Could a roller coaster be the target of a cyberattack? The short answer is “yes,” and the same is true of other theme park rides, public amusements and attractions. With a significant need to ensure public safety, theme park attractions can be considered a form of critical infrastructure that relies on industrial control systems (ICS) to operate effectively, similar to those found in transportation systems, power generation and transmission, water supply and treatment, and other industries. In the case of theme park rides, the controllers, sensors and I/O devices are often mounted on the rides themselves and are less interconnected, but cyber risks still exist.
While this article discusses theme park rides and attractions in general, it is interesting to note that research conducted in 2016 shows that the most desired attraction, for the majority of amusement and theme parks across the globe, was a roller coaster (Ref 1), so roller coasters are somewhat emblematic of theme parks overall.
Traditionally, many of the control networks that underpin theme park rides have been isolated, or in the form of some kind of darknet, and therefore regarded as impervious to the outside world. With the need to undertake remote diagnostics, systems management and reporting, however, these networks are becoming increasingly interconnected, and with that comes heightened exposure to external access. The risk is further exacerbated by COVID-19 and the resulting travel restrictions, which have necessitated more remote access by vendors than might ordinarily be expected.
This article is not intended to be alarmist, but rather to draw attention to an area of public entertainment that is not normally mentioned alongside cybersecurity and to bring the appropriate focus on risk management.
Cybersecurity best practices, including awareness, monitoring and response, are just as important at theme parks as they are in other industries. Human safety is paramount for a theme park, and the risk to the operator’s reputation is significant should an adverse event occur. Even a short delay to the operation of a major ride creates a negative perception in the mind of the public, irrespective of whether it is a cyber-related outage or a mechanical breakdown.
While it is difficult to gauge the actual number of cyberattacks on theme parks around the world, the fact that many ICS systems are not inherently secure is cause for heightened awareness. Figure 2 below shows the number of reported incidents for different critical infrastructure networks and industry types for process control, industrial automation or SCADA systems between 1982 and 2014. It should be noted that, based on reports in the data set, the industry type “Other” includes facilities such as roller coasters, amusement park rides, hospitals, emergency services and military.