Editor’s note: This story has been updated (9 Apr. 2021)
Cyberattacks are no longer just a matter of cybersecurity; they directly threaten a country’s national security. Cyberattacks alter the character of warfare—much as nuclear weapons once did—by allowing adversaries to potentially cross enemy lines and harm large numbers of innocent civilians.
Today’s malicious actors can now seek to cause physical damage from remote locations through digital channels, wreaking devastation on a country at levels that previously would have required a kinetic attack.
On February 8, 2021, hackers breached the Bruce T. Haddock Water Treatment Plant in Oldsmar, Fla. using known software vulnerabilities in an attempt to poison the local water supply with sodium hydroxide—also known as lye. They accessed the plant through its industrial control system (ICS)—a system designed to allow for remote control and supervision of the plant. Taking over the plant’s controls, the hackers raised the dosage of the chemical, which is used to adjust the acidity of drinking water and remove metals from it, to one hundred times the normal level. The system ran an old version of Windows, was accessible with a shared password, and had no firewall protection against intrusions. Thankfully, a supervisor who was working remotely noticed the dangerous change in time, averting a crisis that could have caused chemical burns and blindness among those exposed to the toxic chemical.
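The Oldsmar change was caught only because a supervisor happened to be watching the screen. The following is an added example, not code from the article or from any water utility's control software: a small plausibility monitor that evaluates setpoint writes taken from an HMI or controller audit log against three defender-side rules (absolute engineering bounds, maximum step change per write, and whether the writing source is a known operator station). Every tag name, limit, host name and log entry below is constructed for illustration; a real deployment would take the bounds from the plant's own process engineering.

```python
"""
Added example (not from the article): a plausibility monitor for ICS
setpoint writes, the kind of automated check that flags a hundredfold
dosing change without relying on an operator noticing it.
All tags, bounds, hosts and sample writes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SetpointPolicy:
    """Engineering limits for one setpoint tag (constructed values)."""
    tag: str
    low: float        # below this, a write is implausible for normal operation
    high: float       # above this, a write is implausible for normal operation
    max_ratio: float  # largest new/old step allowed in a single write
    unit: str = ""


@dataclass(frozen=True)
class SetpointWrite:
    """One observed write to a controller setpoint (e.g. from an HMI audit log)."""
    tag: str
    old: float
    new: float
    source: str       # host or session that issued the write
    timestamp: str


@dataclass(frozen=True)
class Alert:
    severity: str     # "critical" or "high"
    tag: str
    reason: str
    source: str
    timestamp: str


def check_write(write: SetpointWrite, policy: SetpointPolicy,
                trusted_sources: Iterable[str]) -> List[Alert]:
    """Apply three independent plausibility rules to a single write."""
    if write.tag != policy.tag:
        raise ValueError(f"policy for {policy.tag} applied to write on {write.tag}")
    alerts: List[Alert] = []

    # Rule 1: absolute engineering bounds. A dosing setpoint far outside the
    # process range is never legitimate, regardless of who wrote it.
    if not policy.low <= write.new <= policy.high:
        alerts.append(Alert("critical", write.tag,
            f"value {write.new:g} {policy.unit} outside [{policy.low:g}, {policy.high:g}]",
            write.source, write.timestamp))

    # Rule 2: step change. Operators adjust dosing incrementally; an order-of-
    # magnitude jump in one write is suspicious even when inside the bounds.
    # Skipped when old <= 0, where a ratio is undefined (e.g. restarting a feed).
    if write.old > 0 and write.new / write.old > policy.max_ratio:
        alerts.append(Alert("critical", write.tag,
            f"step change x{write.new / write.old:.0f} exceeds allowed x{policy.max_ratio:g}",
            write.source, write.timestamp))

    # Rule 3: provenance. Writes should come only from the plant's own
    # operator stations, not from an arbitrary remote session.
    if write.source not in set(trusted_sources):
        alerts.append(Alert("high", write.tag,
            f"write from untrusted source {write.source}",
            write.source, write.timestamp))
    return alerts


def evaluate(writes: Iterable[SetpointWrite], policies: Dict[str, SetpointPolicy],
             trusted_sources: Iterable[str]) -> List[Alert]:
    """Run every write against its tag's policy; a tag with no policy is itself an alert."""
    alerts: List[Alert] = []
    for w in writes:
        policy = policies.get(w.tag)
        if policy is None:
            alerts.append(Alert("high", w.tag, "write to tag with no policy",
                                w.source, w.timestamp))
            continue
        alerts.extend(check_write(w, policy, trusted_sources))
    return alerts


# Constructed policy and sample audit log: a sodium hydroxide dosing setpoint in ppm.
POLICIES = {
    "NAOH_DOSE_SETPOINT_PPM": SetpointPolicy("NAOH_DOSE_SETPOINT_PPM",
                                             low=50.0, high=200.0, max_ratio=2.0, unit="ppm"),
}
TRUSTED_SOURCES = {"hmi-01", "hmi-02"}
SAMPLE_WRITES = [
    # Routine operator adjustment from a known HMI: passes all three rules.
    SetpointWrite("NAOH_DOSE_SETPOINT_PPM", old=100.0, new=110.0,
                  source="hmi-01", timestamp="2021-02-08T13:00:00"),
    # A hundredfold increase written from an unrecognised remote session.
    SetpointWrite("NAOH_DOSE_SETPOINT_PPM", old=110.0, new=11000.0,
                  source="remote-session-7", timestamp="2021-02-08T13:05:00"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_WRITES, POLICIES, TRUSTED_SOURCES):
        print(f"[{a.severity}] {a.timestamp} {a.tag} from {a.source}: {a.reason}")
```

The three rules are deliberately independent: the hundredfold write trips all of them, but a write that is in range and from a trusted host yet doubles the dose in one step still raises the step-change alert, and a write from an unknown session is flagged even when the value itself looks ordinary. Feeding this kind of monitor from the controller's own audit trail, rather than from the HMI that an intruder already controls, is what makes it useful as a second pair of eyes.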
U.S. government officials have recently expressed concerns about similar vulnerabilities across water and energy sectors and other critical infrastructure including health, emergency services, food and agriculture, and transportation systems. The cyberattack on the water plant occurred just a week before a major winter storm led to a widespread blackout and water crisis across Texas. More than five million went without power and running water for several days, illustrating the fragility of such interconnected infrastructure and the physical devastation that could be caused in the event of a cyberattack targeting the grid.
Critical infrastructure is not alone in its vulnerability to cyberattacks with physical implications—supply chains are also at risk. For months (if not years), hackers have exploited vulnerabilities in software from Microsoft, VMWare and the Texas-based company SolarWinds to compromise data security in at least 200 organizations in the U.S. government and other agencies around the world.
Although the SolarWinds attack appears to be a case of classic espionage by Russia via the U.S. supply chain, there are aspects of the attack that also illustrate the potential for achieving physical effects via digital channels. As early as March 2020, Russian hackers breached the Orion network management software designed by SolarWinds, a federal contractor, and planted malicious code likely intended to gain access to sensitive information. Evidence of malware was first detected in December by a cybersecurity company that also uses the Orion software. The impact of the SolarWinds cyberattack spanned thousands of networks at nine federal agencies and 100 private sector companies, including the Department of Energy’s National Nuclear Security Administration (NNSA), which is responsible for overseeing the U.S. nuclear weapons stockpile.
Although NNSA claims there was no impact on classified systems, officials found evidence of attempted intrusion in unclassified systems, though according to the NNSA Public Affairs office the system in question was used for business purposes, not for the transport of nuclear weapons and materials. The agency also detected attempts to gain access to servers at the Los Alamos National Laboratory—one of three nuclear weapons labs. NNSA immediately disconnected the software from relevant networks, removing the possibility of deleterious effects. While the hackers were not likely targeting the transport of nuclear weapons, the vulnerabilities of nuclear weapons while en route between secure locations are well known.
The exact objectives for the SolarWinds cyberattack remain unclear, but the vast extent of its reach may demonstrate to U.S. adversaries the significant potential of cyberattacks for achieving physical ends, including the possibility of stealing nuclear weapons. However, the incident is not the first major one from which malicious actors have deduced such capabilities—consider the lessons from the NotPetya attack in 2017. Russian hackers spread malicious code through a popular accounting software developed by a Ukrainian business across many countries in Europe, eventually infecting tens of thousands of computers around the world. In addition to rendering infected computers useless, the attack shut down the global operations of the Maersk shipping company and caused major traffic congestion on the roads near ports in the United States. It also slowed operations of Merck & Co, Inc., a major producer of drugs and vaccines in the U.S., reducing production capacity for a short period of time. Even a classic espionage or sabotage incident may carry significant potential for physical damage.
The Biden administration has already issued guidance for shoring up vulnerabilities in U.S. supply chains, but much more needs to be done to protect critical infrastructure and dissuade malicious actors from exploiting digital channels to achieve physical ends. In an era of hybrid and gray zone warfare, cyberattacks are attractive to nations seeking to undermine their adversaries due to challenges of attribution and the associated benefit of deniability. In the future, these nations may also come to see cyberattacks with physical effects as a new form of warfare—a Trojan horse in the form of their adversary’s own infrastructure or supply chains. In so doing, they can cross enemy lines and cause damage and destruction without defeating any military forces.
Dr. Natasha Bajema is the Director of the Converging Risks Lab at the Council on Strategic Risks and an IEEE Spectrum contributor. She has held long-term assignments at the National Defense University, in the U.S. Office of the Secretary of Defense, and at the U.S. Department of Energy’s National Nuclear Security Administration.
Correction: According to a spokesperson for the NNSA, the SolarWinds attack did not target any computer systems involved in the transport of nuclear weapons and materials, as Spectrum had previously reported. According to that spokesperson’s statement, “NNSA’s Office of Secure Transportation has a highly trained security force; significantly modified and secure vehicles that effectively enhance self-protection and deny unauthorized access; a 24/7 communications center; and a specialized cadre of support professionals to safely and securely carry out its mission. Since its creation in 1975, OST has accumulated more than 200 million miles of over-the-road transportation of national security cargo with no accidents causing a fatality or release of radioactive material.”