The changing face of cyberattacks on OT environments

By Rochelle Fleming, COO of Sapien Cyber

Cybersecurity awareness has largely Increased In recent times, yet the primary focus has been around IT. While IT is still a big target for cybercriminals, what's more worrying Is the large Increase In attacks on operational technology (OT) environments.

Attacks on OT environments can affect far more than Information theft, they have the power to cause damage not just to organizations but to society and even human life.

Attacks on OT have evolved from immediate process disruption such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm. In fact, according to future predictions from Gartner, by 2025 cyber criminals could have weaponized OT environments to successfully harm or kill humans.

Unclear intentions and future possibilities

What’s most worrying is that we only know about attacks where the cybercriminals have been caught. Let’s take the recent Colonial Pipeline attack, for example. If the cybercriminal wanted to get kudos as a nation state or extort the maximum amount of money possible, they would get deeper and deeper into an organization, sit there, and wait. If this is true, the cybercriminals behind the Colonial Pipeline attack did not intend to make their attacks visible.

Take a city’s critical infrastructure. This will include water utilities, electricity, telecommunications, hospitals and all the other organizations that make up a city’s most important operations. To create the most dramatic and devastating effect on a city or even an entire country, cybercriminals will create a coordinated targeted attack that affects all these systems at once.

Exploiting the human element

One area where IT and OT cybersecurity run parallel is how vulnerabilities are commonly caused through human error. Most OT environments involve some element of human input.

If we consider the recent Florida Water attack, the way the attackers infiltrated the system was through an application called TeamViewer. An employee used the software during the pandemic to reduce the amount of time spent on site, allowing them to log in to the computer remotely to fix issues.

This was clearly an innocent move, but by connecting the OT to such a system (and only using one password to access it), they unknowingly opened the Florida Water supply to cybercriminals.

Instead of adding 100 parts per million of a chemical, the attacker simply added a one at the front, turning the drinking water for the entire state into poison. By some small miracle, an employee spotted the error before it was too late. But this goes to show how potentially deathly OT attacks can be.

The cold reality of ransomware

It’s not just the potential damage of OT attacks that should worry us. OT attacks are life threatening and have caused fatalities. It’s happening now.

Hospitals are a key target for attackers. One hospital in Alabama experienced a ransomware attack during the birth of a child, taking all equipment offline. There was a slight complication in the birth, and as the doctors didn’t have the equipment at their disposal, the baby unfortunately died.

The devastating, life-threatening impact of these attacks is only set to grow and our ability to catch the criminals behind them is also becoming more and more difficult. They’re occurring in their own homes, writing lines of code entirely remotely, without taking a step in the building, city or even country where the attack is occurring.

A disquieting simulation of the future of attacks

The ability to attack a country’s infrastructure entirely remotely opens new, horrifying possibilities, recreating physical attacks through the digital space.

A disturbing example of this is 9/11. The only difference here is that the cybercriminal has the power to recreate it at a far greater scale and from an entirely different country, i.e., no geographical boundary. In fact, this was a key concern for many Manhattan-based companies and building operators in September 2021, the 20^th anniversary of the attack on the Twin Towers.

To paint a vivid picture of how this would be possible, imagine a 40-storey office block (commonplace in New York). Automation runs throughout, and workers need a key card to enter. There are fire exits and fire alarms, a sprinkler system, lighting, HVAC controls and other general equipment used to run an office block, all controlled in the basement of the building through an automation system.

If a cybercriminal was able to access that system, if they issue the correct commands, they have control over all of these technologies. In isolation, this doesn’t seem like much.

But imagine if the cybercriminal fail safe shut all of the doors, switched all of the lights off, turned up the HVAC system to the hottest it could possibly get, turned the sprinkler system on and switched the fire alarm on. You have thousands and thousands of people locked in an unescapable 40-storey office block. It’s dark, hot, humid, and loud. Equipment is sparking. It’s clear to see how this would create confusion, panic, and mass hysteria on every floor, potentially bringing the building down, and all through the internet.

We’ve reached a point where almost anything can be done in the cyber world now. For advanced cybercriminals, their imagination is their only limit.

The need for awareness

Recent events such as the Colonial Pipeline ransomware attack have highlighted the need to have properly segmented networks for IT and OT environments. While it’s great that danger to IT environments is being recognized and mitigated, much more needs to be done to protect OT environments before something serious or deadly occurs. 

Follow