Cyber-physical security convergence is not a new concept but it is increasingly gaining attention from security leaders—in both the private and public sectors. Here, we explore what converged security entails and how to achieve and strengthen cyber-physical resilience.
In February, a cyber attack forced a network of Florida healthcare organizations to divert several of its emergency patients to other facilities and cancel many of its non-emergency surgeries. This attack, the latest in a number of cyber crimes aimed at U.S. healthcare providers in the past few years, is an example of the rapidly increasing cyber-physical risks that organizations—both in the public and private sector—are facing today.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), these risks are defined as those that have ramifications in both the digital and physical domains. While the threat can emanate from either domain, cyber-physical risks often begin with a cyber threat vector, such as a ransomware attack, and then spill over into the physical world.
When threats in the digital and physical domains converge, the consequences are often real and significant as evidenced by the attack on the Florida healthcare system.
Other times, cyber-physical risks lead to major business disruption. For example, when global software company Kaseya was hit with a ransomware attack in 2021, more than a thousand of its clients and its clients' customers were affected, including Sweden’s largest grocery chain, which had to shut down 800 of its stores as a result.
Although related, there is a distinct difference between cyber-physical security convergence and security convergence.
As cyber-physical risks have rapidly evolved in type, impact and scope, Dataminr recommends organizations view them on a threat spectrum.
On one end of the spectrum are kinetic events that have an impact on the cyber infrastructure of organizations and industries. This includes physical threats to information technology (IT) and operational technology (OT) infrastructure, network and power outages, natural disasters and more. These events are not inherently cyber-related but can have significant impact on cyber infrastructure.
On the opposite end are cyber events that impact the physical world, such as cyber attacks against critical infrastructure that have varied ramifications—ranging from inconveniences for consumers to supply chain disruptions and third-party and vendor risk. Consider the serious ripple effects of a ransomware attack against a manufacturing plant. For example, as semiconductors (or chips) are vital to the operation of cars and consumer electronics, a cyber attack against a semiconductor manufacturer is likely to significantly disrupt the automotive and consumer electronics industries.
In the middle of the cyber-physical risk spectrum lies geopolitical risk, with the most notable and recent example being Russia’s invasion of Ukraine, which has sparked ongoing cyberwarfare.
As the conflict persists, the world has witnessed a spike in attention paid by Russian threat actors—not only to Ukrainian assets but also to industries and countries believed to be sympathetic to Ukraine. For example, the pro-Russia hacking group Killnet has been a persistent threat in this area, especially against the U.S. aviation industry, in retaliation for the U.S.’s involvement in the war. This includes an attack on U.S. aviation defense contractors and a DDoS attack against more than two dozen U.S. airports.
The increase in cyber-physical risks is due to both the prevalence of IoT and OT devices and the advancement of the tactics and procedures employed by threat actors. Our society, governments and businesses across all industries rely on these devices and the cloud much more than they did five or 10 years ago. This has created a significantly larger attack surface with new and expanding vulnerabilities and risks that have real-world consequences.
“The attack surface has rapidly expanded because our world is now flush with cyber-physical systems that connect the digital and physical domains,” said Nate Green, Product Marketing Director at Dataminr.
And the stakes are high. According to the U.S. White House, cyber-physical systems (CPS) are complex and fragile and “can easily break down or suffer from cyber-attacks…events or attacks in one part of one system can have ripple effects leading to banking outages, oil pipeline failures, ground-stops of whole fleets of aircraft, and disruption of medical facilities with devastating outcomes.”
The pace and level of this dependence are only accelerating, making the attack surface that threat actors can manipulate and exploit ever-growing. Take for instance ransomware attacks. They surged by 87% in 2022 from the year before, with energy, manufacturing and financial services as the most commonly targeted industries by politically and/or geopolitically motivated threat actors.
As such, organizations in these industries tend to be much more forward-thinking and innovative in how they manage cyber-physical risks to ensure business resilience and prevent financial, operational and reputational damages.
