Dealing With the Physical Threat of Cyber-Attacks

By Thomas Boyden

There has long been concern about a “cyber 9/11” that could cripple the country’s financial, energy and transportation networks. A debilitating attack late last year on electrical grids in western Ukraine has given the United States new cause for concern.

The incident, the first known power outage caused by a cyber-attack, disrupted electrical transmissions, leaving 80,000 customers without power for several hours. This watershed event in cyber-security is not only the latest example of hackers causing physical harm—it’s also a clear indicator of things to come if we don’t work now to minimize the physical threat of cyber-attacks.

The veil between virtual and physical attacks was lifted as early as 2007, when the U.S. Department of Homeland Security launched a complex cyber-attack on a diesel-powered electric generator in eastern Idaho. The remote attack from a DHS terminal took over the computerized controls of the generator and forced it to do the equivalent of shifting a car into reverse while barreling down a highway. The undue stress on the generator’s mechanical components caused it to shake violently, spew out black smoke and explode.

Since then, we’ve seen the Stuxnet worm trick 1,000 Iranian centrifuges into self-destructing, the Shamoon virus corrupt 30,000 systems at Saudi Aramco, and this latest episode that downed Ukraine’s electric grid. Unfortunately, this is only the beginning.

The nexus between virtual threats and physical damage occurs at the electronic controls of mechanical processes: the computer screen at the nuclear plant where employees monitor temperature and pressure, or the interface on your console that puts your car into self-parking mode or—one day soon—self-driving mode. With the right sequence of code, a cyber-terrorist could wreak indiscriminate and widespread havoc by exploiting vulnerabilities in the ever-increasing connectivity of smart devices and their mechanical counterparts.

For the time being, the complexity involved in physical cyber-attacks make it much more likely that large industrial systems, such as power plants or factories, will be targets rather than personal electronic devices. After all, a skilled counterfeiter wouldn’t waste his time making $1 bills when he could be making $100 bills.

Such an attack might involve hacking into an industrial control system through a “backdoor.” This tactic exploits the fact that many of these systems are connected to the Internet, but they haven’t been updated with security patches since the machinery was installed—often years before.

The newly introduced malware could cause equipment to overheat, overload or even self-destruct, while engineers who are watching compromised computer screens are none the wiser. This scenario could put employees at risk and lead to damaged systems, interrupted operations, expensive repairs and lost productivity costs.

However, the exponential growth of connected smart devices—the Internet of things (IoT)—will eventually expose even ordinary machinery to the same kind of risk, and with even more points of entry. Engineered auto accidents exploiting your car’s connectivity with your phone or your watch could become as plausible as the manufactured blackout that hit western Ukraine last year.