Our increasingly connected world gives hackers even more ways to exploit technology for malicious purposes. We’re now entering a period when cyber attacks could cause major physical damage. To protect people from these combined cyber and physical threats, information security experts and law enforcement, which traditionally handles physical security, will have to share strategies.
After all, the boundaries between cyber and physical attacks are already blurring. In March, the U.S. Department of Justice claimed seven Iranians in New York state in 2013. The dam was offline for repair, preventing the hackers from controlling the flow of water. However, the incident demonstrated that hackers could take over infrastructure that was controlled by computers.
And, of course, there was the Stuxnet computer virus that stymied Iran’s nuclear program by targeting the centrifuges that enriched uranium. Stuxnet is considered the first program that showed how malware could cause physical damage.
Now with more items gaining web connectivity as part of the Internet of Things (IoT) movement, the need to physically protect devices from hackers will only increase. Information security professionals will be called on to make sure attackers can’t tamper with the brakes on our autonomous cars or hack our smart thermostats and turn off the heat in our home during the winter.
Like I’ve said in previous columns, talking about these flaws, which researchers have already discovered, isn’t meant to spread fear. Raising these topics will hopefully result in security being included in a product’s development instead of being treated as an afterthought.
Fortunately, the key steps companies can follow to defend physical assets – proper planning, thorough testing and extensive collaboration – can also help defend against cyber attacks.
The best plans are built around scenarios that could potentially happen. Police officers use this tactic to prepare for potential security incidents. While on patrol, officers will think about how they would deal with an incident at one of the buildings on their beat. They’ll consider what could occur, such as a perpetrator escaping through the roof.
Companies need to follow this process when responding to an information security incident. Quickly remediating a threat isn’t enough. Security teams need to consider what else could have happened. Attacks often contain components that are intentionally easy to detect, leading security teams to falsely believe they have fully stopped an attack. In reality, elements remain that allow the attack to persist. Just detecting the smallest sign of atypical behavior can allow security analysts to discover the entire attack. For example, a computer that’s running slow could be infected with malware, which could mean a company was the target of a phishing attack and an employee clicked on a malicious link.
Proper planning also means developing an incident response plan that includes the input of key people in every department. Often times only a company’s IT and security personnel are involved with planning because they’re the ones who handle a breach. But dealing with the fallout from a security incident requires the efforts of the whole company. Hospitals, for example, may want to include their public relations staff in the plan, since the company maybe legally required to publicly disclose a data breach.
Conducting a full-scale simulation is the best way to test how your security plan would hold up in a real-world incident. Holding drills will expose any of the plan’s weaknesses, providing companies with an opportunity to improve it before a real incident occurs.
Red team-blue team exercises offer an opportunity to merge physical testing and cyber security testing and determine how physical systems can protect online systems and vice versa. In many organizations, protecting gigabit Ethernet is a priority for people handling physical security, since being online is essential for all businesses. Knock out a business’ Web connection and that takes down its email, IP phones and employee access to servers. From an IoT perspective, conducting penetration testing on a product will expose vulnerabilities, allowing a company to fix them before the item goes on sale.
And don’t forget to allow employees to weigh in on the security plan. Often workers have the best advice on what additional details would improve it.
When either a physical or cyber security incident occurs, a company will undoubtedly need help from people outside the organization to resolve the situation.
For example, the chief security officer of a large company may want to reach out to the local fire and police departments and discuss how first responders would handle a situation at the organization. On the cyber security side, companies may need to have an incident response firm on standby to remediate a threat if they suffer a data breach. Or law and public relations firms maybe needed to handle the fallout from an attack.
Too often, though, businesses are reluctant to collaborate with third parties, fearing that corporate secrets will accidentally get exposed. In reality, these people are essential to helping your business return to normal as quickly as possible after an incident. Companies need to develop relationships with these entities long before an emergency. Waiting until a situation arises to collaborate with outside organizations is too late. Companies will be far too busy handling the incident to explain how your business works and form a substantial relationship.
Organizations can no longer afford to handle physical security and cyber security separately. Attackers aren’t distinguishing between the two, and companies can’t either if they hope to stay protected.
This column previously appeared in Network World.