The worst cyberattacks can kill people, but there are ways to fight back
A criminal gang conspires to hijack a city’s water supply, putting harmful chemicals into the water and dispersing them to residents, bringing mayhem and death. If you’ve seen “Batman Begins,” you know that’s a key plot point of the movie. What you might not know is that a similar attack failed last February in Oldsmar, Fla. It wasn’t quite as theatrical, and Batman didn’t swoop in to save the day. Fortunately, the attack failed, but it could have had disastrous consequences. More than the usual problems that cyberattacks bring (data breaches, theft, and shortages of crucial resources), this attack could have killed people. Also troubling, according to Homeland Security Sec. Alejandro Mayorkas, is that the “killware” attack “was not for financial gain, but rather purely to do harm.”
A Ticking Clock
The attack on Oldsmar’s water system may have failed, but it’s only a matter of time before a killware assault achieves its aim. A Gartner study from last July concluded that “by 2025, cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.”
Cyber defenses need to adapt their focus to respond to the threat. “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” Wam Voster, senior research director at Gartner, said. “Inquiries with Gartner clients reveal that organizations in asset-intensive industries like manufacturing, resources, and utilities struggle to define appropriate control frameworks.”
The attacks are becoming more serious and more frequent, Mayorkas said, making improved cybersecurity paramount.
A Triton malware attack at a Saudi petrochemical facility in 2017 strove to disable emergency shutoff systems.
“If the malware had been effective, then loss of life was highly likely,” Voster wrote. “It is not unreasonable to assume that this was an intended result. Hence ‘malware’ has now entered the realm of ‘killware.’”
Cyberattacks on hospitals have already led to deaths. At an Alabama hospital in 2019, nurses failed to notice a change in a baby’s heart rate that would normally have been displayed on a monitor that had been disabled. In 2020, a German woman died after she had to go to a second hospital to seek urgent care because the first hospital had an IT failure.
The motivation of killware hackers is a vexing problem. If it’s not financial, what is it? Identifying that can be key to identifying the attackers. The motive can be political, often an indication that a foreign government is behind the attack, either directly or by sponsoring it, making sure to leave enough doubt as to have plausible deniability. To borrow a phrase from the Batman franchise, “some men just want to watch the world burn.” That’s what made the Oldsmar attack so alarming.
“U.S. cybersecurity officials have long known that water facilities and other critical infrastructure have been vulnerable for many, many years,” a senior Homeland Security official speaking on condition of anonymity told USA Today. “What made this one different was that there was an intruder who consciously exploited that vulnerability with malicious intent.”
To do the most damage, killware attackers will target systems that reach a lot of people, like city water supplies, or where people are most vulnerable, like hospitals. The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Department of Health and Human Services issued a special warning to hospitals in 2020 about the growing threat.
An Ounce of Prevention
Given the severity of the killware threat, how do organizations protect their cyber systems? It starts with an assessment of the various ways to access those systems. In the Oldsmar incident, the hacker used old remote login credentials that should have been disabled but weren’t. At a Kansas water facility, a former employee used credentials that had also not been disabled. Simple maintenance could have prevented both incidents.
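The maintenance check described above can be automated. The following is an added example, not code from either facility or from any vendor named in this article: it flags enabled remote-access accounts whose owner has left or that have sat idle. The account export format, the HR list, the account names and the 90-day threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data (not from either incident): an export of accounts
# and an HR list of people who have left the organization.
ACCOUNTS_CSV = """username,owner,enabled,remote_access,last_login
ops_remote,shared,true,true,2020-06-01
jdoe,jdoe,true,true,2021-01-28
asmith,asmith,true,true,2019-01-15
bnguyen,bnguyen,false,true,2018-11-02
scada_view,shared,true,false,2020-03-10
vendor_vpn,vendor,true,true,
"""
DEPARTED = {"asmith", "bnguyen"}


def audit_remote_accounts(accounts_csv, departed, today, max_idle_days=90):
    """Return {username: [reasons]} for enabled remote-access accounts
    that should be disabled or reviewed."""
    findings = {}
    cutoff = today - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        # Already-disabled accounts and accounts without remote access
        # are outside the scope of this check.
        if row["enabled"] != "true" or row["remote_access"] != "true":
            continue
        reasons = []
        if row["owner"] in departed:
            reasons.append("owner has left the organization")
        if not row["last_login"]:
            # An empty field means the export holds no login record at all.
            reasons.append("no recorded login")
        elif date.fromisoformat(row["last_login"]) < cutoff:
            reasons.append(f"no login in over {max_idle_days} days")
        if reasons:
            findings[row["username"]] = reasons
    return findings


if __name__ == "__main__":
    report = audit_remote_accounts(ACCOUNTS_CSV, DEPARTED, today=date(2021, 2, 5))
    for user, reasons in report.items():
        print(f"{user}: " + "; ".join(reasons))
```

Run on a schedule against a real account export, a report like this turns the disabling of old credentials into a routine review item.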
But there are often other vulnerabilities, so vigilance is necessary, and it is often a good deterrent.
“Cybercriminals have historically prospered in low risk-high reward behaviors in cyberspace in large part due to gaps in detection capabilities and, at least in the United States, shortfalls in legislation. If anything, the onslaught of cybersecurity incidents has heightened awareness and action by lawmakers,” Jonathan Brandt of the Information Systems Audit and Control Association wrote in assessing ISACA’s State of Cybersecurity 2021 report.
Legacy systems, even those that are only a few years old, need updating. Improving these is a fortunate side effect of COVID’s acceleration of digitization. Mixmode and other AI systems monitor network activity in real time and adjust what is considered expected behavior. That way, when something out of the ordinary happens, defenders are ready to respond and stop the threat. Killware presents all kinds of danger, and fighting it head-on is of vital importance for operations of all kinds.