The threat of physical damage to company assets – or worse, people – must be taken seriously
Data breaches, financial losses, business interruptions, reputational harm – mitigating these alarming risks is the focus of traditional cybersecurity strategies. But while it may sound like science fiction, a new nightmare scenario is emerging that’s keeping many IT leaders up at night. Cyber-attacks that cause physical damage to people or property is a real threat that many cybersecurity experts fear is being badly underestimated by companies.
Even if cyber-attacks don’t start out with destructive intent, it doesn’t take much for something as simple as a systems failure to escalate to dangerous or even deadly consequences. Incidences of deliberate cyber-physical attacks are increasing as well, with private companies finding themselves caught in the crosshairs of malicious nation-states.
At the heart of this cyber-physical risk is the simple fact that computers now control the majority of mechanical processes. Cars have essentially become giant computers. Manufacturing plants are increasingly automating their production lines. Even office buildings are becoming smart – with equipment like thermostats, HVAC systems, and locks woven together on interconnected computer systems.
That means any attack that impairs a company’s computer systems now has the potential to disable safety systems, cause factory robots to destroy rather than assemble products, or block access to critical resources like power, water, and coolants. And as the attack surface of connected systems and devices continues to grow at an exponential rate, the risk of physical cyber-attacks is spreading across industries from health care and manufacturing to utilities.
In fact, companies with industrial control systems (ICS) like manufacturers or energy suppliers are considered to be especially vulnerable for attacks intended to cause physical damage. These systems feature components that rely on communication between separate computer networks – providing many opportunities for cybercriminals to sneak in.
For instance, hackers could send false data that tricks sensors on refrigerated trucks into believing inside temperatures are at proper levels, ruining entire shipments of frozen goods. Or they could force cyclical behaviors that cause machinery to wear out, blow fuses, or in the worst cases, catch fire or explode.
Since there is little regulation requiring companies to report physical damage from cybercrime, many businesses don’t understand the scope of the threat. But Verizon’s 2018 Data Breach Investigations Report asserts that more than one in 10 data breaches in the previous year included a physical component.
Attacks that lead to bodily harm are the biggest concerns. A teenager injured 12 people, for instance, when he used a homemade transmitter to derail four trains in Poland. A disgruntled security guard threatened the safety of patients, drugs, and other medical supplies at a Dallas hospital when he used malicious software to attempt to seize control of its HVAC system.
But cyber-physical attacks also have the potential to cause devastating damage to a company’s bottom line. That includes the physical destruction of company assets but extends further to damages resulting from liability to a third party, such as aggressive regulatory sanctions or the cost to clean up pollution caused by equipment malfunctions.
Lawsuits are another significant concern, ranging from civil suits brought by injured users to criminal liabilities for corporate officers accused of endangering the public welfare through a lack of oversight.
One of the most publicized examples of a cyber-physical attack grabbed headlines in 2014 when hackers breached the computer network at a steel mill in Germany via a spear-phishing email and caused its control network to fail. The company was forced to perform an emergency shutdown of a blast furnace, leading to extensive damage.
In 2017, cybercriminals breached the security of a petrochemical plant in Saudi Arabia, hoping to sabotage the plant’s operations. They were stopped before they could trigger an explosion, but investigators were quick to point out that the system they so easily compromised is used by thousands of critical infrastructure operators globally and remains an ongoing vulnerability.
A study by the Lloyd’s insurance market estimated that a cyber-physical attack on 50 utility company generators in the Northeastern U.S. could cut power to 93 million people and cause widespread damage that leads to up to $1 trillion in losses.
7 steps that reduce the threat of cyber-physical attacks
But while it’s impossible to eliminate the threat of cyber-physical attacks, there are protective measures organizations can take to significantly reduce the possibility.
- Implement cybersecurity measures that recognize potentially malicious activity in a system, such as repeat remote access requests, system activity at unusual times, and access requests from suspicious domains.
- Train non-technical employees to recognize common attack methods like phishing emails. Training should also include what to do if they suspect an attack is taking place.
- Design smart infrastructure with security to not only prevent intrusions but to minimize damage in the event of a compromise.
- Build redundancies into critical processes, ensuring their availability in case hackers cause a device or path to fail.
- Separate critical control systems for machinery or production from business networks and other non-critical functions to make it harder for hackers to gain access. Control systems should never be accessible on the Internet.
- Routinely test systems for vulnerabilities and immediately patch issues that are detected.
- Have well-documented incident response, disaster recovery, and business continuity plans in place to contain the damage and minimize disruption.
Cybercrime is constantly evolving, forcing organizations to also constantly discover new ways to adapt to the latest threats. Cyber-physical attacks loom on the horizon as a new avenue for hackers – with potentially catastrophic results. A skilled cybersecurity provider can help you implement measures to protect systems before attacks cause costly physical damage or even worse, bodily harm to employees or customers.
CyberGuard360 is trailblazing a new software category with CyberGlass, the first and only cybersecurity product on the market to combine all the elements of a complete cybersecurity program in a single interface. To learn more about its full suite of features, including next-generation endpoint protections, call us at 844-315-9882 or use our contact form for a free consultation.