Amidst numerous publications covering the recent information leak at the US Pentagon, one report delves into a potential security breach of a Canadian pipeline. The report details an email exchange between Zarya (Russian for “Dawn”), a Russian nation-state sponsored hacking group, and the Russian FSB. Zarya claims to have successfully infiltrated the Canadian pipeline operator’s network and boasts the ability to manipulate valve pressure, disable alarms, and initiate an emergency shutdown of the facility. An FSB officer instructed Zarya to maintain their network access and remain on standby for further instructions, anticipating that a successful operation could lead to an explosion at the gas distribution station.
According to the leaked documents, the FSB is allegedly monitoring Canadian news reports for any indication of an explosion resulting from the potential security breach by Zarya. The documents also suggest that Zarya claims to have already caused enough damage to the pipeline operator to result in a profit loss, but insists that their intention is not to cause harm to human life, but rather economic damage to Canadians.
However, as none of the Canadian pipeline operators have confirmed these claims and given that some of the leaked documents have been altered by the Russian FSB, it is uncertain whether these claims are true. Thus, for now, these reports must be considered unverified and potentially false.
Nevertheless, this incident serves as an important example of the possible consequences of cyber-physical risks. The suggestion of a possible explosion is especially concerning, as similar claims were made in the past, including in 2008 (Turkey), 2014 (Ukraine), and more recently in 2022 (by Ukrainian threat actors). Despite the lack of concrete evidence, the possibility of a cyber-physical attack is very real, especially if the attacker manages to infiltrate the control system.
In addition to considering the potential consequences of an attack, it is also important to discuss how to respond if such a claim is made, even if there has been no actual attack. These are interesting topics that I would like to explore in more detail in this blog.