Blending Threats into a Complex New Year

By Omar Tisza

As 2019 turns into 2020, the technologies and threats that affect daily operations and data security persist in blended and complex ways. The convergence of the physical and cyber domains increases the productivity and value of businesses and critical infrastructure at large, but it introduces new and evolving risks that can harm assets and individuals once the line between IT and physical risks is no longer crystal clear. Still, the blended and complex threats covered in this recurring blog post seem to have been increasingly understood and acknowledged by security practitioners in 2019. Many critical infrastructure owners and operators still find their organizations short of an ideal blended and complex security posture, but continuing to shape and improve organizational risk management, preparedness and resilience, from both an incident response and a steady-state standpoint, indicates a level of maturity and commitment to improving security within the organization and throughout the broader critical infrastructure community.

“Today, we face a hybrid threat. There are very few cyber-only or physical-only incidents,” – Brian Harrell, Assistant Director for Infrastructure Security at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency

We use the term blended and complex threats to account for threats that operate within, and cross over, physical and cyber boundaries. The following is a brief refresher on the definitions of blended and complex threats:

We’ve defined blended threats as natural, accidental, or purposeful physical or cyber dangers that have or indicate the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Complex threats are two or more separate attacks aimed at the same general or specific target(s) or objective(s). The key distinction of blended threats is the crossover component: one attack with crossover effects, that is, a threat that originates in one domain and has impacts in another domain.

DHS CISA Tackling Complex and Blended Threats

Homeland Security Today: “Utilities’ Participation Up 200 Percent in GridEx V Cyber, Physical Attack Training,” 20 November 2019 by Bridget Johnson (@BridgetCJ). “Today, we face a hybrid threat. There are very few cyber-only or physical-only incidents,” explains Brian Harrell, Assistant Director for Infrastructure Security at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “As our world grows more interconnected, and our infrastructure grows more interdependent with other systems and functions, we must look at our risks from both a cyber and a physical perspective.” This Gate 15 blog post applauds CISA and DHS for shining a spotlight on blended and complex threats at the critical infrastructure level.

Strobing Lights Attack on Epilepsy Foundation

The New York Times: “Epilepsy Foundation Was Targeted in Mass Strobe Cyberattack,” 16 Dec 2019 by Manny Fernandez (@mannyNYT). “Hackers sent videos and images of flashing strobe lights to thousands of Twitter followers of the Epilepsy Foundation last month in a mass cyberattack that apparently sought to trigger seizures in those with epilepsy, the foundation said on Monday.” The impact of this cyberattack on epileptic followers of the Twitter account is unclear, but weaponizing social media as an attack on epileptic individuals is a clear example of how destructive and sinister blended threats can be.

ransomware attacks… were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk. – Emsisoft

Relentless Ransomware

Emsisoft: “The State of Ransomware in the US: Report and Statistics 2019,” 12 Dec 2019 by Emsisoft Blogs (@emsisoft). “In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion… [t]he incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.” Among the consequences was severe impact on the quality of healthcare delivery, emergency services, business operations, and critical infrastructure overall.

A Homeland Security Approach to Blended Threats

Homeland Security Today: “CISA to Work with Stakeholders, ‘Influence a Culture of Security Convergence’ During NCISRM,” 01 Nov 2019 by Bridget Johnson (@BridgetCJ). November was National Critical Infrastructure Security and Resilience Month (NCISRM) and a timely opportunity to shape the nation’s approach in maturing the security and resiliency posture of our critical infrastructure. Assistant Director for Infrastructure Security Brian Harrell explained that “[t]oday’s threats are a result of hybrid and blended attacks utilizing Information Technology (IT), physical infrastructure, and Operational Technology (OT) as the enemy avenue of approach. Highlighting this future threat landscape will ensure better situational awareness and a more rapid response.” Approaching blended and complex threats as part of NCISRM brings critical infrastructure closer to a comprehensive security approach that mitigates risk across multiple domains.

