Operational Resilience

Overlook Physical Security Risks at Your Own Peril

Don C. Weber
Jun 8, 2023

Illicit remote access to industrial control systems and devices provides threat actors with access to process information, user and service account credentials, and the ability to remotely interact with attack surfaces. These attack vectors are the current security focus of most organizations in critical infrastructure and production, distribution, and service industrial sectors. 

This reprioritization has relegated physical security, once an essential defense ensuring the safety of operational technology, to the backseat. The reasons for this vary from organization to organization and site to site. My experience is that legacy site physical security components change at such a slow rate that weaknesses are likely to go undetected or are easily overlooked. One example is the gap that opens between a door and its frame when a building's foundation shifts over time. Such weaknesses may allow exploitation using simple techniques such as latch jimmying or under-the-door tools, shown below.

Source: Cutaway Security
Source: Cutaway Security

To offset these weaknesses, most organizations fall back on enhanced closed-circuit television (CCTV) and digital building/room access controls. However, these same organizations lack an organized response process that can explain what happened inside these buildings once an alert or recording exists. Thus, these expensive digital countermeasures merely provide a false sense of security.

It is difficult to predict the motivation of a threat actor or which threat actor group will target an organization at a specific time. Threat intelligence can help focus efforts and reduce costs but, at the end of the day, we must be good at evaluating our countermeasures and reducing gaps little by little. Threat intelligence also helps us understand that the ingenuity of each threat actor group should not be underestimated. Threat actors with time to evaluate implemented countermeasures and then react will identify weaknesses and use them to their advantage.

Physical security has always been a consideration in the implementation of Industrial Automation and Control Systems (IACS) because of the potential consequences of unauthorized access. Despite these long-standing safety practices, the Cybersecurity and Infrastructure Security Agency (CISA) has continued to release updates for organizations to review and improve their physical security efforts. In 2021, CISA released an update to its Cybersecurity and Physical Security Convergence guide.

This guide describes the separate management of physical security and cybersecurity across all industrial sectors. It highlights the typical siloed management of these efforts and how that separation gives threat actors opportunities to exploit the gaps to their advantage. Organization leadership needs to realize that these silos are not intentional. The missions of physical security teams typically never included considerations for digital threats, and therefore they lack communication, coordination, and collaboration with the cybersecurity teams.

Fortunately for the IACS industry, the CISA Cybersecurity and Physical Security Convergence guide outlines a methodology for improving the partnership between these teams through a "converged security operations" effort. Implementing these recommendations will improve the effectiveness of physical security countermeasures and the response to unauthorized physical access. The result is a well-rounded strategy that delivers strategic improvements while your team continues to improve its current physical security compliance efforts.

Source: CISA

While leadership is working to improve strategic efforts, OT team leaders responsible for remote sites or a plant's operations should gather a team consisting of persons from the physical security team, the cybersecurity team, and the OT team. This team should conduct a physical walk-through of each location to review the ingress points to the location, all external control cabinets, the entrances to each building, and the physical control cabinets and network racks within the buildings.

The team should discuss the current conditions and exchange ideas about how threat actors could take advantage of current conditions to access the facilities and digital assets. The cybersecurity team member can provide educational information about common tools threat actors might deploy to access and persist within the control network, such as dropboxes and wireless access points. The OT team member can provide details about critical areas and assets at the location. The physical security team member can review the conditions of doors, fence lines, and CCTV cameras to understand their current effectiveness in preventing and alerting to unauthorized access. 

These are the starting points for addressing the lack of communication, coordination, and collaboration that exists between these teams. These efforts are also useful in predicting the actions threat actors could take to attack the physical process at that location, or to gain access to the location's network infrastructure and, potentially, to the organization's core digital assets, such as SCADA control centers.

Conducting a review of physical security countermeasures is necessary to get an organization's siloed physical security and cybersecurity teams working together with the OT team. This collaboration will improve the safe and reliable operation of any control environment.

I encourage all teams to review the CISA SECTOR SPOTLIGHT: Electricity Substation Physical Security guide to understand some of the challenges of physical security, how threat actors are currently targeting remote locations, and how to implement effective countermeasures. Ultimately, organizations must begin to integrate their physical security and cybersecurity efforts before physical access is used against them.

Don C. Weber
Principal Consultant, Founder, Cutaway Security

Don C. Weber is the Principal Consultant and Founder at Cutaway Security, LLC, an information security consulting company. Don's previous experiences include large-scale incident response efforts for organizations with international assets and interests, the certification and accreditation of classified federal and military systems, assessment and penetration testing of worldwide commercial assets, and, as a Navy contractor, the management of a team of distributed security professionals responsible for the security of mission-critical Navy assets.