Kinetic attack is no longer the stuff of movies. The risk of a cyber-attack inflicting serious physical damage on your business is only too real - and you don't have to be the intended target to get hurt.
Ten years ago, the fourth Die Hard film pitted Bruce Willis against cyber-terrorists attempting to systematically shut down the US by attacking critical national infrastructure (CNI) and triggering physical mayhem in the process.
Today's real-world attackers no longer target only personal data and intellectual property; they also have in their sights systems whose compromise can cause massive physical harm. By exploiting the growing interconnectedness of devices, and businesses' dependence on network-enabled CNI, they can cut power, contaminate water supplies, or initiate a fire, flood or terror attack from half a world away.
There is a growing trend of connected CNI being targeted, both by state-sponsored and sub-state actors.
Understand your attack surface
Developing a solid understanding of the attack surface of your organisation is essential for protecting it, not only from the business risk of a successful assault, but also from the physical harm that could be done.
The Internet of Things (IoT) is organically growing that attack surface by the day, with every networked device providing a potential vector for attackers. Vulnerabilities that could produce a kinetic effect have been found in innocuous items, from laser printers to networked vehicles, and the legacy operating systems underpinning older SCADA and industrial control systems give attackers yet more opportunities.
Would-be attackers even have a road map thanks to specialist search engines such as shodan.io, which crawl the internet for publicly accessible devices and let users find vulnerable systems and hardware with relative ease. The defensive corollary is to search those same engines for your own IP ranges and domains before an attacker does: anything that shows up there is part of your attack surface whether you intended it or not.
Also, the leaking of nation-state malware allows attackers to repurpose high-end code for their own ends. WannaCry, the ransomware that crippled the NHS in May 2017, spread using EternalBlue, an exploit for a flaw in Microsoft's SMB implementation that was developed by the US National Security Agency and published by the Shadow Brokers group; Microsoft had patched the flaw (MS17-010) two months before the outbreak, so unpatched, network-exposed systems were the ones hit.
All this makes it essential to understand how your business systems function, their dependencies, and which ones are network enabled.
1. Don't assume kinetic attack is science fiction: There are plenty of solid examples of viable kinetic cyber-attack, from overheating printers and remote control of cars, to the 2015 disruption of power in Ukraine and Stuxnet's destruction of Iranian nuclear centrifuges.
2. Don't assume you're not a target: Even if you're not operating in an industry targeted by nation-state or advanced persistent threat (APT) actors, you could find yourself targeted by 'hacktivists' with a political agenda, or by novice hackers simply flexing their muscles.
3. Don't assume you are immune to collateral damage: If critical national infrastructure (CNI) is attacked there is likely to be an impact on your business, whether direct (your power is cut) or indirect (your staff can't get to work because the trains aren't running).
4. Disconnecting is not an option: It is simply not viable to disconnect from CNI as the cost to your enterprise could vastly outweigh any possible gain.
What you need is an in-depth business continuity and disaster recovery plan to mitigate the real risk of cyber-attack with kinetic consequences.
Reducing the risks
While the likelihood of kinetic attack may be slim, you need to have the possibility on your radar, which means the risk of attacks on CNI should be part of your general risk assessment and managed appropriately, according to your risk appetite.
As well as making sure you understand your attack surface, you should:
· Conduct a thorough analysis of dependency on CNI using a critical infrastructure dependency analysis tool
· Regularly stress test and update your plans for business continuity and disaster recovery
· Consider your suppliers' vulnerabilities to CNI attack and the effect it might have on your supply chain.
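The dependency analysis above, and the earlier point about knowing which of your systems are network enabled, can be made concrete with a small script. The following is an added example, not code from the author or from Mason Advisory, and it is not the "critical infrastructure dependency analysis tool" the article refers to. The inventory it works on is constructed for illustration: each asset records its kind (CNI, supplier, internal system or business process), whether it is network enabled, whether it runs a legacy operating system, and what it depends on. The script then computes the transitive blast radius of a single CNI failure (distinguishing direct from indirect impact, as in point 3 above), lists the external single points of failure for a business process, and flags the network-enabled legacy assets that a Shodan-style crawl would find first.

```python
"""Dependency and exposure analysis over a constructed asset inventory.

Added example; the inventory below is hypothetical and not taken from the article.
"""
from collections import deque

# kind: "cni" (critical national infrastructure), "supplier", "internal" system,
# or business "process". depends_on lists what each asset needs in order to operate.
INVENTORY = {
    "national_grid":    dict(kind="cni", network_enabled=True, legacy_os=False, depends_on=[]),
    "water_utility":    dict(kind="cni", network_enabled=True, legacy_os=True, depends_on=["national_grid"]),
    "rail_network":     dict(kind="cni", network_enabled=True, legacy_os=False, depends_on=["national_grid"]),
    "isp_backbone":     dict(kind="cni", network_enabled=True, legacy_os=False, depends_on=["national_grid"]),
    "widget_supplier":  dict(kind="supplier", network_enabled=True, legacy_os=False,
                             depends_on=["national_grid", "isp_backbone"]),
    "site_ups":         dict(kind="internal", network_enabled=True, legacy_os=False, depends_on=["national_grid"]),
    "hvac_controller":  dict(kind="internal", network_enabled=True, legacy_os=True, depends_on=["site_ups"]),
    "office_staff":     dict(kind="internal", network_enabled=False, legacy_os=False, depends_on=["rail_network"]),
    "erp_system":       dict(kind="internal", network_enabled=True, legacy_os=False,
                             depends_on=["site_ups", "isp_backbone", "hvac_controller"]),
    "order_fulfilment": dict(kind="process", network_enabled=False, legacy_os=False,
                             depends_on=["erp_system", "office_staff", "widget_supplier"]),
}


def reverse_graph(inventory):
    """Map each asset to the assets that depend on it directly."""
    dependents = {name: [] for name in inventory}
    for name, asset in inventory.items():
        for dep in asset["depends_on"]:
            dependents[dep].append(name)
    return dependents


def impact_of(inventory, failed):
    """Transitive blast radius of one failed asset.

    Returns {affected_asset: hops}. hops == 1 is a direct impact (your power is
    cut); hops > 1 is indirect (staff cannot get in because the trains stopped).
    Breadth-first search over the reverse graph gives the shortest path to each.
    """
    dependents = reverse_graph(inventory)
    hops = {}
    queue = deque([(failed, 0)])
    while queue:
        node, distance = queue.popleft()
        for nxt in dependents[node]:
            if nxt not in hops:
                hops[nxt] = distance + 1
                queue.append((nxt, distance + 1))
    return hops


def external_single_points_of_failure(inventory, process):
    """CNI and supplier assets whose failure alone stops `process`."""
    return sorted(
        name for name, asset in inventory.items()
        if asset["kind"] in ("cni", "supplier") and process in impact_of(inventory, name)
    )


def exposed_legacy_assets(inventory):
    """Network-enabled assets still on a legacy OS: the easiest targets to find and exploit."""
    return sorted(n for n, a in inventory.items() if a["network_enabled"] and a["legacy_os"])


if __name__ == "__main__":
    for failed in ("national_grid", "rail_network", "water_utility"):
        print(f"If {failed} fails:", impact_of(INVENTORY, failed))
    print("External SPOFs for order_fulfilment:",
          external_single_points_of_failure(INVENTORY, "order_fulfilment"))
    print("Network-enabled legacy assets:", exposed_legacy_assets(INVENTORY))
```

In the constructed inventory a grid outage reaches every other asset, the rail network stops order fulfilment only indirectly (via staff who cannot travel), and the water utility, despite being CNI, has no dependents at all, which is exactly the kind of distinction a risk assessment needs before deciding what to mitigate, what to transfer and what to accept. Feeding the script your real inventory, including suppliers, turns the third bullet above into a repeatable check rather than a one-off exercise.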
With such broad dependency on CNI, you can't eliminate risk, but, if you understand your exposure, you can reduce it where practicable and transfer it where required, using a holistic and rigorously tested disaster recovery and business continuity plan.
Contributed by Graeme Park, senior consultant at Mason Advisory
Graeme is an IT security professional with over eight years' experience in IT delivery, information assurance and cybersecurity in a high-profile and fluid MoD environment. Prior to joining Mason Advisory, Graeme had a distinguished military career reaching the rank of Major. He is endorsed by the National Cyber Security Centre (NCSC) and the Institute of Information Security Professionals as a Senior Security Information Risk Advisor. He is also an accomplished penetration tester and in the process of completing a GCHQ accredited degree in Cyber Defence and Information Assurance.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.