The convergence of cybersecurity and physical security functions reflects the increasing interplay of digital systems and the physical world, and the growing consensus that a gap in one realm leaves the other exposed.
But silos between the two security functions continue to exist. In some cases, it's for those that oversee cybersecurity to understand the need to share information and coordinate with physical security professionals responsible for facility access control, protection of assets, etc.
And for both security functions – physical and cyber – it may also come down to cost: Each department has a budget to meet and may fear collaboration could lead to competition for already-limited resources.
When security experts discuss cyber-physical convergence, they reference a few well-known incidents in which an external actor remotely manipulates an Internet-connected system to impact the physical world, such as the Colonial Pipeline attacks of 2021 that impacted fuel supplies in the southeastern United States, or the infamous takedown of the Ukrainian electrical grid in 2015.
These incidents are eye-opening. But they can also give the false impression that the cyber-physical convergence sits firmly in the domain of the IT team. In cases like the Colonial Pipeline cyberattack, there's very little role for a physical security team. The attack vector is purely the domain of the cyber realm. These commonly cited cyber-physical threat scenarios carried out by malicious external actors can also obscure the risk posed by current and former employees that may have been trustworthy but eventually pose a threat to the organization from insider threats.
Threats From Within
In my time at the US Secret Service, I co-directed a major study of cyber insider threats across critical infrastructure sectors that included interviews with insiders who had sabotaged or exploited information systems within their organizations. From the Secret Service, we brought expertise from the domain of physical security and partnered closely with cybersecurity experts from the Software Engineering Institute (SEI) at Carnegie Mellon University, recognizing that both domains of expertise were necessary to thoroughly understand incidents of cyber sabotage carried out by current and former employees.
This collaboration was necessary – in particular during our interviews of the insiders themselves. In every interview, we included a physical security expert from the Secret Service and a cybersecurity expert from SEI to probe the pre-attack thinking, planning, motives, and other behaviors of the insiders. Both experts were needed to be able to thoroughly understand the information obtained from the insiders – and to verify the credibility of what we learned in the insider interviews.
One key finding that we uncovered is that insiders who sabotage or exploit information systems don't just snap. Before major incidents, they follow a pathway of planning and research. They engage in troubling behavior that is observable – online and in person – and that alarms co-workers and friends. In some cases, they tell others explicitly about the malicious insider activity they are planning. This finding illustrates that information about potential insider threats may be known to physical security personnel, or cybersecurity personnel, or both before harm occurs – thus underscoring the need for these departments to share information to prevent insider sabotage.
We also found that their motives were often highly personal and were related to problems that the employees were facing when they decided to exploit or sabotage the organization's information systems. Some insiders were under financial stress and used the information systems to embezzle funds or access proprietary information that they then sold to competitors. Other insiders felt unappreciated for their work and wanted to prove their expertise by creating a cyber breach that they then solved. And in other cases, the employee was facing discipline or termination and wanted to embarrass the organization or ruin its brand reputation.
Across these cases, some pre-incident information was observable within the insiders' online behavior, while other pre-incident behavior was observable in the insiders' offline or in-person behavior. Again, this highlights the need for cybersecurity professionals and physical security professionals to work together to prevent insider threats.
Cooperation Is Key to Prevention
It is interesting to note that the findings from the Secret Service/SEI research on cyber sabotage closely parallel pre-attack behavior in cases of workplace violence: Employees who carry out acts of workplace violence typically plan out their attacks in advance, engage in observable behavior that alarms co-workers or supervisors, and often tell other people about their violent plans beforehand.
Experts in the field of threat assessment and threat management know that collaboration between multiple disciplines – such as physical and cybersecurity, human resources, and employee assistance or mental health – is critical to preventing acts of workplace violence. The same is true for preventing insider acts of cyber sabotage or exploiting information systems.
When cybersecurity and physical security professionals work together, they stand a chance at preventing acts of physical violence as well as cyber sabotage. Those who work in the field of behavioral threat assessment already know that physical security and cybersecurity are often closely linked, especially when it comes to concerns about current and former employees. Employees who engage in troubling or odd behavior online may also be engaging in alarming in-person behavior in the office or on Zoom calls, etc. However, if physical security responsibilities and cybersecurity domains don't communicate with each other, they may miss opportunities to share information, "connect the dots," and identify growing concerns.
And when security professionals determine that someone is on a “pathway to violence” or is planning cyber damage to the organization, they can try to determine what is driving that behavior. For example, what problem is the employee trying to solve or what challenges is that person facing? It is possible to move someone off the pathway to violence – or away from plans for cyber sabotage – if we can that employee solve those underlying problems. Sometimes connecting a stressed employee to financial counselling, or changing supervisors or departments, can be all that is needed to defuse hostilities and mitigate risk. A holistic approach, shared by IT, HR, and physical security, may even be able to help employees obtain counseling that could both save their jobs and avoid more destructive acts.
Benefits of Cooperation
As we head into 2022, survey data also underscores the growing need for cyber and physical security to work together: In a recent poll of IT and physical security leaders conducted by the Ontic Center for Protective Intelligence, 37% agreed most of the physical threats their company received in 2021 originated as a cyber threat. In the survey, the pre-incident indicators (or threats) first appeared in cyber-auditing tools, email, on social media, in antivirus software via cyber-breach or ransomware attack.
But sometimes organizations face roadblocks in trying to foster this collaboration. Here are a few ideas for working around them.
First, try to determine where the obstacle lies. Is it a particular manager or department head who may not want to give up "territory"? Is it a language barrier where physical security personnel and IT security personnel simply don't understand each other's professional terminology? Or is it confusion over what each other does and where there is any overlap in responsibilities?
Once you have a sense of where the resistance may lie, you can craft a strategy for fostering better communication and collaboration. It can be as simple as inviting someone for a cup of coffee to hear about what they do in their department, what concerns and challenges they face, and where you can begin to share information. And you might even look for someone who "speaks" both languages – that is, who understands the terminology of cybersecurity as well as physical security and who can serve as a translator of sorts as your departments get to know each other.
The key, for organizations, is increased cooperation between what has been, for years, siloed operations. It's easier than you might think.
About the Author
Former chief psychologist for the US Secret Service, Dr. Marisa Randazzo is an international expert on threat assessment and threat management. As Executive Director of the Ontic Center of Excellence, she offers strategic consulting and services to support clients in developing and managing threat assessment and protective intelligence programs.