By Resolver Modified February 7, 2021
While some might consider cybersecurity and physical security to be distinct disciplines, they are, in fact, highly connected. Obviously, one cannot ensure the availability of data systems, for example, if criminals can easily steal the equipment on which they reside. Likewise, cybersecurity failures can lead to serious consequences in the physical world.
Here are five areas of emerging technology in which cybersecurity can significantly impact physical risks, and which people concerned with risk management should learn about:
The Internet of Things (or IoT) – that is, the collection of devices that are connected to the Internet but which are not computers in the classic sense of the word – is rapidly expanding. While the typical consumer may experience the emergence of such technology in the form of smart household appliances – for example, a refrigerator that allows its owner to check its contents while shopping via an Internet-connected camera inside the device, or a television that contains all sorts of apps that allow viewers to check the weather, play games, or watch movies from subscription sources without the need for a cable box – the reality is that commercial and industrial uses dominate IoT, and will account for the vast majority of IoT devices for the foreseeable future.
Various smart devices on factory floors, self-repairing equipment, equipment that reports on production status, and numerous other newer technologies will make many non-smart devices obsolete in just a few years. Firms that don’t embrace newer technologies will quickly grow uncompetitive, and be relegated to history books.
Of course, all of IoT creates risk. Household devices can potentially be turned off or “played around with” by hackers. But industrial IoT poses even greater risks. Terrorists, criminals, or even competitors could potentially hack into such systems in order to cause failures – many of which may endanger human lives; it is not hard to picture how industrial equipment set to intentionally malfunction could directly kill or injure people, or create dangerous situations such as fires or chemical spills that may result in human deaths.
Social media has quickly become one of the most powerful mechanisms for human communication. Yet, this new medium also creates serious security concerns. It is not a secret that cyberbullying on social media has led to teenagers committing suicide, nor that information overshared on social media has led to all sorts of physical crimes. People who have shared their vacation plans – or posted photos of themselves away with their entire families, for example – have come home from vacation to find their homes robbed. Parents who post information about their children so as to let strangers calculate the children’s schedules and whereabouts may expose their children to unnecessary risks. Likewise, employees’ oversharing has allowed criminals to craft highly effective spear phishing emails used to trick employees into taking actions that undermine security systems; this may lead to both digital penetration (i.e., data breaches and hacking) and physical penetration (e.g., robberies).
In fact, social engineering-type attacks – which often begin with criminals doing reconnaissance by scanning social media for overshared information – are believed by many experts to be the number one way of commencing an attack in today’s world of numerous security systems. Why would criminals expend resources trying to undermine and defeat advanced, mature technology when they can exploit social engineering to trick the technology into thinking they are authorized users?
Today, many offices and factories are secured with physical access control systems that utilize smart cards for identification. By holding a card near a reader, authorized individuals can enter a building or specific sections within a building. Many of these systems, however, are connected to the Internet – raising possibilities that hackers could potentially allow unauthorized parties to gain access into a building, or into a sensitive region within a facility. Obviously, such a risk means that corporate espionage is a concern – but so are robbery and sabotage.
Furthermore, many safety systems are also now “smart” and “connected”; it is obviously of tremendous benefit if a fire suppression system can, for example, notify administrators if it detects some sort of pressure problem in a particular section of its plumbing. At the same time, however, connecting safety systems to the Internet creates risks. What if, for example, a hacker were to breach a connected fire alarm system or fire suppression system and disable it, or cause it to go off unnecessarily at periods of peak production? Or what would happen if someone triggered it repeatedly to the point that people began to ignore it? What if a criminal sent false signals to a centralized monitoring and control system – or to someone monitoring the system – that impersonated a safety system and reported that everything is fine when it is not? The impact in any of the aforementioned scenarios could be devastating.
As smart devices increasingly permeate the healthcare field, information technologies have created numerous risks to human life. According to a report issued last month, studies performed by researchers found that hackers were able to successfully breach patient monitoring systems, check-in kiosks, and drug dispensers, using a variety of hacking techniques. Had such attacks been conducted by nefarious parties intent on inflicting harm rather than by researchers, there is little doubt that the lives of patients could have been put at risk.
Sadly, the findings of the recent report were not unexpected. Earlier this year, a researcher managed to hack into hospital systems in Russia via an improperly configured Wi-Fi network. Last year, researchers found that many hospitals have poor passwords protecting their X-Ray and CT scanners and associated data. It’s not hard to imagine the risks to human life: What if someone swapped the results of two patients’ tests, or modified electronic health care records?
Besides the obvious liabilities involved in putting human lives and health at risk, there is also the possibility of direct financial damage to hospitals and healthcare facilities: What if a hacker remotely controlling expensive and highly needed medical equipment abused it and caused it to break?
The physical risk from medical equipment is not limited to situations involving a technology breach; the impersonation of medical devices could lead to catastrophic consequences as well. Imagine, for a moment, that someone impersonated the transmissions from a smart pacemaker that regularly transmits patient and device status information to doctors – and sends distress signals when the patient is actually fine. Could that result in unnecessary procedures and associated risks? Could it lead to doctors ignoring distress signals when they are actually real? Similar risks apply for any other medical equipment that transmits patient information across the Internet; if it is not properly secured there could be serious consequences even without anyone actually breaching a medical system.
It doesn’t take much imagination to realize the danger that poor cybersecurity in smart cars could create. And, that risk is not theory anymore. Over the past few years, experts have discovered significant vulnerabilities that almost certainly would have led to deaths had they been discovered first by malicious parties rather than by whitehat hackers. Researchers were able to remotely breach a Jeep Cherokee via its cellular-connected entertainment system, attack the vehicle’s computer system, and gain control of the car’s brakes, engine, and transmission. Fiat Chrysler had to issue a recall and update the software on over a million vehicles after hackers demonstrated that they could take remote control of various cars from across the Internet. Last week, Nissan was forced to disable an app that allowed owners of its electric Leaf car to control their cars’ heating and cooling from their smartphones, after a researcher demonstrated that he could use the app to control the systems in cars not belonging to him.
The risks are obvious. Ironically, much of the equipment used to make vehicles today is itself “smart,” so any system used to ensure that vulnerabilities don’t enter a car is itself subject to risk – bringing us back to the risks mentioned above about industrial IoT systems.
As technology evolves, new risks will emerge. And in today’s technology-reliant world, that means significant risks to both individuals and businesses. To successfully manage those risks, managers must understand the role that cyber issues play with regard to the physical world.