Not long ago, the concept of killware was the stuff of futuristic, doomsday movie fare. The idea that hackers could breach systems related to basic public infrastructure and municipal services to put people’s very lives at risk seemed scary, but far-fetched. Unfortunately, that dystopian future has, at least to some degree, arrived. Cities across the globe are increasingly faced with alarming, urgent killware attacks.
At the U.S. Conference of Mayors’ 90th annual Winter Meeting in Washington, D.C. earlier this year, Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), urged mayors heading up cities across the country to take the lead on protecting against killware. “It has to be a leadership issue,” she said. “We are now seeing cyberattacks which can have physical impacts, with the potential to lead to loss of life.”
What is Killware?
Killware is an umbrella term covering a wide variety of cyberattacks that target the physical health and safety of victims. While other attack categories are usually defined by their method (think DDoS or spear phishing), killware is defined by its end result, and it can be carried out through any number of methods, including malware and ransomware.
The U.S. Department of Homeland Security (DHS) has recently designated killware as an emerging cyber threat even more urgent than typical ransomware. DHS Secretary Alejandro Mayorkas told USA Today that killware, designed to intentionally cause death, is the “next breakout cybersecurity threat.” Gartner predicts that within the next four years, threat actors will be routinely weaponizing operational environments to intentionally harm and kill people.
DHS identifies several key potential killware targets that could put thousands of lives at risk, including:
- Municipal operations like water supplies, power grids, and public transportation
- Oil and gas supplies
- Food and basic necessity supply chains
- Police and fire departments, including dispatch operations
- Emergency response systems
Essentially, any networked community resource should be considered at risk for this type of attack. According to a blog written by Gartner senior research director Wam Voster, emerging “smart” technology is also attractive to bad actors. City workers utilizing field devices to send data back to municipal networks and IoT-connected sensors that gather information about city services are prime targets.
Has killware been successfully launched against cities?
The attack on an Oldsmar, Florida water treatment facility in early 2021 is a stark example of how killware is being wielded by bad actors. Here, the attackers breached the plant’s systems and boosted the level of sodium hydroxide in the water to more than a hundred times the safe limit, a concentration considered lethal. Luckily, an operator was able to respond quickly, but for a frighteningly long few minutes, the community’s water supply was at risk of delivering lethally contaminated water directly into the homes and businesses of 15,000 people.
In 2018, Atlanta suffered a ransomware attack that took down more than a third of its networked systems, some of which were part of critical city services. While this attack did not escalate to the point of putting citizens’ lives at risk, it’s easy to see how a more dangerous scenario could play out. It also took the city more than a year to recover and cost taxpayers more than $17 million, money that could have been spent on important city resources.
How can cities protect against killware?
It’s never been more important for security teams to have a tight handle on network behavior, including every endpoint. Full network visibility is the only hope we have for detecting potential killware attacks before they wreak havoc or create harm to individuals and communities. This means the legacy systems that may have been sufficient even a few years ago are inadequately equipped for staving off modern threat actors with the intent to harm.
MixMode uses third-wave AI to create a constantly evolving baseline of expected network behavior and examines network activity in real-time to detect unexpected deviations. Subtle, but concerning, shifts in network behavior that might be overlooked by traditional log-based SIEM or NTA systems are quickly surfaced by MixMode for further investigation. In the meantime, MixMode is smart enough to filter out hundreds of false positives, freeing up analysts’ time, so they can prioritize true potential threats, including attempted killware and zero-day attacks.
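To make the baseline-and-deviation idea concrete for the Oldsmar-style scenario above, here is an added illustration (not MixMode's product code and not from any real plant) that replays constructed HMI setpoint-audit lines in an assumed format, enforces a hard safety envelope on a sodium hydroxide dosing setpoint, and separately flags any write that departs sharply from the recent baseline. The tag name, log format, window size, and the 120 ppm limit are all constructed assumptions.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample HMI audit lines (hypothetical format, not from any real plant):
# "<timestamp> <tag> setpoint=<value> user=<name>"
SAMPLE_LOG = """\
2021-02-05T08:00:00 NAOH_DOSE setpoint=100 user=op1
2021-02-05T09:00:00 NAOH_DOSE setpoint=102 user=op1
2021-02-05T10:00:00 NAOH_DOSE setpoint=98 user=op1
2021-02-05T11:00:00 NAOH_DOSE setpoint=101 user=op1
2021-02-05T12:00:00 NAOH_DOSE setpoint=99 user=op1
2021-02-05T13:30:00 NAOH_DOSE setpoint=12500 user=op1
"""
SAFE_LIMIT_PPM = 120.0  # constructed engineering limit for the dosing setpoint
LINE_RE = re.compile(r"^(\S+) (\S+) setpoint=([0-9.]+) user=(\S+)$")

@dataclass
class Alert:
    timestamp: str
    tag: str
    value: float
    kind: str  # "safety_limit" or "baseline_deviation"
    detail: str

def analyze(log_text: str, safe_limit: float, window: int = 5, k: float = 4.0) -> list[Alert]:
    """Replay setpoint writes, flagging hard-limit breaches and deviations from the recent baseline."""
    alerts: list[Alert] = []
    history: list[float] = []  # previously observed setpoints (single-tag demo)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, tag, raw, _user = m.groups()
        value = float(raw)
        # 1. Hard safety envelope: independent of learned behaviour, never suppressed.
        if value > safe_limit:
            alerts.append(Alert(ts, tag, value, "safety_limit",
                                f"{value:g} exceeds safe limit {safe_limit:g} ({value / safe_limit:.0f}x)"))
        # 2. Baseline deviation: compare against the last `window` observed values.
        if len(history) >= window:
            recent = history[-window:]
            mean = statistics.mean(recent)
            spread = max(statistics.pstdev(recent), 0.05 * mean)  # floor avoids a near-zero stdev
            if abs(value - mean) > k * spread:
                alerts.append(Alert(ts, tag, value, "baseline_deviation",
                                    f"{value:g} vs baseline mean {mean:g} (+/- {spread:g})"))
        history.append(value)
    return alerts
```

Calling `analyze(SAMPLE_LOG, SAFE_LIMIT_PPM)` on the constructed log returns two alerts, both for the final write, which is why the hard limit and the learned baseline are kept as independent checks: the limit catches a lethal value even if the baseline has been poisoned by a slow drift, and the baseline catches an abrupt but in-range change the limit would miss.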
Learn more about how MixMode is protecting some of the world’s most vulnerable systems, including critical municipal and city networks against killware and a growing list of modern cyber attacks, and set up a demo today.