When examining major disaster events, it is interesting to look at a specific subset of events which are directly or indirectly caused by natural catastrophes such as fires, floods, earthquakes, tsunamis, etc. These initial natural catastrophes can often lead to a chain reaction causing devastating industrial accidents whose damages may eclipse the initial inciting event several times over. The Fukushima nuclear meltdown, the BP Gulf of Mexico oil spill, and the recent Suez Canal obstruction are great examples of unexpected natural events leading to significant industrial or commercial incidents with disastrous impacts.
But what if natural disaster occurrences were not the only things that could lead to these kinds of accidents? What if these very accidents were not accidents at all, but rather deliberate acts of cyber-sabotage inflicted by malicious actors?
Cyber attacks cannot perfectly replicate the inciting natural events that set off the chain reaction leading to these accidents, but they can still trigger the accidents themselves independently. In this scenario, it is easy to imagine that the consequences might be even more catastrophic than those caused by the real-life natural events.
In order to illustrate this hypothetical, it is helpful to examine the three major catastrophes mentioned earlier as all three can be imagined in a SCADA cyber attack scenario: Fukushima, the BP oil spill, and the Suez Canal obstruction.
Supervisory control and data acquisition (SCADA) systems are used across manufacturing and other industries. A SCADA system performs a supervisory role over a variety of other devices, for example flow and temperature sensors, control valves, and programmable logic controllers (PLCs control manufacturing processes such as assembly lines, machines, robotic devices, or any activity that requires high reliability).(1) A cyber attack on these systems and their associated networks can cause severe damage to manufacturing, construction, transportation and other industrial processes.
In March of 2011, Japan was hit by a massive earthquake of magnitude 9.0 (Mw), followed by a tsunami about an hour later. These natural events struck the Fukushima nuclear power plant in Ōkuma, Fukushima Prefecture. Upon detection of the earthquake, the plant's active reactors automatically shut down their normal power-generating reactions, which cut off the reactors' own electricity supply and caused the emergency diesel generators to start automatically. These generators were required to power the pumps that circulated coolant through the reactor cores, but they were flooded by the tsunami that hit the plant an hour later and shut down as well. The loss of reactor core cooling led to three nuclear meltdowns, three hydrogen explosions, and the release of radioactive contamination in the area. This was a major environmental catastrophe with reported losses estimated at $500-$600 billion.
A sophisticated cyber attack would be capable of causing all of the same events: disrupting power, disabling emergency generators, and cutting off the power supply to the pumps. These actions would lead to a nuclear meltdown in exactly the same way the natural disaster did. Realistically, however, a cyber attack of this scale and complexity would most likely be carried out by a state actor, which would probably not seek to cause a full nuclear meltdown and the subsequent environmental disaster. A cyber attack in this case would more likely attempt to cause a power outage, and possibly slight changes in the speed, pressure or temperature reported by several measurement instruments, in order to shut the plant down temporarily and disrupt its activity without destroying it completely.
Nuclear plant SCADA attacks are not unprecedented. One good example is the 2010 Stuxnet worm attack on Iranian nuclear facilities, where the malware forced the uranium centrifuges to change speeds while displaying false readouts. The worm exploited zero-day vulnerabilities in Microsoft Windows and specifically targeted programmable logic controllers (PLCs), the industrial electromechanical automation components used to control machinery in plants(2). It appears that the purpose of this malware was indeed disruption and not destruction, but the vulnerabilities, methodology, and level of control achieved over the SCADA systems could quite easily have been used to cause a nuclear disaster if that had been the desired outcome. Another event of a similar technical nature occurred in 2014, when a German steel mill was attacked by an actor that gained access to the mill's internal network using social engineering techniques, damaged individual control components and caused the furnaces to shut down, resulting in massive physical damage to the plant.
In April of 2010, a high-pressure methane gas pocket was breached by the Deepwater Horizon oil rig crew in the Gulf of Mexico. The gas expanded into the marine riser and rose into the drilling rig, where it ignited and exploded, engulfing the platform and sinking it. The explosion and sinking of the rig caused a major leak of hundreds of millions of gallons of oil into the ocean, covering over 2000 kilometers in oil(3). This event caused tremendous damage to the marine environment and ecosystem for years to come, with losses estimated at $60 billion(4).
Once again, all of the failures above could have been deliberately caused by an attack on the SCADA systems on board the oil rig. Further, an attacker that had infiltrated the workstations and hijacked the valve, monitoring and alarm systems could have prevented the offshore team from detecting and reacting in time to the rising pressure that led to the explosion and the leak, leading to an even greater fallout from the disaster.
Critical infrastructure is always at risk of attack, and because of the complexity of the networks and SCADA systems involved, the usual suspects in such attacks are state actors. An early example of a cyber attack on the industry is the 1999 Gazprom attack, where a trojan horse installed in the company's pipeline network damaged the ability to control the gas flow. A more recent example is the Kemuri water company attack in 2016, where attackers were able to manipulate the chemical control systems and alter the water treatment process by changing the level of added chemicals.
In March of 2021, a container ship travelling from Malaysia to the Netherlands lost its steering ability due to strong winds from a sandstorm, rotated and hit the wall of the Suez Canal in Egypt, unable to move. The stuck ship obstructed the passage and blocked the way of other ships travelling through the canal for 6 days, resulting in global disruption to shipping lines and to private and military transport vessels. This led to significant commercial and other losses estimated roughly at $54 billion, as well as stunting global annual trade growth by nearly 0.5%(5)(6).
A similar obstruction could easily have been caused by a cyber attacker infiltrating a ship's guidance and navigation systems and taking control of them, steering the ship into the banks of the canal or causing a total loss of steering. Alternatively, an attacker that had successfully compromised these systems could simply feed them false geographic information, potentially leading the crew to mistakenly steer the ship into shallow waters or other hazardous conditions. Over the last decade, marine vessels have become increasingly automated and have incorporated more OT systems. Combined with the global growth of the shipping industry and the rise in shipped goods, this makes maritime assets more vulnerable to cyber attacks, and they may become a new key target for cyber criminals and state actors alike.
The presented cyber scenarios could potentially lead to similar levels of environmental and economic damage as their real-life equivalents. Moreover, since in this case we are discussing the infiltration and manipulation of SCADA and other industrial computer systems, these attacks could be replicated and launched simultaneously (or within a short period of time) against a number of targets in disparate geographical locations. Instead of the Deepwater Horizon spill, we might be facing simultaneous explosions on all four BP oil rigs in the Gulf of Mexico, and possibly on additional ones across the world, under the assumption that they run the same software and technological infrastructure and are susceptible to the same vulnerabilities. In the same way, instead of a single ship blocking the Suez Canal for six days, we might be looking at continuous targeting of passing ships in order to obstruct the Canal for longer periods of time, several times a year.
We often look at cyber events as somewhat contained attacks. Even large-scale ransomware campaigns such as WannaCry, NotPetya and others, which affected many companies around the world, are seen as singular problems to be dealt with, because the cyber domain is mostly viewed as a dimension that exists in parallel to the physical world and revolves mostly around data and communication. But given the growing dependency in recent years on "smart" devices controlling mechanical processes, the physical and cyber worlds are no longer detached, and we expect to see an increase in cyber events that cause physical material damage. Cyber attacks that cause property damage (PD) could potentially be modeled like any other cyber attack. Such an assessment would rely on mapping the frequency of attacks, the hazard and exposure of the vulnerable companies, and the severity of the attacks, in order to estimate the potential financial losses and the cost of property damage.
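The two closing points, that a shared software platform lets one attack hit many targets at once, and that physical-damage cyber events can be modeled from frequency, exposure and severity, can be made concrete with a small loss model. The following is an added example written for this page, not code or data from the article: it computes the classic annualized loss expectancy (frequency x exposure x severity) for a constructed portfolio of four rigs, then enumerates the exact annual loss distribution under two assumptions, independent compromises versus one exploit that hits every asset on the same platform. The portfolio, the 1% attack probability, the $15 billion exposure per rig and the total-loss severity are all constructed assumptions; the names `Asset`, `loss_distribution_independent` and `loss_distribution_shared` are hypothetical and not an existing library.

```python
"""Toy annual-loss model for cyber-physical (property damage) events.

Added example; not from the article. Every number below is a constructed
assumption for illustration (attack probability, exposure, severity), not
empirical data or a reported loss figure.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    exposure_usd: float   # value destroyed if the asset is lost
    platform: str         # control-system software family the asset runs


def annual_loss_expectancy(assets, p_attack, severity):
    """Classic ALE: frequency x exposure x severity, summed over assets."""
    return sum(p_attack * a.exposure_usd * severity for a in assets)


def _add(dist, loss, prob):
    dist[loss] = dist.get(loss, 0.0) + prob


def loss_distribution_independent(assets, p_attack, severity):
    """Each asset is hit independently with probability p_attack in a year.

    Returns {annual_loss: probability}, enumerating all 2^n outcomes so the
    result is exact rather than sampled.
    """
    dist = {}
    for outcome in product((0, 1), repeat=len(assets)):
        prob = 1.0
        loss = 0.0
        for hit, asset in zip(outcome, assets):
            prob *= p_attack if hit else 1.0 - p_attack
            if hit:
                loss += asset.exposure_usd * severity
        _add(dist, loss, prob)
    return dist


def loss_distribution_shared(assets, p_attack, severity):
    """One working exploit against a platform hits every asset running it.

    Platforms are compromised independently with probability p_attack; this
    models the 'same software, same vulnerability' case from the text.
    """
    platforms = sorted({a.platform for a in assets})
    dist = {}
    for outcome in product((0, 1), repeat=len(platforms)):
        prob = 1.0
        for hit in outcome:
            prob *= p_attack if hit else 1.0 - p_attack
        hit_platforms = {pl for hit, pl in zip(outcome, platforms) if hit}
        loss = sum(a.exposure_usd * severity
                   for a in assets if a.platform in hit_platforms)
        _add(dist, loss, prob)
    return dist


def expected_loss(dist):
    return sum(loss * prob for loss, prob in dist.items())


def tail_probability(dist, threshold):
    """Probability that a single year's loss reaches the threshold."""
    return sum(prob for loss, prob in dist.items() if loss >= threshold)


# Constructed portfolio: four rigs in one region, all on one vendor platform.
RIGS_SAME_PLATFORM = tuple(
    Asset(f"rig-{i}", exposure_usd=15e9, platform="vendor-x") for i in range(4)
)
P_ATTACK = 0.01    # assumed yearly probability of a successful attack
SEVERITY = 1.0     # assumed fraction of exposure lost per event (total loss)


if __name__ == "__main__":
    ind = loss_distribution_independent(RIGS_SAME_PLATFORM, P_ATTACK, SEVERITY)
    shared = loss_distribution_shared(RIGS_SAME_PLATFORM, P_ATTACK, SEVERITY)
    total = sum(a.exposure_usd for a in RIGS_SAME_PLATFORM)
    print(f"ALE formula: {annual_loss_expectancy(RIGS_SAME_PLATFORM, P_ATTACK, SEVERITY):.3e}")
    print(f"Expected loss, independent: {expected_loss(ind):.3e}, shared: {expected_loss(shared):.3e}")
    print(f"P(all four rigs lost in one year), independent: {tail_probability(ind, total):.2e}")
    print(f"P(all four rigs lost in one year), shared platform: {tail_probability(shared, total):.2e}")
```

The point the numbers make is that both models give the same annualized loss expectancy, so an ALE figure alone hides the difference; what changes is the tail. With four rigs on one platform, the chance of losing all of them in the same year is the platform's own attack probability (1%), against one in a hundred million when the compromises are independent. Splitting the portfolio across two vendors sits in between, which is one argument for platform diversity as a mitigation.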