REUTERS/David Mdzinarishvili

For years, government security specialists have predicted the inevitable "cyber 9/11," an event originating as a digital attack that spills over into other aspects of society, causing widespread harm to people and the global financial sector. Former NSA head Admiral Michael Rogers told CNBC last month that "nothing is beyond the pale of possibility" for cyberattacks. Fear sells. So it can be hard to know what experts really fear might happen, versus hype meant to market a new cybersecurity product or service, or drum up attention on social media. But there are some nightmare scenarios that have precedent. These are the scenarios that truly concern independent cybersecurity experts. They fall into three common themes: physical attacks that shut off or damage some aspect of critical services, financial attacks that spin out of control and lead to bank runs, and hackers changing data in a way that erodes trust in the economy and critical institutions.

Knocking out basic services

Cyberattacks that cause major disruption to public services have happened many times in the real world. Some of them are very old news, in fact. But it's easy to imagine how a similar attack could shut down basic services, like electricity or water, that affect millions of people. In 2000, a disgruntled sewage treatment plant worker in Queensland, Australia hacked into his employer's industrial control system to unleash torrents of raw sewage onto public grounds, flooding the city's local Hyatt hotel. The perpetrator was sentenced to two years for the attack. In 2007, the country of Estonia was subject to widespread outages in its entire telecommunications network, following a cyberattack stemming from a dispute with Russia over a military statue. The incident was so damaging, it led to a decision to place the North Atlantic Treaty Organization's Cyber Security organization in Tallinn, the country's capital. In 2015, Ukraine's power grid had massive outages after a cyberattack — which some officials have attributed to Russia — two days before Christmas, during a cold snap. Around a quarter-million residents were left without power, but the outages only lasted a few hours before government agencies were able to restore service. Major cyberattacks aimed at taking down official services don't need to be strictly nation-state sponsored or terrorist-backed. They can be strictly criminal in nature, or come from a malevolent backer under the guise of a criminal attack. The NotPetya cyberattacks of June 2017, known by the name of the criminal ransomware-inspired computer virus behind it, were notorious for the real-world harm they caused to companies. In Germany, consumer goods-maker Reckitt Benckiser halted shipments of numerous products. Ships belonging to logistics giant Maersk were at a standstill, and the company later said it took a $300 million hit from the attack. In the U.S., a facility owned by Merck that makes the HPV vaccine Gardasil was shut down to such a big extent, the company had to borrow hundreds of millions of dollars worth of back-up vaccines stockpiled by the Center for Disease Control. Power outages or water supply corruption are the most worrisome to Peter Beshar, general counsel for risk management firm Marsh & McLennan. Loss of electricity, he said, is just one piece of the greater risk for physical security stemming from a cyberattack. "Utilities are one vital resource. But it's not just power, water is another type of utility. If all of a sudden, the quality of drinking water is called into question, and then manufacturers who rely on using untainted water for making drugs or food is called into question. That is a potential crisis," he said.

A financial-sector attack that triggers a run

Financial regulators often talk about the risk of "contagion" as a result of an attack on banks or institutions like the New York Stock Exchange. The fear is that a cyberattack could send customers rushing to banks in a panic to pull out funds. "When you have significant impact to financial systems and people can't get to their money, they can cause just as much duress to the system as a major network outage," said Jacqui McNamara, head of cyber security services at Australia's largest telecom, Telstra, at an Oct. 23 cybersecurity conference in Australia. These scenarios are both possible and alarming enough that companies and private-sector organizations have spun up some huge projects to protect against them. "Imagine a cross-cutting attack that just ripples through the financial sector," said Beshar. "If consumers couldn't get cash out of ATM machines, if credit cards weren't functioning, that would be very problematic." One of those initiatives, Sheltered Harbor, is a not-for-profit subsidiary of the Financial Services Information Sharing and Analysis Center. It's got about 70 participants, including big names like Citi, Morgan Stanley and Goldman Sachs. The purpose is to ensure banks can pull up the right information about customer accounts and still reconcile transactions in the face of a catastrophic cyberattack. The initiative is especially focused on an event that significantly destroys data, or takes critical systems out of service for an extended period of time. For banks that are a part of Sheltered Harbor, the organization provides standards designed to back up the financial data they generate each day. This would give banks a way to restore data that's lost in any attack.

Changing data so it's wrong