Author(s): Jesse Roman. Published on February 8, 2021.

Big Targets

MOST ORGANIZATIONS that fall victim to cyberattacks aren’t keen on advertising it to the world because such events can hurt stock prices, brand perception, customer security, and are simply embarrassing. “The attacks reported in the media are the ones that are really big, that a lot of people know about, and that can't be contained,” said Phil Owen, a cybersecurity expert with the firm M.C. Dean. Here are a few of the largest that involved building systems.

Target breach
In May 2013, hackers stole the log-in credentials of a third-party HVAC vendor and used them to infiltrate the customer database of retailer Target. Some 40 million payment card records were stolen, along with 70 million other records with customer information including addresses and telephone numbers.

Nuclear sabotage
A sophisticated computer worm called Stuxnet was deployed on an Iranian uranium enrichment plant in 2007. A first-of-its-kind “digital weapon,” the program secretly collected information on the plant’s control systems and caused widespread damage to its centrifuges until it was finally discovered in 2010. The Israeli and US governments are widely believed to have carried out the attack, though neither has acknowledged or confirmed it.

Industrial attack
Cyber attackers used an email phishing scheme to infiltrate and seize control of “a multitude” of systems at an undisclosed German steel mill, according to a 2014 report from Germany’s Federal Office for Information Security. As a result, the plant was "unable to shut down a blast furnace in a regulated manner," resulting in "massive damage to the system."

Hospital hacks
A historic wave of ransomware attacks in September and October 2020 impacted more than 200 US hospitals, crippling facilities in the midst of the coronavirus crisis. Doctors from New York to California told news outlets that they were forced to resort to pen and paper, that patient files couldn’t be accessed, and that many critical systems such as X-ray machines, CT scanners, and telemetry monitors were dark. Wait times at emergency rooms ballooned to more than six hours in some hospitals. Although details of breaches in hospitals are rarely disclosed, experts have said that hackers are increasingly targeting medical devices and buildings systems as a means to gain entry.

Utility power grid
In 2015, a cyberattack on a Ukraine utility company cut power to nearly a quarter million people for up to six hours. The hackers infiltrated the utility’s system through an email phishing attack and were able to cut power to about 30 substations and disable the company’s automated systems, forcing workers to fix the systems manually. It was the first known successful attack on a power grid. A year later, a similar attack cut power to more than 200,000 people near Kiev.

—Jesse Roman