Hackers’ 'killware' could shut down banks, poison water supply


Hacks have been making headlines this year, including ransomware attacks that go after victims’ money. However, experts say cyberattacks could soon include “killware” aimed at taking lives.

Homeland Security Secretary Alejandro Mayorkas told USA Today that an attempted cyberattack on a water treatment facility in Oldsmar, Fla. earlier this year could have been one of those incidents. He explained that this attack wasn’t aimed at getting hackers a payout – it was only meant to cause harm by distributing contaminated water to residents.

“The attempted hack of this water treatment facility in February 2021 demonstrated the grave risks that malicious cyber activity pose to public health and safety,” Mayorkas said. “The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us.”

Homeland Security officials would not comment on who might have been behind the Florida attack, including whether it was linked to a foreign power, according to USA Today.

Because the attack came amid a flood of other high-profile cyberattacks, such as the SolarWinds intrusion of U.S. government agencies and the Microsoft hack, many people may not have heard of it.

Mayorkas and other cybersecurity experts say the Oldsmar hack was just one of many signs that “killware” may target other critical parts of the nation’s infrastructure. It could impact banks, law enforcement agencies, hospitals and transportation in addition to water supplies.

Apart from government experts such as Mayorkas, private-sector computer security experts have also started sounding the alarm about potentially fatal physical cybersecurity threats, said USA Today.

With the rise of consumer-based products like smart thermostats and autonomous vehicles, Americans are more vulnerable than ever to cyber threats, said Wam Voster, senior research director at the security firm Gartner Inc. In a July 21 report, Gartner said “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans,” by 2025.

“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” said the firm in an article.

Even before the incident in Oldsmar there were hacks that could have led to deaths or physical harm.

“U.S. cybersecurity officials have long known that water facilities and other critical infrastructure have been vulnerable for many, many years,” a senior Department of Homeland Security official said, according to USA Today.

For example, an Iranian hacktivist group claimed responsibility in 2015 for a cyberattack two years earlier that gave it access to the control system for a dam in the suburbs of New York in order to change water treatment chemical mixtures to unsafe levels. Facility staff thwarted the event.

According to a Justice Department criminal indictment, seven hackers penetrated the dam’s computer-guided controls on behalf of Iran’s military-affiliated Revolutionary Guards Corps. It was part of a broader attack against 46 large U.S. financial institutions.

Iran, Russia and China have all penetrated key elements of U.S. critical infrastructure, but rarely act, USA Today said.

Another example of potentially fatal malware, according to Voster, was the Triton malware, which was designed to disable safety systems and was identified in late 2017 in the operations technology of a petrochemical facility.

“If the malware had been effective, then loss of life was highly likely,” said Voster. Malware has now entered the realm of “killware,” he added.

Looking forward, U.S. officials are especially concerned about the rash of ransomware attacks on hospitals, said USA Today. Already, attacks have forced patients to cancel or defer procedures, including critical surgeries. A nationwide cyberattack on Universal Health Services occurred in September 2020.

USA Today said authorities believe hospital attacks could be an even bigger problem than we now understand due to underreporting. Earlier this year, a woman sued a hospital in Alabama, alleging that its failure to disclose a cyberattack on its systems resulted in diminished care that caused her baby’s death.

Gartner estimated that the financial impact of cyber-physical security attacks resulting in fatal casualties will reach over $50 billion within a few years.
