Cyberattacks against infrastructure

Once a cyberattack has been initiated, there are certain targets that need to be attacked to cripple the opponent. Certain infrastructures as targets have been highlighted as critical infrastructures in times of conflict that can severely cripple a nation. Control systems, energy resources, finance, telecommunications, transportation, and water facilities are seen as critical infrastructure targets during conflict. A new report on the industrial cybersecurity problems, produced by the British Columbia Institute of Technology, and the PA Consulting Group, using data from as far back as 1981, reportedly has found a 10-fold increase in the number of successful cyber attacks on infrastructure Supervisory Control and Data Acquisition (SCADA) systems since 2000. Cyberattacks that have an adverse physical effect are known as cyber-physical attacks.

Control systems
Control systems are responsible for activating and monitoring industrial or mechanical controls. Many devices are integrated with computer platforms to control valves and gates to certain physical infrastructures. Control systems are usually designed as remote telemetry devices that link to other physical devices through internet access or modems. Little security can be offered when dealing with these devices, enabling many hackers or cyberterrorists to seek out systematic vulnerabilities. Paul Blomgren, manager of sales engineering at cybersecurity firm explained how his people drove to a remote substation, saw a wireless network antenna and immediately plugged in their wireless LAN cards. They took out their laptops and connected to the system because it wasn't using passwords. "Within 10 minutes, they had mapped every piece of equipment in the facility," Blomgren said. "Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle."

Energy
Energy is seen as the second infrastructure that could be attacked. It is broken down into two categories, electricity and natural gas. Electricity also known as electric grids power cities, regions, and households; it powers machines and other mechanisms used in day-to-day life. Using US as an example, in a conflict cyber terrorists can access data through the Daily Report of System Status that shows power flows throughout the system and can pinpoint the busiest sections of the grid. By shutting those grids down, they can cause mass hysteria, backlog, and confusion; also being able to locate critical areas of operation to further attacks in a more direct method. Cyberterrorists can access instructions on how to connect to the Bonneville Power Administration which helps direct them on how to not fault the system in the process. This is a major advantage that can be utilized when cyberattacks are being made because foreign attackers with no prior knowledge of the system can attack with the highest accuracy without drawbacks. Cyberattacks on natural gas installations go much the same way as it would with attacks on electrical grids. Cyberterrorists can shutdown these installations stopping the flow or they can even reroute gas flows to another section that can be occupied by one of their allies. There was a case in Russia with a gas supplier known as Gazprom, they lost control of their central switchboard which routes gas flow, after an inside operator and Trojan horse program bypassed security.

The 2021 Colonial Pipeline cyberattack caused a sudden shutdown of the pipeline that carried 45% of the gasoline, diesel, and jet fuel consumed on the East Coast of the United States.

Wind farms, both onshore and offshore, are also at risk from cyber attacks. In February 2022, a German wind turbine maker, Enercon, lost remote connection to some 5,800 turbines following a large-scale disruption of satellite links. In April 2022, another company, Deutsche Windtechnik, also lost control of roughly 2,000 turbines because of a cyber-attack. While the wind turbines were not damaged during these incidents, these attacks illustrate just how vulnerable their computer systems are.

Finance
Financial infrastructures could be hit hard by cyberattacks as the financial system is linked by computer systems. Money is constantly being exchanged in these institutions and if cyberterrorists were to attack and if transactions were rerouted and large amounts of money stolen, financial industries would collapse and civilians would be without jobs and security. Operations would stall from region to region causing nationwide economic degradation. In the U.S. alone, the average daily volume of transactions hit $3 trillion and 99% of it is non-cash flow. To be able to disrupt that amount of money for one day or for a period of days can cause lasting damage making investors pull out of funding and erode public confidence.

A cyberattack on a financial institution or transactions may be referred to as a cyber heist. These attacks may start with phishing that targets employees, using social engineering to coax information from them. They may allow attackers to hack into the network and put keyloggers on the accounting systems. In time, the cybercriminals are able to obtain password and keys information. An organization's bank accounts can then be accessed via the information they have stolen using the keyloggers. In May 2013, a gang carried out a US$40 million cyber heist from the Bank of Muscat.

Transportation
Transportation infrastructure mirrors telecommunication facilities: by impeding transportation for individuals in a city or region, the economy will slightly degrade over time. Successful cyber attacks can impact scheduling and accessibility, creating a disruption in the economic chain. Carrying methods will be impacted, making it hard for cargo to be sent from one place to another. In January 2003 during the "slammer" virus, Continental Airlines was forced to shut down flights due to computer problems. Cyberterrorists can target railroads by disrupting switches, target flight software to impede airplanes, and target road usage to impede more conventional transportation methods. In May 2015, a man, Chris Roberts, who was a cyber consultant, revealed to the FBI that he had repeatedly, from 2011 to 2014, managed to hack into Boeing and Airbus flights' controls via the onboard entertainment system, allegedly, and had at least once ordered a flight to climb. The FBI, after detaining him in April 2015 in Syracuse, had interviewed him about the allegations.

