From Ukraine Power Grid to German Steel Plant: Five Real Cases of Attacking Industrial Control Systems

Seventy percent of IT and operational technology (OT) professionals surveyed are concerned that cyber attacks could physically damage computer and industrial systems, damage that is not only expensive to recover from but, in the worst cases, can endanger lives.


In March 2018, U.S. agencies warned that Russian government actors were conducting a broad campaign against critical infrastructure in the U.S., aiming to establish a foothold in its most sensitive networks.

The attackers used spear-phishing emails and watering-hole attacks to compromise victims’ systems. According to the alert issued by the U.S. Department of Homeland Security (DHS) and the FBI, once the actors gain a foothold in a victim’s network they conduct reconnaissance, harvest credentials such as usernames and passwords, and pivot to additional hosts.

The agencies warned infrastructure operators that the intrusions should be read as groundwork for future disruption and economic damage in the U.S.

DHS and the FBI wrote in the March alert (TA18-074A): “DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems.”

As critical systems become increasingly connected to the internet, the risk and impact of cyber attacks on physical infrastructure, so-called “cyber-physical attacks”, keep growing. The operational networks that bridge the digital and physical worlds often run more outdated and legacy technology than corporate IT, which makes them both more vulnerable and harder to patch or replace.

Galina Antova, co-founder and business development head of operational network security provider Claroty, stated, “When we talk about critical infrastructure, it is not just the power grid, but everything that operates on industrial networks worldwide. From a cybersecurity perspective, these networks are often run on legacy systems, making their security quite fragile.”

This fragility has been demonstrated repeatedly in the real world. The Ukrainian power grid has been taken down by Russian attackers; hospital operations have been crippled by ransomware; manufacturers and transport companies have halted operations because of it; an insider has flooded parks and waterways with raw sewage; and an intrusion has forced a steel plant into an uncontrolled shutdown that damaged a blast furnace.

Mounir Hahad, head of the threat lab at Juniper Networks, stated, “Whether we like it or not, we live in an interconnected world. This means the attack surface for cyber attacks is constantly growing and intertwining more closely with the real world. Furthermore, the political instability around the globe and the difficulty of clear attribution provide fertile ground for offensive cyber capabilities to operate with relative impunity.”

Here are five typical cases of cyber attacks on industrial control systems:

1. Attack on the Ukrainian Power Grid

Some nation-state attackers aim to establish a foothold in rival countries’ power grids. The two most recent successful attacks of this kind have been linked to Russia; both disrupted Ukrainian power companies and caused outages for customers.

In December 2015, attackers used their foothold in Ukraine’s energy networks to shut down three regional distribution companies (known as oblenergos), leaving roughly 225,000 customers without power in midwinter. The attackers also hindered the utilities’ response, wiping operator workstations and flooding call centers with bogus calls, yet the outage lasted only a few hours because operators were able to restore power manually.

A year later, in December 2016, attackers struck again, this time at a transmission substation serving Kyiv, cutting power to parts of the city for about an hour.

It is not hard to see why a Tripwire survey of 151 security professionals in the energy sector found that 70% of respondents were concerned about “catastrophic failures” caused by cyber attacks.

Tim Erlin, vice president of product management and strategy at Tripwire, stated, “Energy companies have accepted the reality that digital threats can have real consequences. Moreover, this view may be exacerbated by some recent attacks aimed at affecting actual operations.”

2. WannaCry and NotPetya Ransomware Attacks

In 2017, two self-propagating ransomware outbreaks, WannaCry and NotPetya, caused exceptionally heavy losses worldwide. WannaCry, released in May 2017, hit hospitals and clinics of the UK’s National Health Service, forcing the cancellation of an estimated 19,000 appointments, and halted production at plants of French carmaker Renault.

Less than two months later, NotPetya (ransomware in appearance, but in practice a wiper, since the encrypted data could not be recovered even after payment) swept through many large multinationals, causing hundreds of millions of dollars in losses. FedEx put its cost at $300 million; pharmaceutical company Merck estimated about $135 million in lost sales plus roughly $175 million in costs for the quarter, and expected the total to roughly double by year’s end.

