This year has opened with new concerns over ransomware as the major cybersecurity threat facing government bodies and businesses. For example, the US FBI reported that the Play ransomware gang hacked approximately 300 organizations worldwide from June 2022 to October 2023. The areas targeted include critical infrastructure sectors.
This comes on top of two serious cybersecurity incidents. In the first, which occurred in the U.S., a NJ ransomware attack diverted ambulances and emergency vehicles. This incident, which seriously disrupted medical services, took place towards the end of 2023.
On the NJ hospital attack, Nicole Sundin, CPO at Axio, explains to Digital Journal just how serious the ramifications are: “When ransomware targets critical infrastructure, the human impact extends beyond disrupting services and businesses facing ransom demands.”
Furthermore, Sundin cautions: “Diverting emergency services becomes an attractive attack vector for cybercriminals because businesses often find themselves in a bind—either pay the ransom to resume critical services or risk operating without them.”
Putting this event in context, Sundin sets out the seriousness of launching an attack against a healthcare institution: “Comparing a hospital ransomware attack to, let’s say, MGM, the human impact is catastrophic. While MGM suffered financial losses and guests were inconvenienced (unable to access hotel rooms, play slots, or check in), the human impact remained relatively low. Hospitals are another story altogether. Their systems are complex due to the distributed nature of sites and also the combination of IT, OT, and IoT infrastructure. This complexity makes them more vulnerable from an attack vector perspective.”
This period also saw an Iranian-linked cyber army taking partial control of Aliquippa’s water system.
Richard Caralli, Senior Cybersecurity Advisor, also from Axio, similarly highlights why an attack on a utility raises the level of seriousness: “Municipal water is an under-appreciated attack target. It has several challenges: limited cybersecurity budget and staff, significant third-party dependencies, and one of the most direct vectors for causing widespread effects on life, safety, and health.”
Furthermore, Caralli states: “They are also effective targets to draw attention to causes, such as the Israel/Hamas conflict, as people tend to pay attention when their vital needs are under attack—and people don’t handle ‘boil water’ announcements very well.”
He adds: “Life, safety, and health is a very strong motivator to capture attention, evident in how the local Pittsburgh news carried the story as breaking news, normally reserved for major incidents impacting lives.”
On this specific incident, Caralli sets out how it was addressed: “The engineers saved the day in this hack because they had older equipment and knew exactly how to prevent operational and collateral damage to the water system. This demonstrates that operational resilience is a combination of what you can prevent (through understanding your weaknesses and improving controls) and what you can sustain (limiting the damage through recovery and restoration plans that have been tested). For a small organization, both sides of this equation have to be operating effectively.”