Hackers could have opened the flood gates on a dam in New York in 2013, but the gates were offline for maintenance.
Another hacker was in the process of trying to poison the water supply in a Florida town in February when a worker noticed and stopped it.
Rather than risk a spill or other pipeline disaster after a ransomware attack last month, operators of an East Coast pipeline shut it down, leaving millions waiting in long fuel lines.
Such close calls are ratcheting up fears about how vulnerable the nation’s infrastructure is to cyberattacks. Experts say there are more to come and the attacks could be far more devastating than anything seen so far unless the United States girds its critical systems against a growing onslaught of digital intrusion.
That worst-case scenarios haven’t played out already, experts said, comes down to a combination of luck, and the fact that hackers have focused on making quick money using relatively unsophisticated attacks.
The U.S. Department of Homeland Security identifies 16 “critical infrastructure sectors,” vital parts of everyday life such as transportation and drinking water that are at risk of disruptions and would hurt the nation’s security, health or safety. Last week, President Joe Biden handed a list of the sectors to Russian President Vladimir Putin and told him they’re off limits for cyberattacks.
Think of all the automated systems that people rely on every day, said Paul Rosenzweig, who formerly worked on cybersecurity policy for Homeland Security: “Traffic lights for our cars, natural gas for our houses, water for our homes, clean water and sewage, electricity to power our houses, our metro rail systems that many of us use.”
The 16 sectors designated by Homeland Security are: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems.
All of those systems can be hacked, he said.
And therein lie the worst-case scenarios, said Tatyana Bolton, a former Homeland Security official who led development of strategies for strengthening U.S. cybersecurity.
“If any of (these industries) are attacked and taken offline it would create massive repercussions across the United States,” she said.
Despite repeated warnings, she said, cybersecurity in these critical sectors hasn’t improved much.
“You can look back at videos and events and papers from 10 years ago,” Bolton said. “And the arguments that we were making then are the arguments we’re trying to make now, which shows you how little focus we’ve gotten from Congress, and support from the administration in terms of resources, and funding and people.”
That might be changing after hacks at the Colonial Pipeline Co. and meatpacker JBS Foods.
Deputy Attorney General Lisa Monaco issued a plea to the nation’s CEOs earlier this month to batten down the digital hatches against an expected onslaught of devastating ransomware attacks.
“You’ve got to be on notice of the exponential increase of these attacks,” Monaco told them.
Experts say the scariest scenarios involve a hacker either purposefully or inadvertently changing the operations of an industrial control system, such as that for a pipeline, a dam or a water works.
Such an intrusion could lead to prolonged outages, destroy infrastructure and even kill.
When Iranian hackers broke into the computer system that controls the Bowman Avenue Dam in Rye Brook, New York in 2013, they snooped on passwords and usernames but didn’t seize control of the computerized flood gates, which were disconnected for maintenance.
They proved they could sneak into critical infrastructure systems, and that if they wanted to hijack any one of hundreds of flood control systems in the U.S., sending potentially fatal floods toward downriver cities, or wipe out hydroelectric power and water supplies to millions, they could do it.
Sen. Chuck Schumer, D-N.Y., called it a wakeup call in 2015 when revelations about the breach became public. The nation’s critical infrastructure is vulnerable to criminals and needs to be strengthened, he said.
“This cyberattack surely serves as a bucket of ice water to the face,” Schumer said.
But it didn’t.
Six years later, cybersecurity experts are still warning of the same potential worst-case scenarios and real-world attacks are proving them right with increasing frequency.
Colonial Pipeline Co. shut down its pipeline out of an abundance of caution. Hackers locked up the company’s corporate computer system – possibly affecting things like email, billing and payroll. The criminals did not access the computer system that controls the flow of fuel through more than 5,000 miles of pipeline, but the company was worried that system might not be completely separate, the experts said.
“Imagine loss of control of the pipeline itself and what could have resulted,” said Mark Ostrowski, head of engineering for the east coast at Check Point Software Technologies.
Here are six more scenarios the experts outlined:
An intrusion into the Oldsmar, Florida water system in February highlighted vulnerabilities in the water treatment industry. A hacker broke in through remote access software and briefly increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, can cause irritation, burns and other complications in too large quantities.
It wasn’t the only recent water-related breach. In March, the Justice Department accused a former Kansas utility worker of remotely tampering with a public water system’s cleaning procedures. And last week, NBC News reported that a hacker in January tried to poison an unnamed water treatment plant serving parts of the San Francisco Bay Area.
“If you’re a state actor, or a highly-integrated or networked group of hackers, Black Hat hackers, you can mess with the chlorine levels in your water or the arsenic levels in your water and poison the entire New York City water supply overnight,” Bolton said.
“New York City wakes up, everyone has a glass of water in the morning or cooks something with water in the morning – and you poison millions of people.”
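The Oldsmar change described above, from 100 ppm to 11,100 ppm through a remote session, is the kind of write a setpoint guardrail can catch before it reaches the process. The following Python is an added example, not from the article or any utility’s real control software: it screens dosing setpoint writes against engineering limits and a maximum step size and escalates flagged writes that came from a remote session. The tag name, limits and event stream are all constructed.

```python
# Added example, not from the article or any utility's code: screens setpoint
# writes against engineering limits and a max step size, the kind of check that
# would flag the Oldsmar change from 100 ppm to 11,100 ppm. Values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    low: float       # lowest value the process is engineered for
    high: float      # highest value the process is engineered for
    max_step: float  # largest single change an operator should make at once

# Constructed engineering limits for one dosing tag (not real plant values).
LIMITS = {"naoh_dose_ppm": Limits(low=50.0, high=500.0, max_step=50.0)}

@dataclass(frozen=True)
class SetpointWrite:
    ts: str          # timestamp of the write
    source: str      # "local_hmi" or "remote_session"
    tag: str
    old: float
    new: float

def check_write(w: SetpointWrite) -> list[str]:
    """Return the reasons this write should be blocked or alerted on (empty if clean)."""
    lim = LIMITS.get(w.tag)
    if lim is None:
        return ["unknown_tag"]  # writes to unlisted tags get no free pass
    reasons = []
    if not lim.low <= w.new <= lim.high:
        reasons.append("out_of_bounds")
    if abs(w.new - w.old) > lim.max_step:
        reasons.append("large_step")
    # A remote session making an already-suspect change is the highest-risk case.
    if reasons and w.source == "remote_session":
        reasons.append("remote_origin")
    return reasons

def screen(writes) -> dict[str, list[str]]:
    """Map each flagged write's timestamp to its reasons; clean writes are omitted."""
    return {w.ts: r for w in writes if (r := check_write(w))}

# Constructed event stream modelled on the Oldsmar description above.
EVENTS = [
    SetpointWrite("2021-02-05T08:00:00Z", "local_hmi", "naoh_dose_ppm", 100.0, 105.0),
    SetpointWrite("2021-02-05T13:30:00Z", "remote_session", "naoh_dose_ppm", 100.0, 11100.0),
    SetpointWrite("2021-02-05T13:35:00Z", "local_hmi", "naoh_dose_ppm", 11100.0, 100.0),
]

if __name__ == "__main__":
    for ts, reasons in screen(EVENTS).items():
        print(ts, ", ".join(reasons))
```

The operator’s corrective write back to 100 ppm is also flagged for its step size, which is intended: a guardrail that stays silent on large reverts would miss the same pattern used to cause harm.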
Claudia Rast, a ransomware lawyer who co-chairs the American Bar Association’s Cybersecurity Legal Task Force, said the electrical grid has long been an area of concern because of the horrible what ifs involved in mass power outages.
“Look what happened to Texas, and that wasn’t cyber,” she said. “That was just weather.”
Record cold temperatures in February froze components at power generation plants, leaving 5 million people without power and heat for days, resulting in more than 100 deaths.
Electrical workers repair a power line in Austin in February. Cold weather took down the electricity grid in Texas this winter, but it showed how deadly a cyberattack that did the same thing could be. More than a hundred people died during the Texas outages.
In recent years, power grids also have become popular targets for hackers outside the U.S. The Russian government attacked Ukraine’s grid twice, with the second attack aimed at permanently destroying some of the country’s grid, said Brian Kime, senior analyst with cybersecurity research firm Forrester.
The 2016 attack involved malware intended to deceive human operators into thinking that safeguards were working when they really weren’t, he said. There were errors in the code that prevented the plan from working as intended, but the result could have been catastrophic for Ukraine.
The companies that make up the U.S. electric grid follow stricter cybersecurity guidelines than other industries because of regulations from the North American Electric Reliability Corporation, or NERC. Because of this, experts say the sector is less vulnerable to ransomware and other cyberattacks. Nuclear plants under the Nuclear Regulatory Commission also have a more robust regulatory framework to protect from cyber intrusion.
A cyberattack on the global positioning satellites that help guide aircraft, ships and other transportation could cause mayhem.
“Looking at things like GPS, you know how dependent we are on an accurate position,” Kime said. “If I manipulate GPS signals, somehow degrade them or disrupt them or actually manipulate them … I could have two aircraft or two ships appear to be farther apart, when in reality they are closer.”
In fact, pilots have faced frightening situations when the GPS on their commercial aircraft was jammed, according to reports on NASA’s Aviation Safety Reporting System, where pilots share near misses and safety tips.
A pilot attempting to land at the El Paso, Texas, airport last year reported a loss of GPS signal during a military jamming test at the nearby White Sands Missile Range. After missing the approach on one runway due to changing weather conditions, he was forced to make a manual, visual landing on a runway in mountainous terrain that has known crash threats.
He landed safely but is one of 11 pilots to report issues with GPS jamming near White Sands in recent years.
With more than 2 million farms, 935,000 restaurants and 200,000 registered food production facilities, the food and agriculture sector makes up about a fifth of the nation’s economic activity, according to Homeland Security. It cuts across other sectors including water, transportation, energy and chemicals.
So as Big Agriculture has computerized many of its production systems, the possibilities for digital mayhem are endless. Security professionals have worried about the potential impact of an attack on the country’s food supply long before the JBS hack which led to a brief shutdown of nine of its beef plants, Rast said.
JBS says it was the target of an “organized cybersecurity attack.”
Just tampering with the computerized settings on a vast farm’s planting equipment could mean massive losses, Rast said.
“When you realize that come spring planting, the depths that you plant a seed is really critical to the ability of that seed to germinate,” Rast explained. “And if the software that is part of that planting season is adjusted or reconfigured so the seed is planted either too deep or not deep enough, you could have whole crops not even germinate and you lose that whole season.
“That could have some pretty catastrophic impacts.”
The immediate aftermath of the Sept. 11, 2001 terrorist attacks showed what a catastrophe in the nation’s financial system looks like. But experts fear that a ransomware attack against the same target could be far more cataclysmic.
When suicide hijackers crashed planes into both of the World Trade Center towers and knocked them down, they also knocked some major Wall Street banks offline.
Bolton, the former senior DHS Cybersecurity and Infrastructure Security Agency official, said authorities realized in horror that the financial outages – which lasted for days – crippled many aspects of regional and even national commerce in ways they hadn’t anticipated.
“That’s how some of this [infrastructure protection] work started way back after 9/11,” she said. “They realized very quickly that the financial sector is so critical because it processes absolutely everything.”
The attack disrupted a key banking function, largely unknown to the public: In nightly bulk transfers, banks send one another trillions of dollars to cover the thousands of individual transactions their clients make each day.
“Every minute the system was offline… they lost $6 billion,” according to some estimates, Bolton said. “It was insane. It was like they were counting hour by hour, trying to get those bulk payment systems back online, to make sure our economy was running. Because the minute that stops, it has untold domino effects throughout the economy and the country.”
Ransomware attacks on hospitals delay care as doctors switch from electronic records to old-school pen and paper, and lose access to critical medical records stored in their systems.
Universal Health Services, one of the nation’s largest health care providers with more than 25 hospitals and hundreds of other facilities, was hit in September with some facilities having to turn away ambulances as a result.
At least one death was attributed to a hospital ransomware attack in Germany last year when University Hospital Dusseldorf had to shut down its emergency room and divert patients.
One woman the hospital turned away was rushed to a hospital about 20 miles away, delaying her treatment by about an hour, according to European news reports. Authorities blamed her death on the delay.
Critical industries and infrastructure are vulnerable to these attacks because their computer systems, including those for industrial control functions, are increasingly connected to the internet. Every computer represents a possible entrance for a hacker to implant code that could change how machinery functions or how computers do their jobs.
It’s possible for hackers to then steal information, lock down the system as happens in a ransomware attack, or to wrest control from the company.
The most secure computer systems limit this danger by following best practices such as air gapping, where various computer systems are kept physically separate from each other – and the internet – so that a breach is isolated to one system. Other best practices include encrypting sensitive data and requiring a secondary means to confirm each user’s identity when they log in with their password.
But companies in many critical industries are far behind on such safety measures.
The Transportation Security Administration announced new rules for pipeline cybersecurity following the Colonial hack. But different agencies oversee other industries that remain vulnerable to the same kinds of attacks and have not adopted similar rules, experts told USA TODAY. If companies are unwilling to voluntarily beef up their security, some experts said it’s time for federal regulation to force them to do it.
“We do need to definitely look at where it’s appropriate for governments to come in and force more basic security,” Kime said.
A ransomware attack on the Colonial Pipeline Co. has raised awareness that cyber assaults could have serious consequences. A sign marking the location of the Colonial Pipeline is posted in Charlotte, N.C.
Forrester survey data shows industries that have been forced to comply with more federal regulations also have systems that have been fortified to make them more difficult to breach. Kime cited the U.S. electric grid, regulated by NERC, and the financial sector, regulated by the Securities and Exchange Commission, as examples of “more mature” cybersecurity systems.
At best, industry has been reluctant to foot the bill for better security. At worst, it has actively resisted attempts to regulate, the experts said.
“You could hear from industry, ‘Yeah, we would do more but then you have to pay more for gasoline or pay more for hamburger patties or something else.’ And no one wants to hear that answer,” said Joe Slowik, senior manager with IT security company Gigamon whose experience also includes security work with the departments of Energy and Defense.
Corporations, including those in critical infrastructure industries, have never been required to even report ransomware and other hacking incidents to the federal government.
But after the attack on Colonial, President Joe Biden ordered all companies that contract with the federal government to report cybersecurity breaches to the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security.
A 2020 bill would require that all U.S. companies report breaches to CISA.
But since the Colonial attack, Congress has so far not passed any new laws on cybersecurity.
Top national security officials warned the Senate in 2012 that the country’s crucial infrastructure was highly vulnerable to a major cyberattack. They urged Congress to pass a White House-backed cybersecurity bill that would have better regulated privately owned companies such as pipelines. The U.S. Chamber of Commerce and other business groups lobbied hard against the effort to regulate.
The bill, which also included information-sharing provisions, failed to overcome a Republican filibuster and died.
Bolton said legislation on this issue is rare because Congress isn’t focusing on it and critical infrastructure industries are focused laser-like on making sure that Congress doesn’t regulate it.
“It’s a little of both,” she said.
Also, she said, there are few members of Congress that know anything about cybersecurity.
“I mean, you can name them, literally name them, on two hands,” Bolton said. “But I think the time has come that some smart targeted regulation is absolutely necessary.”
This article originally appeared on USA TODAY: Colonial Pipeline, JBS ransomware attacks raise cybersecurity fears