Why cyber-physical systems security is crucial for state and local governments

Simon Chassar, CRO at Claroty, discusses why cyber-physical systems security is so integral to government in the modern era

Digital transformation allows state and local government agencies to better and more efficiently serve the public. Increasing the connectivity of all physical system programs or logic controllers, human-machine interfaces, workstations, or Internet of Things (IoT) devices like CCTV can help to create a more streamlined and automated service. This interconnected web of cyber-physical systems is the Extended Internet of Things (XIoT).

However, as all these systems are networked and connected within the environment, any disruption can severely impact the organisation. In other words, the benefits of digital transformation and the XIoT come with greater cyber risk. We increasingly rely on online access to physical systems for greater automation, control, efficiency, and convenience.

Cyber-physical systems (CPS) and underlying connected assets were not necessarily designed to co-exist seamlessly in a connected environment, so we are now seeing many new attack vectors emerge.

What risks are involved in connecting cyber-physical systems to underlying connected assets?

Cybercriminals have changed their tactics completely. Adversaries are moving away from extracting personal information and moving towards disrupting business availability as a leverage point for financial gain. With cyber-physical systems being so closely linked to business uptime, they are a natural target for attack.

Cyber-physical systems have multiple entry points which open these systems to potential threats. For example, cybercriminals can enter the network from an IT environment (through a work computer, let’s say) and move laterally to the operational technology (OT) or industrial control side and then misuse system vulnerabilities or exploit hidden security gaps within systems.

Employees may inadvertently facilitate an attack by clicking on a link or downloading a piece of code which acts as an entry point for threat actors. Once an attacker breaches the perimeter, they can inject code to affect the logic controller and create an outage in the distribution system. The organisation would then have to physically restore and recover the environment to make it operational again.

Organisations must also deal with all the system “back doors” accessible for these industrial environments, developed over many years of legacy control systems that multiple automation vendors have been using to access and maintain the health of these physical assets.

Threat actors have increasingly easy access to extremely clever tool sets

Threat actors have increasingly easy access to extremely clever tool sets that can help them exploit this situation, enabling them to enter engineering workstations and mirror legitimate activities. This makes adversaries invisible to the human operator, thus enabling them to carry out covert surveillance.

The public sector has proven particularly vulnerable to these attacks, with criminals threatening critical national infrastructure like water supplies, transportation, and basic operations in local and national governments.

What is the impact of an attack on public services?

The companies operating in the public sector, including water, healthcare, electric utilities, and education, cannot afford downtime. These services are crucial for the everyday functioning of civilians and broader society. Disruptions to these industries can directly affect the lives of all who rely on these public services.

In an extreme example, callous criminals hacked into the water treatment system of a Florida city and added dangerous amounts of sodium hydroxide chemicals to the water supply. The corrosive chemical can cause temporary hair loss and irritation to the eyes and skin, and consuming the polluted water can cause nausea, diarrhoea and vomiting.

Alongside the potential for direct physical harm, these industries store essential financial and personal information of their customers. Customer data such as bank details, home addresses and credit card information are some sensitive information that can be accessed and misused for financial gain.

For instance, the South Staffordshire PLC, the parent company of two major water companies, was hit by a ransomware attack last year. Though the statement mentioned that the firm experienced disruption to its corporate IT network, the water supply was not affected. However, the bank details of some of their customers were accessed and possibly leaked on the dark web.

Why is securing cyber-physical systems a priority for the government?

Cyber-physical systems are also exploited as assets in geo-political conflicts, with state-backed threat groups targeting critical national infrastructure (CNI) as a means of harming opposing nations.

This has prompted legislative action from many governments, as seen following the Colonial Pipeline ransomware attack, which shut down the pumping operations of a major US oil pipeline. Urgent measures were required to be taken as this attack resulted in a reduction in fuel availability, impacting the lives of many civilians.

Governments worldwide are now taking action, starting with the 100-day initiative by US president Joe Biden to ensure that all federal government departments improve their cyber security visibility or understanding of their CNI.

Another initiative is the NIS framework, which was recently reinforced into a global standard called NIS 2 directive. This directive has spread worldwide, including in the UK, the EU and Japan.

The initial NIS directive aimed at improving cybersecurity but is not a cybersecurity law, instead ensuring both the physical and environmental security of CNI. The follow-up NIS 2 directive, on the other hand, includes information security and networking and covers all service providers and suppliers of the CNI environment within the EU.

So, how can different sectors secure their cyber-physical systems?

Whilst government advice and directives are important, implementing proactive security measures is crucial.

One of the most important first steps for organisations is to gain visibility into their networks. Only by gaining full visibility into all cyber-physical systems and assets can organisations start understanding the residual risk from vulnerabilities and security gaps, including end-of-life devices, lurking in their networks. Automated asset discovery tools can help to identify connections and make this task more manageable. Once all devices are identified, it is then crucial to implement regular security updates.

Public sector service providers must also protect their systems by deploying network segmentation. This will break the organisation’s network into smaller groups and ensure that adversaries cannot move across the network. By breaking the network into smaller groups, firms can significantly minimise an attack’s impact.

Digital transformation has benefited customers and organisations in creating acceleration in output, engaging with constituents, and reducing costs. However, it has also been a boon for cybercriminals by opening doors or access points for adversaries to leverage.

Criminal intruders or malware can potentially impact a physical system or disrupt all operations and test an organisation’s cyber resilience. Organisations operating in the public service sector must also put security controls and invest in government-led initiatives to ensure the smooth functioning of society.

Written by Simon Chassar, CRO, Claroty