Cybersecurity and Physical Risk Management for Critical Infrastructure Protection
In recent years, as threat actors and threats continue to multiply, the White House has made improving the security of the Nation’s critical infrastructure a top priority. To reinforce this message, the Administration has proclaimed November 2022 “Critical Infrastructure Security and Resilience Month”. Businesses of all kinds are encouraged to take a moment to reflect on their security postures, both physical and cyber, and explore ways to improve their efforts. So, where should you start?
For decades, the role of security in risk management has been innately understood, with physical security often highlighted as the first line of defense for any organization. From perimeter cameras and parking barriers to access control at the front door, threats visible to the naked eye often take precedence. However, as technology has advanced, cyber attacks, such as intruders gaining access to critical Industrial Control Systems (ICS), have taken center stage, often emerging as an unseen threat with equally devastating consequences.
Managing your cybersecurity and physical security risk must be a hand-in-hand effort to enhance your operational resilience to threats from all angles.
In this article, we’ll explore the most common misunderstandings about both cybersecurity and physical security that put industrial enterprises at risk. You’ll find striking similarities in the processes for improving the resilience of our nation’s critical infrastructure against all hazards — both natural and manmade.
1- If your information technology (IT) practices are sound, your Operational Technology (OT) is protected.
We’ve said it before, and we’ll say it one thousand times more: IT and OT security are different beasts. Although there are some similarities in the theoretical basis of the fields, IT and OT environments are completely disparate in practice. Many leaders task existing IT teams with protecting OT assets, but those professionals are often untrained and untested in OT security. As a result, many companies with exceptional IT programs have OT environments that remain exposed. Instead, companies must begin to invest more of their cybersecurity budgets in hiring OT specialists, training IT professionals in the specifics of OT security, or contracting an experienced third party.
2- Resources should be distributed equally because all elements of the facility are critical.
When designing security protocols, the default is to protect the system homogeneously. This approach may come from IT practices, and it’s one that doesn’t translate well into OT environments. When the purpose of the system is to protect user information, avoiding a leak may be more important than keeping the system running. However, when the system provides water or power to entire regions, periods of operation at the facility’s minimum adequate function are preferable to total downtime.
The fact is that only some equipment is critical to that minimum adequate function. Developing an asset inventory that includes relative criticality rankings can help guide resource allocation within facilities to optimize a company’s approach. Unfortunately, many companies fall short in this regard. A survey conducted by the SANS Institute and ABS Group found that 30% of companies have no formal process for asset inventories and 10% are unsure of their inventory status.
3- Updated facilities are more secure.
Newer is always better, right? Well, yes and no. Of course, creating connected facilities by adding remote monitoring and other capabilities using internet of things (IoT)-enabled devices has boosted efficiency in industrial operations, but those next-generation connections come at a cost.
Every new point of connection is a possible door through which bad actors can gain entry to industrial operations. As such, operators need to reevaluate their cyber hygiene to account for an expanded attack surface by prioritizing visibility into those new controls. Many companies are falling short in this regard. SANS found that 65% of respondents indicate that their visibility into their control systems is limited, and 7% have no visibility into their control systems at all. Without an adjustment in approach that prioritizes network visibility, operators who have updated their facilities may be at more risk than they were before.
4- “Air gapping” keeps equipment safe.
So, if you haven’t added connections in your facility, you’re safe — right? Not quite. Many OT operators believe that forgoing connected equipment altogether will keep them safe from attack. The theory is sound on paper, but it falls apart in practice. The reality is that a true “air gap” doesn’t exist. Any piece of industrial equipment that’s ever been updated or had maintenance done on it has been connected to an external source. Whether the update comes from a supplier’s USB drive, a direct download or some other means, it’s an alteration to the system through which ransomware or other malicious code can reach your facility. If you’re relying on air-gapping to keep your facility safe, you’re relying on a fallacy and need to change your approach.
5- Being compliant means being protected.
With government-level regulations, such as the NERC CIP standards in the power industry, becoming commonplace for industrial contractors and original equipment manufacturers (OEMs), many leaders believe that being compliant means they’re secure. That’s not the case. Compliance is about meeting minimum requirements. Good OT cyber practices are tailored to the facilities they protect. A well-designed program is guided by the risk profile of the facility it protects, not a checklist. If a company is banking on compliance to keep its systems protected from ransomware, then it’s likely to fall short when an attack comes.
6- Physical security starts once the facility is up and running.
You need to begin considering the physical security of your organization as soon as possible—this includes the new build phase. Security-By-Design (SBD) considers security upfront in the development process, with security features integrated into the building design. Utilizing the built environment can help protect your organization from both man-made and natural hazards. The earlier you understand the vulnerabilities of critical infrastructure, the easier it is to implement rational, cost-effective mitigation strategies.
7- A basic risk assessment can keep critical infrastructure safe.
When was the last time you completed a threat, vulnerability and risk assessment? While many public facilities only perform risk assessments, Security Vulnerability Assessments (SVAs) and Threat and Vulnerability Risk Assessments (TVRAs) for critical infrastructure can help you address all the elements in the equation that require attention. This will help you to:
Understand the Threat. When conducting a threat assessment, start by identifying adversaries and their intent and capability, then review tactics from past attacks at similar locations to estimate the threat to the organization.
Assess Vulnerability. Understanding the threat is important, but the ability to deter attack is amplified by understanding vulnerability. Vulnerability can be considered as the psychological, sociological or physical characteristics that leave an asset unprotected or exploitable for attack. Typically, the emphasis is on physical security vulnerabilities, but the human factor can make or break our security efforts. Thinking “it will never happen here” or “it will never happen to me” can add to vulnerability.
Calculate Risk. It’s finally time to tackle the risk assessment. This is the process of identifying the likelihood of an event arising from threats and vulnerabilities and analyzing the impact if the event occurs.
8- Everything should be protected and prioritized equally.
While SVAs, TVRAs and Risk Assessments identify all elements within the security equation, it’s important to remember the adage: If everything is important, nothing is important. It’s crucial to identify what resources are essential to your operation and require the highest protection. Begin by identifying your critical assets. Examples include restricted areas, specialized tools and equipment, supplies like keys, uniforms, badges, weapons, hazardous materials and more. Consider the impact of their loss to operations.
Most often, facilities need bespoke solutions to their unique problems, including protective design, Security-By-Design, anti-terrorism and force protection, and onsite training and exercise support.
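As an added illustration (not code from the original article or from ABS Group), the following Python sketch shows how the criticality-ranked asset inventory from point 2, the threat, vulnerability and risk steps from point 7, and the prioritization in point 8 fit together in a single risk register. The asset names, the 1-to-5 ordinal scales, the band thresholds and every score are constructed assumptions for the example; a real facility would derive them from its own assessments.

```python
"""Qualitative OT risk register: a criticality-ranked asset inventory feeding a
threat x vulnerability x impact score, then prioritisation.

Added example; names, scales and scores are constructed for illustration."""

from dataclasses import dataclass
from typing import List

SCALE = range(1, 6)  # assumed ordinal scale, 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int    # how essential to the facility's minimum adequate function
    threat: int         # adversary intent and capability, informed by past attacks
    vulnerability: int  # how exposed or exploitable (remote access, patch state, people)
    impact: int         # consequence to operations if the asset is lost

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings so a typo cannot silently skew the register.
        for field_name in ("criticality", "threat", "vulnerability", "impact"):
            value = getattr(self, field_name)
            if value not in SCALE:
                raise ValueError(f"{field_name} must be in 1..5, got {value}")


def likelihood(asset: Asset) -> int:
    """Likelihood of a successful event: a threat meeting a vulnerability (1..25)."""
    return asset.threat * asset.vulnerability


def risk(asset: Asset) -> int:
    """Risk = likelihood x impact (1..125 on these scales)."""
    return likelihood(asset) * asset.impact


def risk_band(score: int) -> str:
    """Map a numeric score to a qualitative band (thresholds are assumed)."""
    if score >= 60:
        return "Critical"
    if score >= 30:
        return "High"
    if score >= 12:
        return "Medium"
    return "Low"


def minimum_adequate_function(assets: List[Asset], threshold: int = 4) -> List[Asset]:
    """Assets the facility cannot run without: criticality at or above the threshold.
    These, not the whole plant, get the highest protection tier."""
    return [a for a in assets if a.criticality >= threshold]


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Order the register by risk, breaking ties on criticality, so effort goes to
    the exposed and essential assets first instead of being spread evenly."""
    return sorted(assets, key=lambda a: (risk(a), a.criticality), reverse=True)


# Constructed sample inventory for a water-treatment style facility (illustrative only).
INVENTORY = [
    Asset("Chlorination PLC", criticality=5, threat=4, vulnerability=3, impact=5),
    Asset("Intake pump VFD", criticality=5, threat=3, vulnerability=2, impact=4),
    Asset("Vendor remote-access jump host", criticality=2, threat=5, vulnerability=4, impact=4),
    Asset("Engineering workstation", criticality=3, threat=4, vulnerability=4, impact=4),
    Asset("Historian server", criticality=2, threat=3, vulnerability=3, impact=2),
    Asset("Break-room HVAC controller", criticality=1, threat=2, vulnerability=3, impact=1),
]


if __name__ == "__main__":
    print(f"{'Asset':34} {'Crit':>4} {'Like':>4} {'Imp':>3} {'Risk':>4}  Band")
    for a in prioritize(INVENTORY):
        print(f"{a.name:34} {a.criticality:>4} {likelihood(a):>4} {a.impact:>3} "
              f"{risk(a):>4}  {risk_band(risk(a))}")
    core = ", ".join(a.name for a in minimum_adequate_function(INVENTORY))
    print(f"\nMinimum adequate function depends on: {core}")
```

Two things the table makes visible that the prose can only state: criticality and risk are separate axes (the vendor jump host scores highest risk while contributing little to minimum adequate function, so it needs isolation and monitoring but not the uptime guarantees the chlorination PLC does), and a flat ranking by risk alone would leave the two essential process assets without the protection tier point 2 argues for, which is why the register keeps both columns.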
The Path Ahead: Next Steps to Protecting our Nation's Critical Infrastructure
The common thread in the above misunderstandings is experience. OT cybersecurity is somewhat of an emerging field among cyber professionals, and it’s certainly a new priority for industrial sectors. By contrast, physical security often remains top of mind; however, man-made threats to commercial targets and critical infrastructure have increased exponentially, resulting in a surge in demand to protect assets from bad actors. The good news is that you don’t need to tackle these problems alone. Experienced vendors like ABS Group can help companies evaluate their facilities, take a critical look at existing initiatives, and tailor physical security and OT cybersecurity programs to their needs.