During World War II, the U.S. Air Force twice targeted ball bearing factories in Schweinfurt, based on the premise that disrupting manufacturing operations would impact Germany’s ability to produce many forms of warfighting machinery.

This pattern is playing out in the cybersecurity world today, where an attack on one industry has broader implications for the ecosystem. The Colonial Pipeline cyberattack had consequences for American Airlines operations at Charlotte Douglas Airport. Russia’s NotPetya cyberattack against Ukraine leaked onto the internet and affected supply chains worldwide.

At the S4 conference in 2023, Josh Corman spoke on stage about the potential for cascading failures. The Cybersecurity and Infrastructure Security Agency’s national critical functions were born from the need to coordinate cybersecurity across all critical infrastructure sectors. In his talk, Josh discussed how hospitals need support from several critical infrastructure sectors, including water, energy, transportation and emergency services, for the healthcare sector to fulfill the national critical function of ‘patient care’.

If a critical cyber incident against a single pipeline or shipping company can have pronounced supply chain implications, what would a cyber incident across multiple segments of the economy look like? The consequences can be profound.

What’s even more troubling is that this is not a new problem. SQL Slammer is estimated to have infected one in every thousand computers worldwide more than 21 years ago. Unlike the CrowdStrike bug, which the company was questioned about before Congress last week, Slammer was an intentional exploit for which a patch had been available for more than six months. While there are certainly differences between the two events, software doesn’t care about intentions, motives, or geopolitics.

Digital technology has spread into every facet of the lives we rely on, including cars, water utilities, energy generation and medical equipment, with enormous societal benefits. Research from Claroty’s Team82 shows that the insecure code and misconfigurations that have always plagued software now exist in technology whose failures can have consequences in the physical world. It is no exaggeration that the consequences for national security, economic security and public safety are significant and potentially devastating.

While the CrowdStrike event caused personal inconvenience and businesses suffered losses, the world has moved on. However, before we close this short chapter in our digital history, this is an important moment for reflection and action by both companies and governments to prevent a wider and more painful event in the future.

Cyberattacks against cyber-physical systems: a shifting red line

Every water treatment plant, electric utility, factory and office building – including military bases and hospitals – uses digital equipment to achieve important objectives. These connected devices are called cyber-physical systems or CPS and have the ability to gain insight into conditions or effect changes in the physical world. The reality is that there are billions of tiny computers powering every aspect of our lives today, bringing enormous benefits to society. However, the soft underbelly of this digital society is digital risk, and we have seen cybercriminals and nation states exploit the flaws in our digital lives to wreak havoc.

The first notable attack on CPS was the Stuxnet malware in 2014, which hampered Iran’s nuclear enrichment program by causing its centrifuges to spin wildly out of control — even though the gauges showed everything was running normally. Other incidents have marked the past decade, including Industroyer, the Russian malware that shut down part of the energy network in the Kiev region of Ukraine for an hour in 2016; Iran’s attempted attack on Israeli water companies in 2020; and the Chinese breaches of U.S. critical infrastructure, including electricity and water companies, in 2023.

What’s most important about some of these incidents – and especially unintentional incidents like the CrowdStrike bug – is that cybercriminals and hostile nation states are using them as an opportunity to understand the gaps in critical infrastructure resilience, how entities from the private and public sectors respond and the impact on national security, economic security and public safety.

China has begun to expand its objectives from espionage to… burrowing into U.S. critical infrastructure and military infrastructure to eliminate U.S. warfighting capabilities and sow confusion at home in the event of a conflict. The reality is that the digital infrastructure that provides so many social benefits is also our digital Achilles heel. We need to see the creeping line of attacks on information technology shifting to CPS and affecting the real world for what it is: a red line that our adversaries will continually cross to achieve their objectives.

The CrowdStrike bug: Maintaining perspective while understanding the broader implications

Let’s be clear: the CrowdStrike bug was nothing more and nothing less than an error associated with gaps in the quality assurance process. Mistakes happen, even in the best organizations. However, something has changed in our digital dependency in recent years. Unlike IT systems, the physical side of a cyber-physical system can be an oil pipeline, a foundry, or a patient in a hospital. The physical consequences of failure are broader and more dangerous than ever before.

Although attacks on CPS are rare, we must remember that many of the systems that manage or control them run on Windows operating systems. More than 25% of the 1,181 vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog are based on Windows operating systems. Further complicating matters are the necessary culture of aversion to change in operational technology and the long periods of technological obsolescence of industrial equipment, both of which pose greater cyber risk. What if a nation-state were to directly attack CPS in U.S. critical infrastructure in ways that were harder to fix than the CrowdStrike bug?

What can be done?

Despite the high cyber risk associated with many CPS, it will take years to replace this insecure infrastructure deployed in asset-intensive businesses and government facilities. In the meantime, there are three key actions that need to be taken:

  1. Operationalize compensating controls. With an asset inventory and a clear understanding of known-good communication patterns, organizations can move forward in implementing compensating controls such as network segmentation or secure access that limit the ability of machines or users to connect to these vulnerable systems.
  2. Extend secure-by-design to CPS. In April 2023, CISA put forward a well-known but critical concept, Secure by Design, that should be expanded and focused around CPS with medical device manufacturers and automation suppliers.
  3. Use Secure-by-Demand programs. CISA recently introduced Secure by Demand, a body of work that offers asset owners recommended questions to ask their software vendors before, during, and after purchase to shape market forces toward the production of more secure software.
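The first action above rests on two artifacts: an asset inventory and a baseline of known-good communication patterns. The following is an added example, not code from the article or from Claroty, showing how those two artifacts can be used together to flag observed network flows that fall outside the baseline, so that segmentation or secure-access rules can be tightened around them. The inventory, the zone names, the allowed patterns and the sample flows are all constructed for illustration and are assumptions, not data from the page.

```python
"""Baseline check of CPS network flows against an asset inventory.

Added example (not the article's or Claroty's code). Everything below,
including the zone names and the Modbus/TCP allowlist, is constructed
for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str  # constructed zone labels: "control", "dmz", "corporate"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

# A known-good pattern is (src_zone, dst_zone, proto, dst_port).
Pattern = Tuple[str, str, str, int]

# Constructed asset inventory.
INVENTORY: List[Asset] = [
    Asset("plc-01", "10.10.1.10", "control"),
    Asset("hmi-01", "10.10.1.20", "control"),
    Asset("historian", "10.10.2.5", "dmz"),
    Asset("eng-ws", "10.20.0.15", "corporate"),
]

# Constructed baseline of known-good communication patterns.
ALLOWED_PATTERNS: Set[Pattern] = {
    ("control", "control", "tcp", 502),   # HMI polling a PLC over Modbus/TCP
    ("dmz", "control", "tcp", 502),       # historian polling PLCs
    ("corporate", "dmz", "tcp", 443),     # corporate clients reach the historian UI
}

# Constructed observed flows, e.g. as exported from a flow collector.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.10.1.20", "10.10.1.10", "tcp", 502),    # HMI -> PLC: in baseline
    Flow("10.10.2.5", "10.10.1.10", "tcp", 502),     # historian -> PLC: in baseline
    Flow("10.20.0.15", "10.10.2.5", "tcp", 443),     # workstation -> historian: in baseline
    Flow("10.20.0.15", "10.10.1.10", "tcp", 502),    # workstation straight to PLC: outside baseline
    Flow("10.10.1.10", "198.51.100.7", "tcp", 443),  # PLC to an IP not in the inventory
    Flow("10.10.2.5", "10.10.1.10", "tcp", 3389),    # historian -> PLC on RDP: outside baseline
]

def build_zone_map(inventory: List[Asset]) -> Dict[str, str]:
    """Index the inventory by IP so each flow endpoint resolves to a zone."""
    return {asset.ip: asset.zone for asset in inventory}

def classify_flow(flow: Flow, zone_map: Dict[str, str],
                  patterns: Set[Pattern]) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: allowed, unknown-asset, violation."""
    src_zone: Optional[str] = zone_map.get(flow.src_ip)
    dst_zone: Optional[str] = zone_map.get(flow.dst_ip)
    if src_zone is None or dst_zone is None:
        # An endpoint missing from the inventory is an inventory gap, not a
        # policy decision, so it is reported separately from violations.
        missing = flow.src_ip if src_zone is None else flow.dst_ip
        return "unknown-asset", f"{missing} is not in the asset inventory"
    key = (src_zone, dst_zone, flow.proto.lower(), flow.dst_port)
    service = f"{src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"
    if key in patterns:
        return "allowed", f"{service} matches the baseline"
    return "violation", f"{service} is outside the baseline"

def evaluate_flows(flows: List[Flow], inventory: List[Asset] = INVENTORY,
                   patterns: Set[Pattern] = ALLOWED_PATTERNS) -> Dict[str, list]:
    """Group every flow under its verdict together with the reason."""
    zone_map = build_zone_map(inventory)
    report: Dict[str, list] = {"allowed": [], "unknown-asset": [], "violation": []}
    for flow in flows:
        verdict, reason = classify_flow(flow, zone_map, patterns)
        report[verdict].append((flow, reason))
    return report

def summarize(report: Dict[str, list]) -> Dict[str, int]:
    """Counts per verdict, convenient for a dashboard or a periodic check."""
    return {verdict: len(items) for verdict, items in report.items()}

def denied_zone_pairs(report: Dict[str, list],
                      inventory: List[Asset] = INVENTORY) -> List[Pattern]:
    """Collapse violations into the zone/service pairs a segmentation rule
    would need to block, so one rule covers many offending flows."""
    zone_map = build_zone_map(inventory)
    pairs = {(zone_map[f.src_ip], zone_map[f.dst_ip], f.proto.lower(), f.dst_port)
             for f, _ in report["violation"]}
    return sorted(pairs)

if __name__ == "__main__":
    result = evaluate_flows(SAMPLE_FLOWS)
    print(summarize(result))
    for flow, reason in result["violation"] + result["unknown-asset"]:
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}  {reason}")
    print("candidate deny rules:", denied_zone_pairs(result))
```

The design keeps inventory gaps apart from baseline violations on purpose: an unknown endpoint means the inventory is incomplete and needs correcting first, whereas a violation between two known zones is what a segmentation or secure-access rule can act on directly.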

While CPS adoption drives innovation and efficiency, the nature of these assets creates new forms of risk. If one link of a global supply chain fails, the failure can spill over into other sectors and impact critical services. The CrowdStrike incident was not a malicious attack, but a simple, flawed content update in a ubiquitous cybersecurity tool that figuratively caused some airlines, emergency services, and hospitals to fail. Disruption is a real threat to economic and national security, and we need to understand the role CPS plays in the smooth running of everyday society.

Grant Geyer is Chief Strategy Officer at industrial cybersecurity company Claroty Ltd. Previously an executive-in-residence at Scale Venture Partners, he also served as an executive at RSA and Symantec and served as a military intelligence officer for the U.S. Army. He wrote this article for SiliconANGLE.

