A cyber-kinetic attack targets cyber-physical systems and causes direct or indirect physical damage, injury or death, or environmental impact solely through the exploitation of vulnerable information systems and processes. Notable attacks in this category in the recent past have targeted critical infrastructure facilities such as water treatment plants, nuclear power plants, oil refineries, and medical facilities.
Crossing the cyber-physical divide
In the early days of computing, security threats were typically limited to attacks that destroyed data or degraded access to computing systems or hardware. However, the last several decades have seen the rise of technologies, ranging from supervisory control and data acquisition (SCADA) to the Internet of Things, in which objects embedded with sensors and software use the Internet to exchange data.
Such a system is termed a cyber-physical system. These systems cross the traditional divide between purely in-computer systems (software) and real-life systems (physical systems), with algorithms able to control physical systems autonomously.
Among the most notable cyber attacks that had a physical impact, causing significant degradation of a target system, were the Stuxnet and Aurora worms. The Stuxnet worm was first revealed in 2010 and specifically targeted weaknesses in Programmable Logic Controllers (PLCs), devices in the SCADA category of systems. Though it was never positively attributed, it is widely believed that the malicious software was developed jointly by the United States and Israel to disrupt the Iranian nuclear enrichment facility at Natanz. It has also been reported that Stuxnet and associated variants infected more than 30,000 systems and had a lasting presence that was extremely difficult to eradicate and clean up. Both malicious programs exploited zero-day vulnerabilities in Windows-based operating systems.
As computing crosses the cyber-physical barrier, significant effort is being spent on 'smart' systems, for instance smart cities, smart homes, smart manufacturing and smart vehicles. In the context of cybersecurity, new threats are emerging that target these smart systems. The timeline of cyber-kinetic attacks records incidents from as early as 1982. Such attacks on information systems that can have physical-world impacts represent a complete paradigm shift within the cybersecurity community, though they are not unheard of. Many SCADA systems that were fielded up to 20 years ago have very few modern security protections in place.
These types of attacks have the potential to bring a new dynamic to the concept of cyber warfare, with a potential impact on electrical systems, financial systems, critical infrastructure, and communication systems. In reality, though, these types of attacks may be more closely related to espionage or ideologically driven attacks than to overt warfare. Cyber-kinetic attacks should not be confused with the simple denial of an information system, such as a distributed denial-of-service (DDoS) attack. A DDoS attack merely denies access to an information system, whereas a cyber-kinetic attack denies access to a system by physically destroying part of the system or the entire system, rather than just communication access.