Transforming Infrastructure into a Weapon: The Impact of Digital Sabotage

The recent blackout was not caused by bombed transmission towers or severed power lines. Instead, it resulted from a precise and invisible manipulation of the industrial control systems that manage electricity flow. This blend of traditional military action with advanced cyber warfare marks a new chapter in international conflict, where lines of code that manipulate critical infrastructure are among the most powerful weapons.
To grasp how a nation can extinguish an adversary’s lights without firing a shot, one must delve into the controllers that regulate modern infrastructure. These digital brains are responsible for opening valves, spinning turbines, and routing power. For a deeper understanding, check out this video from “Wired” on infrastructure cyber attacks.
Historically, controller devices were viewed as simple and isolated. However, grid modernization has transformed them into sophisticated internet-connected computers. As a cybersecurity researcher, I monitor how advanced cyber forces exploit this modernization, using digital techniques to control the machinery’s physical behavior.
Hijacked Machines
My colleagues and I have showcased how malware can compromise a controller to create a split reality. This malware intercepts legitimate commands from grid operators, replacing them with malicious instructions designed to destabilize the system.
For instance, malware could command circuit breakers to rapidly open and close, a technique known as flapping. This can physically damage massive transformers or generators, causing them to overheat or fall out of sync with the grid, potentially leading to fires or explosions that take months to repair.
Simultaneously, the malware calculates what sensor readings should appear if the grid were operating normally, feeding these fabricated values back to the control room. Operators may see stable voltage readings on their screens, even as transformers overload and breakers trip in the physical world. This disconnect leaves defenders blind, unable to diagnose or respond until it’s too late.
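The defensive counterpart to this "split reality" is to stop trusting a single source of truth: compare what the control room's HMI reports against an independent physical measurement, and flag breakers whose observed state is flapping. The following is an added illustration, not code from the article or its authors; the telemetry records, the breaker ids and the existence of an out-of-band protective-relay feed are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each record pairs what the
# HMI shows for a breaker with an independently measured value, assumed to
# come from a protective relay or line sensor that the controller cannot alter.
# (timestamp, breaker_id, hmi_state, hmi_kv, relay_state, relay_kv)
SAMPLE = [
    ("2024-03-01T10:00:00", "CB-101", "closed", 138.0, "closed", 137.9),
    ("2024-03-01T10:00:02", "CB-101", "closed", 138.1, "open",     0.3),
    ("2024-03-01T10:00:04", "CB-101", "closed", 138.0, "closed", 137.8),
    ("2024-03-01T10:00:06", "CB-101", "closed", 138.1, "open",     0.2),
    ("2024-03-01T10:00:08", "CB-101", "closed", 138.0, "closed", 137.9),
    ("2024-03-01T10:00:10", "CB-101", "closed", 138.0, "open",     0.4),
    ("2024-03-01T10:00:00", "CB-202", "closed", 138.0, "closed", 138.0),
    ("2024-03-01T10:05:00", "CB-202", "open",     0.0, "open",     0.1),
]


def find_flapping(records, window=timedelta(seconds=30), max_transitions=3):
    """Breaker ids whose *independently observed* state changed more than
    max_transitions times inside any sliding window of the given length."""
    by_breaker = {}
    for ts, bid, _, _, relay_state, _ in records:
        by_breaker.setdefault(bid, []).append((datetime.fromisoformat(ts), relay_state))
    flagged = set()
    for bid, seq in by_breaker.items():
        seq.sort()
        # timestamps at which the relay-reported state differed from the previous sample
        changes = [t for (t, s), (_, prev) in zip(seq[1:], seq) if s != prev]
        for i, start in enumerate(changes):
            if sum(1 for t in changes[i:] if t - start <= window) > max_transitions:
                flagged.add(bid)
                break
    return flagged


def find_split_reality(records, tolerance_kv=5.0):
    """(timestamp, breaker_id) pairs where the HMI picture disagrees with the
    independent measurement: state mismatch, or voltage gap beyond tolerance."""
    return [(ts, bid) for ts, bid, hs, hv, rs, rv in records
            if hs != rs or abs(hv - rv) > tolerance_kv]


if __name__ == "__main__":
    print("flapping:", find_flapping(SAMPLE))
    print("HMI/relay disagreement:", find_split_reality(SAMPLE))
```

In the constructed data CB-101 is being cycled every two seconds while the HMI keeps showing it closed at nominal voltage, so both checks flag it, whereas CB-202's single genuine opening passes both.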
Historical examples of such attacks include the Stuxnet malware that targeted Iranian nuclear enrichment plants, destroying centrifuges by causing them to spin dangerously fast while feeding false data to operators. Another notable case is the Industroyer attack by Russia against Ukraine’s energy sector in 2016, which directly opened circuit breakers to cut power to Kyiv.
More recently, the Volt Typhoon attack by China against U.S. critical infrastructure, exposed in 2023, focused on pre-positioning. Unlike traditional sabotage, these hackers infiltrated networks to remain dormant, gaining the ability to disrupt U.S. communications and power systems during a future crisis.
To counter such attacks, the U.S. military’s Cyber Command has adopted a “defend forward” strategy, actively hunting threats in foreign networks before they reach U.S. soil.
Domestically, the Cybersecurity and Infrastructure Security Agency promotes “secure by design” principles, urging manufacturers to eliminate default passwords and implement “zero trust” architectures that assume networks are already compromised.
Supply Chain Vulnerability
Today, vulnerabilities lurk within the supply chain of the controllers themselves. Analyzing firmware from major international vendors reveals a heavy reliance on third-party software components for modern features like encryption and cloud connectivity.
This modernization comes at a cost. Many critical devices run on outdated software libraries, some years past their end-of-life support, creating shared fragility across the industry. A vulnerability in a single, ubiquitous library like OpenSSL can expose controllers from multiple manufacturers to the same attack method.
Modern controllers often host their own administrative websites, presenting overlooked entry points for adversaries. Attackers can infect these web applications, allowing malware to execute within the web browser of any engineer or operator managing the plant. This execution enables malicious code to bypass firewalls and issue commands to physical machinery without needing to crack the device’s password.
The scale of this vulnerability is vast, extending beyond the power grid to transportation, manufacturing, and water treatment systems.
Using automated scanning tools, my colleagues and I have found that the number of industrial controllers exposed to the public internet is significantly higher than industry estimates.
The success of recent U.S. cyber operations raises difficult questions about the vulnerability of the United States. The uncomfortable truth is that the American power grid relies on the same technologies, protocols, and supply chains as compromised systems abroad.
Regulatory Misalignment
This domestic risk is compounded by regulatory frameworks that struggle to address the realities of the grid. A comprehensive investigation into the U.S. electric power sector revealed significant misalignment between compliance with regulations and actual security. While regulations establish a baseline, they often foster a checklist mentality, diverting resources away from effective security measures.
This regulatory lag is particularly concerning given the rapid evolution of technologies connecting customers to the power grid. The widespread adoption of distributed energy resources, such as residential solar inverters, has created a large, decentralized vulnerability that current regulations barely address.
Analysis supported by the Department of Energy has shown that these devices are often insecure. By compromising a small percentage of these inverters, my colleagues and I found that an attacker could manipulate their power output to cause severe instabilities across the distribution network. Unlike centralized power plants protected by guards and security systems, these devices are often located in private homes and businesses.
Accounting for the Physical
Defending American infrastructure requires moving beyond compliance checklists that currently dominate the industry. Defense strategies must now match the sophistication of attacks, implying a fundamental shift toward security measures that consider how attackers could manipulate physical machinery.
The integration of internet-connected computers into power grids, factories, and transportation networks is blurring the line between code and physical destruction. Ensuring the resilience of critical infrastructure necessitates accepting this new reality and building defenses that verify every component, rather than blindly trusting software and hardware—or the green lights on a control panel.
This article is republished from The Conversation under a Creative Commons license. The Conversation is an independent and nonprofit source of news, analysis, and commentary from academic experts. The original article can be accessed here.

