As we wrote about last month, cyberattacks are getting both more complex as well as destructive. For so many people, this has only meant credit card companies sending you replacement cards from time to time, or possibly Equifax offering you free credit monitoring for a year after allowing a massive data breach, or an inkling that your social security number might be on the dark web (newsflash, it probably is). But what happens when the attacks go ever further beyond the digital or financial to the physical? Infrastructure hacking is a real and growing threat in this country, and it could remake the digital security apparatus for years to come.

From the digital to the physical

Penetrating a digital database or system is no longer national news in and of itself — it’s far too common to cause that much commotion unless the stakes are really, really high. It matters very much for the entities affected, obviously, but it’s all too common in today’s day and age. And as Russian-linked groups have honed their hacking chops targeting regional rivals Ukraine (and others), the top notch hackers are moving beyond digital and financial intrusions to actual physical, infrastructure-grade attacks.

Infrastructure hacking is real, and it’s only going to get more prevalent from here.

The first widely recognized example of this was actually the U.S.’s doing (a combo-effort by the NSA & CIA, along with Israeli, too) and went by the name Stuxnet:

Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.

The U.S. and Israeli infected Iranian uranium centrifuges with the digital virus; this caused those centrifuges to fail. But now, other foreign powers have taken notes on the precedent and gone about building their own versions of physically destructive computer code.

Where are we feeling infrastructure hacking now?

According to a November piece in the New York Times, the answer might be our water systems: “America’s water supply is increasingly digitized, and increasingly vulnerable” the subtitle read.

The lead paragraph painted the situation at a North Carolina plant in pretty dire terms:

When hackers went after the Onslow Water and Sewer Authority last month, it was the second cyberattack on a North Carolina utility within a year. The hackers, who timed this attack for the aftermath of Hurricane Florence, caused “a catastrophic loss” by encrypting databases and locking out employees. Rather than pay a ransom to the hackers, the utility is rebuilding its information technology systems from scratch.

It makes sense why aging systems and their system directors would want to automate and improve processes in things as crucial and costly as water treatment and delivery. But, as is true with any system, the more it’s digitized, the more vulnerable it becomes.

What can we do, and what does it all mean?

So what? Hackers attack physical infrastructure all the time — what am I supposed to do about it? This is an understandable mindset to find oneself in given how pervasive and seemingly uncontrollable digital bad actors have become. But it’s also the type of mindset that exposes systems, companies, and industries to the ravages of hostile hacking. Diligent companies absolutely can protect themselves from these types of physical attacks (and the digital ones too). For a lot of folks, this will come by hiring a managed service provider like us. For others, it will require building an in-house cyber defense team (that breakdown usually depending on firm size and available resources).

You have to be thinking in terms of cyber defense at all times of day and night now — the cost of failure is simply too high and the ubiquity of the threat is undeniable. The authors of the NY Times piece did lay out a few prescriptions for the utilities to follow, and I think they’re instructive to end on:

Many water utilities still need to adopt “defense in depth” approaches that create multiple layers of security, instead of relying on passive defenses like antivirus software, email filters and firewalls. The post-air-gap environment requires constant scanning for anomalous network activity as well as rigorous patch management and security upgrades. Utilities need to segregate their consumer and industrial control networks as much as possible and develop contingency plans for operating water systems without computers.

Not every computer will need to be quite so ‘hard core’ about air gapping all their critical systems, but it’s a conversation you definitely need to be thinking about. And if you’re not quite sure where to start, give us a call!