Help! Is This a Cyber or Physical Threat?

By Omar Tisza

As cyber-adversaries become more sophisticated in their attacks against critical infrastructure, the difference in sophistication between nation-state and criminal threat actors increasingly blurs, as both groups seem to use many of the same tools and tactics to incapacitate systems with ransomware, exfiltrate sensitive data, and cause other harm. With IoT, building automation, wearables and other new technology, more and more devices are constantly being plugged into the web, and adversaries’ techniques have a wider window of opportunity to inflict damage on the physical world.

To shine the spotlight on effects of cyberattacks that merge into the physical world and increase awareness of complex and blended threats, we have compiled a list of recent noteworthy incidents and articles that highlight a need to understand the security and resiliency facets of threats that operate in both the physical and cyber domain.

The following is a simple refresher on the definitions of complex and blended threats:

We’ve defined blended threats as natural, accidental, or purposeful physical or cyber dangers that have or indicate the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Complex threats are two or more separate attacks aimed at the same general or specific target(s) or objective(s). A key distinction of blended threats is the crossover component: one attack, with crossover effects; a threat that originates in one domain and has impacts across to another domain. More detailed definitions can be found here.


Re-thinking Security with Complex and Blended Threats 

Threat Post: “When Cyberattacks Pack a Physical Punch.” 18 Feb 2019 by Stephen Pritchard (@s_pritchard). “Physical security goes hand in hand with cyberdefense. What happens when – as we see all too often – the physical side is overlooked?” A lack of physical safeguards on cyber threats and vulnerabilities can lead to cascading effects that have the potential to proliferate on a widespread level. “One example of a cyber-threat turned physical includes the BlackEnergy APT’s 2015 attacks against the Ukraine, which damaged the country’s critical infrastructure. More recently researchers identified a vulnerability in electronic vehicle charging stations that could allow an attacker to adjust the maximum current that can be consumed during charging which could result in a fire due to wires overheating.” Governments are starting to address the intersection of physical and cybersecurity – innovations such as IoT – with a security and resiliency mindset, but the best-case scenario is for industry itself to drive more secure technologies through best practices, industry-developed standards and consumer-driven market shifts. The alternative would be government regulation and the imposition of guidelines to mandate critical infrastructure and device security.

Cybersecurity as a Physical Concern

Federal News Network: “Federal threat information sharing gets a more enterprise mindset.” 26 Feb 2019 by Amelia Brust (@abrustWFED). Suzanne Spaulding (@SpauldingSez), former under secretary for the formerly named National Protection and Programs Directorate (now CISA) at the Department of Homeland Security (DHS), explained “it’s inevitable that physical and cybersecurity integrate under a single entity. In particular, she said, the internet of things has made this abundantly clear. Whether it’s a business or a mission that needs protecting, an understanding of the continuity of operations is crucial. This in turn moves the issue of cybersecurity further up the organization chart and groups must think of it like a risk management effort, she said.”

From industry to government, cybersecurity can no longer sit in the IT silo alone. With everything short of our existence being hosted on a virtual and web-connected platform, cybersecurity must be analyzed with a wide risk management lens because “cyber breaches can also cause physical damage.”

UK Fears Major Critical Infrastructure Attack

Info Security Group: “Most UK IT Security Leaders Fear CNI Attack.” 27 Feb 2019 by Phil Muncaster (@philmuncaster). “Over two thirds (68%) of [survey] respondents claimed that security teams in charge of physical and digital systems never collaborate. These siloes can be particularly damaging as IT and OT converge, for example with the proliferation of IoT in heavy industry.” This gap in security operations can be detrimental to critical infrastructure during and in the aftermath of a significant incident in the UK. Still attached to the EU, the UK is one of the largest economies in Europe, and a large-scale attack on its critical infrastructure may have rippling effects across Europe and the US. “The increasing convergence of cyber and physical environments is inevitable, but managing them in a cohesive way will strengthen enterprise security.”

Assessing security with one foot in the cyber and another in the physical world, even in environments outside US critical infrastructure, is a step forward in mitigating risk and vulnerabilities across industries.

Transforming IT and Physical Security in Higher Education

EdTech: “Partnerships Between IT and Physical Security Improve Campus Safety.” 22 Feb 2019 by David Hutchins (@EdTech_HigherEd). The rapidly increasing adoption of interconnected technology in daily security operations leaves the door open for cyber-threats and vulnerabilities in almost every environment, even college campuses. The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC, @renisac) Executive Director, Kim Milford (@kabuz), observed, “In this new world we’re in, the threat is not physical or cyber — it’s both, most of the time.” EdTech writes, “Today, protecting these [campus] communities requires close coordination between IT and physical security teams. Campus safety officers now rely heavily on technology to do their jobs. The border is blurred between two departments that, in the past, could operate independently.”

While physical security is paramount on college campuses, there are cybersecurity vulnerabilities in security technology that can harm the physical security of students, faculty, and staff. In order to bolster the security and resiliency of campuses, “IT and physical security must coordinate campus crisis response.” As colleges continue to use technology to improve the campus experience (by “the integrating of student IDs into Apple Watches,” for example), more consideration must be given to the security and resiliency dimensions of higher education, particularly in terms of complex and blended threats.

