Integrating Physical and Cyber Security: Strategies that Work
- By Doug Powell
- Aug 16, 2012
What is the average age of a Chief Security Officer today? Would 50 years be a good guess? A CSO in this age range will have been working at some aspect of protection services, then since the 1980s, and at least since 1990 leading up to this current career pinnacle. Consider then the environment today’s CSO has worked through over the past 25 to 30 years.
Considering that between 1985 and 1995 computers were more commonly associated with games, academia and entertainment, and considering security professionals were just beginning to see the emergence of computer technology into their work space, a CSO today has only begun to operate with an IT security focus since about 2004 or later. Y2K woke up many individuals to the realization that computers play a larger part in our lives than we had previously contemplated and ushered in more than world-wide terrorism for security professionals. Certainly, within critical infrastructure protection circles, information technology allowed for new security tools to be deployed and added some physical security concerns such as server room protection, but IT security has not been forefront.
IT security in the same environment has been limited to a handful of specialists who have grown the IT security discipline within industry and taken up challenges related to critical cyber asset protection in a way that traditional security professionals could not. But IT security has typically not crossed the line into traditional protection planning in many instances. IT security professionals have often been relegated to server rooms and backrooms out of sight and not part of the traditional security team.
In 2012, the world view is such that IT security (or cyber-security) has exploded to become the primary focus within security debates, news stories, government legislation and critical infrastructure protection initiatives. IT security has taken center stage in critical infrastructure protection. Security professionals in CSO roles now see cyber-security as central in initiatives related to regulation and standards. The traditional security professional may feel somewhat out of step as IT security professionals such as Chief Information Security Officers (CISOs) suddenly take senior posts within organizations. Even within organizations whose primary business is focused on physical assets like pipelines, dams, water systems, nuclear plants, museums, transportation systems and so on, an IT security shift is apparent. All of this creates a new paradigm.
At a time when international espionage, nation state attacks and terrorism adopt cyber weapons, priorities for security professionals must change. In a climate where employees still use their birth dates as passwords and key vendors are still building backdoors into critical applications and defaulting factory passwords to something as mundane as, “password”, what does an organization do to protect its cyber infrastructure and also shift security culture without reducing protection across its extensive physical asset base? Does IT make business happen or simply support it? Is that question even relevant?
Today, security professionals are challenged to protect critical cyber assets as well as the infrastructure the IT serves. Not only do physical assets and their related Operational Technology (OT), like Programmable Logic Controllers need priority protection from a number of threats, access to these assets has been given network access. Assigning protection to server rooms and facilities is now only a relatively small part of the protection formula. Along with insider threats, and IT-savvy insiders at that, threat actors can reach our critical assets and their operating systems from around the world. Stealing financial records, intellectual property and personal information through hacking is scary enough. Gaining access to OT controls that assist in the operation of major dams, pipelines, railway systems, nuclear plants and the like is somewhat terrifying. Security leaders are now faced with a fully integrated problem that cannot be solved by independent security teams working in isolation from one another.
Security principles have not changed much in the past 30 years, but the application of those principles is shifting daily. Addressing integrated security disciplines to ensure a cohesive and collaborative security solutions environment in any organization requires a number of coordinated things to happen efficiently. These include information sharing, collaborative planning, new education platforms, shared risk management practices and much more where IT and traditional security experts combine resources to achieve protection goals.
The Utilities Security Council of ASIS International has partnered with security professionals from (ISC)² to draft a white paper on the topic of security integration and the challenges associated with integrating the IT and traditional security disciplines. This paper provides some important solutions for bringing traditional security and IT security into a collaborative and truly integrated partnership and directs the discussion to address security in the new paradigm. The priority concern today is that we recognize the need for an integrated approach and that critical infrastructure and security management be well served through effective security leadership. This paper will be discussed at the 58th Annual ASIS International Seminars & Exhibits, in Philadelphia, PA.
Join us on Tuesday, September 11th, 2012 at 11:00 a.m. for session #3115 to hear Utilities and IT security professionals discuss, Integrating Traditional & Cyber-security: Strategies that Work.