“Security convergence” is the industry term used to describe the uniting of cyber and physical security into a single organizational structure. It has been a point of discussion among practitioners since ASIS International and the Information Systems Audit and Control Association (ISACA) established the Alliance for Enterprise Security Risk Management – an organization dedicated to this concept – 17 years ago. Yet only 52.5 percent of large companies surveyed are either “fully or partially converged,” as noted by Megan Gates in the latest issue of Security Management. Gates also cites Colonial Pipeline, which operated a traditionally siloed cyber and physical security program and is now merging security functions in the wake of the crippling ransomware attack it experienced in May. Critical infrastructure providers, particularly those in the energy sector, cannot operate effectively with cyber and physical security information siloes in place.
With rapidly changing geopolitical risks, persistent cyber threats, enduring COVID-19 with seasonal hot spots, and violent kinetic attacks and conflicts occurring globally, companies have re-thought traditional enterprise risk management frameworks to account for all risks and hazards. The risk surface for critical infrastructure providers – particularly those in the energy sector – is complex.
First, energy providers that deal in the dynamic world of dispersed generation, distribution, and transmission operations often have a vast array of infrastructure located in all types of threat environments – ranging from urban to isolated rural areas. These bulk-electric system substations, or critical pipelines, for example, fall under varying regulatory oversight (including NERC CIP, CFATS, and TSA Pipeline Security directives), most of which require robust cybersecurity and even physical security controls (e.g., NERC CIP-014). Second, energy providers are increasingly susceptible to Operational Technology attacks – cyber attacks that target physical infrastructure and can have a devastating physical impact beyond operational disruption.
Additionally, sophisticated cyber attacks against the grid are increasingly how state actors attempt to punish adversaries in a non-attributional or obfuscated way. Earlier this year, DHS even warned of domestic violent extremists targeting infrastructure for physical attack to create widespread chaos and undermine confidence in the government. In September, the Nord Stream pipeline was sabotaged under the Baltic Sea – a stark reminder of the disruption a surgical attack can have on exposed infrastructure. Global geopolitical instability has only increased the potential for a converged attack, in which a sophisticated threat actor gains access to a critical site or location and introduces malware directly into ICS/SCADA systems – a threat vector that no amount of “air-gapping” IT/OT systems can prevent. Worse, a coordinated cyber and physical attack, targeting disparate key bulk-electric system nodes concurrently, could have an amplifying and cascading effect.
Based on these threats, regulators are attempting to drive greater security convergence and physical-cyber coordination within the energy sector. In addition to outlining physical security requirements, TSA’s latest Pipeline Security Directive, released in July, requires covered “Owner/Operators” to “have an up-to-date Cybersecurity Incident Response Plan that includes measures to reduce the risk of operational disruption.” In addition to baseline cybersecurity criteria, NERC’s CIP-014-1 Physical Security also requires transmission operators “to identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.”
NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) also leads the GridEx exercise biannually to offer “member and partner organizations a forum to practice how they would respond to and recover from coordinated cyber and physical security threats and incidents.” GridEx planners continue to anticipate a rise in sophisticated, coordinated attacks that will challenge traditionally siloed security organizations. When read holistically, these key regulatory and exercise regimes highlight converging cyber and physical risks.
The criticality of the sector, its reliance on decentralized, exposed infrastructure, and the creativity and sophistication of adversaries demand the dismantling of information siloes within security organizations. The best way to eliminate siloes is to converge security functions under a single, accountable executive responsible for security-related risk management decisions and investments. An incremental model would see physical security programs converge with OT security functions (vs. the entire IT cybersecurity ecosystem), uniting under a single chain of command the critical functions that prevent, respond to, and recover from hybrid threats and attacks.
To manage these “tail risk” security contingencies – risks with low probability but high consequence – a converged or dedicated cross-functional team can:
- Charter a converged Threat Working Group within the security organization that meets regularly or in response to an operational or aspirational threat against the company. Ensure experts from OT/cybersecurity and physical security share information and best practices to prepare for, respond to, and recover from an attack.
- Develop an internal Risk Intelligence Function. This single team is responsible for collecting, analyzing, and disseminating cyber and physical threat and risk intelligence. Work with the Executive Leadership Team and Operation Unit Leaders (e.g., heads of Generation or Transmission) to develop actionable intelligence priorities. Synthesize information from government and information sharing initiatives and continue to refine threat bulletins.
- Incorporate Threat-Informed validation of security controls and procedures. Develop and continuously refresh a converged set of adversary tactics, techniques, and procedures (“TTPs”) – i.e., a design basis threat – that reflect real and plausible adversary activities. Assess existing security measures against this risk-ranked list of threat vectors, and develop corresponding design standards that best detect, delay, and defeat hybrid threats.
Convergence is not a panacea appropriate for every company and every sector. Cybersecurity and physical security practitioners have specialized skillsets and experiences that have evolved over time and warrant continued specialization. Each brings a unique perspective that can illuminate how an adversary would exploit a vulnerability. However, critical infrastructure providers – particularly those within the energy sector – lack the inherent protections afforded to other industries (e.g., co-located high-value assets or systems, less persistent threat activity, and limited physical impacts from an attack). Instead, these organizations are the target of sophisticated threat actors, operate vast arrays of exposed infrastructure with inherent physical and cyber vulnerabilities, and provide services that directly impact society’s ability to function. Now is the time for the energy sector to earnestly consider converging security functions to effectively manage an unprecedented threat landscape.