Conducting Hybrid Security Risk Assessments to Address Physical Cybersecurity Exposures | AIChE

Authors 

Leith PhD, H. M. - Presenter, AcuTech Group, Inc.
Quinn, E. - Presenter, AcuTech Consulting Group


From a security perspective, we have finally reached what was once considered a distant vanishing point: companies can no longer afford the luxury of treating physical/technical security and cybersecurity as parallel but separate disciplines and still expect to achieve a comprehensive security program. Historically, many professionals have downplayed physical cybersecurity issues, believing that strong but separate physical/technical security and cybersecurity silos were sufficiently robust to effectively mitigate the exposures posed by physical cybersecurity threats.

Although physical cybersecurity issues have been identified by the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Energy Regulatory Commission (FERC), the International Information Security Certification Consortium, and others, there has been little guidance on how to effectively assess physical/technical security and cybersecurity concurrently using an integrated security risk assessment (SRA) methodology to identify and mitigate physical cybersecurity exposures.

The SRA process has demonstrated that the human component of physical access to cybersecurity nodes has historically been marginalized or ignored. Extensive resources have been allocated to addressing remote internet threat actors while overlooking or even tolerating the growing reality of physical threats posed by “trusted” insiders, contractors, vendors, and criminal enterprises. The failure to adequately assess physical spaces containing cyber-assets has become increasingly evident across a wide spectrum of facilities, leading to inadequate security and insufficient protection of cyber-nodes from malevolent physical compromise. Cyberspace mitigations do not provide a viable remediation strategy to address the malicious elements of human behavior, nor has conventional physical/technical security adequately assessed or remedied the exposure of cyber-assets, on the assumption that such exposures were being mitigated by the cybersecurity discipline.

This presentation discusses assessing physical cybersecurity using the ANSI/API Standard 780 SRA methodology, along with countermeasures that have proven effective in delivering the hybrid risk analysis essential to identifying and mitigating blind spots that historically have been overlooked. While there is no universally applicable solution-set that will completely address all physical/technical and digital security exposures, there is a strong business case to be made for addressing threat-agent attributes associated with the digital networks that must be included in hybrid SRAs to ensure that physical cybersecurity exposures do not go unmitigated.

This paper has an Extended Abstract file available; you must purchase the conference proceedings to access it.