Connecting physical objects and processes to the cyber world offers us capabilities that exponentially exceed the expectations of science fiction writers and futurists of past generations. But it also introduces disquieting possibilities. Those possibilities reach beyond cyberspace to threaten the physical world in which we live and – potentially – our own physical well-being. That’s the threat of cyber-kinetic attacks.
Our physical world is becoming more connected – which makes it more dependent on the cyber world. Many physical objects around us are no longer just physical, but extend into cyberspace, being remotely monitored and controlled. Increasingly, our factories, cities, homes, cars and, perhaps, even bodies are part of vast cyber systems created to run our physical world more efficiently.
Does that sound like the premise of a science fiction story? It shouldn’t, because it describes our current world. Does it sound a bit chilling? That’s because society’s rush to give us more ability to cyber-connect our world opens vulnerabilities that give others ability to use our physical world to harm us.
The growing reality of Cyber-Physical Systems (CPSes) such as Internet of Things (IoT) and Industrial Control Systems (ICS)
As you approached your car this morning, its door automatically unlocked. You found your engine running and your car interior at a comfortable temperature. As you drove, your car’s safety systems monitored traffic; they warned you if you strayed outside your lane; they would even apply your brakes themselves if they detected a potential collision. While you drove, cyber-connected traffic monitoring systems adjusted traffic light timing to reduce congestion.
These examples are the tip of iceberg regarding physical objects enhanced with cyber-connections.
Your water and power delivery depend on similar CPSes. Our civilization already runs on industrial control systems (ICS). As if that’s not enough, we are adopting internet of things (IoT) technologies ever so faster. CPSes can even include your body, as implanted devices such as heart monitors, defibrillators and insulin pumps are cyber-connected to medical personnel who can adjust them as needed.
The growing threat of cyber-kinetic attacks
CPSes enhance your life. But they carry with them the risk of cyber-kinetic attacks. Cyber-kinetic attacks consist of unauthorized personnel hijacking CPSes – whether in homes, cities, cars or human bodies – and using them to harm people or damage the environment.
Such attacks have already occurred, with physical damage inflicted on nuclear power plants, water facilities, oil pipelines, factories, hospitals, transit systems, apartment buildings and more. Only their scattered nature has prevented them from gaining more attention. I’ve been tracking many of them here.
Finding CPSes that provide peoples’ critical needs compromised with malware or backdoors is not rare. When my research team assesses critical CPSes for vulnerabilities, it is rare when we don’t find the systems already infected and ready to be exploited by the adversaries whenever they choose.
The rush to market
Connecting physical systems and devices to the cyber-world has obvious benefits. The process of connecting them, however, has consistently skipped a crucial step: making sure that critical CPSes are secure from unauthorized access.
Factories, water management facilities and power providers find great benefits in enabling administrators to monitor systems remotely. Their thoughts about security, though, often go only so far as wishful thinking that their systems are not attractive enough or are configured too obscurely for hackers to want to breach them.
Yet history tells us otherwise. Numerous incidents of disgruntled former employees seeking revenge, terrorists or state actors seeking disruptions or cybercriminals launching attacks have been reported.
Similarly, implanted medical devices have good reason to be cyber-connected to doctors for monitoring and adjustments. While those devices are rigorously tested to ensure they perform as designed, rarely are they tested for their ability to prevent unauthorized access. Manufacturers assume that, even though security flaws have repeatedly been demonstrated, no one would bother to exploit them.
Only when a person implanted with a cyber-connected medical device has been deemed to be a prominent enough target – such as former U.S. Vice President Dick Cheney in 2007 – have device manufacturers considered the potential dangers that inadequate cybersecurity in their devices poses.
Rethinking traditional security paradigms
Complicating the problem of preventing cyber-kinetic attacks is the fact that what needs protection in CPSes is different from what needs protection in traditional information systems. That calls for rethinking security approaches.
Traditional information systems protect sensitive information, so it doesn’t fall into the hands of those who would use it against the system owners. With CPSes, having unauthorized persons access their information is the least of administrators’ worries.
Keeping someone who breaches a nuclear power plant CPS from knowing system components’ temperature or pressure pales in significance compared to keeping them from compromising the system and destroying critical components. Similarly, keeping someone from knowing the insulin level of a person’s implanted insulin pump pales in significance compared to keeping them from causing the pump to administer a harmful dose.
Add to this the fact that security testing processes for information systems are not suitable for critical CPSes. Penetration testing can cause brief, but often acceptable system failures when searching for vulnerabilities in enterprise IT. In CPSes on which the well-being of an entire city or the life of a single patient depend, even a momentary failure could be devastating. Thus, new CPS testing approaches are needed.
Dealing with cyber-kinetic attacks
Concerns about cyber-kinetic attacks are not merely hype. They happen, and are increasing. Despite evidence that cyber-kinetic attacks are rising, those who drive adoption of increased cyber-connectedness overlook security, trusting that system flaws simply won’t be exploited.
Yet the numbers of hackers are growing. Hackers trained in cyber-armies sponsored by unfriendly countries are discovering more profit in choosing their own targets than in working for their homelands. Ransomware attacks that, only months ago, were known only to their few early victims and the security community have now vaulted into the headlines. And the dark web is training a growing number of disaffected “script kiddies” in how to make their mark on the world.
Our current crossroad
Our journey into a more cyber-connected world offers a utopian view of placing control of the physical objects and services we rely on literally at our fingertips. But the way that security is overlooked adds dystopian undertones of placing control of critical physical systems within reach of those who would disrupt our physical well-being.
In a world where cyber-kinetic attacks on critical CPSes are a reality, ignoring the potential for people to use our physical world against us is not an option. Security for the growing number of CPSes must be addressed to ensure that their benefits – and not their risks – are what define our future.
Originally published on CSO Online on 2 January 2018
For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.
Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.