Defending against killware: The cyber threat with physical consequences

Even though data breaches, ransomware attacks and other cyber threats have become part of daily life, many organizations still get caught by surprise. Some, perhaps believing it won’t happen to them, still refuse to put money in the budget for cybersecurity. Others put their trust in outdated technology or rely on cybersecurity insurance policies to bail them out after a breach.

No matter what missteps leave a company vulnerable, the results are predictable: a struggle to pick up the pieces after an attack, with financial and operational costs that can linger for years. And hopefully, the organization learns its lesson and implements effective cybersecurity going forward.

But when the impacts of an attack become life and death, there are no second chances.

“Killware” attacks — cyberattacks that aim to cause direct physical damage and bodily harm — are a serious concern for critical infrastructure operators such as oil and gas pipelines, water systems, power generators and medical facilities. Protecting against these threats requires a different mindset, one that focuses on preventing the attack in the first place, rather than mitigating the damage afterward.

What is killware?

A killware attack is fundamentally different from other types of cyberattack. Rather than attempting to steal information, disrupt computer networks, or encrypt data for ransom, killware attacks attempt to cause real-world damage by manipulating operational technology (OT) — the valves, pumps, turbines and other equipment that keeps our world running.

The 2021 attack against the Oldsmar, Florida’s water system is an example of this kind of attack, though fortunately no one was harmed in that case. The Oldsmar attacker gained access to the water treatment plant’s control systems and increased the amount of sodium hydroxide being added to the water by a factor of 100 — an amount that would have been hazardous if the attack had not been detected in time.

In the past, attacks against industrial control systems required physical access to a facility because few OT devices were connected to external networks. But with the rise of smart, cloud-enabled OT devices, the landscape has changed. Threat actors have millions of new devices to target and new pathways to reach them.

We can’t simply hope that someone will detect the next killware attack before the damage is done. OT devices need cybersecurity that is strong enough to prevent threat actors from gaining access in the first place.

Industry standards provide valuable guidance

There are several standards that provide direction on how to protect critical infrastructure. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) regularly updates its guidance on protecting critical systems, including its publication Seven Steps to Effectively Defend Industrial Control Systems. The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protections for balancing physical security and cybersecurity have been used extensively within the electrical industry and can be used as a cybersecurity framework in other sectors like transportation and pipeline security.

There is a huge body of evidence around the implementation of these controls and the mitigations they provide that are beneficial for other industries to consider. Two concepts are particularly important: limiting external routable communication and limiting interactive remote access.

Hardware-enforced security makes killware ineffectual

Along with these well-established best practices, technology plays a major role in stopping killware attacks.

The open nature of software firewalls, which can be frequently hacked or with rules accidentally left open, unfortunately enables vulnerabilities and introduces new threat vectors. Monitoring and threat detection tools remain important, but many only reveal attacks after the fact.

With hardware-enforced network segmentation, often achieved through one-way-only data flow technology known as data diodes, data can securely flow out of a source network to an external destination without introducing risk. Organizations employing an air-gapped architecture can connect externally through hardware-enforced technology that prevents threats from entering back into the network. In fact, the Department of Homeland Security (DHS) recommends eliminating as many connections as possible in critical infrastructure networks and, if connections are needed, converting them to a one-way out only architecture. That means hardware-enforce data diodes can lock down critical infrastructure devices and networks to prevent successful killware attacks.

It takes an ecosystem

Safety is the number one principle at all critical infrastructure facilities, and cybersecurity is a major component of that safety. With deadly new threats proliferating, operators simply must harden their cyber posture to protect their most important assets and data flows. Cybersecurity is a team sport: entities large and small throughout the supply chain are also vulnerable as potential conduits to the operator target. Everyone needs to understand their role and embrace prevention in earnest.

The good news is that by leveraging available standards and integrating proven hardware-enforced technologies as part of a defense-in-depth strategy, killware can be stopped.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.