Maintaining a focus on physical security

Published by Hydrocarbon Engineering

In today's technology-driven world, where cyber threats dominate headlines and organisations invest significant resources in safeguarding their OT and IT infrastructure from digital threat vectors, the importance of facility physical security can sometimes be overlooked. However, it remains an essential component of enterprise risk mitigation.

A comprehensive security strategy should prioritise and address both cyber and physical vulnerabilities. After all, a malicious actor in either area can cause significant undesirable outcomes (e.g. compromised employee health and safety, damage to equipment, lost production, etc.).

Old threats, new technology

Despite advancements in technology, some hazards will continue to exist. Insider threats, for example, always pose a significant risk to organisations. Typically, these types of attacks are orchestrated by individuals (e.g., employees, contractors, trusted partners, etc.) who have authorised access to systems, data, or facilities but misuse that access for malicious purposes. The threat they present can range from accidental breaches due to negligence or lack of awareness, to deliberate acts of sabotage, espionage, or data theft.

Insider threats can be particularly challenging to detect and mitigate because the individuals often have legitimate access and can exploit their privileges without raising suspicion. Some of the best prevention methods for this type of risk are implementing robust access controls, regular monitoring, and employee awareness programmes. Promoting a culture of security and vigilance can minimise the potential impact of insider threats, and valuable assets such as sensitive information can be better safeguarded.

Vandalism, theft, and the release of toxic or flammable substances are also ever-present risks to facilities. In recent years, many organisations have upgraded their assets to include the latest digital monitoring equipment, promoting the rapid uptake of industrial cybersecurity measures. However, this does not eliminate the risk of physical attempts at vandalism, theft, or purposeful releases, nor does it negate the need to defend against such attempts. Organisations should remain vigilant against these threats, even in a cyber-focused world.

Evolving physical threats

Cyberattacks are typically the first thing that comes to mind when discussing the impact of increased digitalisation on industrial plant security. However, physical attack vectors have also evolved with technology.

One prominent example of a physical attack vector is unmanned aerial vehicles (UAVs), or drones. Several high-profile drone attacks on critical infrastructure outside the US have raised questions about how facilities can protect against aerial attacks. While most of these incidents originate from nation-states or designated terrorist groups with military-grade UAVs, access to recreational drones is now ubiquitous.

Whether operating within the bounds of the plant incidentally or with malicious intent, even the most unsophisticated UAVs can easily penetrate traditional physical security measures (e.g. fences, gates, perimeter cameras, etc.). Most enterprises did not have to consider this when their plant was originally built, thus potentially leaving them exposed to such modern-day threats.

Even on greenfield projects today, the implications of a drone attack are not always incorporated into facility risk assessments. Part of this is attributable to the perception that nothing can proactively be done to prevent such an occurrence. However, this is only true in some cases, as certain critical areas of the facility can be hardened.

By incorporating the threat into a facility risk assessment, personnel will be forced to think about reactive measures if an event does occur, which is important to help minimise its impact and better preserve safety after the fact.

Embracing the concept of ‘security-by-design’, which prioritises integrating security features into the facility during its development, is also important. By addressing physical threats as early as possible with the same rigour and focus as those in the digital space, organisations can enhance their overall security posture, mitigate threats, and help ensure business continuity.

Countries such as Singapore are leading physical security regulations in up-front building design through their Infrastructure Protection Act (IPA). In the future, as threats to mission-critical facilities continue to evolve, it is expected that other countries will implement similar regulations.

Threat, vulnerability, and risk assessments

To help ensure that all physical security risks are addressed, it is beneficial for enterprises to perform either security vulnerability assessments (SVAs), threat and vulnerability risk assessments (TVRAs), or both. Each constitutes a comprehensive approach to risk mitigation and can help facilities develop an effective physical security strategy by:

  • Better understanding the unique threats they face - when conducting a threat assessment, facilities can start by identifying adversaries, their intent and capability, then review tactics from past attacks at similar locations to estimate the threat to the organisation.
  • Assessing vulnerability - understanding the threat is essential, but the ability to deter attack is amplified by understanding vulnerability. Vulnerability can be considered as the psychological, sociological, or physical characteristics that leave an asset unprotected or exploitable for attack. Typically, the emphasis is on physical security vulnerabilities, but the human factor can make or break security efforts. Thinking “it will never happen here” or “it will never happen to me” can add to vulnerability.
  • Quantifying risk - risk is defined in the basic form as “R = L × C”, where R is risk, L is the likelihood of the event occurring, and C is its consequence. When it comes to performing risk calculations, most organisations focus heavily on the consequence term of the equation without measuring it against its associated likelihood. This makes it difficult to accurately prioritise risks and efficiently allocate resources toward mitigation measures. It also shifts the focus away from identifying critical vulnerabilities in infrastructure and leaves operations unprotected from ‘low probability’ events. To develop a complete risk profile, both the consequence and likelihood terms of the risk equation should be thoroughly evaluated.

After quantifying the risk, enterprises can begin to take preventative action by physically hardening infrastructure, such as utilising perimeter protection, blast analysis and design, facade strengthening, disproportionate collapse mitigation, local hardening of security command centres, and more. Another important step is security systems evaluation and design (i.e. intrusion detection, monitoring and surveillance, access control systems, security policies and procedures, redundancy evaluations, etc.), along with the implementation of dependency mitigation measures related to emergency backup power, spare parts, supply chains, emergency response, and so on.

Conclusion: an investment, not a cost

Adversaries continually seek the weakest link in their target’s security. Therefore, a balanced and well-thought-out security profile that includes cybersecurity and physical security can be vital for effective facility protection and safety.

In the ever-evolving landscape of cybersecurity threats, physical security continues to play an indispensable role in protecting organisations. While cybersecurity measures are vital and growing in importance, they should be accompanied by robust physical security measures to provide comprehensive protection.

In both the physical and cyber worlds, security should not be viewed as a cost but as an investment to improve the overall safety of the facility. Organisations must remember that one of the primary goals of any security measure is to preserve the safe, reliable operation of physical infrastructure.


Written by Nelson Duran, Director of Operations for the Protected Design Group, ABS Group.