Mapping the consequences of cyber-physical attacks

At the start of this year, the World Economic Forum (WEF) published their annual Global Risks Report, and while there was an understandable focus on the risks posed by climate change and extreme weather events, cybersecurity also took center stage. Just as the 4th industrial revolution popularized by WEF founder Klaus Schwab illustrates the merging of digital and physical domains, so too are many of the cybersecurity challenges emerging in this space.

“Operational technologies are at increased risk because cyberattacks could cause more traditional, kinetic impacts as technology is being extended into the physical world, creating a cyber-physical system,” the WEF says. “However, using “security-by-design” principles to integrate cybersecurity features into new products is still secondary to getting products quickly out into the market.”

To date, the Department of Homeland Security highlights 16 sectors as key, including transportation and energy. They’re regarded as so important that any downtime or interruption to their operation would have a considerable impact on the security, economic vibrancy and safety of the country. In many ways, these airports, power plants and electrical grids are the glue that holds society together, and any breakdown in infrastructure has at least annoying consequences, but at worst catastrophic ones.

Ukraine provided a perfect example of just how big a threat this is, as hackers compromised the energy system in 2015 and shut off power to around 230,000 people. It was a prime example of how cyberwarfare is being waged alongside the more traditional sort, and with more and more systems online, the warning is one that we should all heed.

An existential threat

Towards the back end of last year, the National Infrastructure Advisory Council (NIAC) published a report highlighting the existential threat cyberattacks were posing to national security. These threats are not just limited to high profile infrastructure, such as nuclear power plants, but also on the supply chains that so facilitate life as we know it today.

It suggests that numerous countries, including China, Russia and Iran, have the capability to launch a cyberattack on critical infrastructure, and urges preventative measures to be put in place to mitigate this risk.

Despite the Department of Homeland Security recently reviving a program to better detect the risks in areas such as aviation, alongside guidelines for small businesses and local government on cybersecurity issues, there remains much that can be done.

As F-Secure highlights in their recently published Attack Landscape H1 Report, the Internet of Things remains an area of grave concern, with countries around the world vulnerable to cyber attack in this way. 

Researchers from the Institut für Angewandte Informatik in Austria are developing a simulator to help assess the various forms of cyber-physical attacks. Central to their project is an understanding of the dynamic relationship between infrastructure. For instance, if a power plant fails then this has a knock-on effect on things such as water supplies and cooling systems, which could damage the supply of food in our supermarkets. It’s also likely to have a detrimental impact on hospitals, public transport networks and various other vital parts of our lives and communities.

The project is striving to provide a comprehensive risk model for the Austrian capital Vienna, and would be built using the data already available from the city authorities and major stakeholders. It aims to use artificial intelligence to ensure the simulation is as lifelike and realistic as possible.

Building cyber resilience

Such projects are increasingly common, with Brainport Eindhoven developing a Cyber Resilience Center in the Netherlands to help protect the region’s manufacturing sector from cyber attack. The facility aims to provide companies in the region with a collective system to help them protect against attack. The project reinforces the notion that systems are only as strong as their weakest points, and therefore small businesses have to be as robustly defended as larger institutions.

“The national and international examples of recent cyber attacks are numerous and the economic impact for a company and/or region can be enormous. Large companies such as ASML and Philips will be able to weather a cyber attack, but for SMEs that is very much the question”. The team say. “Chain resilience is therefore of really great importance. The exchange of information and cooperation are the key to cyber resilience, as we are becoming more and more digitally connected. At the same time, entrepreneurs in the smaller business community do not have sufficient knowledge and resources to be self-reliant.”

It’s clear that as the digital and physical worlds become ever more intertwined that this kind of integrated approach is crucial, and that cybersecurity professionals are as vital a part of any development as physical security experts. Only then will sufficient risk assessments be possible and mitigation strategies deployed.