Imagine a hurricane hits a small town sending the community into emergency response, during response efforts the town’s water utility is unable to provide service not because of the storm but because of an opportunistic cyber-attack. Although fictional, many are thinking about the potential for this scenario and the cascading effects it could bring. Today’s digitally interconnected world and the electronically reliant infrastructure society relies upon introduces new threats to consider and provides an expanded attack surface for threat actors to exploit. Consequently, physical and cyber security can no longer be siloed into separate categories but should be viewed holistically, because a threat in the cyber realm can turn physical and vice versa. Thus, CISA advocates for a convergence of cybersecurity and physical security.
The risk-management firm, Gate 15, has been analyzing this phenomenon for many years and has termed this convergence “Blended Threats.” It defines a blended threat as “a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.” Consider, the Oldsmar water system attack, which started in the cyber realm but could have affected systems in the physical world and ultimately endangered lives. Or conversely, a powerful storm could potentially damage telecommunications and electricity in a locale and render virtual services inoperable.
Thinking back to the fictional scenario above, many state and local governments are actively updating their preparedness plans and conducting exercises based around converged physical and cyber threats. In Indiana, for instance, a state-wide exercise in August included responding to an earthquake while also managing an opportunistic cyber-attack against a local water utility. Additionally in 2018, the City of Houston and the U.S. Army Cyber Institute conducted a three-day drill that simulated a cyberattack, that disrupted response efforts, during a hurricane.
Indeed, in this year alone the Multi-State Information Sharing and Analysis Center (MS-ISAC) has been involved in more than five exercises with state and local governments that simulate a natural disaster and a cyber attack. “We almost always see some spike in cyber attack attempts impacted by any major event, whether it’s natural disaster or something else,” explained Randy Rose, senior director of cyber threat intelligence, at the MS-ISAC. “It’s an easier way for threat actors to gain a foothold. They take advantage of a system in a weakened state.” Read more at PEW or at Gate 15.