By Michael Welch, Managing Director, MorganFranklin Cyber
Cyberattacks against critical infrastructure and other cyber-physical systems have increased for years. These attacks are particularly concerning because they pose a real threat to people’s lives, health, and safety.
As the Internet of Things (IoT) continues to expand, society also becomes increasingly dependent on cyber-physical systems. Properly securing these systems is essential to managing the risks that they pose to owners, managers, and the general community.
Cyber-Physical Attacks Are Not Theoretical
Cyber threat actors have had the capability to access critical infrastructure for a long time. In recent years, however, security incidents in power grids and other infrastructure have moved from proof of concept to actual exploitation of that access.
Some examples of high-profile cyber-physical attacks include:
- Stuxnet, one of the most famous cyberattacks to date, used malware to disrupt and damage centrifuges.
- Multiple cyberattacks against the Ukrainian power grid caused a loss of power to hundreds of thousands of residents.
- A ransomware attack in February 2020 caused a two-day shutdown of a US-based natural gas operator.
- The recent cyberattack against a water treatment plant in Oldsmar, Florida could have resulted in a poisoned water supply if it had not been detected and reversed in time.
However, while critical infrastructure threats result in some of the most visible and wide-reaching cyber-physical attacks, they are not the only area to consider. Research has demonstrated numerous potential attack vectors against pacemakers and other personal health devices, which could be exploited to cause personal harm or used for ransomware attacks. The increased use of IoT devices in manufacturing, transportation, and similar sectors makes it possible for cyberattacks to cause industrial accidents, train derailments, and similar incidents.
Addressing Cyber-Physical Security Challenges
Cyber-physical systems have many of the same cybersecurity challenges as their traditional IT counterparts. However, these systems also pose additional enterprise cybersecurity risks for several reasons.
Operational technology (OT) systems include all of the cyber-physical systems that make up critical infrastructure. This includes both specialized components (like power generation equipment) and the computers that control them.
OT cybersecurity is challenging because of the industry’s unique situation. Previously, most OT devices were physically separated from IT networks, making them more difficult to access and attack. In recent years, a push for increased efficiency and centralization has eroded this air gap, suddenly connecting many devices to the internet that were not designed for external access.
These security challenges are exacerbated by the high availability requirements of OT environments. It is not feasible to shut down a power grid for a couple of weeks to perform widespread updates. As a result, critical infrastructure components are typically only updated during tight maintenance windows, leaving systems largely out of date and lacking adequate protection against modern threats.
Internet of Things Devices
IoT devices are extremely convenient for personal and professional use. The ability to centrally monitor and manage remote sites offers substantial cost-savings for organizations, and employees commonly deploy “smart” solutions in the office. This trend has only accelerated with the transition to remote work.
However, IoT devices also create significant security risks for organizations. IoT security is notoriously poor, which prompted the creation of the California Internet of Things Security Law to help ensure a baseline level of device security. Unfortunately, this regulation is not enough to ensure the devices are actually secure against exploitation.
While IoT devices create widespread digital security risks to organizations, they hold physical security risks as well. Many “smart” devices are given positions of trust within the home or office, such as controlling the temperature, managing access to doors, detecting smoke and carbon monoxide in buildings, and similar functions. A cyberattack against these devices could easily cause property damage or harm to a building’s residents.
Personal Healthcare Devices
Personal healthcare devices like “smart” pacemakers and similar systems provide a higher level of patient care than was previously available. The ability to continually monitor and manage these devices allows them to be better tuned to a patient’s needs.
However, the numerous ransomware attacks against healthcare providers in 2020 demonstrated that cybercriminals have no reluctance to target healthcare systems. These same attacks could also be aimed at personal healthcare devices. Security researchers have already demonstrated that pacemaker vulnerabilities could be exploited to deliver painful electric shocks. Similar vulnerabilities could be used to install ransomware on these devices, forcing victims to pay for medical treatment, or to perform additional attacks.
Personal healthcare devices are specialized types of IoT devices and carry many of the same security challenges. A lack of security research and investment by manufacturers, combined with the difficulty of installing updates on these devices, leaves patients vulnerable to attack.
Inconsistent Regulation and Enforcement
For critical infrastructure, cybersecurity regulations come from the government agency responsible for that utility, but the responsible agency differs from one utility to another. For example, water distribution falls under the EPA, the power grid is under the Department of Energy, and transportation is regulated by DHS and the Department of Transportation.
With different organizations directing cybersecurity needs across the sectors, cybersecurity regulations and enforcement differ as well. This can result in vulnerabilities when a particular utility lacks stringent cybersecurity regulations, or the requirements are not effectively audited or enforced.
Best Practices for Securing Cyber-Physical Systems
Most cyber-physical attacks take advantage of a lack of security sophistication. The targets of these attacks have often not received the same level of cybersecurity research and development as traditional IT systems. Some cyber-physical systems (like parts of the power grid) predate the Internet, while others (such as IoT devices) are manufactured by companies that do not have backgrounds in IT system design and cybersecurity.
Managing these types of cybersecurity risks requires taking proactive security measures. Some best practices for protecting cyber-physical systems include:
- Perform a Risk Assessment: Adding IoT and other internet-connected devices to an organization’s network can increase convenience at the expense of security. Before deploying these devices, perform a risk assessment to determine if the cost to organizational security outweighs the benefits.
- Implement Network Segmentation: IoT devices, OT systems, and other cyber-physical systems should be located on a separate segment of an organization’s network. This helps protect these systems against compromise via the IT network and prevents them from being used as an entry vector into the rest of the organization’s environment.
- Enforce Access Controls: Cyberattacks like the Oldsmar water treatment plant hack take advantage of poor access controls. Access to these systems should be restricted based on the principle of least privilege and use multi-factor authentication (MFA) to help prevent unauthorized access.
- Apply Updates Promptly: Many cyberattacks against cyber-physical systems also take advantage of unpatched vulnerabilities in these devices. Regularly testing and applying updates can help mitigate the impact of security issues in these devices.
- Use Real-Time Protection: Real-time protection solutions run on a device and attempt to identify and block attacks against it. This approach can also help lessen the impact of unpatched devices on enterprise cybersecurity.
As the world becomes ever more connected, cyber-physical threats will increase in tandem. It is vital to understand how to incorporate these systems with sound cybersecurity strategies to minimize their cyber risks.
About the Author
Michael Welch is responsible for supporting new business relationships and spearheading cybersecurity consulting initiatives for MorganFranklin. He is a leader in cybersecurity and technology with over 20 years of experience in risk management, compliance, and critical infrastructure. Mike previously served as global chief information security officer for OSI Group, a privately owned food processing holding company that services some of the world’s best-known brands throughout 17 countries. In addition, he has worked with Burns & McDonnell, Duke Energy Corp. and Florida Power & Light, among other companies. He is an accomplished CISO, senior manager, and security consultant, leading teams of InfoSec engineers, architects, and analysts to deliver complex cybersecurity transformations.
Michael can be reached online at https://www.linkedin.com/in/michael-welch-93375a4/ and at our company website https://www.morganfranklin.com/cybersecurity/