Wednesday, October 16, 2024

How to Keep Cyber Threats Out of the Physical World and What Business Thinking Has to Do With It


Cyberattacks now pose not only an informational but also a physical threat. Together with Kaspersky Lab, we look at how such risks can be reduced and why businesses still fail to do so.

Threats move into the physical world

Cybersecurity risks for businesses are growing not only because hackers are launching more and more attacks, and the attacks themselves are becoming more sophisticated. It’s about convergence: threats are flowing from the digital to the physical world. If before, attackers could steal money, data, or encrypt information, now they can speed up a car, turn on or reprogram a machine, or interfere with the operation of an entire industrial facility.

This is confirmed by statistics on companies attacked in 2023. Victims of cybercrimes committed in the first half of the year reported physical consequences in only 18% of cases; in the second half of the year, that share more than doubled, to 37.5%, continuing a trend observed for several years. Such attacks lead to production shutdowns or disruptions in product deliveries, and in some cases to losses of hundreds of millions of dollars and the closure of businesses. Cybercriminals are also increasingly choosing large organizations that can pay a large ransom.

How hackers attacked physical infrastructure

2024

Eastern European hacker group Lifting Zmiy attacked Russian IT companies through servers that control elevators in the entrances. Although no attacks on the elevators themselves were recorded, the vulnerability that the hackers used allowed them to gain control over the equipment.

2023

A cyberattack paralyzed up to 70% of petrol stations in Iraq. The pro-Israeli group Gonjeshke Darande (Predatory Sparrow) claimed responsibility for it.

Residents of a district on the west coast of Ireland were left without water for two days after an Iranian-backed hacking group attacked parts of Unitronics equipment. The equipment is made in Israel and is used in water and wastewater systems around the world.

2022

The attackers gained access to equipment in an agrohub near Moscow and tried to spoil 40 thousand tons of frozen products. Using an industrial controller that controlled refrigeration units and was connected to the Internet, they changed the temperature from -24°C to +30°C.

A cyberattack caused a fire at a steel plant in Iran when molten metal spilled in one of the workshops. Hackers allegedly managed to hack into the automated process control system (APCS).

The list of potentially vulnerable companies is expanding along with the scale of digitalization and the spread of the Internet of Things (IoT), including the industrial (IIoT). Many industrial systems are becoming accessible via the Internet, and this is one of the easiest ways for hackers to penetrate.

In 2020, the number of IoT connections in the world exceeded all other connections. By 2027, IoT Analytics expects there to be more than 29 billion IoT connections worldwide — mostly via Wi-Fi, Bluetooth, and cellular standards, including the emerging 5G. “A single weak link — such as a compromised IoT device — can compromise the security of the entire network,” warn experts at the World Economic Forum.

Alexey Matyushin, Senior Information Security Analyst, Secure Platform Development, Kaspersky Lab: “The flow of threats from the information to the material environment is noticeable in literally all areas. The most obvious of them is the Industrial Internet of Things (IIoT). There, the convergence of IT and OT (operational tech), that is, IT and industrial systems, is happening, as they say, by definition. Although the usual IoT has also begun to generate significant risks.

Smart home, city and manufacturing systems hide many dangers that are not yet widely discussed. In my opinion, judging by the range of attacks on converged systems, neither businesses nor attackers fully understand the situation they are in. Personally, I am convinced that the criminal world is currently figuring out what to do with this huge and very rich field of activity – IoT/IIoT – and is conducting a kind of “reconnaissance of deposits”. This is evidenced by the growing demand for IoT vulnerabilities on the darknet.

Attackers may soon master new directions and methods of attacking convergent systems. And then the number of such cybercrimes will grow exponentially – in particular, we may be talking about attacks through industrial controllers.”

The software is vulnerable and is not updated

The low level of protection of the IoT environment is largely due to outdated software and a lack of full vendor support. By the beginning of 2023, the firmware of the average IoT device was six years out of date, Phosphorus Cybersecurity found. At the same time, 28% of businesses say that it is impossible to install patches. Among the reasons are the absence of updates after vendors have left the market and the lack of in-house competencies.

Sometimes it is impossible to install a system update at all. For example, if it requires replacing specialized software (such as SCADA systems for dispatch control and data collection), which in turn requires upgrading the equipment. As a result, there are still “antiquities” in production facilities, including technological processes controlled by MS DOS.

Problems also arise with new software. Some of the products that replaced solutions from vendors that left Russia contain errors and vulnerabilities that are easily exploited by both cybercriminals and hacker activists.

Elements of IoT and especially IIoT are used in innovative projects that have special security requirements due to their convergence, i.e. the merger of IT and OT. And the lack of suitable security tools is becoming one of the main obstacles for businesses on the path to implementing the Internet of Things.

Alexey Matyushin: “Until recently, information security services paid special attention to corporate protection perimeters. But in the operation of IT systems in the corporate sector, there has already been a mass transition to systems in the Zero Trust concept.

The basic idea of this concept is simple. If we draw an analogy with states, perimeter protection is a check at the border, after which you are weakly controlled. And in the Zero Trust paradigm, no one trusts anyone: there are no strict checks at the border, but you will be checked at the entrance to every restaurant and every hairdresser. Instead of one large perimeter of protection, many microperimeters are formed; instead of a large attack surface, we care about small surfaces of protection.

Buying external protection tools for each of the many microperimeters is expensive. And in IoT/IIoT, everything is even more complicated: how to protect each controller, gateway, sensor, or, for example, camera, which do not always work under Windows or Linux OS, and often do not have a dedicated system layer in the form of an operating system?

We promote a cyber-immune approach to software development, this is our practical methodology in the Secure by Design ideology. This approach is conceptually close to Zero Trust, only it is not about protecting finished software products during operation, but about their own internal structure, about their development.

In a cyber-immune product, every element is isolated and every interaction is strictly controlled.”
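One way to model the idea just described, that components are isolated and every interaction between them is mediated, is a small reference monitor. This is an added example and not Kaspersky's code or KasperskyOS: it allow-lists which component may send which operation to which other component, denies everything else by default, and additionally range-checks refrigeration setpoints like the one altered in the 2022 agrohub incident. The component names, the policy and the safe temperature band are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    src: str                      # sending component
    dst: str                      # receiving component
    op: str                       # operation requested
    value: Optional[float] = None  # payload, e.g. a setpoint in degrees C


# Allow-list of permitted interactions (src, dst, op); assumed for this example.
# Anything not listed is denied by default, in the Zero Trust spirit: the
# network gateway may only *request* a setpoint, never write the actuator.
POLICY = {
    ("network_gw", "control_logic", "request_setpoint"),
    ("control_logic", "refrigeration", "set_temperature"),
    ("refrigeration", "control_logic", "report_temperature"),
}

# Assumed safe setpoint band for a frozen-goods store, in degrees Celsius.
SAFE_RANGE_C = (-30.0, -18.0)


class SecurityMonitor:
    """Mediates every inter-component message; components cannot talk directly."""

    def __init__(self) -> None:
        self.audit: list = []  # (verdict, src, dst, op) for every message seen

    def check(self, msg: Message) -> bool:
        verdict = "ALLOW"
        if (msg.src, msg.dst, msg.op) not in POLICY:
            verdict = "DENY_POLICY"          # interaction not in the allow-list
        elif msg.op == "set_temperature":
            lo, hi = SAFE_RANGE_C
            if msg.value is None or not lo <= msg.value <= hi:
                verdict = "DENY_RANGE"       # physically unsafe command
        self.audit.append((verdict, msg.src, msg.dst, msg.op))
        return verdict == "ALLOW"


def run_scenario() -> list:
    """Three constructed messages: a direct actuator write from the network
    gateway, an out-of-range setpoint from the controller, and a valid one."""
    mon = SecurityMonitor()
    msgs = [
        Message("network_gw", "refrigeration", "set_temperature", 30.0),
        Message("control_logic", "refrigeration", "set_temperature", 30.0),
        Message("control_logic", "refrigeration", "set_temperature", -24.0),
    ]
    return [mon.check(m) for m in msgs]  # -> [False, False, True]
```

The audit list is what a defender would forward to monitoring: a DENY_POLICY entry from the network gateway to an actuator is itself a detection signal.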

It is difficult for businesses to set security goals

In some applied areas, security regulations have already been established. For example, there are security requirements for critical information infrastructure (CII) facilities, avionics, automobiles, and so on. For CII, the law specifies the principles of ensuring information security and its assessment, and the specifics of control and interaction with government systems. The aircraft industry has its own set of industry standards, and the automobile industry has its own, but in both cases attention is focused on physical safety rather than cybersecurity. At the same time, not everyone appreciates the share of software in the cost of developing, for example, an airplane: for a civilian aircraft this share reaches 50%, and for a military one 60%.

Alexey Matyushin: “There are several problems with setting tasks in areas where there is no strict security regulation, but there is an objective need for it – for example, in IoT/IIoT.

Often, customers do not set security tasks for developers, considering it self-evident. However, developers are not inclined to solve tasks that no one has set. They are not paid for this, but for the implementation of functionality.

Even if the customer is concerned about security, they often shift the responsibility for requirements to the developer, setting the task as “make everything safe”. This assumes that the developer has the appropriate competencies. But if you do not solve a certain type of problem on a regular basis, where will you get the appropriate competencies? And where will the regular basis come from, if problems are usually not set at all?

In addition, with such a formulation of the task there are no criteria for its implementation. As a result, it is unclear how necessary and sufficient the implemented protection measures are and how well they are implemented.

Another serious problem is non-mandatory nature. Security requirements, even if they are formulated, have been and are still non-functional requirements (NFR). To be honest, for a developer this sounds like “non-mandatory”.

As a result, security tasks are either not solved at all, or are solved locally, superficially, often poorly, or external means of protection are applied to the finished product. Because the task cannot be solved better than it was set.”

You can think about security earlier

An alternative approach to security is the Shift Left principle. When applied to development, it means “let’s think about it earlier.” That is, you need to formulate security requirements from the very beginning and develop the product architecture and design taking them into account.

In this case, product security is not considered as an optional add-on, but as a mandatory part of the architecture. If you adhere to the Shift Left principle, there is a fundamental opportunity to create software in the Secure by Design (SbD) paradigm, in Russian – structurally secure.

However, the Shift Left principle and, accordingly, the Secure by Design paradigm are not yet widely used in software development.

Firstly, companies do not fully understand what Secure by Design is in practice, what exactly needs to be done. Creating a product in this paradigm without the appropriate methodology is difficult – it is like applying the Agile philosophy without the Scrum or Kanban methodologies.

Secondly, developing structurally secure products is more expensive and takes more time. Although it minimizes the amount of expertise and additional costs needed to maintain and support the software.

Alexey Matyushin: “Companies have become accustomed to putting up with a certain number of security incidents – this is the established business mindset. Although in many other areas, product security is one of its main functions. You wouldn’t buy, say, household appliances that are known to cause a short circuit and fire, would you? Why is it considered that millions of cyber incidents per year are the norm? We don’t consider millions of fires per year to be the norm.

You can reduce the number of incidents if you think about security at the stage of software development (Shift Left) and make them secure by design. We create our own cyber-immune products, hone and promote the cyber-immune approach. We are building a methodology in which the developer and business do not need super-competence in cybersecurity. It is enough to take clear steps in the right order at each stage of work, at each level of competence – customer, developer, tester.”

Kaspersky Lab compared the costs of conventional and structurally secure solutions using the example of a cyber-immune thin client (a compact, low-power computer that hands all or most information processing over to the server). According to the company’s calculations, the total cost of ownership (TCO) of this SbD product over three years of operating 1,000 devices is reduced by 33%. This is due to lower costs for deployment in the infrastructure, administration and operating system updates, and to the fact that there is no need to purchase bolt-on (“imposed”) security tools.

The company notes that the choice between external (imposed) security systems and investments in structurally safe products is determined by economics and other objective conditions.

There are situations when regular software updates and support on the entire fleet of devices are economically acceptable and technically feasible. And if the cost of a single incident is also acceptable, and the imposed protection systems basically solve the problems, then their use is an acceptable and even reasonable choice.

Investments in creating structurally secure products are justified under certain conditions. If a company is geographically distributed, employs several tens of thousands of people and has no means of centralized software updates, then patching its vulnerabilities is expensive and time-consuming. To update all workstations in an acceptable time, a huge number of IT specialists will be needed.

There are frequent situations when the devices on which the software runs are physically inaccessible or located at geographically distributed sites – gas station networks, pipelines, territorial branches of the company.

Finally, for the cyber-physical world, even a single (first) incident is often unacceptable: the damage is too great or unpredictable. Here, the traditional “incident – investigation – countermeasure” scheme is not suitable. In all these situations, software that is structurally secure and more resistant to threats is needed.
