Lewis Shields joined ZeroFOX in 2020, having previously held positions at Deloitte and the UK’s Home Office and Department of Education. He became the Principal Intelligence Analyst at ZeroFOX in 2022. He holds an undergraduate degree in Philosophy from the University of Nottingham.
He shares his expert insight with Cyber Digital around the convergence of cyber and physical security, particularly in critical infrastructure sectors like finance, energy, and healthcare, which face a growing threat landscape due to their expansive attack surfaces.
What is cyber-physical convergence and why is it a growing threat?
Over the past few years, threats within the cyber and physical domains have become increasingly intertwined and indistinct. ‘Cyber-physical convergence’ describes this increasingly strong relationship between these two spheres: how cyber threats impact physical systems, and how physical and geopolitical developments are shaping the cyber threat landscape.
We are now seeing an interconnected world in which physical assets, infrastructure and systems can be disrupted by cyber threat actors leveraging their typical cyber tactics, techniques and procedures (TTPs). In addition to this, we are also increasingly seeing battle lines drawn in cyber threat actor communities based on physical and geopolitical dynamics. This outline will focus on the former of these two; namely how cyber threats impact physical systems.
The interconnectivity, complexity, and fragility of supply chains are on an upward trajectory, with greater adoption of smart technologies, third-party services, and integration of technological solutions. This is driving a rapid expansion of the attack surface, leaving more vulnerable endpoints for threat actors to exploit, and making it more difficult for security personnel to secure their environments. This interconnectivity means that people can act out in the physical world from within the cyber realm, while also having the flexibility to participate in the physical space based on what they learn and are taught in cyberspace.
Physical infrastructure now relies heavily on digital systems, creating a complex and intertwined ecosystem. Increased automation and the expansion of the Internet of Things (IoT) are driving more tools and machines to require network access than ever before. Greater interconnectivity between Information Technology (IT) and Operational Technology (OT) networks creates new vectors for threat actors’ cyber attacks to disrupt physical systems. This convergence threatens to leave many organisations with outdated security management and resilience strategies that are unable to holistically mitigate cyber threats posed against organisational assets.
How can physical security threats materialise online?
Bad actors will utilise online research tools, including social media, to harass, bully, or provoke their intended victim. Additionally, traditional cyber attack methods can disrupt physical systems, processes and assets. After gaining initial access, threat actors can conduct a range of follow-on malicious activity including moving laterally, privilege escalation, payload deployment (ransomware and malware), and data theft. Four of the main ways physical security threats materialise online include:
- Unauthorised access: Threat actors are able to obtain credentials for physical system users and administrators to conduct follow-on malicious activity. This can be achieved by obtaining compromised credentials in data breaches, social engineering, or brute force attacks against users.
- Vulnerabilities: Threat actors are able to leverage Common Vulnerabilities and Exploits (CVEs) and zero-day vulnerabilities in OT infrastructure, as well as moving laterally after leveraging vulnerabilities in IT infrastructure. Threat actors are exploiting these vulnerabilities faster than ever before, placing increasing strain on security teams to rapidly identify and implement security patches or functional work-arounds.
- Disclosure of sensitive data: Both during and after an attack, threat actors can leak sensitive company information including intellectual property, financial information and even sensitive information on employees and corporate locations. For example, leaking of office schematics or doxxing of employees can create a real-world physical threat to both buildings and personnel.
- OT infrastructure that is critical to organisational output, that may have traditionally been air-gapped from internet-facing systems, may now be a vulnerable aspect of wider attack surfaces. Business-critical equipment may be disrupted and its function ceased, as a part of a digital extortion attack.
How does this convergence affect the threat landscape, and which industries is it impacting most?
This convergence is multifaceted, intertwined, and no longer one-dimensional. All of us rely on the cyber realm to ensure our physical existence is efficient, comfortable, fun, and civil. Cyber-physical convergence impacts almost all industries in all locations. Industries operating significant OT infrastructure face an overt threat, including, but not limited to, Critical National Infrastructure, Manufacturing, Healthcare, Agriculture, Mining, Transport and Logistics, and Construction. Organisations in these industries may not have historically been responsible for managing the security of internet-connected systems, and may lack the awareness of how to do so effectively.
