Earlier this summer the Center for Cyber and Homeland Security (CCHS) at Auburn University in conjunction with the International Security Management Association (ISMA) released a new survey that reflected how the C-suite views the evolving roles of cyber and physical security risks and mitigation strategies within their organizations. As October is National Cybersecurity Awareness Month, the timely findings of the research highlight the fact there has been a seismic shift in how organizations approach the relationship between the cyber and physical security threats they face.
In the days following the September 11, 2001 terrorist attacks physical security spending increased ten-fold and spurred the development of advanced technologies in biometrics, video surveillance and sensors. However, as the security landscape has shifted to a more IT-centric world and the Internet of Things continues to evolve, how security professionals view the realities of physical security is changing as well.
Physical Dangers are Real
There is a real fear that the expansion of cyber-attacks is moving beyond simple nuisance hacks and low-level ransomware demands to potential physical threats carried out by dangerous nation states and organized cyber-criminals with bad intent. Most experts agree that potential physical catastrophe is a matter of when, not if. As threats constantly evolve, so too must the solutions. Security is not a one-and-done project. Constant reevaluation is needed to stay ahead of threats and respond appropriately.
The CCHS/ISMA survey certainly reflects the priority-shift of corporate management as it relates to cybersecurity as opposed to physical security risks. CEO, CSO and CISO respondents overwhelmingly state they prioritize cyber over physical security and all CEOs envision an increasing cyber security budget over the next five years. The CEOs, though, do believe they must maintain a unified incident response plan that is a blend of cyber and physical security. Furthermore, 80% of the CSO respondents strongly believe communication and information sharing with their CISO and IT partners is key to expanding their current operations and security capabilities. There is also a growing belief that the inherent danger of cyber-intrusion to physical systems may require organizations to rethink how they construct their networks.
Reports from the Field
There is no lack of tangible evidence that cyber-attacks on physical security networks create havoc and potential human casualties if not addressed. Some real-world examples of cyber intrusion impacting physical spaces include:
- IP security cameras and DVRs were over 80% of the “attackers” in the massive denial of service attack that brought down Internet hosting giant Dyn Inc. in October 2016.
- In 2017, a North American casino suffered a cyber-attack via a digitally controlled fish tank thermometer.
- In January 2018, the U.S. Department of Defense removed surveillance cameras manufactured by a Chinese company because of their concerns about security.
- The 2013 breach of Target Corp. was executed through an insecure air-conditioning system.
- A 2017 cyber-attack infiltrating an industrial network targeted a petrochemical plant in Saudi Arabia intending to not only sabotage the plant’s operations but also cause an explosion.
- This year, a major global hotel chain was hacked through its electronic access control system enabling the hackers not only access to customer and business information, but the ability to remotely access every hotel room.
These incidents are the high-profile examples of the sort of havoc resulting in a compromised physical security system. But for every breach headline there are real-life scenarios that could play out in hospitals with HIPAA documents hacked through an online printer or a drug infusion device controlled through an IoT endpoint device. Industrial plants and manufacturing assembly lines are also at risk by cyber breaches, along with every mode of transportation in the air, on the road and on rail across the country. In fact, securing mass public transportation became such a priority with the past administration, it teamed with DHS, TSA and the Department of Transportation to help APTA identify key elements of vulnerability and potential mitigation that addressed the management, operational and technical aspects of protecting federal information and information systems. Making the current situation even more challenging, over the next few years self-driving cars controlled by edge data centers will be on the roads, further increasing the impact of cybersecurity on public safety.
How to Help Mitigate the Risk
Every enterprise from the critical infrastructure and industrial sectors, to healthcare facilities and corporate organizations must take a risk-based approach to physical and cybersecurity and preparedness. That process begins with a comprehensive risk assessment of both your cyber and physical systems vulnerabilities, continues with peer reviews to establish a baseline of best practices and then creating a threat dashboard that provides the organization its roadmap of security priorities that will enable the C-suite to identify both business and security risk and allow for proactive measures.
Building a baseline of business and organizational intelligence can aid with assessments, audits, and shared roleplaying exercises can help sync both physical and cyber security sides of the house. Engaging management with employees by periodically testing to see if all concerned are following cyber security protocols and then extending that model to check them on physical security issues ensures security staff that everyone is on the same page. Increasingly, organizations are establishing “emergency response teams” comprised of both IT and physical security staff to coordinate joint responses due to many threats having both cyber and physical aspects.
The bottom line is cyber and physical security organizations must work as conjoined partners when it comes to coordinating risk mitigation measures and attack response. In today’s environment where a cyber-attack can have devastating effects on the physical world ensuring that your organization embraces a coordinated monitoring program and response effort is critical to an effective overall security program.