For the general public, cyber-attacks causing catastrophic damage and loss of life are still thought of as only ‘real’ within the sci-fi genre—movies, books, television series, and video games. But the truth is that cyber-attacks with dire consequences no longer live merely in film, or in the digital realm for that matter. They have crossed into the physical world with real, tangible impacts.
And perhaps for the first time, a cyber-attack has also resulted in the loss of human life.
When cyber-attacks have physical repercussions
On September 10, 2020, a hospital in Germany fell victim to a ransomware attack that encrypted thirty servers, severely disrupting its internal IT systems and operations. Functioning with only limited phone and email communications, the hospital announced it had “deregistered from emergency care” and will postpone all planned and outpatient treatments due to its “extensive IT failure.”
As a result, inbound hospital traffic was redirected to other hospitals. In one situation, a patient with a life-threatening condition was detoured an hour to another hospital, dying shortly after arrival.
“If the ransomware attack did indeed lead to a patient’s death, however indirectly, the incident could go down in history as a first of its kind.”
- Fortune, Ransomware attack on a hospital may be first ever to cause a death
According to AP, the hospital’s systems were infected and disrupted for a week before gradually crashing to a halt. Upon investigation, authorities identified the attackers exploited a known Citrix vulnerability and found a ransomware note in one of the thirty encrypted servers. However, the message was addressed to a university, not the hospital.
German authorities contacted the adversaries and explained that their target was, in fact, not a university but a hospital, and that the attack was endangering patient lives; the attackers withdrew the ransom demand and provided the decryption key.
Among other charges, German prosecutors are investigating negligent manslaughter or homicide over the death of the patient who was rerouted and received medical care an hour later than would otherwise have been necessary.
From ransomware’s financial gain to personal liability and homicide
Many have drawn the line between cybersecurity and safety in commercial operations, and this latest cyber incident reinforces that parallel.
Environment, health, and safety (EHS) practices are far more mature than cybersecurity. In the United States, for example, the Occupational Safety and Health Administration (OSHA) has numerous regulations as well as reporting requirements, audits, citations, and fines to regulate employer practices and help ensure the health and safety of employees and the environment. The OSH Act further expanded OSHA’s available recourse, empowering it to bring criminal charges against employers that violate or neglect their responsibilities. On top of the OSH Act, OSHA is also working with the Department of Justice to refer safety violations to local district attorneys for prosecution.
As cyber-attacks cross into the physical world, the consequences of these attacks are also escalating—both for victims and perpetrators, just as they have for safety. While there are numerous cases of employers facing steep fines and jail time for failing to comply with EHS protocols, there are few cyber incident cases. This recent case might be the first incident to result in a death and a negligent homicide investigation, but the stakes for cybersecurity are increasing across the board.
By 2024, 75% of CEOs will be personally liable for cyber-physical security incidents, according to a new Gartner report. By 2023, the financial impact of a cyber-physical attack resulting in fatalities is expected to reach over $1 billion. The ramifications of a cyber-physical incident are far-reaching, similar to safety. Gartner states, “Even without taking the actual value of a human life into the equation, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.”
“…incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.”
Cybersecurity regulations, especially for cyber-physical systems, are in their early stages for most industry sectors. But there are fines to date, and they aren’t small.
The North American Electric Reliability Corporation (NERC) regulates and enforces cyber and physical security (through the Critical Infrastructure Protection, CIP, standards) for the U.S. bulk power grid. As of 2019, the largest single NERC-CIP related fine was $10 million against an unidentified utility with over 120 security violations over four years.
Pacific Gas and Electric (PG&E) previously held the largest NERC-CIP fine of $2.7 million in 2018. The company has also incurred over $30 billion in legal damages due to its negligence in the California wildfires.
Cybersecurity is still a relatively new discipline. But if lessons can be learned from functional safety requirements and practices, the stakes for cybersecurity and costs of cyber incidents will continue to rise. And rightly so.
Protecting today’s cyber-physical world
As technology has helped increase efficiency, efficacy, and many times safety over the last several decades, it has also slowly blurred the line between cyber and physical. Today, the majority of these cyber-physical systems rely on operational technology (OT), and OT is notorious for being insecure and a target for cyber adversaries. So, what can organizations do to protect their operations?
In industrial control system (ICS) environments where 24/7 availability and uptime are crucial, patching vulnerabilities is often arduous. But unpatched assets leave operations exposed and vulnerable to attack, as was the case for the German hospital ransomware incident.
Attackers in the German hospital cyber incident exploited a known Citrix vulnerability, the Citrix ADC CVE-2019-19781 vulnerability. Citrix had previously released a patch for the vulnerability in January of this year. But the hospital isn’t alone. Luxottica, which designs, manufactures, and sells luxury and sport eyewear, also fell victim to a ransomware attack exploiting the same Citrix vulnerability during the same week. For Luxottica, the attack resulted in downed online properties and disruption to its production chain.
Compounding the effect of lax patch management, many of these ICS environments operate in flat or unsegmented networks, which puts them at greater risk. For example, a breach in the email system can traverse to critical systems such as chemical compound processes in pharmaceuticals, safety control systems, or ballast operations in maritime. As Paul Arceneaux states in his article on the International Society of Automation (ISA) cybersecurity blog, “With perimeter-only protection, once an adversary gains access, nothing prevents them from traversing the network unchallenged. Segmentation and micro-segmentation stop unbridled access in IT environments and should be doing the same in ICS environments.” Organizations need to segment their networks and start implementing a zero-trust model of security. In establishing segmentation, organizations can also ‘virtually’ patch their systems by monitoring and controlling access to each asset in real time, further reducing risk and the likelihood of a cyber incident.
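To make the segmentation and ‘virtual patching’ advice above concrete, here is an added example (not code from the original post or any product it mentions) of a default-deny, zone-based access policy: an allow-list of permitted zone-to-zone flows, plus a rule that an asset with a known unpatched vulnerability may only be reached from named maintenance hosts. All zone names, host names, ports and the CVE identifier are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    unpatched_cves: frozenset = frozenset()   # known, not yet remediated CVEs

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int

# Allow-list of zone-to-zone flows; any flow not listed here is denied (default deny).
ALLOWED = frozenset({
    Rule("engineering", "control", 44818),  # engineering stations -> PLCs (EtherNet/IP)
    Rule("control", "control", 44818),      # PLC-to-PLC traffic inside the control zone
    Rule("corporate", "dmz", 443),          # office users reach the DMZ only over HTTPS
})

# "Virtual patch": an asset carrying an unpatched CVE may be reached only from these hosts.
MAINTENANCE_HOSTS = frozenset({"eng-ws-01"})

def flow_allowed(src: Asset, dst: Asset, port: int) -> tuple:
    """Evaluate one flow against the default-deny policy; return (decision, reason)."""
    if Rule(src.zone, dst.zone, port) not in ALLOWED:
        return False, f"no rule permits {src.zone}->{dst.zone}:{port}"
    if dst.unpatched_cves and src.name not in MAINTENANCE_HOSTS:
        return False, f"{dst.name} is virtually patched ({', '.join(sorted(dst.unpatched_cves))})"
    return True, "permitted by allow-list"

# Constructed inventory: an email server in the corporate zone, two engineering stations,
# and a safety PLC still awaiting a patch for a placeholder CVE (not a real identifier).
EMAIL = Asset("mail-01", "corporate")
ENG_OK = Asset("eng-ws-01", "engineering")
ENG_OTHER = Asset("eng-ws-02", "engineering")
SAFETY_PLC = Asset("safety-plc-01", "control", frozenset({"CVE-PLACEHOLDER-0001"}))

def demo() -> dict:
    """Decisions for the flows discussed above; a flat network would allow all three."""
    return {
        "email->plc": flow_allowed(EMAIL, SAFETY_PLC, 44818)[0],
        "eng-ws-01->plc": flow_allowed(ENG_OK, SAFETY_PLC, 44818)[0],
        "eng-ws-02->plc": flow_allowed(ENG_OTHER, SAFETY_PLC, 44818)[0],
    }

if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow}: {'ALLOW' if ok else 'DENY'}")
```

The email-server-to-PLC flow that the paragraph describes is blocked by the missing zone rule, and even a host in the permitted engineering zone cannot reach the unpatched PLC unless it is an approved maintenance station.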
Today, there are few industries that don’t leverage cyber-physical systems. Cyber-physical operations permeate nearly every part of our lives, from the food we eat and the medicine we take to the energy that powers our lights and the lights that manage traffic flow. Even building and facility management utilize cyber-physical technologies like security controls and smart HVAC systems.
Cybersecurity is no longer only about safeguarding personal data and intellectual property—it is about protecting vast, complex operations that impact everyday life and the lives of individuals throughout society. As Gartner states, “A focus on ORM – or operational resilience management - beyond information-centric cybersecurity is sorely needed.”