The Physical Impact of Cybersecurity

Pipes, plumbing, electrical... all of it is at risk. With artificial intelligence (AI) quickly finding its way into the hands of hackers, the era of the cyber-physical approach to cybersecurity may soon be upon us. Professor Stuart Madnick has studied this subject for decades. He’s an MIT PhD and co-founder of Cybersecurity at MIT Sloan (CAMS). Madnick recently explained the consequences we may be facing in a 2023 NBC interview.

“If you cause a power plant to stop from a typical cyberattack, it will be back up and online pretty quickly, but if hackers cause it to explode or burn down, you are not back online a day or two later; it will be weeks and months.”

Madnick and his team have demonstrated the new breed of cyber threat we may soon experience more frequently in the relatively safe confines of their MIT laboratory. Explosions, pump seizures, and temperature monitor failures are just a few of the malfunctions created by hacking into simulated infrastructure. “The only thing really keeping bad things from happening is there is not sufficient motivation,” says Madnick. But this could be changing as well. Ransomware attacks aimed at infrastructure provide a prime opportunity for lone hackers or nation-states to profit from the physical impacts of cybersecurity.

Attacks on infrastructure and their lengthy consequences

Global events can shake the foundations of cybersecurity and drive threat actors to create malicious campaigns based on these situations. International conflicts and political tensions make ideal breeding grounds for cyber schemes. For example, the COVID-19 pandemic coincided with direct attacks on infrastructure that resulted in disruptions of necessary utility services, such as electricity, city resources, and oil & gas pipelines.

In December of 2020, the SolarWinds fiasco made headlines as one of the most sophisticated cyber attacks in modern times. Numerous U.S.-based Fortune 500 companies and sectors of government (including the Department of Homeland Security) were breached. This red flag highlighted critical weaknesses in the infrastructure cybersecurity of the United States. Even today, we don’t yet know the full extent of its scope and damage.

The Colonial Pipeline Cyberattack in 2021 was yet another example of the vulnerability of physical assets to cyberattacks. The Colonial Pipeline is one of the largest refined oil pipelines serving the northern and the southeastern United States. It is housed primarily in Georgia, with fuel lines running from Texas all the way up to New York, impacting approximately 100 million people. A ransomware attack on the pipeline cost $5 million after bringing operations to a halt for several days.

An alarming upward trend

The pipeline example warned us of what we might experience as AI continues to find its way into the hands of hackers. The immediate consequence was a supply shortage at gas stations in parts of the southern and northeastern United States. Had the ransom not been paid, the impact could have been far more devastating and widespread. Projecting these same scenarios from the public domain into the enterprise domain - and suddenly, trucks don’t have enough fuel to make deliveries. Delays ensue. The loss of reliable service, even for a few days, could throw a bigger wrench into a much bigger machine.

Fast forward to 2024, and the world’s critical infrastructure, including power, medical, construction, waste management, and transportation services, are under near-constant attack. Cybersecurity statistics for 2023 bear out this alarming trend:

• The average ransomware payout surged from $812,380 in 2022 to $1,542,333 in 2023.
• Forbes reported that the number of ransomware victims in March 2023 nearly doubled compared to the previous year.
• Approximately 24,000 malicious mobile apps are thwarted daily on the internet.
• In 2023, the average cost of a data breach reached a record high of $4.45 million, according to IBM.
• Human error contributed to 74 percent of cybersecurity breaches, as reported by Verizon.
• IBM revealed that, on average, it takes 207 days to identify a breach, with the entire breach lifecycle lasting 277 days from identification to containment.
• The World Economic Forum estimated that the likelihood of detecting and prosecuting a cybercrime entity in the U.S. is around 0.05 percent.
• Cisco reported that cyber fatigue, affecting up to 42 percent of companies, contributes to apathy in proactively defending against cyberattacks.
• The U.S. was the target of 46 percent of cyberattacks, more than double the attacks on any other country.

The growing web of IoT security problems

We can’t assume that all physical cyberattacks will be as broad and powerful in scope as the SolarWinds or Colonial Pipeline breaches. But we are looking at common issues with both personal and enterprise situations as the deployment of IoT-based devices evolves.

It’s not just the contemporary devices you might find in a home or office. Yes, IoT devices present attack surfaces and create serious risks because of their security. But as markets, tech, and desire for automation reconfigure our existence, the presence of IoT grows, and so do the immediate physical concerns.

The IoT, smart devices, and infrastructure rely on network connections in similar ways. Place them in critical environments, such as transportation networks or the healthcare industry, and they immediately create a physical threat to workers, pedestrians, doctors, and patients. With cyber attackers ratcheting their attacks on the medical industry, the reliance on IoT-based devices has the potential to disrupt healthcare and threaten lives.

Dangers to your enterprise, and the public

Imagine you are headed to work in the morning. You check your smartphone for daily updates and get bombarded with a warning for your general area. The alert in question states that the local tap water supply may not be safe to drink for a period of time. Why? Third-party threat actors managed to compromise the local water plant and altered its filtering and purification, rendering it harmful to drink.

That scenario isn’t a farfetched concept. In fact, it has already happened. A cyberattack perpetrated by a former water district employee in Ellsworth County, Kansas rendered the water source undrinkable until the plot was foiled by authorities. This sabotage was aimed at filtration processes that control the levels of chemical and bacterial agents. Threats “from within” are an important concern when the physical impact of cybersecurity worldwide is evaluated.

The water treatment plant in Kansas was a relatively small operation, but there’s no reason to believe hackers can’t or won’t eventually bypass security on a wider scale. Cyber attacks have evolved well beyond ransomware schemes and the world of ones and zeroes.

The scarier reality is no longer a “what if” scenario. What if food delivery is disrupted, or electricity, or other essential services? It’s now a matter of when and to what degree. What kind of serious attacks are we looking at in five years? How about ten? The trends behind smart devices and the IoT are certainly not slowing down.

Getting physical with cyber criminals

Cybersecurity experts like Stuart Madnick and Tim Chase, CISO at Lacework, realize the AI genie is out of the bottle for good. “AI can make it easier for someone who lacks the skills and patience to attack industrial control systems themselves,” Chase says. With our increased reliance on automation and the IoT coinciding with more lethal varieties of ransomware, the physical threats become blatantly obvious. The consequences, as illustrated by Madnick's simulations, extend beyond mere service disruptions to catastrophic events with long-lasting impacts on critical infrastructure and safety.

Escalating ransomware payouts, a surge in victims, and persistent human errors contributing to breaches underscore this dangerous cybersecurity landscape. The integration of IoT devices further complicates the scenario, not only presenting security risks in personal and enterprise settings, but also creating tangible physical threats. Can the consequences for cyber criminals be heightened to approximate the physical and personal damage they can now inflict? While tracking, reporting, and prosecution of cyber crimes in general remains challenging, the US and other counties are stepping up efforts to bring the perpetrators of these dangerous acts to justice, ironically using tools like AI and machine learning to improve tracking and collaboration.