Cyber-physical cybercrime is a scary topic, and one that is still largely unknown to most of us, much like the worst effects of ransomware campaigns. In fact, this form of crime has only been on the agenda for the past few years, discussed alongside ransomware, data breaches, viruses, trojans, phishing, and other cybersecurity issues in general. These are just a few of the cybersecurity terms that resonate with, and worry, information security professionals and tech-savvy folks all over the world. By far the most worrisome of them all is cyber-physical cybercrime.

This is the heavy end of cybercrime, and the worst thing about it is that it can affect all of us: it can rob us of our money and even threaten our lives while we receive medical care (more examples in the next sections). For these reasons, let’s take a look at what is meant by cyber-physical cybercrime, give some real-world examples of the issue, and finally look at how to arm yourself with the tools and knowledge necessary to prepare for potential cyber-physical attacks.

Cyber-Physical Cybercrime?

Cyber-physical cybercrime can sound a bit confusing at first, although it is simple to define and to explain to anyone because of the direct nature of this type of cyber attack. Cyber-physical cybercrime is when cybercrime, i.e. crime perpetrated in the digital realm by criminals (cybercriminals/hackers), crosses over into the real world. When we say the digital world, we are referring mainly to the internet, i.e. attacks perpetrated remotely that use the internet as their vessel. In rarer cases, attacks can also be carried out via infected external devices that can topple systems, networks, and servers. Infected USB sticks and the like are mostly a thing of the past, though. In most cases, it is more convenient, more lucrative (not to mention more comfortable) for attackers to orchestrate cyber-physical attacks remotely over the internet.

Serious, specialized, targeted cyberattacks like cyber-physical attacks are always very bad news. These types of attacks are always high-profile, elite-hacker-level scenarios. They are perpetrated by hackers of such skill that law enforcement and intelligence agencies all over the world consider them terrorists (cyber-terrorists). These scenarios almost always point to a nation-state-backed group of expert black hat hackers. There is no recorded cyber-physical attack that has not caused significant damage, at the very least, to people and their livelihoods, and in some cases they have even resulted in death.

Cyber-physical attacks also cripple critical infrastructure, that is, any critical municipal or national infrastructure that operates digitally and that a population depends on for daily life. Finally, they can completely undermine national security and are considered a national defense emergency of the highest level.

Why Do These Scenarios Occur?

The answer is multi-pronged. As the internet today mirrors everything right and wrong about society, it is to be expected that a wide range of people inhabit it, including malicious actors. There are around 5 billion of us on the internet every day, and over 30 billion devices, so it would hardly make sense to expect this environment to be absolutely safe.

Cybercriminals have always existed, albeit in varying degrees of severity and sophistication. Today, the modern internet has proliferated across almost the entire globe, and with it critical systems and critical infrastructure such as hospitals, banks, and insurance, and even industries such as factories, agriculture, and water treatment, have been digitally transformed. As a result of this digital transformation, the doors are now open for cybercriminals to attack our critical infrastructure, resulting in real-world danger.

Industrial control systems and other critical infrastructure tend to run old software, known as ‘legacy’ software, that can easily be compromised by cyber-attacks: exploiting software vulnerabilities, injecting code, and exploiting backdoors. Furthermore, even if these ‘entry points’ are secure, cybercriminals can latch onto unsecured devices anywhere else in the network chain, with domino-effect-like consequences.

Cyber-physical systems are now at risk. To put this into perspective by borrowing a sentence from NIST, “CPS comprise interacting digital, analog, physical, and human components engineered for function through integrated physics and logic.” This covers all ‘smart’ items (IoT), smart grids, smart cities, and of course critical infrastructure. The internet is a double-edged sword: it has literally evolved our species to another level, but it also poses extreme risks of cyber-physical sabotage if our knowledge is not up to scratch, our detection systems are weak, and our software is outdated.

Examples of Cyber-Physical Cybercrime

There are several cases in which malicious digital tools and techniques resulted in real-world harm. Here are some examples:

• The Stuxnet worm that eradicated centrifuges in Iran’s nuclear facility a decade ago

• A 2013 cyberattack that took control of a small dam

• A 2015 attack that led to power outages for over a quarter of a million people

• The infamous WannaCry ransomware attack that disrupted the medical industry

A report by Symantec shows just how dangerous cyber-physical attacks can be. The report states, “It’s not just nation-state malefactors who are responsible or big infrastructure that’s being targeted. Malicious cyber hackers have taken control of water treatment plants, hacked steel mills to halt production, and other examples. White-hat hackers, probing for flaws, proved they could theoretically take over the ballast pumps of cargo ships and capsize it, or take over an electric scooter, via faulty password validation, and accelerate it.” Now, imagine that in the context of a pacemaker.

Can You Protect Yourself?

Now we come to the big question. If such attacks and schemes are so sophisticated and ill-intentioned, with unlimited resources, support, and substantial funding behind them, can we actually protect ourselves, our families, and our friends from the consequences of cyber-physical attacks? With billions of devices now connected, how can we be sure that our electric car, our electric scooter, or even our pacemaker cannot be weaponized? It is a difficult question to answer, but one of the best remedies is awareness and common sense when it comes to cyber-physical cybercrime. That means that industry must make the switch to Zero-trust frameworks, and that we as individuals use information security best practices to our advantage every time we are online.

The problem with proprietary industrial software, and with hardware components like control panels that rely on it, is that most companies in heavy industry, for example, do not collaborate or share information (which would be a great step towards collectively fighting off heavy cybercrime). Another issue is that industry-grade software in particular is not usually created with security in mind from the ground up, nor probed for flaws (regularly, at least). This is especially shocking when it comes to the medical industry.

To quote Symantec again, “companies need to step away from their proprietary, black-box mindset and start sharing information with networks, consumers, and each other. [Device makers need to share data about their software, firmware, and hardware], says Dale Nordenberg, executive director of Medical Device Innovation Safety and Security, a non-profit focused on medical device security.” If we are to build entire smart cities someday that will augment our reality to new heights, it must be done with security in mind at every stage.