Science fiction is still seen as the only place where cyberattacks resulting in catastrophic damage and loss of life may be considered “real.” However, the reality is that cyberattacks with catastrophic consequences are no longer confined to film or the digital arena. They’ve made a real, tangible impact on the world around them.
The death toll from a cyberattack has now reached nine, making it the first time a human has been killed in one.
When Cyberattacks Result in Physical Destruction
On September 10, 2020, a ransomware assault crippled the IT systems and operations of a hospital in Germany, encrypting 30 servers. With limited phone and email connections, the hospital declared that it was “deregistered from emergency care” because of its “severe IT breakdown” and would delay all planned and outpatient treatments.
As a result, patients and visitors to the hospital were redirected to alternate facilities. A patient in a life-threatening condition was sent an hour away to a different hospital, where he died shortly after being admitted there.
At first, the hospital’s systems appeared to be working normally, but they then began malfunctioning and eventually shut down. Investigators found that the criminals had exploited a known Citrix vulnerability, and the ransom note was discovered on one of the 30 encrypted servers. The note, however, was addressed to the university, not to the hospital.
Officials in Germany contacted the attackers and explained that the attack had endangered patients at a hospital, so they returned the money and handed over the decryption key.
There is also a possible homicide or manslaughter charge related to the death of the patient, who was redirected and received medical attention an hour later than would otherwise have been necessary.
Ransomware, personal liability, and homicide
Many have drawn a link between cybersecurity and safety in business operations, and this most recent cyber event only confirms that comparison.
It is safe to say that environment, health and safety (EHS) procedures are far more established than cybersecurity ones. In the United States, for example, the Occupational Safety and Health Administration (OSHA) regulates workplace practices and helps employers protect the health and safety of their workers and the environment through a range of regulations, reporting requirements, audits, citations, and fines. Employers who breach or disregard their responsibilities can be charged with criminal violations under the OSH Act, which gave OSHA new tools to use against them. Beyond the OSH Act, OSHA works with the Department of Justice to refer safety violations to district attorneys in the relevant jurisdictions for prosecution.
As cyberattacks spill into the physical world, so do the consequences for both the victims and the perpetrators of these crimes, just as with safety. Unlike EHS violations, which routinely bring fines and jail time, cyber incidents have only rarely resulted in fines or prison terms for employers. The stakes for cybersecurity are rising across the board, and this recent case may be the first to result in a death and a negligent homicide probe.
According to a new Gartner estimate, 75 percent of CEOs will be directly accountable for cyber-physical security events by 2024. A cyber-physical attack that causes death might cost over $1 billion by 2023, according to current estimates. A cyber-physical incident has far-reaching consequences, akin to those of a safety breach. “Even without taking into account the actual value of human life, the costs for enterprises in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be enormous,” says Gartner.
As far as cyber-physical systems are concerned, laws are in their infancy for the vast majority of industries. However, there have already been fines levied, and they aren’t cheap ones either.
When it comes to securing the nation’s main power system against cyber and physical intrusion, the North American Electric Reliability Corporation (NERC) is in charge. An unnamed utility with more than 120 security infractions over four years had a $10 million NERC-CIP fine against them as of 2019.
In 2018, PG&E was fined $2.7 million by NERC. The firm has also been forced to pay over $30 billion in legal costs as a result of the wildfires in California.
Cybersecurity as a field is still in its infancy. If the history of safety regulation is any guide, however, the stakes in cybersecurity and the cost of cyber catastrophes will continue to climb, and with good reason.
Cyber-Physical Security in the Modern Age
Over the last few decades, the boundaries between the physical and virtual worlds have become increasingly blurred as technology has improved efficiency, efficacy, and safety. Most cyber-physical systems today rely on operational technology (OT), which is notoriously insecure and a favored target for cyber adversaries. So what steps should businesses take to safeguard their operations?
Vulnerabilities are difficult to patch in operational settings where uptime and availability are critical. As the German hospital ransomware case shows, unpatched assets leave operations open and vulnerable to attack.
The attackers in the German hospital incident exploited the Citrix ADC vulnerability CVE-2019-19781, for which Citrix issued a patch in January of this year. But the hospital was not the only victim. During the same week, Luxottica, a company that manufactures, markets, and sells luxury and sports eyewear, was also hit by a ransomware attack. Luxottica’s web properties were taken down and its production chain was disrupted as a result.
Additionally, many of these environments run on flat or non-segmented networks, which increases their exposure. A compromise of the email system can, for example, affect chemical compounding procedures in pharmaceuticals or ballast operations in maritime. “With perimeter-only protection, once an enemy gains access, nothing prevents them from traversing the network unchallenged,” Paul Arceneaux of Mission Secure wrote in a previous blog post. In IT environments, segmentation and micro-segmentation limit unauthorized access; in ICS, they should do the same. Organizations urgently need to segment their networks and adopt a zero-trust security approach. They can also “virtually patch” their systems by monitoring and regulating access to each asset in real time while maintaining segmentation, reducing risk and the chance of a cyber incident even further.
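The two points above, that unpatched assets stay exposed in availability-critical environments and that a flat network lets an intruder pivot from an email-system compromise all the way into OT, can be made concrete with a small lateral-movement model. The following is an added illustration written for this article, not code from Mission Secure or from any of the organizations mentioned; the inventory, zones, asset names and access rules are all constructed. It evaluates a first-match, default-deny policy between zones and assets, then simulates an intruder who can send traffic to whatever the policy permits and takes over any reachable asset whose known vulnerabilities are unpatched. The same policy format expresses a “virtual patch”: a pair of rules that restrict access to one unpatched asset to a single maintenance host without touching the asset itself.

```python
"""Added example: blast-radius model for flat vs. segmented networks.

Inventory, zones, asset names and rules are constructed for illustration
and do not describe any real environment.
"""
from collections import deque

# Constructed inventory: asset -> network zone and whether its known
# vulnerabilities are patched. Names are hypothetical.
ASSETS = {
    "citrix-gw": {"zone": "dmz", "patched": False},  # internet-facing gateway
    "mail-srv":  {"zone": "it",  "patched": True},
    "file-srv":  {"zone": "it",  "patched": True},
    "jump-host": {"zone": "it",  "patched": True},   # maintenance path into OT
    "hmi-01":    {"zone": "ot",  "patched": False},  # cannot be taken offline
    "plc-01":    {"zone": "ot",  "patched": False},
}

# A policy is an ordered list of (action, src, dst). src/dst may be "*",
# a zone name, or an asset name. First matching rule wins; no match = deny.
FLAT = [("allow", "*", "*")]  # perimeter-only: everything talks to everything

SEGMENTED = [
    ("allow", "dmz", "it"),        # gateway publishes apps into the IT zone only
    ("allow", "it", "it"),
    ("allow", "it", "hmi-01"),     # operators on IT workstations use the HMI
    ("allow", "ot", "ot"),
    ("allow", "jump-host", "ot"),  # maintenance access into OT
]

# "Virtual patch" for the unpatched HMI: only the jump host may reach it.
# Prepending the pair means it is evaluated before the broader IT->HMI rule.
VIRTUAL_PATCH = [("allow", "jump-host", "hmi-01"), ("deny", "*", "hmi-01")]
SEGMENTED_VPATCH = VIRTUAL_PATCH + SEGMENTED


def _matches(pattern, asset, assets=ASSETS):
    return pattern in ("*", asset, assets[asset]["zone"])


def allowed(src, dst, policy, assets=ASSETS):
    """Return True if the first matching rule allows src -> dst (default deny)."""
    for action, s, d in policy:
        if _matches(s, src, assets) and _matches(d, dst, assets):
            return action == "allow"
    return False


def blast_radius(foothold, policy, assets=ASSETS):
    """Simulate lateral movement from a single compromised host.

    From every compromised host the intruder can send traffic to each asset
    the policy permits ("exposed"). An exposed asset that is unpatched is
    assumed to fall as well ("compromised") and becomes a new pivot point.
    Returns (compromised, exposed); exposed excludes compromised assets.
    """
    compromised = {foothold}
    exposed = set()
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for dst in assets:
            if dst == src or dst in compromised:
                continue
            if not allowed(src, dst, policy, assets):
                continue
            if assets[dst]["patched"]:
                exposed.add(dst)
            else:
                compromised.add(dst)
                exposed.discard(dst)
                queue.append(dst)
    return compromised, exposed


if __name__ == "__main__":
    scenarios = [
        ("flat, gateway exploited", "citrix-gw", FLAT),
        ("segmented, gateway exploited", "citrix-gw", SEGMENTED),
        ("segmented, mail server phished", "mail-srv", SEGMENTED),
        ("segmented + virtual patch, mail server phished", "mail-srv", SEGMENTED_VPATCH),
    ]
    for label, foothold, policy in scenarios:
        comp, exp = blast_radius(foothold, policy)
        print(f"{label}:")
        print(f"  compromised: {sorted(comp)}")
        print(f"  exposed:     {sorted(exp)}")
```

Running the script shows the progression the text argues for: on the flat network a single exploited gateway reaches every asset and takes over both unpatched OT devices; segmentation confines the same foothold to the IT zone; a phished mail server can still reach the HMI through the operator rule and pivot on to the PLC; and the virtual-patch pair closes that path while leaving the jump host’s maintenance access intact, with no change to the HMI itself.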
Cyber-physical systems are used in almost every industry. From the food and pharmaceuticals we consume to the electricity that powers our homes and traffic lights, practically every aspect of daily life depends on cyber-physical activity. In building and facility management, cyber-physical technologies include security controls and smart HVAC systems.
Personal data and intellectual property are no longer the sole concerns of cyber security; it now covers a wide range of operations that have an impact on the daily lives of people all over the world. According to Gartner’s analysis of the market, a focus on operational resilience management (ORM) beyond information-centric cybersecurity is desperately needed.