Our physical world is becoming more connected – which makes it more dependent on the cyber world. Many physical objects around us are no longer just physical, but extend into cyberspace, being remotely monitored and controlled.

Consider the power plant or water plant that supplies your electricity and water. These systems have single-purpose computers embedded within each switch or valve. Each computer monitors system conditions and decides whether to open or close that switch or valve to keep the system running optimally.

They monitor and control systems at a level that humans would find too granular and too tedious to warrant their undivided attention. They also send a constant stream of data upward in the system to provide actionable information to more complex computers that control larger parts of the process. Because they monitor or control physical properties through logic embedded in a computation core, they are broadly described as Cyber-Physical Systems (CPS).

Or, let’s bring this closer to home. Let’s say you have a pacemaker or heart monitor or insulin pump to make up for the shortcomings of your heart or pancreas. In such a case, your body has become part of a CPS, with a mechanical device, guided by an embedded computational device, monitoring and automatically compensating for your organs’ limitations.

Here, too, the internal components are part of a larger system. They report their data to systems controlled by your doctor, who can monitor your condition remotely and adjust your devices if needed.

CPSes are increasingly prevalent in all aspects of modern life. If you drive a car with the latest safety features, they monitor traffic and apply the brakes if they detect a possible collision. CPSes control your appliances, work behind the scenes of your city’s traffic system to monitor flow and time lights to minimize gridlock, and enable entire factories of robots to build a car every minute. Shipping companies use CPSes to optimize transport routes and delivery schedules, soon to be carried out by autonomous ships. IIoT-linked wearables keep workers safe by using real-time biometric data to help avoid workplace fatigue and preempt accidents. Smart robotics, connected and self-driving transportation, autonomous drones, intelligent warehousing, connected industrial machinery, and even food delivery robots roaming our streets – the footprint of CPS (IoT, IIoT, ICS, robotics, etc.) devices and technology is rapidly growing. We are moving beyond simple automation to leverage the profound value of real-time connectivity, decision-making at the devices themselves, and increasing autonomy.

CPSes operate in virtually every aspect of your life – often without you even realizing it.

CPSes enhance your life. But, with their increased dependency on the cyber world, they carry with them multiple cyber-related risks. One category of cyber risks specific to CPSes is the risk of cyber-kinetic attacks. Cyber-kinetic attacks consist of hijacking CPSes – whether in homes, cities, factories, trains, cars or human bodies – and using them to harm people or damage the environment.

Defining Cyber-Physical Systems

One of the best definitions of the term cyber-physical systems was coined in 2006 by Dr. Helen Gill of the National Science Foundation. Dr. Gill defines CPS as:

“Physical, biological, and engineered systems whose operations are integrated, monitored, and/or controlled by a computational core. Components are networked at every scale. Computing is deeply embedded into every physical component, possibly even into materials. The computational core is an embedded system, usually demands real-time response, and is most often distributed”

Or, we might, perhaps, define cyber-physical systems as any systems in which sensors, actuators, and embedded computers (often networked) control physical processes, with feedback loops where physical processes affect computation and vice versa.

Defining Cyber-Physical Systems from the Risk Perspective

From the risk perspective, perhaps a better definition is the one I used at the Cyber-Physical Systems Security Institute (CPSSI) in the late 1990s:

“Cyber-Physical Systems are any physical or biological systems with an embedded computational core in which a cyber attack could adversely affect physical space, potentially impacting well-being, lives or the environment.”

This definition focuses specifically on a critical aspect of this technology: security. Lumping different types of systems under the umbrella term of CPS would be mostly academic were it not for the benefits to be gained from addressing the security risks they share. ICS, IoT devices, drones, smart grid, autonomous transportation (automobiles, aircraft, ships, etc.), computer-controlled artificial organs and connected medical implants, wearable technology – these digital systems differ hugely in their design and application, but they have one major trait in common: they can be hijacked to effect damage in the physical world.

Defining Cyber-Kinetic Attacks

This potential for harm makes CPSes particularly dangerous. Unlike strictly mechanical systems, their cyber half also gives them the potential to be hacked remotely by attackers anywhere in the world. Those that control the cyber can then control the physical, with possibly lethal consequences.

Cyber-kinetic attacks, therefore, transcend traditional cybersecurity boundaries to directly impact the physical world, putting lives, well-being, or the environment directly at risk. Such attacks extend beyond data breaches and financial losses, reaching into the realm of causing physical damage or endangering lives.

But let me step back. Several terms are used to describe the intersection of cyber and physical realms for malicious purposes. Understanding the nuances between these terms is crucial, as their similarities can lead to confusion. To effectively classify these threats, it’s helpful to categorize them based on the domain from which the threat originates and the domain where its impact is felt.

  • A physical-cyber attack is one that begins in the physical domain and has consequences in the cyber domain. Typically, such an attack targets physical infrastructure to disrupt cyberspace functionalities. For instance, damaging servers or network infrastructure disrupts access to and functionality within the cyber world. This category also includes actions like tampering with sensors to render them unable to transmit accurate data. The hallmark of this attack type is the physical damage to equipment, leading to compromised cyberspace operations. A subset of these attacks might also fall under the category of Intentional Electromagnetic Interference (IEMI) attacks, which target the analog aspects of electronic communications and computer processing, rather than the digital or cyber aspects.
  • Conversely, a cyber-physical attack originates in cyberspace and affects the physical world, particularly impairing cyber-physical systems’ ability to monitor and control physical processes. This broad category encompasses a range of motives and methods, from hackers launching Denial of Service (DoS) attacks on CPS to demonstrate vulnerabilities, to cybercriminals manipulating smart meters to fraudulently reduce electricity bills, or cybercriminals impacting operations in CPS-operating organizations in order to ransom the victim. Goals can vary widely, including financial goals, industrial or political espionage, or hacktivism aimed at coercing targets into compliance with the attackers’ demands. The defining characteristics of cyber-physical attacks are their initiation in cyberspace, their targeting of CPS, and their impact on physical operations.
  • Cyber-kinetic attacks are a subset of cyber-physical attacks with a more narrowly defined objective: to inflict tangible, physical damage. For example, state cyber-warriors or cyber-terrorists hacking into a power plant and causing generators to fail could leave millions of people and businesses without power, with not only massive inconvenience, but also significant economic damage. Other examples include cyber-terrorists attacking connected or autonomous vehicles to cause a crash; cyber-terrorists, cyber-warriors or cyber-spies assassinating people by attacking embedded medical devices; or – the holy grail of cyber-terrorism – causing explosions and/or environmental damage by remotely attacking nuclear power plants, chemical or gas installations, oil pipelines or other physical targets whose failure could cause catastrophic physical damage. These attacks aim to cause physical harm, disrupt critical services, or even lead to loss of life through the exploitation of vulnerabilities in information systems and processes. We are focusing in this article on cyber-kinetic attacks, given their direct impact on physical safety.

A definition I previously suggested is therefore:

“Cyber-Kinetic Attacks target Cyber-Physical Systems and cause direct or indirect physical damage, injury or death, or environmental impact solely through the exploitation of vulnerable information systems and processes.”

Although cyber-kinetic attack is a relatively new term, an apocryphal story suggests that the concept of such an attack was conceived as far back as the 1980s. The story goes that the U.S. Central Intelligence Agency learned in 1982 of Soviet efforts to steal natural gas pipeline control software from a Canadian company. In response, the CIA supposedly introduced defects into the software so that the version the Soviets stole would cause pipeline pressure to build until pipes ruptured. According to the story, this eventually occurred in a Siberian pipeline in an explosion so massive that it could be seen from space. Although the story has never been confirmed by any other source, it shows that the concept of cyber-kinetic attacks was understood long before our world became so ubiquitously cyber-connected.

As far back as 2015, Charlie Miller, a security researcher at Twitter, and Chris Valasek, director of Vehicle Security Research at IOActive, proved the havoc that could be wreaked by hackers commandeering CPSes. In a now-famous exercise for Wired magazine, the duo used remote access to hack into a car driving on the highway. From 10 miles away they were able to control the vehicle’s air conditioning, radio and windscreen wipers. But they were also able to cut the engine and take over the steering.

Now imagine the same scenario extrapolated across a network of driverless cars traveling at over 100 miles an hour in perfect precision. That’s pretty much what one of my teams did many years ago – demonstrated to a car manufacturer how we were able to take control over all of the cars of a particular new model that were connected at the time, anywhere in the world. The potential damage that could be done instantly by malicious cyber attackers who infiltrate the network, or even just one car, is harrowing to consider. That is the nature of cyber-kinetic risk.

The implications of cyber-kinetic risks are profound and far-reaching. Attacks on CPSes can lead to scenarios such as:

  • Critical Infrastructure Disruption: Compromising the control systems of utilities can lead to widespread power outages, water contamination, or transportation chaos.
  • Endangerment of Human Lives: Attacks on connected vehicles or medical devices can directly endanger lives, turning everyday objects into potential threats.
  • Economic and Environmental Damage: Cyber-kinetic attacks on industrial systems can cause significant economic disruption and environmental harm, from factory shutdowns to oil spills.

How serious is the risk?

Such attacks have already occurred, with physical damage inflicted on nuclear power plants, water facilities, oil pipelines, factories, hospitals, transit systems, apartment buildings and more. I’ve been tracking many of them here up until 2017.

Their scattered nature has prevented them from gaining more attention. They are also often kept confidential. Unlike breaches of personal data, which have reporting regulations, most jurisdictions don’t have reporting requirements for cyber-kinetic attacks. They often end up being tracked as regular industrial accidents without the general public being any wiser. My teams have investigated many such non-public incidents that resulted in injuries or fatalities but never made the news.

In my former firm, we surveyed several hundred heads of engineering, safety, and cyber leaders across large CPS-operating organizations. Conducted by an independent third-party organization guaranteeing full anonymity, the survey got a startling 7% of respondents stating that they had, at some point in the past, experienced injury or death of employees as a negative consequence of cyber attacks on their organization, and 6% reported injury or death of members of the general public.

Even though actual, serious cyber-kinetic attacks are rare, these are the types of risks where the likelihood is low, but the impacts are huge and therefore deserve serious consideration.

There is another reason why we should take these attacks seriously. When performing threat hunting within key systems of critical national infrastructure organizations in several countries with ongoing disputes with one of the cyber superpowers, we regularly found CPSes that provide people’s critical needs compromised with malware or backdoors. When my research team assessed those critical CPSes, it was rare not to find the systems already infected and ready to be exploited by adversaries whenever they chose. We’d clean the systems and implement additional security controls, only to find the systems often compromised all over again, now in a more advanced way, one year later when we returned to re-assess.

Cyber-kinetic risks, as demonstrated, have significant impacts. These risks are, in fact, far more common than what is generally reported by the media and understood by the public. With the rapid integration of cyber-physical systems into every facet of our lives, these risks are increasing quickly. It is critical for every organization to develop strategies that mitigate these cyber risks with potential safety consequences.

Cyber-Kinetic Risks: A Distinct Challenge Beyond Traditional Cybersecurity

While traditional cybersecurity risks have long been a concern for IT professionals, the emergence of cyber-kinetic risks introduces a new dimension to the digital threat landscape. These risks are not merely an extension of the cybersecurity challenges we’re accustomed to; they represent a unique category that requires a broader, interdisciplinary approach. Understanding why cyber-kinetic risks should be considered differently from traditional cybersecurity risks is crucial to successfully mitigating these threats.

Every aspect of cybersecurity, from vulnerability assessment and management to hardening, monitoring, detection, and incident response, differs when applied to cyber-kinetic risks. Most traditional IT cybersecurity measures are not directly transferable to the context of CPS, as the safety outcomes of cyber-kinetic attacks require a different approach to risk assessment and mitigation.

In this section, I will outline the key differences between cyber-kinetic security and “traditional” cybersecurity. Please note that there exists a huge number of differences between IT cybersecurity and the cybersecurity of Cyber-Physical Systems (CPS), as currently applied to Operational Technology (OT) and IoT systems for protection against more conventional cyber threats. However, I will not get into those distinctions. Instead, my focus will be solely on those aspects where the embedded safety concerns require an even more distinct approach than is currently being considered for OT security.

The Multifunctional Challenge of Cyber-Physical Systems

Addressing the cybersecurity of cyber-physical systems is inherently a multifunctional challenge. It requires a fusion of cybersecurity and IT skills with disciplines such as engineering, automation, process control, and others that deal with the “physical” aspects of cyber-physical systems. The integration of these disciplines is essential for understanding and mitigating the risks associated with the interconnectedness of digital and physical systems.

When considering cyber-kinetic risks, an additional layer of complexity is introduced: safety. This requires the involvement of even more stakeholders, often from a combination of disciplines that may have never worked together before, and that have different cultures, terminologies, processes, reporting hierarchies, metrics, etc. The safety aspect requires an in-depth understanding of how cyber threats can translate into physical consequences, making the management of these risks significantly more challenging.

Cyber-Kinetic Incident Response

When it comes to cyber-kinetic attacks, the incident response is drastically different from “traditional” cyber attacks. In IT cyber-attacks, the Computer Emergency Response Team (CERT) / Computer Incident Response Team (CIRT) typically leads the charge, orchestrating containment, eradication, and recovery efforts. These teams are well-versed in digital forensics, malware analysis, and the restoration of IT services, and are used to being in charge.

However, the situation shifts dramatically when addressing cyber-kinetic incidents. In such scenarios, the response hierarchy or the Incident Command System changes, with CERT/CIRT roles becoming part of a broader, more complex response framework, and very often ending up somewhere at the bottom of the response hierarchy.

The immediate safeguarding of human life and the preservation of the environment is handled by the emergency services. They control the scene at the outset of the incident.

Following the stabilization of immediate safety concerns, national security agencies and critical infrastructure protection entities often step in. Their focus is on assessing the broader implications of the attack, including potential threats to national security and the resilience of critical infrastructure. This phase may involve complex coordination between various governmental and non-governmental organizations, each with a role in safeguarding public welfare and national interests. CERT/CIRT here again might not have any role to play or even visibility.

Once the site is deemed secure from immediate threats, the responsibility transitions to the victim organization’s internal safety and security teams. These teams are tasked with ensuring that any remaining hazards are thoroughly addressed, and the environment is safe for recovery operations.

The focus then shifts to the restoration of impacted physical processes. Reliability engineers and process engineers take control of the incident, with the focus on resuming normal operations as much as possible, even if the physical processes are temporarily controlled manually. Again, CERT/CIRT teams might not have any role to play in this phase.

Finally, CERT/CIRT teams have the opportunity to engage, focusing on identifying the root cause of the cyber aspect of the attack, securing digital systems against future threats, and conducting a thorough digital investigation. However, this step is approached with caution. In some instances, the decision may be made to forego immediate cyber remediation if it poses a risk of further disrupting critical operations.

Responding to cyber-kinetic incidents demands a comprehensive, multidisciplinary approach that extends beyond the digital domain to address the physical, human, and environmental impacts. The response will work only with the effective integration of emergency services, national security efforts, organizational safety protocols, engineering expertise, and cybersecurity knowledge. The problem is – these functions never used to work together before. And they are all used to being in charge in their “traditional” silos. Getting them to learn to work together through a detailed Incident Command System (ICS), response playbooks, and realistic and frequent cyber-kinetic incident simulations is a prerequisite for effective cyber-kinetic incident response.

Lack of Crisis Decision-Making Information

One of the largest obstacles in managing cyber-kinetic incidents is the absence of reliable, timely information. Following the physical impact of such an incident, the immediate focus is on addressing the physical aftermath, not on validating a potential cyber origin. The lag between the incident’s occurrence and the availability of concrete evidence indicating malicious cyber activity can span weeks, leaving decision-makers in a precarious position.

This delay presents a huge challenge for Crisis Management Teams (CMT) dealing with these scenarios. The introduction of a potential cyber component disrupts established physical crisis response protocols. In case of a malicious cyber-kinetic attack, they may need to proactively shut down or disconnect other operations using the same vulnerable CPSes – something they would never consider in other scenarios. This decision must be made swiftly, but can be tough as it involves weighing potential massive operational impacts against potential further human safety impacts.

During simulations of cyber-kinetic incidents conducted with my clients, it’s common for Gold CMT members to become very frustrated about this particular aspect – making decisions on a scale that could bring the company down (massive operational downtime or allowing further injuries or fatalities) without any reliable information. However, confronting this in a simulated environment is necessary and much better than leaving these challenges for when a genuine crisis hits.

Media Scrutiny

For obvious reasons, the media will put a much brighter spotlight on organizations suffering from cyber-kinetic attacks than those that experienced traditional data breaches or ransomware.

The unfortunate reality of cyber-kinetic incidents is that reliable information on the root cause of such attacks is hard to come by. It will take time to confirm whether there was a cyber root cause, and even more time to confirm whether it was a malfunction or a malicious attack. The media, however, will demand answers straight away. Scarcity of information will only add fuel to the fire of media scrutiny.

This relentless pursuit of answers by journalists, while understandable, can sometimes rush organizations into premature or inaccurate statements, complicating the crisis further. In this high-stakes environment, the narrative can quickly shift from one of victimhood to vilification, challenging the organization’s reputation and the public’s trust in ways that could be difficult to recover from.

Market and Stakeholder Perception of the Victim

The public and stakeholder perception of victims varies significantly between traditional cyber attacks and cyber-kinetic attacks. In the wake of cyber-kinetic attacks, the perception shifts from sympathy in the case of “traditional” cyber attacks to condemnation when the physical world is impacted. The public and stakeholders are much less forgiving when the stakes involve human lives, health, or environmental well-being.

In traditional cyber attacks, such as data breaches, the victim organization often receives sympathy from stakeholders and the general public. Although the share prices of companies that fall victim to significant data breaches may initially drop, they tend to recover in increasingly short time frames. The media and public tend to view these organizations as victims of sophisticated and inevitable cyber threats. With the frequency of such breaches, the public has come to accept them as an unfortunate but unavoidable aspect of the digital age, much like victims of natural disasters, who are also met with widespread sympathy and support.

However, the narrative will shift dramatically in the case of cyber-kinetic attacks, where inadequate cyber controls lead to tangible impacts on lives, well-being, or the environment. In these instances, the impacted organization will not be seen through the lens of victimhood but rather as a failure. The lack of adequate cyber controls in these cases is viewed not just as an oversight but as a grave negligence that led to tangible physical impacts.

This partially explains why victims so far have been reluctant to share information about their cyber-kinetic incidents.

Preparing for this means spending more time and preparation effort on crisis PR, training the executive team on what to say and how to say it, preparing playbooks and ready-made statements, etc.

Rethinking the CIA Triad for Cyber-Kinetic Risks

This topic often ignites spirited debates, so brace for some passionate discourse in the comments below. My aim isn’t to claim any superior paradigm but rather to encourage practitioners to start thinking beyond the confines of their traditional cybersecurity education.

The cybersecurity of Cyber-Physical Systems (CPS) may require rethinking of many foundational elements of cybersecurity, including the basic CIA triad—Confidentiality, Integrity, and Availability—that has underpinned cybersecurity practices for decades.

  • Confidentiality ensures data is kept secret from unauthorized entities.
  • Integrity guarantees data remains unaltered and trustworthy.
  • Availability ensures systems operate continuously, providing authorized users access to data as needed.

For the purpose of protecting the cyber side of CPSes, we can indeed compare CPS against these concepts, and we will likely find our primary concerns largely lie in the area of integrity, as opposed to confidentiality – the traditional focus of enterprise cybersecurity. The integrity of sensor data or control commands is critical; any compromise here can have dire consequences. Consider the following scenarios:

  • A breach in the confidentiality of an automated insulin pump might reveal a patient’s glucose levels. However, a compromise in data integrity could lead to incorrect insulin dosages, risking hypoglycemia or even death.
  • For an autonomous drone, confidentiality breaches might expose its location and battery status. But if the drone’s geofencing system integrity is compromised, it could be forced into restricted airspace, posing significant risks.
  • Accessing a smart traffic light system could unveil its operational cycles. Yet, altering the system’s integrity by changing these cycles could cause catastrophic accidents.
  • Information about a connected vehicle’s fuel consumption or a driver’s habits might interest a hacker. More alarmingly, tampering with the vehicle’s sensor data or system commands could lead to loss of control, accidents, or worse.

Interestingly, several OT/CPS security frameworks prioritize Availability (A) over Integrity (I) and Confidentiality (C), suggesting an A-I-C hierarchy. However, in the context of cyber-kinetic risks, I argue that Availability should not take precedence. Our primary concern is the protection of human life; operational disruptions due to Availability issues are secondary. Moreover, my assumption is also that these days many CPS are designed to fail-safe, meaning a loss of availability should not compromise safety. Thus, I propose an I-A-C hierarchy for cyber-kinetic risk contexts.

Yet, adhering strictly to the CIA or IAC triad may not fully address CPS security needs. While Integrity and Availability are paramount, additional considerations emerge with systems that interact with or control physical elements.
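The I-A-C ordering and the fail-safe assumption can be made concrete in code. The following is an added example, not part of the original article or any real pump firmware: a simulated insulin-pump command receiver that authenticates every command (Integrity first), treats a silent command channel as a reason to fall back to a safe dose rather than as a safety hazard (Availability second), and leaves the command in the clear, so an eavesdropper learns the dose but cannot forge one (Confidentiality last). The HMAC-SHA256 scheme, sequence counter, heartbeat timeout, dose bounds and key are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo values: shared key and safety envelope for the simulated pump.
KEY = b"constructed-demo-key-not-for-real-devices"
SAFE_DOSE = 0.0        # dose the pump falls back to whenever the channel is untrusted or silent
MAX_DOSE = 5.0         # plausibility bound; a well-formed command can still be unsafe
HEARTBEAT_TIMEOUT = 30  # seconds without a valid command before fail-safe


def sign(cmd: dict) -> dict:
    """Controller side: attach an HMAC-SHA256 tag over the canonical JSON of the command."""
    body = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return {"cmd": cmd, "tag": tag}


@dataclass
class PumpController:
    last_seq: int = -1
    last_valid_time: float = 0.0
    dose: float = SAFE_DOSE
    log: list = field(default_factory=list)

    def fail_safe(self, reason: str, now: float) -> float:
        # Design choice for the demo: any trust failure or silence returns to the safe dose
        # and raises an alarm record, so a cyber event never becomes a kinetic one.
        self.dose = SAFE_DOSE
        self.log.append((now, "FAIL_SAFE", reason))
        return self.dose

    def receive(self, msg: dict, now: float) -> float:
        """Integrity first: authenticate and bound-check before acting on any content."""
        body = json.dumps(msg["cmd"], sort_keys=True).encode()
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return self.fail_safe("bad MAC", now)
        cmd = msg["cmd"]
        if cmd["seq"] <= self.last_seq:
            return self.fail_safe("replayed or stale seq", now)
        if not 0 <= cmd["dose"] <= MAX_DOSE:
            return self.fail_safe("dose out of bounds", now)
        self.last_seq = cmd["seq"]
        self.last_valid_time = now
        self.dose = cmd["dose"]
        self.log.append((now, "APPLY", cmd["dose"]))
        return self.dose

    def tick(self, now: float) -> float:
        """Availability second: loss of the channel degrades to the safe dose, not to a hazard."""
        if now - self.last_valid_time > HEARTBEAT_TIMEOUT:
            return self.fail_safe("command channel silent", now)
        return self.dose


def run_scenario() -> list:
    """Constructed timeline: valid command, tampered copy, replay, new command, then silence."""
    pump = PumpController()
    good1 = sign({"seq": 1, "dose": 1.5})
    pump.receive(good1, now=0)                 # APPLY 1.5
    tampered = sign({"seq": 2, "dose": 1.0})
    tampered["cmd"]["dose"] = MAX_DOSE          # altered after signing: MAC no longer matches
    pump.receive(tampered, now=10)             # FAIL_SAFE bad MAC
    pump.receive(good1, now=20)                # FAIL_SAFE replayed seq 1
    pump.receive(sign({"seq": 3, "dose": 2.0}), now=25)  # APPLY 2.0
    pump.tick(now=40)                          # 15 s since last valid command: still 2.0
    pump.tick(now=60)                          # 35 s of silence: FAIL_SAFE
    return pump.log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```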

To encompass these broader concerns, we might look to the Parkerian Hexad, which expands the framework to six elements by adding Possession/Control, Authenticity, and Utility:

  • Possession/Control emphasizes preventing unauthorized system takeovers.
  • Authenticity ensures data originates from legitimate sources.
  • Utility balances security with maintaining device functionality for authorized users.

Another concept gaining traction in OT security discussions is SRP: Safety, Reliability, Productivity, with a primary focus on “Safety.” Of course, with Safety being prioritized, I am already a fan. The difference, however, is that while CIA/IAC focus on the data or cyber aspect of a CPS, SRP offers a broader operational perspective, emphasizing the overall functioning and operational integrity of the whole CPS and integrating cyber protection within a larger context of system safety and efficiency. SRP should therefore be seen as complementary to, rather than a replacement for, cyber-focused frameworks like the CIA/IAC triad or the Parkerian Hexad.

The Rarity of Required Skills

The unique nature of cyber-kinetic risks, combined with the need for an interdisciplinary approach, means that the skills required to effectively manage these risks are rare in the market. Professionals who possess a deep understanding of both the cyber and physical domains, as well as safety principles, are in high demand but short supply. This scarcity of skills further complicates the challenge of protecting against cyber-kinetic threats.

Conclusion

Cyber-kinetic risks represent a special category of threats that require a distinct approach to risk management. The integration of cybersecurity, engineering, process control, and functional safety disciplines is essential for addressing the multifaceted challenges posed by these risks. As our reliance on cyber-physical systems continues to grow, developing strategies to mitigate cyber-kinetic risks will become increasingly important. Collaboration across diverse fields of expertise is key to safeguarding our interconnected world against the potential physical consequences of cyber threats.

For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.

Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.