Don’t Hack It, Cut It.
There have been 11 physical attacks on San Francisco area Internet lines in a year, including one on Tuesday, as reported by USA Today. The FBI is investigating it and so on and on and on…
So one thing cyber warfare/crime people focus on is the sexy Hackers-style attacks that we’ve seen replicated in Live Free or Die Hard and most recently Blackhat. Those attacks deserve the attention they get, but look at Ocean’s 11 and its sequels, where a combined physical access team and a cyber element went after a particular target.
That’s the quickest and frankly most dangerous course of action. When the physical team is done and they’ve given the hackers access, there is so much more they can accomplish. But what if the goal is just to deny one’s adversary the ability to communicate?
Critical infrastructure can be and has been attacked in the past. Now it’s Internet cable lines, but in 2013, again near San Francisco, it was the power grid. As @thesecdialogue points out, attacks on infrastructure happen and are “a thing”. And, while the Tweet shows a Syrian government attack on the electrical grid, keep in mind the small-arms attack on a California power station in 2013.
Imagine an adversary who can slip past a lock at a secured government facility and kill communication with the Internet connection as well as satellite communication to critical assets. How? Because someone didn’t change the combination. If you have to protect something and you slap a “cypher” lock on it … change the default combination. Simplex seems to be a popular brand and there’s a Reddit about the factory code, Forbes wrote about the $300 lock you can “break” in seconds, and the company itself puts it out on the Internet. But this isn’t about Kaba, great locks and a great system … so long as you change the combination. The point is that there exist workarounds to the security features that are installed in the cyber and physical realm, and the adversary will exploit them.
A coordinated attack, like the one on Tuesday, is not the work of children and neither was the assault on the power station in 2013. Security managers have a lot to worry about and if you’re a company involved in critical infrastructure then you should fret over more than corporate headquarters if you’re worth a damn. DHS had resources to help managers and initiated persons with its Daily Open Source Infrastructure Report.
So heads up cyber guys and security managers … your firewall might protect your network but your locks and fences may not protect your equipment.
Late edit: Not every outage or network failure is the result of a hack or nefarious activity. But the latest outages with United Airlines and the New York Stock Exchange show that infrastructure is vulnerable and needs protecting from natural faults/ghosts in the machine and bad actors.