
Physical and Cyber Security Management: How to protect your organization from threats

Cyber resilience is on everyone’s mind. But security threats don’t just come from cyber actors. There has been a noticeable increase in so-called blended threats, which require integrated security incident management software and solutions to address.

And so, in the following article, we detail the threat and how to protect your organization.

A connected threat environment requires more than cyber security management

Today’s security threats come from everywhere, and that is because modern infrastructure systems and modern security systems both consist of physical and cyber components interacting with each other in very complex ways.

Security systems, in particular, are composed of physical barriers and detectors, many of which are under computer control and are therefore vulnerable to cyber attack.

Interactions between these physical and cyber components are extremely common, creating what experts in the field refer to as blended security threats: potential attacks that use both physical and cyber-attack tactics in the same scenario.

Protecting organizations from blended threats requires physical security teams to know about cyber-attack tactics, and cyber security teams to know about the physical vulnerabilities that can compromise the digital systems for which they are responsible.

 

Physical attacks, cyber attacks, and blended cyber-physical attacks

So, what are physical attacks and cyber attacks, respectively?

Physical attacks typically refer to unlawfully gaining physical access to a physical asset in the infrastructure system in order to damage it, disable it, steal it, or use it in an undesirable way.

In physical attacks, an adversary uses force, stealth, or deception to disable or bypass access controls, completing the attack either by manipulating the system or by causing physical damage to its components.

Cyber attacks, in contrast, involve cyber manipulation of a system without the adversary ever gaining physical access to the affected component.

Hence, protection against cyber attacks, typically through user authentication, access control, encryption, monitoring, integrity checking, redundancy, and disaster recovery planning, focuses on one or more of three aims: ensuring that unauthorized users cannot access the system, limiting the damage that authorized users can cause, and restoring the system quickly.

But there’s more. In the essay Identifying and Defeating Blended Cyber-Physical Security Threats, scholars affiliated with Sandia National Laboratories argue for a class of blended cyber-physical attack types, which they define as follows:

Cyber-enabled physical attack

This blended attack pathway uses cyber-attack tactics to manipulate or disable cyber-controlled elements of the physical protection system (e.g., detectors, alarm annunciators, or locks) to enable physical attack to be accomplished more easily.

Physical-enabled cyber attack

This blended attack pathway may use a physical attack to access cyber control or entry points (e.g., network terminals or control rooms) from which cyber attacks are then launched.

Blended Threat Scenarios

The following scenarios, furnished by the Cybersecurity and Infrastructure Security Agency (CISA), demonstrate how the blended attacks described above, if successful, can disrupt operations or even deny critical services to society.

  • A security gap in access controls, such as unauthorized access to facilities or system permissions, can allow an individual to use a universal serial bus (USB) device or other removable hardware to introduce a virus or malware into a network.
  • Heating, ventilation, and air conditioning (HVAC) systems can be virtually overridden, causing a rise in temperature that renders network servers inoperable.
  • A cyber-attack on telecommunications can impair communication with law enforcement and emergency services, resulting in delayed response times.
  • An unmanned aircraft system (UAS) can compromise sensitive information by gaining access to an unsecured network using wireless hacking technology.
  • A cyber-attack exploiting healthcare vulnerabilities can compromise sensitive data or cause a connected medical device to malfunction, resulting in injury or loss of life.

Physical security, cyber security, and risk management challenges to protecting your organization against blended threats

Attacks that can occur over such an extended threat terrain are difficult enough to handle. However, the way physical security, cyber security, and risk management are set up in most organizations tends to make the problem even harder to solve.

How so? Although security personnel have determined that their systems are vulnerable to both physical and cyber attacks, physical security and cyber security remain very separate and independent disciplines within the enterprise.

For instance, cyber security risk analyses and physical security risk analyses are performed by separate teams and documented in separate reports. Similarly, cyber security incident remediation plans and physical security incident remediation plans are developed and implemented by separate teams.

The teams in question have different cultures, too, leading to siloed procurement decisions. Decisions about buying cyber security management software have little, if anything, to do with decisions about purchasing physical security management solutions, e.g., security workforce management software or security guard management software.

Worse still, security teams rarely share common security information management software or security risk management software, despite the obvious benefits.

As a result, senior leaders and teams lack visibility of interconnected physical and cyber assets, leaving the organization unable to quickly identify, prevent, and respond to blended threats. And when a blended attack does occur, lines of communication haven’t been established, impeding coordination and collaboration.

 

Converged security functions

The solution, then? Organizations need to get serious about converged security functions.

What do we mean by convergence, though? The industry definition is the formal collaboration between previously disjointed security functions. Convergence tends to encourage information sharing and the development of unified security policies across divisions, making companies more resilient and better prepared to identify, prevent, mitigate, and respond to threats.

Benefits of convergence include:

  • A secure enterprise. Convergence enables integrated views of security threats, so that leaders can gauge the security posture of the organization.
  • Greater efficiency. Connected physical and cyber security functions reduce duplicated effort and raise productivity.
  • Cross-training. Streamlined security functions lead to cross-training and an overall increase in knowledge.
  • Strategic alignment. Risk and threat management is fully aligned under a holistic strategy.
  • Shared information. Security functions share information and best practices while working to integrate and operate as a unified team.
  • Common goals. Convergence creates a single security program under one set of shared practices and goals to secure cyber-physical infrastructure.

A framework for aligning security functions

But how to achieve convergence? Organizations of all sizes can pursue convergence by developing an approach tailored to their unique structure, priorities, and capability level.

Getting started is key, though. To that end, CISA recommends developing the following framework for aligned security functions:

Communication

  • Initiate a dialogue. Open a conversation with security leaders and engage with upper management to discuss what convergence might look like within your organization.
  • Review leadership roles. Discuss whether your current leadership structure can be realigned.
  • Establish a convergence team. Identify key players, such as CSO, CISO, physical security, IT, cybersecurity, and facility managers.
  • Enable information sharing. Engage with team members across all security functions to identify points of convergence.

Coordination

  • Formalize convergence team roles and responsibilities. Establish a cadence and structure for team coordination and integration.
  • Identify linked assets. Coordinate with team members across security functions to assess cyber and physical assets, identifying those that are linked. Assess the risk level of each asset based on linkages.
  • Conduct a vulnerability assessment. Identify gaps in security and risk mitigation and determine where gaps can be closed through convergence.
  • Determine the baseline. Leverage initial assessments and gap analyses to determine the baseline for security operations and incident management.
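The "identify linked assets" and "conduct a vulnerability assessment" steps are easier to act on once the linkages between physical and cyber assets are written down as data. The following Python is an added example written for this article; it is not code from the article, from CISA, or from the Noggin platform. The asset names, owning teams, risk scores and links are constructed sample data, and the propagation rule it uses (an asset is at least as exposed as any asset that can control it or grant access to it) is an assumption of the example rather than a CISA method. Cross-domain links are labelled with the two Sandia pathway types defined earlier on the page, and links whose two ends belong to different teams are reported as the points of convergence that need a shared owner.

```python
"""Linked-asset risk assessment for converged physical and cyber security.

Added example, not code from the article, CISA or the Noggin platform.
It models an inventory of physical and cyber assets, directed links that
record which asset controls or grants access to which, and a risk score
that propagates along those links. All names, owners, scores and links
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str      # "physical" or "cyber"
    base_risk: int   # 1 (low) .. 5 (high), as assessed by the owning team
    owner: str       # team responsible for the asset


# Constructed inventory: a server room whose door lock is driven by an
# IT-managed access-control server, and whose servers depend on HVAC.
ASSETS = {a.name: a for a in [
    Asset("access-control-server", "cyber", 3, "it"),
    Asset("server-room-door-lock", "physical", 2, "physical-security"),
    Asset("server-room", "physical", 2, "facilities"),
    Asset("hvac-controller", "cyber", 4, "facilities"),
    Asset("hvac-unit", "physical", 1, "facilities"),
    Asset("server-rack", "cyber", 3, "it"),
]}

# (controller, controlled): compromising the first lets an adversary
# manipulate, disable or reach the second.
LINKS = [
    ("access-control-server", "server-room-door-lock"),
    ("server-room-door-lock", "server-room"),
    ("server-room", "server-rack"),
    ("hvac-controller", "hvac-unit"),
    ("hvac-unit", "server-rack"),
]

# Sandia pathway types for links that cross the physical/cyber boundary.
PATHWAY = {
    ("cyber", "physical"): "cyber-enabled physical attack",
    ("physical", "cyber"): "physical-enabled cyber attack",
}


def controllers(name, links=LINKS):
    """Assets that directly control or grant access to `name`."""
    return [c for c, d in links if d == name]


def upstream(name, links=LINKS):
    """All assets that transitively control `name` (cycle-safe traversal)."""
    seen, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for c in controllers(current, links):
            if c not in seen:
                seen.add(c)
                frontier.append(c)
    return seen


def linked_risk(name, assets=ASSETS, links=LINKS):
    """Assumed rule: an asset is at least as exposed as anything that can
    control it, so its linked risk is the maximum base risk over itself
    and every upstream asset."""
    return max(assets[n].base_risk for n in upstream(name, links) | {name})


def blended_pathways(assets=ASSETS, links=LINKS):
    """Links that cross domains: where a blended attack switches from
    cyber to physical or physical to cyber."""
    return [(c, d, PATHWAY[(assets[c].domain, assets[d].domain)])
            for c, d in links if assets[c].domain != assets[d].domain]


def cross_team_links(assets=ASSETS, links=LINKS):
    """Links whose two ends are owned by different teams: the points of
    convergence that need a shared owner and a shared response plan."""
    return [(c, d) for c, d in links if assets[c].owner != assets[d].owner]


def assessment(assets=ASSETS, links=LINKS):
    """Per-asset report: base risk, linked risk and the assets upstream of it."""
    return {n: {"base": a.base_risk,
                "linked": linked_risk(n, assets, links),
                "upstream": sorted(upstream(n, links))}
            for n, a in assets.items()}


if __name__ == "__main__":
    for name, row in assessment().items():
        print(f"{name:24} base={row['base']} linked={row['linked']} "
              f"upstream={row['upstream']}")
    for c, d, kind in blended_pathways():
        print(f"blended pathway: {c} -> {d} ({kind})")
    for c, d in cross_team_links():
        print(f"cross-team link: {c} -> {d}")
```

In the sample inventory the server rack's own score is 3, but its linked risk rises to 4 because a facilities-owned HVAC controller can take the room's cooling down, and four of the five links cross team boundaries; those are exactly the dependencies that separate physical and cyber risk reports would each record only half of.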

Collaboration

  • Run the numbers. Determine if convergence on any scale is financially feasible.
  • Prioritize improvements. Identify and prioritize improvements, including patches, software updates, virus protection, and opportunities for automation.
  • Craft risk-driven policies. Develop and implement risk-driven policies with broad applicability and that reflect converged security functions. Identify best practices.
  • Strategic alignment. Align strategy to shared practices and goals. Focus on improving efficiency and increasing information sharing.

Integrated security management software to tackle blended threats

Another step to take when prioritizing convergence is procuring security management software that covers all security incidents, not just cyber or physical incidents.

Such solutions help organizations proactively safeguard their people, assets, and reputation with actionable threat intelligence, enhanced situational awareness, and robust incident reporting.

What specific capabilities should you look out for? To incentivize convergence, we’d recommend:

  • Data gathering. Empower staff to report data easily using public forms accessed via QR codes, SMS, or a relevant mobile app, so that security teams remain informed about what’s happening throughout operations.
  • Situational awareness. Improve situational awareness with customizable dashboards that gather data using scrolling banners, live maps, and feeds to consolidate information from various sources, including news, weather, social media, traffic, and natural disaster streams.
  • Threat intelligence. Stay on top of potential threats and risks to people, assets, and reputation with real-time, AI-driven threat intelligence that streamlines escalation and supports effective incident response.
  • Entities of interest. Manage persons, organizations, and assets of interest across the organization, to ensure teams have the latest intelligence about entities in a format that’s easily distributed via notices, to keep interested parties informed and support better decision-making.
  • Incident management. Empower teams to efficiently respond to incidents using automated notifications via customizable workflows and assign response actions to expedite recovery. Log and share updates and impacts for clear situational awareness.
  • Investigation management. Conduct incident investigations to understand the causes and learn from disruptions. Capture case notes and persons of interest and identify options to prevent reoccurrence and be better prepared to respond in the future.

Finally, the rapid uptick in blended threats means organizations can’t rely on cyber and physical security management solutions working in isolation. That same threat picture is radically changing the type of resources physical security teams have to work with, as well.

Physical security information management (PSIM) has, therefore, emerged as a solution. But what is PSIM? Check out our article on the Importance of Physical Security Information Management for a deeper dive.