As more business-critical and operational systems are exposed to the internet, self-propagating attacks such as these will reach them more and more often.

Antova from Claroty stated, “Attacks like NotPetya are very dangerous because they can spread into commercial and industrial networks. As a side effect, malware may cross these boundaries and cause damage.”

3. The Father of Cyber-Physical Attacks: Stuxnet

Stuxnet, reportedly developed jointly by the U.S. NSA and Israeli military intelligence, was the first cyber attack shown to cause physical destruction in the real world. The malware is said to have been carried into Iran’s Natanz enrichment facility on a USB drive; once on a plant computer it spread through the internal network, reached the Siemens PLCs controlling the centrifuge cascades and repeatedly altered the rotor speeds while feeding operators normal-looking readings, destroying roughly a thousand centrifuges. The attack has been credited, by some accounts, with setting Iran’s nuclear program back by as much as four years.

The attack also showed the scale of physical damage cyber operations can inflict on industrial networks, and the other side soon answered in kind. Within a few years, Iran was blamed for the Shamoon attack on Saudi Aramco, the kingdom’s state-owned oil producer, which wiped (not encrypted) some 30,000 of the company’s hard drives. In early 2017, a new Shamoon variant hit Sadara, a chemical joint venture between Aramco and Dow Chemical. And in August 2017, another Saudi petrochemical plant was hit by malware, later named Triton (or Trisis), that targeted its Triconex safety instrumented system; a bug in the attackers’ code tripped the safety controllers and shut the plant down, which is likely all that prevented a far worse outcome such as an explosion.

Hahad from Juniper stated, “This attack once again crossed the line of cyber-physical attacks, as its goal was to detonate a plant rather than merely infect systems or steal intelligence.”

4. Maroochy Shire Sewage System Breach in Australia

In early 2000, the newly installed SCADA system of the Maroochy Shire sewage network in Queensland, Australia, began misbehaving: radio links dropped out, sewage pumps did not run as commanded, and alarms failed to report. The faults were first blamed on teething problems with the new system, but were later traced to deliberate sabotage by Vitek Boden, a former engineer with the contractor that had installed the system, who turned against it after the shire council rejected his application for a job.

Using a laptop running the SCADA software and a two-way radio, Boden issued commands over the network’s unauthenticated radio links to its roughly 140 sewage pumping stations. Over about three months he released an estimated 800,000 litres of untreated sewage into local parks, waterways and the grounds of a hotel, causing serious environmental damage. Boden was sentenced to two years in prison for the breach.

Janelle Bryant, investigations manager at the Queensland Environmental Protection Agency, said at the time, “This incident caused the death of a large amount of marine life, and the creek water turned black, with a stench that was unbearable for nearby residents and potentially endangered their health.”

5. German Steel Plant Suffers ‘Massive Damage’

At the end of 2014, Germany’s Federal Office for Information Security (BSI) published its annual report, “The State of IT Security in Germany 2014”, which disclosed a cyber attack on critical infrastructure that caused physical damage. The target was a steel plant in Germany, which was hit by a targeted, advanced persistent threat (APT) style intrusion. The attackers used spear-phishing emails and social engineering to gain access to the plant’s office network. According to the BSI, they showed advanced know-how not only in conventional IT security but also in the industrial control and production processes involved, a level of sophistication that led some observers to suspect a state-sponsored actor.

From the office network, the attackers worked their way into the plant’s production network. Individual control components and then entire systems began failing with increasing frequency, until a blast furnace could not be shut down in a controlled manner, leaving the plant with massive damage.

Antova of Claroty argues that as nation-state threat actors focus increasingly on industrial control and critical infrastructure systems, companies must adopt a more proactive defensive posture. She said, “We cannot rely entirely on the government, which can only respond to incidents and assist in investigations after they occur. We must take the right measures to defend our company’s network systems and strengthen their security proactively.”
