
Cyber vs. Physical Attacks: an Analysis of Technical Discriminant Criteria, and their Consideration from a Legal Perspective

Cybersecurity Journal

By Cybersecurity Journal. Published 2 years ago. 3 min read.

Original Research (Published on: 03-Jun-2024)


Tamara Hadjina, Stéphane Paul, Bengi Zeybek and Emmanuel Gureghian

Adv. Artif. Intell. Mach. Learn., 1 (1):1-37

Tamara Hadjina : Koncar - Digital

Stéphane Paul : Thales Research & Technology

Bengi Zeybek : Institute for Information Law, University of Amsterdam

Emmanuel Gureghian : Thales Research & Technology

Abstract

Security threats on critical infrastructures are evolving and increasingly consist of a combination of physical and cyber-attacks. In practice, a common approach to characterise physical and cyber-attacks is lacking, which may cause security gaps. This article proposes a set of technical criteria to characterise attacks. It evaluates these criteria based on attack scenarios to assess their efficacy. This study is situated against the background of EU policy and regulation to highlight the regulatory relevance of the distinction between physical and cyber threats for critical infrastructure protection. The article concludes that, based on the currently applicable criteria, it is not technically possible to systematically distinguish cyber from physical attacks. This calls for a security management approach that acknowledges the convergence of physical and cyber threats. From a legal perspective, the authors conclude that there is no harmonised guidance as to how physical and cyber threats may be addressed in protecting critical infrastructure. The multidisciplinary approach of this article aims to inform decision making in terms of security governance and management.

Most of us consider the split between cyber and physical attacks as obvious. Typically, picking the lock of a door is, without any doubt, a physical attack. Conversely, a distributed denial-of-service attack on a web service is obviously a cyber attack. More generally, one would intuitively state that the main difference between cyber and physical attacks is that cyber attacks are typically carried out remotely and target computer systems, whilst physical attacks involve a direct physical attack on a facility or equipment. In other words, the target type is the main discriminant criterion, complemented by the location of the attacker with respect to its target, and the method used. However, using these common-sense criteria, some attacks are much more difficult to classify. For example, is plugging a USB key containing malware into a server a cyber or a physical attack? If the malware enciphers sensitive data, would you definitely classify it as a cyber attack? Conversely, if the malware opens wide the valves of a dam, drowning the village below, would you change your mind and classify it as a physical attack?

When the situation becomes fuzzy, the community calls them cyber-physical attacks, without further thought about which parts of the attack are cyber, and which parts are physical. This article addresses three questions. First, is it useful for an organisation to classify clearly an attack as being a cyber or a physical attack? One of the motivations that we analyse is the necessity to clearly distinguish the governing responsibilities over cyber and physical attacks inside the organisations (cf. section §2, and criterion n°8 in section §4.2). Having accepted the difficulty and need of characterizing some attacks as being cyber or physical (cf. section §2), we analyse some existing taxonomies of attacks and/or security in the literature (cf. section §3). Second question: is it possible to decide formally that an attack is cyber or physical? Based on the state of the art, we propose our own taxonomy of technical criteria (cf. section §4) that can be used to discriminate cyber and physical attacks. The taxonomy is tested against a use-case derived from the PRAETORIAN project (cf. section §5). Last question: how does the EU cybersecurity and critical infrastructure (CI) protection legislation deal with cyber and physical attacks? The legal section of this article (cf. section §6) focuses on internal market-based EU laws. National security aspects of CI protection are not dealt with in this article. Finally, the main results are provided and discussed (cf. section §7).


Read more: https://cybersecurityjournal.info/archive/cyber-vs-physical-attacks-an-analysis-of-technical-discriminant-criteria-and-their-consideration-from-a-legal-perspective
