Breaking Down the Wall between Physical and Cyber Security

By Omar Tisza

Are the physical and cyber security of our critical infrastructure fated to merge into a blended and complex risk management approach? In this update on threats that are neither entirely physical nor entirely cyber, known as blended and complex threats, we explore their complexities and consequences as they become relevant to the security and resiliency of our critical infrastructure.

We use the term blended and complex threats to account for threats that operate within and cross over physical and cyber boundaries. The following is a simple refresher on the definitions of complex and blended threats:

We’ve defined blended threats as natural, accidental, or purposeful physical or cyber dangers that have or indicate the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Complex threats are two or more separate attacks aimed at the same general or specific target(s) or objective(s). A key distinction of blended threats is the crossover component: one attack, with crossover effects; a threat that originates in one domain and has impacts that cross into another domain.

Below are examples of the terms above contextualized in recent incidents and vulnerabilities:

The Cost of Cyber-insecurity

Canadian Underwriter: “When cyber breaches can kill” 15 May 2019 by Greg Meckbach (@CU_Greg). In the not-so-distant past, information security was about securing laptops, desktops, and a few other devices. Nowadays, however, “cars, appliances, power plants and medical devices are at increased risk from hacking attacks,” placing goods that were never before cyber-vulnerable within the scope of information security. Computers used for “spreadsheets could have the same type of operating system and central processing unit as one with an embedded heart monitor… and therefore the same method can be used to attack both.” Cybersecurity is vital for the physical security of our critical infrastructure as the separation between the cyber and physical worlds keeps tumbling down. From healthcare providers to construction equipment, an infected medical device or a compromised crane can have destructive consequences for individuals and the critical infrastructure that supports our communities.

Homes at Risk of Cyber Attacks

Help Net Security: “Smart home security devices most at risk in IoT-targeted cyber attacks” 13 June 2019 by Help Net Security (@helpnetsecurity). Smart home security cameras are the most susceptible to hacking among commonly used “smart” house devices, according to research by SAM Seamless Networks. “Other findings reveal the USA and China are the foremost countries for both executing attacks and being targeted. The average home receives five attempted attacks per device per day via smart networks.” Increasingly, “the target of attacks is no longer just enterprises.” Homes are now on the radar of cyber criminals who can act on behalf of a nation-state. “During the first week of May 2019, researchers witnessed a massive amount of remote access attempts, originating primarily from three countries: China, USA and Iran, 50% of which were by botnets.” Eventually, robust physical security measures will no longer be sufficient to secure private residences as vulnerable smart home devices and IoT are increasingly targeted. 

Hotel Group Cyber Attack and Data Leak

SecurityInfoWatch: “Physical security at risk as cyberattacks target vulnerable systems” 14 June 2019 by Steve Lasky (@SecInfoWatch). The Pyramid Hotel Group was hit with a cyberattack that leaked information from an unsecured server, exposing “critical IT data as well as physical security systems such as key cards, video cameras, motion detectors, and other devices that ensure guest and employee safety,” further underscoring the need for a risk management approach that incorporates an understanding of blended threats. “[T]oo many organizations still keep physical security data isolated from infosecurity data. In many cases, a physical wall literally separates a Network Operation Center (NOC) and physical security teams from sharing intelligence.” This separation can become a weakness in security posture for web-connected systems, including access controls, which are meant to control access to business-sensitive data and protect human assets.

Protest Crackdown with Complex & Blended Measures

TechCrunch: “Telegram faces DDoS attack in China… again” 13 June 2019 by Jonathan Shieber (@jshieber). “The popular encrypted messaging service Telegram is once again being hit with a distributed denial of service (DDoS) attack in Asia as protestors in Hong Kong take to the streets. For the last several days, Hong Kong has been overrun with demonstrators protesting a new law that would put the municipality more directly under the control of mainland China’s authoritarian government. One of the tools that organizers have turned to is the encrypted messaging service, Telegram, and other secure messaging technologies, as they look to evade surveillance measures by government officials.” This is an example of a nation-state deploying a distributed denial of service attack, in addition to physical measures, to affect the outcome of a protest. Hong Kong protesters are experiencing complex and blended threats from the Chinese government in an effort to quash civil unrest.

