Could a roller coaster be the target of a cyberattack? The short answer is “yes”, and the same goes for other theme park rides, public amusements and attractions. With a significant need to ensure public safety, theme park attractions can be considered a form of critical infrastructure that relies on industrial control systems (ICS) to operate effectively, similar to those found in transportation systems, power generation and transmission, water supply and treatment and other industries. In the case of theme park rides, the controllers, sensors and I/O devices are often mounted on the rides themselves and are less interconnected, but cyber risks still exist.
While this article discusses theme park rides and attractions in general, it is interesting to note that research conducted in 2016 shows that the most desired attraction, for the majority of amusement and theme parks across the globe, was a roller coaster (Ref 1.) so they are somewhat emblematic of theme parks overall.
Traditionally, many of the control networks that underpin theme park rides have been isolated or in the form of some kind of darknet and therefore regarded as impervious to the outside world. With the need to undertake remote diagnostics, systems management and reporting, however, these networks are becoming increasingly interconnected, and with that comes heightened exposure to external access. The risk is further exacerbated by COVID-19 and the resulting travel restrictions, which have necessitated more remote access by vendors than might ordinarily be expected.
This article is not intended to be alarmist but rather, to draw attention to an area of public entertainment that is not normally mentioned alongside cybersecurity and to bring the appropriate focus on risk management.
Cybersecurity best practices including awareness, monitoring and response are just as important at theme parks as they are in other industries. Human safety is paramount for a theme park and the risk to the operator’s reputation is significant should an adverse event occur. Even a short delay to the operation of a major ride creates a negative perception in the mind of the public irrespective of whether it is a cyber-related outage or a mechanical breakdown.
While it is difficult to gauge the actual number of cyberattacks on theme parks around the world, the fact that many ICS systems are not inherently secure is cause for heightened awareness. Figure 2 below shows the number of reported incidents for different critical infrastructure networks and industry types for process control, industrial automation or SCADA systems between 1982 and 2014. It should be noted that, based on reports in the data set, the industry type “Other” includes facilities such as roller coasters, amusement park rides, hospitals, emergency services and military.
In the constant quest to deliver ever-more exciting rides, designers incorporate sophisticated automation systems within the ride. In theme parks and industry more generally, there is a growing adoption of intelligent automation and control systems and while this no doubt contributes to a ride’s physical safety, it potentially opens up vectors for cyberattack.
Stuxnet, a malicious computer worm first seen in 2010, specifically targets programmable logic controllers (PLC) which facilitate the automation of electromechanical processes such as those used to control machinery for factory assembly lines and the hydraulics and other operational equipment used in amusement park rides.
In considering theme park cybersecurity and risk, it is important to be mindful of the typical vulnerabilities that exist within the park’s environs. These include:
Like other forms of critical infrastructure, we recommend that cybersecurity threat and anomaly detection systems be incorporated into the internal, or external Security Operations Centres (SOC) at theme parks to monitor any technical systems that allow remote access and/or internet-connectivity. This may include certain rides and other park infrastructure (for example, Building Management and Access Control systems). Such systems can also monitor and alert on internal anomalies within the underlying networks.
Data diodes, which are small network security appliances, might also be considered for segmenting networks and restricting access to critical systems. Data diodes are used extensively within the critical infrastructure world to segment operational technology (OT) networks from corporate IT networks. These devices enable management reporting and diagnostic information to be extracted from operational systems while mitigating the risk of inbound cyberattacks.
The large number of staff and contractors working in a theme park also presents risk, and we suggest that effective cybersecurity coverage also considers Badge Card Access Systems for vendors, not only guests. Cyber threats may not only come from external sources. Staff and vendors with access to critical systems can cause damage – either with malicious intent or in performing activities without the appropriate skills and experience.
Again, threat monitoring systems can be put in place to alert operators when events such as firmware updates or configuration changes are made to operational devices and assets. This is highly recommended in situations where the operator has a high dependency on third party contractors. Secure remote access (SRA) systems are available that ensure those who access your network remotely are verified and use a secure connection with the ability for the operator to log activities performed and even capture video of the session.
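As an added illustration of the monitoring described above (example code written for this page, not taken from any vendor's product), the sketch below goes one step further than alerting on every change: it correlates firmware-update and configuration-change events with the secure remote access session log and flags only changes that no verified session accounts for. The asset names, users, log format and field names are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumed format, not from a real park or product).
# SRA session log: which verified user was connected to which asset, and when.
SRA_SESSIONS = [
    {"user": "vendor-a", "asset": "ride1-plc",
     "start": "2021-03-02T09:00:00", "end": "2021-03-02T10:00:00"},
    {"user": "vendor-b", "asset": "ride2-hmi",
     "start": "2021-03-02T13:00:00", "end": "2021-03-02T13:30:00"},
]

# Change events from OT monitoring, one per line: time asset event_type actor
CHANGE_EVENTS = """\
2021-03-02T09:15:00 ride1-plc firmware_update vendor-a
2021-03-02T11:40:00 ride1-plc config_change vendor-a
2021-03-02T13:10:00 ride2-hmi config_change unknown
2021-03-02T13:20:00 ride2-hmi login vendor-b
2021-03-02T13:25:00 ride2-hmi config_change vendor-b
"""

WATCHED = {"firmware_update", "config_change"}


def parse_events(text):
    """Parse event lines, skipping any line that does not have four fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, asset, kind, actor = parts
        events.append({"time": datetime.fromisoformat(ts), "asset": asset,
                       "kind": kind, "actor": actor})
    return events


def covered_by_session(event, sessions):
    """True if the same actor had a verified session on that asset at that time."""
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        end = datetime.fromisoformat(s["end"])
        if (s["user"] == event["actor"] and s["asset"] == event["asset"]
                and start <= event["time"] <= end):
            return True
    return False


def find_alerts(text=CHANGE_EVENTS, sessions=SRA_SESSIONS):
    """Return watched change events that no verified SRA session accounts for."""
    return [e for e in parse_events(text)
            if e["kind"] in WATCHED and not covered_by_session(e, sessions)]


if __name__ == "__main__":
    for e in find_alerts():
        print(f"ALERT {e['time'].isoformat()} {e['asset']} {e['kind']} by {e['actor']}")
```

On the constructed data this flags the configuration change made after vendor-a's session had ended and the one made by an unidentified actor, while changes made inside a verified session pass.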
Visitor Enrolment and Vendor Authentication systems that enable the operator to check visitors and their identification documents against a variety of watchlists are also a prudent consideration to enhance physical security. These systems are common in casinos and at the entry point to other critical infrastructure and provide an automated way of scanning and checking the backgrounds of visitors and personnel coming to site and the integrity of their identification documents.
Automated entry and access control systems comprise software, ID readers, cameras, badging and training to enable the operator to monitor visitors, staff and others entering their facilities. Such access control systems should be customizable to individual requirements and can function as a standalone or optionally be integrated into existing security or building access systems.
The Department of Homeland Security also recommends the following cybersecurity measures (Ref 3.):
While the risk of a major cyberattack on a theme park ride is relatively low (notwithstanding the fact that reliable statistics are hard to come by), the impact of such an attack if successful is significant. As we have seen, industrial control systems when connected to the outside world have the potential to be externally manipulated or compromised and with the increasing move towards more remote vendor access to critical networks, there is clearly a need to reassess the level of cyber risk exposure. It is hoped therefore that this article serves as a timely reminder to make this risk assessment and ensure that the appropriate mitigations are in place.
DDE Technology has considerable experience advising customers and deploying cybersecurity software and hardware solutions including threat monitoring systems and site entry authentication solutions for industrial, IoT and ICT domains across a range of industries including power generation and transmission, water supply and treatment, aviation, casino resorts, defence, oil and gas and banking and finance. Contact us to learn more about our cybersecurity solutions and industry experience.