While SolarWinds and the Colonial Pipeline ransomware attack were incredibly alarming to the government, industry and the public, it is the unsuccessful hack on the Oldsmar, Florida water treatment plant earlier this year that most troubles Department of Homeland Security (DHS) Secretary Alejandro Mayorkas, because of its potential to harm or even kill.
“The attempted hack of this water treatment facility in February 2021 demonstrated the grave risks that malicious cyberactivity poses to public health and safety,” Mayorkas said to USA Today, referring to a class of attacks ominously referred to as killware. “The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us.”
Cybersecurity professionals and government officials have long worried that cyberattacks on critical infrastructure would lead to intentional physical harm or death, but the killware moniker is relatively new.
“This is an alarming development, but not entirely unexpected. Malware, including ransomware, is a fast-growing criminal market, and over time it’s inevitable that we’ll begin to see increasing numbers of so-called ‘killware’ attacks, aimed at crippling infrastructure,” said Jack Chapman, vice president of threat intelligence at Egress.
In a few cases, ransomware attacks have already been blamed for causing deaths—including of an Alabama infant in 2019 and a German woman who was turned away from a hospital crippled by a ransomware attack. For the most part, however, these incidents are rare and relegated to movies and TV. But a recent report from Gartner brought the threat out of Hollywood and into reality.
“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” Wam Voster, Gartner senior research director, wrote in an article when the report came out.
“Killware as a term of art is a bit sensational—but the idea that our interconnective world increasingly places physical harm in reach of the digital arena isn’t science fiction,” said Tim Wade, technical director, CTO team at Vectra. “We increasingly rely on digital, information-driven critical infrastructure systems in sectors as diverse as energy or medicine.”
The consequences of failing to protect these systems, said Wade, “directly impacts the health, well-being and safety of real human beings that depend on them.”
Indeed, “whether we want to call it killware or something a little less flashy is secondary to the fact that, increasingly, our daily lives are reliant on the continued safe and reliable operation of many critical systems whose protection is of the utmost importance,” said Wade.
Attackers have different motives. In some cases, the motive “is more sinister than simply financial gain—they want to cause harm,” said Chapman. “In recent years, cybercriminals have increasingly targeted critical infrastructure, including public health facilities, with the aim of causing the maximum possible damage and disruption, including loss of life.”
What better place to do that kind of damage than at a water treatment plant like Oldsmar? It is possible, though, that the attempted hack was not intentional. The attack “was largely sensationalized,” said Jake Williams, co-founder and CTO at BreachQuest. “The threat actor likely did not knowingly target critical infrastructure and it’s doubtful they understood what access they had post-compromise.”
And while Gartner’s Voster characterizes Triton malware as a means to cause loss of life because the malware is capable of manipulating industrial control systems, Williams pointed out that “Triton was written and deployed by an extremely capable, state-backed threat actor” that “would be unlikely to use that capability except in a time of war lest the usage bring on war.”
Instead, Triton should be viewed as “a prepositioned weapons system to be used only in dire circumstances, much like the U.S. strategic prepositioning of armed forces in Europe,” he said.
“The discussion of Triton as an example similar to Oldsmar is disingenuous to the average reader. Triton required millions of dollars in development and operational expertise to develop and deploy,” Williams said. “Oldsmar required someone to download a free trial of some software and search Google to find credentials exposed to the Internet. These are hardly the same.”
But that doesn’t mean the threat should be dismissed. “There is little doubt that cyberattacks can cause significant physical damage and in some cases even death,” he said. And the Oldsmar hack “does highlight that intent is not a reliable predictor of impact,” he added.
“While it is certainly prudent to consider the possibility of these events and plan policies to deal with them, the vast majority of cyberattacks likely won’t have these dire impacts,” said Williams.
“A foundational consideration in these matters is defining exactly when a given cyberattack moves from being a purely criminal matter to a national security threat,” he said. “If cyberattacks, especially those perpetrated across international boundaries, regularly cause bodily harm and/or loss of life, they will obviously receive treatment as a threat to national security.”
In the face of such attacks, the U.S. government is upping the game. The government has proposed “new legislation that would require critical infrastructure owners to report attacks to CISA to enable the government to gain a better understanding of the threat,” said Chapman. “This is an important step, but it’s also up to organizations themselves to ensure they have the right technology and security protocols in place to defend themselves.”