Disruption to these systems can impact revenue, reputation and, in some cases, pose an immediate threat to life. OT systems are attractive targets for threat actors given their role in maintaining day-to-day business operations. These industries face threats from financially, politically and ethically motivated threat actors, including nation-state and Advanced Persistent Threat (APT) groups. There are increasingly prevalent OT-specific malware strains being deployed across the landscape. It is becoming increasingly difficult for organisations across industries to have a thorough understanding of, and thorough maintenance plan for, the IT/OT infrastructure employed within their supply chains, increasing opaqueness and the threat posed by unforeseen elements.
However, increased digitisation and increasingly complex supply chains mean that organisations in almost every industry face a greater threat from cyber-physical convergence. Organisations must consider their entire supply chain when assessing the threat, including potential disruption to the supply of hardware and software.
In your experience, how should organisations make their infrastructure more resilient to protect against these threats?
Companies must prioritise basic cyber hygiene for their networks and the people under their stewardship, but also act beyond those minimum standards. Preventing these threats can be broken down into a few key areas.
Organisations must take steps to fully understand their complete environment, cyber and physical, including third-party suppliers and supply chains. They must conduct a full audit of their infrastructure to identify potential weak points including unpatched vulnerabilities, user errors, privilege issues and insider threats, among others.
The other important factor here is training your employees to be vigilant of these kinds of threats. Your IT team may be well versed in managing risks across both cyber and physical systems, but oftentimes employees aren’t as educated on how their online presence can impact their physical security, or vice versa.
Predictions show that by the end of 2024, 75% of CEOs may be personally liable for damages from cyber-physical security (CPS) incidents that harm corporate personnel and facilities. Dedicating appropriate resources to defend online and offline infrastructure is of critical importance now.
How is ZeroFox working to address this convergence challenge?
There are three main areas ZeroFox is involved in when it comes to helping organisations counter this specific convergence challenge. These all sit under its Physical Security Intelligence (PSI) software.
First, ZeroFox provides widespread visibility into physical attack surfaces, allowing the user to see threats based on real-time data. This provides more insight into key physical locations through advanced geovisualization of incidents, where customers can easily search for and visualise global physical security incidents in proximity to their protected locations and assets on an interactive map. The provided visibility tracks across the surface, deep, and dark web in over 152 countries. Increasingly important in our interconnected world is geopolitical intelligence. This provides access to unique ZeroFox intelligence from the global map, with a detailed analysis of activity affecting selected locations and additional context from our threat analysts on current geopolitical climates and threat actor motivations.
ZeroFox also provides granular threat research which shows the historical and current global threat map and filters by incident type, specific keywords, location, and time to anticipate future threats and implement proactive measures to safeguard your organisation.
PSI also enables organisations to mitigate any human resourcing strains through AI-driven technology in the platform, which can automate alerts and investigative efforts across thousands of online avenues. The combination of these factors allows users to better prioritise threats, addressing the most critical threats first.
What do you see as the future of physical and cyber security convergence, and how can companies best prepare for these developments?
Converging physical and cyber security challenges are on a strong upward trajectory, so organisations must establish robust cybersecurity standards. For example, the UK government currently has a consultation open to collate views on proposed regulation to improve the security and resilience of data infrastructure, including data centres. The primary focus has been on safeguarding sectors crucial to human safety, national security, and the economy. These newly introduced frameworks encompass regulations designed to enhance capabilities and processes for preventing, detecting, and responding to security incidents within critical sectors.
While proposed regulations will likely aid security, they are not a panacea. They will likely be unable to address entire supply chains, govern foreign manufacturers, and may be difficult to police or enforce. Such legislation is almost certain to become more widespread and comprehensive, though it is very likely to consistently lag behind the TTPs used by contemporary threat actors.
Although these measures are expected to bolster the long-term security and resilience of critical sectors, short-term challenges are anticipated in maintaining the security of IoT and OT in particular. This is because many OT systems are outdated or pose complex challenges when updating to today’s security standards. This means security teams need to secure legacy OT technology all while organisations across the world are planning to invest nearly 13% more in new Industrial IoT (IIoT) technology by 2028.
The UK is the third most targeted country in the world for cyber-attacks, behind the US and Ukraine. Therefore, it is even more urgent that organisations, especially those that operate in critical services sectors like energy and healthcare, or their supply chains, continue to invest in resources that will support physical and cyber infrastructure resilience.
Cyber Magazine is a BizClik brand