America’s enemies are increasingly targeting critical infrastructure with cyber attacks, a top investigative security journalist says.
Why it matters
A cyberattack that shuts down an oil pipeline or hospital could affect millions of people and put lives at risk.
Last year’s ransomware attack on Colonial Pipeline could have been prevented if the people trying to protect its computer systems had taken basic precautions and kept their eyes open for signs of an attack, a top cybersecurity journalist said Thursday.
Investigative reporter Kim Zetter said attacks targeting oil pipelines, power and water treatment plants, and other essential computer systems have risen sharply since the discovery of the Stuxnet worm in 2010. Stuxnet reportedly destroyed numerous centrifuges at Iran's Natanz uranium enrichment facility; since its discovery, attacks on water treatment plants, power plants and gas pipelines have followed.
Zetter made the comments in a presentation at the Black Hat computer hacking conference in Las Vegas. Zetter, a longtime security reporter for Wired and other publications, is also well known for her book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, which detailed the attack.
The original Stuxnet attack, widely attributed to the United States and Israel, was first discovered by a Belarusian security researcher and later unraveled by others at the cybersecurity company Symantec.
It set off a “cyber arms race” among nations, Zetter said, and “heralded the militarization of cyberspace.”
“Stuxnet demonstrated the viability of resolving geopolitical conflicts through cyberattacks, and suddenly everyone wanted in on the game,” Zetter told the crowd, adding that while only a few countries had offensive hacking programs before, others soon launched their own operations.
Attackers still see an upside in going after critical infrastructure, she said. Some parts of critical infrastructure, such as the highly regulated electrical power industry, have boosted defenses in response. But for much of the sector, defenses have grown more complex without becoming more effective.
The Colonial Pipeline hack is a prime example of the latter development, Zetter said.
Colonial quickly paid a multi-million-dollar ransom after ransomware took over its computer systems, a payment that surprised observers who assumed a major oil-and-gas pipeline operator would have usable backups of its data. The company, however, wasn't prepared for such an event.
Colonial Pipeline officials later told lawmakers that the company's response plan didn't cover ransomware attacks, Zetter said, even though attacks on critical infrastructure had been documented for several years by then.
“The signs were there if Colonial Pipeline had looked,” she said. Colonial didn’t immediately respond to a request for comment.
She noted that researchers at Temple University had documented hundreds of attacks on critical infrastructure the year before, while major cybersecurity companies also had reported increased targeting of these kinds of systems. In 2020, the Cybersecurity and Infrastructure Security Agency issued a report warning of ransomware attacks specifically against pipelines.
The attackers got into Colonial's network through a virtual private network account whose password had also been used on another network and which wasn't protected with multi-factor authentication. MFA would have required the attackers to present a second factor, such as a one-time code from a phone app or hardware token, in addition to the compromised password.
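The two weaknesses described above, a reused password and a VPN account that accepted a password alone, are both things a defender can audit for before an incident. The following is an added example, not code from the article, from Zetter, or from Colonial Pipeline: it checks candidate passwords against a breach corpus the way the Pwned Passwords range API does (sending only a 5-character SHA-1 prefix, with the corpus embedded here so it runs offline), flags VPN accounts with no MFA enrolled or no recent use, and scans constructed VPN log lines for successful logins that presented only a password. The log format, account records, and breach corpus are all hypothetical.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed breach corpus: upper-case SHA-1 hashes of passwords that appeared in
# public dumps. Stands in for the Pwned Passwords range API, which is queried by
# 5-character hash prefix so the full hash never leaves the client.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["Winter2020!", "P@ssw0rd", "Pipeline#1"]
}


def _range_lookup(prefix):
    """Offline stand-in for GET /range/{prefix}: hash suffixes sharing the prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the password's SHA-1 appears in the breach corpus (k-anonymity style)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in _range_lookup(digest[:5])


@dataclass
class VpnAccount:
    user: str
    mfa_enrolled: bool
    last_login: datetime


def audit_accounts(accounts, now, dormant_days=90):
    """Flag accounts that can log in with a password alone or that nobody uses."""
    findings = []
    for acct in accounts:
        if not acct.mfa_enrolled:
            findings.append((acct.user, "no_mfa"))
        if now - acct.last_login > timedelta(days=dormant_days):
            findings.append((acct.user, "dormant"))
    return findings


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict (hypothetical format)."""
    timestamp, *pairs = line.split()
    event = {"time": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def password_only_logins(log_text):
    """Return (user, src) for successful logins that presented only a password."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        factors = set(ev.get("factors", "").split(","))
        if ev.get("result") == "success" and factors == {"password"}:
            hits.append((ev["user"], ev["src"]))
    return hits


# Constructed sample data; none of it is Colonial's.
NOW = datetime(2021, 4, 29, 9, 0, 0)
ACCOUNTS = [
    VpnAccount("jdoe", True, NOW - timedelta(days=1)),
    VpnAccount("asmith", True, NOW - timedelta(days=3)),
    VpnAccount("legacy_vpn", False, NOW - timedelta(days=200)),
]
VPN_LOG = """
2021-04-29T08:12:03Z user=jdoe src=203.0.113.7 result=success factors=password
2021-04-29T08:13:44Z user=asmith src=198.51.100.9 result=success factors=password,totp
2021-04-29T08:15:10Z user=legacy_vpn src=203.0.113.7 result=success factors=password
2021-04-29T08:16:02Z user=jdoe src=203.0.113.7 result=failure factors=password
"""

if __name__ == "__main__":
    print("breached:", is_breached("Winter2020!"), is_breached("correct horse battery staple"))
    print("account findings:", audit_accounts(ACCOUNTS, NOW))
    print("password-only logins:", password_only_logins(VPN_LOG))
```

Note that the log scan catches `jdoe`, whose account is enrolled in MFA, as well as the dormant `legacy_vpn` account: enrollment is not enforcement, and a VPN that still accepts password-only logins for an enrolled user gives the same foothold the article describes. The dormancy check matters for the same reason, since an unused account with a weak or leaked password is the one nobody notices being used.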
After the ransomware locked up Colonial’s systems, the company was forced to shut down its operations for nearly a week. The news sparked panic buying and drove up prices for consumers, though there was no shortage.
Following the attack, CISA issued a long list of security guidelines for industrial control systems. The recommendations were similar to those given before the attack, but Zetter said the Colonial Pipeline hack had made it clear that the guidelines weren’t being followed.
A year after Colonial, Zetter said the threat against critical infrastructure remains high and now includes America's election system. Some states still use voting machines that produce no paper record that can be checked in a recount or audit. Security experts have long called for voting machines to include tamper-evident redundancies, such as voter-verifiable paper printouts.