Today’s mass shootings and outbreaks of war and conflict across the globe represent a near-constant reminder of the need for reliable security. Physical security — whether that is residents locking their doors before bed or a corporate office employing security guards to roam the halls after hours — is crucial to protect against harm. However, implementing stringent cybersecurity measures is often the missing puzzle piece to an integrated and fully developed security plan.
No one well prepared for dangerous threats would lock the front door but purposely leave the back door and windows wide open. Often, this is the mindset some organizations unintentionally take when it comes to cybersecurity.
Just because a cybersecurity threat is unseen does not mean it does not exist. Organizations that fail to take action and prepare for cyberthreats could face significant disruption. The integration of both physical and cybersecurity helps an organization create a holistic and coordinated approach to security.
A New Era Of Threats
The events of Sept. 11, 2001, ushered in a new age of security in the U.S. and across the globe. The horrors of that day resulted in a much more rigorous airport check-in process, complete with people trudging through security lines barefoot, rapidly moving through metal detectors and dogs sniffing at luggage rolling past. The additional physical security made flying much safer, a welcome relief after experiencing such a devastating event.
The post-9/11 environment led to many organizations reevaluating physical security. These evaluations have been further reinforced with the recent rise in mass shootings. According to the Gun Violence Archive, 647 mass shootings occurred across the U.S. in 2022. The wide variety of locations in which these shootings occurred has organizations of all kinds taking a look at physical security measures — from churches to music festival venues to elementary schools. Physical security is inherently a core pillar to keep communities and organizations safe from those who wish others harm.
The 21st century saw a rise in physical security concerns, but that change was not the only mark of a new century. The increase in internet connectivity has led to cyberthreats becoming an unfortunate reality. As organizations continue to turn to virtual connectivity and operations are streamlined increasingly through automated services, cyber solutions are growing more prominent.
In particular, critical infrastructure stands to be especially vulnerable to cyberthreats. Hackers could cause major disruption to the water supply by tampering with treatment solutions or wreak havoc on the electric grid by producing massive power outages. According to POLITICO, 60 incidents classified as threats or attacks on major grid infrastructure were reported in the first three months of 2023. Additionally, in 2023 the U.S. is on track to meet or exceed 2022’s record of 164 major cyber and physical attacks. Such significant attacks could negatively impact communities and threaten the stability of day-to-day living.
Ransomware attacks also have been on the rise in recent years, as hackers strive to achieve financial gain by holding organizations’ confidential data for ransom. According to the NCC Group, September 2023 saw a record 514 victims of ransomware attacks, up 153% from 2022. In 2021, a ransomware attack on Colonial Pipeline infamously led to Americans rushing to gas stations to fill their tanks. The Joint Ransomware Task Force was created as a result to provide a central place for the U.S. government to respond to ransomware attacks. These incidents have highlighted not only vulnerabilities in the U.S. supply chain but also the need for strong cybersecurity measures for critical infrastructure.
Global conflict and uncertainty also have created the perfect storm for heightened cybersecurity risk. Rather than fighting on a physical battlefield, foreign adversaries often turn to cyber methods to steal sensitive information and cause disruption to communities. Additionally, domestic extremists pose a real challenge to critical infrastructure and other organizations. These types of incidents often are not simple data losses or what some might consider a minor inconvenience, but instead can realistically sway the geopolitical state of the world.
Creating A Safer World
For many organizations, cybersecurity starts and ends with compliance. Organizational decision-makers might believe they have kept their data and operations secure by simply meeting the regulations established by the U.S. government. For example, Executive Order 14028, Improving the Nation’s Cybersecurity, requires service providers to report incidents and threats that impact government networks, among other mandates. In 2023, the Biden administration announced a national cybersecurity strategy with the goal of defending critical infrastructure and disrupting threats. However, this commitment and these mandates are just a starting point. Organizations still need to take action to prevent a major cybersecurity incident.
