Physical and cyber systems that are critical to the functioning of a nation’s economy, security, and health are referred to as critical infrastructure. The sectors include energy, transportation, finance, telecommunications, healthcare, water, emergency services, and others. Disruptions to critical infrastructure can have catastrophic consequences because these systems underpin almost every segment of modern society and provide service across every sector.
Physical security and cybersecurity are both critical to protecting critical infrastructure and the systems that control it. In the past, these domains were regarded as independent of one another. Yet the merging of information technology into physical systems has resulted in the integration of cyber and physical risks. Today, attackers can exploit these intersections to induce disruptive effects that span the digital and the tangible domains.
This article will examine the intersection of cybersecurity and physical security in critical infrastructure. It will cover the evolution of industrial control systems, the nature of cyber-physical threats, challenges in securing converged environments, and emerging strategies that aim to bridge cybersecurity and physical security to create a more secure infrastructure.
The Rise of Industrial Control Systems
Industrial control systems (ICS) are computer networks used to monitor and control physical industrial processes. They include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations. Their main function is the automated operation and monitoring of infrastructure such as power plants, electricity grids, pipelines, refineries, transportation, and water treatment facilities.
In their early years, ICS used proprietary technology and were air-gapped from external networks. But the adoption of standardized protocols and components has brought increasing connectivity and remote access. ICS have embraced Internet-connected devices, wireless data transmission, and IT platforms. This allows for efficient remote control and automation, but also for cyber intrusion. An ICS network can be attacked through the corporate IT network, wireless connections, or third-party access points like maintenance ports.
The convergence of IT and ICS environments has enormously increased the cyber attack surface. Legacy ICS components were designed without security in mind and cannot be patched or upgraded. As attackers increasingly target industrial systems, ICS cyberattacks are becoming more frequent, automated, and destructive.
The Cyber-Physical Threat Landscape
Cyber threats against ICS can be categorized based on the attacker’s intent:
- Espionage – to gather sensitive operational or proprietary data.
- Disruption – to interrupt the availability or operation of the ICS.
- Destruction – to corrupt, degrade, or destroy ICS components.
These cyber intrusions are often a precursor to follow-on physical effects. By compromising an ICS, attackers can manipulate or sabotage the physical processes under control. This can result in impacts like:
- Loss of View. Inability to monitor the physical process and state.
- Loss of Control. Inability to control the physical process.
- Unexpected Equipment Operation. Unplanned or unsafe operation of equipment.
- Damage to Equipment. Component failures or accidents.
- Loss of Automation. Loss of automated monitoring/control functions.
- Product Loss or Contamination.
The control obtained and the nature of the process targeted determine the scale and duration of the physical effects. Attacks on ICS can have severe cascading effects that undermine national security, public health, and safety.
The convergence of IT, OT, and physical domains has also made room for multi-stage cyber-physical attacks. In these, a cyber intrusion is used to penetrate perimeter security before a physical infiltration attacks the core infrastructure. The cyber intrusion serves as reconnaissance, access, and/or a distraction to enable the physical attack.
A 2013 case in point was a California electricity substation sniper attack that exploited previous cyber intrusions to map the site. Multi-stage attacks can bypass many traditional security controls and greatly expand the attack surface. Defending against them requires tight collaboration between the cyber, physical, and personnel security teams.
Challenges in Securing Converged Environments
The integration of IT and operational technology presents significant challenges for cybersecurity and physical security teams. Organizational silos, incompatible systems, and regulatory constraints often hinder communication and unified protection efforts. Key issues include:
- Differing risk management approaches. ICS have unique reliability, safety, and uptime requirements compared to corporate IT networks. Actions like taking systems offline to patch vulnerabilities can undermine ICS functionality.
- Inability to support traditional IT security controls. Legacy ICS components often cannot accommodate controls like firewalls, intrusion detection systems, and anti-malware tools without impacting process control and uptime.
- Interdependence and cascading failures. A disturbance in one infrastructure system can trigger cascading failures across multiple sectors. This complex risk landscape strains siloed security approaches.
- Weak cybersecurity regulation and oversight. Governance frameworks related to ICS cybersecurity tend to be fragmented across industry sectors and lack overarching standards and accountability models.
- Constrained information sharing. Information sharing may be discouraged by a fear that reporting cyber incidents would result in regulatory penalties, litigation, and bad publicity. Information hoarding prevents others from noticing that something is going wrong.
- Talent and skills deficits. Specialized expertise in IT, OT, and physical engineering is required to handle ICS environments. Training and retaining this multidisciplinary workforce is an industry-wide problem.
- Difficulty quantifying risk. The challenge of assigning value to cyber and physical assets makes it difficult to perform a cost-benefit analysis on security investment.
With critical infrastructure owners and operators facing squeezed profits and limited resources, building a sound business case for security is vital. This requires taking a risk-based approach that demonstrates how converged protections can cost-effectively enhance resilience.
Emerging Strategies for Converged Security
To address the security challenges of integrated ICS environments, a more holistic approach is needed that aligns cybersecurity and physical security. Some emerging strategies include:
Integrated Risk Management
Because cyber and physical threats increasingly target the same assets, security teams need to think in an integrated manner about threats, vulnerabilities, and consequences. Joint risk assessments should include the full spectrum of cyber-physical hazards and their direct and indirect effects. Unified frameworks for measuring and comparing risk are also very important for guiding defense prioritization among IT, ICS, and physical domains.
Improved Communication and Collaboration
Breaking down silos between cyber, operational, and corporate security teams is vital for synchronized incident response. Shared monitoring and intelligence help generate a unified view of the threat landscape to inform better resource allocation. Security teams also need to align policies, plans, and exercises that consider multi-stage cyber-physical scenarios.
Converged Security Operations
More and more security operations centers (SOCs) are adopting integrated models that centralize the monitoring, detection, investigation, and response process for cyber-physical events. Shared ‘playbooks’ allow teams to orchestrate coordinated cyber-physical responses together. Security teams are also applying DevSecOps to bind governance, processes, tools, and human skills across the protect, detect, and react lifecycle.
Unified Access Governance
Converging identity and access management for cyber and physical systems provides greater visibility and control over privileged access in ICS environments. This can reduce the attack surface by consistently managing access rights, enhancing monitoring for insider threats, and speeding incident response.
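One way to apply the converged access governance described above, as an added example that is not from the original article: it correlates badge records with local console logons on OT hosts and flags logons that have no matching physical presence. All users, zones, hosts, the 12-hour presence window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: physical access control (badge) events and local
# console logons to OT hosts. All names, zones and hosts are hypothetical.
BADGE_EVENTS = [
    ("2024-05-01T07:58:00", "alice", "control-room", "IN"),
    ("2024-05-01T12:01:00", "alice", "control-room", "OUT"),
    ("2024-05-01T08:30:00", "bob", "substation-7", "IN"),
]
CONSOLE_LOGONS = [
    ("2024-05-01T08:05:00", "alice", "hmi-01"),     # badged in: expected
    ("2024-05-01T12:30:00", "alice", "hmi-01"),     # after badge-out
    ("2024-05-01T09:00:00", "bob", "hmi-01"),       # present in another zone
    ("2024-05-01T09:10:00", "carol", "eng-ws-02"),  # no badge record at all
]
HOST_ZONE = {"hmi-01": "control-room", "eng-ws-02": "control-room"}
MAX_PRESENCE = timedelta(hours=12)  # assumed shift length; older IN is stale


def last_badge_state(user, zone, when):
    """Return (direction, time) of the user's latest badge event in zone at or before `when`."""
    latest = None
    for ts, who, z, direction in BADGE_EVENTS:
        t = datetime.fromisoformat(ts)
        if who == user and z == zone and t <= when:
            if latest is None or t > latest[1]:
                latest = (direction, t)
    return latest


def unaccompanied_logons(logons=CONSOLE_LOGONS):
    """Flag console logons with no matching physical presence in the host's zone."""
    findings = []
    for ts, user, host in logons:
        when = datetime.fromisoformat(ts)
        state = last_badge_state(user, HOST_ZONE[host], when)
        if state is None:
            findings.append((ts, user, host, "no badge-in for zone"))
        elif state[0] == "OUT":
            findings.append((ts, user, host, "logon after badge-out"))
        elif when - state[1] > MAX_PRESENCE:
            findings.append((ts, user, host, "badge-in is stale"))
    return findings


if __name__ == "__main__":
    for finding in unaccompanied_logons():
        print(finding)
```

A finding can mean shared credentials, tailgating, or remote use of an account that should only be used locally, so each one is a lead for both the cyber and the physical security team.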
Enhanced OT Cybersecurity
Legacy ICS present inherent security challenges, but approaches like network segmentation, custom application whitelisting, and monitoring ICS traffic and protocols can reduce risk. Passive cybersecurity measures like multi-factor access authentication, removable media policies, and firmware access controls also limit exposure.
Cost-efficient and scalable cybersecurity measures purpose-built for control systems, like virtual patching, help strengthen defenses. Micro-segmentation and private 5G networks can further isolate and secure OT environments hosting critical processes.
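The monitoring of ICS traffic and protocols mentioned above, as an added example that is not from the original article: a passive check that parses request frames and alerts on write commands from hosts outside an allowlist. It assumes Modbus/TCP as the protocol, which the article does not name; the addresses, allowlist, and sample frames are constructed.

```python
import struct

# Assumption: the plant speaks Modbus/TCP. Addresses below are constructed.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ALLOWED_WRITERS = {"10.10.1.20"}  # hypothetical engineering workstation


def parse_request(adu: bytes):
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(adu) < 8:
        raise ValueError("truncated ADU")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not 0")
    # The MBAP length field counts the unit id plus the PDU bytes.
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"txn": txn_id, "unit": unit_id, "function": adu[7], "data": adu[8:]}


def review(frames):
    """Return alerts for malformed frames and writes from non-allowlisted sources."""
    alerts = []
    for src, adu in frames:
        try:
            req = parse_request(adu)
        except ValueError as exc:
            alerts.append((src, f"malformed: {exc}"))
            continue
        name = WRITE_FUNCTIONS.get(req["function"])
        if name and src not in ALLOWED_WRITERS:
            alerts.append((src, f"unauthorized {name} to unit {req['unit']}"))
    return alerts


# Constructed sample frames: (source address, raw request bytes).
SAMPLE = [
    ("10.10.1.30", bytes.fromhex("000100000006010300000002")),  # read registers
    ("10.10.1.20", bytes.fromhex("000200000006010600010064")),  # allowed writer
    ("10.10.1.30", bytes.fromhex("000300000006010600010000")),  # write, not allowed
    ("10.10.1.99", bytes.fromhex("0004000000ff0103")),          # bad length field
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```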
Improved Physical Hardening
Enhancing perimeter security, access controls, and surveillance around critical OT infrastructure is vital. Physical hardening measures like security guards, fencing, alarms, video surveillance, and intrusion detection help deter, detect, and delay threat actors.
Resilience by Design Principles
As new greenfield sites are built and legacy plants are replaced, this is the time to integrate resilience-by-design principles into both physical and cyber infrastructure. This means architecting sites to withstand a wider range of threats, designing for safe failure modes, and designing backup systems that don’t allow for a single point of failure.
Emphasizing Cyber-Physical Security in Standards and Regulations
Although governance frameworks have evolved, work remains to address integrated cyber-physical risks in the standards and regulations for critical infrastructure. Clear minimum expectations for joint cyber-physical planning, response, reporting, and resilience programs would lead to more robust and coordinated protection efforts industry-wide.
Developing Cyber-Physical Security Culture and Expertise
Continuous joint training and exercises are essential for fostering enterprise-wide awareness of interdependent cyber-physical risks. In addition, operators must invest in building multidisciplinary teams of cybersecurity, industrial control systems, physical security, and process safety experts.
Conclusion
Critical infrastructure has become increasingly digitalized over time, bringing with it new cyber-physical interdependencies and risks. Greater collaboration is needed among cybersecurity, OT security, and physical security teams to protect highly integrated ICS environments.
Protection can be strengthened cost-effectively by emerging convergence strategies developed with the goal of unified risk management, better communication, robust OT controls, physical barriers, and resilience by design. Yet talent gaps and regulatory barriers must also be addressed.
By realizing that infrastructure cybersecurity and physical security are inseparable, operators can build a holistic defense. This will be necessary to protect the highly connected and autonomous critical infrastructure of the future.