Why Malicious Attacks are Targeting America’s Infrastructure

On January 31, 2024, FBI Director Christopher Wray appeared before the US Senate and delivered a stark warning:

“PRC (Chinese) hackers are targeting our critical infrastructure. Our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems...and the risk that poses to every American requires our attention, now.”

Cyberattacks perpetrated by China and Russia are certainly nothing new, with American infrastructure being targeted by organized nation-state hackers, along with smaller organized groups and lone wolf criminals, for over two decades. In recent years, the number, scope, and sophistication of these attacks has continued to escalate, as evidenced by the urgency of Wray’s comments. “Let’s be clear,” he warns, “Cyber threats to our critical infrastructure represent real world threats to our physical safety.”

Why has critical infrastructure become a prime target for malicious attacks, and what can be done about it? For nation-states, the ability to induce political turmoil or service disruptions to erode public trust (while avoiding a direct military confrontation) makes infrastructure targets tempting. For private hackers and terrorist groups, the potential for ransomware demands and outright data theft are viewed as lucrative financial opportunities.

New levels of hacking sophistication

In December of 2023, Chinese hackers utilized botnets to spread malware to hundreds of U.S.-based small office/home office (SOHO) routers linked to critical infrastructure including communications, energy, transportation, and water sectors. The targeted routers were vulnerable since they had reached “end of life” status and were therefore no longer supported by the manufacturer’s software patches and other security updates. Although this plot was thwarted by the FBI and National Security Agency, it demonstrated an alarming combination of technological sophistication and support on the ground.

Digital meat for the cyber-butcher

The thwarted botnet attack is just one example in an unbroken chain of alarming incidents, including the massive SolarWinds attack in 2020, and the shocking cyber breach of the Colonial Pipeline network in 2021. JBS, a meat production company that handles distribution from the United States to Australia, was also targeted in 2017. While this didn’t usher in an apocalypse of beef shortages, the attack signaled a trend of cyber attacks directed at infrastructure, with averted consequences ranging from famine to power outages to factory shutdowns. Thus far, we have been both lucky and good.

Additional noteworthy cyber attacks directed at infrastructure in recent years (worldwide) have included:

• NotPetya (2017)
• WannaCry (2017)
• Dragonfly 2.0 (2017)
• TRITON (2017)
• Ukrainian Railway System (2022)
• Japan Space Agency (2023)
• DP World Australia (2023)

The DP World Australia cyberattack demonstrated the vulnerability of large ports when the attack temporarily crippled operations in Sydney, Melbourne, Brisbane, and Fremantle. The attack caused the movement of 30,000 shipping containers to come to a standstill, with an obvious downstream impact on the supply chain.

New attack opportunities

It’s more than financial incentives or the ability to stir international conflict without the use of military intervention. The reality is that the technology we rely on can now be used against us. The integration of AI, automation, and IoT-based devices has created a foundation for modern life and modern business. While companies continue to expand their reliance on tech, they also expand the number and types of attack surfaces and pathways available to hackers.

As industries, tech, and infrastructure become more intertwined, it only stands to reason that sophisticated actors will continue to develop more sophisticated methods in addition to conventional hacking tactics such as:

• Phishing attacks on employees.
• Social engineering for access.
• Malware distribution.
• DDoS attacks.
• Credential theft.
• Man-in-the-middle attacks.
• Zero-day exploits.

The US power grid is increasingly at risk from cyberattacks. Distribution systems are more vulnerable due to the increasing complexity of industrial control systems. Threat actors have several methods at their disposal to access those systems and disrupt operations.

Water treatment systems are also highly vulnerable, as we witnessed in 2021 when a hacker in Florida attempted to increase the sodium hydroxide content in the local water supply from 100 parts per million to 11,100 ppm, but was prevented from causing widespread harm when an alert utility worker quickly spotted and rectified the issue.

Raising the threat bar

More alarming are trends that could spell widespread calamity by escalating beyond food, water, and power infrastructure. When the network of a nuclear power plant was compromised in 2017, it set a dangerous precedent that required no further explanation. The “business side” of the Illinois-based nuclear plant was breached by hackers, rightfully setting off an investigation to uncover how any portion of the attack surface was allowed to be exposed.

It wasn’t until after the Colonial Pipeline attack that stricter regulatory measures were taken. Enforcement of rules and polices by executive action superseded the rules managed by the Certified Information Systems Auditor (CISA). However, those regulatory actions were contained to the pipeline and transportation sector, not the large-scale cybersecurity apparatus for the rest of the United States.

Smart factories, smarter attacks

The internet of things (IoT) is gradually being woven into all facets of everyday life, with a significant impact on manufacturing, healthcare, construction, transportation, utilities, agriculture, and countless other industries. IoT sensors can act as early warning systems to prevent and contain critical infrastructure tampering, but each IoT device also acts as an endpoint that expands the attack surface.

Cybersecurity is a paramount concern for the IoT, since a single lapse can give hackers complete control of infrastructure systems, including military operations that continue to lean in to IoT devices and technology. Either within the confines of the military or the private sector, infrastructure made more vulnerable to cyberattacks through the integration of IoT devices includes:

1. Building Infrastructure: Critical systems, including security, electricity, and environmental controls, are prime targets. Breaches in security devices within the IoT can lead to unauthorized access, while disruptions to electricity and environmental controls can impact building safety and functionality.
2. Industrial Infrastructure: Cybersecurity is crucial for safeguarding the industrial base connected to the IoT. Production resources, factory environments, and computer-driven machinery are linked through the IoT. Attacks on these systems can disrupt or derail essential manufacturing processes.
3. Communications Infrastructure: Communications systems, including routers, computers, and phone systems, are frequent targets for hackers. In the defense industry, unauthorized access to the IoT through these systems could escalate into significant national security concerns over exposed intelligence.

The implications, and what should be done?

With the potential for in cyber-based infrastructure attacks increasing each day, what does the future hold? Will we see routine disruptions and shortages of essential supplies on a monthly basis? Those are big questions with (as yet) no definitive answers. Despite the rise in attack frequency, we have yet to face the dire consequences articulated by FBI Director Wray and other experts. That may be owed to equal parts diligence, luck, and technology, but staying the course will required sustained focus on:

• Securing civilian networks
• Strengthening the resilience of critical infrastructure
• Continually assessing new threats
• Improving surveillance methods

Ransomware is among the most dangerous tools used by nation-states or “private” hackers to bring critical infrastructure to a standstill. The CISA has published guidance on preventing ransomware attacks aimed at critical infrastructure, using a strategic process of preparation, detection and analysis, containment and eradication, and recovery.

Our reliance on new technology in national and global markets will force us to continually deploy more rigorous cybersecurity standards. Even with proper measures taken, complex and robust hacking attempts will continue to target infrastructure for both payout and political purposes.

Facing the new era of infrastructure cybersecurity

The dawn of the internet of things signaled a transition from digital information transfer and security to a complete coupling between the physical and digital realms. Critical infrastructure in the United States, including our power grids, water treatment, transportation systems, and military, are now among the countless “things” monitored and managed over an ever-expanding grid. This paradigm shift is creating exciting new services and benefits, along with new dangers and risks.

Staying one step ahead of infrastructure hackers requires the same dedication and diligence in the physical realm we have established for the digital world. Thwarted attempts by infrastructure hackers should serve as a cautionary tale, and lead to further action by Federal, State, and local governments. Unlike the digital variety of attack, the potential for disaster is almost unlimited. As Director Wray rightly concluded, “We cannot afford to sleep on this danger.”