The Effects of Cyber-Physical Attacks on Ill-Prepared Organizations

Sept. 10, 2021
Cyber-physical attacks most commonly target the critical infrastructure and healthcare sectors

Cyber threats against cyber-physical systems have existed for decades. In 2010, Stuxnet demonstrated malware’s potential impact on industrial control systems. Multiple attacks against Ukraine’s power grid occurred in the following years.

2021 has experienced an ever-increasing number of threats to cyber-physical systems, followed by widespread public awareness. The narrowly averted attack (February 2021) on the water treatment plant in Oldsmar, Florida threatened the city’s water supply by injecting dangerous levels of chemicals. Furthermore, the May 2021 ransomware attack on the Colonial Pipeline shut down 40% of the U.S. East Coast’s fuel supply and was labeled a national emergency.

Organizations need to implement defenses to detect and protect against cyberattacks, especially in heavily targeted industries like critical infrastructure and healthcare.

The Growing Threat of Cyber-Physical Attacks

Attacks on cyber-physical systems occur on a regular basis. However, 2021 is notable for experiencing multiple successful and high-impact attacks. The two largest contributors to the growing threat are the changing nature of organizations’ networks and the rise of ransomware.

Evolving Networks -- Cyber-physical attacks most commonly target the critical infrastructure and healthcare sectors. Organizations in these industries have the greatest number of cyber-physical systems, providing a wide range of potential targets, and are uniquely vulnerable to these types of attacks.

Dissolving Perimeters in Critical Infrastructure -- Operational technology (OT) availability and uptime are the primary concerns within the critical infrastructure sector. Taking down a critical system for maintenance could result in a power outage or a loss of access to drinking water. Therefore, many OT environments are running legacy systems that lag vulnerability patches and other updates.

In the past, OT systems were protected by an air gap, which physically isolated them from the organization’s IT network and the Internet. While this did not provide perfect protection (as demonstrated by Stuxnet), it made these systems more difficult for attackers to access and exploit.

Today, the OT/IT air gap is dissolving to enable remote monitoring, data acquisition and management of OT systems from devices on the IT network. While this provides greater convenience and efficiency, it also exposes vulnerable OT systems to cyber threats.

An Expanding Internet of Medical Things (IoMT) -- Internet of Things (IoT) device adoption has exploded and many of these devices pose significant threats to security and privacy. However, the medical sector’s adoption of highly intrusive Internet-connected devices eclipses other industries due to the rapid response required for patient wellbeing and survival. These devices enable continuous monitoring and management for inpatient and outpatient care.

Within hospitals, diagnostic tools are connected to networks, providing real-time or quick access to review results. In addition, more and more people are adopting health tracking apps and/or Internet-connected pacemakers and glucose monitors. These Internet of Medical Things (IoMT) devices can have dramatic effects if targeted by a cyberattack. Tampering with scans could cause a patient to skip a critical procedure or undergo an unnecessary one. Compromised pacemakers can be configured to deliver painful shocks or to halt functionality until a ransom is paid.

Despite the growing threat to IoMT devices, the healthcare sector is lagging behind in cybersecurity. As a result, the healthcare industry has the highest average cost of a data breach and is the slowest to detect them with an average time of 329 days, compared to a global average of 290.

The Rise of Ransomware -- The evolution of cyber-physical systems in critical infrastructure and healthcare sectors is a major driver in the rise of cyberattacks on these systems. However, another important contributor is the continued increase and advancement of cybercriminals.

In 2017, when WannaCry was released, it came as a surprise to many. While ransomware has existed for more than 30 years, ransomware attacks were uncommon. Today, these attacks occur daily and are the leading threat to corporate cybersecurity.

Ransomware’s rise can be attributed to two key factors:

  • Ransomware attacks have proven highly successful and profitable. In the healthcare sector, ransomware attacks cost an estimated $20.8 billion in 2020, and the average ransom payout is more than $300,000. Cybercrime is a business and ransomware provides an easy opportunity for cybercriminals to monetize their attacks.
  •  The introduction of Ransomware as a Service (RaaS) enables one cybercrime group with a ransomware variant to distribute it to “affiliates” to infect target organizations. RaaS models enable cybercriminals to specialize, allowing ransomware groups to dramatically expand the scale and profit of their attacks, and place sophisticated malware in the hands of more cybercriminals. As a result, ransomware attacks are more common and more successful.

