With computers now controlling critical assets, it's more important than ever for cyber and physical security managers to work together.
Comment on this article in The Forum.Linda Wilbanks can't fire a gun, but as chief information officer at the Energy Department's National Nuclear Security Administration, she's working with executives to ensure nuclear materials don't fall into the wrong hands. Why is the CIO involved in keeping nuclear materials secure? "Somewhere along the line, there's going to be IT controls" involved, Wilbanks says.
The distinctions are disappearing between securing physical assets like radioactive material and securing information stored on laptops and in networks. Computers have become the de facto mechanism for controlling critical infrastructure. Networks manage not only sensitive data but also the operations of everything from generators to water pumps to nuclear reactors. Many of these systems are accessible through the Internet, which means agencies run the risk of a hacker shutting down operations or a catastrophic failure.
"There are many overlapping components in IT security, cybersecurity and physical security," says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "More recent is the desire of our opponents to exploit those [overlapping components] and use them against us by bringing down our critical infrastructure remotely."
In March 2007, researchers at the Idaho National Laboratory demonstrated to the Homeland Security Department how they could go online to hack into the programs that control the operations of a generator and manipulate settings so it would self-destruct. The scene of a generator shaking, spewing steam and then breaking down sent shock waves through governments and corporations.
DHS later developed the National Infrastructure Protection Plan and strategies for each economic segment to provide a coordinated approach to protect networks that operate critical infrastructures in the areas of finance, transportation and utilities.
The U.S. Computer Emergency Readiness Team's Control Systems Security Program coordinates infrastructure network protection, offering resources such as a control system cybersecurity self-assessment tool, a curriculum for security training and recommended practices. But agency needs vary, influenced largely by the type and sensitivity of assets. Best practices focus on comprehensive risk assessment, collaboration between those responsible for the security of physical assets and IT, and a governance structure that ensures the managers in charge aren't the weak link.
"[Physical] access restrictions to a particular asset are not good enough if you're also giving all employees access to its networked control system," says Robert Jamison, undersecretary for DHS' National Protection and Programs Directorate. "Agencies have to understand that if they have control systems or physical assets that are connected to a network that is connected to the Internet, there is inherent risk."
In theory, if CIOs conduct risk assessments, as required under the 2002 Federal Information Security Management Act, then protecting physical assets shouldn't add much work, if any. FISMA requires agencies to determine the risk if a hacker gained access to its information systems. Each is assigned a level of risk - low, medium or high - and then the agency determines which security controls to apply.
If an agency deems an asset high risk, it should do as much as possible to shield the system from access. At the National Nuclear Security Administration, IT systems that link to sensitive control systems are housed on the agency's highly classified red network, which is not connected to the Internet. NNSA has classified one of its two other networks as yellow, because it connects semiclassified IT systems and includes extensive access controls. The agency has classified the third system as green, because it connects nonclassified systems and manages information delivered to the public Web site.
To provide guidance on how to assign risk to systems, the National Institute of Standards and Technology released Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."
"The NIST process is absolutely superb," says Marian Cody, senior information security officer at the Environmental Protection Agency. "What I don't see, however, is the same bible for those who handle physical security. . . . You have to know what you have, and then you have to know the associated risk so you can figure out how to protect it."
NNSA launched its network infrastructure classification this spring, almost a year after an employee at Los Alamos National Laboratory entered a protected vault and saved on a flash drive information on underground nuclear weapons tests that was stored on a classified computer server. The employee printed more than 200 pages of documents to work on them at home.
"In that case, it was shortcomings in physical and cybersecurity," Wilbanks says. Access to the server was not protected properly, allowing the thumb drive to be attached and data to be downloaded, and gates that block access to computer servers were not locked. Now cybersecurity managers work with managers in charge of physical security to conduct inspections of the labs and infrastructure. The team spends four hours a week walking through facilities to check security.
Physical security has long been isolated from IT at federal agencies, and changing that can be hard. But some agencies like NNSA have changed their reporting structure to ease collaboration between the physical and cyber worlds. Wilbanks reports to the deputy administrator of NNSA, whose office collects data on new assets that facilities commission. At NRC, the CIO also carries the title of deputy executive director for corporate management, which oversees physical assets.
"There's alignment that allows closer coordination and cross fertilization," Howard says. "It's new, but it's clear that it will be advantageous to have that level of integration that provides both sides a seat at the same table. We can learn to speak a common language."