The current number of active connected devices across the globe is estimated to exceed 20 billion and it is expected to climb above 40 billion by 2025. This comes as no surprise as organizations are integrating cyber into physical systems and emerging technologies into their operations at a staggering rate. From artificial intelligence and machine learning to security cameras and smart phones, technology plays an integral role in business processes and delivery of goods and services. Technology has fueled a surge in innovation, efficiency, and profitability but it has also cultivated interconnected cyber-physical ecosystems that expand an organization’s attack surface and blurs the once-clear lines between cybersecurity and physical security. This illuminates the need for organizations to inventory and understand how assets connect and interact across the enterprise and rethink how they approach enterprise-wide security.
Today, a single vulnerability in a connected environment can disrupt an organization’s operations on a national or global scale, potentially impeding delivery of critical services. Colonial Pipeline and JBS are two recent, high-profile examples. In May 2021, Colonial Pipeline, the largest fuel pipeline in the U.S., suffered a ransomware attack that prompted the company to shut down critical fuel distribution that supplied nearly half of the gasoline used on the East Coast. This shutdown, initiated by Colonial Pipeline out of an abundance of caution, led to panic buying and temporarily elevated gas prices. In June 2021, JBS, one of the world’s largest meat processing companies, was also compromised by ransomware targeting its servers causing the shutdown of U.S.-based processing centers. The disruption impacted approximately one-fifth of the nation’s meat supply and threatened to further interrupt food supply chains. In both instances, a cyber vulnerability was exploited, a network was compromised, and physical operations were disrupted on a massive scale resulting in a cyber-physical attack. These incidents exposed the dependent conditions between information assets and operational technology – where the compromise of one seemingly independent system negatively impacts the performance and operation of an entirely separate environment.
While Colonial Pipeline and JBS were large-scale events, there are also examples of cyber-physical attacks that have occurred on a smaller scale with potentially life-threatening consequences. In February 2021, a water treatment facility in Oldsmar, Fla., was targeted by cyber actors who accessed the facility’s supervisory control and data acquisition system and remotely altered chemical amounts in the water. Had an onsite employee not quickly identified and remedied the problem, the incident could have had serious impacts to the potable water supply to the local community.
These cases highlight the complexities of the operating environment and have led some organizations to reconsider their approach to security. Globally, industries are facing myriad threats targeting both their cyber and physical assets that require a more holistic security approach to fully assess and mitigate the breadth of risks. Industry must also contend with navigating the dependencies and interdependencies of assets and their connectivity to critical networks.
To appropriately address these challenges, a complete understanding of enterprise assets is required, and security professionals can no longer operate in separate spheres without acknowledging that the protection of cyber-physical assets is a shared responsibility. The main objective should be for security professionals to work together to develop a flexible, sustainable security strategy that is anchored by shared goals that align with current organizational priorities. Though the need for this kind of increased collaboration is understood, many are unsure where to begin. To help, the Cybersecurity and Infrastructure Security Agency (CISA) released a product that explains the interconnected operating environment and the need for increased collaboration.
In January 2021, CISA developed the “Cybersecurity and Physical Security Convergence Guide” to help security professionals begin the conversation within their organizations about how to implement a comprehensive approach to security that bridges the gap between cybersecurity and physical security and aligns security efforts with organizational priorities and the evolving threat landscape. The guide describes the cyber-physical operating environment, risks associated with siloed security functions, convergence in the context of organizational security functions, and a flexible framework for aligning security functions. Acknowledging that convergence – formal collaboration between previously disjointed security functions – is not a one-size-fits-all approach, the guide provides a variety of proposed activities that are applicable across industries regardless of an organization’s size, structure, or current capability level.
The guide serves as a starting point for security professionals interested in implementing convergence within their organization. Leveraging the tenets of the framework provided in the guide, organizations can overcome the potential risks of siloed security functions by formalizing collaboration and acknowledging the shared responsibility of protecting an organization’s cyber-physical assets. In addition, the challenges facing organizations are everchanging and efforts to convergence must remain fluid and adaptable. CISA’s recommendations mirror the complex and interdependent threat environment in which we operate – implementing this concept and maintaining this level of integration over time requires consistent communication, coordination, and collaboration. The primary goal for integrating these concepts into organizational processes and weaving the idea of formal collaboration into organizational culture is to eliminate internal siloes that create gaps in security and increase risk to linked cyber and physical assets.
With expanded use of connected devices growing, and with predicted advancements in technology, organizations are encouraged to take a proactive role in protecting their enterprise from threats manifesting in the cyber-physical ecosystem. By instituting a comprehensive approach to security that brings together cross-disciplinary expertise to fully assess and protect against all threats targeting the organization, a more secure enterprise is possible.
To learn more and access CISA’s Cybersecurity and Physical Security Convergence Guide, visit Cybersecurity and Physical Security Convergence | CISA.