Perhaps one of the greatest fears shared by both IT and physical security professionals in today’s age of connected devices is the risk of a cyber-attack that goes beyond data theft and threatens human lives. Concerns surrounding potential attacks from nation-states or terrorists that cripple the electric grid or financial markets and change life as we know it are frequently cited as realistic possibilities, but as widespread as the impact of these attacks would be, there are still other, more localized threats that many people fail to take into consideration.
At last month’s Converged Security Summit in Atlanta, John Gomez, CEO of Sensato Cybersecurity Solutions, laid out a hypothetical scenario that would have businesses and consumers alike running to unplug their devices from the internet were it to ever come to fruition. In Gomez’s example, a cybercriminal taps into the printers at an office building and forces them to overheat and burst into flames. But rather than just stop there, the attacker proceeds to reroute their voice-over-IP (VoIP) phone systems to prevent 911 calls and hijacks their fire panel to circumvent any type of alarm from sounding.
While an attack of this nature may seem unlikely to some, it’s certainly not out of the realm of possibility given what we know about the vulnerability of internet-connected systems and how cyber-attackers have already proven that they can disable or destroy various pieces of physical equipment vis-à-vis the Stuxnet virus. In fact, just days after reports that batteries in Samsung Galaxy phones were exploding due to a flaw in the phone’s programming in 2016, Gomez said that both good and malicious actors investigated whether or not they could make the phone explode on demand.
“Why would you do that? Well, if you’re on the good side of the world and you have a terrorist out to do something and you could target their phone, and have it burst into flames while they’re holding it up against their head it’s a pretty good attack. Now if you’re on the bad side of the world, well obviously taking people out through their phone would be a pretty good tactic if you’re a terrorist,” Gomez says. “The point is this is the convergence of cyber and physical. It’s when we take the cyber asset – phones, printers, access control systems, perimeter protection – and we use the cyber element to create a physical attack.”
So, how can organizations increase their cybersecurity posture enough to prevent these types of worst-case scenarios from becoming a reality? According to Gomez, the key is psychology and changing the mindset of people that work within an organization.
“About 90 percent of cybersecurity, or even physical security, is your psychology,” Gomez explains. “We found a few years ago this thing called rational response theory, which is that most of us rationalize what we don’t understand or fear and that leads to the first chink in the armor of any kind of security.”
Gomez says that attackers bet on people’s rationalization – they will click a link or take some action that on the surface may seem harmless or even like the right thing to do but leads to a security breach. For example, in testing for security vulnerabilities, Gomez says his firm has had someone wait in a wheelchair in the rain with no coat on outside an employee entrance until someone inevitably asks how they can help and lets them inside the building.
“Two minutes after they’re brought in, they can get up and walk freely through the building,” Gomez says. “Why does that work? Because I know, psychologically, if I put someone in a wheelchair and they’re wet and they’re cold, people are going to help, which is great unless you’re trying to protect a facility.”
In addition, Gomez says that people also need to change their mindset as it relates to who today’s attackers are. Rather than someone living in their mother’s basement who spends their spare time trying to “hack” websites – the old “400-pound person” sitting on a bed image made famous by President Donald Trump in one of the 2016 presidential debates – Gomez said that today’s cybercrime organizations are comprised of the best and brightest students in Europe, many of whom have bachelor’s, master’s and even doctoral degrees in computer science. These cybercriminals are given high-salary jobs complete with paid vacations, full benefits and incentives.
“This is the forefront of cyber, these are the attackers and these guys are doing things that no one else is imagining because we rationalize and we don’t give them enough respect,” he adds. “The other thing is this changes the battlespace. So, if you think we’ve seen the worst of it or you think ransomware attacks are bad, wait until you start seeing polymorphic ransomware attacks which are ransomware attacks that change on the fly. Life has changed, your adversary has changed and that is leading to a much greater threat on the physical side.”
A Real-Life Scenario
To demonstrate just how big of a threat cyber-physical attacks are, Gomez recounts an example from a hospital that hired his firm to test their vulnerabilities. They decided to first carry out a physical attack by seeing if they could access a CAT scanner in the hospital and do something that would place patients or staff at risk, either by making it provide improper diagnoses or by physically hurting everyone in the vicinity of the device.
Gomez’s team was able to gain after-hours access to a room that contained the CAT scanner as there was no physical access control on the door. Prior to this, however, they entered the physicians’ lounge where they were able to “borrow” a couple of lab coats, allowing them to walk around the facility unimpeded.
After gaining access to the CAT scanner, they found the operating manual for it, accessed the computer systems that the operator had previously failed to log out from, and finally gained entrance to the scanner’s wiring closet. “This gave us multiple opportunities to inject things that could mess with the operation and the diagnostic capabilities of this CAT scanner,” he says.
The attack team also discovered a helium compressor unit with a cryocooler that they later learned was highly flammable and could be exploded. “We had the second element of our attack at that point, which was we could decide to either mess with the patient diagnostics or we could just explode this thing and hurt people around it,” Gomez adds.
All of this was accomplished not through the breach of a network but by simply accessing this unsecured scanner.
“You can apply this scenario to a lot of different things, and I know a lot of you are thinking; not in my world and I hope that’s what you’re thinking. I hope you’re thinking if someone was that audacious, we could stop them,” Gomez says. “Don’t rationalize. Don’t let your own psychology work against you because it is what (attackers) are counting on.”
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at firstname.lastname@example.org.