As hackers steal data from political campaigns, health insurance giants and even the CIA director’s personal email account, agencies and businesses are becoming hyper alert to cyber defense. But physical breaches may pose even more risk to government computer systems than cyber intrusions, because physical access opens so many more channels of attack.
That’s why the Department of Homeland Security (DHS) is now rethinking its cyber strategies and looking for ways to better link cyber and physical defense. DHS expects to begin merging the two by creating a Cybersecurity and Infrastructure Protection Agency in 2017. Doing so will require Congress’ approval, but legislation to create the new agency is already working its way through the House of Representatives.
The new agency would focus on defending the nation’s critical infrastructure against both cyber and physical threats, DHS wrote in a March report to Congress.
Physical attacks can affect cyber networks and cyber attacks can have serious physical consequences, the report says. By merging defenses, it continues, “we can detect physical manifestations of cyber events as well as physical events that may impact information and communication technologies, systems, and networks.”
Indeed, Peter Giannoulis and Stephen Northcutt write in a paper published by the SANS Institute, “Physical security breaches can result in more issues for an organization than a worm attack.”
Thumb drives or other devices connected to a network can infect other users. Wireless keyboard sniffers plugged into electrical sockets can surreptitiously “slurp” up logons, passwords and other valuable data. And rarely are security personnel even faintly aware of these risks.
At DHS, security capabilities have “grown up in stovepipes,” the agency acknowledges, but the two realms of defense can no longer afford to be so distinct.
DHS isn’t alone, according to Peter Romness, a cybersecurity programs lead at Cisco Systems. Many organizations “are merging their physical and cyber security infrastructure,” Romness said. “The availability of the technology and the economies of combining the networks are driving adoption.”
By linking cyber and physical, security departments can gain greater insight into employee behavior and patterns, and put that information to work to better protect systems. After all, video cameras, motion detectors, audio sensors and card key or biometric access controls are already in place. The difference is that now it’s possible to align all that data to gain a fuller picture of what’s really happening in a facility and across its networks.
With discipline and tougher controls over cyber access, managers can greatly improve defenses, says Ayal Vogel, vice president for business development at the cybersecurity firm Radiflow.
Consider the case of on-site contractors hired to maintain cyber systems, he says. These vendors often have unfettered access to buildings and the computer systems inside them. “They can walk right in through the front door and have access to the whole facility,” Vogel said. And yet cyber system managers “have no idea what they’re doing on the network.”
That’s a vulnerability.
Integrating physical security with cybersecurity enables agencies and businesses to overcome that weakness, Vogel said. So Radiflow integrates positive identification at the door with access to the network. Now, instead of letting in an outside vendor and trusting that he won’t stray from his assigned mission, security mangers can strictly limit his access to only the specific physical spaces and networked equipment he needs to touch. Everything else is off limits. Access can be determined in advance and spelled out in a work order.
If the technician deviates from the work order, such as connecting an unauthorized device, say a thumb drive, to the network, or issuing unauthorized system commands, the security system detects, blocks and reports it. In addition, physical security devices, such as video cameras, swipe cards and biometric identification systems track the technician’s whereabouts while he is inside the facility.
Expensive? “Relatively expensive,” Vogel conceded. “But a lot less expensive than a data breach.”
Networking giant Cisco Systems encourages its customers to adopt similar multi-layered defensive measures. It’s “what we call micro-segmentation,” Romness said. It “allows access to resources based not only upon who the user is, but on how they’re connected, where they’re connecting from, the time of day and many other factors. This way, someone with access to the heating and air conditioning could be prevented or detected as they attempt to access point-of-sale data.”
Security is augmented when cyber and physical defenses are linked, Romness said. For example, when someone tries to log into a computer, it would be odd if they haven’t already swiped into the building.” Linked systems would spot that.
Concerned that cybersecurity professionals aren’t paying enough attention to physical security, Douglas Jacobson, chairman of the Information Assurance Center at Iowa State University, added physical protection elements to his center’s annual “Cyber Defense Competition.”
The competition, which helps prepare students for cybersecurity jobs, historically focused on protecting websites, email servers, logins, credit card information and other elements “you would think of as normal cyber security,” Jacobson said.
Last winter, Red team attackers threw a wildcard into the contest. They targeted an electrical power substation and Blue team defenders moved to block the attack. While most defenders struggled in vain to discover the digital vulnerabilities attackers had exploited, “the smart teams dispatched someone to the substation,” where they discovered the break-in had been a physical assault, Jacobson said.
Gaining physical access to power substations, which are typically unmanned and often in remote locations, can give intruders access to servers and the computerized control systems that keep electricity flowing. That means they can shut off power.
Like the electric grid, water and sewer lines, transportation systems and oil and gas pipelines are all potential attack targets, Jacobson said. And students studying cybersecurity need to understand that in the working world, attackers won’t play by predetermined rules limiting them to websites and business networks. Instead, they’ll target vulnerabilities wherever they can find them.
For managers planning new facilities, the interconnectedness of physical and digital security has never been more clear. New campus and building facilities today are built around network backbones that support information technology requirements as well as building operations – everything from controlling utility usage and heating, ventilation and air conditioning to on-site security. It’s essential that both chief security officers and chief information security officers are involved in making those decisions, says Chris Burns, vice president of cloud computing and cybersecurity services at General Dynamics Information Technology.
“Involving the chief security officer in the design stage is obvious,” Burns said. “But making sure your chief cyber defender is there too is not. People think of data security like they think of software – something you can always change later. But involving the CISO early on is essential to making sure operations networks are properly protected.”
Physical and information security are completely intertwined in modern buildings and campuses, Burns said, and both parties must be involved in planning and operating those systems.
Still, noted CISCO’s Romness, there’s still “a large discrepancy in security maturity throughout the industry,” and many organizations are not ready to connect information and physical security.
There are institutional rivalries to deal with, as well. In many organizations, cybersecurity has a larger budget than physical security – and wants to keep it that way, Vogel said.
“Big organizations have problems breaking down barriers because they have so many levels of authority,” he said. Managers resist change when they stand to lose influence during organizational makeovers. As for small organizations, they “often lack resources” to build effective defenses, he said. In either case, “they need a strong executive at the top who understands how to look at security holistically.”
ISU’s Jacobson agreed. The two branches of security “are different enough that there is some desire to keep them separate, especially in large organizations,” he said. “But clearly they should be in close communication,” perhaps even reporting to a single security chief.
At a minimum, organizations should “get the physical and cyber people in the same room” to war game security together, Jacobson said. “Brainstorm about how you would break in – nothing’s too crazy,” he urged. “Those sorts of discussions may not happen as much as they ought to.”
Cisco’s Romness sees that happening today as chief information security officers (CISOs) and chief security officers (CSOs) discover they can help each other.
“We are oftentimes seeing formal organizational relationships between the CISO and the CSO, with one working for the other or with the two reporting to the same manager,” Romness said.
“Cybersecurity is a boardroom issue now,” he added. “Mature organizations share resources and realize that they must work together for the safety and security of all.”