The Time to Focus on Critical Infrastructure Security is Now

The Software That Controls our Infrastructure is Vulnerable to Attack

The world has once again been reminded that the threat of cyber attacks on critical infrastructure systems remains very real. Last month, Britain’s defense secretary, Gavin Williamson, iterated that Russia held the potential for wide disruption and “thousands of deaths” through such attacks. His announcement was the latest indication of increased chatter regarding attacks on critical infrastructure, such as power grids and other systems, by Russia and other nation-states.

Unfortunately, it appears that the general populace either wishes to ignore the warnings or has bought into the sanitized, nonthreatening version of such attacks found in Hollywood.

Is the world becoming desensitized to cyber attacks?

Television has shown us examples of our own government using nonkinetic warfare, shutting down power in specific regions to demonstrate our strength and resolve. On screen, elected officials stare grimly at satellite images as large areas glowing from electric light slowly grow dark.

This is not a new idea. I grew up with war and espionage movies that always included a “cut the power” part of the mission. That is because disruption of infrastructure is a key element of sound military strategy. Except in these movies, someone had to physically disrupt the power—someone had to be on-site. What is new is the ability to cut the power from a safe distance with the stroke of a key or the click of a mouse. No bombs, no missiles, no exotic kinetic devices.

Hollywood has painted an image of infrastructure attacks that are bothersome but ultimately benign. In these simulated, dramatized attacks, a security breach functions as a remote on/off switch. Turn the switch back to “on,” and all is restored to how it was before the attack. We are inconvenienced for sure, but there are no lasting effects. While this is certainly a possibility in the real world, there also exists the possibility for long-lasting damage to the infrastructure.

Let’s step away from Hollywood for a moment and consider a real-life scenario of a far less benign attack.

What does a real infrastructure attack look like?

In 2009, the Sayano-Shushenskaya hydroelectric plant, near Sayanogorsk in Khakassia, Russia, was destroyed, providing a taste of what an infrastructure attack could accomplish. To be clear, this disaster was not caused by a cyber attack, but given that the root cause was traced to a software failure, it provides insight into the havoc such an attack could cause. There was a human cost as well, as 75 people perished in the event.

On the morning of Aug. 17, the 900-plus-ton rotor of the number 2 turbine of Sayano-Shushenskaya tore from its moorings and rose into the main turbine room. The combined force of that much metal spinning at a high rate and the torrent of water that followed ripped through the ceiling of the turbine room and cut a wide path of destruction. Pictures taken after the accident show what looks like the effects of a bomb blast.

[Image: Sayano-Shushenskaya blast damage]

The failure of the plant cut power to a large geographic region, and the inhabitants were affected for years while the plant was repaired. This was no momentary shutdown of power for dramatic effect—this was a real, long-term interruption in infrastructure.

Turbine 2 had a long history of vibration issues, and special regulating software had been employed to help regulate the problems. An investigation into the disaster showed that this software was not properly functioning at the time of the event. The failure of the regulating software and accumulated metal fatigue eventually combined to create the chain of events that crippled the facility.

Initially, there was concern that the software failure may have come at the hands of an outside agent, but ultimately it was traced to a series of communication issues across multiple plants.

The fact that this event was not caused by an outside agent does not blunt the lesson to be taken away: A strategically placed cyber attack could create long-term disruption to critical infrastructure by infiltrating key command and control software.

Is the software controlling our critical infrastructure really that vulnerable?

Need more proof that cyber attacks are not artificially constrained to being remote kill switches? Remember Stuxnet, the famous attack on the Iranian nuclear program? The attack targeted programmable logic controllers on the centrifuges being used to process nuclear material. By infiltrating these controllers, the attackers were able to force the centrifuges to spin beyond their operating limits, causing vibrations (where have I heard that word before?) that would ultimately tear the devices apart. It is believed that over 1,000 centrifuges were destroyed in the attack.

We now know that someone can infiltrate a car and turn off critical systems, such as the brakes. It is not a leap to believe that the same thing could happen to an element of our critical infrastructure. It is also not a reach to see that infiltration of strategic systems and software could create consequences that go beyond a temporary blackout.

It is time to take the security of our critical infrastructure seriously. The software that controls our infrastructure is vulnerable to attack, and the potential results are far more destructive and pervasive than even science fiction would have us believe.
