More than one in 10 data breaches now involve “physical actions,” according to a recent report. These include leveraging physical devices to aid an attack, but also hacks that involve breaking into hardware and remote attacks on physical infrastructure.
The stat underscores the realities of a shrinking gap between physical and cyber infrastructures. And, according to security professionals, one that should be forcing individuals, businesses and governments to combine both cyber- and physical security efforts, experts say.
“When your door lock, when your burglar alarm, when your fire suppression system is computerized, networked and on the internet, you have no choice but to integrate them,” said Bruce Schneier, security expert. “Integration is happening because computers are moving into a space that was only physical.”
But for all the advantages of integration, there are the security downsides. From hotel door card systems, to surveillance cameras and even cooling and heating systems, each of these devices are open to vulnerabilities and to hacking.
“There’s an acknowledgement among many organizations that this is a very real threat,” said Ali Neal, director of international security solutions at Verizon. Industrial and manufacturing businesses, he said, are looking at ways to isolate devices and segment their networks. But anyone using Internet of Things devices faces a problem.
“Developers need to ensure security is built in by design,” Neal said. “Software platforms need to be designed so these devices are secure from the get go.”
One example of a cyber-threat turned physical includes the BlackEnergy APT’s 2015 attacks against the Ukraine, which damaged the county’s critical infrastructure. More recently researchers identified a vulnerability in electronic vehicle charging stations that could allow an attacker to adjust the maximum current that can be consumed during charging which could result in a fire due to wires overheating. In November, code-execution vulnerabilities were discovered in a range of IoT connected home cameras made by Yi Technology.
Act Now, Before the Machines Take Over
Governments and government agencies, are starting to act.
Cyber is now viewed as a Tier One threat, according to the UK government. But keeping systems secure is harder than it was, warned Mike Gillespie, managing director of security consultancy Advent IM, and a speaker at the recent International Security Expo in London.
Until the 1990s, most critical infrastructure – including power, water and transportation – was in the hands of a few large businesses, often state controlled.
“What we are seeing is that some systems, and automation of systems, are introducing a cyber threat,” said Lyn Webb, a partner in the security practice at professional services firm Deloitte.
The situation is forcing organizations to take a different, and more joined-up, approach to their security. As Webb explains, vulnerable physical security systems pose a threat to IT system security. But weak cybersecurity can equally pose a threat to an organization’s physical infrastructure – or to its people.
“Over the last three years, we’ve been invited by firms to review their physical security, such as gate guards,” she said. “But when we have the conversation, it is as often about behavior; leaving an unlocked laptop on the desk or the password on a note … you need to have a culture where cyber- and physical security weave together.”
As Webb points out, sectors such as defense, oil and gas and energy, and financial services are more likely to have a strong corporate security culture. That culture covers information security but also personnel vetting and behavior monitoring, and a greater focus on insider threats. They are also more likely to train staff to avoid high-risk behaviors, both online and in the physical world.
But, when it comes to the Internet of Things, even security-conscious businesses and governments are still feeling their way. Organizations need to balance the benefits of connectivity – including improved uptime, lower running costs and a richer stream of information – with the risks of putting smart devices online.
At the International Security Expo in London, one manufacturer of security equipment for the aviation industry – which asked not to be identified – conceded that it had removed the option for remote diagnostics from its products. Buyers felt that the security risks outweighed the benefits.
Is Regulating Security the Solution?
For most devices, though, removing connectivity is not an option. Instead, as Schneier suggests, industry needs to improve security for connected devices. If industry fails to act, then Schneier is calling on governments to regulate the sector.
Regulation, though, will take time. For now, organizations need to act to improve their own cyberphysical security, and look again at the type of equipment they buy.
“When the default is to connect everything, you have to commoditize what you are doing,” said David Atkinson, founder and CEO of UK specialist security firm Senseon. “You are connecting devices that are done cheaply, and are mass produced. Code review is one of the first things to go on IoT. There is a real risk of a pandemic of devices that have very little security protection.”
If buyers press for more security and better privacy protection in devices, then industry might respond. But at the very least, CISOs and technology buyers – particularly those outside IT – need to be aware of the risks posed by devices that cannot be secured, patched or often, managed.
