Cyberattacks Wreaking Physical Disruption on the Rise

At least 68 cyberattacks last year caused physical consequences to operational technology (OT) networks at more than 500 sites worldwide — in some cases causing $10 million to $100 million in damages.

Unsurprisingly, these weren't Stuxnet-like events, but the opposite.

According to a new report from industrial control system (ICS) vendor Waterfall Security Solutions, which studied real-world cyberattacks on OT organizations, most of the hackers known to be targeting the OT sector these days are hacktivists. And the majority of disruptions are not caused by such direct manipulation of OT systems but are downstream consequences of IT-based attacks, most often involving ransomware.

That doesn't mean, though, that the impacts are any less severe. Incidents involving Johnson Controls and Clorox last year ended up costing those companies around $27 million and $49 million, respectively. One cyberattack that led to the temporary suspension of operations at MKS Instruments in Massachusetts cost $200 million, and one of its suppliers — California-based Applied Materials Inc. — reported losing another $250 million as a result.

The number of attacks with physical consequences increased by nearly 20% last year, according to the report.

IT Attacks With OT Consequences

In the past decade and a half, only around a quarter of cyberattacks with OT consequences were caused by actually hitting the OT network, according to the report Waterfall published in collaboration with OT incident threat database ICS STRIVE.

"A large fraction of attacks that caused OT consequences did so by compromising machines in the IT network exclusively," explains Andrew Ginter, vice president of industrial security for Waterfall, and a co-author of the report. "OT was often shut down in 'an abundance of caution' because the business was not willing to keep running powerful, dangerous physical processes with compromise only one or two network hops away."

After its attack last March, for example, the German manufacturer Hahn Group GmbH switched off all of its systems as a safety precaution. A full, clean restoration of its systems took weeks thereafter. A number of other manufacturers last year followed that same playbook, even when safety wasn't at risk, in order to contain damage to further systems, sites, and customers.

"OT was also often shut down because physical operations needed facilities on IT networks that ransomware had crippled — e.g., container-tracking systems for shipping or passenger signage for large rail stations," Ginter points out.

One prime case occurred last January, when UK Royal Mail printers were disabled and hijacked to print LockBit ransom notes. Mail export services were briefly suspended nationwide, in an event that ended up costing £42 million.

"These dependencies are something many OT practitioners do not think about," Ginter explains. An IT network compromise can also affect physical operations, even if an OT network is secured, if the OT process rely on processes in the IT network.

Cyber Threat to Water Treatment

More than half of publicly reported cyberattacks with OT consequences in 2023 affected the manufacturing sector. But if there's one sector to worry about more than the rest it's, arguably, water.

Late last November, around 180 households in the Irish villages of Binghamstown and Drum lost water for two days, thanks to a loss of water pressure at a local pumping station. The cause was a cyberattack likely carried out by Iran's Cyber Av3ngers, part of a wider campaign targeting Unitronics pump controllers.

Though such stories are still rare, water facilities combine a dangerous mix of low difficulty and high impact for hackers.

"In the USA, the vast majority of the more than 20,000 drinking water treatment utilities are tiny. Minute. The vast majority of the more than 200,000 wastewater treatment systems — same thing. And realistically, with whatever budget these utilities have, almost all of it goes to people with trucks and backhoes digging holes in the ground," Ginter explains. "Couple that with continued pressure to automate those water systems to reduce costs — a lot of these systems are regulated [because they're local monopolies], and every regulator wants to reduce costs and reduce rates, so there is constant pressure to automate. All modern automation involves computers, meaning more targets for cyberattacks."

These systems have no security budget, so with the increased threat of hacktivist attacks and pressure to automate their operations, they are in peril, he notes, creating "a growing problem for all of the small communities in the nation."