A very dangerous cyber tool has been identified and analysed. It targets industrial control systems - the hardware/software that often runs at industrial sites (like manufacturing, but also power grids, nuclear plants, and go figure). Based on these analyses, I make a big-picture assessment.

Created by a nation-state actor, it is “ready for action”. But as of yet it has never been detected in operational use (disruptive, destructive). In this way, it was fortunately recovered and analysed in a highly anticipatory manner. Before anything happened. Nothing was destroyed. Nobody died. Great. Considering the high-impact threat potential, this is remarkable (even if it makes the story “less newsy”). The tool itself is modular and can be used in many ways, and against many targets. It can be employed in reconnaissance (information gathering), disruption (degrading the physical process), or destruction (paralysing the process to cause temporary or prolonged downtime); as the other analysis says, the framework “... contains capabilities related to disruption, sabotage, and potentially physical destruction”. It’s a modular framework that can deliver dangerous commands/payloads to industrial systems.

The analysis also says that “it could be leveraged in attacks on safety instrumented systems”. So it could potentially reach lethal effects, assuming such an intent. Not many cyberattacks have such a potential reach. Extremely rare.

During the ICRC assessment of the humanitarian cost of cyber operations, we did discuss the risks of physical destruction or killings. While such catastrophic scenarios would be highly damaging in themselves, it is important to note that they could lead to armed conflict (or be used in this way during a war already under way). The report summarising the assessment (see the annex) highlights that lethal effects may also be caused by accident: “When it comes to the destruction of objects, specialized cyber operations against ICS appear able to cause intended or unintended physical effects (e.g. destruction or explosions), which may lead to a loss of human life (directly or indirectly). When assessing the risk, such effects would be seen as having a high severity, although the likelihood that the operation would succeed on a large scale is not clear and may be low. The difficulty of assessing the potential human cost of cyber operations against ICS is further compounded by the fact that even the malevolent actor behind the cyber operation may not have full knowledge of the facility, including its current layout, operations, and staffing. This makes it difficult even for that actor to properly assess in advance the likelihood and severity of the potential harm”. So far, and fortunately so, no threat actor has ever been detected as having lethal intentions.

The problem with the cyber tools described in this post is not that they happen to be in the “wrong hands”. While you can download them today from vx-underground, “using” them in practice requires much understanding and an operational approach:

  • gaining access to the right facilities,
  • moving through the security and network boundaries,
  • and reaching the industrial control systems layer,
  • then doing the thing.

It requires funds, expertise, tools, and intent.

Indeed, the problem here is that their users may decide to go for objectives other than reconnaissance/surveillance - lethal objectives. Either directly or by accident (accidents happen). Such uses of these tools may lead to further political consequences (even a war, unless one is already in an armed conflict...).