When Cyber Security Meets Physical Security

CeanCorporate Espionage, Cyber Security, Spying

In a recent interview with CNN, the Director of the Secret Service noted that his organization is increasingly focusing on the cyber security of the physical facilities visited by the President of the United States as part of its duty to protect him. This raises the fascinating question of just how much cybersecurity will become part of the physical security conversation in 2017.

As I wrote in 2015, the landscape of cyberwarfare is rapidly changing, with a growing emphasis on the targeting and disruption of physical civilian critical infrastructure like the power grid. The nation of Ukraine has already experienced firsthand the results of cyber-induced blackouts, proving these approaches have left the realm of speculation and are now entering the wild.

To date most of these attacks have focused on national infrastructure as part of larger simmering conflicts and their use in surgical targeting of particular high-ranking individuals has been more limited. Yet, it is only a matter of time before we see such applications, as the Secret Service director’s comments reflect.

Imagine a major head of state on an official visit to a foreign country or even a visit by the President of the United States to another part of the US. Security forces go to great lengths to construct a physical security cordon and maintain exclusive control over who is able to enter that controlled space. Yet, the growing Internet of Things means that more and more the various objects in that controlled space, from the light bulbs overhead to the elevators to the fire alarms to the traffic cameras are all remotely accessible.

Imagine a foreign intelligence service that wanted to disrupt and embarrass a foreign head of state visiting another country. Today they might hack into the local police offices in the city being visited and monitor email accounts and document archives to locate official security plans and schedules for the visit to plant paid protesters holding large signs along the motorcade route. But, take this a step further and consider for a moment the new factor of the vast Internet of Things that envelopes that visit.

Those hackers could monitor all of the traffic cameras in the area to watch the head of state’s movements in realtime and monitor his or her schedule second by second. As he enters a building, the local CCTV cameras throughout that building could be used to surveil his movements and compile an intelligence list of everyone he meets with.

Yet, here’s where things get far more worrying. When he steps on the elevator to change floors, those hackers could disable the elevator system and trap him, disrupting his visit and generating media images of him being helplessly dragged up a ladder to safety. Or they could trigger the fire alarms or overheat a piece of equipment to cause a real fire and activate the sprinkler system, leading to images of a soaked and miserable leader cutting his visit short. Given that most modern office buildings have switched to electronic access controls, those hackers could simply deactivate all locks across the building, instantly rendering the entire facility unsecured, doors flapping in the breeze and causing mass panic among his guards. Or, they could move to paralyze the entire city, cutting power to every major building, while activating fire alarms across the city and manipulating traffic signals to cause massive traffic accidents and trap first responders helplessly across the city and preventing him from reaching his next appointments.

Instead of a head of state, one could imagine the ultimate jewelry theft in which a thief uses building CCTV cameras to monitor the building for the right moment and then turns off the cameras, disables all locks across the building, disables the emergency generator and then cuts power to the entire building, plunging it into darkness. Once the theft is complete, the remote hacker could even trigger the fire alarm and sprinkler system, causing the building to empty into the streets and allowing the thief to simply blend in with the rest of the occupants evacuating into the nighttime streets below.

Putting this all together, there is thankfully no record to date of a cyberattack targeting the physical infrastructure as part of an attack on a head of state or a sophisticated jewelry caper, but as the physical world increasingly becomes just a bunch of internet connected devices, we must start contemplating a future in which physical security becomes one with cyber security.

Kalev Leetaru  – Jan 13, 2017