Col Sandeep Sudan
Head – Special Services Group
Reliance Industries Limited
Paradigm Shift in the Security Threat Landscape
With the evolution of the Internet of Things (IoT), the challenges for industrial security are increasing exponentially. From 25 billion devices in 2015, the world is expected to have 50 billion connected devices by 2020. Virtually every person will thereby be connected to six things online, in the form of sensors, smart objects and device-clustered systems. The security architecture of any organization is only as robust as its weakest link. With billions of devices connected in today’s globalized world, the security challenges increase manifold in terms of the scale, intensity and complexity of the attacks.
Today you may have the best of physical security, in terms of security personnel and automated security processes using the latest technology platforms, and think your organization is very secure. However, with the exponential increase in the cyber threat landscape, the possibility of a physical attack that exploits vulnerabilities in the cyber security architecture, and vice versa, can no longer be ruled out.
Holistic Approach to Address the Security Threat Landscape
Today we need to look at the concept of ‘security’ in a more holistic manner encompassing physical security, cyber security, information security, business continuity, risk management, compliance & privacy protection and emergency & crisis management.
With the convergence of logical and traditional physical security, there is a paradigm shift in the threat landscape in terms of the manifestation of the threat itself. The potential for a cyber-based physical attack, or for a breach of physical security used to carry out a cyber-attack, combining multiple threat vectors and thereby exponentially increasing the impact, is a major challenge for security professionals to deal with.
This has necessitated that we create synergy across the threat landscape to deal with a combination of physical and cyber-based threat vectors. In order to achieve this objective it is important to act in a concerted manner.
As a result, Chief Security Officers need to take care of not just the physical aspects of security but the digital aspects as well, helping to strengthen both while at the same time addressing the increasingly complex area of compliance.
Convergence not only helps in providing an enhanced level of security but also results in cost savings, by integrating disparate systems and optimizing resources in terms of both personnel and technology platforms.
I have mentioned five case studies covering critical infrastructure, financial institutions, social media platforms and an entertainment company to highlight the impact and adverse consequences, especially in the first three cases, where the cyber vulnerabilities were exploited by breaching the physical security.
The 1768 km long Baku-Tbilisi-Ceyhan (BTC) crude oil pipeline connecting the oilfields in the Caspian Sea to the Mediterranean Sea was blown up by hackers. They used ultra-modern computer technologies, exploiting the vulnerabilities of the IP cameras’ communication software to gain entry and move deep into the internal network, and blew up the pipeline by over-pressurizing it. This resulted in a loss of USD 1 billion in export revenue for Azerbaijan, and the pipeline was out of action for 20 days.
The Stuxnet virus that was used for spinning several centrifuges out of control at an Iranian nuclear facility was believed to have been transmitted using a thumb drive that was physically inserted into a computer within the facility.
Sony Pictures was targeted by hackers who wiped out half of Sony’s global network. They erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. At the same time, they ensured that nothing could be recovered by using a special deleting algorithm that overwrote the data seven different ways. Subsequently, the code targeted each computer’s startup software and rendered the machines brain-dead.
A group of cybercriminals successfully targeted 100 banks in 30 countries globally, including the US, Russia, Ukraine and China, after phishing its targets with infected email attachments. The criminals used their computer exploits to dispense cash from ATMs or transfer cash digitally to accounts they controlled. The USD 1 billion haul was unprecedented in its scope, which Kaspersky reported as under investigation.
LinkedIn confirmed in 2016 that the impact of a 2012 breach, in which 6.5 million users’ passwords were compromised, is now likely to be closer to 167 million users, 117 million of whom had both their e-mails and passwords exposed.
Critical Infrastructure is the Most Vulnerable with High Impact
Thus, in the future, critical infrastructure in particular is likely to be targeted by both terrorist and state-sponsored actors. Future wars will be asymmetric in nature, as this provides an easy option for terrorist groups and economically weaker nations to inflict heavy economic loss on their adversaries, including both life and property, using meagre resources, as compared to achieving the same by conventional means at a huge monetary cost and loss of lives.
All it takes to target critical infrastructure is a bunch of highly trained cyber hackers who require hardware, software and a high-speed internet connection. All of this will cost not more than a few hundred thousand dollars, plus the political will to execute. The best part, from the attacker’s point of view, is that this can be done from anywhere in the world, without being physically present at the target location. The victim organization / country cannot be very sure of the identity of the perpetrator group / individual / country, and so cannot retaliate immediately. The perpetrators thereby go virtually scot-free in terms of facing any consequences and enjoy virtual immunity against any adverse action, due to the lack of stringent laws at the global level.
Need for Public Private Partnership and Restructuring of the Traditional Security Organization
Thus there is a need for public private partnership to deal effectively with such scenarios, wherein we pool the resources of the government and the private sector to address these security challenges to our critical infrastructure and the industry at large. At the same time, there is a requirement to create a CXO-level appointment within the organization, responsible for addressing the security challenges, including both physical security and cyber security.