
Cyber Physical Threat – Bridging the Cultural Divide

Written by our in-house resident editor, Lyndsay Turley, an experienced communicator and cybersecurity advocate for over 15 years.

As a concept, the convergence of cyber and physical security has always seemed logical. In practice, however, while many can agree that the threats to physical and IT infrastructure are increasingly similar, the defences are anything but. Despite many years of talking about convergence, accountability for emerging areas of cyber-physical risk remains unclear. As both operational technology and IT advance technically, the gaping hole in organisational security seems to be widening.

“People can buy commercial drones with awesome cameras; analyse Street View on the Internet; and take advantage of social engineering for intelligence gathering.  Things that were the preserve of governments are now cheap and accessible for others. There is a lot out there,” warned one CISO 360 speaker, a former intelligence officer, at our Congress in Rome last month.

Cyber-physical threat became a persistent theme at Congress this year, with a role to play in most of the “top 5” concerns to emerge from event discussions – ranging from ingenious human social engineering, through the risk of long-lived IoT encryption becoming obsolete in a quantum era, to the persistent lack of security by design in the proliferation of connected fridges, kettles, toys and more.

The most telling moment emerged from an interactive group exercise, when the CISOs in the room admitted they were unclear who should, or who would be best placed to, manage the threat posed by an autonomous drone flying outside a tall building. The threat was to the safety of the building and the employees within it, and was therefore a physical security issue, yet one that derived from a sophisticated piece of technology. Questions over accountability for the maintenance of sophisticated air conditioning systems met with a similar response, even though everyone in the room was familiar with the infamous case histories of vulnerabilities in such systems that had been successfully exploited.

Discussions pointed to cultural differences between information technology, plant and operational technology, and industrial technology that prevent genuine collaboration and leave different areas of the business to march forward on their own. This was illustrated by Telstra, which put SCADA risk at the top of the threat landscape in its Security Report this year, citing companies' increasing dependency on automation: “Organisations are working with multiple vendors and are not aware of all the possible devices that may reside on the same network. Vendors tend to manage exposures to the outside world which means that overall security is now much more affected by industrial suppliers than before.”

“It is not that the risks aren’t acknowledged but the pressures are changing. Air gap is becoming a dirty word, even for legacy systems, with the pressure to integrate industrial systems more and more,” said one workshop participant. He pointed out that advances in robotics are being made, for example, to avoid the need to shut down for scheduled maintenance, and that these advances underpin availability as a key objective for industrial systems. Specialised controllers have become the backbone of process control, including SCADA systems.

“The real challenge is the different priorities, practices, technologies and cultural issues that create real tensions between information technology, corporate security and operation technology groups,” he said.

Our group did suggest that the time for a convergence plan and shared responsibilities may be approaching, as the long-established operational priorities around safety, not just economic loss, increasingly come under threat from cyber-attacks. This thought was aptly illustrated by a university researcher who shared his motivation for looking into the security of robotics: “We particularly looked at robots and security because of the fundamental change in how robots are being deployed. They (and the humans operating them) used to be protected in separate spaces, cages. Now humans are not just operating robots they are interfacing with them,” he said. “We need to be fundamentally redesigning cyber-physical systems to, not just avoid concerns, but allow them to achieve their purpose in the case of a hack.”

My observation is that this conversation remains immature despite the decades of talk. We may well be approaching a tipping point for the convergence of cyber-physical risk with the rise of the machines, their autonomy, and their connection to our corporate networks, but we haven’t yet figured out how to bridge the cultural divide that appears to be leaving us vulnerable.

The conversation is set to continue. Cyber-physical risk and security convergence is a key theme for the upcoming CISO 360 Asia in Singapore this September and CSO 360 Congress in Budapest in December, international think tanks developed and hosted by Pulse Conferences. Join us if you can. The more experience we pool, the closer we get to resolution and the further we move the agenda forward as communities.
