With cyberattacks increasing, chief information officers (CIOs), chief information security officers (CISOs), and chief security officers (CSOs) are working hand-in-hand to defeat these hackers.
As reported by James Rundle in The Wall Street Journal on April 26th, 2023.
Cyberattacks are blurring the lines between physical and digital risks, forcing cybersecurity and physical security chiefs to work closely together to combat threats, executives say.
Cyber-physical threats, where an attack on computer systems might cause damage to property or people, or vice versa, have long been a concern for companies in the defense-industrial base, power utilities, and other critical-infrastructure sectors.
Now security chiefs across industries are becoming increasingly concerned that even a minor technology disruption after a hack could have real-world risks.
At Schneider Electric SE, CIO Elizabeth Hackenson said she now works closely with the company’s chief information security officer and chief security officer, who is responsible for safeguarding facilities against intrusions and damage. The three are peers in the company’s hierarchy, she said, regularly sharing threat intelligence and planning for scenarios where a converged incident might occur.
Ms. Hackenson said concerns at Schneider, which specializes in energy management and automation technologies for residential and commercial properties, center on what they could be missing. A physical attack on one of the company’s plants or distribution centers, for instance, could distract attention from a cyberattack if the cyber, IT and security divisions aren’t sharing information, technology, and resources to analyze information.
“The threat actors are always ahead, and they sometimes use newer technologies better than we do, so I feel this new cyber-physical threat is something that we absolutely have to pay more attention to,” she said.
Hacks have had material consequences in the past. A cyberattack against Ukrainian power stations caused blackouts across Kyiv in late 2016, and similar strikes were attempted during the opening phases of Russia’s invasion in 2022. Recently, leaks of U.S. intelligence material suggested that pro-Russia hackers infiltrated systems within Canadian energy infrastructure operators, giving them the ability to shut down machinery or even cause explosions.
Although cyber-physical tactics have traditionally been considered a tool of nation states, the critical importance of technology to companies across sectors means that even low-level criminal cyberattacks can have pronounced impacts on day-to-day operations.
“If you take a ransomware attack in something like a hospital, and that shuts the hospital down, that caused a physical action from a cyber event,” said Marshall Heilman, chief technology officer at Alphabet Inc.’s Mandiant threat-intelligence unit.
Sometimes the actions of a hacked company trigger physical aftermath. When Colonial Pipeline Co. was hit with ransomware in May 2021, the company decided to shut down tech systems to prevent the malware’s spread. In turn, Colonial temporarily stopped transporting fuel, shutting down the largest fuel artery on the U.S. East Coast for six days.
Getting cybersecurity and corporate security on the same page isn’t always an easy task. While both functions deal with security in a broad sense, the disciplines involved are different, said Dave Komendat, who was the CSO for aerospace giant Boeing Co. until retiring from the company in October.
Cybersecurity tends to be a technical function, focused on network defense, while corporate security has been traditionally concerned with personnel and the protection of physical assets, which requires both sides to learn about the other’s jobs, Mr. Komendat said. He is now an independent consultant.
“The hard part about this is the reluctance from CSOs to dip their toe in the cyber pool. For many of them, it’s still a foreign language, it’s scary to them and so the easy thing to do is just push it away,” Mr. Komendat said.
Cybersecurity chiefs, too, are finding that industry advances are forcing them to learn more about protecting physical infrastructure. Auto makers, for example, now oversee networks of electric-vehicle charging stations.
At Boeing, Mr. Komendat oversaw the physical security of the company’s facilities worldwide and roughly 2,000 security employees, and his responsibilities extended to networks for classified programs. While the company didn’t have a converged security model where cyber and physical were under one roof, he said an “intentional” model of shared resources and intelligence was critical.
“Our commitment to each other was ‘no surprises.’ If there was something happening in my world, in the physical security world, then there’s the potential that it’s going to have an impact on the cyber side,” he said.
Determining which threats have the potential to become cyber-physical in nature can be challenging, said Ms. Hackenson of Schneider Electric.
Companies generate reams of information from their networks and physical security systems in text, video, photographs, and other forms of data. Finding patterns across that data that could indicate a coordinated cyber-physical attack would be difficult for humans, she said.
Artificial intelligence will likely be required to effectively analyze threats fast enough to respond, given how quickly ransomware strikes and other cyberattacks can shut down systems, she said.
“If we can marry that with real-time data on the physical event side, I think that becomes powerful,” she said.