Cyber-Physical Attacks Are Already a Reality
In March 2019, a DDoS attack impacted the operations of an electric utility company. More recently, an attack against a water processing plant in Florida in February 2021 allowed attackers to change the mixture of chemicals in the water, essentially changing it to lye. If the attack had not been detected by a worker and subsequently reversed, it could have badly sickened anyone who drank it.
These attacks on public utilities are not the only way in which cyberattacks can affect the physical world. Another prime example is the healthcare sector. In 2020, 560 healthcare providers were the victims of ransomware attacks, degrading their ability to provide crucial services during the COVID-19 pandemic. Cyber threats can have more personal impacts as well, as demonstrated by pacemaker vulnerabilities that can allow the installation of malware that delivers life-threatening shocks or ransomware that forces patients to pay up or risk having their pacemaker shut down.
Identifying the Risks of Your Internet-Connected Systems
In the critical infrastructure and healthcare sectors, the overlap between cybersecurity and the physical world is easy to see. However, as businesses become more reliant on Internet-connected systems, the physical risks of cyber threats will continue to grow. Some examples of Internet-connected systems in the modern office that pose physical threats include:
- Operational Technology: Devices that interact with the physical environment (industrial control systems, fire control systems, access management systems, etc.) or that control such systems, and that are accessible from the network or public Internet.
- Door Locks: Smart door locks could be compromised by an attacker. If no physical override exists, this could lock people in or out.
- Thermostats: Internet-connected thermostats allow a building’s internal temperature to be controlled remotely. This could be used to cause illness to residents or potentially start a fire by overheating machinery.
While many organizations do not operate critical infrastructure or medical facilities, or have OT systems on their networks, Internet-connected door locks, thermostats and other Internet of Things (IoT) devices are common in the modern office. These smart devices are convenient, but they also pose both cyber and physical threats to an organization.