Wells Fargo Web Outage

CNBC: “Wells Fargo reports outage on mobile app and online banking.” 07 Feb 2019 by Liz Moyer (@LizMoyer). Wells Fargo apologized to its customers for the online service outage caused by “a power shutdown at one of our [data center] facilities, initiated after smoke was detected following routine maintenance.” While no injuries were reported, this small incident further illustrates the need for a heightened awareness and understanding of complex and blended threats. In this case, blended threats were particularly showcased by the physical power shutdown, which produced smoke and inevitably led to the crash of a critical Wells Fargo data center used in support of its online banking services. This incident only affected online services, but blended threats have the potential to affect a multitude of goods and services within our vital critical infrastructure, not only online banking. Read the story below on how smoke can threaten the availability and integrity of data stored in hard drives.

California Trailblazes on IoT Cybersecurity Regulation

JD Supra: “California Enacts First U.S. Law Requiring IoT Cybersecurity.” 12 Feb 2019 by Burns and Levinson LLP (@burnslev). “[B]eginning January 1, 2020, California state law will require manufacturers of Internet of Things (‘IoT’) devices to equip such devices with ‘reasonable’ security features that protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure. While ‘reasonable’ can be difficult to assess, the new law specifically notes that if a connected device is equipped with a means for authentication outside a local area network, reasonable features would include (1) assigning unique preprogrammed passwords, and (2) security features that require a user to generate a new means of authentication before access is granted to the device for the first time. Notably, once the California law goes into effect, it will be the first U.S. law to specifically regulate IoT cybersecurity.”

IoT Tops the Exploits Charts

Security Week: “Cyber and Physical Convergence Opens Doors for Attackers: Report.” 20 Feb 2019 by Kevin Townsend (@kevtownsend). “2018 saw the convergence of three separate threat trends — two that have evolved over the last few years, and one that came to the fore during 2018. These are the merging of IoT botnets, destructive malware and cryptojacking. IoT botnets have grown through easy access to malware, poor security in the devices, and the sheer number of devices that can be compromised. Fortinet’s Q4 2018 Threat Report states that half of the top 12 detected exploits around the world — and three of the top five — target IoT devices.” IoT is the quintessential example of complex and blended threats because of its web-connected physical qualities and risks. However, “The top two detected exploits concern long-patched vulnerabilities, but demonstrate that criminals are aware of generally poor patching habits around the world.” This shows, once again, how a significant proportion of cyber incidents and breaches can be prevented through disciplined patching and simple remediation. 

Damaging Hard Drives… with Smoke?

Welivesecurity: “Smoke damage and hard drives.” 18 Feb 2019 by Aryeh Goretsky (@goretsky). Most of the security and resiliency of our cyber assets is assessed in terms of malware and cyber-threat actors, which can divert the focus from the physical security and integrity of information. While data breaches and IoT compromises may seem to dominate the cybersecurity headlines, there are serious physical concerns with smoke filtering through hard disk drives. Smoke particles (“under a microscope they often look like jagged rocks”) can enter the hard drive “through the air pressure equalization hole,” bounce on the delicate spinning disks, which are instrumental in reading and writing data, and damage information by repeatedly scratching the surface of the disk. Some modern hard drives are pressurized and completely enclosed, which makes this vulnerability less likely, but smoke exposure may lead to corrosion on the hardware and threaten data integrity.

Breaking into iCloud

Motherboard: “How Hackers and Scammers Break into iCloud-Locked iPhones.” 06 Feb 2019 by Joseph Cox (@josephfcox) and Jason Koebler (@jason_koebler). “In a novel melding of physical and cybercrime, hackers, thieves, and even independent repair companies are finding ways to ‘unlock iCloud’ from iPhones.” iCloud is designed to make iPhones useless if stolen. “Find my iPhone” and the original owner’s exclusive ability to log in and out of iCloud are barriers to deter criminals from stealing iPhones. In other words, iPhones cannot be stolen and re-sold unless iCloud credentials are secured. To circumvent this, criminals are resorting to “iCloud unlock,” which is “a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they’re the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores” in order to con Apple employees into unlocking stolen iPhones, something only Apple stores can do if the legitimate iPhone owner can’t. “There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner.” A by-product of this practice is the negative backlash that legitimate iPhone repair shops suffer as a consequence. These businesses could thrive if Apple granted third parties the ability to unlock iCloud and offer complimentary services, but the illicit industry makes this highly unlikely.


Industries across our critical infrastructure are inching closer and closer to an all-encompassing approach to the surge of complex and blended threats. Accounting for physical impacts of a cyber incident (and vice-versa, as well as taking natural hazards and health threats into account) leaves security professionals with a challenging new set of risks and vulnerabilities that are not exclusively in the physical or cyber domain, but a blend of both. In a world where soon our cars will predict the weather and fill the gaps in rainfall patterns, understanding how the cyber world can impact the physical world has become more relevant than ever.


Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.


Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.