Let’s Get Physical: How Kinetic Cyber Attacks Can Crush Your Company
Shortly before sunset on December 23, 2015, workers at the Prykarpattyaoblenergo control center, a power distribution company in western Ukraine, were wrapping up their shift. One operator was organizing papers at his desk, getting ready to head home for the day, when he noticed something strange: the cursor on his computer was moving — on its own.
The cursor began navigating toward buttons that controlled circuit breakers. With a couple of clicks, one substation was taken offline. The operator lunged for his mouse, frantically trying to regain control of the cursor, but it was unresponsive. Soon thereafter, the machine logged him out of the control panel. The operator tried to log back in, but couldn’t gain re-entry; his password had been changed. All he could do was watch in horror as the malicious phantom that had taken control of his machine systematically opened breakers one by one, ultimately knocking some 30 substations offline. The attackers simultaneously struck two other Ukrainian energy distribution companies, doubling the damage.
“It was illogical and chaotic,” one electric control center manager told CBS News. “It seemed like something in a Hollywood movie.”
Ultimately, the cyber attack cut electricity to nearly a quarter million customers. Thousands of Ukrainian businesses and households were plunged into darkness for six hours. This incident marked an important milestone: it was the first successful cyber attack on a power grid. A new era of cyber threats had officially begun.
A New Era of Cyber Threats
We tend to think of cyber incidents as episodes that play out solely in the digital domain. When we talk about cyber attacks, we generally discuss things like websites being taken down or data being destroyed. But as the Ukrainian power grid attack demonstrates, breaches can also cause direct, physical damage.
Kinetic cyber attacks used to be relatively rare, yet they are becoming increasingly common. In 2008, a Polish teenager breached a tram system with a homemade transmitter. Four cars were derailed, injuring 12 people. In 2014, hackers caused massive damage to a German steel mill. Perhaps the most famous example of a physical cyber attack is the 2010 “Stuxnet” virus. This attack, believed to have been orchestrated by the United States and Israeli governments, involved planting a computer worm in Iran’s nuclear reactors, causing their centrifuges to self-destruct.
It’s not just critical infrastructure that’s coming under attack. Consumer products are also being targeted, with potentially devastating consequences. In 2015, a video demonstrating how a Jeep could be hacked remotely over Wi-Fi went viral. The attackers were able to cut the car’s brakes, shut down the engine, and take control of the steering wheel. Shortly thereafter, Chrysler recalled 1.4 million vehicles for a software update.
Medical devices are also becoming top targets for hackers. In recent years, numerous vulnerabilities have been uncovered in a wide range of life-saving devices — from insulin pumps to computers supporting surgery. Dick Cheney’s doctors famously disabled the Wi-Fi functionality on the former Vice President’s pacemaker due to fears that the device might be hacked in an assassination attempt.
These examples are just the tip of the iceberg. As the Internet of Things continues to expand, connecting an ever-greater number of gadgets and systems to the web, the frightening possibilities of physical cyber attacks appear limitless.
What Can Companies Do?
Physical cyber attacks can sometimes seem like the stuff of science fiction. But the future has arrived; the risks are all too real. Here are a few steps companies can take to keep themselves safe from these emerging threats.
1. Keep abreast of current events.
Kinetic cyber attacks are fairly sophisticated, and thus are often carried out by nation states. You might not think that complex geopolitical conflicts have anything to do with your business. But if you’re not careful, your company can easily get caught in the crosshairs. Globalization and technological change have created an increasingly interconnected world. Cyber attacks that happen in Ukraine no longer necessarily stay in Ukraine. That’s why you need to be on top of the news cycle and anticipate how global events can potentially affect your organization.
2. Incorporate kinetic cyber attacks into your incident response plan and tabletop exercises.
Cyber attacks can come in many forms and have different kinds of associated risks — financial, strategic, operational, etc. None of these risk categories can be overlooked, and that includes physical risk. In order to successfully respond to kinetic cyber attacks, your organization needs to prepare. That means integrating physical attack scenarios into your preparation efforts.
3. Carefully map your organization’s IoT connections.
A growing number of office devices are being connected to the internet — including everything from closed-circuit cameras to coffee machines. These gadgets can be weaponized in unexpected ways. Don’t take security on any device for granted. Make sure you account for your organization’s entire attack surface.
We’re Here to Help
If you want more information on understanding cyber risk from the executive perspective and on ensuring your team can safeguard your organization from the physical impacts of cyber attacks, be sure to check out our Resolve program. Explore how our Cyber Risk Seminars, Deep-Dive Executive Cybersecurity Sessions, and Tabletop Exercises can help your organization reduce its kinetic risks.