About a week ago, as we were coming out of the initial concerns relating to the WannaCry ransomware outbreak, I shared the following thought on LinkedIn: “WannaCry brings up a thought I often have – what is the best way to capture cyber incidents with physical impacts? I catch myself using ‘cyber-physical’ but that can’t be the best term.” A number of teammates and colleagues shared thoughts on LinkedIn and directly. That was really appreciated as it is important to gain others’ input into such things as terminology. And, it is important to have a common terminology to clearly and concisely communicate our thoughts in a way others can certainly understand what we mean (turns out, there really were valid reasons for those vocab exercises we all loved in grade school…).
So, the question is what do we call incidents (not accidents, but deliberate incidents) that blend cyber and physical components. I’m not sure those behind WannaCry intended to put patients’ lives at risk, but we saw the potential for that when the UK’s National Health Service (NHS) was hit, with 40 NHS trusts across the UK having confirmed they were dealing with WannaCry infection. According to SC Magazine, “NHS England confirmed that hospitals were hit by a simultaneous cyber-attack which affected units all over the country.” The disruption resulted in forced cancelations of routine procedures, the diverting of some emergency patients, and the loss of blood sample records for over 1,100 patients. Some of the additional frustrations hospital staff and patients experienced have been captured by the Guardian. This incident didn’t result in loss of life, but the potential for serious physical consequences resulting from cyberattacks is very real. And the potential for cyberattacks to target critical infrastructure is something that we’ve caught glimpses of on multiple occasions (Stuxnet, in Ukraine, in Germany…). There is also the other side of the cyber-physical coin – the potential for physical attacks to target information systems. These range from something like an angry employee conducting a simple assault on his office and damaging computer devices or servers, to something bigger, like a deliberate attack on a data center. These attacks can have both cyber and physical impacts – some low-level and some potentially devastating and life-threatening. We should be able to describe such an incident with common lingo.
So, to start, I grabbed some of the suggested terms and have included slightly modified versions of definitions pulled from Merriam-Webster online.
- Kinetic: of or relating to the motion of material bodies and the forces and energy associated therewith.
- Complex: a whole made up of complicated or interrelated parts.
- Hybrid: a car used in a non-fatal attack in the Office; a person whose background is a blend of two diverse cultures or traditions (hey, that’s me!).
- Converged: to tend or move toward one point or one another; come together.
- Blended: to mingle intimately or unobtrusively; to combine into an integrated whole; or, to produce a harmonious effect.
- Combined: to bring into such close relationship as to obscure individual characters.
- Sabotage: destruction of an employer’s property; destructive or obstructive action carried on by a civilian or enemy agent to hinder a nation’s war effort; or, an act or process tending to hamper or hurt.
- Attack: to set upon or work against forcefully.
In looking at those terms and giving thought to what really makes sense, several of the terms fit, but maybe not really well, or perhaps not as well as others.
The increasingly interconnected nature of cyber and physical systems, and the mutual dependency and increasing potential for attacks impacting both, are captured in the idea that these cyber-physical attacks represent a converged threat.
But attacks themselves are probably better captured as either Blended or Combined. The meanings are close and either probably works. On LinkedIn, I exchanged a few comments with Jory Maes, who provided some really valuable input into this. We discussed the use of the term “Complex Coordinated Terrorist Attacks (CCTA),” which are “acts of terrorism that: involve synchronized and independent team(s) at multiple locations sequentially or in close succession, initiated with little or no warning, and employing one or more weapon systems: firearms, explosives, fire as a weapon, and other non-traditional attack methodologies which are intended to result in large numbers of casualties.” (think, the 2015 Paris attacks). Jory kindly shot down my thoughts on related terms to describe cyber-physical incidents. With that, just to help differentiate, it may make sense to use blended rather than combined, to get away from any chance of confusion with CCTA. So, “blended” serves the purpose of describing the blending of cyber and physical.
We’re left then with how to describe the incident itself. I really liked the use of the term sabotage but, I think the simple use of attack is clearer and more precise. Sabotage is very correct but – and maybe it’s just me – always hints at mischievous scheming, whereas attack is very straightforward. Whether it is one nation plotting to disrupt the critical infrastructure of another nation or a yahoo just wanting to cause trouble and see what he can do, the term attack makes the point.
So, there it is. Blended Attack. A Blended Attack is deliberate, aggressive action that causes harm to both cyber and physical systems.
For the purpose of having an understandable term to use, I’m throwing Blended Attack out there and running with it unless someone can convince me of a more precise term or definition (which I’m certainly open to!).
Among others who shared input and ideas, I’d like to particularly thank Jory Maes and Jennifer Kazy.
- Jory is the Infrastructure Protection Program Manager with the Colorado Division of Homeland Security & Emergency Management. For more information link to: dhsem.state.co.us; www.readycolorado.com; www.coemergency.com; and on Twitter: @COEmergency @READYColorado and Facebook: COEmergency READYColorado.
- Jennifer is a Cybersecurity Risk Analyst at Gate 15, where she puts up with me and other equally difficult teammates. For more on Jennifer, find her on our website and on LinkedIn, or follow her on Twitter, @BasicILY and follow our team on Twitter: @Gate_15_Analyst, and LinkedIn: https://www.linkedin.com/company/gate-15!
Gate 15 provides intelligence and threat information to inform routine situational awareness and preparedness planning, and to penetrate the decision-making cycle to help inform time-sensitive decisions affecting operations, security, and resources. We provide clients with routine cyber and physical security products tailored to the individual client’s interests. Such products include relevant analysis, assessments, and mitigation strategies on a variety of topics.
This blog was written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.
Referenced articles can be hyperlinked to above.