
"They couldn't be sure of the integrity of the pipeline operation so it was shutdown."
NZ systems exposed
Jones sent the Herald screen grabs of two industrial control systems connected to the internet.
One was a monitoring system for a petrol station.
"It's fairly benign; with a bit of prodding someone may be able to do a bit more than 'monitoring', especially if they haven't changed their default passwords to the ICS system," Jones said.
The other was a refrigeration unit somewhere in New Zealand that was connected to the internet.
"They've been very helpful and put the username and password in the text," Jones said.
"Honestly, we make it pretty easy for cyber adversaries sometimes so it's no surprise the world is alight with cyber attacks."
The tech skills squeeze is an ongoing problem for all NZ tech companies, First Watch's Lovatt said.
To help top up the funnel and get more people interested in the industry, Waikato University is staging the NZ Cyber Security challenge this weekend, with support from the NZ Police cybercrime unit and private security companies Endace, Insomnia and Security Lit.
Around 150 contestants will try to solve a series of puzzles - no deep cybersecurity knowledge required - with the winner taking away a $1000 prize.
Registration (now closed) was open to all-comers, from secondary school and varsity students to anyone interested in trying their hand as a cybersleuth.