
Comment

Alexandra Hose,

Zero Day Vulnerabilities - the consequences of a large-scale cyber attack

The series 'Zero Day' deals with the cyber threat situation and highlights the consequences of a large-scale cyberattack in the USA. It addresses a highly topical and real risk: cyberattacks that target previously unknown vulnerabilities - so-called zero-day vulnerabilities.


The scenario: For exactly one minute, the entire country simultaneously loses power, the mobile network, server systems, traffic management systems and air traffic control systems. After 60 seconds, all networks and systems are up and running again, and a message is sent to all smartphones throughout the country. The attack costs over 3,000 lives and has a major impact on society.

But how realistic is the series' scenario of a cyberattack on critical infrastructure with nationwide repercussions?

A commentary by Emily Austin, Security Researcher at Censys


"Zero Day deals with a highly topical subject: following numerous attacks, cyberattacks have increasingly become the focus of public attention in recent years. The series was clearly inspired by the real threat of cyber attacks, picks up on the topicality of the subject and paints a bleak and threatening picture after a large-scale attack. The scenario of a cyberattack on the power supply, the mobile phone network or transportation, traffic and air traffic control systems is, of course, fundamentally realistic. However, the fact that all systems and infrastructures are paralyzed nationwide in a single attack is extremely unrealistic and greatly exaggerated for dramaturgical reasons.


In recent years, we have seen a number of attacks against critical infrastructures. However, real cyberattacks on critical infrastructures are different from those shown in the series. If, for example, the power supply is attacked, a power outage is to be expected - but in a specific region and by no means in an entire city or even a whole country. In practice, even limited cyberattacks on critical infrastructures and the associated power outage entail a significant recovery effort: systems need to be analyzed, vulnerabilities closed and control regained - a process that often takes hours or days, not seconds.

It is also an exaggeration to assume that all critical infrastructures can be successfully attacked at the same time in a single attack. A country's infrastructures are decentralized; in the USA, for example, there are over 3,000 different electricity suppliers. Their networks are also protected in different ways, and the protection of the various suppliers never matches exactly. An attack on the scale shown in the series would therefore require very large resources to find entry points and exploitable exploits for all the different networks. It would certainly be possible to find a vulnerability that occurs at multiple utilities. For example, it could be the same version of a piece of hardware. However, it is unrealistic for a single exploitable vulnerability to occur at all utilities and all other nationwide systems affected by the cyberattack in the series. Therefore, not all systems and networks nationwide can be attacked and shut down at the same time.

Such an attack also requires extensive knowledge of each individual security architecture. Finding out which vulnerabilities can be used to attack IT, IoT or OT networks requires a great deal of human and time resources. As network systems and potential vulnerabilities are constantly changing due to patches, the knowledge gained can quickly become outdated. Carrying out such vulnerability mapping not just for one system, but for several thousand systems across the country and then attacking them all at the same time also seems more than unrealistic.

Dramaturgical exaggerations against the backdrop of a consistently realistic scenario

As an exciting thriller, Zero Day addresses current issues and creates a gripping scenario with direct references to real events. However, the realistic feasibility of such a large-scale cyberattack on nationwide critical infrastructures seems more than doubtful. Zero Day is inspired by real events and headlines - but as an entertainment format, the series takes narrative liberties to create more suspense and drama.

Some elements from the series do have a real background - in addition to actual cyberattacks on critical infrastructure (KRITIS), for example, highly specialized cyber operations such as Tailored Access Operations or publications from Vault 7. However, whether the attacks shown in the series could actually be carried out in this form remains highly questionable and implausible.

Ultimately, real cyberattacks on critical infrastructure are often less spectacular, but just as dangerous. In reality, attackers spend hours analyzing logs instead of plunging a country into chaos at the push of a button - a less exciting but more realistic depiction of cybercrime.
