There was a time when cyberattacks against cyber physical systems (CPS) were almost strictly confined to the theoretical realm. Industrial control systems (ICS) were air gapped. Medical devices were similarly isolated. Building management systems (BMS) were self-contained.
Connectivity has changed all of that. Factories are connecting operational technology (OT) to the internet, sending precious business data and intellectual property to the cloud. Internet of medical things (IoMT) devices are coming online at a rapid pace, enabling not only life-saving innovation but quicker diagnoses and therapeutic recommendations that are enhancing patient care.
Naturally, hackers see an opportunity. As cyber physical systems connect to the internet and the cloud, the same weaknesses that plague corporate networks trickle down to OT, ICS, and IoMT devices, and threat actors will take advantage of them there too.
Ransomware attacks have already made their marks on hospitals worldwide, disrupting critical services and interrupting patient care on numerous levels. Geopolitically motivated attacks against ICS and OT security in Ukraine and elsewhere have threatened the availability of power, water, and other critical services.
Attackers are becoming less opportunistic and more targeted in their aggression against CPS.
Let’s look at a host of threats targeting cyber physical systems that are becoming more practical and less theoretical.
A noteworthy and disturbing trend seems to be an increase in attackers developing purpose-built frameworks targeting edge devices, hypervisors, and other network infrastructure that does not generally support endpoint detection and response (EDR). EDR does a great job catching most publicly known malware and exploits, but there are certain appliances and technology that don’t support EDR. For the past year, hackers have turned their attention to finding and exploiting zero-day vulnerabilities and commodity flaws in order to backdoor these types of technology.
This trend should open some eyes with respect to CPS given that many of the ICS, internet of things (IoT) sensors, and other connected devices that make up the CPS ecosystem also don’t support EDR. This type of illicit access exposes the network, enables lateral movement, and in the case of CPS, can put physical processes at risk.
CPS requires constant network and threat monitoring, and often a host of compensating controls to make up for some of the patching difficulties present in both OT and healthcare environments. Controls such as network segmentation go a long way toward containing these types of attacks and building resilient systems.
Healthcare environments, and some other critical infrastructure sectors, have been plagued by extortion-based attacks. These multifaceted campaigns begin with stealthy access to the networks and the exfiltration of sensitive company, customer, or patient data. Asset owners and operators are threatened with leaks of this data and subsequent ransomware deployments if ransom demands are not met.
Asset-heavy organizations can feel the sting of these attacks, even if CPS aren’t the primary target of the threat actor. A hospital that loses access to patient records, or whose Windows-based imaging systems fall prey to ransomware, may face the difficult choice of re-routing patients to other facilities. Critical infrastructure sectors such as energy, utilities, and water have real public safety concerns if processes are disrupted or damaged by ransomware and other attacks.
Another concern is recovery. How long will critical systems be offline? How long will patients be diverted, or energy delivery impacted? Some organizations face weeks of recovery at extravagant costs to the business.
Recent research from Anthropic uncovered a China-sponsored campaign that manipulated the company’s Claude family of large language models to execute cyberattacks against a number of high-value tech companies, financial institutions, chemical companies, and government agencies. Anthropic said in its advisory: “We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention.”
Enterprises have invested heavily in AI and are seeing immediate returns around efficiency and innovation. Likewise, attackers are turning generative AI and large language models (LLMs) such as Claude into dual-purpose tools to accelerate attacks. The cat and mouse game is on.
CPS’ role in AI adoption is clear: Data center construction is up 30% year-over-year and reached a seasonally adjusted rate of $40 billion in June. That growth brings greater power and cooling demands, so efforts to protect the CPS behind energy delivery and BMS must accelerate alongside this adoption.
The same holds true for manufacturing sectors. Amazon intends to replace more than 500,000 employees—160,000 in the United States by 2027—with robots and artificial intelligence (AI). According to a New York Times article published last month, this logistics automation is expected to save 30 cents per item picked and significantly cut into the company’s workforce, while the company expects to double product sales volume in less than 10 years. From a cybersecurity perspective, it is another wave of CPS that will need to be protected, not only in the logistics and warehousing industries but also in manufacturing and other critical industries.
Cyberattacks against CPS are emerging from a number of vectors. Nation-state attackers are well-resourced and determined to gain illicit access to systems that, if damaged, can impact critical infrastructure. Less-sophisticated threat actors, meanwhile, are profit- or socially motivated and are interested in disruption, sowing chaos, and undermining trust in the government’s ability to protect us.
Security leaders charged with protecting these systems must understand how the threat landscape is changing, what threat actors are targeting, and how to best defend them.
In addition to threat intelligence capabilities that provide precise data on the tactics, techniques, and procedures deployed by hackers, CPS asset-heavy enterprises and healthcare providers must have foundational protections in place.
Asset visibility is foremost; a complete and accurate inventory of connected assets is paramount, and will enable the rest of a CPS protection program. For example, exposure management programs rely heavily on asset visibility in order to understand the vulnerabilities and configuration weaknesses attackers are likely to exploit.
Remote access is another facet of a CPS program that must be secured. Organizations must have visibility into active connections, monitor and audit them, and have the capability to cut off remote sessions in real time in response to potentially malicious activity.
A purpose-built solution such as the Claroty Platform provides comprehensive protection of CPS environments and is the cornerstone of a CPS protection program. Not only does the platform provide the asset discovery, exposure and vulnerability management, remote access, network, and threat protection modern enterprises demand, but it also does so with an eye toward minimizing impact to the business. The Claroty Platform not only understands the connected assets in your environment, but dictates protection based on minimizing business impact, ensuring uptime and availability, and building resilience in the event of an incident.