
Government and industry are indifferent or unaware of critical infrastructure kinetic cyber incidents

Sept. 23, 2024
Kinetic damage can occur when control systems are impacted by remote connectivity

Control systems are used to control and monitor physical processes such as heating a boiler, controlling fluids in a pipeline, moving a robotic arm, opening circuit breakers to prevent electrical damage to equipment, etc. When control systems are unintentionally or maliciously impacted by remote connectivity, kinetic (physical) damage can occur.

Pagers and walkie-talkies are still used by U.S. critical infrastructures such as power, water and oil/gas. Even unintentional cyber issues with walkie-talkies can cause significant problems. One of my first projects at EPRI was addressing the inadvertent start-up or shutdown of nuclear power plant equipment caused by the electromagnetic interference (EMI) generated by walkie-talkies affecting non-EMI-shielded equipment.

It appears the compromise of the Hezbollah pagers, walkie-talkies and solar systems (Lebanon’s official news agency also reported that solar energy systems exploded in homes in several areas of Beirut and in southern Lebanon) was a supply chain attack, somewhat akin to the Farewell Dossier attack on Gazprom in 1982. Supply chain attacks may or may not be accompanied by cyberattacks. If the supply chain compromise does not require remote connectivity, it is not cyber-related.

The Hezbollah pagers and walkie-talkies needed to be remotely actuated, making them a combination of supply chain and cyberattacks. Elijah J. Magnier, a Brussels-based senior political risk analyst, said he spoke with Hezbollah members who had examined pagers that failed to explode. What triggered the blasts, he said, appeared to be an error message sent to all the devices (remote access) that caused them to vibrate, forcing the user to click on the buttons to stop the vibration. The combination detonated a small amount of explosives hidden inside and ensured that the user was present when the blast went off, he said. Tuesday’s explosions were most likely the result of supply-chain interference, several experts told the Associated Press, noting that very small explosive devices may have been built into the pagers prior to their delivery to Hezbollah and then all remotely triggered simultaneously, possibly with a radio signal. That corroborates information shared by the U.S. official.

Yet there are people who don’t believe the remote attacks on the pagers and walkie-talkies were cyberattacks. As an example, according to Lucien Niemeyer in his Sept. 18 “Building Cybersecurity” blog, “At first, the unprecedented attack injuring thousands throughout Lebanon today using pagers as explosive devices could be labeled a cyberattack carried out on connected devices. But we agree with the WSJ below that the more likely scenario was the placement of small amounts of explosives in each pager with a coordinated detonation.” That is, Lucien is saying it was only a supply chain attack, despite the need for these devices to be remotely activated. Lucien is not alone in not addressing this as a cyberattack.

On Sept. 18, the Aspen Institute held its AspenDigital Conference in Washington with a cast of cybersecurity luminaries. There were no presenters from critical infrastructures or the control system community. The Chinese cyber issues discussed included Volt Typhoon, which is an attack on routers, but there was no mention of the hardware backdoors in Chinese-made large electric transformers or the hardware implants in Chinese-made port cranes. Additionally, the cyberattacks against the pagers in Lebanon and Syria on Sept. 17, and against the walkie-talkies on Sept. 18, both of which resulted in kinetic damage and deaths, were not mentioned even though they occurred before the AspenDigital Conference started. There was also no discussion that cybersecurity education needs to address the unique aspects of control systems, including the ability to identify control system incidents as being cyber-related.

Conclusion

Critical infrastructure cyber incidents are often difficult to identify as being cyber-related including kinetic incidents causing damage and deaths. Whether the incident is considered to be a cyberattack or a supply chain attack may be less important than recognizing the ways in which these threats are converging.
