7 Steps to Align IT, OT and Physical Security

November 29, 2022 | By IANS Faculty

It's not uncommon for Chief Security Officers (CSOs) to manage two large teams: one focused on physical security, the other on cyber and information security. A close collaboration between both factions is key to reducing risk across the entirety of the organization.

This piece outlines seven techniques security leaders can use to help better align IT, operational technology (OT) and physical security.

Understanding IT-OT Integration Disruption 

Integration of IT and OT is not new. Supervisory control and data acquisition (SCADA) systems have provided a pane of glass for integrating devices in industrial, manufacturing and utility industries for decades. Until recently, these devices were separated from IT assets by air gaps, data diodes and purpose-built firewalls; however, the benefits of integrating them have forced not only an integration at the technology level, but also of management and oversight. The internet of things (IoT) both muddies the waters and draws experts from both sides toward a middle ground.

While the convergence of technology isn’t new, the consolidation of management functions is relatively recent. Many organizations from varying industries are debating how to consolidate the security strategy and responsibilities across the physical, product and information domains.

7 Steps to Integrating IT-OT and Physical Security 

Because technology is connecting devices typically considered under the purview of physical security, and connectivity is blurring the line of what constitutes an IT device, OT and IT have more in common than either side may know. But neither IT nor OT understands the intricacies of physical security or the role the information security function plays in a comprehensive physical security plan.

There’s a tendency for all three parties – IT, OT and physical security – to separate themselves from the others and to overstate the complexity of their own domain of expertise. All three have significant complexity and each has built a corpus of expertise and experience. One main problem is that each function is possessive of its own expertise and underestimates the sophistication – both operationally and culturally – of the others.

Here are seven steps used by organizations that have successfully merged information, operational and physical security.

1. Create an Exchange Program   

Identify staff from each function who have an interest in one or both of the other disciplines and implement a staff-swapping or internship program. Send IT security staff to physical security and vice versa for a period of time. Make them ambassadors.

Identify IT security staff who tinker with Raspberry Pis or Arduino boards, who know what a breadboard and resistors are, and who know how to use a soldering iron. Identify physical security staff who are computer-literate, who know the difference between Windows, OS X and Linux, and who grasp the metaphor between door access and open ports.

2. Create a Translation Dictionary for Each Group’s Distinct Terminology and Concepts   

Building a team starts with a common mission and language. The combined mission is centered around combined modality attacks (see the next recommendation), but without the ability to effectively communicate, team unity will be loose. For example:

  • IT security thinks in terms of systems, networks and data: confidentiality, integrity and availability.
  • OT security thinks in terms of devices, locations, actuators and sensors: safety, privacy and compliance.
  • Physical security thinks in terms of gates, guards and guns: facilities, law enforcement and surveillance.

3. Add Combined Modality Attacks to Each Function’s Threat Models 

Physical attacks can affect IT assets and cyberattacks can affect physical assets. In a simple sense, many cyberattacks involve some form of social engineering, which can manifest in physical access.

Plant operators have well-thought-out threat models. For example, they know that turning an upstream actuator in a pipeline on and off rapidly can create bubbles that will render a downstream sensor inaccurate. Neither IT nor physical security would know to look for this attack behavior, yet one has access to data and the other has eyes-on visibility.

4. Involve Managers and Staff from All Functions in Combined Tabletop Exercises 

This is a natural extension of combined modality threat models and also begins to integrate the functions as a team. It also prepares them to look across functions for attacks such as USB sprinkling, out-of-place Raspberry Pi equipment or suspicious strangers potentially masquerading as contractors or new hires.


5. Encourage Communications Between All Functions

Include all functions on status reports and encourage all functions to include the others in communications and meetings. Reinforce that real-world attacks bridge information, operational and physical security modalities, and that many successful attacks combine at least two of them.

Add social engineering to phishing attacks, make success statistics available to all and call out individuals across the functions who succeed in crafting successful campaigns or prevent attacks from succeeding.

Challenge IT security to find ways to detect physical attacks. For example, add door badging telemetry to the SIEM and write use cases for detecting anomalous behavior or to augment IT use cases, such as a virtual private network (VPN) login from a user who’s already in the facility.
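One way to build the badge-plus-VPN use case described above, as an added example that is not part of the IANS post: the badge and VPN log lines, their field names and the 14-hour stay window are constructed assumptions, and the correlation runs over a time-sorted merge of both feeds so a badge-out clears the user's on-site state before later logins are judged.

```python
"""Flag VPN logins from users whose badge telemetry says they are on site."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): door-badge and VPN gateway events.
BADGE_LOG = [
    "2022-11-29T08:02:11Z badge user=alice door=HQ-LOBBY action=in",
    "2022-11-29T08:05:40Z badge user=bob door=HQ-LOBBY action=in",
    "2022-11-29T12:10:05Z badge user=bob door=HQ-LOBBY action=out",
    "2022-11-28T07:00:00Z badge user=dave door=HQ-LOBBY action=in",  # never badged out
]
VPN_LOG = [
    "2022-11-29T09:15:00Z vpn user=alice src=203.0.113.7 result=success",
    "2022-11-29T13:00:00Z vpn user=bob src=198.51.100.9 result=success",
    "2022-11-29T07:30:00Z vpn user=carol src=192.0.2.5 result=success",
    "2022-11-29T10:00:00Z vpn user=dave src=198.51.100.20 result=success",
]


def parse(line):
    """Turn 'TIMESTAMP kind k=v k=v ...' into a dict with a datetime 'ts' (assumed format)."""
    ts, _kind, *kv = line.split()
    fields = dict(f.split("=", 1) for f in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def vpn_while_on_site(badge_lines, vpn_lines, max_stay=timedelta(hours=14)):
    """Return (user, login time, source IP) for successful VPN logins by users
    whose most recent badge event is an 'in' no older than max_stay.
    A badge-in older than max_stay with no badge-out is treated as a missed
    badge-out rather than as presence, to limit false positives."""
    events = [("badge", parse(l)) for l in badge_lines]
    events += [("vpn", parse(l)) for l in vpn_lines]
    events.sort(key=lambda e: e[1]["ts"])  # replay both feeds in time order
    on_site = {}  # user -> timestamp of last badge-in; removed on badge-out
    alerts = []
    for kind, ev in events:
        user = ev["user"]
        if kind == "badge":
            if ev["action"] == "in":
                on_site[user] = ev["ts"]
            else:
                on_site.pop(user, None)
        elif ev.get("result") == "success" and user in on_site:
            if ev["ts"] - on_site[user] <= max_stay:
                alerts.append((user, ev["ts"], ev["src"]))
    return alerts
```

In a SIEM the same logic is a join of the VPN success event against the user's latest badge event, keyed on a common identity; the hard part in practice is mapping badge-system IDs to directory accounts.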

6. Discourage Cultural Biases and Divides 

Organize events where all parties attend. Introduce the staff to each other, both in a work context and at social outings.

Make IT understand that physical security staff aren’t all muscle and no brains and vice versa. The more people like each other, the more they’re apt to work together.

7. Combine Policies Across All Functions 

Most organizations have separate policies for information security, operations and physical security. Combining the policies gives each function a sense of the scope of the others’ roles and responsibilities, as well as sparks areas of cross-functional benefit.

Expand the policy to incorporate these areas of new opportunity. And don't forget to include incident response (IR), which is vastly different between IT and physical security (police and fire vs. an IR company on speed dial with public relations staff standing by).

Managing the Integration of IT-OT and Physical Security 

Not all staff will embrace a combined security program. Put in place a system to identify those who have an interest in working across groups, but don’t penalize those who are comfortable in their chosen domain. Every organization needs generalists and specialists.

No matter how the management structure is reorganized to accommodate the newly integrated functions, make sure the office ultimately responsible has the authority to govern a combined security program. Too often, the CISO is given responsibility for overseeing manufacturing or other operational functions but hasn’t been given the power to implement strategies across all of them. Executive management must be clear about who reports to whom and where the ultimate authority – and responsibility – lies.

Finally, there may be areas where integration creates more risk. This is rarely an operational problem: There is power in having visibility over all three functions; however, there are legal and privacy aspects of combining groups with largely unrelated operational models.


Advice for Successful Alignment 

Casinos are already using data and observations such as car license plate numbers, hotel registration, facial recognition and behavior profiling to identify pickpockets and card counters. Every organization has a physical presence and associated threats, as well as a cyber footprint and associated threats. The casino model should not be foreign to other industries beyond gaming and entertainment.

Combining security programs from IT, OT and physical security/facilities can reduce risk beyond the sum of each operating independently. When combined with traditional IT telemetry, data from physical systems can provide greater insight into security and operational activity, expand associated use cases, and improve defenses from attackers both cyber and physical. For example, consider adding social media monitoring and associate it with visitors and customers to inform both physical and cybersecurity on potential threats.

Beyond risk reduction, an integrated approach can benefit employees, contractors, visitors and customers alike. For example, integrating identity and access management (IAM), door and garage access control systems, along with Wi-Fi can provide a seamless experience to everyone while giving both IT and physical security a greater level of visibility and early warning into suspicious activity.