To create a more resilient cybersecurity plan, risk first needs to be assessed. Any system automation or network has the potential to be vulnerable. Critical functions dependent on cyber connectivity should be evaluated to understand and eliminate risks, as appropriate for each organization.
In the age of digitalization, network and system project teams discuss numerous aspects upfront during the planning phase. From efficacy to reliability to resiliency, organizations want systems that are ready for any challenge. Cybersecurity should be as much a part of early discussions as any other factor that goes into the planning phase. Before a threat ever arises, taking proactive action can help an organization to identify risks and vulnerabilities, prevent an attack and put a plan in action in the event of a cybersecurity breach.
Often, an engineering firm thoughtfully prepares for a project’s budget and schedule, but offloads cybersecurity concerns to a third party. Or, the expectation can be that the organization provides its own cybersecurity services after a solution has been designed and implemented. Bringing in a reliable in-house cybersecurity team that is already integrated into the engineering side of a project can help to seamlessly create more secure systems and networks.
Specifications and designs should be strategically planned to account for cybersecurity concerns. By assessing cyber vulnerabilities and risks, organizations can move forward confidently with informed decision-making that protects crucial processes.
Deploying Secure Solutions
Organizations can take several steps to improve cybersecurity. Incorporating secure remote access to critical infrastructure protects these highly vulnerable entry points. This is particularly beneficial if physically accessing a site is rendered difficult due to a natural disaster, pandemic or other significant event. Cybersecurity teams can deploy a single solution that gives organizations complete control and vendor oversight.
Deploying continuous monitoring and detection strategies for operational technology networks and communications is also beneficial for organizations. Having 24/7 monitoring and detection strategies in place increases visibility and awareness into operational technology networks to enable a swift response in the event a cyberattack occurs. Additionally, managed threat services help with ongoing security concerns, focusing on both information technology and operational technology operations.
An end-to-end risk analysis of current operating systems also should be used as part of solution development to protect assets and prepare for cyberthreats. This analysis takes a look at every asset an organization contains to provide maximum security. Increasing security orchestration, automation and response provides greater cybersecurity. By increasing the automation of security-related tasks, cybersecurity teams can be efficient and focused, knowing routine tasks are being deployed. This also enables cybersecurity teams to increase their scope and coverage for more secure operations.
Having an impenetrable identity and access management system in place is crucial for critical infrastructure teams. Owners, operators and managers should deploy a zero-trust security platform to prevent cyberthreats that could occur through a plethora of vendors.
Cyberthreats will continue to escalate in volume and sophistication, and implementing a zero-trust security platform helps to prevent hackers from accessing the most vulnerable data.
Integrating physical and cybersecurity is critical to provide a holistic and coordinated approach to keeping operations safe and reliable. Examining systemwide architecture helps to identify security gaps and begins the process of implementing a plan to shore up an organization’s security. Gaps in physical and cybersecurity are often hard to spot — that is, until threats highlight the vulnerabilities.
Critical industries — including electric utilities — can benefit from assessing and maximizing security infrastructure. By planning ahead, threats can be eliminated, data remains confidential and operations stay reliable.
William Smith is a director of security and risk consulting at 1898 & Co., part of Burns & McDonnell. In his role, he is passionate about and committed to safeguarding critical infrastructure through strategic engineering, regulatory compliance and common sense. He is a 22-year veteran of the Naval Nuclear Propulsion Program and holds a bachelor’s degree in nuclear engineering from the University of Michigan, MBA degree from Oklahoma City University and master’s degree in cybersecurity from the University of Maryland Global Campus.
Victor Atkins is a director of security and risk consulting at 1898 & Co., part of Burns & McDonnell. In his role, he develops and delivers industrial cybersecurity solutions and services to the critical infrastructure industry. He specializes in helping clients reduce risk in the critical infrastructure sectors. He is a nonresident senior fellow at the Atlantic Council, focusing on cybersecurity, hyperintelligence and nuclear security.