The cloak-and-dagger scenarios that swirl in the imagination when you hear of cyberattacks feel like new-world problems. But the first documented wireless hack occurred in 1903. Guglielmo Marconi, the Italian inventor and electrical engineer, was demonstrating his new wireless system, which he claimed could securely send messages over a long distance. To exhibit, Marconi planned to send a wireless message to a colleague who was giving a lecture 300 miles away at the Royal Institution in London. While the lecture was wrapping up, the wireless receiver sparked to life, and it appeared that Marconi’s claim was true. Upon closer inspection, the Morse-code printer repeatedly printed out the word “Rats” followed by a limerick: “There was a young man from Italy, who diddled the public quite prettily.” Marconi’s secure system had been hacked.
A few weeks after the incident, The Electrician, a London-based trade journal, ran an article documenting the breach.
“I should have thought that the theater which has been the site of the most brilliant lecture demonstrations for a century past would have been sacred from the attacks of a scientific hooliganism of this kind,” Marconi’s colleague said of the hack.
And therein lies the problem then and now: The assumption that systems and places are safe from attack.
This issue’s cover story, “Fight Back or Pay Up,” examines cybersecurity challenges several chemical companies face and their strategies to protect themselves.
Most cyberattacks are crimes of opportunity: someone found a back door into a facility through malware, passwords posted in public forums or simply poor physical security.
As the lead story points out, in the case of Colonial Pipeline — where hackers gained access to the company’s system and demanded a $4.4-million ransom in addition to tarnishing the company's name and interrupting the fuel supply chain (Colonial had to shut down its pipeline because its billing systems were stymied) — multifactor authentication could have helped prevent that incident. The attackers stole a password from a former employee.
A few years ago, I interviewed Eric Byres, professional engineer, ISA fellow and CEO of aDolus Technology Inc. and a source in this month’s story, for a podcast on cybersecurity. He noted that attackers generally fall into five classes: vandals, burglars/bank robbers, hoodlums, spies and saboteurs.
“They don't care if it's a pipeline or a food plant,” Byres says. “If it's got cash, they want the cash. Their techniques are going to be very bank robberish.”
Like Jesse James and his gang, the crew behind the pipeline hack held up the company for several days and caused gas prices to increase — all from one mismanaged password.
Joseph Blount, Colonial’s then-president and CEO, told The Wall Street Journal why he handed over the ransom. "It was the right thing to do for the country." Adding, "I know that's a highly controversial decision."
There was a literal silver lining in all of this. The Public Relations Society of America awarded Colonial the Silver Anvil Award of Excellence for its communication response during the siege.
For the Marconi hack, the hooligan was a saboteur named Nevil Maskelyne. Maskelyne was a competitor of Marconi’s and was involved in a few patent disputes with him. The temptation to sully his rival's reputation was too good to pass up. He noted in The Electrician article, “Personally, I am quite satisfied with the results obtained. And when it is complained that my action in the matter resembles ‘getting in at the back door,’ I merely rejoin that the fault lies with those who had not left the front door open.”
While Marconi survived the Morse-code fiasco, he certainly learned his lesson on ensuring security for future hackers. It behooves your facility to check all the doors before the vandals, burglars/bank robbers, hoodlums, spies and saboteurs start rattling the knobs.
