An attacker takes over a poorly secured smart TV in the lobby of a company. The device itself contains no sensitive data, and its failure would be irrelevant to the business. But the smart TV sits in the same Wi-Fi segment as the VoIP phone system and three network printers with scan-to-mail functionality. Through the compromised television the attacker moves into the internal network and gains access to contract documents that are cached on the printer.
Harmful side effects of IT-supported attacks count among the most frequently underestimated threats. The BSI lists them as elementary threat G 0.47. The key insight: in networked infrastructures the impact of an attack is hardly predictable, because dependencies between systems are rarely fully documented.
What’s behind it?
IT-supported attacks can have impacts that go far beyond the actual target. These side effects appear in three variants:
Cascade effects
Attackers often do not fully understand their target’s infrastructure. A ransomware attack aimed at financial data can reach production control systems, building technology or medical devices through chain reactions. The perpetrators may never have intended this — the damage happens anyway.
Systems with low intrinsic protection requirements can serve as a stepping stone for attacks on more critical targets. IoT devices, printers, older test servers or forgotten development environments — all of these systems potentially provide an attack surface through which an attacker can work their way into more valuable network segments.
The consequence: the actual protection requirement of a system follows from the damage an attacker can cause from this system to other systems. An IoT thermostat may be worthless in itself. Sitting on the same network as the finance database, it inherits its protection requirement.
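The inheritance rule just described can be made concrete: a system takes on the highest protection requirement of everything an attacker could reach from it. The following script is an added example (not from the BSI or the original page) that applies that rule to a constructed reachability graph modelled on the lobby scenario; the system names and adjacency are assumptions.

```python
from collections import deque

# Protection requirement levels as used in BSI IT-Grundschutz (normal < high < very high)
LEVELS = {"normal": 0, "high": 1, "very high": 2}

def inherited_requirement(intrinsic, reachable):
    """Effective protection requirement per system.

    intrinsic: {system: level} the system has on its own.
    reachable: {system: [systems an attacker can reach from it]} (same segment,
               permitted firewall path, ...).
    A system inherits the highest level reachable from it, because compromising
    it lets an attacker get that far (maximum principle).
    """
    effective = {}
    for start in intrinsic:
        best, seen, queue = intrinsic[start], {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in reachable.get(node, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                queue.append(nxt)
                if LEVELS[intrinsic[nxt]] > LEVELS[best]:
                    best = intrinsic[nxt]
        effective[start] = best
    return effective

# Constructed example (hypothetical systems) after the lobby scenario above.
INTRINSIC = {
    "lobby-tv": "normal",
    "printer-1": "high",        # caches scanned contracts
    "voip-pbx": "high",
    "finance-db": "very high",
    "guest-wifi-ap": "normal",  # isolated segment
}
# Flat office segment: TV, printer and PBX see each other; the printer has a
# permitted path to finance-db; the guest AP reaches nothing internal.
REACHABLE = {
    "lobby-tv": ["printer-1", "voip-pbx"],
    "printer-1": ["lobby-tv", "voip-pbx", "finance-db"],
    "voip-pbx": ["lobby-tv", "printer-1"],
    "finance-db": [],
    "guest-wifi-ap": [],
}

def systems_to_reassess(intrinsic=INTRINSIC, reachable=REACHABLE):
    """Systems whose effective requirement exceeds their intrinsic one."""
    eff = inherited_requirement(intrinsic, reachable)
    return {s: (intrinsic[s], eff[s]) for s in intrinsic if eff[s] != intrinsic[s]}

if __name__ == "__main__":
    for s, (own, eff) in systems_to_reassess().items():
        print(f"{s}: intrinsic={own} -> effective={eff}")
```

The output lists the "worthless" TV as very high, which is the point: its requirement is set by the finance database it can reach, not by its own data.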
Impact
Compromised systems can be misused for attacks on third parties: as part of a botnet for DDoS attacks, as a relay for spam dispatch or as a proxy for illegal activities. The affected organisation suffers no direct damage — but can be held legally and reputationally liable.
Practical examples
Botnet via compromised surveillance cameras. A company operates 40 IP cameras for building monitoring. The cameras run on default passwords and outdated firmware. An attacker integrates them into a botnet and uses them for DDoS attacks against third parties. The company suffers no direct damage to the cameras — but the ISP suspends the internet connection because of suspicious outgoing traffic. Business-critical cloud services are no longer reachable.
Ransomware hits building control. An attack targets the ERP data of a production plant. However, the ransomware also spreads through the flat network to the building automation: heating, air conditioning and access control fail. In winter the temperatures in the production hall drop below the operating range of sensitive machines. The building damage exceeds the damage to the IT systems.
IoT device as entry point into the company network. A smart drinks vending machine in the break room is connected to the internet via Wi-Fi — for stock notifications to the supplier. The vending machine uses an outdated TLS library with a known vulnerability. An attacker compromises the machine and uses the Wi-Fi connection to scan the internal network. There the attacker finds unsecured SMB shares with contract documents.
Relevant controls
The following ISO 27001 controls mitigate this threat.
Since G 0.47 is conceptually a cross-cutting threat, numerous controls mapped to other threats also act on it indirectly. The following controls address the core of the problem — containing side effects:
Prevention:
- A.7.13 — Equipment maintenance: Regular maintenance and firmware updates prevent devices with known vulnerabilities from serving as gateways.
- A.8.22 — Segregation of networks: Segmentation is the single most important measure for limiting the reach of side effects.
- A.8.20 — Networks security: Firewall rules control communication between network segments.
- A.5.29 — Information security during disruption: Continuity plans that account for cascade effects.
Detection:
- A.8.16 — Monitoring activities: Monitoring detects unexpected lateral movement between network segments.
- A.8.15 — Logging: Logging on devices with low intrinsic protection requirements as well, not only on critical systems, so that a stepping stone leaves traces.
Response:
- A.5.24 — Information security incident management planning and preparation: Incident response plans that explicitly rehearse cascade scenarios.
- A.5.26 — Response to information security incidents: Immediate isolation of compromised segments to contain side effects.
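A.8.22 and A.8.16 meet in practice when flow or firewall logs are checked against the segment plan: any cross-segment connection that the plan does not allow is a candidate for lateral movement from a low-value device. The script below is an added example (not from the page or any product) that does that check over constructed flow records; the segment addresses, allowed paths and sample flows are assumptions.

```python
import ipaddress

# Constructed segment plan (hypothetical addresses).
SEGMENTS = {
    "iot":     ipaddress.ip_network("10.10.0.0/24"),  # cameras, TV, vending machine
    "office":  ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),  # finance DB, file shares
    "bms":     ipaddress.ip_network("10.40.0.0/24"),  # building automation
}
# Permitted (source segment, destination segment, dst port). Everything else
# crossing a segment boundary is a policy violation; same-segment traffic is not judged.
ALLOWED = {
    ("office", "servers", 445),  # file shares
    ("office", "servers", 443),
    ("iot", "servers", 123),     # NTP only
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(line):
    """Parse one constructed record 'src dst dport proto'; return a finding or None."""
    src, dst, dport, proto = line.split()
    s, d = segment_of(src), segment_of(dst)
    if s == d or (s, d, int(dport)) in ALLOWED:
        return None
    return f"cross-segment {s}->{d} {src}->{dst}:{dport}/{proto} not permitted"

def findings(lines):
    return [f for f in (check_flow(l) for l in lines) if f]

# Constructed sample flows: an IoT device reaching SMB and SSH on the server
# segment, and building automation being reached from the office segment.
SAMPLE_FLOWS = [
    "10.20.0.15 10.30.0.5 445 tcp",  # office -> file share, allowed
    "10.10.0.7 10.30.0.5 123 udp",   # iot -> NTP, allowed
    "10.10.0.7 10.30.0.5 445 tcp",   # iot -> SMB share: stepping stone
    "10.10.0.7 10.30.0.9 22 tcp",    # iot -> SSH on server segment
    "10.20.0.15 10.40.0.3 502 tcp",  # office -> building automation
    "10.10.0.7 10.10.0.8 80 tcp",    # iot -> iot, same segment, not judged
]

if __name__ == "__main__":
    for f in findings(SAMPLE_FLOWS):
        print(f)
```

Three of the six constructed flows are reported; the remaining ones are either explicitly allowed or stay inside one segment.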
BSI IT-Grundschutz
The BSI IT-Grundschutz catalogue links G 0.47 with the following modules:
- INF.13 (Technical building management) — protection of building automation and control against compromise via IT networks.
- NET.1.1 (Network architecture and design) — segmentation as a foundation for limiting side effects.
- SYS.4.4 (General IoT device) — hardening and isolation of IoT devices that could be misused as stepping stones.
- IND.1 (Process control and automation technology) — protection of industrial control systems against cascade effects from office IT.
Sources
- BSI: The State of IT Security in Germany — annual report with current incident statistics
- BSI IT-Grundschutz: Elementary Threats, G 0.47 — original description of the elementary threat
- ISO/IEC 27002:2022 Section 8.22 — implementation guidance on segregation of networks