Published on 09/09/2020 | Written by Jonathan Cotton
A connected world is a risk-filled one, says Gartner, and it’s CEOs on the hook…
As the recent attacks on the NZX show, it’s a whole new world of cyber risk out there. And DDoS attacks aren’t the half of it.
Increasingly, analysts are looking to the vulnerabilities of ‘Cyber Physical Systems’ (CPS), networks of embedded systems that interact with physical input and output. As the Industry 4.0 revolution rolls on, and the Internet of Things rapidly becomes the Internet of All the Things, these interactions between the physical and computational are increasingly ubiquitous, complex, and critical.
“The fast and significant evolution of CPS affects… people’s way of life and enables a wider range of services and applications including e-Health, smart homes, e-Commerce, etc,” say the writers of the research report, Cyber-physical systems security: Limitations, issues and future trends, published in June by US National Library of Medicine. “However, interconnecting the cyber and physical worlds gives rise to new dangerous security challenges.
“This is due to their heterogeneous nature, their reliance on private and sensitive data, and their large scale deployment.”
“As such, intentional or accidental exposures of these systems can result in catastrophic effects, which makes it critical to put in place robust security measures.”
Simply put, interconnecting the cyber and physical worlds – especially for critical applications – gives rise to a score of new and dangerous security challenges.
In March of last year, the US Department of Homeland Security (DHS) issued a warning that hackers could access certain implanted cardiac defibrillators made by the company Medtronic. The vulnerability meant that an attacker with short-range access to the device could ‘inject, replay, modify, and/or intercept data’, the DHS said at the time.
“This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.”
While the pacemaker problem could be fixed with a firmware update, the challenge extends beyond connected medical devices. From smart cars to smart factories, infrastructure both public and private, and connected homes and offices, new types of risk are arriving moment to moment, embedded in the technology of everyday life.
Pen Test Partners recently documented how easy it would be for malicious actors to hack – and then capsize – a cargo ship, by taking control of its ballast pumps remotely.
“If one was suitably motivated, perhaps by a nation state or a crime syndicate, one could bring about the sinking of a ship,” say Pen Test researchers. “Maybe one wanted to delay an LNG shipment in winter to a country running out of gas, affecting spot prices. Maybe one wanted to affect shipping of critical components, or just influence the stability of a country dependent on maritime cargo?
“Any half-decent attacker can happily abuse these operating systems all day long and still cover their tracks effectively. This means that trying to establish confidence in the data that these systems hold will be difficult at best, impossible at worst.”
While we’re yet to experience the first truly catastrophic CPS attack, it seems like it’s only a matter of time.
“Cyberattacks on critical infrastructure… have become the new normal across sectors such as energy, healthcare, and transportation,” says The World Economic Forum’s 2020 Global Risks Report.
“Such attacks have even affected entire cities. Public and private sectors alike are at risk of being held hostage.
“Digital dependency is changing the nature of international and national security,” says WEF.
Given the reality of that threat, research firm Gartner is predicting a rapid increase in CPS attacks, as insufficient security protocols leave systems open to attack.
Predicting imminent deadly consequences, Gartner is forecasting that the financial impact of cyber-physical systems attacks resulting in fatal casualties alone will reach over US$50 billion by 2023.
And as life – and capital – is lost, high-profile exploits will quickly lead to regulation, say Gartner analysts.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” says Katell Thielemann, research VP at Gartner.
Accordingly, says Gartner, personal liability for such cyber-physical security incidents will ‘pierce the corporate veil’, affecting ‘75 percent of CEOs by 2024’.
“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.
“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” says Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”
“A focus on ORM – or operational resilience management – beyond information-centric cybersecurity is sorely needed.”