How to Improve Security and Safety in a World of Cyber-Physical Dangers
Over the past decade, the world has witnessed a new type of cyber attack that can cause physical damage, disruption and even destruction of critical infrastructure and industrial systems. These attacks, known as cyber-physical attacks, use digital means to manipulate or sabotage physical processes, such as power generation, water treatment and manufacturing. They pose a serious threat to the safety and security of essential services and operations that depend on operational technology (OT) networks.
OT-targeted cyber attacks are on the rise
The first cyber-physical attack to be publicly disclosed was Stuxnet, a sophisticated computer worm that targeted Iran’s nuclear program and was uncovered in 2010 [1]. Stuxnet was designed to infect the controllers driving specific centrifuges used for uranium enrichment and to sabotage them by manipulating their operating speed until they failed, while feeding the monitoring system normal-looking readings.
Since then, five more cyber-physical attack frameworks have been identified, each with different targets, techniques and objectives. BlackEnergy and Industroyer were used against Ukraine’s power grid in December 2015 and December 2016 respectively, causing widespread blackouts. Trisis (also known as Triton) malware targeted a petrochemical plant in Saudi Arabia in 2017, compromising its safety instrumented systems (SIS) and risking a catastrophic explosion. Industroyer2, a direct successor to Industroyer, and Incontroller (also known as Pipedream), a modular toolkit aimed at PLCs and OPC UA servers, were both discovered in 2022 [2] and bring enhanced capabilities and flexibility to the earlier attack patterns.
These “Cyber-Physical Six” represent a clear trend towards more frequent, more sophisticated and more effective attacks on industry. They also demonstrate state-sponsored cyber actors' growing interest and investment in developing and deploying cyber-physical attack frameworks, especially against critical infrastructure sectors.
The 2024 risk profile of OT networks has reached a new level of extreme concern
The Cyber-Physical Six also reveal some key insights into how cyber-physical attacks have evolved and expanded over time. By looking at them together, the Honeywell Global Analysis, Research and Defense (GARD) team identified some common patterns and observations, such as:
- Broad, modular capabilities that depend heavily on command and control (C2) communications are developed first, followed by more refined implementations aimed at more specific targets
- A consistent need to penetrate the industrial network, using initial attack phases that rely on a few recurring vectors: direct network intrusion, removable media and the supply chain
- A steady increase in the overall attack surface, with each new attack bringing a net increase in cyber-physical threat capability
- A quickening pace of development, with a dwindling delay between new cyber-physical attacks.
These observations indicate that the 2024 risk profile of OT networks has reached a new level of extreme concern. Cyber-physical attacks are not only becoming more frequent and powerful but also more flexible and reusable. They are evolving from targeting specific assets to abusing OT protocols directly, which makes them adaptable to different industrial environments and scenarios. They are also expanding their viable attack surface by leveraging protocols that are common across several industries: Open Platform Communications (OPC), Modbus (a client/server data communication protocol) and IEC 61850 (an international standard defining communication protocols for intelligent electronic devices). Modbus in particular carries no authentication, so any host that can reach a controller on the network can issue valid write commands to it; the defences have to come from the network around the device rather than from the protocol.
State-sponsored cyber actors are specifically targeting critical infrastructure
Another important implication of the Cyber-Physical Six is that state-sponsored cyber actors are specifically targeting critical infrastructure and industrial systems, with the potential to cause significant physical, economic and social harm. The motives and objectives of these actors may vary, but they could include espionage, sabotage, coercion or retaliation. Some of the possible scenarios that could result from a successful cyber-physical attack include [3]:
- Large-scale power outages that affect millions of people and businesses, disrupt essential services and create public safety and security issues
- Damage or destruction of industrial equipment and facilities, resulting in production losses, environmental hazards and costly repairs or replacements
- Compromise or manipulation of safety systems, leading to hazardous conditions, injuries or fatalities.
These scenarios illustrate the potential consequences and impacts of cyber-physical attacks, which could have far-reaching and long-lasting effects on the economy. Therefore, it is imperative that critical infrastructure and industrial operators, as well as governments and regulators, take proactive and collaborative measures to enhance the resilience and security of their OT networks and assets.
How to improve protections for your OT networks and assets from cyber-physical threats
The good news is there are ways to mitigate and prevent cyber-physical threats. The GARD team suggests practical and actionable guidance on how to improve security for your OT networks and assets:
- Protect sensitive information, such as business data and process control logic, that attackers could use to plan a cyber-physical attack
- Treat cloud-based data security platforms and “beach-head” systems, which give cybersecurity and IT teams encryption, remote access control and sentinel capabilities to protect data across all device types, as potential entry points: they could themselves be compromised or used to penetrate the industrial control network
- Control outbound network traffic so that backdoors and remote access trojans cannot reach attackers’ servers
- Assume all industrial control assets are vulnerable and monitor the process itself to detect the phases of a cyber-physical attack
- Segment SIS equipment into distinct zones and control SIS-related data flows
- Design your control system for resiliency to minimize the impact of a cyber-physical incident.
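The egress-control, process-monitoring and SIS-segmentation recommendations above reduce to policy checks that can be evaluated against observed traffic. The script below is an added example written for this page, not code from the GARD report or from Honeywell: it parses the Modbus/TCP application header, flags write commands reaching an SIS controller from any host other than an allowlisted engineering workstation, and flags any OT asset opening a connection to an address outside the plant. The asset inventory, zone assignments, IP addresses, allowlist and sample frames are all constructed for illustration and are assumptions, not a real plant layout.

```python
"""Zone-policy checks over constructed OT traffic records (added example)."""
import struct
from typing import List, Optional

# Constructed asset inventory: IP -> security zone. Assumed, not a real plant.
ASSET_ZONES = {
    "10.1.0.10": "engineering",  # engineering workstation
    "10.1.0.11": "historian",
    "10.2.0.20": "control",      # basic process control PLC
    "10.3.0.30": "sis",          # safety instrumented system controller
}
# Assumed policy: only the engineering workstation may write to SIS controllers.
SIS_WRITE_ALLOWED_SOURCES = {"10.1.0.10"}
MODBUS_TCP_PORT = 502
# Modbus function codes that change process state, per the Modbus application
# protocol specification.
MODBUS_WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code of a Modbus/TCP request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU. Malformed input raises
    ValueError instead of being silently accepted.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "data": frame[8:]}


def zone_of(ip: str) -> str:
    """Addresses missing from the inventory are treated as external."""
    return ASSET_ZONES.get(ip, "external")


def check_egress(src: str, dst: str) -> Optional[str]:
    """Outbound control: no OT asset should initiate a connection to an external
    host, so a C2 beacon or reverse shell shows up as a zone -> external flow."""
    if zone_of(src) != "external" and zone_of(dst) == "external":
        return f"EGRESS: {src} ({zone_of(src)}) -> {dst} (external)"
    return None


def check_sis_write(src: str, dst: str, dst_port: int, payload: bytes) -> Optional[str]:
    """SIS segmentation: flag Modbus writes into the SIS zone from non-allowlisted hosts."""
    if zone_of(dst) != "sis" or dst_port != MODBUS_TCP_PORT:
        return None
    try:
        pdu = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"MALFORMED: {src} -> {dst}: {exc}"
    fc = pdu["function_code"]
    if fc in MODBUS_WRITE_FUNCTIONS and src not in SIS_WRITE_ALLOWED_SOURCES:
        return (f"SIS-WRITE: {src} ({zone_of(src)}) -> {dst} unit {pdu['unit_id']}: "
                f"{MODBUS_WRITE_FUNCTIONS[fc]} (fc 0x{fc:02X})")
    return None


def analyze(records) -> List[str]:
    """Run both checks over (src, dst, dst_port, payload) records; return alerts in order."""
    alerts = []
    for src, dst, dst_port, payload in records:
        for alert in (check_egress(src, dst), check_sis_write(src, dst, dst_port, payload)):
            if alert:
                alerts.append(alert)
    return alerts


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Build a Write Single Register (0x06) request; used here only to construct samples."""
    pdu = struct.pack(">BHH", 0x06, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not captured from any real network.
SAMPLE_RECORDS = [
    # engineering workstation writes a setpoint to the SIS controller: allowed
    ("10.1.0.10", "10.3.0.30", 502, write_single_register(1, 1, 0x0010, 1)),
    # control PLC writes to the SIS controller: cross-zone write, flagged
    ("10.2.0.20", "10.3.0.30", 502, write_single_register(2, 1, 0x0010, 0)),
    # historian reads holding registers (fc 0x03) from the SIS controller: ignored
    ("10.1.0.11", "10.3.0.30", 502, struct.pack(">HHHBBHH", 3, 0, 6, 1, 0x03, 0, 8)),
    # control PLC beacons to an unknown address: egress violation
    ("10.2.0.20", "203.0.113.7", 443, b""),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_RECORDS):
        print(line)
```

Because Modbus has no authentication, the source address is the only attribute the check can enforce on. That is why SIS segmentation has to be enforced at the zone boundary (firewall, data diode or unidirectional gateway) rather than expected from the protocol, and why the inventory behind the zone table must be kept accurate: an unknown device is treated as external here, which is the safe default for both checks.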
Following these recommendations can help improve your OT cybersecurity posture and reduce your exposure to cyber-physical threats. However, cybersecurity is not a one-time effort but a continuous process that requires constant vigilance, adaptation and collaboration. Therefore, it is also important to stay informed and updated on the latest developments and trends in the cyber-physical threat landscape and to leverage the expertise and resources of trusted partners and providers.
You can download the full report to learn more about the Cyber-Physical Six and how to protect your OT networks and assets from cyber-physical threats.
[1] Stuxnet: The world's first cyber weapon, CISAC, Stanford University, Feb 3, 2015. https://cisac.fsi.stanford.edu/news/stuxnet#:~:text=Stuxnet%20was%20the%20name%20given,2010%20by%20computer%20security%20researchers.
[2] Industroyer2 Malware Attack: Vigilance needed on ICS Networks, SCADAfence, April 14, 2022. https://blog.scadafence.com/industroyer2-attack
[3] Critical infrastructure may be the subject of disruptive cyberattacks, Security Magazine, March 7, 2024. https://www.securitymagazine.com/articles/100543-critical-infrastructure-may-be-the-subject-of-disruptive-cyberattacks#:~:text=State%2Dsponsored%20actors%2C%20like%20those,vulnerabilities%20to%20extort%20large%20sums.