Writing for Dark Reading, Thomas Kopecky, Co-Founder and Chief Strategy Officer at Ontic, expands on the growing belief in the security industry that physical and cyber teams can no longer operate in silos, and must converge to better mitigate hybrid threats.
When it comes to enterprise security, the physical world and the cyber domain have long been treated as separate — like a Venn diagram whose circles don’t overlap. Those days are over.
Companies are facing an enormous increase in threats, with physical exposures interacting with the cyber domain and vice versa. In a survey commissioned by the Ontic Center for Protective Intelligence, 69% of respondents noted that their companies are experiencing a dramatic increase in physical threat activity compared with last year. At the same time, VMware’s 2021 Global Security Insights Report found that 63% of US cyber security professionals said attacks increased due to employees working remotely.
As such, it has become increasingly apparent that companies need to unify their cyber and physical security operations. As recent cyber-physical threats have shown, to dismiss one area puts the other at risk.
In fact, Gartner predicts that by 2025, 50% of asset-intensive organisations such as utilities, resources, and manufacturing firms will converge their cyber, physical, and supply chain security teams under one ‘chief security officer’ role.
Taking this step can facilitate communication amongst security teams, which not only helps in preventing these attacks in the first place but also ensures that organisations are better prepared to handle them should they materialize.
Utility infrastructure becoming commonplace attack targets
Examples of recent cyber-physical threats are numerous.
Earlier this year, a hacker remotely accessed the Oldsmar, Fla., water treatment plant computer system. In the attack, they attempted to increase the amount of sodium hydroxide in the water supply to potentially dangerous levels. While the method for the attack was cyber, had it not been caught, thousands of people could have been harmed by drinking that water.
Another example is the ransomware attack on the Colonial Pipeline, one of the nation’s largest pipelines, which carries refined gasoline and jet fuel from Texas up the East Coast. The cyberattack provoked a shutdown for five days, leading to temporary fuel shortages along the East Coast. While no individuals were harmed, the economic impact of an event like this could be staggering. With gas prices rising, so will the cost of other goods and services as gasoline surcharges are taken into account when shipping and transporting items.
“Siloed operations are endemic to the corporate world, across nearly all functions. So it shouldn’t surprise anyone that security teams focused on the physical and cyber realm might not collaborate — or even speak the same language.
“Systems that straddle the physical and cyber domains require that security professionals shift their mindsets. Today, IT systems affect physical outcomes and corporations must be able to appropriately handle the convergence of these threats.”
Cyber security experts have warned about infrastructure attacks for years. Driven by outside actors and, in the case of Colonial Pipeline, criminal elements operating on foreign soil, these incidents have generated massive headlines.
These events underscore the determination of threat actors outside of organisations. Furthermore, we know that when it comes to critical industries such as those involving infrastructure, most cyberthreats stem from insiders. Taken altogether, this highlights the need for organisations to maintain consistent security controls to address internal and external threats.
While external threat hunting is usually known to fall under the purview of network security teams, insider threats are typically the responsibility of physical security teams that bring an intelligence-driven approach. That’s why it’s imperative for security teams to approach protection from a converged point of view, especially as cyber-physical systems address a new set of risks that few security and risk leaders have had to consider.
Data centres are no longer purely cyber security targets
Conversely, the digital world is built from physical assets. Attacks against data centres can cost millions of dollars for operators. The impact on clients could be much greater in terms of downtime and lost opportunities.
In April, the US Department of Justice arrested a Texas native who attempted to blow up an AWS data centre in Virginia. Just one month after the AWS attack, a fired security employee at a Microsoft data centre in Cheyenne, Wyo., returned to the facility with a gun.
While data centres might anticipate their threats to manifest on the cyber side of the spectrum, the threat landscape has vastly expanded. In these moments of heightened awareness, security teams should review the physical security controls at their facilities and ensure that they are proactively hunting for threats that may disrupt operations.
Hardware is a gateway for cyber-physical threats
Executive protection and site security can also be affected by cyber intrusions. Back in January, a former security technician for home security company ADT admitted to accessing customers’ home security cameras over four years.
Hacking events like these become physical security issues when live video footage access is abused. A threat actor may easily be able to breach the home security system of a celebrity or high-profile executive to gain insight into their routines, personal life, and habits. Alternatively, malicious actors could access video surveillance systems at an organisation and use that footage when planning and executing an attack. Studying live footage can reveal the daily schedule of key executives, building floor plans, and the exact locations of employees at a certain time — creating numerous threats for an organisation and its people.
Breaking down silos
Siloed operations are endemic to the corporate world, across nearly all functions. So it shouldn’t surprise anyone that security teams focused on the physical and cyber realm might not collaborate — or even speak the same language.
Systems that straddle the physical and cyber domains require that security professionals shift their mindsets. Today, IT systems affect physical outcomes and corporations must be able to appropriately handle the convergence of these threats.
Physical security and cybersecurity are intrinsically connected, and it is no longer effective to manage these threats separately. Cyber-physical incidents can quickly lead to physical harm, destruction of property, environmental disasters, and worse, and all signs point to an increase in these destructive events.