Hackers could have opened the floodgates on a dam in New York in 2013, but the gates were offline for maintenance.
Another hacker was in the process of trying to poison the water supply in a Florida town in February when a worker noticed and stopped it.
Rather than risk a spill or other pipeline disaster after a ransomware attack last month, operators of an East Coast pipeline shut it down, leaving millions waiting in long fuel lines.
Such close calls ratchet up fears about how vulnerable the nation’s infrastructure is to cyberattacks. Experts said there are more to come and the attacks could be far more devastating than anything seen so far unless the United States girds its critical systems against a growing onslaught of digital intrusion.
That worst-case scenarios haven’t played out already, experts said, comes down to a combination of luck and the fact that hackers have focused on making quick money using relatively unsophisticated attacks.
The U.S. Department of Homeland Security identifies 16 “critical infrastructure sectors,” vital parts of everyday life, such as transportation and drinking water, at risk of disruptions that would hurt the nation’s security, health or safety. Last week, President Joe Biden handed a list of the sectors to Russian President Vladimir Putin and told him they’re off limits for cyberattacks.
Think of all the automated systems that people rely on every day, said Paul Rosenzweig, who formerly worked on cybersecurity policy for Homeland Security: “Traffic lights for our cars, natural gas for our houses, water for our homes, clean water and sewage, electricity to power our houses, our metro rail systems that many of us use.”
16 Critical Infrastructure Sectors
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
Financial Services
Food and Agriculture
Government Facilities
Healthcare and Public Health
Information Technology
Nuclear Reactors, Materials, and Waste
Transportation Systems
Water and Wastewater Systems
All of those systems can be hacked, he said.
Therein lie the worst-case scenarios, said Tatyana Bolton, a former Homeland Security official who led development of strategies for strengthening U.S. cybersecurity.
“If any of (these industries) are attacked and taken offline, it would create massive repercussions across the United States,” she said.
Despite repeated warnings, she said, cybersecurity in these critical sectors hasn’t improved much.
“You can look back at videos and events and papers from 10 years ago,” Bolton said. “And the arguments that we were making then are the arguments we're trying to make now, which shows you how little focus we've gotten from Congress and support from the administration in terms of resources and funding and people.”
That might change after hacks at Colonial Pipeline and meatpacker JBS Foods.
Deputy Attorney General Lisa Monaco issued a plea to the nation’s CEOs this month to batten down the digital hatches against devastating ransomware attacks.
“You’ve got to be on notice of the exponential increase of these attacks,” Monaco told them.
Experts said the scariest scenarios involve a hacker either purposefully or inadvertently changing the operations of an industrial control system, such as that for a pipeline, a dam or a water works.
Such an intrusion could lead to prolonged outages, destroy infrastructure and even kill.
When Iranian hackers broke into the computer system that controls the Bowman Avenue Dam in Rye Brook, New York, in 2013, they snooped on passwords and usernames but didn’t seize control of the computerized floodgates, which were disconnected for maintenance.
They proved they could sneak into critical infrastructure systems – and that if they wanted to hijack any one of hundreds of flood control systems in the USA, sending potentially fatal floods toward downriver cities, or wipe out hydroelectric power and water supplies to millions, they could do it.
Sen. Chuck Schumer, D-N.Y., called it a wake-up call in 2015 when revelations about the breach became public. The nation's critical infrastructure is vulnerable to criminals and needs to be strengthened, he said.
"This cyberattack surely serves as a bucket of ice water to the face,” Schumer said.
But it didn’t.
Six years later, cybersecurity experts are still warning of the same potential worst-case scenarios and real-world attacks are proving them right with increasing frequency.
Colonial shut down its pipeline out of an abundance of caution. Hackers locked up the company’s corporate computer system – possibly affecting email, billing and payroll. The criminals did not access the computer system that controls the flow of fuel through more than 5,000 miles of pipeline, but the company was worried that system might not be completely separate, experts said.
"Imagine loss of control of the pipeline itself and what could have resulted,” said Mark Ostrowski, head of engineering for the East Coast at Check Point Software Technologies.
Here are six more scenarios experts outlined:
An intrusion into the Oldsmar, Florida, water system in February highlighted vulnerabilities in the water treatment industry.
A hacker broke in through remote access software and briefly increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, can cause irritation, burns and other complications in too large quantities.
A supervisor noticed the tampering – he could see the intruder moving a cursor across the screen, changing settings – and intervened immediately to reverse it. The city said sensors and other safeguards would have caught the problem. Oldsmar, a city of 15,000 residents, is about 15 miles northwest of Tampa.
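The "sensors and other safeguards" the city refers to are, at the control-system level, bounds and rate checks on setpoint writes. The following is an added illustration, not code from Oldsmar, USA TODAY or any vendor: the tag name, engineering limits and change events are constructed, and the second event mirrors the 100 ppm to 11,100 ppm jump described above.

```python
"""Setpoint-change guard for a water-treatment HMI (added illustration)."""
from dataclasses import dataclass

# Constructed engineering limits for a lye (sodium hydroxide) dosing setpoint.
# Values are illustrative, not a real plant's configuration.
LIMITS = {"naoh_dose_ppm": {"lo": 0.0, "hi": 500.0, "max_step": 50.0}}


@dataclass
class Alert:
    tag: str
    reason: str
    old: float
    new: float


def check_setpoint_change(event, limits=LIMITS):
    """Return the alerts raised by one setpoint-change event.

    Two independent checks: the new value must sit inside the engineering
    band, and a single write must not jump by more than max_step. When either
    fires on a write made over a remote session, a third alert is added so an
    operator can tell remote tampering from a local keying error.
    """
    tag = event["tag"]
    if tag not in limits:
        return [Alert(tag, "unknown tag", event["old"], event["new"])]
    lim, alerts = limits[tag], []
    if not lim["lo"] <= event["new"] <= lim["hi"]:
        alerts.append(Alert(tag, "outside engineering band", event["old"], event["new"]))
    if abs(event["new"] - event["old"]) > lim["max_step"]:
        alerts.append(Alert(tag, "step exceeds max_step", event["old"], event["new"]))
    if alerts and event.get("source") == "remote":
        alerts.append(Alert(tag, "anomalous write via remote session", event["old"], event["new"]))
    return alerts


def enforce(event, limits=LIMITS):
    """Hold the last good value when a write fails validation, else accept it."""
    return event["old"] if check_setpoint_change(event, limits) else event["new"]


# Constructed events: a routine local adjustment, then a remote write
# mirroring the 100 ppm -> 11,100 ppm change reported at Oldsmar.
SAMPLE_EVENTS = [
    {"tag": "naoh_dose_ppm", "old": 100.0, "new": 110.0, "source": "local"},
    {"tag": "naoh_dose_ppm", "old": 100.0, "new": 11100.0, "source": "remote"},
]


def scan(events, limits=LIMITS):
    return [a for e in events for a in check_setpoint_change(e, limits)]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.tag}: {a.reason} ({a.old} -> {a.new}); held at {enforce(SAMPLE_EVENTS[1])}")
```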
It wasn't the only recent water-related breach. In March, the Justice Department accused a former Kansas utility worker of remotely tampering with a public water system’s cleaning procedures. Last week, NBC News reported that a hacker in January tried to poison an unnamed water treatment plant serving parts of the San Francisco Bay Area.
“If you're a state actor or a highly integrated or networked group of hackers, Black Hat hackers, you can mess with the chlorine levels in your water or the arsenic levels in your water and poison the entire New York City water supply overnight,” Bolton said. “New York City wakes up, everyone has a glass of water in the morning or cooks something with water in the morning – and you poison millions of people.”
Claudia Rast, a ransomware lawyer who co-chairs the American Bar Association’s Cybersecurity Legal Task Force, said the electrical grid has long been an area of concern because of the horrible what-ifs involved in mass power outages.
“Look what happened to Texas, and that wasn't cyber,” she said. “That was just weather.”
Record cold temperatures in February froze components at power generation plants, leaving 5 million people without power and heat for days, resulting in more than 100 deaths.
Power grids have become popular targets for hackers outside the USA. The Russian government attacked Ukraine’s grid twice, the second time aiming to permanently destroy some of the country’s grid, said Brian Kime, senior analyst with cybersecurity research firm Forrester.
The attack in 2016 involved malware intended to deceive human operators into thinking that safeguards were working when they really weren't, he said. There were errors in the code that prevented the plan from working as intended, but the result could have been catastrophic for Ukraine.
The companies that make up the U.S. electric grid follow stricter cybersecurity guidelines than other industries because of regulations from the North American Electric Reliability Corp., or NERC. Because of this, experts said, the sector is less vulnerable to ransomware and other cyberattacks. Nuclear plants under the Nuclear Regulatory Commission also have a more robust regulatory framework to protect from cyber intrusion.
A cyberattack on the global positioning satellites that help guide aircraft, ships and other transportation could cause mayhem.
“Looking at things like GPS, you know how dependent we are on an accurate position,” Kime said. “If I manipulate GPS signals, somehow degrade them or disrupt them or actually manipulate them … I could have two aircraft or two ships appear to be farther apart, when in reality they are closer.”
Pilots have faced frightening situations when the GPS on their commercial aircraft was jammed, according to reports on NASA’s Aviation Safety Reporting System, where pilots share near misses and safety tips.
A pilot attempting to land at the El Paso, Texas, airport last year reported a loss of GPS signal during a military jamming test at the nearby White Sands Missile Range. After missing the approach on one runway because of changing weather conditions, he was forced to make a manual, visual landing on a runway in mountainous terrain.
He landed safely but is one of 11 pilots to report issues with GPS jamming near White Sands in recent years.
Including more than 2 million farms, 935,000 restaurants and 200,000 registered food production facilities, the food and agriculture sector makes up about a fifth of the nation’s economic activity, according to Homeland Security. It cuts across other sectors including water, transportation, energy and chemicals.
As Big Agriculture has computerized many of its production systems, the possibilities for digital mayhem are endless. Security professionals had worried about the potential impact of an attack on the country’s food supply long before the JBS hack, which led to a brief shutdown of nine of its beef plants, Rast said.
Just tampering with the computerized settings on a vast farm’s planting equipment could mean massive losses, Rast said.
“When you realize that come spring planting, the depths that you plant a seed is really critical to the ability of that seed to germinate,” Rast explained. “And if the software that is part of that planting season is adjusted or reconfigured so the seed is planted either too deep or not deep enough, you could have whole crops not even germinate and you lose that whole season.
“That could have some pretty catastrophic impacts.”
The immediate aftermath of the Sept. 11, 2001, terrorist attacks showed what a catastrophe in the nation’s financial system looks like. Experts fear that a ransomware attack against the same target could be far more cataclysmic.
When suicide hijackers crashed planes into both of the World Trade Center towers and knocked them down, they knocked some major Wall Street banks offline.
Bolton, the former senior DHS Cybersecurity and Infrastructure Security Agency official, said authorities realized in horror that the financial outages – which lasted for days – crippled many aspects of regional and even national commerce in ways they hadn’t anticipated.
“That's how some of this [infrastructure protection] work started way back after 9/11,” she said. “They realized very quickly that the financial sector is so critical because it processes absolutely everything.”
The attack disrupted a key banking function, largely unknown to the public: In nightly bulk transfers, banks send one another trillions of dollars to cover the thousands of individual transactions their clients make each day.
“Every minute the system was offline … they lost $6 billion,” according to some estimates, Bolton said. “It was insane. It was like they were counting hour by hour, trying to get those bulk payment systems back online, to make sure our economy was running. Because the minute that stops, it has untold domino effects throughout the economy and the country.”
Ransomware attacks on hospitals delay care as doctors switch from electronic records to old-school pen and paper and lose access to critical medical records stored in their systems.
Universal Health Services, one of the nation's largest health care providers with more than 25 hospitals and hundreds of other facilities, was hit in September, and some facilities had to turn away ambulances.
At least one death was attributed to a hospital ransomware attack in Germany last year when University Hospital Dusseldorf had to shut down its emergency room and divert patients.
One woman the hospital turned away was rushed to a hospital about 20 miles away, delaying her treatment by about an hour, according to European news reports. Authorities blamed her death on the delay.
Preventing a cyber catastrophe
Critical industries and infrastructure are vulnerable to these attacks because their computer systems, including those for industrial control functions, are increasingly connected to the internet. Every computer represents a possible entrance for a hacker to implant code that could change how machinery functions or how computers do their jobs.
It’s possible for hackers to steal information, lock down the system in a ransomware attack or to wrest control from a company.
The most secure computer systems limit this danger by following best practices such as air gapping, in which various computer systems are kept physically separate from each other – and the internet – so a breach is isolated to one system. Other best practices include encrypting sensitive data and requiring a secondary means to confirm users' identity when they log in with their password.
Companies in many critical industries are far behind on such safety measures.
The Transportation Security Administration announced rules for pipeline cybersecurity after the Colonial hack. Different agencies oversee other industries vulnerable to the same kind of attacks and have not adopted similar rules, experts told USA TODAY. If companies are unwilling to beef up their security, some experts said, it’s time for federal regulation.
“We do need to definitely look at where it's appropriate for governments to come in and force more basic security,” Kime said.
Forrester survey data shows industries forced to comply with more federal regulations have systems fortified to make them more difficult to breach. Kime cited the U.S. electric grid, regulated by NERC, and the financial sector, regulated by the Securities and Exchange Commission, as examples of “more mature” cybersecurity systems.
At best, industry has been reluctant to foot the bill for better security. At worst, it has resisted attempts to regulate, the experts said.
“You could hear from industry, ‘Yeah, we would do more, but then you have to pay more for gasoline or pay more for hamburger patties or something else.’ And no one wants to hear that answer,” said Joe Slowik, senior manager with IT security company Gigamon who has worked with the Departments of Energy and Defense.
Corporations, including those in critical infrastructure industries, have never been required to even report ransomware or other hacking incidents to the federal government.
After the attack on Colonial, President Joe Biden ordered all companies that contract with the federal government to report breaches to the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security.
A 2020 bill would require that all U.S. companies report breaches to CISA.
Since the Colonial attack, Congress has not passed any laws on cybersecurity.
Top national security officials warned the Senate in 2012 that the country’s crucial infrastructure was highly vulnerable to a major cyberattack. They urged Congress to pass a White House-backed cybersecurity bill that would have better regulated privately owned companies such as pipelines.
The U.S. Chamber of Commerce and other business groups lobbied hard against the effort to regulate.
The bill, which included information-sharing provisions, failed to overcome a Republican filibuster and died.
Bolton said legislation on this issue is rare because Congress isn't focused on it and critical infrastructure industries are focused laser-like on making sure Congress doesn't regulate it.
“It’s a little of both,” she said.
She said few members of Congress know anything about cybersecurity.
“I mean, you can name them, literally name them, on two hands,” Bolton said. “But I think the time has come that some smart targeted regulation is absolutely necessary.”
This article originally appeared on USA TODAY: Colonial Pipeline, JBS ransomware attacks raise cybersecurity fears