Water
Water as an infrastructure could be one of the most critical infrastructures to be attacked. It is seen as one of the greatest security hazards among all of the computer-controlled systems. There is the potential to have massive amounts of water unleashed into an area which could be unprotected causing loss of life and property damage. Even water supplies could be attacked; sewer systems can be compromised too. There was no calculation given to the cost of damages, but the estimated cost to replace critical water systems could be in the hundreds of billions of dollars. Most of these water infrastructures are well developed making it hard for cyberattacks to cause any significant damage, at most, equipment failure can occur causing power outlets to be disrupted for a short time.

In 2024, multiple US water facilities had their industrial equipment compromised by hackers to display anti-Israel messages. Although no major damage has been inflicted, it has revealed US water facilities are experiencing lack of funding and resources to patch security vulnerabilities in their infrastructure.

Waste management
In addition to water facilities, waste management facilities can also be and have been targets of cyberattacks.

In 2023, the Radio Waste Management (RWM) company, owned by the United Kingdom government, experienced an unsuccessful cybersecurity breach through the use of LinkedIn. The attack attempted to identify and access the people who are part of the business.

In 2023, Sellafield, the UK's largest and most hazardous nuclear waste disposal site, had been targeted by foreign hackers, linked to Russia and China. Sleeper malware was discovered inside of the site's networks, and it is unknown how long it had been installed or if it had been fully removed. The full extent of the weak security was exposed when staff found they could access Sellafield's servers from outside the site. Reports in 2012 and 2015 reported that the company and senior management have been aware of the security vulnerabilities but failed to report or spend resources to address these vulnerabilities. Sellafield's sensitive documents, such as foreign attack or disaster emergency defense plans and radioactive waste management, may have been compromised.

It is possible for smaller scale electronics in e-waste to become targets of cyberattacks. The PwC estimates that globally by 2030, the amount of Internet of Things (IoT) devices owned around the world would reach over 25 billion, and of that, 70 million tonnes of e-waste will be generated and disposed of. Although only based on anecdotal evidence, it's estimated the majority of this e-waste is improperly disposed of, allowing the components of these devices to retain sensitive information and personal data. Cyber criminals may target e-waste of individuals or organizations to gain access to sensitive data that isn't as securely guarded as active devices.

Hospitals and Medical Facilities
Hospital as an infrastructure is one of the major assets to have been impacted by cyber attacks. These attacks could "directly lead to deaths." The cyberattacks are designed to deny hospital workers access to critical care systems. Recently, there has been a major increase of cyberattacks against hospitals amid the COVID-19 pandemic. Hackers lock up a network and demand ransom to return access to these systems. The ICRC and other human rights group have urged law enforcement to take "immediate and decisive action" to punish such cyber attackers.

Hospitals and medical facilities have seen an increase in ransomware attacks in which criminals encode Protected Health Information (PHI) and other private identifiable information. When the ransom is paid, the money is exchanged for a key to decode the information and to return the stolen data. Access points into hospital infrastructure are often through third-party companies that hospitals may contract jobs through. The HIPAA Omnibus Rule created in 2013 requires that all business contracted to perform work for the hospital where patient information could be involved would be required to be held to the same standards of security. An increasingly common access point has been through camera and security systems that are being added to the hospitals network. As more outside companies and devices become connected through the internet, the risks for cyberattacks increases. During the COVID- 19 pandemic an increase in attacks was noted. Researchers concluded that this was the result of increased remote work in which hospital staff had more devices connected to networks increasing potential areas of vulnerability. One tactic that has been effective in preventing cyberattacks in the healthcare industry is the Zero Trust method. In this model, all users known and unknown are viewed as a potential threat and requires everyone to verify their identity with the appropriate credentials.

With an increased use of Electronic Medical Records (EMR) comes an increased need for security to protect patient information and privacy. When a hospital experiences a data breach in the United States, the facility is required to report the breach to the people impacted under the Health Information Technology for Economic and Clinical Health Act, also called HITECH ACT, as it has the Breach Notification Rule. The rule states that facilities are required to report data breaches if the facility provides patient care under HIPAA guidelines. The Health Insurance Portability and Accountability Act protects patient's right to privacy regarding their Protected Health Information (PHI). Accessing PHI can be very lucrative for cybercriminals as this information can contain home addresses, social security numbers, banking information, and other personally identifiable information.