It’s hard to have a crystal ball in the world of security, but if one were to make a safe prediction, it’s this: Organisations will need to further integrate their cyber security and physical security functions throughout 2022 and beyond. So argues former chief psychologist for the U.S. Secret Service, Dr. Marisa Randazzo, who now heads up Ontic’s Center of Excellence.
Dr. Marisa Randazzo, Executive Director, Ontic Center of Excellence
The convergence of cyber and physical security functions reflects the increasing interplay of digital systems and the physical world, and the growing consensus that a gap in one realm leaves the other exposed.
But silos between the two security functions continue to exist. In some cases, it’s for those that oversee cyber security to understand the need to share information and coordinate with physical security professionals responsible for facility access control, protection of assets, etc.
And for both security functions – physical and cyber – it may also come down to cost: each department has a budget to meet and may fear collaboration could lead to competition for already-limited resources.
When security experts discuss cyber-physical convergence, they reference a few well-known incidents in which an external actor remotely manipulates an internet-connected system to impact the physical world, such as the Colonial Pipeline attacks of 2021 that impacted fuel supplies in the south-eastern United States, or the infamous take-down of the Ukrainian electrical grid in 2015.
These incidents are eye-opening. But they can also give the false impression that cyber-physical convergence sits firmly in the domain of the IT team. In cases like the Colonial Pipeline cyber-attack, there’s very little role for a physical security team. The attack vector lies purely in the cyber realm. These commonly cited cyber-physical threat scenarios carried out by malicious external actors can also obscure the insider threat: the risk posed by current and former employees who may once have been trustworthy but eventually pose a threat to the organisation.
Threats from within
In my time at the U.S. Secret Service, I co-directed a major study of cyber insider threats across critical infrastructure sectors that included interviews with insiders who had sabotaged or exploited information systems within their organisations. From the Secret Service, we brought expertise from the domain of physical security and partnered closely with cyber security experts from the Software Engineering Institute (SEI) at Carnegie Mellon University, recognising that both domains of expertise were necessary to thoroughly understand incidents of cyber sabotage carried out by current and former employees.
This collaboration was necessary – in particular during our interviews of the insiders themselves. In every interview, we included a physical security expert from the Secret Service and a cyber security expert from SEI to probe the pre-attack thinking, planning, motives, and other behaviours of the insiders. Both experts were needed to be able to thoroughly understand the information obtained from the insiders – and to verify the credibility of what we learned in the insider interviews.
One key finding that we uncovered is that insiders who sabotage or exploit information systems don’t just snap. Before major incidents, they follow a pathway of planning and research. They engage in troubling behaviour that is observable – online and in person – and that alarms co-workers and friends. In some cases they tell others explicitly about the malicious insider activity they are planning. This finding illustrates that information about potential insider threats may be known to physical security personnel, or cyber security personnel, or both before harm occurs. This underscores the need for these departments to share information to prevent insider sabotage.
We also found that their motives were often highly personal and were related to problems that the employees were facing when they decided to exploit or sabotage the organisation’s information systems. Some insiders were under financial stress and used the information systems to embezzle funds or access proprietary information that they then sold to competitors. Other insiders felt unappreciated for their work and wanted to prove their expertise by creating a cyber breach that they then solved. And in other cases, the employee was facing discipline or termination and wanted to embarrass the organisation or ruin its brand reputation.
Across these cases, some pre-incident information was observable within the insiders’ online behaviour, while other pre-incident behaviour was observable in the insiders’ offline or in-person behaviour. Again, this highlights the need for cyber security professionals and physical security professionals to work together to prevent insider threats.
Cooperation is key to prevention
It is interesting to note that the findings from the Secret Service/SEI research on cyber sabotage closely parallel pre-attack behaviour in cases of workplace violence: employees who carry out acts of workplace violence typically plan out their attacks in advance, engage in observable behaviour that alarms co-workers or supervisors, and often tell other people about their violent plans beforehand.
Experts in the field of threat assessment and threat management know that collaboration between multiple disciplines – such as physical and cyber security, human resources, and employee assistance or mental health – is critical to preventing acts of workplace violence. The same is true for preventing insider acts of cyber sabotage or exploiting information systems.
When cyber security and physical security professionals work together, they stand a chance of preventing acts of physical violence as well as cyber sabotage. Those who work in the field of behavioural threat assessment already know that physical security and cyber security are often closely linked, especially when it comes to concerns about current and former employees. Employees who engage in troubling or odd behaviour online may also be engaging in alarming in-person behaviour in the office or on Zoom calls, etc. However, if those responsible for physical security and those responsible for cyber security don’t communicate with each other, they may miss opportunities to share information, ‘connect the dots’, and identify growing concerns.
And when security professionals determine that someone is on a “pathway to violence” or is planning cyber damage to the organisation, they can try to determine what is driving that behaviour. For example, what problem is the employee trying to solve or what challenges are they facing? It is possible to move someone off the pathway to violence – or away from plans for cyber sabotage – if we can help them solve those underlying problems. Sometimes connecting a stressed employee to financial counselling, or changing supervisors or departments, can be all that is needed to defuse hostilities and mitigate risk. A holistic approach, shared by IT, HR, and physical security, may even be able to help employees obtain counselling that could both save their job and avoid more destructive acts.
Benefits of cooperation
As we head into 2022, survey data also underscores the growing need for cyber and physical security to work together: in a recent poll of IT and physical security leaders conducted by the Ontic Center for Protective Intelligence, 37% agreed most of the physical threats their company received in 2021 originated as a cyber-threat. In the survey, the pre-incident indicators (or threats) first appeared in cyber auditing tools, in email, on social media, or in antivirus software via cyber-breach or ransomware attack.
But sometimes organisations face roadblocks in trying to foster this collaboration. Here are a few ideas for working around them.
First, try to determine where the obstacle lies. Is it a particular manager or department head who may not want to give up ‘territory’? Is it a language barrier where physical security personnel and IT security personnel simply don’t understand each other’s professional terminology? Or is it confusion over what the other department does and where there is any overlap in responsibilities?
Once you have a sense of where the resistance may lie, you can craft a strategy for fostering better communication and collaboration. It can be as simple as inviting someone for a cup of coffee to hear about what they do in their department, what concerns and challenges they face, and where you can begin to share information. And you might even look for someone who ‘speaks’ both languages – that is, who understands the terminology of cyber security as well as physical security and who can serve as a translator of sorts as your departments get to know each other.
The key, for organisations, is increased cooperation between what has been, for years, siloed operations. It’s easier than you might think.
About the author
Former chief psychologist for the U.S. Secret Service, Dr. Marisa Randazzo is an international expert on threat assessment and threat management. As Executive Director of the Ontic Center of Excellence, she offers strategic consulting and services to support clients in developing and managing threat assessment and protective intelligence programs.
1 Comment
Peter Evans
January 16, 2022 8:52 pm
Interesting article and viewpoints. In addition to both sides (cyber + physical security) needing to work together, there is going to be more boardroom attention paid to physical security going forward. Cyber normally gets most of the attention and funding, but boards are realizing that physical security is also very important, given the rise in violence, shootings, and other events at stadiums, in workplaces, and schools. At the same time, physical security is marred by a physical, labor-based, reactive approach. Over the past 10-15 years we’ve seen significant advancements in cybersecurity through the use of AI and ML – essentially digital innovations…