Transforming Cybersecurity with Cyber-Physical Systems

ComputerWeekly: “Building a cyber-physical immune system” June 2019 by Shantanu Rane (@shantanudrane). In order to better understand cyber-physical attacks, researchers are dabbling in the study of cyber-physical systems, which are systems managed by a cyber component but deeply integrated with the physical world “such as industrial assembly lines or the power grid.” The objective of this research is to develop “a cyber-physical immune system,” akin to the human immune system and its “extraordinarily self-aware… protective mechanisms, such as fighting infections by means of white blood cells, proceeding to repair wounds by clotting, and so on.” By harnessing knowledge from multiple disciplines, the security field can better understand anomaly detection and “deviations from safe and secure behavior,” which will further shine a light on mitigating the risks of blended and complex threats.

“Traditionally, cyber security has been the stronghold of security engineers, network engineers and cryptographers. But to build a cyber-physical immune system, it is necessary to engage with experts who work on its non-cyber aspects.”

The Downside of 5G

The Verge: “5G could mean less time to flee a deadly hurricane, heads of NASA and NOAA warn” 23 May 2019 by Sean Hollister (@StarFire2258). “[T]he heads of NASA and the National Oceanic and Atmospheric Administration (NOAA) warn the issue [of implementing 5G] could set back the world’s weather forecasting abilities by 40 years — reducing our ability to predict the path of deadly hurricanes and the amount of time available to evacuate. It’s because one of the key wireless frequencies earmarked for speedy 5G millimeter wave networks — the 24 GHz band — happens to be very close to the frequencies used by microwave satellites to observe water vapor and detect those changes in the weather. They have the potential to interfere. And according to NASA and NOAA testimony, they could interfere to the point that it delays preparation for extreme weather events.” 

Blended Security in Healthcare

Fierce Healthcare: “Industry Voices—Your hospital’s key card reader poses a cybersecurity risk. Here’s how to address it” 06 May 2019 by Sonia Arista (@sarista16). “Without an effective and comprehensive security strategy in place that addresses both physical and cybersecurity concerns, the costs of a major data breach that compromises this new attack vector could cripple or even kill an organization.” This new attack vector merges the physical and cyber worlds, which presents critical vulnerabilities that require an enterprise-level approach to operationalizing resiliency and security. In healthcare, the advent of the Internet of Medical Things (IoMT) has made healthcare organizations “unprepared to address the security concerns they [IoMT] are introducing… most IoMT devices lack built-in security capabilities. Not only can they not defend themselves, but many also cannot even be patched up [or] updated.” An infected medical device can have disastrous consequences for patients’ physical health. This security risk is compounded by the lack of attention to “physical security at the CEO level,” which is vital for organizational improvements.

“In the era of digital transformation, however, where physical and cyber security solutions are being converged, executives now need to be able to measure risk and track it on a regular basis. As a result, security now needs to be elevated to a line-of-business concern for C-suite executives and boards of directors.”

Technology for University Physical Safety

EdTech Magazine: “3 Ways Technology Can Elevate Campus Safety” 08 May 2019 by Dave Doucette (@EdTech_HigherEd). “For university administrators, the number of physical threats to college campuses in 2018 demonstrated a dire need to keep safety and security a top priority. Technology can help close the gaps in physical campus security initiatives, streamlining current systems and helping to introduce new ones.” Alert systems, IP network cameras, and mobile device applications are three digital solutions that can address physical safety concerns in higher education. Whether through visual digital signage around campus or push notifications to cell phones, seamless alert systems can directly communicate pertinent information to users. Similarly, IP network cameras can live stream feeds from a local area network to a command center, allowing officers more flexibility than analog CCTV. For the campus at large, mobile applications can also serve as a communications platform to inform users of relevant information and/or as a way for users to contact campus security as needed. Having multiple avenues of communication during an incident can decrease the risk of a complete communications outage and increase the flow of vital information.

The answer to the question posed at the start of this article also comes with blurred lines, just like complex and blended threats themselves. The physical and cyber realms are still their own separate disciplines. However, it is clear both realms are folding into each other, eventually necessitating a security approach that matches the inherent nature of evolving physical and cyber threats. A broad assessment of the blended and complex threat landscape will find the integration of interconnected technology, such as IoT, AI, and much more, into the daily security operations of organizations that operate and maintain our critical infrastructure. A blended and complex approach is a must to reach adequate security in a technologically fast-paced and threat-filled environment.

Omar Tisza

Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.

Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.