Bridging a governance gap: physical and cyber security
How can physical security improve cyber security?
The scene for a typical hacker movie: a few ragtag young idealists are trying to get access to the systems of an evil corporation to obtain a McGuffin. Layer by layer they are able to strip down the different firewalls until they are finally at the core. Maybe something goes wrong and they have to start over, perhaps some romance evolves between certain characters, but the “hacking” part of the plot usually does not significantly differ from what is described here.
Yet, more and more people come to realize this is not what happens in reality. Quite often, a cyber breach is possible because prior physical access was obtained beforehand, before the system could be compromised. Unfortunately, security governance structures of organizations still seem to treat physical and cyber-attacks as separate non-linked, events. This silo or stove piped approach is inadequate. The two domains are more and more intertwined due to evolved technology, and are likely to be challenged interchangeably by converged threats, as vulnerabilities are exploited by the physical and cyber domain in conjunction.
A recent master thesis written for the master Crisis and Security Management established a framework outlining what critical success factors contribute to security convergence, with a specific focus on critical infrastructures (CI) because of the high societal importance in adequately securing these kinds of infrastructures. Disruptions, incapacitation or destruction would have debilitating impact on the environment, health, safety, economic and social wellbeing of citizens and on the effective functioning of government and society as a whole. However, different departments in CI are often responsible for only a piece of security, and thus not able to consider security risks holistically.
The framework consists of eleven key elements for security convergence, on both the strategical, tactical and operational level. At the strategical level, the first key element is a security vision which describes the meaning of security to the organization. The second is a security strategy in line with the security vision that outlines the high level way forward with regards to security. The third key element, in addition to the vision that articulates the function of security, is the alignment of security with the organizational values in general. The fourth key element is the incorporation of security into the overarching Enterprise Risk Management (ERM) practice.
At a tactical level, the security vision and strategy should be translated to the fifth key element, a security policy, which describes a set of basic principles and associated guidelines to pursue the defined long term goals. The sixth key element is concerned with the alignment and linkage between the security vision, strategy and policy to ensure that security is embedded equally in all levels of the organization. The seventh element is the existence of a security risk management process at tactical level driven by a security policy. The eighth key element is that different security related risks are holistically considered, regardless the source (physical or cyber). The ninth key element is communication and information sharing throughout the process to make sure that all stakeholders in the process are informed, involved and aligned. The tenth key element is top-down direction from strategical to tactical level and from tactical to operational level. The eleventh element is the other way around, the bottom-up reporting from operational to tactical level and from tactical to strategical level.
Besides these key elements, twelve enablers for successful implementation of the framework are identified, including but not limited to consideration of the organization’s risk culture, support from the top, mutual understanding and acceptance, clear establishment of ownership, oversight and monitoring of progress and effectiveness.
This framework supports analytical thinking towards proper security convergence, both for design and implementation. It does not drive a movie plot as well, but in the real world it will make it less likely for an converged attack to be successful, since physical and cyberattacks are viewed as linked events.
The master thesis was reworked into a paper. For more information on both, you can contact the author at firstname.lastname@example.org.