Even as most Americans are still learning about the hacking-for-cash crime of ransomware, the nation’s top homeland security official is worried about an even more dire digital danger: killware, or cyberattacks that can literally end lives.
The Colonial Pipeline ransomware attack in April galvanized the public’s attention because of its consumer-related complications, including long lines at gas stations, Homeland Security Secretary Alejandro Mayorkas said in an interview with USA TODAY's Editorial Board last week.
But, “there was a cyber incident that very fortunately did not succeed,” he added. “And that is an attempted hack of a water treatment facility in Florida, and the fact that that attack was not for financial gain but rather purely to do harm.”
That attack on the Oldsmar, Florida, water system in February was intended to distribute contaminated water to residents “and that should have gripped our entire country,” Mayorkas said.
It’s no surprise that it didn’t. USA TODAY and others reported on that hack, but it came amid a flurry of reports of other, bigger cyberattacks such as the SolarWinds intrusion of U.S. government agencies, technology firms like Microsoft and cybersecurity companies.
But Mayorkas and other cybersecurity experts say the Oldsmar intrusion was just one of many indications that malicious hackers increasingly are targeting critical parts of the nation's infrastructure – everything from hospitals and water supplies to banks, police departments and transportation – in ways that could injure or even kill people.
“The attempted hack of this water treatment facility in February 2021 demonstrated the grave risks that malicious cyber activity poses to public health and safety,” Mayorkas told USA TODAY in a follow-up exchange. “The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us.”
Like Mayorkas, private-sector computer security experts recently have begun issuing warnings that so-called cyber-physical security incidents involving a wide range of critical national infrastructure targets could potentially lead to loss of life. Those include oil and gas manufacturing and other elements of the energy sector, as well as water and chemical systems, transportation and aviation and dams.
And with the rise of consumer-based products like smart thermostats and autonomous vehicles, Americans are now living in a “ubiquitous Cyber-Physical Systems world” that has become a potential minefield of threats, said Wam Voster, senior research director at the security firm Gartner Inc.
In a July 21 report, Gartner said it was seeing enough evidence of increasingly debilitating and dangerous attacks that by 2025, “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.”
“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” Voster wrote in an accompanying article.
Another example, Voster wrote, was the Triton malware that was first identified in December 2017 on the operational technology systems of a petrochemical facility. It was designed to disable the safety systems put in place to shut down the plant in case of a hazardous event.
“If the malware had been effective, then loss of life was highly likely,” Voster wrote. “It is not unreasonable to assume that this was an intended result. Hence ‘malware’ has now entered the realm of ‘killware.’”
So far, few incidents have come to light in which hackers succeeded in shutting down parts of the nation’s critical infrastructure in ways that might have contributed to someone’s death or serious injury.
However, U.S. officials are especially concerned about the rash of ransomware attacks on hospitals, which have had to divert patients and cancel or defer critical surgeries, tests and other medical procedures, as was the case in a nationwide cyberattack on Universal Health Services, one of the nation's largest health care providers, in September 2020.