Security Behaviour Database
Physical Damage

Physical damage is the damage, destruction or theft of devices and other hardware.


Behaviours

SB063: Checks security credentials of unknown persons at work

SB063: Checks security credentials of unknown persons at work

Individuals should check the security credentials of unknown people they come into contact with in the workplace. ...

SB064: Prevents tailgating at security checkpoints

SB064: Prevents tailgating at security checkpoints

When passing through security checkpoints, people should check they are not being followed by others who do not ...

SB065: Does not share security passes or access tokens

SB065: Does not share security passes or access tokens

Sharing security passes even with "trusted" contacts creates risk. People should only ever use security passes ...

SB066: Escorts visitors to ensure they follow security policies

SB066: Escorts visitors to ensure they follow security policies

Visitors should be escorted according to organisational policies. This reduces the risk of unauthorised access to ...

SB105: Uses a security key

SB105: Uses a security key

Security keys are USB keys or dongles that work as an advanced form of multi-factor authentication. Using them ...

SB177: Does not lose device through theft or negligence

SB177: Does not lose device through theft or negligence

Losing devices containing sensitive information through theft or negligence increases the likelihood of cyber ...

SB177a: Does not lose mobile device through theft or negligence

SB177a: Does not lose mobile device through theft or negligence

Losing a mobile phone or tablet containing sensitive information through theft or negligence increases the ...

SB177b: Does not lose laptop/desktop through theft or negligence

SB177b: Does not lose laptop/desktop through theft or negligence

Losing laptops/desktops containing sensitive information through theft or negligence increases the likelihood of ...

SB195: Completes policy attestation

SB195: Completes policy attestation

Most organizations today have multiple compliance requirements and contractual obligations that require all ...

Case study

Prison Break-in

In July 2014, John Strand, an ethical hacker from Black Hills Information Security, took a new approach to penetration testing a prison: he deployed his mother.

Rita Strand posed as a health inspector with a fake badge and business card. She also had a fake “manager’s card” that gave her access to the building and allowed her to roam the prison alone. Rita connected malicious USB devices to various computers inside the facility. They gave Black Hills employees access to the prison’s systems.

There was no resistance from the prison. Believing Rita was a real health inspector, staff allowed her to carry her cellphone and record the operation. She also entered the prison’s server rooms and its network operating centre without raising any suspicions.

This incident shows how lax cyber security measures allow people with limited technical expertise to infiltrate a company’s systems. Learning from its mistakes, the prison strengthened its security measures and required any future visitors to carry identity cards and undergo additional verification before entering the facility.

German Steel Plant

In 2014, a steel plant in Germany confirmed the second case ever of physical damage as the result of a cyber attack.

Employees at a steel plant in Germany had no idea that opening an email attachment would lead to the total shutdown of their plant and cause irreparable damage to a blast furnace.

The attack began when some employees received "spear phishing" emails from seemingly legitimate sources. The emails tricked people into opening malicious attachments.

Employees who fell for the ruse handed their login details over to criminals, who used the details to access the company’s main system and unleash chaos.

The attack first caused sections of the steel plant to fail, which led to an unscheduled shutdown and, eventually, massive damage to the plant’s blast furnace.

A report by Germany’s Federal Office for Information Security was unable to pinpoint the attackers’ motive but suggested organisations could prevent similar future attacks with real-time anti-malware protection, two-factor authentication and secure remote protocols.

Stuxnet

In early 2010, a Belarusian antivirus company discovered new malware targeting Microsoft Windows systems. The malware attacked computer-controlled high-speed motors manufactured by Siemens. It was named “Stuxnet”.

Stuxnet caused fluctuations in the speed of the Siemens computer-controlled motors. If allowed to continue unchecked, the out-of-control motors suffered irreparable physical damage.

Following its release, Stuxnet infected over 200,000 computers and physically damaged 1,000 machines. Later investigations suggested Stuxnet was developed to disrupt the Iranian nuclear development programme.

Hostile nations develop such sophisticated malware as “cyberweapons”. This shows how cyber attacks have advanced to the level of global warfare, making cyber security critical to protect not just private but also national assets.

In response to the highly publicised incident, Siemens released a detection and removal tool for Stuxnet. It also recommended regularly updating Microsoft systems, prohibiting the use of third-party USB drives and upgrading password access codes.

SebDB is brought to you by CybSafe | © 2023 CybSafe Ltd