Utilities and industrial equipment
Computer systems are universally employed throughout all telecommunication companies, the national power grids, water and gas systems, and even nuclear power plants and due to the fact that the internet is the primary potential attack vectors through which cyber-criminals move, all of these institutions are at constant risk of being hacked.
However, in section “4. Malicious Software” the Stuxnet worm and its successors were shown to even affect devices not connected to the Internet.
In 2014, the Computer Emergency Readiness Team, a division of the Department of Homeland Security, investigated 79 hacking incidents at different U.S. energy companies. Vulnerabilities in smart meters (many of which use local radio or cellular communications) can cause problems with billing fraud.
At present, the vast majority of industries, governments and people invariably use and heavily rely upon complex computer systems, all of which are susceptible to cyber-attacks of dissimilar severity.
Financial systems
The computer systems and digital infrastructure of both commercial and investment banks, financial regulators and all other types of financial institutions like the U.S. Securities and Exchange Commission (SEC) or Society for Worldwide Interbank Financial Telecommunication (SWIFT), are prominent hacking targets for cyber criminals interested in effectively manipulating the markets to making illicit gains.
Websites, apps and certain micro-financial structures which store credit card details, bank account information and brokerage data in their digital repositories, no matter how sophisticated the encryption is, these online platforms are currently the biggest hacking targets due to the alluring potential of making immediate financial gain from transferring money, making purchases, or selling the information on the black market.
Last but foremost, numerous in-store payment systems around the world, such as ATM machines, have been hacked and are currently a prominent target for cyber-criminals.
Aviation
It’s self-evident that the aviation industry is largely dependent on a series of highly sophisticated computer systems which, regardless of air proximity, can also be attacked.
If not the case of a targeted aircraft attack, then the repercussions of a simple power outage at any given airport can be devastating, even at a global scale. The vast majority of the aviation’s communication system relies on radio transmission which could easily be disrupted, and controlling aircraft over oceans is especially dangerous because radar surveillance only extends 175 to 225 miles offshore.
The consequences of successful aviation cyber-attack can range from airplane damage to numerous casualties.
In Europe, with the (Pan-European Network Service) and NewPENS, and in the US with the NextGen program, air navigation service providers are moving to create their own dedicated networks.
Consumer devices
Another extremely common target for cyber-criminals are personal and home devices, such as laptops, desktop computers, phones and tablets which store passwords and other sensitive financial information.
Wearable devices, such as smartwatches, activity trackers and even smartphones who contain sensors such as compasses, accelerometers, cameras, microphones and GPS receivers could be exploited to gain leverage on private information, including sensitive health-related data.
Wi-Fi, Bluetooth, and cell phone networks on any of these devices could be used as attack vectors, and sensors might be remotely activated after a successful breach.
Large corporations
All large corporations are common targets. The attacks are almost always aimed at financial gain either through identity theft or data breaching.
The quintessential example of cyber-attacks aimed at large corporations are the Home Depot, the Staples, the Target Corporation, and Equifax cyber-attacks.
Nevertheless, not all attacks are financially motivated. In 2011, the hacktivist group Anonymous retaliated, attacked and incapacitated the entire computer network of the security firm “HBGary Federal”, only because the security firm claimed they have infiltrated the anonymous group.
In 2014, Sony Pictures were attacked and their data was leaked with the motive being only to cripple the company by exposing their upcoming projects and wiping all workstations and servers.
A certain percentage of online attacks are carried out by foreign governments, which engage in cyber warfare with the intent to spread their propaganda, sabotage, or spy on their targets.
Last but foremost, medical records have been targeted in general identify theft, health insurance fraud, and impersonating patients to obtain prescription drugs for recreational purposes or resale.
Additionally, medical devices have either been successfully attacked or had potentially deadly vulnerabilities demonstrated, including both in-hospital diagnostic equipment and implanted devices, including pacemakers and insulin pumps. There are many reports of hospitals and hospital organizations getting hacked, including ransomware attacks, Windows XP exploits, viruses, and data breaches of sensitive data stored on hospital servers. On 28 December 2016 the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of Internet-connected devices – but no structure for enforcement. Although cyber threats continue to increase, 62% of all organizations did not increase security training for their business in 2015.
Automobiles
Vehicles are increasingly computerized, with engine timing, cruise control, anti-lock brakes, seat belt tensioners, door locks, airbags and advanced driver-assistance systems on many models. Additionally, connected cars may use Wi-Fi and Bluetooth to communicate with onboard consumer devices and the cell phone network. Self-driving cars are expected to be even more complex.
All of these systems carry some security risk, and such issues have gained wide attention. Simple examples of risk include a malicious compact disc being used as an attack vector, and the car's onboard microphones being used for eavesdropping. However, if access is gained to a car's internal controller area network, the danger is much greater – and in a widely publicized 2015 test, hackers remotely carjacked a vehicle from 10 miles away and drove it into a ditch.
Manufacturers are reacting in a number of ways, with Tesla in 2016 pushing out some security fixes "over the air" into its cars' computer systems.
In the area of autonomous vehicles, in September 2016 the United States Department of Transportation announced some initial safety standards, and called for states to come up with uniform policies.
Government
Government and military computer systems are commonly attacked by activists and foreign powers. Local and regional government infrastructure such as traffic light controls, police and intelligence agency communications, personnel records, student records, and financial systems are also potential targets as they are now all largely computerized. Passports and government ID cards that control access to facilities which use RFID can be vulnerable to cloning.
Internet of things and physical vulnerabilities
The Internet of things (IoT) is the network of physical objects such as devices, vehicles, and buildings that are embedded with electronics, software, sensors, and network connectivity that enables them to collect and exchange data and concerns have been raised that this is being developed without appropriate consideration of the security challenges involved.
While the IoT creates opportunities for more direct integration of the physical world into computer-based systems, it also provides opportunities for misuse. In particular, as the Internet of Things spreads widely, cyber-attacks are likely to become an increasingly physical (rather than simply virtual) threat. If a front door's lock is connected to the Internet, and can be locked/unlocked from a phone, then a criminal could enter the home at the press of a button from a stolen or hacked phone. People could stand to lose much more than their credit card numbers in a world controlled by IoT-enabled devices. Thieves have also used electronic means to circumvent non-Internet-connected hotel door locks.
Energy sector
In distributed generation systems, the risk of a cyber-attack is real. An attack could cause a loss of power in a large area for a long period of time, and such an attack could have just as severe consequences as a natural disaster. The District of Columbia is considering creating a Distributed Energy Resources (DER) Authority within the city, with the goal being for customers to have more insight into their own energy use and giving the local electric utility, PEPCO, the chance to better estimate energy demand. The D.C. proposal, however, would "allow third-party vendors to create numerous points of energy distribution, which could potentially create more opportunities for cyber attackers to threaten the electric grid.