“Security convergence” is an industry term for the unification of cyber and physical security into a single organizational structure. It has been a topic of discussion among practitioners since ASIS International and the Information Systems Audit and Control Association (ISACA) founded the Enterprise Security Risk Management Alliance, an organization dedicated to the concept, 17 years ago. Yet only 52.5 percent of the large companies surveyed are either “fully or partially converged,” as Megan Gates noted in the latest issue of Security Management magazine. Gates also cites the incident at Colonial Pipeline, which had run traditionally siloed cyber and physical security programs and is now merging its security functions after suffering a damaging ransomware attack in May. Critical infrastructure providers, especially those in the energy sector, cannot work effectively with cyber and physical security information locked in separate silos.
With rapidly changing geopolitical risks, persistent cyber threats, COVID-19 settling into seasonal outbreaks, and violent kinetic attacks and conflicts occurring around the world, companies have reimagined traditional enterprise risk management frameworks to cover all hazards. The risk landscape for critical infrastructure providers, especially those in the energy sector, is complex.
First, energy providers operating in the dynamic world of dispersed generation, transmission and distribution often have a wide array of infrastructure located in every kind of threat environment, from urban centers to isolated rural areas. Large electrical substations or critical pipelines, for example, fall under various regulatory regimes (including NERC CIP, CFATS and the TSA pipeline security directives), most of which require strong cyber security and, in some cases, physical security as well (e.g., NERC CIP-014). Second, energy providers are increasingly exposed to operational technology (OT) attacks: cyberattacks that target physical infrastructure and can have devastating physical consequences beyond operational disruption.
In addition, sophisticated cyberattacks on the grid are increasingly a means by which state actors attempt to punish adversaries in unattributable or covert ways. Earlier this year, DHS even warned of domestic violent extremists targeting infrastructure for physical attack to create widespread chaos and undermine trust in government. In September, the Nord Stream gas pipeline was sabotaged under the Baltic Sea, a stark reminder of the disruption a surgical strike can inflict on exposed infrastructure. Global geopolitical instability has only increased the potential for a converged attack, in which a sophisticated threat actor gains physical access to a critical site and injects malware directly into ICS/SCADA systems, a threat vector that even an “air gap” between IT and OT systems cannot prevent. Worse, a coordinated cyber and physical attack, simultaneously targeting different key nodes of the electrical system, could have an amplifying and cascading effect.
In response to these threats, regulators are pushing for greater security convergence and cyber-physical coordination within the energy sector. In addition to outlining physical security requirements, the latest TSA pipeline security directive, released in July, requires covered “owners/operators” to “have an updated cybersecurity incident response plan that includes measures to mitigate the risk of disruption.” Alongside the baseline cybersecurity standards, NERC’s CIP-014-1 (Physical Security) also requires transmission operators “to identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection.”
NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) also conducts the GridEx exercise every two years to offer “member organizations and partners a forum to practice how they will respond to and recover from coordinated cyber and physical security threats and incidents.” GridEx planners continue to anticipate an increase in sophisticated, coordinated attacks that will challenge traditionally siloed security organizations. Read together, these regulatory and exercise regimes point to converging cyber and physical risks.
The criticality of the sector, its reliance on decentralized, exposed infrastructure, and the creativity and sophistication of its adversaries all require dismantling the information silos within security organizations. The most direct way to eliminate silos is to converge security functions under a single accountable executive responsible for security risk management and investment decisions. An incremental model would converge physical security programs with OT security functions (rather than the entire IT cybersecurity ecosystem), uniting under a single chain of command the critical functions that prevent, respond to, and recover from hybrid threats and attacks.
To manage these “tail risk” security contingencies, meaning low-probability, high-consequence risks, a converged or dedicated cross-functional team can:
- Form a converged threat task force within the security organization that meets regularly and in response to an operational or aspirational threat against the company. Ensure that OT/cyber security and physical security professionals share information and best practices to prepare for, respond to, and recover from an attack.
- Develop an internal risk communication function. This dedicated team is responsible for collecting, analyzing and disseminating information about cyber and physical threats and risks. It works with the executive leadership team and operational unit leaders (e.g., heads of generation or transmission) to develop actionable intelligence priorities, synthesizes information from government and industry information-sharing initiatives, and continually refines threat bulletins.
- Include threat-based validation of security controls and procedures. Develop and continuously refresh a converged set of adversarial tactics, techniques and procedures (TTPs), i.e., a design basis threat, that reflects actual and credible adversary activity. Evaluate existing security measures against this ranked list of threat vectors and develop design standards that best detect, delay, and defeat hybrid threats.
Convergence is not a panacea suitable for every company and every sector. Cybersecurity and physical security professionals have specialized skills and experience that have evolved over time and still require continued specialization, and each brings a distinct perspective on how an adversary might exploit a vulnerability. However, critical infrastructure providers, particularly those in the energy sector, lack the inherent protections other industries enjoy (e.g., co-location of high-value assets or systems, less persistent threats, and limited physical impact of attacks). Instead, these organizations are targeted by sophisticated threat actors, manage a vast array of exposed infrastructure with inherent physical and cyber vulnerabilities, and provide services that directly affect society’s ability to function. Now is the time for the energy sector to seriously consider merging its security functions to manage an unprecedented threat landscape effectively.