In a Security Management webinar last week, Dataminr Chief Information Security Officer Brian Lozada made this point: if you are not working hard to tighten the integration of your information and physical security teams, then you are leaving your organization vulnerable.
The webinar, “Building a Unified Approach to Cyber and Physical Security,” is available free on-demand by registering.
Lozada gave several real-world examples that demonstrated how cyber attacks and physical security are related. Remember the huge Target data breach in 2013? The hackers didn’t hit Target directly; they found a vulnerability by means of an HVAC contractor Target was using.
How could you decrease the productivity of a company in Finland? If it’s a crisp winter day with highs well below freezing, then you shut off their heating system and cause an office building's temperature to plummet. This happened in 2017.
Or what about Baltimore right now? Several government systems are down and being held hostage due to ransomware. What’s the effect on physical security? Well, one of the systems is the Baltimore Department of Public Works’ water department. Oh.
Lozada put it bluntly: “If your cyber and physical teams are not aligned, you are introducing risk.”
A significant source of risk is the prevalence of supervisory control and data acquisition, or SCADA, systems, which control a wide range of critical infrastructure, from the water supply to security cameras to elevators and even gas or oil lines. The systems were installed so that they could be controlled remotely, often from centralized locations. Put simply, SCADA systems make controlling infrastructure light years more efficient than it had been previously.
And then there’s the downside: “Many of these SCADA systems are old. They were installed piecemeal, and they are out of date,” Lozada said. “Some of the SCADA systems are running on Windows 98 or on operating systems that you can’t even put antivirus on them. It gets scary when you think about things like that; they control so many things in buildings.”
The rise of the Internet of Things, and the billions of systems and devices that are being added to remote control protocols, represents an incredible escalation of this risk.
Lozada pointed out that an organization's best risk mitigator in the face of these threats is a tightly integrated cyber and physical security team. Two main benefits of a tight integration are efficient information sharing and bringing diverse experience to recognizing potential vulnerabilities.
Information sharing between the two teams is essential because time is often critical when a threat is identified. Lozada reported that approximately 10 percent of cyber attacks are the result of a physical breach. A scenario: unauthorized access to an area is detected and security investigates. With separate teams, IT has no idea and is going about its day-to-day business. On an integrated team, where IT is notified of the unauthorized access even before it is investigated, IT can begin assessing whether information systems in the area have been compromised or accessed and start working to mitigate any potential IT threats.
The combined security operation approaches issues with diverse experience because, as Lozada described it, cyber security is instantly thinking about how to respond to and recover from the threat while physical security starts with a focus on the security of people and then the protection of physical assets.
“When you look at these major compromises, it took a lot of imagination for the threat actors to actually execute on that,” Lozada said. “Cyber and physical teams need to have the same type of imagination to protect against those types of things. Bringing different thought processes to examine the same information can be incredibly valuable.”