Cyber and Physical Threats Illuminate Need for Security Convergence in Energy Sector – HS Today – HSToday

Security convergence is the industry term used to describe the uniting of cyber and physical security into a single organizational structure. It is a point of discussion among practitioners since ASIS International and the Information Systems Audit and Control Association (ISACA) established the Alliance for Enterprise Security Risk Management an organization dedicated to this concept 17 years ago. Yet only 52.5 percent of large companies surveyed are either fully or partially converged, as noted by Megan Gates in the latest issue of Security Management. Gates also cites the Colonial Pipeline incident, which operated as a traditionally siloed cyber and physical security program and is now merging security functions in the wake of experiencing a crippling ransomware attack in May. Critical infrastructure providers, particularly those in the energy sector, cannot operate effectively with cyber and physical security information siloes in place.

With rapidly changing geopolitical risks, persistent cyber threats, enduring COVID-19 with seasonal hot spots, and violent kinetic attacks and conflicts occurring globally, companies have re-thought traditional enterprise risk management frameworks to account for all risks and hazards. The risk surface for critical infrastructure providers particularly those in the energy sector is complex.

First, energy providers that deal in the dynamic world of dispersed generation, distribution, and transmission operations often have a vast array of infrastructure located in all types of threat environments ranging from urban to isolated rural areas. These bulk-electric system sub-stations, or critical pipelines, for example, fall under varying regulatory oversight (including NERC/CIP, CFATS, and TSA Pipeline Security directives), most of which require robust cybersecurity and even physical security controls (e.g., NERC/CIP 14). Second, energy providers are increasingly susceptible to Operational Technology attacks cyber attacks that target physical infrastructure and can have a devastating physical impact beyond operational disruption.

Additionally, sophisticated cyber attacks against the grid are increasingly how state actors attempt to punish adversaries in a non-attributional or obfuscated way. Earlier this year, DHS even warned of domestic violent extremists targeting infrastructure for physical attack to create widespread chaos and undermine confidence in the government. In September, the Nord Stream pipeline was sabotaged under the Baltic Sea a stark reminder of the disruption a surgical attack can have on exposed infrastructure. Global geopolitical instability has only increased the potential for a converged attack, in which a sophisticated threat actor gains access to a critical site or location and introduces malware directly into ICS/SCADA systems a threat vector that no amount of air-gapping IT/OT systems can prevent. Worse, a coordinated cyber and physical attack, targeting disparate key bulk-electric system nodes concurrently, could have an amplifying and cascading effect.

Based on these threats, regulators are attempting to drive greater security convergence and physical-cyber coordination within the energy sector. In addition to outlining physical security requirements, TSAs latest Pipeline Security Directive, released in July, requires covered Owner/Operators to have an up-to-date Cybersecurity Incident Response Plan that includes measures to reduce the risk of operational disruption. In addition to baseline cybersecurity criteria, NERCs CIP-014-1 Physical Security also requires transmission operators to identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.

NERCs Electricity Information Sharing and Analysis Center (E-ISAC) also leads the GridEx exercise biannually to offer member and partner organizations a forum to practice how they would respond to and recover from coordinated cyber and physical security threats and incidents. GridEx planners continue to anticipate a rise in sophisticated, coordinated attacks that will challenge traditionally siloed security organizations. When read holistically, these key regulatory and exercise regimes highlight converging cyber and physical risks.

The criticality of the sector, its reliance on decentralized, exposed infrastructure, and the creativity and sophistication of adversaries demand the dismantling of information siloes within security organizations. The best way to eliminate siloes is to converge security functions under a single, accountable executive responsible for security-related risk management decisions and investments. An incremental model would see physical security programs converge with OT security functions (vs. the entire IT cybersecurity ecosystem), uniting under a single chain of command critical functions that prevent, respond, and recover from hybrid threats and attacks.

To manage these tail risk security contingencies, or those risks with low probability by high consequence, a converged or dedicated cross-functional team can:

Convergence is not a panacea, appropriate for every company and every sector. Cybersecurity and physical security practitioners have specialized skillsets and experiences that have evolved over time and warrant continued specialization. Each bring unique perspectives that can illuminate how an adversary would exploit a vulnerability. However, critical infrastructure providers particularly those within the energy sector lack inherent protections afforded to other industries (e.g., co-locating high-value assets or systems, less persistent threat activity, and limited physical impacts from an attack). Instead, these organizations are the target of sophisticated threat actors, operate vast arrays of exposed infrastructure with inherent physical and cyber vulnerabilities, and provide services that directly impact societys ability to function. Now is the time for the energy sector to earnestly consider converging security functions to effectively manage an unprecedented threat landscape.

Read the original post:

Cyber and Physical Threats Illuminate Need for Security Convergence in Energy Sector - HS Today - HSToday