Kinetic Cyber How Physical Security intersects with Cyber Security

The Stuxnet attack was carried out by the United States in 2010 to cripple Iran's nuclear ambitions. Its aim was to rip the centrifuges at Natanz nuclear enrichment facility apart. Stuxnet was so successful that Iran's nuclear program was delayed by at least a decade.

In May 2017, the WannaCry ransomware attack paralyzed the NHS in the UK, causing massive inconvenience to patients.

Cyber-Physical Systems (CPSes). They're A Part of Our Reality

The broader public has somehow become immune to the word 'cyberattack'. Most read about data stolen from Yahoo or Marriott and turn the page – thinking that it is just another hacker in Romania who now knows their name, phone number, and address.

Reality is far more insidious.

The overlap between cybersecurity and physical security is of the utmost significance and has to be integrated into the redefined threat matrix.

Much of our life has come to depend on Cyber-Physical Systems (CPS).

It seems that the 2007 film Live Free or Die Hard was quite prophetic. We have yet to reach that level of vulnerability, but do we really know.

Take the power grid, for example. In December 2015, the power grid of Ukraine was taken offline for several days in the first known cyberattack of a public utility. It was attributed to a Russian hacker group known as Sandstorm.

In March of 2019, there was a cyberattack on power grids in the western USA, but no consumers were affected, and the details of the attack remain classified.

We do not know which other attacks have been kept from the public eye, but it is safe to assume that we are gravely threatened.

The reason for this is the overreliance on computers (the term computer here means any type of programmable circuit with a CPU that executes programs) that open and close valves in power plants, switch railway tracks, and runs entire chemical plants.

This change has happened due to the need to cut down on labor costs but has opened up much of our lives to disruptions.

In 2007, the former Vice President of USA, Dick Cheney took the unusual step of having the wireless accessibility to his pacemaker removed. He was afraid that his heart could be hacked. It turns out that his fear was genuine, as demonstrated by Barnaby Jack, an ethical hacker in 2012.

According to cyber security expert Sam Tilston, the CEO ofAwesome Resources - "as CPSes based equipment becomes more prevalent with driverless cars and IoT devices that control every aspect of your life become mainstream, there is a pressing need to understand the enormous overlap between cyber and physical security."

Why The Rise in Kinetic Cyber Attacks

Why is it so difficult to defend against? It is due to legacy systems. Entirely new systems are rarely available in the real-world unless the entire installation is brand new.

The WannaCry attack succeeded in derailing numerous hospitals in the UK because the NHS still used Windows XP.

Why are legacy systems still in use? Because it meant not only do computers have to be replaced, but all programs and IT systems have to be upgraded to use a newer OS.

This poses a problem since a completely new reworked code is never written. Instead, modules added to the older system to keep it alive, much like fastening a new engine to an old car to meet emission standards.

An example, the Boeing 737 Max imbroglio that has till now caused two crashes, death of 346 people, and loss of at least $10 billion for Boeing was caused due to new software called MCAS that was supposed to be "smart" and prevent the aircraft from stalling.

But the "smart" program sat atop a flight computer run using code that was three decades old. This was done to keep retraining of pilots flying older versions of 737 to a minimum. This is an example of a legacy system at its worst and such lines of codes are everywhere around us.

As hackers discover more backdoor exploits, there is a rise in kinetic cyber attacks. Also, with the US attack on Iran through Stuxnet, the use of malicious code by a state for causing mayhem is akin to a Pandora's box that has been opened.

Hacking is now an official tool of foreign policy. Governments are pouring in massive sums of money developing tools to attack other nations.

Addressing The Updated Kinetic Cyber Threat Matrix

To be honest, there is no fixed protocol yet about the problem. It is like a new virus that has been isolated and being studied to develop a vaccine (quite literally). There is also a lot of denial about the possibility of such a dystopian event ever occurring.

Traditional cybersecurity has focused on protecting information. To that end, it depends to no small extent on firewalls and encryption. However, that does not work with protecting devices, sensors, valves, switches that run everything from an insulin pump to an airport.

Embedded software in IoT is not yet capable of handling a firewall since it both slows down the speed with which information is exchanged and also slows down the CPU.

One of the possible ways is to delay deployment of such devices till such time that CPUs are even more powerful, but that does not seem to be very likely in the given scenario that is intent on driving innovation.

The only possible way now is to introduce an air-gap between critical systems and the broader internet. However, this is easier said than done. A medical attendant who decides to charge a phone using a USB port of a desktop connected to the hospital mainframe could introduce malware unknowingly. In fact, the Stuxnet attack had been executed similarly.

Besides an air-gap, the use of traditional cybersecurity to scan all of the software is the only viable option available presently.

Nevertheless, there are so many layers to protect – device firmware, OS, programs, cloud hosting, remote access – that guarding is tedious.

The constant growth in the adoption of CPSes has to be viewed as something that can not only cause good but also harm.

Hopefully, strategies and technology would be devised soon to help protect Cyber-Physical Systems wholly.