Stink ‘n Haul, a garbage hauling company, transports garbage between states on behalf of government entities.
Its “self-driving” trash barges were built with remote override capability for “safety.” Because of this IoT(rash) capability and one human on each barge, the company tells its investors that accident risk and litigation risk are low.
The company is a public company and one of three dominant haulers in its market. No officers or directors inquire regularly about security in meetings.
The company does not have a dedicated security team; they have a small IT team that “does security” and patches some of the systems, some of the time. Regular threat modeling does not happen. The IT team has been asking for new budget and claims it is inadequately resourced and understaffed.
The company’s slogan is “Be trashy! Our cyberbarges keep it safe!” and ads feature raccoons putting garbage into a safe with blinking lights floating in a swimming pool. The security budget is less than 1% of the marketing budget.
A Stink ‘n Haul trash barge named The Putrid operates along the Atlantic coast. It lacks patched endpoint protection and is staffed by Saul Notgoodman, a captain with a history of accidents and drinking on the job. One remote shore attendant monitors The Putrid along with 12 other barges at the same time.
Attackers exploit a CVSS 7.0 vulnerability in the navigation system. The vulnerability has been known for over a year, and there are exploits in the wild. The attackers send the barge off course. Neither Saul nor the remote attendant notices.
The Putrid crashes into a container ship carrying thousands of rubber duckies full of pink soap, which now float in a harbor, causing a soap bubble fiasco that kills wildlife (including some that is threatened), stops commercial traffic into the harbor, and may impact local drinking water. Tons of garbage from The Putrid are dumped into the harbor.
WHO SHOULD PAY FOR WHAT HARM?
SHOULD ANYONE BE CRIMINALLY RESPONSIBLE?