By Omar Tisza
As our lives grow ever more dependent on web-enabled goods and services, many seem too willing to push security and resiliency to the wayside, at an increasingly high cost. Security and resilience within our critical infrastructure are a complex puzzle to solve. The diverse public and private stakeholders involved in operating, maintaining, consuming, and even regulating critical infrastructure must not only coordinate amongst each other, but also treat the cyber and physical realms in tandem, not independently, as the genesis of existential threats that could have cascading consequences across industries.
We use the terms blended and complex threats to account for threats that operate within, and cross over, physical and cyber boundaries. The following is a brief refresher on the definitions of complex and blended threats:
We define blended threats as natural, accidental, or purposeful physical or cyber dangers that have, or indicate the potential to have, crossover impacts and harm life, information, operations, the environment, and/or property.
Complex threats are two or more separate attacks aimed at the same general or specific target(s) or objective(s). The key distinction of a blended threat is the crossover component: one attack with crossover effects, a threat that originates in one domain and has impacts in another domain.
Below are examples of the terms above contextualized in recent incidents and vulnerabilities.
Attack of the USBs
Kaspersky: “Weaponized USB devices as an attack vector” 17 April 2019 by Alex Perekalin (@couldstrafe). “USB devices are not limited to flash drives” when it comes to exploiting a USB port as an entry point for a cyber attack. “Human interface devices (HIDs) such as keyboards and mice, charging cables for smartphones, and even things like plasma balls and thermal mugs, can be tampered with to target” victims with inadequate USB security. The most recent generation of weaponized USB devices includes the “WHID Injector” and “Bash Bunny” tools, which pose as innocuous peripherals and, by presenting themselves to the host as a keyboard, can “execute commands and run apps” on laptops that are “not connected to any networks by USB, Ethernet, or Wi-Fi.” Prevention takes a multidimensional approach that “ensure[s] physical security first, so that unauthorized personnel cannot plug in random USB devices,” once again exemplifying the need to understand the breadth of complex and blended threats and how they can harm the physical and cyber dimensions of unsuspecting organizations.
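Because an injector of this kind enumerates as a keyboard, the host's own device log is the place to catch it. The script below is an added example, not code from the Kaspersky article or from Gate 15: it parses constructed Linux dmesg-style lines, correlates each newly attached USB device with any HID keyboard interface and mass-storage interface it exposes, and flags keyboards that are not on a hypothetical organisational allow-list, with the keyboard-plus-storage composite (the classic injector profile) called out separately. The log lines, the allow-list and the vendor/product ID ffff:0001 are constructed for the example; 046d:c52b and 0781:5581 are ordinary Logitech and SanDisk IDs used only as the benign baseline. This is a compensating control for HID injection only; a USB Killer delivers a voltage surge rather than keystrokes and no log parser will stop it.

```python
import re

# Constructed dmesg-style sample (not from the article). ffff:0001 is a made-up ID standing in
# for a hobbyist injector board; the other two IDs are ordinary consumer devices.
SAMPLE_DMESG = """\
[  101.001] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  101.050] hid-generic 0003:046D:C52B.0001: input,hidraw0: USB HID v1.11 Keyboard [Logitech USB Receiver] on usb-0000:00:14.0-1.2/input0
[  240.300] usb 1-1.4: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[  240.320] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[  305.700] usb 1-1.3: New USB device found, idVendor=ffff, idProduct=0001, bcdDevice= 1.00
[  305.720] hid-generic 0003:FFFF:0001.0002: input,hidraw1: USB HID v1.11 Keyboard [Charging Cable] on usb-0000:00:14.0-1.3/input0
[  305.730] usb-storage 1-1.3:1.1: USB Mass Storage device detected
"""

# Hypothetical allow-list of keyboards the organisation has issued (vid:pid, lower-case hex).
APPROVED_KEYBOARDS = {"046d:c52b"}

# "usb 1-1.2: New USB device found, idVendor=046d, idProduct=c52b" -> port, vid, pid
NEW_DEV = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
# "hid-generic 0003:046D:C52B.0001: ... Keyboard ..." -> a HID keyboard interface for vid:pid
HID_KBD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.[0-9a-fA-F]+: .*\bKeyboard\b"
)
# "usb-storage 1-1.4:1.0: USB Mass Storage device detected" -> a storage interface on that port
STORAGE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log: str) -> dict:
    """Build {port: {"id": "vid:pid", "keyboard": bool, "storage": bool}} from dmesg text."""
    devices = {}
    for line in log.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m["port"]] = {"id": f"{m['vid']}:{m['pid']}".lower(), "keyboard": False, "storage": False}
            continue
        m = HID_KBD.search(line)
        if m:
            # hid-generic reports the IDs in upper case; match on the normalised vid:pid
            dev_id = f"{m['vid']}:{m['pid']}".lower()
            for dev in devices.values():
                if dev["id"] == dev_id:
                    dev["keyboard"] = True
            continue
        m = STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["storage"] = True
    return devices


def flag_suspicious_hid(devices: dict, approved=APPROVED_KEYBOARDS) -> list:
    """Return (port, vid:pid, reason) for every keyboard that is not an approved, keyboard-only device.
    A device that is both a keyboard and a disk is the injector profile even if its IDs look approved."""
    findings = []
    for port, dev in sorted(devices.items()):
        if not dev["keyboard"]:
            continue
        if dev["id"] in approved and not dev["storage"]:
            continue
        reason = ("keyboard+mass-storage composite (HID injector profile)"
                  if dev["storage"] else "keyboard not on allow-list")
        findings.append((port, dev["id"], reason))
    return findings


if __name__ == "__main__":
    for port, dev_id, reason in flag_suspicious_hid(parse_usb_events(SAMPLE_DMESG)):
        print(f"ALERT port {port} device {dev_id}: {reason}")
```

On the sample the Logitech receiver is approved and keyboard-only, the SanDisk stick never claims to be a keyboard, and the "charging cable" on port 1-1.3 is flagged as a keyboard-plus-storage composite. In production the same logic runs against the journal or a udev hook, and the allow-list is the inventory of issued peripherals, not a list of vendor IDs, since an injector can present any IDs it likes.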
Killer USB on College Campus
U.S. Department of Justice: “Former Student Pleads Guilty to Destroying Computers at The College of St. Rose” 16 April 2019 by the U.S. Attorney’s Office Northern District of New York (@TheJusticeDept). “[Vishwanath] Akuthota admitted that on February 14, 2019, he inserted a ‘USB Killer’ device into 66 computers, as well as numerous computer monitors and computer-enhanced podiums, owned by the college in Albany. The ‘USB Killer’ device, when inserted into a computer’s USB port, sends a command causing the computer’s on-board capacitors to rapidly charge and then discharge repeatedly, thereby overloading and physically destroying the computer’s USB port and electrical system.” (A note on the mechanism, since the DOJ wording is loose: a USB Killer sends no command. It carries its own capacitor bank, charges it from the port’s 5 V supply, and dumps the stored charge back onto the data lines at well over a hundred volts, repeating until something on the host side fails. Because it is a voltage surge rather than data, software controls do nothing against it; the defences are physical, such as port blockers, disabling unused ports, and controlling who can reach a machine.)
Additionally, “his actions caused $58,471 in damage, and [he] has agreed to pay restitution in that amount to the College [of St. Rose].”
Malware and Industrial Plants: Physical Vulnerabilities
Malwarebytes Labs: “Malware targeting industrial plants: a threat to physical security” 17 April 2019 by Pieter Arntz (@MetallicaMVP). “If malware breaches a manufacturing organization and gains control of certain processes, there are some immediate threats to the physical security of those inside and around an industrial plant.” Some of these involve the extreme heat, radioactivity, and dangerous chemicals used in industrial processes. Internet connections and “the proliferation of Bring Your Own Device (BYOD)” create potential entry points into the industrial ecosystem for cyber threat actors. “Another point of concern might be the use of connected devices under the Industrial Internet of Things (IIoT) for existing industrial control systems,” which can also be high-value targets. To avoid physical harm to personnel in industrial environments during a cyber incident, “there should be a fail-safe to shut down the plant to a state where no dangers can come into play.” The fail-safe is the last line, however: preventative cybersecurity measures are still needed to keep blended and complex threats out of industrial environments in the first place and to mitigate the risks of an incident of this kind.
Car2Gone: Chicago Heist
Motherboard: “Thieves Somehow Stole 100 Car2Go Cars in Chicago” 17 April 2019 by Lorenzo Franceschi-Bicchierai (@lorenzofb). “Thieves have stolen 100 cars from the car sharing company Car2Go in Chicago using a ‘mobile app,’ according to the Chicago Police Department. Car2Go confirmed in a statement to Motherboard that 100 cars were taken and added that the company is working with law enforcement to ‘neutralize a fraud issue.’ The company also clarified that this was not a ‘hack,’ but did not elaborate about how the cars were stolen. Car2Go offers Smart cars and Mercedes Benz vehicles in Chicago. Normally, the cars are unlocked with an app. We don’t yet know whether the thieves found a vulnerability in the app that allowed them to unlock the cars en masse.”
Four More Reasons to Fear Flying
Dark Reading: “Airports & Operational Technology [OT]: 4 Attack Scenarios” 02 April 2019 by Edy Almer (@DarkReading). Keeping in mind that the following aviation systems operate as OT and that “these are not theoretical risks,” below are four attack scenarios that could harm the aviation sector. First, baggage handling systems are vulnerable to “OT-specific malware” that can divert a bag around secondary security checks or away from its correct destination, opening the door for destructive materials to bypass airport security. Second, aircraft tugs, used for moving planes to the bridge and other equipment, can be hijacked if connected to the web and driven into aircraft or airport infrastructure. Third, OT de-icing systems keep ice off the airframe, which is necessary for aircraft maneuvering and aerodynamics; in a cyber attack, hackers could alter the application of de-icing substances to cause a crash. Fourth, OT fuel pumps can also be hacked to cause “the wrong type or mixture of fuel to be pumped into a plane, resulting in anything from engine problems to an explosion.” Thankfully, these vulnerabilities have caught “the attention of dozens of airport CISOs.”
Diversifying IoT Attacks
Symantec: “ISTR 2019: Internet of Things Cyber Attacks Grow More Diverse” 04 Apr 2019 by Dwight B. Davis (@symantec). In the past, the bulk of IoT cyber attacks have involved DDoS. 2018 saw the diversification of attacks on IoT infrastructure. These include the “VPNFilter [malware, which] is able to carry a range of payloads that can, for example, capture and exfiltrate data or steal credentials” and attacks over Telnet, a dated, unencrypted protocol that leaves devices highly exposed to password guessing. According to Symantec, “The top password attackers used to access IoT devices in 2018 was ‘123456,’ which was used in one-quarter of all attacks.” IoT devices are closely linked to the physical world by design; if hacked for nefarious ends, they could have serious consequences for our increasingly interconnected and web-dependent lives.
Symantec adds that while “the potential of attackers to shut down or corrupt the actions of IoT devices that control equipment or interact in some other way with the physical world has long been the source of many nightmarish scenarios… the threat of attackers causing real-world damage or danger is very real.”
The Psychology of Cyber and Physical Security
Security Infowatch: “Cyber threats invade the physical security world” 12 Mar 2019 by Joel Griffin (@SecInfoWatch). Consider the following blended and complex threat scenario: “a cybercriminal taps into the printers at an office building and forces them to overheat and burst into flames. But rather than just stop there, the attacker proceeds to reroute their voice-over-IP (VoIP) phone systems to prevent 911 calls and hijacks their fire panel to circumvent any type of alarm from sounding.” This is just one of many possible scenarios in which threat actors manipulate cyber and physical controls to inflict damage on a specific target. While there is a myriad of actions that can mitigate this risk, John Gomez, CEO of Sensato Cybersecurity Solutions, makes the argument that “about 90 percent of cybersecurity, or even physical security, is your psychology.” One of the most significant factors that threat actors take advantage of is the victim’s rationalization of the attack itself. The victim “will click a link or take some action that on the surface may seem harmless or even like the right thing to do but leads to a security breach.” Arming individuals with knowledge of how attacks are carried out may reduce the human errors that let an incident start or escalate.
ICS Security by Design
Langner: “What Does ‘Insecure By Design’ Actually Mean For OT/ICS Security?” 03 Mar 2019 by Langner (@langnergroup). The Langner post concerns itself with the intersection of cyber and physical threats in OT (operational technology) and ICS (industrial control systems), which is to say blended threats. The inherent insecurity of OT and the grave potential of exploits are the crux of insecurity by design. “One of the reasons why vulnerability and patch management is different in OT as compared to IT is the fact that the majority of OT products, technologies, and designs are insecure by design”–meaning that threat actors may not need to spend time or resources finding and exploiting a bug, when “the majority” of OT can be tampered with, even incapacitated, simply by using documented features the way the owner’s manual describes them. There is nothing to patch, because nothing is broken; the protocol or product does exactly what it was designed to do, for anyone who can reach it. OT and ICS security, or the lack thereof, creates entry points that can harm critical infrastructure.
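A concrete illustration of what "insecure by design" means on the wire, added here as an example rather than taken from the Langner or Malwarebytes articles, is a Modbus/TCP write request. The block below builds a "Write Single Register" request and a "Read Holding Registers" request exactly as the Modbus application protocol specification lays them out (MBAP header followed by the function code and its data), parses them back, and then runs a simple compensating control over constructed traffic: flag any write function code from a source that is not an approved engineering host, because the protocol itself has no way to tell an engineer from an intruder. The host addresses, register address, and unit ID are hypothetical.

```python
import struct

# MBAP header: transaction id, protocol id (0 = Modbus), length of what follows, unit id
MBAP = struct.Struct(">HHHB")

WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def _frame(tid: int, unit: int, pdu: bytes) -> bytes:
    # the length field counts the unit id byte plus the PDU
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    """FC 3 request, the normal polling traffic an HMI or historian generates."""
    return _frame(tid, unit, struct.pack(">BHH", 3, start, count))


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """FC 6 request. Note what is absent: no credential, no signature, no session.
    Anyone who can reach TCP/502 and has the register map from the manual can send it,
    and a well-formed frame is accepted as-is by the device."""
    return _frame(tid, unit, struct.pack(">BHH", 6, address, value))


def parse_frame(frame: bytes) -> dict:
    """Decode the MBAP header and function code; raise on a malformed frame."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "function": fc, "data": frame[8:], "is_write": fc in WRITE_FUNCTIONS}


def audit_writes(events, allowed_writers) -> list:
    """Compensating control on the network: since the protocol carries no identity, the only
    handle a defender has is who sent the frame. events is an iterable of (source_ip, raw_frame);
    returns (source, unit, function name, starting address) for every write from a non-approved host."""
    alerts = []
    for src, frame in events:
        info = parse_frame(frame)
        if info["is_write"] and src not in allowed_writers:
            address = struct.unpack_from(">H", info["data"], 0)[0]
            alerts.append((src, info["unit"], WRITE_FUNCTIONS[info["function"]], address))
    return alerts


# Constructed traffic sample: hosts, unit id and register address are hypothetical.
SAMPLE_EVENTS = [
    ("10.0.0.5", build_write_single_register(1, 1, 0x0010, 450)),    # HMI adjusts a setpoint
    ("10.0.0.42", build_read_holding_registers(2, 1, 0x0000, 8)),    # historian polls values
    ("10.0.0.99", build_write_single_register(3, 1, 0x0010, 9999)),  # unknown host rewrites the same setpoint
]
APPROVED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_EVENTS, APPROVED_WRITERS):
        print("ALERT unauthorised write:", alert)
```

The two write frames from 10.0.0.5 and 10.0.0.99 are byte-for-byte identical apart from the transaction ID and the value; nothing in the frame lets the PLC reject the second one. That is why the caveat in the article matters: segmentation, an allow-list of hosts permitted to write, and a fail-safe state are the controls, not a patch.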
Vulnerable Visitor Kiosks
IBM Security: “X-Force Red finds 19 vulnerabilities in visitor management systems.” IBM’s offensive security testing group tested “five popular visitor management systems and discovered 19 previously undisclosed vulnerabilities across all the vendors,” testing for both cyber and physical weaknesses that could significantly affect the security of organizations that use these systems. Deployed as interactive kiosks, visitor management systems replace the traditional receptionist and security guard “and have a role in the security of an organization.” The findings include data leakage, default admin credentials giving complete control of the application, and interaction with the Windows OS by breaking out of the kiosk environment. As a consequence, attackers can gain illegitimate physical and cyber access to facilities, networks, and sensitive data that could threaten internal operations and their security and resiliency, all through a seemingly harmless interface.
With every published blended and complex threats blog post, there is both a cautionary tale and a silver lining. First and foremost, there are exceptional security professionals diligently working on building an effective security posture to address blended and complex threats every day. Yet, effectively addressing the issue of complex and blended threats can only take place on individual and systemic levels when the whole critical infrastructure community joins in collaboration and good faith. Every single one of the articles above, from a broad perspective, is a microcosm of potential consequences within our critical infrastructure. Robust security and resiliency are not only tackled behind closed doors and beyond reach of the public, but in the daily undertaking of securing the infrastructure we depend upon to sustain our environments and livelihoods.
Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (HISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.
Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.
- Help! Is This a Cyber or Physical Threat?
- Complex and Blended Threats: Weaponizing the Cyber World
- Have a Blended and Complex New Year!
- Complex and Blended Threats: Global Cyber Attacks are Now Human Attacks
- Complex Threats: Ransomware, Hurricanes, Murder, Defacements, Bots, and Blackouts…
- Potatoes and Tomatoes: You Say Blended, I Say Complex…
- Blended Threats! McAfee Labs Addresses Digital Impacts to Physical Infrastructure
- Blended Threats: Mining Takes a Toll!
- Blended Threats (update 1.1): Understanding an Evolving Threat Environment
- Blended Threats: The Oracle Has Spoken!
More on blended threats, some of our associated preparedness activities, and other content that may be of interest can be accessed from our blog.