Preparing for Physical Impact From Cyberattacks

Homeland Security Today: “How Emergency Managers Can Meet Challenges of Increasingly Complex Threat Climate,” 08 Nov 2019 by Don Hall (@HSTodayMag). “Viewing cybersecurity and physical security threats at same level: In October 2018, the Arkansas Department of Emergency Management hosted a cybersecurity exercise with more than 70 participants in attendance. Across many states, efforts are being made to train for cyber threats the same way public safety and law enforcement might train for threats to physical venues and infrastructure… Cyber attacks that impact agency workforces, as well as citizens, have evolved far beyond just being an issue for the IT department. State agencies have been upended by ransomware attacks that paralyze operations, and prevent citizen services from being accessible. Recent events in Baltimore and Atlanta demonstrate how quickly an attack can cripple operations.”

911 Services Wiped Out After Cyberattack

WTOC11: “Ransomware attack may be affecting 911, emergency dispatch in Jasper Co.,” 18 Oct 2019 by Kristen Rary (@KristenRary). “Jasper County [South Carolina] had a cyber attack on their countywide systems, including email and emergency response systems.” At first, the county reported that its emergency services, including 911, were unaffected, but Jasper County later found that three weeks had passed since the fire department had received a call through its dispatch application. Without a working system, dispatchers were forced to record emergency calls by hand, which caused some calls to go unnoticed. “Learn from this is to create a back-up plan,” the article warns. This blended incident is yet another example of how cyberattacks can harm physical systems and put lives at risk.

World Wide Blended Cyberattacks

The National Consortium for the Study of Terrorism and Responses to Terrorism (START): “Significant Multi-Domain Incidents against Critical Infrastructure (SMICI) Dataset,” Dec 2019 by Steve Sin and Rhyner Washburn (@START_UMD). A new research brief highlights findings from a newly developed dataset of 130 cyberattacks against critical infrastructure worldwide dating back to 2009. The United States was the country most often targeted for cyberattacks regardless of motive, accounting for more than 19 percent of the incidents in the dataset. “Of the 130 incidents collected in the dataset, we were able to clearly identify 85 cases as either disruptive cyber-physical (21%) or cyber-operational (79%). Of the cyber-physical incidents, 50% of the incidents were attributed to state actors, 11% to non-state actors, and 39% were unattributed/unidentified.” More than half of the recorded incidents arose from blended threats, which further highlights the need to account for both cyber and physical vulnerabilities in the risk management approach.

Iraq Shut Down Internet After Protesters Were Targeted

NetBlocks: “Social media partially unblocked in Iraq after 50 days,” 21 Nov 2019 by NetBlocks (@netblocks). “Iraq blocked social media platforms and restricted messaging apps on 2 October 2019. The restrictions were shortly followed by a near-total internet shutdown that cut off Iraq as protests escalated and evidence of targeted killings of protesters emerged.” It is not uncommon to see nation-state actors block social media and internet access to control the flow of information. In this case, the use of cyber measures was an additional attack on the local population on top of the physical security incidents, making this an instance of complex threats with blended components.

Rats Force Estonian Services Offline

InfoSecurity Magazine: “Pests Force Estonian Government Offline,” 26 Nov 2019 by Sarah Coble (@InfosecurityMag). In an odd turn of events, and with help from furry rodents, “[t]he government of Estonia lost internet access after hungry rats chewed through fiber-optic cable located underground near the country’s capital, Tallinn. Estonian State Portal—a secure internet environment through which the country’s residents can easily access state e-services and information—was forced offline for 5 hours as a result of the incident, which occurred last Wednesday.” This incident highlights the importance of a cyber and physical risk management approach that secures the cyber domain as well as the physical infrastructure that supports it, even if that means planning for and guarding against rats with an affinity for cables.

This blog post relies on articles from the broader security community to report and provide insight on specific blended and complex threats across industry and government sectors. In this latest installment, it is clear that critical infrastructure owners and operators are more aware of blended and complex threats and increasingly approach risk management from both a physical and a cyber perspective, recognizing the security interdependencies that exist between the two domains. As Gate 15 continues to execute our Homeland Security Risk Management mission, we hope 2020 will further the effort to place security and resiliency alongside, and as necessary components of, profitability, growth, and innovation throughout critical infrastructure.

Omar Tisza

Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.

Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.