San Francisco’s Municipal Railway (MUNI) riders got to ride for free over the last weekend (Nov 25th-26th), after what appears as a ransomware hit the agency’s payment system. The alleged attack sought $73,000 in ransom for stolen city data.

“Personal information of MUNI customers were not compromised as part of this incident,” Paul Rose, a spokesperson for the San Francisco Municipal Transit Authority (SFMTA), said Monday. “We’ve never considered paying the ransom,” he added, “because we have in-house staff capable of recovering all systems, and we’re doing that now.”

Despite Rose’s guarantee, the alleged malware attacker issued a new threat to MUNI via news agencies claiming customer data was compromised.

Regardless of which side of the story is bluffing, the MUNI attack is yet another example of how fragile our daily lives are when malware moves from the virtual world into the physical world.

In this case, the attackers said they are not attempting to gain control of train operations – but what if they would? How difficult would it have been for an attacker to recreate the 1994 movie – “Speed”, where instead of a bus being held hostage by a bomber, there were an attacker controlling a speeding train full of frightened passengers threatening to derail it if his demands are not met?

Well, apparently a similar case already happened in the city of Lodz, Poland in 2008 when a Polish teenager allegedly turned the tram system in the city into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.

Why are these attacks possible? How difficult is it for attackers to succeed in the next physical attack? And what does IoT (Internet of Things) have to do with this?

One of the reasons the move to the physical worlds is easier than one would expect has to do with something called ICS – Industrial Control Systems.

So what is ICS?

ICS is around us and most days we do not even notice; supplies the water when we turn on the faucet and takes waste away when we flush the toilet, powers our lights and electronics, ensures our aircraft run on time and do not collide mid-air, dispatches our emergency services and ship cargo around the world by sea, land, and air.  It even ensures that our traffic flows smoothly, automates manufacturing and helps manage natural resources.

ICS is the backbone of our nation’s economy, security and health.

So what’s the problem then?

Well, this comes down to how these ICS systems were designed – and more importantly – when they were designed. Many of these systems are legacy systems using old operating systems which are not supported anymore (Windows 2000, Windows XP, DOS). These systems also include small dedicated computers called PLCs – Programmable Logic Controllers, which use special protocols which were not designed with security in mind – and therefore are vulnerable.

In the MUNI case, the alleged attacker wrote they gained access through a Windows 2000 PC server at the SFMTA.

And what has IoT to do with this?

Well, apparently history repeats itself when it comes to security. In the hasty process to come out with the next cool device, security is almost always left behind. The focus is first on innovation, and “we’ll deal with security later”.

Earlier this past October, a massive Internet attack against large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders.

It’s already happening.

We cannot afford to handle security “later.” Later is now. Cyber security should be an essential part of any new device coming into the market, and older systems MUST be protected with state of the art “threat prevention” techniques which can protect them from inherent vulnerabilities.

ICS, IoT must be one step ahead of the attackers, or else it’s not only our virtual life which will be at risk. It’s our physical life too.