By Jeff Welgan, Head of Executive Training Programs, N2K
This is the sixth post in a six part series about cybersecurity risk. Each week we discuss a different category of enterprise risk and how cybersecurity impacts those risks at the board and executive level. This week we focus on Physical Risk, represented by the nature disaster of an earthquake. Use the links below to access the other articles in the series:
Part One – Introduction
Part Two – Financial Risk
Part Three – Compliance Risk
Part Four – Strategic Risk
Part Five – Operational Risk
Physical Risk: The Volcanoes of Cyber Disasters
Physical security doesn’t always come to mind during a discussion of cyber security. But physical security and cybersecurity are intertwined and their bond is tightening. Across many industries, IT systems are instrumental for operating physical processes. The technical solutions are intended to simplify complex processes, increase efficiency and accuracy, and allow for mass production. For example, software programs are increasingly responsible for ensuring that assembly lines, oil rigs, pipelines, medical devices, and power grids remain operational.
Since these operations are so dependent on IT solutions, a cyber incident can cause significant damage to important physical systems, resulting in lost productivity or costly damages. The consequences of physical risk produce material effects that threaten valuable assets, including equipment, buildings, and people. Like volcanoes, these events are rare, but destructive.
A Disaster with Unique Destructive Power
In 2008, a Turkish pipeline erupted into flames. Residents reported that the heat from the blaze could be felt from half a mile away, while the sound of the blast was heard from even further afield. The Turkish government claimed that the pipeline control systems had malfunctioned, but intelligence analysis later revealed that a cyber attack was the root cause of the blast. Hackers, likely Russian State sponsored, infiltrated systems at a valve station, disabled alarm settings, and issued commands that increased pressure in the pipeline, causing the massive explosion. Luckily, no bystanders were harmed, but the event was dangerous, costly, and a dramatic reminder of how cyber attacks can affect the physical world.
Stuxnet, the Vesuvius of Cyber Attacks
In our post on Strategic Risk, we promised that Stuxnet would make a later appearance. The most extensive physical damage caused by a cyberattack was caused by Stuxnet, a malicious, and now infamous, computer worm reportedly developed by American and Israeli intelligence agencies. Beginning in 2009 and continuing until 2012, Stuxnet aimed to sabotage Iran’s nuclear program by targeting the country’s nuclear centrifuges. For years, the cyber weapon covertly gathered intelligence about Iran’s nuclear program, compromised the programmable logic controllers (PLC’s) that operated centrifuges and gained control of the equipment responsible for enriching nuclear fuel. After compromising the PLC’s, the worm issued commands that increased the rotational speed of a site’s centrifuges, causing them to spin out of control and destroy themselves. Over the course of a few years, Stuxnet destroyed an estimated 20% of Iran’s nuclear centrifuges.
The swift and visible effects of volcanoes are startling, but even greater damage often results from the effect of the eruption, including long-term environmental damage. Cyber attacks on physical infrastructure can produce similar post-incident effects.
Since the use of Stuxnet on Iran’s nuclear facility, governments and hacker groups have adapted and reused Stuxnet’s code on more unsuspecting targets, causing the physical effects of the incident to ripple ever further. Variants of the worm have infected systems in Israel, Palestine, Saudi Arabia, Egypt, Sudan, and even parts of Europe and North America. Most infamously, as we explain in our Operational Risk post, hackers in 2012 used components of Stuxnet to launch a cyber attack on Saudi Aramco which rendered more than 30,000 computers useless.
The Ukraine Power Grid
Cyber attacks can even produce physical effects that cause normal life to come to a grinding halt. In December 2015, hackers rumored to be backed by Russia demonstrated the far-reaching effects of cyber attacks by cutting off power for thousands. The perpetrators infiltrated the systems of three Ukrainian power distribution centers, locked operators out of their workstations, and opened circuit breakers to shut down 30 substations. Via computers, these nefarious actors took down a power grid and left more than 230,000 Ukrainians in the dark for hours. Even several months later, the compromised distribution centers were still recovering from the attack.
The event was an astonishing sign of the physical risk and implications of cyber attacks. However, more seriously, the attack was a warning for other countries. The power grid was not a disaster waiting to happen. Instead, the grid was fairly well defended against potential cyber threats due to network segmentation and strong firewalls. The successful downfall of a thoughtful defense suggests such cyber volcanoes could potentially strike major cities near and far.
The good news is that strategies for managing all types of cyber disasters will allow you to avoid the worrisome threats of the present and near future. Understanding threats, vulnerabilities, and impacts, researching cybersecurity regulations and frameworks, and preparing responses to future incidents will address financial, compliance, strategic, and operational risk in addition to physical dangers. Overall, it is crucial to remember that good cybersecurity is no longer a matter of simply protecting your company’s bottom-line. Poor security can precipitate eruptions that endanger your employees, customers, and the world at large.
Physical risk was our fifth and final risk area. Stay tuned for next week’s post as we reflect on what we learned over the last few weeks.