Your agency’s physical security people are probably conscientious and competent. Your cybersecurity people are probably diligent and downright brilliant. Yet to an attacker with the right skills, the overall security of your organization or facility might seem like a joke.
How could this be? If your organization is like most of those analyzed by the U.S. Cyber Consequences Unit (US-CCU), it will be in part because you manage your physical security and cybersecurity separately. In fact, your chief of physical security and your chief of cybersecurity might not talk to each other. If your organization is a large one, it’s even possible they have never met.
How can I convey in a short column how insane that is?
Let’s start with physical security. Almost every aspect of physical security today is utterly dependent on networked electronics.
It’s by means of networked electronics that your physical security staff monitors the condition of your facility. They rely on sensor alarms to warn them about intrusions, fires and nearly all other hazards. They use video surveillance to show them what’s happening in key areas. And they probably monitor these devices on computer screens. Computers probably also control physical access. Employees swipe and scan badges or identification cards using networked electronics. Almost all other authentication methods also employ networked electronics. Even the access authorization lists administered by humans are generated using computers.
Finally, nearly all industrial processes are managed by automated controls. These electronic controls are what keep the processes within safe parameters. Every level of that physical security paradigm would collapse if the networked electronics failed to function properly. Virtually all of these electronic devices are now digital or managed by something that is. This means that they are all vulnerable to cyberattack.
Your cybersecurity, meanwhile, utterly depends on your physical security. If an attacker can gain physical access to a computer, that attacker can almost always take control of it. Merely getting access to a physical terminal where a memory device could be plugged in is usually sufficient.
All of the physical devices that contribute to the functioning of an information system — the monitors, cables, routers, switches, hard drives, sensors, scanners, printers and power sources — must be physically protected, or they can be turned into tools for attacks.
It doesn’t matter what sort of firewalls or other security measures separate a system from the outside world if an attacker can get to it physically. There are a multitude of ways to sniff, tamper with or damage an information system if you can get your hands on the equipment that supports it.
Despite the extent to which physical and cybersecurity depend on each other, it’s surprising how often we learn during US-CCU security reviews that the people responsible for one fail to give a thought to the other.
Cybersecurity people usually pay little or no attention to their role in protecting physical facilities. The kinds of activities that would help attackers enter or destroy a facility aren’t necessarily high on the priority lists of cybersecurity teams. Similarly, physical security people often pay little heed to actions that could give attackers control of information systems. They primarily worry about vandalism and theft, not the possibility of someone plugging a flash drive into a supposedly secure system.
Is it any wonder then that US-CCU typically finds gaping security holes wherever physical security and cybersecurity intersect? As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.