[By Blake Benson, Senior Director – Industrial Cybersecurity Practice at ABS Group]
America’s critical infrastructure faces more diverse threats than ever before. The rapid digitalization of many sectors and the relatively analog operational environments that exist in others have led security specialists and analysts to develop divergent plans of action to accommodate the needs of both.
To better protect our increasingly connected physical and IT infrastructure, federal risk analysts should pursue a comprehensive and integrated view of the threats we face. This includes leveraging existing risk frameworks and models and incorporating cyber-physical safeguards to accurately capture threats and kinetic consequences of cyber-initiated events.
Small changes for a safer world
Developing an approach that both acknowledges the differences between cyber and physical threats and still considers them alongside one another will likely require a significant commitment from specialists and agencies. However, the process should be more of an evolution than an endeavor started from scratch. For example, the risk models that the U.S. security community currently uses for counterterrorism efforts at ports and other vulnerable sites already provide a solid foundation for the task at hand.
However, to make it work for a cyber-physical world, a few key features will have to change.
To start, the federal government should reframe its thinking around defining and prioritizing cyber risk. The models we use for traditional anti-terrorism programs do a phenomenal job at capturing the physical consequences caused by kinetic adversarial actions and capture the majority of secondary and tertiary repercussions on the economy or related dependencies.
The same consequences are relevant in cyber-physical environments, and the ways that newly connected systems might contribute to these incidents should be part of the equation, but they are only that: a part of it. The blended assessment framework should also consider the effects on communities of things like supply chain disruptions, port closures, or data leaks in combination with more traditional physical threats like explosions or gas leaks.
This redefinition of risk will allow security specialists to build a more consolidated and comprehensive risk framework that incorporates cyber-initiated events into traditional risk models, while allowing for better prioritization and comparison of impacts. While they were once separated, the two have become inextricably linked. Cyber-initiated events can now reproduce incidents that previously had no digital cause, making it even more important that risk frameworks accurately capture safeguards, mitigation measures, and other relevant information about both cyber and non-cyber systems and how they interact.
Finally, the broader security community should come together to promote transparency about incidents, effective mitigation actions, threats, vulnerabilities, and other related factors. Not only will access to this kind of dataset help inform more effective cyber recommendations, but it can also help businesses pursue more secure operations, more effective risk models, and more effective prioritization strategies to remediate weaknesses. To encourage this transparency, government-level agencies should also lead the charge in developing a cross-sector, cross-organizational database of threats, incidents, and effective mitigation actions to help inform continuous improvement of available resources, in order to better protect critical infrastructure.
Knowing and doing
As is often the case when widespread change is necessary, knowing what you need to do is one thing; actually doing it is another. Agencies with responsibilities in this realm should carefully assess how other policies and priorities interfere with their ability to provide meaningful risk buy-down activities to federal and industry stakeholders alike.
Responsibility for operational cyber activities tends to vary by sector and level of maturity. The roles and responsibilities of CISA and other federal agencies with oversight and threat advisory duties should be clearly defined, as should the processes for collaboration between these agencies and related industry stakeholders.
The above are just two practical adjustments that may support the theoretical changes that should take place to help the U.S. build a better, more comprehensive OT cyber risk management program. Ultimately, the specifics matter less than the outcome, as marrying cyber and physical homeland security programs will be an ongoing commitment to which the U.S. government, private companies, and experts in OT and IT must dedicate their time if they hope to mitigate today’s cyber-physical security concerns.