Real time flames: Welcome to the Age of Cyber-sabotage

Gone are the days when data were the only target, and physical consequences were mostly reserved for movie studios’ imagination and hacking series (Hello there, Mr. Robot!). What is cyber sabotage? Cyber-sabotage is a cyber-attack with physical consequences.

This past June, the Predatory Sparrow hacking group released a shocking video, showing a steel mill in flames, recorded in real-time. They also added network diagrams and a screenshot of the operating station of the furnace, and finally released the stolen data. We have seen cyber sabotage before, in Stuxnet, Sandworm, and lately on dozens of sites. But to my knowledge, this is the first live recording of a cyber-sabotage, and it is starting to feel like these events are happening more often than the data show, specifically in targeted countries such as Iran.

There is quite a bit of discussion on who the perpetrators are, but I will focus on something more transcendent, which is the change in the payload. And it is a big deal because it signals a wide-scale transition from the age of data hacking to the age of cyber-sabotage. And there is data to back me up on this one. In the last 2 years, the attacks with physical consequences have grown exponentially, but I believe most IT practitioners are blind to one terrifying fact: in most cases, the physical consequences were a byproduct of data being encrypted or erased by ransomware, not due to a carefully crafted payload targeted to that industrial site. That is the case in the infamous breach at the Colonial Pipeline. Is this good news? NO, this is terrible news. This means attackers are affecting operations without even trying. But they will start trying and the consequences will be dire. In short, today we are facing unintended cyber-sabotage in operations.

How worried should we be?

I have been studying operational networks for a while. And I always try to understand what attackers would do if they could control the automation systems of that industry. This does not include, of course, systems that are inherently safe from an attack, such as relief valves or safety switches. I am talking about infrastructure such as energy, water, rail, manufacturing, etc. So, the question to the engineer focused on consequences remains: Can the attackers release toxins into the water? Can they derail the train? Can they make the furnace explode? The answer, when I first asked this question, was almost always: no, it is not possible! But when I whisper to the engineer, "could you do it?", the answer is almost always: well, yes, but only if the attacker possesses an intimate understanding of the process network. An engineer assumes a cyber-attack will focus on the data, not on the process. This knowledge seems to be in the hands of nation-states, but not for very much longer.

Three years ago, cyber-attacks with physical consequences were rare. Now the data show they are becoming quite common, and a new beast has emerged: we are talking about the transition from unintended cyber-sabotage to targeted cyber-sabotage, with a payload that intimately understands the operational process. We know now that the nation-state-grade attacks of today are a predictor of the common attacks of tomorrow. A consequence-driven analysis of the risk we are facing today is desperately needed, even more so at a time when nations may decide to use cyber-sabotage as a form of warfare. The world of cybersecurity has changed, and we need to take note and act.

Dr. Jesus Molina