News

The rise of phygital attacks on critical infrastructure — and how to stop them

Certain industries and infrastructure are absolutely critical to the way we live life. For example, utilities, health care, emergency services, and supply chains all fall under the heading of critical infrastructure. Unfortunately, that means these sectors are at the greatest risk of being targeted by cyberterrorists. 

One relatively new form of cyberattack is the “phygital” attack, which bridges “physical” and “digital” access points. Often these phygital attacks come in the form of an innocuous-looking USB drive or a microcomputer sent through the mail. Once the packages are on site, the devices concealed inside them attempt to access the local networks and collect sensitive data. Or, once an employee plugs in that innocent-looking USB device, it can start to spread malware through a company’s critical information systems. 

Phygital attacks are becoming more common, and they’re a serious threat to critical infrastructure. What do these phygital attacks entail? And what can chief security officers (CSOs), chief information security officers (CISOs), and other security personnel do to protect companies against them? 

The Rising Phygital Threat

Phygital attacks are so effective because, although everyone is aware of the need to prioritize cybersecurity for critical infrastructure, the physical aspects of security remain under-addressed. When was the last time you worried about the contents of the packages lying on your employees’ desks while they’re out of the office? Or have you ever given a second thought to that pile of mail near your servers? Both of these situations could increase your risk of a devastating phygital attack. 

Phygital attacks come in many different forms. The FBI recently warned about the risk of phygital attacks that come through malicious USB drives disguised as official communications. And there’s been a lot more awareness about the phygital threat as physical Internet of Things (IoT) devices like smartwatches and even smart cars abound, increasing the number of entry points into your network. 

The mailroom provides a major entry point for phygital attacks. Phygital threats that come through the mail are often called “warshipping” attacks, a term coined by IBM in 2019. These attacks can employ any internet-enabled physical device, from a smartwatch to a miniature computer like a Raspberry Pi. These devices attach themselves to your network to eavesdrop on communications, sniff out sensitive packets of data, and discover vulnerable access points. The risk of warshipping is aggravated in a remote or hybrid work environment, when many employees have their packages shipped directly to their workplace, only to have them sit on desks and in mailrooms for days or weeks before employees come in to pick them up. 

What’s worse, you may not even know you’ve fallen victim to such an attack. In some cases, warshipping devices end up in your mailroom marked with the wrong address, sit there gathering data for a while until they’re finally processed, then get returned to the original sender who now has access to all the information they could want. And all this can happen without you ever discovering the device exists. 

It’s time to increase awareness about phygital risks so these threats don’t slip by your security measures. As part of moving in that direction, Cybersecurity and Infrastructure Security Agency (CISA) recently recommended that businesses that are any part of critical infrastructure develop measures to combat phygital security breaches. 

Cyberthreats have already targeted major utility systems. In May of 2021, the Colonial Pipeline ransomware attack resulted in increased awareness of the danger when a major American oil pipeline had to shut down for days, causing a national state of emergency. This attack earned the dubious status of being the largest ever of its kind. But it’s far from the only such attack. Today, 40% of critical infrastructure suppliers have experienced attempted shutdowns. There needs to be a comprehensive strategy to respond. 

What Can You Do in Response? 

Stopping phygital attacks isn’t something you can do overnight. It requires a strategy. Here are some steps you can consider: 

  • Process mail upon arrival. Prioritize catching up with your backlog of mail so you can weed out potential threats as soon as they arrive. Any mail with incorrect addresses should be immediately processed and returned, and used packing material and boxes should be removed from the facility and discarded. 
  • Educate employees about the danger. There are major gaps in most employees’ awareness when it comes to phygital threats. Consider requesting that your employees ship personal packages to their homes instead of their offices. And be sure that they know not to insert any unfamiliar USB drive. 
  • Screen all mail for threats. You can start by simply visually inspecting mail for anything that looks unusual or suspicious. You can feel envelopes to see if they might contain USB drives or small warshipping hacking devices. You can also use a metal detector or mail scanner to check for electronics without opening packages. 
  • Monitor networks for unusual activity. With network monitoring and intrusion detection software, you can often detect phygital attacks through any abnormal activity. Telltale signs to look for include the sudden appearance of suspicious or unknown files or the sudden lockdown of user accounts. The sooner you can spot a phygital attack, the more you can mitigate any damage.

Cybersecurity threats, and phygital attacks in particular, will only become more common. In fact, from 2020 to 2021, the number of breaches increased by 10% in the U.S. alone. It would be a mistake to focus all of your attention on cybersecurity without addressing physical security as well. And in the case of critical infrastructure, that mistake could endanger whole economies and countries. It’s not a risk that should be taken lightly.


This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Back to top button