The World is Getting Scarier

by Hank Berkley
Contributing Editor

This blog and most cyber security reporting have focused on the financial ramifications of breaches. We speak of loss of business, loss of customers, loss of reputation and direct loss of money; but over the last few years there has been a group of threats that have been uncovered which have much more serious consequences. These are cyber-attacks with physical outcomes. The motives may still be to achieve financial benefits, such as collecting a ransom or stealing intellectual property, but the collateral damage can be significantly worse.

The first known incident was in 2010 when the U.S. and Israeli governments were able to plant software known as Stuxnet in the control electronics in Iranian centrifuges and physically destroy them by having them spin out of control. Most people saw this as an interesting and sophisticated attack but did not see applicability in their own situations. That perception is beginning to change.

In 2013, a small dam in Rye, New York was hacked by people contracting for the Iranian government. For several reasons the attack failed, and had it succeeded the likely damage would have been limited because of the nature of the dam itself. Despite the size of the attack, the Bowman Avenue Dam incident brought into focus the soft infrastructure of the US. Although electric and water utilities had been talking about possible cyber attacks for several years, this made it more than an academic topic.

In 2014, an unknown group caused a furnace in a German steel mill to destroy itself when they were able to remotely override the safety controls. The following year 30 power plants in the Ukraine were shutdown by Russian hackers.

In 2017 security researchers were brought in to examine a large, middle east oil operation that had shutdown automatically when equipment appeared to have failed. The investigators ultimately found malware they named TRISIS in the older model Schneider Electric Triconex safety equipment. Fortunately, a software bug in the malware caused the system to trigger a failure, shutting down the operation. If it had not been detected, the perpetrators could have overridden safety controls with potentially tragic results.

The Trisis event demonstrated that even equipment that is not connected to the internet is susceptible to infection. In this case they believe that it likely started with something as simple as a phishing email that was able to place malware onto an engineer’s laptop.

More recently an Israeli security firm demonstrated software that took advantage of inherent security weaknesses in how MRI and CT scan equipment store images. They were able to make fake tumors appear and real growths vanish from pictures presented to radiologists and fooled the professionals almost all of the time.

Like the Triconex equipment, these imaging devices were not necessarily connected to the internet. In the feasibility test the software was installed by a person disguised as a repairman. (It was done with the permission of the hospital administration.)

A commonality among the cases cited here is that the equipment was older, designed and built at a time when security was not given the same level of consideration as it is today. Newer Triconex controllers and the documented procedures for handling them significantly reduce risks – but they are not eliminated. Newer infrastructure is designed with security in mind. But it is not likely that hundreds of billions of dollars of equipment will be replaced any time soon. This leaves us having to defend what is in place today.

What should you do? Understanding where vulnerabilities exist is always the first step. Then develop additional processes around those risks such as limiting physical access, logging all activity, requiring better identification for those using the equipment and working with manufacturers to be sure you have the safest configuration possible. As it happens these are the same steps that you should already be following around all of your resources. Its just that the costs of a failure might be higher.

If you didn’t take cyber security seriously before, this is a good time to reevaluate your position. These days it may be more than just an economic decision you are making when establishing a security budget.