The series Zero Day deals with the current cyber threat landscape and addresses the consequences of a large-scale cyberattack in the USA. For exactly one minute, electricity, mobile networks, server systems, traffic control systems, and air traffic control systems fail simultaneously across the entire country. The attack costs over 3,000 human lives and has major consequences for society. How realistic is this scenario?
Zero Day addresses a highly current topic: after a series of high-profile incidents, cyberattacks have increasingly come into public focus in recent years. The series was clearly inspired by the real threat of cyberattacks, capitalizes on the relevance of the topic, and paints a dark and threatening picture of the aftermath of a large-scale attack. The scenario of a cyberattack on the power supply, the mobile network, or transport, traffic, and air traffic control systems is fundamentally realistic. However, the idea that all systems and infrastructures nationwide could be paralyzed in a single attack is extremely unrealistic and greatly exaggerated for dramatic purposes.
In recent years, we have experienced several attacks against critical infrastructure. Real cyberattacks on critical infrastructure, however, unfold differently than shown in the series. For example, if the power supply is attacked, a power outage can be expected – but only in a specific region, not across an entire city or country. In practice, even limited cyberattacks on critical infrastructure and the associated power outages require considerable effort to recover: systems must be analyzed, vulnerabilities closed, and control regained – a process that often takes hours or days, not seconds.
Moreover, it’s exaggerated that all critical infrastructures could be successfully attacked simultaneously in a single strike. A country’s infrastructures are decentralized; in the USA, for example, there are over 3,000 different power suppliers. Their networks are protected in various ways, and the security measures of different providers never exactly match. An attack of the magnitude shown in the series would therefore require enormous resources to find entry points and exploitable vulnerabilities for all the different networks.
It would certainly be possible to find a vulnerability that occurs across multiple utility companies. This could involve, for example, the same version of hardware. However, it’s unrealistic that a single exploitable vulnerability would exist across all power suppliers as well as all other nationwide systems affected by the cyberattack in the series. Therefore, all systems and networks nationwide cannot be attacked and shut down simultaneously.
Such an attack would also require extensive knowledge of each individual security architecture. Discovering which vulnerabilities make IT, IoT, or OT networks attackable requires significant personnel and time resources. Since network systems and their potential vulnerabilities constantly change through patching, gathered intelligence can quickly become outdated. Conducting such vulnerability mapping not just for one system but for several thousand systems nationwide, and then attacking them all simultaneously, is entirely unrealistic.
Dramatic exaggerations set against a fundamentally realistic scenario
As an exciting thriller, Zero Day addresses current issues and creates a captivating scenario with direct references to real events. However, the realistic feasibility of such a large-scale cyberattack on nationwide critical infrastructure appears more than doubtful. While Zero Day is inspired by real events and headlines, as an entertainment format, the series takes narrative liberties for greater suspense and drama.
Some elements from the series do have a real background – besides actual cyberattacks on critical infrastructure, there are highly specialized cyber operations like Tailored Access Operations or publications from Vault 7. Whether the attacks shown in the series could actually be implemented in this form, however, remains highly questionable and implausible.
Ultimately, real cyberattacks on critical infrastructure are often less spectacular but just as dangerous. In reality, attackers spend hours analyzing logs instead of plunging a country into chaos at the push of a button – a less exciting but more realistic portrayal of cybercrime.