Remember Stuxnet?

In 2010, an ambitious covert operation was discovered and exposed: in Iran, a computer virus was causing hardware used to enrich uranium gas to fail. This was wreaking havoc on Iran’s nuclear program. Built as a joint American-Israeli operation, the virus succeeded at destroying one-fifth of Iran’s nuclear centrifuges by making them spin out of control.

The virus was called Stuxnet, and it was declared “the most menacing malware in history.” It was so menacing because it was unlike any virus or worm seen before. It went beyond the digital to have a real impact in the physical world.

As Kim Zetter, the author of a book on Stuxnet, said:

“Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.”

When it comes to cyberattacks and security, most people think about computer network security and data. They worry about identity theft or fraud. While these are real risks, cyberattacks are starting to reach into the physical world, too.

Stuxnet was the first example, but there have been others. Here are some of the ways cyberattacks have affected our physical world, and what experts warn hackers may target next.


From a Nuclear Centrifuge in Iran to a Steel Mill in Germany

This year, we learned Stuxnet was only one part of a much larger cyberattack plan to target Iran’s air defenses, communications systems, and power grid. Any physical infrastructure can be the target of a cyberattack.

In Germany, attackers targeted a steel mill. They infiltrated the mill’s business network by sending people working at the mill an email that appeared to come from a trusted source, in order to trick them into opening a malicious attachment or visiting a malicious website and downloading malware onto their computers.

From there, attackers were in the system and able to work their way through the company’s networks, compromising numerous systems. The result? Attackers disrupted the mill’s control systems so that mill employees could not shut down the blast furnace, causing significant damage.

According to the German report on the incident, the attackers knew what they were doing. “The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report said.

It’s scary to imagine employees at a steel mill or a manufacturing plant losing control of their machinery and systems. It’s even scarier to imagine losing control of a power plant, air traffic control tower, water treatment facility, chemical facility or hospital. Such an attack could lead to incredible damage.

Yet experts warn it’s not farfetched to imagine attacks on these kinds of infrastructures. In fact, it’s already happening.


Targeting Dams, Power Grids and Cars

Bowman Avenue Dam is a small dam in New York state that was targeted by Iranian hackers. Its sluice gate, which controls the flow of water, is operated through a computer program that measures the water temperature and levels, and adjusts the flow accordingly. That computer program was penetrated by Iranian hackers.

Luckily, at the time of the intrusion, the sluice gate had been manually disconnected from the system, so it couldn’t be manipulated by the hacker. There was no damage in this case, but there could have been. Had the attackers been able to open the sluice gate, it could have led to a flood that would have affected nearly 200 homes.

Of course, the damage would be much worse if a dam like Hoover or Grand Coulee were attacked. Not only would the flooding have a devastating impact on homes and the environment, but such an attack would also significantly disrupt the hydroelectric power supply.

Utilities are attractive targets for attackers conducting cyberwar, both in the United States and in other countries. In 2008, the CIA confirmed a power outage in Louisiana had been the result of a cyberattack in New Orleans. In 2015, a malware attack on a power grid in Ukraine caused a blackout in more than 100 Ukrainian cities.

These attacks are sobering. A power outage or a malfunctioning dam is not merely an inconvenience or a nuisance; in many cases, it also threatens the physical safety of people.

This is one of the major vulnerabilities of the Internet of Things (IoT); anything that’s connected to the internet can, in theory, be hacked. The implications of this are serious.

For instance, many automobile companies are eagerly making their vehicles into computers on wheels. Uconnect is an internet-connected computer feature in hundreds of thousands of Chrysler vehicles that acts as a media hub, controls navigation, talks to Siri, and even offers a Wi-Fi hotspot.

Uconnect is convenient when you want to place a phone call without taking your eyes off the road. It’s less convenient when it enables a wireless carjacking.

Hackers have found ways to remotely kill a car’s engine, take over the dashboard controls, and engage or disable the brakes. Not a fun experience, even if you’re expecting it, as a WIRED reporter discovered when he agreed to have two hackers take control of his Jeep while he was driving it.

He describes the moment when he dropped “any semblance of bravery,” reached for his phone, and called the hackers to beg them to stop.

Cyberattacks have moved from the digital realm into the real world. Given our reliance on utilities and electronic devices (and the anticipated acceleration of IoT), we are all vulnerable to the real physical effects of a digital cyberattack.

Hopefully, it won’t take a catastrophic event to inspire change and to make governments and businesses understand how important it is that they take security seriously. Prevention is a small measure compared to dealing with the aftermath of a serious cyberattack targeting the physical world.


This article was originally published in our monthly newsletter, Today's Cybersecurity Leader.