Problems caused by physical systems in terms of cyber-attack are quite extensive, damaging systems and assets
Security experts of various disciplines agree that physical systems are increasingly being leveraged in attacks on organisational networks and supply chains. Many manufacturers maintain that security (including that of security systems) is the responsibility of the end user, which would be fine if they were only expected to maintain security and not create the security in the first place.
End users probably feel it is the responsibility of the manufacturer or installer, and the attackers don’t care who is responsible as long as the door is left open and unguarded for them to exploit the vulnerability created by the confusion and lack of cohesive response.
Need for a change in approach
Our organisational structures in terms of Security, Risk, IT and Information Security are not helping this situation. In many organisations there is a lack of board room oversight; control is still sitting in silos and Information Security is potentially even on a different Risk Register. Clearly this creates even more risk, but sometimes it is hard to see the wood for the trees and the necessary culture change has to start with behavioural change first; the behaviour then creates a new and more resilient culture.
Problems caused by physical systems in terms of cyber attack are quite extensive and the results might be damage to systems or other assets or sometimes in a data breach, an exfiltration of valuable information, possibly intellectual property. As an example, imagine an internal CCTV system in a banking chain. It isn’t protected by corporate network security as that is focused on the user system and emails etc. It isn’t protected by the same network as the exterior either but it is web-enabled and sitting on a network somewhere. Because it falls outside of the remit of IT security, it hasn’t been patched or firewalled and it has certainly never been penetration tested to check that it is secure.
Why are firewalls and anti-malware important?
Because physical security falls
Let’s imagine that this system is then attacked, probably by using a phishing email to a staff member who unwittingly allows attackers to access this internal CCTV. The attackers then spend months harvesting login credentials and studying normal system behaviour in order that they can emulate it at a later date, using the stolen logins. At the same time, having breached the network, they hack a selection of ATMs in a variety of countries. At a predetermined time, they create money and add it to a variety of accounts in a manner and at a time that their research has shown them would be considered normal and not attract unwanted attention. They then turn that invented money into cold hard cash by ejecting it at a predetermined time out of the predetermined and compromised ATMS into the hands of the gang who are waiting to collect.
Without the access to the CCTV, this could not have happened. But the important aspects of this scenario actually happened. And it happened in more than 30 countries and more than one billion dollars was created and removed in this way. The accounts they used to filter this created cash were largely unscathed and the game ran for a long time.
Another example might be a blast furnace in Germany in December 2014. The Industrial Management System was compromised and the furnace was unable to be shut down. The damage was extensive and risk to life and limb very real. Details on this are scant and we do not know if the exploit continued into the corporate network or whether the target was the furnace system itself. But this is a cyber attack on a physical system and our physical systems do not enjoy the same regular attention that our corporate networks do. This could just as easily be an attack on an air filtration system, remotely managed from a centralised platform or a heating system or even a door entry system; locking down an entire site.
So firewalling and protecting with anti-malware is a must. So are regular health checks and penetration testing but few of these systems get that attention. Many systems are built on legacy platforms never intended to be called into web enabled service and are not really fit for that purpose; no longer supported with security patching such as XP for instance.
Being the inadvertent cause of
Mitigating cyber attack risk
How do we approach mitigating the risk that our continued lack of attention is creating? Well, the impact of culture is huge and unavoidable. Culture starts from the top and the right board room attitude goes a long way to embedding a security culture into an organisation. Our security and risk functions need boardroom oversight and organisations need to step away from a project-based approach to security. Installers and maintainers need to understand the implications that physical systems can have on the resilience of their organisations and therefore training needs to be available to those disciplines. The training needs to be practical, targeted and relevant; focused on the impacts from installers and managers.
Regular testing and patching needs to be brought within oversight of IT security so it forms part of other corporate network securing cycles. Risk needs to encompass the security functions including information security and how resulting data from physical systems, such as CCTV or entry systems, needs to be securely managed through its lifecycle.
Supply chain cyber threats
Supply chains also need to be considered as a potential security vulnerability. If you need an example of why, then take a look at the Target mega breach. This was enabled by a phishing attack on their air conditioning contractor. An employee clicked on a link which delivered the malware that in turn gave them access to the managed maintenance portal - used to upload and manage tasks. If an attacker can find an easy way in through a less secure underbelly, they will naturally take it. Being the inadvertent cause of a breach at a supply chain partner could be cataclysmic for organisational reputation and can lead to lawsuits. Add in potential financial penalties and a breach has the potential to close a business.
Summing up, I would say we need to change our approach to securing our organisations to protect all of the assets in a joined-up, blended approach. Everything we do should be informed by this, and that means opening lines of communication, understanding and training between disciplines.