
Managing the Cyber-Physical Security Risks to Critical Infrastructure and Healthcare

Critical infrastructure and healthcare are two of the industries most frequently targeted by cybercriminals, and two of the most vulnerable. A successful attack can severely impact people's health and the economy. Jeopardized patient safety and large-scale disruption of power and water distribution networks and of transport and communications grids are critical risks that require ever-increasing mitigation.

The critical infrastructure and healthcare industries are key targets for cyberattacks because of their extensive use of cyber-physical systems. Cyber-physical systems bridge the gap between physical and digital environments: they are computer-controlled systems that produce physical output, such as generating power or performing surgery. Digital control of physical equipment delivers many advantages, including speed, precision, and consistency. However, it also means that a compromise of the controlling software can have physical consequences, not just digital ones.

Inside the cyber-physical threat landscape

Let’s take a closer look at these high-risk industries.

Cyber-physical threats to healthcare

Technology innovations make healthcare providers more efficient and effective, but the digital and the physical intersection also creates significant risks. Cyber-physical systems used in the healthcare industry that are vulnerable to cyberattacks include:

  • Surgical devices: Surgical robots perform operations more precisely than was previously thought possible, and their use continues to grow. An attack against these devices could leave a hospital unable to provide life-saving care or harm a patient during surgery.
  • Scanning and imaging: Ultrasound, CT and similar systems are commonly connected to hospital networks. An attacker with access to these systems could tamper with images, resulting in misdiagnosis.
  • Patient monitoring: Hospitals regularly use networked devices for heart rate and oxygen level monitoring and for medicine dispensing. Attacks against these devices could suppress alerts to nurses and/or give patients dangerous doses or the wrong medicine.
  • Personal health devices: Pacemakers and similar implanted devices increasingly communicate over the network to provide continual monitoring and adjustment. Researchers have demonstrated exploiting vulnerabilities in these devices and their programming equipment to deliver painful shocks to patients and to load malware onto the systems.

It is evident that digitally controlled technology in healthcare creates cyber-physical risks. Securing these systems is vital to protecting the health and safety of patients and healthcare providers.

Critical infrastructure and cyber threats

The critical infrastructure industry is a key target of cyberattacks that result in physical impacts. Cyberattacks against critical infrastructure stretch back over a decade and have hit several sectors:

  • Power: Ukraine's power grid was attacked in December 2015 and again in December 2016. The 2015 attack cut power to roughly 230,000 customers for several hours, the first confirmed cyberattack to take down part of a grid.
  • Water: In February 2021, an intruder used remote-access software to raise the sodium hydroxide (lye) setpoint at the water treatment plant in Oldsmar, Florida from 100 ppm to 11,100 ppm. An operator who noticed the change on screen reversed it before the water supply was affected.
  • Transportation: In 2019, transportation was one of the most targeted sectors for ransomware attacks, and incidents continued in 2020. Earlier, on June 27, 2017, FedEx's TNT Express subsidiary and several other companies doing business in Ukraine were hit by NotPetya, a destructive wiper disguised as ransomware; global losses were estimated at more than $10 billion. On May 14, 2020, the Texas Department of Transportation suffered a ransomware incident; the affected computers were isolated and no impact on physical transport operations was reported.
  • Nuclear: Stuxnet is one of the most famous cyberattacks in history, being among the first pieces of malware to move beyond hijacking computers for information and instead physically damage the equipment they controlled. Stuxnet targeted the Iranian centrifuges used to enrich uranium, remained hidden until specific conditions were met, and then varied the centrifuges' rotor speeds until they damaged themselves, while feeding the operators normal-looking readings.
  • Fuel: The recent Colonial Pipeline ransomware attack led the operator to shut down the pipeline that carries about 45 percent of the East Coast's fuel. The ransomware hit the company's IT systems; the OT side was shut down as a precaution to keep the malware from spreading into it.

In the past, threat actors who gained access to critical infrastructure mostly stopped at proof of concept, so the physical risk remained largely theoretical. Now, threat actors are increasingly carrying out real attacks against these sectors, causing millions of dollars in damage.

Best practices for managing cyber-physical risk in healthcare and critical infrastructure

A security gap in a cyber-physical system carries greater consequences than one in a purely digital system, because the failure mode is physical. Best practices for managing these risks include:

  • Perform a risk assessment: The first step in securing any system is a comprehensive investigation of it. This identifies the assets that require protection and provides a framework for building the security strategy.
  • Follow security best practices: One of the leading challenges in critical infrastructure cybersecurity is the lack of consistent security guidance and enforcement. Critical infrastructure sectors fall under the jurisdiction of different government agencies with varying cybersecurity best practices. Enforcing a common standard (e.g., the NIST Cybersecurity Framework) can help to close security gaps.
  • Implement access controls: Many cyberattacks against healthcare and critical infrastructure take advantage of poor access management on cyber-physical systems. Access to these systems should be managed on the principle of least privilege, which grants users only the access and permissions their job role requires.
  • Protect vulnerable systems: The high availability requirements of healthcare and critical infrastructure systems often mean that the systems are rarely patched or updated. Where a system cannot be patched promptly, it should be protected against exploitation with compensating controls such as virtual patching (blocking exploit traffic for known vulnerabilities at the network layer), with the real patch scheduled for the next maintenance window.
  • Change default passwords: IoT devices, which are becoming more pervasive in healthcare and critical infrastructure, are notorious for weak default passwords. Before a new device is deployed, its default password should be replaced with a strong, unique one.
  • Segment IoT devices: IoT devices are common entry vectors into an organization's network and the target of many cyber-physical attacks. Isolating these devices from the rest of the organization's IT infrastructure helps minimize the probability of a successful attack.

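Tying the Oldsmar setpoint manipulation described earlier to the access-control and segmentation practices just listed, the following Python script is an added example (not code from the original article, and not from any vendor or plant) that replays constructed HMI audit-log lines and flags setpoint writes that come from a host outside an allowlist of engineering workstations, fall outside the tag's engineering limits, or raise a value by more than an allowed multiple in a single write. The log format, tag names, limits and host addresses are assumptions for illustration.

```python
"""Plausibility and authorization checks on PLC setpoint writes.

Added example, not from the original article. Log format, tags, limits
and host addresses are assumed for illustration only.
"""
import re
from dataclasses import dataclass

# Engineering limits per tag: (min, max). Assumed values for illustration.
TAG_LIMITS = {
    "NaOH_dose_ppm": (0.0, 200.0),   # sodium hydroxide (lye) dose
    "CL2_dose_ppm": (0.0, 5.0),      # chlorine dose
}

# Least privilege: only the engineering workstations may write setpoints.
WRITERS_ALLOWED = {"10.20.1.15", "10.20.1.16"}

# A single write may not raise a value to more than this multiple of the old one.
MAX_STEP_RATIO = 2.0

# Assumed HMI audit-log format; only setpoint writes match this pattern.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=write "
    r"tag=(?P<tag>\S+) old=(?P<old>-?[\d.]+) new=(?P<new>-?[\d.]+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    tag: str
    reason: str


def parse_write(line: str):
    """Return the fields of a setpoint-write line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    w = m.groupdict()
    w["old"] = float(w["old"])
    w["new"] = float(w["new"])
    return w


def check_write(w: dict) -> list:
    """Apply the three checks to one parsed write; each failure is a Finding."""
    found = []
    if w["host"] not in WRITERS_ALLOWED:
        found.append(Finding(w["ts"], w["tag"],
                             f"write from unauthorized host {w['host']}"))
    limits = TAG_LIMITS.get(w["tag"])
    if limits is None:
        found.append(Finding(w["ts"], w["tag"], "write to tag with no defined limits"))
    else:
        lo, hi = limits
        if not lo <= w["new"] <= hi:
            found.append(Finding(w["ts"], w["tag"],
                                 f"new value {w['new']} outside limits [{lo}, {hi}]"))
    if w["old"] > 0 and w["new"] / w["old"] > MAX_STEP_RATIO:
        found.append(Finding(w["ts"], w["tag"],
                             f"single write raised value {w['new'] / w['old']:.0f}x"))
    return found


def scan(lines) -> list:
    """Run the checks over an iterable of audit-log lines; non-writes are skipped."""
    findings = []
    for line in lines:
        w = parse_write(line)
        if w is not None:
            findings.extend(check_write(w))
    return findings


# Constructed sample log lines (not real plant data).
SAMPLE_LOG = [
    "2023-03-01T09:00:02Z host=10.20.1.15 user=op1 op=write tag=NaOH_dose_ppm old=100.0 new=105.0",
    "2023-03-01T09:00:40Z host=10.20.1.15 user=op1 op=read tag=NaOH_dose_ppm value=105.0",
    "2023-03-01T09:01:10Z host=203.0.113.7 user=op1 op=write tag=NaOH_dose_ppm old=105.0 new=11100.0",
    "2023-03-01T09:02:00Z host=10.20.1.16 user=eng2 op=write tag=CL2_dose_ppm old=2.0 new=1.5",
    "2023-03-01T09:03:00Z host=10.20.1.16 user=eng2 op=write tag=PUMP3_speed_rpm old=1500 new=1600",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.tag}: {f.reason}")
```

Run it directly to print the findings for the sample log: the third line trips all three checks, and the last line is flagged only because nobody defined limits for that tag. The jump check catches the Oldsmar pattern (100 ppm to 11,100 ppm) even if the upper limit had been set loosely, and the host check is the detection counterpart of least privilege and segmentation: a write from an address that is not an engineering workstation is suspicious regardless of the value written.
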
To date, cyberattacks with physical effects have been relatively rare compared with data theft and other purely digital attacks. However, as attackers grow more comfortable with cyber-physical systems and ransomware continues to spread, the security of cyber-physical devices in critical infrastructure and healthcare matters more than ever before.