ou’ve heard the buzzword, you’ve got an idea of what it is, but what really are ‘cyber-physical threats’? A virtual panel of trans-Tasman security specialists was convened last month to provide some insights.
If you’re a security professional working in one of the majority of organisations who are yet to converge their security functions, you’re likely to have some idea of what ‘cyber-physical threats’ are, but they may also represent something of an enigma.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), “The adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices has led to an increasingly interconnected mesh of cyber-physical systems (CPS), which expands the attack surface and blurs the once clear functions of cybersecurity and physical security.”
An expanded attack surface, a blurring of cyber and physical security functions… it doesn’t sound good. But, beyond such dark yet somewhat esoteric descriptions, but what does do cyber-physical threats actually look like, how can they potentially impact on organisations, and how can they be neutralised?
Converged threats
As his first in a series of six questions, panel host Jonathan Calver, Director at Strategy Mix, asked: “What are some examples of the types of cyber-physical threats that require a hybrid risk mitigation response?
According to panellist Darren Kane, Chief Security Officer at nbn Australia, the threat posed by the ‘trusted insider’ is one that can fit the description of a cyber-physical threat.
A trusted insider, such as an employee, is someone who has typically been given various means of accessing their organisation, including physical access cards, a company Id, door codes, a user profile, network login and passwords.
“The trusted insider is someone who we’ve given access to all of those items,” says Darren. “They become an ‘insider threat’ when we prove that they have nefarious intent against us.”
According to Nicholas Dynon, a Security Risk Management Specialist at Optic Security Group cyber-physical security threats can be thought of in terms of two categories: (i) physical security breaches that result in a cyberattack; and (ii) cybersecurity breaches that result in a physical incursion.
“Think of the archetypal guy in the hi-vis vest who bypasses a physical access control point into a work area, then slips something into a USB port and wreaks cyber havoc,” says Nicholas. “That’s an example of the first category.”
An example of the second category, he says, could be the cyber breaching of a CCTV camera assisted by poor patching practices or an unchanged manufacturer’s password.
“Having bypassed an IP CCTV camera (or any IoT device for that matter), the malicious actor is now potentially in the network of the organisation operating the CCTV and may use the surveillance footage to assist in the perpetrating of a physical breach.”
According to panellist Michael McKinnon, CIO at Pure Security, it’s all about what happens “before the fingers hit the keyboard or the device gets plugged into the USB.”
“It’s all of those things that happen in that potential attack chain that are going to potentially impact the data within the organisation.”
Converged solutions
Having provided some examples of the types of cyber-physical threats, the panellists touched on the hybrid risk mitigation responses needed to thwart them. They did so via the model of ‘converged security’.
In the face of cyber-physical threats, traditionally distinct – or 'siloed' – approaches to physical security and cyber security are no longer adequate. As a report by PricewaterhouseCoopers points out, “These risks may converge or overlap at specific points during the risk lifecycle, and as such, could become a blind spot to the organisation or individuals responsible for risk management.”
Converged security, which is an approach to security that involves ‘converging’ the cybersecurity and physical security functions within an organisation, removes the blind spots.
“For me, the importance of converged security is around having that entire picture and thinking about the risks across both the physical and cyber realm,” says Michael McKinnon.
Darren Kane, who has deployed a converged security model at nbn Australia, is a champion of the benefits of a converged security approach in relation to managing the risk posted by insider threats.
“The reason that the converged model is useful in managing that risk is that you get on oversight of the whole lifecycle of the employee, from data feeds, to an understanding of investigations capabilities and other things,” he says.
“Ultimately, a converged security approach is about adopting a hybridised cyber-physical lens in order to identify cyber-physical threats, and then using tactics that involve cyber and/or physical means to neutralise those threats,” says Nicholas Dynon. “It’s about fighting fire with fire.”
“Without a converged approach, your cyber team may be trying to put out a fire but your physical security team can’t smell the smoke… and that’s no longer a defensible position to be in as an organisation.”