That’s the real, $64 question we’re all wondering, isn’t it? “Can cyber attacks break physical stuff?” And the answer is, yes. The fact that a cyber attack can have physical consequences is not exactly breaking news. It has happened a number of times over the years, and it goes farther back than you might think. Even back to the mid-eighties.
Stuxnet. Stuxnet was precedent-setting. It was one of the most complex pieces of malware ever created. Kaspersky Lab estimated that it took a team of 10 coders two to three years to create it.
By the time it became public in 2010, Stuxnet had caused the destruction of nearly a thousand of the centrifuges at Iran’s Natanz nuclear enrichment facility. This set back their nuclear program by at least 18 months.
Eventually, most reports ended up saying it’s “widely accepted” that Stuxnet is a cyber weapon created by Israeli and U.S. intelligence agencies.
It also crossed a line. Instead of being used merely to hack computers and steal the data on them, it was used to cause physical destruction. And boy did it.
Stuxnet was also significant because it got into the Natanz computers even though the systems were “air-gapped.” The attackers gained access by using USB thumb drives to plant the malware on the systems of third-party companies that had a connection to the Iranian nuclear program.
The malware caused the Iranian centrifuges to spin out of control and destroy themselves before anyone could react to prevent it.
Stuxnet was never intended to spread beyond Natanz. However, the malware did end up on internet-connected computers and began to spread to the outside world, thanks to an extremely sophisticated and aggressive design.
Pen Test Partners documented how easy it would be for a motivated hacker to capsize a cargo ship by hacking into its ballast pump controllers and causing them all to pump from port to starboard ballast tanks.
And Forbes reported recently on a couple of hackers in Italy who, armed with nothing but their laptops, prepared exploit code and radio hardware to transmit that code. Then, they took control of construction cranes, excavators, scrapers and other large machinery.
Another example of a cyber-threat turned physical is the BlackEnergy APT’s 2015 attacks against Ukraine, which damaged the country’s critical infrastructure. Recently, researchers identified a vulnerability in electric vehicle charging stations that could allow an attacker to adjust the maximum current that can be consumed during charging, which could result in a fire due to wires overheating.
The new reality
“There’s an acknowledgement among many organizations that this is a very real threat,” said Ali Neal, director of international security solutions at Verizon. Industrial and manufacturing businesses, he said, are looking at ways to isolate devices and segment their networks. But anyone using Internet of Things devices faces a problem.
“Developers need to ensure security is built in by design,” Neal said. “Software platforms need to be designed so these devices are secure from the get go.”
The threat posed by connected devices is pervasive. That’s because internet-connected devices are pervasive. Equipment that was once isolated, “air-gapped,” or simply not connected to anything, let alone the internet, now is. And as we’ve seen, even being air-gapped is no guarantee of safety. Connectivity is so cheap that it will soon be hard to buy unconnected devices.
Even more cheeringly, Gartner thinks that by 2025, hackers will have weaponized operational technology (OT) environments to “successfully harm or kill humans.”
Who’s most at risk?
Operational technology is the main target. That includes hardware and software that monitors or controls equipment, assets and processes. SCADA-type stuff. The idea is that control frameworks for actual things are infiltrated and used to cause harm. Businesses in manufacturing, resources and utilities are the ones that most need to pay attention.
The fact is, more than one in 10 data breaches now involve “physical actions,” according to a recent report. These include leveraging physical devices to aid an attack. But they also include hacks that involve breaking into hardware and remote attacks on physical infrastructure.
Experts emphasize many of the same safety measures we are already familiar with. Basic cyber-hygiene such as using strong passwords is important. So is minimizing the reuse of passwords. (A password manager can help with both.) Install software updates and patches ASAP. And turning on two-factor authentication for logins and backing up computers will go far.
And be on guard against phishing attacks, and avoid clicking links and attachments you didn’t expect to receive.
So, be careful out there, but don’t be afraid. Use common sense. And if you have any questions about any of this, email us or call Corporate Armor at 877-449-0458. With brands like Fortinet, Sophos, Check Point, Palo Alto and more, we have many weapons for your war against the IT threatscape, and we are ready and able to help! Thanks for reading!