In March, U.S. agencies warned that Russia government actors were targeting U.S. critical infrastructure in widespread attacks aimed at securing a foothold in the most sensitive networks.
The attackers were using spear-phishing emails and watering-hole attacks to compromise victims’ computers. If they gained a foothold, they next conducted network reconnaissance, gathered user names and passwords, and exploited additional hosts, according to an alert published by the U.S. Department of Homeland Security and the Federal Bureau of Investigation.
The agencies warned infrastructure providers that the infiltration by Russian government hackers should be as a first step toward preparing to wreak havoc to cause economic damage to the United States.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber-actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” the two agencies stated in a join alert in March. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems.”
As critical systems become increasingly connected to the internet, the risk and impact of a cyber-attack on the physical infrastructure—a so-called cyber-physical attack—have both grown. In many cases, the operational networks that connect the digital world to the physical world contain older—and thus, more vulnerable and harder to update—technology.
“When we talk about critical infrastructure, that is not just the electric grid, but everything else in the world run on industrial networks,” said Galina Antova, co-founder and chief of business development for Claroty, a security provider for operational networks. “From a cyber-security posture perspective, because of the legacy systems running on those networks, they are actually quite behind the security for IT networks.”
This vulnerability has already been demonstrated repeatedly. Ukrainian power grids have already been shut down by Russian attackers. Hospital operations have been hobbled by ransomware attacks. Manufacturers and shipping firms have suffered stoppages due to ransomware. And hackers have flooded wetlands with sewage and caused a steel mill to shut down, damaging the furnace.
“Whether we like it or not, we live in a connected world,” said Mounir Hahad, head of the threat labs at Juniper Networks. “This means that the cyber-attack surface is constantly growing and becoming more intertwined with the physical world. In addition, political instability around the world and the difficulty of definitive attribution have created a fertile ground for offensive cyber capabilities to be exercised with relative impunity.”
Here are five incidents that show the potential for chaos that cyber-attacks could have on physical systems.
1. Attacks on Ukraine power grid
A number of countries have focused on gaining a foothold in the power grids of rival nations. Two recent successful attacks were linked to Russia and affected Ukrainian power generation companies, causing significant outages in that country.
In December 2015, cyber-attackers used their foothold in Ukraine’s energy networks to shut down three power distribution companies, known as “oblegnergos,” resulting in 225,000 customers losing power in mid-winter. While the attackers disrupted the power companies’ attempts to investigate the attacks, the outage only lasted a few hours.
A year later, attackers hit Ukrainian energy companies again, blacking out part of the city of Kiev for about an hour.
Little wonder, then, that a survey of 151 security professionals in the energy sector found that 70 percent were worried about “catastrophic failures” hitting their networks.
“Energy companies have accepted the reality that digital threats can have tangible consequences,” Tim Erlin, vice president of product management and strategy at Tripwire, said in a statement. “This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so.”
2. WannaCry and NotPetya ransomware attacks
In 2017, two widespread ransomware attacks, WannaCry and NotPetya, caused significant losses to international businesses. WannaCry, which struck in May 2017, disrupted systems at hospitals and clinics in the United Kingdom, leading to more than 20,000 canceled appointments and shutdown factories of auto manufacturer Renault in France.
Less than two months later, a ransomware attack known as NotPetya compromised a number of large, multinational firms, cause hundreds of millions of dollars in losses. FedEx estimated that the disruption caused $300 million in damages, while drug maker Merck estimated that the attack cost it $135 million in lost sales and $175 million in damages for a single quarter, and it expected the final tally would double those damages overall.
With an increasing number of business-critical systems connected to the internet, attacks such as ransomware will have an increasingly real impact on businesses.
“Attacks like NotPetya are dangerous because they can spill over into business and industrial networks,” said Claroty’s Antova. “The malware can make its way across these boundaries causing damage as a side effect.”
3. The father of cyber-physical attacks: Stuxnet
The United States and Israel kicked off the race to turn cyber-attacks into real world damages when the two countries collaborated on Stuxnet, an attack that used a foothold into Iran’s nuclear processing facilities to overload the centrifuges needed to refine uranium. The effort paid dividends by delaying Iran’s nuclear ambitions by four years, according to the head of Israeli’s intelligence agency.
The attack, however, demonstrated to the world the scale of physical damage cyber-attacks could inflict on industrial networks. In only a few years, Iran compromised systems at Saudi Aramco—the state-owned oil producer of its regional rival in the Middle East, Saudi Arabia—encrypting thousands of hard drives. In 2017, similar code attacked Sadara, a joint chemical partnership between Aramco and Dow Chemical. In August 2017, another attack targeted a firm in Saudi Arabia and could have caused an explosion, except for an error in the code.
The attack “crossed a new line because its intent was to cause an explosion in the plant,” said Juniper’s Hahad.
4. Foul play at Australian water treatment plant
Foreshadowing many of the types of attacks we see today, a disgruntled consultant’s attack on Maroochy Shire’s water treatment and waste management facility in Queensland, Australia in the early months of the year 2000, took control of the operational network to dump millions of liters of sewage into the local parks and rivers.
The consultant, Vitek Boden, used a wireless network to connect to the facility’s supervisory control and data acquisition devices to take control of some 140 pumping stations in one of the first compromises of a critical-infrastructure network. Boden was later sentenced to 2 years in prison for the hacking spree.
“Marine life died, the creek water turned black and the stench was unbearable for residents,” Janelle Bryant, investigations manager for the Australian Environmental Protection Agency, said at the time.
5. “Massive damage” at a German steel mill
In another compromise of an operational system, attackers used phishing emails to gain access to operational systems at a steel mill in Germany in 2014, according to report released by German’s Federal Office of Information Security. The attackers had familiarity with the systems and were technically adept, suggesting that they were likely nation-state actors.
Once inside the operational network, the attacker caused the plant’s control network to fail, and the company—which the German agency did not name—had to perform an emergency shutdown that caused significant damage.
With other nations targeting industrial and critical infrastructure, companies have to take a more proactive stance on cyber-defense, Claroty’s Antova said.
“I don’t think that the government can do much, other than what they are currently doing, which is incident response,” she said. “I think what is already happening in the right move—companies need to defend their own networks and improve security.”