However, it’s important to remember that cyber-physical risks are not limited to CPS. As mentioned earlier, physical events can greatly impact digital infrastructure. For example, record temperatures in the U.K. and U.S. in 2022 caused a number of Google and Oracle data centers to suffer from outages. As severe weather occurs more frequently, data centers and other critical infrastructure become more vulnerable. Add to that the rise in cyber crimes and ongoing geopolitical tensions, and cyber-physical risks become much more prevalent.
Recognizing the surge in cyber-physical risks and the urgent need for a more holistic, innovative approach to responding to those threats, a number of regulators and governments have developed new regulations and initiatives. The U.S. has responded by creating a working group dedicated to strengthening cyber-physical resilience with the goal of finding new approaches to the problem; experts from academia and the public and private sectors will be consulted.
The European Union is following suit. In December 2022, the European Commission issued the new NIS2 Directive, which seeks to boost cyber and physical resilience of EU critical entities and networks by expanding the sectors and types of entities falling under its scope. These include digital infrastructure such as public electronic communications networks and services, as well as physical infrastructure like manufacturing of critical products, and postal and courier services.
More businesses are also realizing the impacts of cyber-physical threats and how they can ultimately affect operational and business resilience. In response, they have taken steps to ensure tighter alignment between their cyber and physical security teams, which allows for a more holistic view of CPS and risks.
Some companies have done this by creating a formal security operations center (SOC) that merges cyber and physical security teams into a single, unified function. Others forgo combining the teams and instead focus on ensuring effective collaboration and communication between the two, including following best practices like sharing incident response playbooks and conducting tabletop exercises together.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), those that do establish a formal means for the two security functions to work together will be more resilient against, and better prepared to identify, prevent, mitigate and respond to, cyber-physical threats.
Staying up to date on new and emerging risks is a constant challenge for any organization, especially if the business relies on third-party vendors—such as suppliers, manufacturers, distributors and more. Each third-party partner is a potential attack vector.
If a vendor has a vulnerable attack surface, it could be used to gain access to the various organizations for which it provides services. Those organizations are then more at risk to cyber threats such as a data breach. The more vendors a company uses, the larger its attack surface and the more potential vulnerabilities it can have.
To gain the earliest and clearest line of sight into such cyber-physical threats, security operations on both the cyber and physical sides of the house should ensure they have access to real-time alerting tools and technology. Organizations, particularly those that have established modes of collaboration among all security teams, are then able to quickly respond to and effectively mitigate threats no matter the origin or type of impact.
“It is unreliable to rely on your vendors and suppliers to inform you of a disruptive event in a timely manner, especially if they’re the ones under attack. Having real-time, actionable data on emerging threats to your business and partners allows for contingency planning and faster, more proactive responses to incidents—by hours or sometimes days,” says Green.
There are two key ways organizations can better protect themselves against cyber-physical risks:
Invest in the right tools and technology
Real-time alerting solutions are key to detecting and responding to threats as soon as possible. Dataminr Pulse, for example, provides intelligence on cyber-physical risks as they happen.
For example, in the case of the aforementioned cyber attack on the U.S. aviation industry, Pulse alerted its customers of hackers’ intent to target the airports’ network infrastructure eight hours ahead of media coverage. This allowed customers to accelerate their response timelines.
Businesses also need tools that enable them to assess their attack surface (e.g., network infrastructure), practice cyber hygiene and develop robust response playbooks.
Acquire industry insights
This is vital. Security teams should communicate with their industry peers to learn how they are managing cyber-physical risks. This includes asking: How are phishing campaigns and/or ransomware groups targeting your organization? What vulnerabilities are consistent across your industry, whether that be an industrial control system (ICS), a customer relationship management (CRM) platform or a specific piece of software that's ubiquitous in your sector?
The convergence of cyber and physical risks is not a new concept and it will only become more prevalent due to the proliferation of OT and IoT devices. Organizations should also keep in mind that cyber-physical risks exist in a threat spectrum and the attack surface is ever-growing. Businesses that understand this and take swift action to strengthen their resilience against converged risks will be in a much better position to respond to and recover from a threat when—not if—it occurs.