
When code kills: The rise of kinetic cyberattacks
Have you seen the recent Netflix series “Zero Day,” starring Robert De Niro? (I’m only up to the fourth episode, so no spoilers, please.)
In case you haven’t, the plot centers on a massive cyberattack that affects basically every computerized system in the US. Everything gets turned off for one minute, then everything is restored. But the result is that thousands die, as planes and trains crash, industrial plants explode, and so on.
The real-world destruction and loss of life puts this imagined attack in the category of kinetic cyberattacks. And while the specific nature of the fictional attack—simultaneously bypassing every security strategy and affecting every type of operating system, from cell phones to industrial control systems—makes it extremely unlikely, the fact is that kinetic cyberattacks are on the rise.
And despite fifteen years having passed since the first kinetic cyberattack, experts warn that critical industrial and infrastructure systems remain insufficiently protected against such attacks.
Real-world kinetic attacks
Stuxnet
In 2010, the first known instance of a kinetic cyberattack took place when security professionals identified a piece of malware called Stuxnet. It is generally agreed that the malware was developed by Israeli and US government forces. It was deployed against elements of Iran’s nuclear weapons development program, exploiting several previously unknown Windows vulnerabilities.
Stuxnet was specifically designed to destroy the centrifuges that Iran used to enrich uranium. By altering the programming of specific types of programmable logic controllers (PLCs), it caused the centrifuges to spin irregularly, which ultimately caused them to destroy themselves. It’s estimated that the attack set back Iran’s weapons program by at least two years.
Perhaps most importantly, the discovery of Stuxnet announced to the world that critical infrastructure could be damaged or destroyed using nothing more than malicious code.
Colonial Pipeline
In 2021, Colonial Pipeline was struck by a ransomware attack that prompted the company to shut down its oil and gas pipeline operations. The industrial control systems (ICS) that managed the pipelines were not segmented away from the company’s data systems, leaving open the possibility of a catastrophic failure if the ransomware migrated from one to the other.
Ultimately, there was no damage to or destruction of the physical systems; however, the shutdown had a strong and immediate effect on energy prices and availability and is believed to have put the US at strategic risk.
Florida water treatment plant attack
Also in 2021, a cybercriminal was able to access the water treatment facility for Oldsmar, Florida, using a long-dormant, password-secured remote-access software platform. The attacker adjusted the controls to add 100 times the normal amount of sodium hydroxide, aka lye, to the water.
Fortunately, an operator who was online noticed the attack in progress and reset the control before any damage could be done. It’s terrifying to wonder what might have happened if the attack had taken place at night when no legitimate operators might have been online.
Securing vulnerable systems
There are many more examples of kinetic cyberattacks in recent years. And there’s no reason to expect that they will not continue to proliferate.
Cyber-physical systems (CPS)—computerized systems that are connected to the internet as well as to physical and mechanical systems—are all around us. From ICS and critical infrastructure systems down to ordinary IoT devices—think refrigerators and pacemakers—we benefit immensely from this technology.
But while both government and industry have increasingly accepted the need for robust security to protect traditional data and networks, many of the most vulnerable CPS systems—including critical infrastructure that could cause massive damage and even death if attacked—continue to be inadequately protected.
What should administrators of these systems do to better protect them against attack?
One of the first and most important steps is to implement robust segmentation of CPS systems to prevent attackers from using data networks to penetrate and compromise them. If possible, they should be air-gapped, that is, completely physically separated from the internet and from other networks and systems.
Another important step is to implement very strong access controls, such as zero-trust systems, using least-privilege principles to ensure that only those who have an absolute need to access CPS systems have the authority to do so.
Administrators should also invest in advanced security systems, including network and application firewalls, on at least the same level as they invest in security solutions for their traditional, data-centric networks and systems.
Conduct frequent security audits to ensure that all software is up to date and that all known vulnerabilities are patched promptly. In addition, make sure that any temporary access routes granted to contractors or outside technicians are eliminated as soon as they are no longer needed.
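As an added illustration of the audit step above (this is example code, not part of the original post), a small Python routine that reviews an inventory of remote-access grants to a CPS network and flags the kinds of access that the Oldsmar case shows are dangerous: expired temporary grants that are still active, contractor access with no expiry, and accounts that have sat unused for a long time. The inventory format, account names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date

# Constructed sample inventory of remote-access grants to an OT/CPS network.
# Fields: account, role, granted, expires (None = permanent), last_used (None = never).
GRANTS = [
    {"account": "ops-engineer-1", "role": "operator", "granted": "2024-01-10",
     "expires": None, "last_used": "2025-03-01"},
    {"account": "contractor-hvac", "role": "contractor", "granted": "2024-06-01",
     "expires": "2024-06-30", "last_used": "2024-06-15"},
    {"account": "vendor-plc-support", "role": "contractor", "granted": "2023-02-01",
     "expires": None, "last_used": "2023-02-20"},
    {"account": "integrator-temp", "role": "contractor", "granted": "2025-02-20",
     "expires": "2025-03-20", "last_used": None},
]

DORMANT_DAYS = 90  # assumed policy: review any access unused for more than 90 days


def _parse(value):
    """Turn an ISO date string into a date, passing None through."""
    return date.fromisoformat(value) if value else None


def audit_grants(grants, today, dormant_days=DORMANT_DAYS):
    """Return (account, reason) findings for grants that should be removed or reviewed."""
    findings = []
    for g in grants:
        expires = _parse(g["expires"])
        last_used = _parse(g["last_used"])
        granted = _parse(g["granted"])

        # Temporary access that outlived its expiry date is the clearest case: remove it.
        if expires is not None and expires < today:
            findings.append((g["account"], "expired temporary access still active"))
            continue

        # Contractor access should always be time-boxed.
        if g["role"] == "contractor" and expires is None:
            findings.append((g["account"], "contractor access with no expiry date"))

        # Dormancy is measured from last use, or from the grant date if never used.
        idle_days = (today - (last_used or granted)).days
        if idle_days > dormant_days:
            findings.append((g["account"], f"dormant for {idle_days} days"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_grants(GRANTS, date(2025, 3, 5)):
        print(f"{account}: {reason}")
```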
The stakes have always been high when it comes to cybersecurity. But as the frequency and severity of kinetic cyberattacks go up, those stakes grow immeasurably.