It has been years since I started talking about cyber risk to physical systems, and when I first started banging this particular drum I was met with a mixture of disbelief, disinterest and bemusement virtually everywhere I spoke, writes Mike Gillespie, of Advent IM.
It was very heartening to see this topic rise in prominence at events recently, and I have found myself addressing physical security, facility management and counter-terror audiences this year on this very real threat to our security. The growing awareness of the need to understand cyber threat across organisations and functions is reassuring, and it comes not a minute too late.
The RSA conference in February included a showcase of new ransomware (extortion malware that locks owners or users out of their files or systems and demands payment to restore access) built specifically for physical systems. If you think about that, it is the epitome of what I was most concerned about: a risk to physical life, from cyberspace. Now, I am the first to agree that scaremongering and marketing by fear is a bad move and, generally speaking, counterproductive. But at the start of 2016 we predicted the rise of ransomware and the probable infection of the NHS, and we were accused of scaremongering. Some things you don’t want to be right about.
Where this leaves us, in reality, is behind the curve. Because of a reluctance to get behind the idea of cyber securing physical systems and assets, criminals have made hay while the sun shone, and now they can attack these systems as ‘low hanging fruit’: systems that are less secure and easier to penetrate. Once they have gained access, they may choose to disable the system, rendering it inaccessible (a kind of physical denial of service, if you will). Or they may choose to creep quietly through connected networks once they have established the inroad, laying down command and control to enable further, more complex and potentially harmful activity.
Let’s look at some scenarios. What if attackers managed to get access to, let’s say, a surveillance camera system with ransomware? That is what happened in Washington DC, when 75pc of the DVRs were hit by ransomware four days before the Trump inauguration [featured in the March 2017 print issue of Professional Security magazine, ‘Who wanted to hit Trump’s big day’]. The attackers could deny access to the system or the recordings until the ransom was paid; during that time, criminal activity in the physical space could be missed and criminals could evade justice. This could even have been the intent, with the ransom merely a distraction from the real crime. People could be harmed, property stolen or damaged, or perhaps even terrorist activity planned or executed in this period of unavailability. Of course, it could equally be a solely financially motivated crime of the kind we see coming out of organised crime syndicates so frequently. They use ransomware to generate cash for other activities, and sometimes for terrorist funding. Organised crime groups care nothing for where their malware ends up; they care only about getting the pay-day.
It is also worth considering other serious implications of attacking a physical system. If you take control of a building’s air quality or temperature, you could make the building too uncomfortable to use, or even lock people in or out, as we saw in a ransomware attack on a hotel key-card system. In that case it locked guests out of their rooms by invalidating the coding on the key cards, though this was misreported in some places as the occupants being locked in rather than out. If a criminal group were able to ransom an entire building of people from the other side of the world, they might well consider it less of a risk, and more likely to pay out, than simply ransoming a system.
Back in 2010 we were dealing with Stuxnet, a worm-borne cyber weapon that attacked Programmable Logic Controllers (PLCs) in industrial systems, altering their programs to subvert their function. The conference in February revealed that PLCs are now targets of new malware, including ransomware, so we can start to see industrial systems also at risk of being held captive or made unavailable, as Ukraine experienced with the attacks on its power grid in December 2015 and December 2016.
So developments on the criminal side have moved quickly and, as security professionals, we are playing catch-up. Organisations may not have risk assessed the cyber side of the systems or applications they are using, because those systems are not viewed as ‘cyber’ despite being network- or web-enabled. That being the case, they cannot genuinely know whether the use of these systems is within their risk tolerance and appetite. They may then also have little or no idea of the lifecycle of these systems. This was well demonstrated by the kinds of systems impacted by the NHS ransomware spread: imaging systems and other systems built on Windows XP, an end-of-life operating system whose support from Microsoft ended in April 2014 and which therefore no longer receives routine security updates and patching.
So despite these systems being vulnerable, networked, unpatched and therefore open to infection, the fact that they still worked was the main consideration: the systems were viewed as fit for purpose and consequently their practical end of life did not appear to be on the horizon. It would appear that the cost of managing systems through their lifecycle is not always taken into consideration when budgeting for the system at the outset. This needs to change if we are to protect our systems and our organisations from attack, whether direct or through connected systems or organisations. We need to know that we can effectively secure them for their entire lifecycle, and that this is already costed.
The challenge is on. If we look at the systems still in use, for instance with a glance at the Norse attack map (http://map.norsecorp.com/#/), we can see that legacy systems remain in service and are high on the exploitable list, with thousands of them under attack every day. The National Cyber Security Strategy explained that 99pc of system exploits are exploiting a vulnerability that is over a year old. So it would appear that we are challenged not only by the level of legacy systems in place but also by our ability to keep abreast of the threat landscape and deal with known vulnerabilities. This may be because these systems are not in scope for IT security attention, because they were not costed with the whole lifecycle included, or simply because of a lack of awareness. Whatever the reasons, we need to change the way we secure these physical or non-standard systems going forward if we are to avoid another WannaCrypt-style meltdown.