When Cyber Attacks Threaten Lives: A Candid Assessment of The Reality of OT Threats

In times of increased geopolitical tension (welcome to the 2020s), fears of vulnerable industrial control systems and life-threatening cyber attacks naturally heighten. Danny Bradbury talks to those on the front line to work out how real (and how damaging) the OT threat really is

It isn’t every day that a cyber attack on industrial control systems (ISC) darkens the skies with plumes of smoke. However, according to hacktivist group GhostSec, that’s what happened on June 23 this year when an explosion occurred at the Gysinoozerskaya hydropower plant in Russia’s eastern Buryatia region. GhostSec, which has vowed to continue attacking Russia while it occupies Ukraine, claimed responsibility a month later.

“This affected a certain type of industrial device, and we were able to overload it,” a representative for the group, using the name Sebastian Dante Alexander, told us.

This might be GhostSec’s most visually stunning attack, but the group says it has caused physical damage to many industrial systems. GhostSec targeted Israel in criticism of its stance on Palestine way before the October 7 crisis, gaining access to programmable logic controllers in the country and posting screenshots of a hacked water control system there. It has also targeted industrial control systems in Iran in solidarity with protesters.

Bucks rather than bang

While reports of attacks on operational technology appear to be growing, intrusions that result in explosions, fires, or floods are infrequent. Rik Ferguson, vice president of security research at Forescout, says that most cyber attack groups are in it for the money, so the motivation for destroying property isn’t there.

Sometimes, financial and ideological motivations overlap. GhostSec launched its GhostLocker ransomware as a service operation in October. Dante Alexander says that 70% of the proceeds help fund its activities, providing means to accompany its motive.

Those motives must be strong because attacks on ICS also carry a heavier set of risks. Ferguson highlights the US government’s response to 2022’s Colonial Pipeline attack. Even though it was a ransomware attack that targeted the company’s administrative network, its effect on the oil supply focused the lens on the groups involved.

“Attacking critical national infrastructure (CNI) or making things go boom in any way is going to put you very squarely in the sights of international law enforcement and other organisations like the NSA, CIA, and FBI that you really don’t want to mess with,” Ferguson says.

Activists are, however, sometimes willing to risk such scrutiny, looking beyond site defacement, data theft, and doxxing into physical destruction. “It’s a reason why we take OPSEC very seriously, especially after our recent attacks affecting all kinds of industrial systems,” Dante Alexander says.

These factors might all play into the relative scarcity of physically damaging ICS attacks, but one of the main reasons is that they’re not easy to carry out.

“Industrial control system attacks are rare because the research, methodology, and effort put behind it takes a lot,” Dante Alexander says. “It’s not something a lot of people would be willing to put time and effort into.”

Stuxnet in 2010, one of the most famous attacks on ICS that caused physical damage, is a case in point. The attack was so sophisticated that ICS security expert Eric Byres estimated the effort involved months, if not years.

The biggest boom of all

Stuxnet is the go-to example for cyber attacks that caused major physical damage. But another, launched not long after the first IBM PCs rolled off the shelves, was reportedly even more destructive. It delivered an explosion a fifth as large as the atomic bomb dropped on Hiroshima.

“Attacking critical national infrastructure (CNI) or making things go boom in any way is going to put you very squarely in the sights of international law enforcement” Rik Ferguson

In his 2004 book, At the Abyss, President Reagan’s special assistant for national security affairs, Thomas Reed, recounted a 1982 cyber campaign that the U.S. launched against the USSR.

The Soviets approached a Canadian company for software to control a new pipeline that would route gas from Siberia’s Urengoi fields to the West. The United States worked with the Canadian company to doctor the software, effectively turning it into a trojan. After a period of operating normally, the software began resetting pump speeds and valve settings to produce gas pressures far beyond the pipeline’s design limits.

“The result was the most monumental non-nuclear explosion and fire ever seen from space,” said Reed in his book. The three-kiloton blast occurred in a remote region, effectively taking out Russia’s ability to deliver oil for hard currency in the West, thus damaging it economically. Reed believes that this contributed to the outcome of the Cold War, which was won on essentially economic grounds.

Other damaging attacks in history

There have been other less explosive but still damaging attacks, like the 2000 ‘poo-splosion’ in Maroochy Shire, Queensland, Australia. A disgruntled engineer who had failed to get a job at Maroochy Water hacked the system and released 800,000 litres of untreated sewage into waterways and local parks.

In 2014, attackers targeted a German steel mill, using the Heartbleed vulnerability in OpenSSL to initially compromise administrative systems before jumping into the production system. From there, they triggered breakdowns in ICS components.

Triton was the first malware the world had seen with a payload explicitly focused on human harm

“The breakdowns led to the uncontrolled shutdown of a blast furnace, leaving it in an undefined state and resulting in massive damage,” said the German Office for Information Security in its postmortem.

We have seen specific classes of malware able to target ICS systems, including Night Dragon (2009), Havex (2013), Duqu/Flame (2011), and Shamoon (2012). Many focus on information gathering and causing damage to workstations rather than directly affecting ICS equipment like programmable logic controllers or remote terminal units. With that said, compromising ICS workstations or even administrative systems is often the first step in an industrial attack.

The 2015 BlackEnergy attack, in which Russia took down the Ukrainian energy grid with BlackEnergy malware, was especially disruptive. In 2016, a second successful attack on the grid used the even more sophisticated Industroyer malware. Like Stuxnet, this malware was designed purely for physical damage and disruption.

Triton (2017) was another piece of malware designed to target ICS systems. This included specific designs to switch off safety systems, which could deliberately incur a loss of life. This makes it the first malware the world had seen with a payload explicitly focused on human harm.

The future of physically damaging attacks

For now, at least one activist group seems to have a conscience. GhostSec’s Dante Alexander describes steps that it takes to prevent loss of life. Although the attack disrupted power to people in the region, he says that it purposefully designed its assault to damage systems rather than directly hurting people.

“The attack was planned to target a timing where there is less [sic] employees present in the plant,” he says. “We specifically planned out a lot and did our research before this specific attack you are talking about.”

Others in the future might not be as scrupulous, especially state actors, which are most likely behind malware like Triton developed with threats to life in mind. As hactivist groups become bolder and angrier over mounting political tensions, attacks could well increase.

“There is already a case of people following the trend of ICS and IoT hacking as a whole after our initial attacks doing it,” says Dante Alexander. “They may not be as conscientious as we were or have the same morals.”

Governments are working overtime to try and address these dangers. The UK has its NIS framework for CNI protection, revised separately from Europe’s NIS 2 directive. The United States has relied heavily on executive orders to push security measures through federal agencies. However, with much U.S. infrastructure – notably water management – operating at local levels with a distinct lack of expertise, it faces organisational challenges in pushing these changes through.

Securing industrial control systems is fraught with challenges, ranging from an increasingly internet-connected infrastructure through to core SCADA equipment that goes unpatched and unrefreshed for far longer than administrative IT systems. Nevertheless, the onus is on all countries to invest in securing these systems, lest hacktivists or nation-states come knocking.