No person or company wants to be faced with a cyber intrusion in their systems. But physical consequences? These are a company’s worst nightmare. Given the right motivation, a threat actor could work their way into your systems and take control of your plant floor devices, building automation systems and more.
ICS Pulse interviewed Dr. Jesus Molina of Waterfall Security about the rising physical consequences of cyberattacks.
The following has been edited for clarity.
ICS Pulse: Tell us about some of your former exploits as a hacker. I know of one at a luxury hotel. We can start with that. If there’s anything else you want to talk about, we can hit those, too.
Dr. Jesus Molina: Right now, I’m working for Waterfall Security, and I have been doing that for five years. Perhaps the interesting thing is how I got there and how I started working in industrial security. To your question about the exploit at the hotel, when I was 22 or so, I went to the U.S. to do my Ph.D. I did my Ph.D. in intrusion detection systems. After that, I went to the West Coast, and I worked for Fujitsu Labs. There, I did basically hardcore research on cybersecurity.
I started consulting and became an offensive researcher. I worked on many different projects about smart meters, programmable logic controllers (PLCs) and internet of things (IoT) devices. One time, I was a guest in a hotel, and this hotel is beautiful. It’s a hotel in Shenzhen. The hotel spans the 20 top floors of a skyscraper, the biggest building in Shenzhen. I was there and the room had an iPad, and the iPad controlled the room. I decided to check how this works, how this iPad can do all these things. After a couple of hours, I was able to create a Python script on my laptop that was able to control my room. I was able to open the blinds, set the temperature of the room. It was bare bones, but I was able to do it.
But then another question arose, and that’s where the big exploit is: if I can do this in my room, maybe I can do that in every room of the hotel. After a couple of days, I was able to control the whole hotel. I was able to create a script in which I could say, “Open blinds on room 255,” and it opened the blinds. I was able to take control of the outside lights and make little movements.
ICSP: I was in Las Vegas recently and did have an iPad in my room that controlled everything. Hopefully, there wasn’t somebody like you in the room next to me controlling my room.
Molina: Even five years later, these people are still contacting me and saying, “Oh, I was able to replicate what you did in my hotel,” which is interesting. But many hotels now use that, and they encrypt the communications. They put in more controls. That one was one of the first to do that. That was six years ago. And, again, the interesting thing is that this was a big hotel — it was not a small hotel — so that’s why they must use this industrial protocol that is used in airports. It’s used in many building management systems. It’s a very common industrial protocol.
ICSP: I know you’re doing some research and thought leadership into the idea of cyberattacks with physical consequences. Around the time of Stuxnet in 2010, you never saw that. That was the one that I think opened everybody’s eyes. For years, there weren’t many cyberattacks with physical consequences. But if you look in the last few years, the number of those attacks is rising exponentially. Why is that, and why should we be worried about that at this point?
Molina: You had Ben Miller in your podcast, from Dragos, and they do something extremely useful for the community, which is the review, and he discussed it. We wanted to give something to the community, too. And what we did is we looked at all attacks that have happened since 2010 and looked at these attacks by their consequences. For these attacks that were directed at operational technology (OT) or affected OT, did they have physical consequences? So we went through all the attacks that happened. Obviously, there are hundreds of them, so it was quite a bit of work. What is interesting is that, again, as you said, last decade we had only, I think, 14 attacks with physical consequences.
Most of these attacks, we all know about them. There are some that are a little bit less known, but there are only 12 or 14. Now, what happened in this decade, starting in 2020, is that in 2020 we already saw 10 attacks with physical consequences. In 2021, we saw 22 attacks with physical consequences. In 2023, we have already seen between 50 and 70 attacks with physical consequences. What we’re seeing is exponentially growing attacks with physical consequences. And some of the attacks are famous, like the Korean pipeline in 2021 and the attack on the plant in Iran that caused a fire in 2022. But most of them are quite anonymous. We have attacks that everybody talks about for one or two days, and then they forget about them, and there is a reason for that. The reason is that most of these attacks are ransomware that, for some reason or another, affected the physical systems.
Why are there physical consequences? Usually, it’s because the ransomware encrypts a historian. The historian is used to run the machines, so the machines cannot continue working and they must stop. It’s because of information technology (IT)/OT dependencies. That’s why the physical consequences arise. A lot of people ask me if this is a good thing: the fact that these are not attacks that target OT systems directly, but there is still a consequence, a physical consequence. We are not seeing any, or many, attacks with payloads that focus on OT systems. These attacks that affect and create physical consequences, even without having a payload, are quite concerning. As you know, in 2022, Pipedream arrived. And Pipedream has all these different payloads, with IEC 61850. It is a little bit concerning.