C-level security leaders from leading organizations weigh in on the risks and opportunities of cyber-physical security convergence
In Denmark, a ransomware attack shut down a train network for several hours on a Saturday morning after a subcontractor’s testing environment was hacked. In the now well-known attack in the U.S., Colonial Pipeline ceased operations after hackers gained access to its computer networks, disrupting fuel supplies along the East Coast. A cyber attack against oil refining ports and storage facilities in Belgium, Germany and the Netherlands crippled operations at various ports and terminals in Western Europe, causing significant supply chain disruptions and delays.
As the world becomes increasingly digital, organizations are encountering more of these intersections between the digital and the physical domains. Cyber-physical convergence, where attacks that originate in either the cyber or physical domain create threats in the other—even if they share no digital connection—has shifted the way security professionals think about and prepare for potential risks.
Over a series of three webinars, Dataminr sat down with C-level security leaders in energy, transportation and financial services to discuss the real threats and opportunities behind cyber-physical convergence. Here we explore the key takeaways.
Key Takeaway No. 1: Cyber-physical risks are on the rise
Consider the realities of a modern-day airplane, cruise ship or energy grid. All are essentially giant data centers that allow for better customer and employee experiences, more accurate and personalized information, and safer industries, but they also present a larger attack surface and more opportunities for attacks.
“I hate to be ominous with it,” said David DeWalt, Founder of NightDragon. “We have this growing set of threats that are occurring, hundreds of different actors around the world that are gaining more and more capability and already have the motivation.”
In 2021, ransomware attacks in the transportation industry alone were up 176% and, in 2022, there were seven new ransomware families specifically designed to target operational technology (OT) systems. Cyber-physical ransomware is a growing trend in security as hackers use cyber attacks to access vulnerable physical systems.
This increasing digitization—from self-driving cars to HVAC systems—and interdependence between physical and cyber can greatly benefit a company’s bottom line, but not without cost.
“There’s such a drive to enhance your IT capabilities to give you a competitive edge in whatever industry you’re in,” said David Komendat, former Chief Security Officer of Boeing Company. “What doesn’t keep up most of the time is the ability to protect that enhanced technology, to put the physical, logical pieces in place that protect that. And so you keep reaching out and enhancing your capabilities, but you’re also creating a larger and larger gap [for bad actors] to exploit.”
Key Takeaway No. 2: Be aware of the risks for connected systems
Technology that is both cyber and physical can be a powerful tool for organizations, but how it’s used requires careful strategy. For example, one company has replaced security officers with robot dogs that are connected to synchronized drones. When the drones detect a potential issue, they alert the dogs, which are then deployed to investigate.
“All of that is a hundred percent on the Internet, a hundred percent network connected, a hundred percent cyber-vulnerable,” said Jason Witty, CSO of USAA. “You have to be very thoughtful about not only the business problem in physical security that could be solved by cyber means, but also the controls and what we are willing to put out there.”
Another issue arises when security teams are unaware of how many devices or machines are connected to the Internet. Typically, that means those devices aren’t properly secured.
Sebastian Lehnherr, Global CIO of Schlumberger, pointed out the risks of not having a full understanding of all assets. “A lot of people still forget that they have a lot of things out there. Digital technology which may not have been digital technology, but went through an upgrade and now it’s all of a sudden connected with real physical control on the back of it.”
Alternatively, there are assets with limited protection that hackers will specifically target because they are newly digitized.
Craig Froelich, CISO at Bank of America, said, “If you’re a bad guy and you want to be able to extract some sort of pain or harm, you’re likely to go after the path of least resistance. Oftentimes it may be something that is a newer technology that doesn’t have the decades of information security controls wrapped around it.”
Key Takeaway No. 3: Break down the CISO/CSO silos
In the past, cyber attacks and physical attacks were (mostly) mutually exclusive. But the evolution and proliferation of connected technology, like Internet of Things (IoT) devices, requires security teams to rethink their strategies and approaches to communication and collaboration to ensure they’re prepped for any kind of attack.
While there isn’t an “ideal” security organization structure, Komendat said the key is an intentional relationship between the chief security officer (CSO) and the chief information security officer (CISO), which means no surprises. If a security event is happening in the physical world, the CISO already knows and vice versa. Unfortunately, it’s not always that simple.
“The CSO at times feels threatened by the CISO. Their funding is different. The visibility, especially in today’s world, is different,” said Komendat. “A lot of times, peer CSOs have a tendency to want to be insular a little bit and that is the absolute worst position a CSO could take. They really need to reach out, build that bond and relationship with their counterpart because at the end of the day, the goals of both the CISO and the CSO are pretty similar: To protect the assets of a corporation.”
For Martin Strasburger, VP, CISO at Duke Energy, this means a fully combined information technology and enterprise security team called Enterprise Technology & Security, which reports up to a leader who is both CIO and CSO.
Elizabeth Hackenson, Global CIO of Schneider Electric, works closely with her organization’s global CISO to determine what investments and resources are necessary to manage risks. Further, their respective teams work together across issues, so when a problem arises, they’re already prepared to work together seamlessly.
And at Delta, as DeWalt noted, the CSO and CISO are in almost every one of the audit committee meetings and every one of the safety security meetings.
Regardless of the specific organizational setup, the experts all agreed it comes down to what’s most important: “Protecting business value, protecting the organization,” said Devon Bryan, Global CISO of Carnival Corporation. “That then drives the necessity and the intentionality in closely collaborating and working together.”
Bryan explained how this plays out in his organization: “We work very closely with our corporate security team, shoulder to shoulder, side by side as we triage physical and cyber threats against our global facilities.”
Key Takeaway No. 4: Extend the security conversation into the business
Security teams should prioritize ongoing, strategic conversations with senior leadership in order to secure the resources and skills necessary to protect the business.
Komendat said, “The challenge that a lot of corporations have today is there’s limited IT resource dollars in many cases and unlimited need within the company. As they’re making decisions on what they want to do, a lot of that investment goes towards, ‘Let’s enable our business. Let’s grow our business.’ The security costs that should go along with it sometimes are not maintained at the same levels.”
The best way to establish relationships and ensure true understanding is to involve leadership and other key parts of the business in actual training and scenarios.
“Get them to really understand what a cyber attack or even a physical attack might look like. How might it play out? Hold exercises where, together, you tabletop out those kinds of scenarios and figure out whether you’d be ready to respond. You always learn some good lessons,” said Strasburger.
Those exercises can also help leadership understand that, at some point, these security investments will pay for themselves by reducing potential business disruptions that are the result of a cyber-physical attack—and helping to ensure the organization can continue to run at full capacity.
Key Takeaway No. 5: Protect your systems and your business
All security team collaboration must be underwritten with solid technical solutions.
“The basics still apply,” said USAA’s Witty. His list includes:
- Event detection
- Patch management
- Vulnerability management
- Asset management
- Log management
- A good crisis management process
“Make sure the crisis management process is an all hazards process that takes into account cyber, physical, reputation—anything,” he added.
Other companies, like Carnival, use the NIST Cybersecurity Framework to prioritize assets, implement protections and report risks to audit and safety committees.
What matters most when it comes to cyber-physical risks is knowing about them as soon as they arise. These risks can have real and significant consequences that, if not mitigated early on, can spiral and create lasting knock-on effects to employees, customers, suppliers and entire industries. For security teams—both cyber and physical—this means detecting and responding to cyber-physical risks, in as close to real time as possible, is mission critical.
Dataminr has a critical role to play when it comes to the detection of such risks. Our AI platform provides real-time intelligence on cyber-physical threats as well as the earliest warnings of digital risks, external attacks and vulnerability prioritizations.