At the very least, “risky” devices should be isolated or air gapped from critical systems, whether that is a business’ customer database, or an automobile’s brakes and engine management systems. “You really need to think about your security choices, and how you will do that when there are hundreds of millions, or even billions of devices,” warned Atkinson. “That is the challenge.”
“Cybercontrols have physical repercussions,” stressed Marina Kidron, director of threat intelligence at Skybox Security. “When those controls are compromised, so too is the safety of employees and communities. In critical infrastructure, cybersecurity and physical security need to go hand in hand. The leaders of both these programs need to communicate the risks – and plan their responses.”
HVAC System Leveraged in Massive Fortune 100 Firm Hack
As Schneier points out in his recent book, Click Here to Kill Everybody, the threat posed by connected devices is pervasive, because internet-connected devices are pervasive. Equipment that was isolated, “air gapped,” or simply not connected to other computers, let alone the internet, now is. Connectivity is so cheap that it will soon be hard to buy unconnected devices, Schneier argues.
This ubiquitous connectivity creates openings for opportunistic hackers. Connected devices are mostly lightly defended and a fairly simple means by which to launch ransomware or, as in the case of the Mirai botnet, DDoS attacks. But, the scope of potential attacks against the IoT is as broad as the IoT itself.
“We are seeing industrial groups, nation states, hacktivist organizations and crime groups all employing hackers,” explained IM’s Gillespie. “We are seeing denial of service as a service, and ransomware as a service.” But, he said, 11 percent of organizations operating critical national infrastructure admit that they do not patch their systems.
Connecting systems that were previously isolated or offline brings new risks. These risks threaten not just the systems themselves, but potentially the whole of the business.
The now infamous Target breach followed exactly that pattern, with a vulnerable heating and ventilation system used to make a “lateral move” into the retailer’s servers and point of sale systems.
“The threat landscape has changed significantly for operational technology (OT) environments as their connectivity to IT networks and the internet has exponentially increased,” Skybox’s Kidron said. “Today, IoT devices, like remote sensors transmitting data over Wi-Fi, have introduced millions of new access points in organizations responsible utilities, energy, manufacturing and more. Additionally, there is a greater need to connect operational technology computer, control and inventory systems to corporate IT networks to better manage the business and production.”
Blurring of the Line Between APTs and Common Cybercriminals
Technology, and opportunity, is changing security around physical devices.
“Threat actors have in the last few years put considerable efforts into breaking into OT environments to disrupt, damage or extort the organization, ranging in seriousness from cyber warfare to simple money-making schemes.,” said Kidron. “What’s changed is that you’re seeing a blurring of lines between tactics of the nation-state, APTs and common cybercriminals. NotPetya was a prime example of a nation-state threat actor in ransomware’s clothing, and it’s likely not the last we’ll see of these types of attacks.”
This is not science fiction: As well as Triton and Stuxnet, power grids saw attacks in the Ukraine in 2015 and 2016. Researchers maintain that foreign powers continue to probe power systems and other critical infrastructure in the US and her Western allies. And in many cases, private companies lack the resilience, resources and experience to defend against a sustained, nation-state attack.
But there is another twist to the story. Devices that companies – and individuals – buy to improve their security are proving insecure. It’s been a couple of years now since researchers demonstrated that they could take control of CCTV cameras. But companies continue to invest in connected security hardware, without assessing the cyber-risks.
Then there are the risks of escalation and contagion. IoT or connected systems might, in isolation, fall short of posing threats to national infrastructure, but they can do so if attacked en masse. One cellphone operator or ATM owner being attacked is costly and inconvenient, but it is not a systemic threat.
If all banks are attacked, or all mobile phone networks using a particular piece of hardware, are taken offline, then the impact of this “class break” will be much more serious. That is why governments are so concerned about electrical power. Few modern systems can operate without it, and once the power grid goes down, it is only a question of time before other systems – from telecommunications to water, and even health care – start to fail.
Security and law-enforcement agencies are just starting to appreciate how an attack against a class of low-level connected devices could be the trigger for a much deeper crisis.