Best Practices for Improving Cyber-Physical Security

Although cyber-physical systems do not mirror traditional IT systems, many of the same security best practices apply. Organizations should continually improve the maturity of security programs and elevate the protection of cyber-physical and traditional IT systems.

That said, many cyberattacks on cyber-physical systems (including those on the Oldsmar water treatment plant and Colonial Pipeline) take advantage of lapses in basic security controls between the business network and the operational network. Implementing a few best practices can dramatically improve an organization’s resiliency against these attacks.

Stronger Authentication and Access Control -- The common thread in many attacks on cyber-physical systems, and cyberattacks in general, is weak authentication and access management. The Oldsmar plant was exploited using the organization’s TeamViewer software with credentials that were shared by all employees and may have been leaked in an earlier breach. Similarly, the Colonial Pipeline attackers accessed the company’s systems using a virtual private network (VPN) with connections leaked on the dark web.

Using the same password across multiple accounts and forgetting to monitor and change leaked passwords are failures in basic security controls. Organizations should enforce strong password policies, establish controls following least privilege, implement multi-factor authentication (MFA) and cryptographically validated identities where applicable, and monitor for compromised credentials on the dark web.

Secured Remote Access -- In addition to shared password issues, the Oldsmar plant and Colonial Pipeline attackers took advantage of remote access solutions that provided access to critical systems given a set of valid credentials. With the rise of remote work, remote access is necessary, but it is important to implement it in a secure fashion. If an organization uses the Remote Desktop Protocol (RDP) or a VPN, access should be limited and protected with a jump host and strong authentication. A better approach is to use a solution that supports a zero-trust security policy, such as zero-trust network access (ZTNA).

Network Segmentation -- An organization’s environment includes a variety of devices with different criticality and trust levels. For example, IoT devices are largely insecure, making them a common target of cybercriminals. Generally, these devices should be untrusted. Alternatively, certain high-value systems require a high level of trust and are critical to operations.

Within an organization’s network, the boundaries between devices with different levels of sensitivity and trust should be enforced and protected. IoT devices should be segmented from the rest of the network to decrease the chance that an infection could spread to the rest of the network. Critical systems should have additional monitoring and protection to minimize the chance that an attacker can access them.

Proper network segmentation dramatically reduces cyber threat potential to critical systems. For example, the Oldsmar plant hack was made possible because a critical system was directly accessible from the Internet via TeamViewer. Restricting critical system access to only internal devices and inspecting all traffic for anomalies may have prevented the hack.

Improving the Security of Cyber-Physical Systems

The Oldsmar plant and Colonial Pipeline hacks demonstrate cyberattacks’ potential ramifications on unprepared organizations with limited cyber-physical infrastructure. If these attacks were successful, many of Florida’s residents may have become critically ill and multiple states would have experienced no fuel for several days.

The willingness and ability of cybercriminals to successfully target and exploit major organizations with cyber-physical systems increases daily. IT environments are constantly evolving, data breaches are a regular occurrence, and cybercriminals will never stop probing and exploring an organization’s defenses for exploitable vulnerabilities. Authorities recognize the potential damage of cyberattacks and many have responded with directives. For example, and as a direct result of the pipeline attack, the Transportation Security Administration (TSA) released a cyber directive requiring critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator. The directive also requires critical pipeline owners and operators to review current practices and to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

To effectively manage the risk of cyber-physical attacks, organizations must implement defenses to prevent, detect, and respond to attacks. Employing security-focused best practices (related to technologies, teams, and ways of working together) helps eliminate some of the most commonly exploited vulnerabilities within an organization’s environment. Designing and implementing a more comprehensive security strategy enables holistic management of cyber risks to cyber-physical systems.

About the author: Michael Welch is the Managing Director of Strategy and Risk at MorganFranklin Consulting. Welch works with clients and partners globally. As a management and technology consulting firm that works with leading businesses and government to address critical cybersecurity, finance, technology and business objectives, Welch brings years of practical experience as a CISO and Senior Manager for compliance and critical infrastructure protection to the table. 
About the Author

Michael Welch | Managing Director of Strategy and Risk at MorganFranklin Consulting.

Michael Welch is the Managing Director of Strategy and Risk at MorganFranklin Consulting. Welch works with clients and partners globally. As a management and technology consulting firm that works with leading businesses and government to address critical cyber security, finance, technology and business objectives, Welch brings years of practical experience as a CISO and Senior Manager for compliance and critical infrastructure protection to the table.