The industrial hack is a well-known trope of the silver screen. In just a few keystrokes, an evil computer whiz with a vague accent gains access to a sensitive system. They press enter, a nuclear power plant explodes—and you reach for another handful of popcorn.
In reality, malicious hackers are breaking into industrial computer networks all the time; they just don’t usually put on a show. These hackers are more into quietly siphoning off sensitive data, or subtly sabotaging an industrial process. It might be months or years before they’re discovered, but they’re there, and their ranks are growing. There were 295 reports to US authorities last year of operational technology and industrial control system (ICS) attacks, according to consulting firm Booz Allen Hamilton, a 20% increase over the year before. A third of those attacks targeted “critical manufacturing”—facilities that produce steel, construction machinery, or electrical generators, for example.
“There’s a lot more of the background stuff going on than you would think,” says Jason Larsen, industrial control systems principal at cybersecurity firm IOActive.
Ghosts in the machine
Some ICS attacks involve overt “ransomware,” which takes over a system and asks for a fee before control is returned to the user. But others simply gain access or exfiltrate data, and they can be hard to spot. Larsen says that when the price of oil peaked a few years ago, IOActive researchers discovered increased evidence of hacking and espionage at oil refineries and pumping stations.
“Everybody that got into the core networks running those [installations] could wreck the place,” he says. “But they wanted really, really detailed information about the price of oil.” That intelligence could help hackers predict when the price was going to crash—which it later did.
Larsen offers another example: a US manufacturing plant with a long and complicated assembly line that included industrial machines cutting, bending, and drilling materials.
“What the attacker had done is he had gone in there to the controller and put a random number generator in there,” Larsen says, “[so that] a certain number of products were out of spec.” Not quite the stuff of Die Hard movies, but this type of hacking is a surreptitious and low-overhead way to sabotage a competitor, and could easily be employed to much larger effect.
“We’re seeing a tremendous rise in attacks in the ICS environment,” says Brad Medairy, a senior vice president at Booz Allen.
Of course, hackers do get noticed when they want to. An extremely sophisticated cyber attack on a Ukrainian power plant in December left 230,000 people without power for up to six hours, and a subsequent investigation found that attackers had planned the operation for months. A Booz Allen report on the incident described it as part of “a steady, deliberate attack against Ukraine’s critical infrastructure”.
As hackers increasingly target operational systems over corporate suites, security researchers and intelligence officials alike are worried that power plants, factories, and utility stations could be at risk. In April, a German nuclear power plant discovered malware that could steal login credentials on employee computers; just a month earlier, the control system at a New York dam was accessed by a hacker. In 2015, 12 documents with personally identifiable information were stolen from a South Korean light-rail operator. Larsen himself says he has broken into the same UK energy company four times in a row when asked to do so as part of a security review.
But hackers aren’t necessarily drawn to big, cataclysmic cyber strikes. Apart from not always being profitable for the attacker, such offenses risk being interpreted as “an act of war” on the part of a nation state, notes Eric Cornelius, director of critical infrastructure and control systems at cybersecurity firm Cylance.
While many bits of physical infrastructure may be vulnerable to attack, he adds, trying to take control of these systems is also far more technically difficult. “It requires a substantial amount of effort on behalf of the threat actor,” Cornelius says.
Larsen does have some good examples of what can be accomplished, though, with the right skills. He’s shown how valves in water systems, many of which are now controlled by computers, can be closed quickly to create a buildup of pressure known as a water hammer. You have to know exactly what valves to close and when, but if you do, the results can be dramatic.
“If you scale the physics of that up into a 12-inch pipe at 60 feet long, you have enough water in there that it weighs more than a car,” Larsen says.
It’s important to remember that physical infrastructure and computer networks are not mutually exclusive; in fact, they’re increasingly less so. In September, customers at a Romanian bank were unable to withdraw money after the bank’s data center was knocked offline during a routine test of the fire extinguisher.
For now, Cornelius isn’t too worried about highly destructive attacks on physical infrastructure, at least not from hackers. But he notes that cyber weapons, like regular weapons, are most dangerous when they fall into the wrong hands.
“An individual may copy and paste the code as many times as they want,” he says. “As these attacks become more common—and they undoubtedly will—that code will become available on the open market.”