Cyber attacks don’t just affect the virtual world: they can have concerning real-world consequences for everyone, and a recent incident seemingly involving a near miss has demonstrated just how disruptive they can be.
South Staffordshire Water, which provides drinking water for over 1.6 million people in the UK, was hit by what it described as “a criminal cyber attack” which caused disruption to corporate IT networks.
Crucially, despite claims by the Clop ransomware group that they had access to industrial systems that control chemicals in the water, the company said this wasn’t the case and a government statement said there was no impact on South Staffordshire Water’s ability to safely supply drinking water.
Clop also claimed that despite gaining access to the network, they didn’t encrypt any data, citing that they “do not attack critical infrastructure.” Nonetheless, the hackers said they stole over 5TB of data and attempted to extort a ransom payment in return for not releasing it.
It’s still unclear how the situation was resolved, but the attack raises a worrying question: what would’ve happened if cyber criminals had managed to encrypt the networks that control water supplies?
For starters, it’s a particularly bad time for something like this to happen: drought has been declared in many areas of the UK following months of heatwaves, and a restriction of the water supply could’ve made things much worse.
Then there’s the prospect of what might have happened if cyber criminals really were able to change the chemical balance of the water. In this case, it’s unclear if they would’ve had the power to do so – but it’s not a theoretical form of cyber attack, because hackers have already demonstrated they can do this.
One infamous case took place at a water treatment plant in Florida last year, when an unidentified hacker was able to tamper with chemical levels in the water supply to the extent that it would’ve been poisonous to drink. Thankfully, the incident was caught before any contaminated water left the plant – but the consequences could’ve been dire.
Critical infrastructure is often vulnerable to cyber attacks, and cyber criminals know it. Just look at last year’s Colonial Pipeline ransomware attack, an incident that panicked people into rushing to gas stations and attempting to hoard fuel for themselves: another case of a cyber attack influencing real-world actions.
These networks can be decades old, relying on old operating systems that are unable to receive security updates anymore, making them prime targets. In addition, these networks are increasingly being connected to Internet of Things devices and sensors, which can also leave them vulnerable to attacks.
Pipelines, power grids and water supplies, transport, and even hospitals – all critical infrastructure vital to keep everything running, and therefore all tempting targets for hackers, be they ransomware groups out to make money, or nation-state-backed hacking groups looking to cause disruption.
“We can limit both the likelihood and impact of these threats by: safeguarding our networks, considering the way they are technically structured and who has access to them,” says advice from the National Cyber Security Centre (NCSC) which warns that an attack could result in “major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life.”
Protecting networks – and people – from the potentially significant consequences of attacks doesn’t require exotic measures: many of the required security steps are among the most commonly recommended and often simplest practices.
These include ensuring that default or easy-to-guess passwords aren’t being used to secure networks and that multi-factor authentication (MFA) is applied, particularly to critical systems. For critical infrastructure and other organisations, actions like this can help protect against most attacks.
Cybersecurity can become more complex for critical infrastructure, particularly when dealing with older systems, which is why it’s vital that those running them know their own network: what’s connected to it and who has access. With that inventory in hand, granting access only when necessary can keep networks locked down.
In some cases, that might mean ensuring older systems aren’t connected to the outside internet at all, but rather on a separate, air-gapped network, preferably offline. It might make some processes more inconvenient to manage, but it’s better than the alternative should a network be breached.
Incidents like the South Staffordshire Water attack and the Florida water incident show that cyber criminals are targeting critical infrastructure more and more. Action needs to be taken sooner rather than later to prevent potentially disastrous consequences not just for organizations, but for people too.
ZDNET’S MONDAY OPENER
ZDNET’s Monday Opener is our opening take on the week in tech, written by members of our editorial team.