Cyberattacks that cause major disruption to public services have happened many times in the real world.
Some of them are very old news, in fact. But it's easy to imagine how a similar attack could shut down basic services, like electricity or water, that affect millions of people.
In 2000, a disgruntled sewage treatment plant worker in Queensland, Australia hacked into his employer's industrial control system to unleash torrents of raw sewage onto public grounds, flooding the city's local Hyatt hotel. The perpetrator was sentenced to two years for the attack.
In 2007, the country of Estonia was subject to widespread outages in its entire telecommunications network, following a cyberattack stemming from a dispute with Russia over a military statue. The incident was so damaging, it led to a decision to place the North Atlantic Treaty Organization's Cyber Security organization in Tallinn, the country's capital.
In 2015, Ukraine's power grid had massive outages after a cyberattack — which some officials have attributed to Russia — two days before Christmas, during a cold snap. Around a quarter-million residents were left without power, but the outages only lasted a few hours before government agencies were able to restore service.
Major cyberattacks aimed at taking down official services don't need to be strictly nation-state sponsored or terrorist-backed. They can be strictly criminal in nature, or come from a malevolent backer under the guise of a criminal attack.
The NotPetya cyberattacks of June 2017, known by the name of the criminal ransomware-inspired computer virus behind it, were notorious for the real-world harm they caused to companies. In Germany, consumer goods-maker Reckitt Benckiser halted shipments of numerous products. Ships belonging to logistics giant Maersk were at a standstill, and the company later said it took a $300 million hit from the attack. In the U.S., a facility owned by Merck that makes the HPV vaccine Gardasil was shut down to such a big extent, the company had to borrow hundreds of millions of dollars worth of back-up vaccines stockpiled by the Center for Disease Control.
Power outages or water supply corruption are the most worrisome to Peter Beshar, general counsel for risk management firm Marsh & McLennan. Loss of electricity, he said, is just one piece of the greater risk for physical security stemming from a cyberattack.
"Utilities are one vital resource. But it's not just power, water is another type of utility. If all of a sudden, the quality of drinking water is called into question, and then manufacturers who rely on using untainted water for making drugs or food is called into question. That is a potential crisis," he said.