IT security threats and vulnerabilities are no stranger to enterprise IT systems; they are now largely well tracked, researched, mitigated and communicated by security leaders. However, the emergence of cyber-physical systems (CPSs) introduces a new set of considerations that few security leaders have previously had to address.
Cyber-physical systems, which arise either from OT/IT convergence or from the deployment of IoT and smart technologies, now face unique threats that are rapidly evolving as bad actors and their techniques move beyond enterprise IT systems. Unfortunately, most organizations are still only in the awareness stage, which itself presents the greatest threat, as ignorance is no longer bliss when it comes to CPSs in 2020 and beyond.
CPS threat actors are not dissimilar to those behind other cybersecurity threats; their motivations include:
- State-sponsored actors and advanced persistent threats (APTs), motivated by espionage, theft or any other activity that furthers the interests of a particular nation/group of nations
- Cyber terrorists intent on disrupting critical services or causing harm
- Organized crime looking for financial gain
- Insiders, who can be motivated by anything from revenge to fraud, or who can inadvertently create security incidents due to incompetence or negligence
- Hacktivists with a political cause or a societal gripe
- Script kiddies looking for excitement or notoriety
Unlike most IT cybersecurity threats, however, CPS threats are of increasing concern because their connection to the physical world means that the safety, operational resilience and environmental implications of an attack must also be considered.
Many cyber-physical systems underpin critical infrastructure. US security agencies including the FBI and CISA (Cybersecurity and Infrastructure Security Agency) have issued warnings of increased activity over recent months, with cyber-actors demonstrating continued willingness to conduct malicious cyber-activity against critical infrastructure by exploiting internet-accessible operational technology assets.
In 2019, Gartner predicted that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. Aside from the financial implications, CPS attacks can also entail loss of customers, intellectual property theft, operational shutdowns, degraded equipment performance and reduced quality of delivered products, to name a few.
Emerging threat vectors
As CPSs become increasingly connected and digital business innovations continue to take priority for organizations, the rapid adoption of technologies including IoT and 5G will have a much greater effect in the physical world, because risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum. Emerging threat vectors are evolving just as fast as the connectivity, heightening both risks and vulnerabilities.
Four emerging threats are outlined below that security leaders should consider:
5G security-related threats
As 5G becomes integrated across networks, allowing for faster communications, increased autonomy of vehicles and assets and better human-machine experiences, the implications of 5G for CPS are endless. As is unfortunately usual, speed to market and cost considerations are taking precedence over security considerations, and the security standards emerging are complex.
For example, mixed 4G/5G environments will lead to backward compatibility issues and mixed-environment management challenges. Targeted attacks are likely to increase, because identifiers such as device manufacturer, operating system, version and model allow bad actors to precisely categorize a device as Android or iOS, a video camera or a phone, a car modem, a router, etc. Physical-world security implications, such as attacks that rapidly drain a device's battery, are scarcely discussed. Physically, the widely deployed low-cost, short-range, small-cell antennas are likely to become new physical targets; conspiracy theory-fueled attacks on cell towers have already occurred.
Sensory channel threats
An important component of CPSs is the sensors they use to interact with each other and with the physical world around them. Yet most current security models focus on protecting the networking components of a CPS using traditional security mechanisms, such as an intrusion detection system for data that traverses network protocol stacks. As a result, not enough consideration is given to sensory channel threats (e.g., targeting light, temperature or infrared sensors), where bad actors could trigger malware, transfer malware or even combine malicious use of several sensory channels to increase the impact of the attack on CPS devices.
Data spoofing threats
Some CPSs rely on data communications to perform their intended functions. For example, commercial airplanes send and receive communications related to flight routes, navigation and landing. They do so via the Aircraft Communications Addressing and Reporting System (ACARS), which is unauthenticated. Such communications could be spoofed and manipulated to send false or erroneous messages to an airplane, such as incorrect positioning information or flight plans. Other data spoofing vectors for commercial aviation exist as well.
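The receiver-side difference between an unauthenticated link and a hardened one, as an added example that is not part of the original article and does not use real ACARS framing: the message format, the pre-shared key, the flight identifiers and the 1100 km/h plausibility bound are all constructed for illustration. The naive receiver accepts any message that parses; the hardened one requires an HMAC tag, rejects replayed or out-of-order sequence numbers, and rejects an authentic-looking position that the aircraft could not physically have reached since its last fix.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed toy message format for this example; it is NOT real ACARS framing.
#   FLIGHT|LAT|LON|T|SEQ[|MAC]   e.g. "XY123|51.4700|-0.4543|0|1"
SEP = "|"
MAX_SPEED_KMH = 1100.0  # assumed plausibility bound for an airliner (hypothetical)


@dataclass
class PositionMsg:
    flight: str
    lat: float
    lon: float
    t: int      # seconds since an arbitrary epoch
    seq: int
    mac: str = ""

    def body(self) -> str:
        # Canonical encoding covered by the MAC (fixed decimals so re-parsing is stable)
        return SEP.join([self.flight, f"{self.lat:.4f}", f"{self.lon:.4f}",
                         str(self.t), str(self.seq)])


def parse(line: str) -> PositionMsg:
    parts = line.strip().split(SEP)
    if len(parts) not in (5, 6):
        raise ValueError("malformed message")
    flight, lat, lon, t, seq = parts[:5]
    mac = parts[5] if len(parts) == 6 else ""
    return PositionMsg(flight, float(lat), float(lon), int(t), int(seq), mac)


def sign(key: bytes, msg: PositionMsg) -> str:
    """Sender side: append an HMAC-SHA256 tag computed with a pre-shared key."""
    tag = hmac.new(key, msg.body().encode(), hashlib.sha256).hexdigest()
    return msg.body() + SEP + tag


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class NaiveReceiver:
    """Accepts anything that parses: the unauthenticated situation the text describes."""
    def __init__(self) -> None:
        self.position: Optional[Tuple[float, float]] = None

    def accept(self, line: str) -> bool:
        m = parse(line)
        self.position = (m.lat, m.lon)
        return True


class HardenedReceiver:
    """Requires a valid MAC, a fresh sequence number and a physically plausible move."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last: Optional[PositionMsg] = None
        self.position: Optional[Tuple[float, float]] = None

    def accept(self, line: str) -> bool:
        m = parse(line)
        expected = hmac.new(self.key, m.body().encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; a missing tag ("") fails here as well
        if not hmac.compare_digest(expected, m.mac):
            return False
        if self.last is not None:
            if m.seq <= self.last.seq or m.t < self.last.t:
                return False  # replayed or out-of-order message
            hours = (m.t - self.last.t) / 3600.0
            moved = haversine_km(self.last.lat, self.last.lon, m.lat, m.lon)
            if moved > MAX_SPEED_KMH * hours + 1.0:
                return False  # validly signed but physically impossible jump
        self.last = m
        self.position = (m.lat, m.lon)
        return True


def demo(key: bytes = b"example-pre-shared-key") -> List[Tuple[str, bool, bool]]:
    """Feed the same constructed traffic to both receivers; returns (label, naive, hardened)."""
    traffic = [
        ("legit take-off fix",   sign(key, PositionMsg("XY123", 51.4700, -0.4543, 0, 1))),
        ("legit update +10 min", sign(key, PositionMsg("XY123", 51.9000, -0.3000, 600, 2))),
        ("forged, no MAC",       "XY123|48.8566|2.3522|900|3"),
        ("replay of update",     sign(key, PositionMsg("XY123", 51.9000, -0.3000, 600, 2))),
        ("impossible jump",      sign(key, PositionMsg("XY123", 40.7128, -74.0060, 1800, 3))),
    ]
    naive, hardened = NaiveReceiver(), HardenedReceiver(key)
    return [(label, naive.accept(line), hardened.accept(line)) for label, line in traffic]


if __name__ == "__main__":
    for label, n, h in demo():
        print(f"{label:22s} naive={n} hardened={h}")
```

The plausibility check matters even once messages are authenticated: a stolen key or a compromised ground station still produces validly signed messages, and a receiver that cross-checks new data against what is physically possible catches a class of spoofing that cryptography alone does not.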
QR code threats
QR codes are interesting because they are not traditional CPSs, but they do straddle both worlds. They are developed in the cyber world, created to live in the physical world, where they are read with a device to connect back to the cyber world. The top threat vector for QR codes is that an embedded malicious URL could take users to a fake website, capture personal data or install malicious software. In a pandemic world, many people see QR codes pop up as alternatives to physical restaurant menus, for example; but they were first used by the Japanese auto industry to streamline manufacturing processes and are widely used in operational and mission-critical environments where many CPSs reside.
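A triage routine for a decoded QR payload, as an added example that is not part of the original article: it takes the text a scanner has already decoded (no image handling) and decides whether the device may open it automatically, must show the user the real destination first, or must refuse. The scheme block-list, the shortener list and the "allow/warn/block" policy are assumptions for illustration; the checks themselves (code-executing URI schemes, userinfo tricks that hide the real host, punycode lookalike domains, IP-literal hosts, open Wi-Fi join payloads) are the ones behind the threat described above.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy lists for the example (not from the article); tune to your environment.
BLOCKED_SCHEMES = {"javascript", "vbscript", "data", "file", "intent"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload.

    Returns {'kind', 'verdict', 'reasons'} where verdict is 'allow',
    'warn' (show the user the real destination before acting) or
    'block' (never act on it automatically).
    """
    text = payload.strip()
    reasons = []

    # Wi-Fi configuration payloads: the risk is auto-joining, not a URL.
    if text.upper().startswith("WIFI:"):
        reasons.append("Wi-Fi join configuration; an attacker-controlled network sees your traffic")
        if "T:NOPASS" in text.upper().replace(" ", ""):
            reasons.append("open network (no password)")
        return {"kind": "wifi", "verdict": "warn", "reasons": reasons}

    parts = urlsplit(text)
    if not parts.scheme:
        # Plain text such as a table number or asset tag; nothing to open.
        return {"kind": "text", "verdict": "allow", "reasons": []}

    scheme = parts.scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return {"kind": "uri", "verdict": "block",
                "reasons": [f"'{scheme}:' can execute code or open local resources"]}
    if scheme not in ("http", "https"):
        # mailto:, tel:, sms:, app-specific schemes hand off to another application
        return {"kind": "uri", "verdict": "warn",
                "reasons": [f"non-web scheme '{scheme}' hands off to another app"]}

    host = (parts.hostname or "").lower()
    verdict = "allow"
    if parts.username is not None:
        # "https://bank.example@evil.test/" displays the trusted name first
        reasons.append("userinfo in URL hides the real host")
        verdict = "block"
    if scheme == "http":
        reasons.append("plaintext HTTP; destination can be altered in transit")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host; possible homograph lookalike domain")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host rather than a named service")
    except ValueError:
        pass
    if host in URL_SHORTENERS:
        reasons.append("URL shortener; final destination is hidden")
    if verdict != "block" and reasons:
        verdict = "warn"
    return {"kind": "url", "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over
    for sample in ["https://example.com/menu", "javascript:alert(1)",
                   "https://bank.example@evil.test/login", "https://xn--pple-43d.com/",
                   "http://192.168.1.10/x", "WIFI:T:nopass;S:FreeCafe;;", "Table 12"]:
        print(f"{sample!r:45s} -> {triage_qr_payload(sample)}")
```

Note that urlsplit treats any leading `word:` as a scheme, so free text such as "Note: call me" is classified as a non-web URI and warned on rather than allowed; for a scanner that is the safer failure direction.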
To manage the technology, information and resilience risk involved with CPS, security leaders should implement the following recommendations:
- Deploy operations or mission-centric asset discovery solutions to uncover all the CPSs already in their environment, as well as partner with engineering, operations and product development security teams to get ahead of greenfield deployments.
- Augment existing threat management and incident response approaches with an expanded lens to account for the broader CPS threat surface. At a minimum, any security solutions deployed in operational or mission-centric environments should also have anomaly and threat detection features.
- Deploy security best practices for CPS: identify high-value/mission-critical assets for immediate focus, use threat modelling to predict the most likely attack vectors and paths, and take an ecosystem view of the architecture (enterprise, operations, field, third party) with a critical eye toward understanding CPS connectivity, i.e., how these devices and systems communicate with each other, with other parts of your network, and with your vendors if they provide remote support.
Katell Thielemann, VP Research Analyst, Gartner