You may be surrounded by more targets than you think.

You’re ready to put up that that book shelf. You grab your drill and pull the trigger. But instead of spinning the bit, your drill plays music—the Imperial March, Darth Vader’s theme from Star Wars.

Oh, and it bursts into flames.

This is no accident. Instead, a hacker planted malware on your drill to cause you harm. And it’s a sign of how attackers may try their next wave of hacks on big targets in the U.S.

“Who knew you could re-program a drill?” asked Monta Elkins—a security architect with cybersecurity company FoxGuard Solutions—who engineered the drill hack as a demonstration. “Who knew there was a computer in it?”

But that is the key, according to Elkins: computers hidden inside things you don’t consider to be computers that could allow attackers a foothold in their siege of the castle—a power plant, a water plant, an oil rig, a shopping mall.

“There are computers everywhere. We can’t keep up with where they are,” he told Archer News. “You have to watch out for a lot more than you think you do.”

Attack in depth

In the past, attackers online would often strike a target once.

“It used to be one-and-done,” Elkins said.

Now, cyber crooks are trying a barrage of coordinated strikes, not just getting in to the system, but also doing damage on the way in—and out.

“You knock it over and you hold it down with multiple attacks,” he said.

People fighting to defend the big targets, like power plants, smart cities and factories, have often turned to “defense in depth,” or layers of security, to keep attackers at bay. They may try multiple levels of tricks, traps and alarms, just as a bank will put a lock box inside a vault behind locked doors with an alarm system. 

Now, as Elkins explained at the EnergySec cybersecurity conference in Anaheim in August, the bad guys are using “attack in depth”—layer after layer of their own tricks and traps to try to steal the goods.

“If one of your attacks fails, you have multiple attacks to make sure the job gets done,” Elkins said.

Ukraine

An attack in depth took out power in Ukraine last year, leaving more than 200,000 people in the dark.

Attackers shut down power to people in Kiev, as well as other cities in Ukraine in December 2015.

The hackers got into the power system’s computer network and flipped the switches. They made several other moves to damage the system and make it harder to recover. And they used some things you might not think of as computers to do some of their dirty work, according to Elkins.

For example, they burrowed into the power supply units, or UPSs, that give emergency power in case of an outage—not what you would call a computer, but, as the world learned, still hackable.

“This is your wake-up call,” Elkins said. “It’s time to start looking at these things as computers.”

The back of a UPS, or uninterruptible power supply. Image via Wikipedia.

Ping of death

IT specialist and engineer Chuck Reilly is seeing the change at Southern California Edison, one of the country’s largest electric utilities according to its website. 

“When we first started, it was the simple attacks. It was the ‘ping of death’ [sending an oversized packet of data to a computer], denial of service attacks, maybe viruses and worms,” he said. “Very unsophisticated attacks.”

The cyber attacks on utilities, once like hammers, may turn into games of malicious chess.

“We’ve been thinking about that,” Reilly told Archer News. “The concept of assault-in-depth. To start expanding our planning, our defenses.”

“To look at these moves as three-dimensional chess, and what’s happening and trying to figure out what the counter move would be,” he added.

Who will be the better player? If the hackers win, you will spend more time in the dark, hoping for the lights to go back on.

Reilly is working to prepare his team, in case the hackers break through.

“To minimize the damage, so we don’t end up like Ukraine, you know, days, weeks, months later, still having services not available,” Reilly said.

Fire drill

Elkins’ ‘fire drill’ may not be the weapon of choice for most malicious hackers. But he said they will go after devices that people do not usually consider to be computers, like radios, monitors, televisions, appliances and tools.

“Absolutely,” he said. “Because that’s where you’re not looking for it.”

Do you have anything that you can plug in or put batteries in and has been made in the past five or ten years? 

“That’s a computer,” Elkins said. “It’s at least one. It might be several.”

That may seem overwhelming, especially if your job is to protect a big target from cyber attackers. You now have to worry about thousands more devices than before.

“It’s way too much to keep up with,” he said. “I know it’s way too much stuff. And so do the attackers. They know it’s too much stuff. So that’s why the attacks are moving to these devices.”

Fight back

The best way to fight back? Think of these devices as computers, Elkins said. 

“These are computer systems. As much as possible, treat them like your other computer systems,” he said.

“You know certain things to do with those systems. You watch out for their passwords, and you watch out for their firewalls and you watch out for their patching and their firmware updates,” he added.

You may not need to worry about a flaming drill attack in your garage. But paying more attention to security for your smart TV could keep the hackers out—and ransom money in your pocket, instead of theirs.