Fall is Here But Blended and Complex Threats Never Left – NCSAM Edition

By Omar Tisza

National Cybersecurity Awareness Month (NCSAM) is in full swing, and there could not be a better backdrop for continuing our series on blended and complex threats and the complicated landscape in which they operate. While the articles below span the critical infrastructure gamut, they share a vital commonality: threats and incidents tend to cross a boundary that was traditionally treated as separating two fields, physical security and cyber security. A cyberattack on a hospital, for example, can impact the critical infrastructure supporting health delivery and the protected health information held in its systems and devices, and a ransomware infection can force the hospital to turn away patients, affecting the physical safety and health of those patients. As the proliferation of interconnected devices and systems continues to make business operations more efficient, it also widens the attack surface of our critical infrastructure. Security therefore requires a comprehensive strategy that marries the physical and cyber realms into a single risk management approach.

We use the term blended and complex threats to account for threats that operate within, and cross over, physical and cyber boundaries. A short refresher on the definitions:

We’ve defined blended threats as natural, accidental, or purposeful physical or cyber dangers that have or indicate the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Complex threats are two or more separate attacks aimed at the same general or specific target(s) or objective(s). The key distinction of blended threats is the crossover component: one attack with crossover effects, that is, a threat that originates in one domain and has impacts in another domain.

Ransomware Harming Patient Safety

Ars Technica: “Ransomware forces 3 hospitals to turn away all but the most critical patients” 01 Oct 2019 by Dan Goodin (@dangoodin001). “Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients… [a]ll three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system. The hospitals—DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center—are turning away “all but the most critical new patients” at the time this post was going live. Local ambulances were being instructed to take patients to other hospitals when possible. Patients coming to DCH emergency rooms faced the possibility of being transferred to another hospital once they were stabilized.”

Securing the Airport Environment

PenTestPartners: “Mapping the Attack Surface of an Airport” 11 Oct 2019 by Ken Munro (@PenTestPartners). “The biggest single challenge [to securing airport environments] is the sheer volume of different entities that need access: passengers, crews, airline staff, security personnel, Police, Customs and other government agencies, freight, meal service and many more.” From airside systems and vehicles to automated baggage claim, there is a high concentration of OT in airports and diverse attack surfaces for threat actors to potentially sink their teeth into. Without an adequate security posture, many of the systems that facilitate airport transit and operations are vulnerable. Given the blended components that make up aviation critical infrastructure, securing physical and cyber assets together makes it far less likely that an airport is taken offline by ransomware.

Identity and Access Management from a Blended Perspective

SecurityIntelligence: “When Digital Identity and Access Management Meets Physical Security” 03 Oct 2019 by George Platsis (@gplatsis). “[I]dentity and access management and physical security tasks need to be dealt with as one joint task, not two separate ones… don’t overlook the human component when facing the digital/physical security challenge. Humans are the glue that connect these two realms — and a critical part of successful digital transformation.”

As enterprises and security-minded organizations continue to contend with both the physical and cyber components of security, the merging of the two realms calls for a correspondingly merged security approach to strengthen and maintain the foundations of our critical infrastructure.

Killer Smartphone

Techworm: “Teenager Dies In Her Sleep After Smartphone Explodes During Charging” 05 Oct 2019 by Kavita Iyer (@Purplemoonkavs). In an unfortunate turn of events, “a teenage schoolgirl from Kazakhstan has died after her charging smartphone exploded on her pillow as she slept. Alua Asetkyzy Abzalbek, 14, had gone to sleep listening to music, with the phone charging next to her head on the pillow at her village home in Bastobe, Kazakhstan. However, she was found dead the following morning after the phone’s battery is said to have exploded close to her head.” While there is no indication that the device was manipulated through cyber means to cause physical harm, her “device had been plugged into a power socket at the point of explosion” and “[i]t was later confirmed by forensic experts that the phone had exploded in the early hours of the morning due to battery overheating leading to the girl’s death.” Smartphones are usually thought of as targets for data theft or financial fraud, but as this incident shows (as did the Samsung Galaxy Note 7 battery fires in 2016), mobile devices can also pose a direct physical threat.

Vulnerable USB Access

Bitdefender: “Few Companies Restrict Use of Unencrypted or Unsafe USB Drives” 18 Oct 2019 by Silviu Stahie (@thesilviu). “Most companies neglect creation of comprehensive data security protocols for employees, allowing them to use unsafe or unsecured USB drives that could be compromised… It’s easy to see why companies don’t actively think about how employees interact with their computers, and USB drives are seldom a priority. Some 47% of organizations have established a protocol for lost USB devices, and 53% said that their company has no technology capable of detecting the download of confidential data onto USBs. The security of an organization is not only about protecting its assets from online threats. It’s also about protecting the business from [blended and complex] problems from within, and USB drives are a big part of that. Using endpoint protection is a good start for businesses, but other protocols have to be considered for a complete solution.”
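The Bitdefender piece notes that most organizations have no technology capable of detecting data being copied to USB drives. A minimal detective control is to watch the kernel log for mass-storage attachments and compare each device against an allowlist of corporate-issued drives. The following is an added example, not code from the article or from Bitdefender; the log lines are constructed to look like Linux `dmesg` output, and the allowlist entry is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample kernel log (dmesg / journalctl -k style). Not from the article.
# Three devices: a corporate-issued SanDisk drive, a keyboard, and an unknown Kingston drive.
SAMPLE_KERNEL_LOG = """\
[  101.233] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.380] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[  101.380] usb 1-1: Product: Ultra
[  101.380] usb 1-1: Manufacturer: SanDisk
[  101.381] usb 1-1: SerialNumber: 4C530001
[  101.391] usb-storage 1-1:1.0: USB Mass Storage device detected
[  102.401] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  203.001] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  203.120] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  203.120] usb 1-2: Product: USB Keyboard
[  203.120] usb 1-2: Manufacturer: Logitech
[  203.125] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input7
[  305.010] usb 1-3: new high-speed USB device number 6 using xhci_hcd
[  305.150] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  305.150] usb 1-3: Product: DataTraveler 3.0
[  305.150] usb 1-3: Manufacturer: Kingston
[  305.151] usb 1-3: SerialNumber: E0D55EA1
[  305.160] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Assumed allowlist of corporate-issued drives: (idVendor, idProduct, SerialNumber).
ALLOWED_STORAGE = {("0781", "5581", "4C530001")}

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTR_RE = re.compile(r"usb (?P<port>\S+): (?P<key>Product|Manufacturer|SerialNumber): (?P<value>.+)$")
STORAGE_RE = re.compile(r"usb-storage (?P<port>\S+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    attrs: dict = field(default_factory=dict)
    mass_storage: bool = False

    def identity(self):
        # Identity used for the allowlist lookup. Serial is absent for some devices.
        return (self.vid, self.pid, self.attrs.get("SerialNumber", ""))


def parse_usb_events(log: str) -> dict:
    """Correlate the kernel's per-port USB lines into one record per attached device."""
    devices = {}
    for line in log.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            # A new enumeration on a port replaces whatever was plugged there before.
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = ATTR_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].attrs[m["key"]] = m["value"].strip()
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return devices


def find_unauthorized_storage(log: str, allowlist=ALLOWED_STORAGE) -> list:
    """Return one alert dict per mass-storage device that is not on the allowlist."""
    alerts = []
    for dev in parse_usb_events(log).values():
        if dev.mass_storage and dev.identity() not in allowlist:
            alerts.append({
                "port": dev.port,
                "vid": dev.vid,
                "pid": dev.pid,
                "manufacturer": dev.attrs.get("Manufacturer", "?"),
                "product": dev.attrs.get("Product", "?"),
                "serial": dev.attrs.get("SerialNumber", "?"),
            })
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_storage(SAMPLE_KERNEL_LOG):
        print(f"ALERT: unauthorized USB mass storage on port {a['port']}: "
              f"{a['manufacturer']} {a['product']} serial {a['serial']} ({a['vid']}:{a['pid']})")
```

Run against the constructed log, only the Kingston drive on port 1-3 is flagged: the SanDisk drive matches the allowlist and the keyboard never registers as mass storage. Note that vendor, product and serial strings are supplied by the device and can be spoofed, so this is a detective control for logging and alerting; enforcing the allowlist belongs in a preventive layer such as udev rules or USBGuard, and the detection of what was actually copied still needs endpoint DLP.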

Flying Drones into Planes

DRONELIFE: “Drones and Cybersecurity: An Expert Opinion on Protecting Industry Against Drone and Data Attacks” 17 Oct 2019 by Miriam McNabb (@spaldingbarker). “[T]he appetite to attack critical infrastructure, and possibility to pivot into the operational technology (OT) or the information technology (IT) networks, has never been higher. Hackers can deploy “attack” drones – low cost, easy to use, and hard to detect – to carry out surveillance, capture data or cause damage by collision.” Blending physical and cyber attack vectors, attack drones, “in addition to crashing into a piece of equipment they might crash into another drone or aircraft, or hack another drone in flight, either to take control of it or embed malware.” There are, however, security best practices and technologies that companies can and should adopt to secure their own drones and to protect the OT networks that host drone activity.

Iran Cyberattack Hits Physical Hardware

Middle East Eye: “US cyberattack struck Iran following attacks on Saudi oil facility” 16 Oct 2019 by Middle East Eye and Agencies (@MiddleEastEye). “A United States cyberattack targeted Iran’s capability to spread “propaganda” in the wake of the 14 September attacks on Saudi Arabia’s oil facilities… and affected physical hardware,” according to two US officials. Because critical infrastructure is increasingly interconnected, an attack aimed at a propaganda capability still reached physical components. Using a cyberattack as a conduit for physical damage exemplifies the convergence of the physical and cyber realms, and makes the case for a robust cyber and physical security posture across our valued assets.

Austin Telecom Interference

KVUE-ABC: “Man accused of tampering with Austin radio towers in ‘extremely rare’ case” 14 Oct 2019 by Drew Knight (@drewknight92). “Police said the suspect tampered with towers that could have impacted Austin first responders’ ability to communicate.” The suspect, who was eventually captured and charged, “tampered with multiple communication towers in the Austin area,” some of which may have “provided emergency communicators for the FBI and Department of Homeland Security, in addition to emergency communications of the City of Austin and Austin Police Department.” Investigators uncovered multiple similar attempts at disrupting communications in the Austin area, which further underscores the need for adequate security in both physical space and cyberspace to preserve the integrity and availability of critical infrastructure.

Killer App Kills Through Medical Devices

Wired: “These Hackers Made an App That Kills to Prove a Point” 16 July 2019 by Lily Hay Newman (@lilyhnewman). “Two years ago, researchers Billy Rios and Jonathan Butts discovered disturbing vulnerabilities in Medtronic’s popular MiniMed and MiniMed Paradigm insulin pump lines. An attacker could remotely target these pumps to withhold insulin from patients, or to trigger a potentially lethal overdose. And yet months of negotiations with Medtronic and regulators to implement a fix proved fruitless. So the researchers resorted to drastic measures. They built an Android app that could use the flaws to kill people.”

Damaging Critical Infrastructure by Hacking HVAC

McAfee: “HVACking: Understanding the Delta Between Security and Reality” 09 Aug 2019 by Douglas McKee (@fulmetalpackets) and Mark Bereza (@ROPsicle). “What does it matter if an attacker can turn on and off someone’s AC or heat? Consider some of the industries we found that could be impacted. Industries such as hospitals, government, and telecommunication may have severe consequences when these systems malfunction. For example, the eBMGR [industrial control hardware] is used to maintain positive/negative pressure rooms in medical facilities or hospitals, where the slightest change in pressurization could have a life-threatening impact due to the spread of airborne diseases. Suppose instead a datacenter was targeted. Datacenters need to be kept at a cool temperature to ensure they do not overheat. If an attacker were to gain access to the vulnerable controller and use it to raise heat to critical levels and disable alarms, the result could be physical damage to the server hardware in mass, as well as downtime costs, not to mention potential permanent loss of critical data.”

Tesla Owners Ran Out of Luck

The Next Web: “Some Tesla owners reportedly got locked out of their cars because the app was down” Sep 2019 by Ivan Mehta (@IndianIdle). “Connected things are wonderful until they fail on you. Numerous Tesla owners allegedly experienced this today as they got locked out of the car because the app was apparently down for maintenance… While Tesla’s app helps you unlock the car, you can still use a key card, an optional key fob, or the app without needing to connect to the internet. But some people who didn’t have the key card or the fob, and were logged out of the app, had to wait at the time of reporting.”

Russia Failed in Strategic Cyber-Physical Attack

Wired: “New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction” 12 Sep 2019 by Andy Greenberg (@a_greenberg). An hour after the December 2016 cyberattack on Ukraine’s national electric grid operator, the power came back on, “[w]hich raised the question: Why would Russia’s hackers build a sophisticated cyberweapon and plant it in the heart of a nation’s power grid only to trigger a one-hour blackout?” Cybersecurity firm Dragos believes the blackout was intended as the first stage of a larger attack, one that would exploit a 2015 vulnerability in Siemens Siprotec protective relays to put the relays “in a sleep state intended for firmware updates, rendering it useless until manually rebooted.” Had it worked, the follow-on attack could have had catastrophic consequences for the grid and endangered the line workers restoring power. The attackers’ own mistakes caused the plan to fail, but the case further underscores the need for a blended and complex risk management approach that considers both physical and cyber attack surfaces, especially when countering strategic nation-state attacks such as this one.

Cyberattacks, vulnerabilities, and exploits are a certainty of the digital era. The lines that once kept physical security and cybersecurity in separate environments are fading quickly, ushering in a new risk management approach that blends both disciplines to safeguard the critical infrastructure all of us depend upon.

Omar Tisza

Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.

Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.