Creating a secure cyber-physical environment: A converged approach
James Thorpe
ISJ hears from Paul Wood CSyP FSyL RSES CPP CISM.
Security risks exist in a myriad of guises, both human and non-human, directed from within and outside of an organisation (Wood, 2021).
Recognising this polymorphic state, it has become increasingly accepted that a converged approach to security is necessary to ensure the effective protection of critical assets.
The protection of operational technology, industrial automation processes and critical assets which are central to the functioning of industries and critical infrastructure should be approached in the same way.
Although conscious that security designers may be challenged by the legacy state of OT and historic infrastructure, reasonable steps should still be taken to design proportionate security systems which detect inappropriate access and potential intrusions and delay the access to critical assets long enough for an effective response to be initiated.
The appropriate installation of layers of effective barriers, access control points and detection tools will help to deter potential threat actors from attacking these critical systems, as the reduced opportunities offered by mitigated vulnerabilities and the increased risk of detection may counter the level of motivation that individuals have to conduct both hostile reconnaissance operations and sabotage attacks.
While traditional security approaches have predominantly focused upon applying layers of reactive security solutions, triggered by breaches of defined rules and processes, there is a growing interest in socio-technical cyber-physical security and its influence upon the human and cultural aspects of security in operational environments.
This is a particularly important concept to grasp in the volatile geopolitical landscape we operate in, within which there is a risk of sabotage activities being conducted by internal and external proxies, potentially directed by nation state actors.
This rapidly evolving human threat landscape coincides with the increasing recognition of the important role that human actors play in security systems.
This has encouraged the growth of behavioural change programmes, designed to increase the security mindedness of individuals, as well as to increase the vigilance of members of a workforce to threat actors.
The return on investment of such developments offers immense value, but rather than existing in isolation, they should perhaps continue to take place in concert with the design and implementation of effective physical protective security designs.
Aligned with the views of Pasmore et al. (1982: p. 1182), the consideration of the socio-technical security of cyber-physical systems should hold in mind the close relationship between “the social and technological subsystems” of an organisation, within which people use technology to produce products or services.
In order to ensure that operational activities are conducted securely, alongside the ongoing identification and assurance of security tools and processes, the influence of human factors warrants further consideration.
In a paper titled ‘Relational Security: A Cultural Shift’ (2021), it’s suggested that the development of cultural understanding is integral to ensuring that a workforce adopts appropriate security behaviours and displays increased security mindedness and vigilance.
Naming this approach, Relational Security, it’s suggested that rather than solely rely upon the direct design and implementation of security solutions and the deployment of people, processes and technology, Relational Security encourages the effective adoption of proactive and positive behaviours on the part of every member of a team and organisation.
Recognising that the increased movement of people and devices has moved the security perimeter from static security tools like firewalls to people, their identities and access, proactive security which incorporates behaviour-based security has become a necessary component of an effective Information Security Management System (Wood, 2021).
This too is of paramount importance within many operational technology and industrial automation and control systems, given the potential reliance on legacy systems, with limited internet network connectivity.
As such systems are not protected in the same way as wider IT networks, systems require greater focus to be placed upon physical and personnel security controls and the development of programmes to improve the behaviours of members of a workforce, in order to mitigate risks to both IT and OT infrastructure.
In addition, increased levels of vigilance and security mindedness will reduce the ability of the key threat vectors of insiders and saboteurs to move freely and to operate undetected.
The relational security approach focuses on encouraging people to care for each other, assets and an organisation.
Emphasising that people are an organisation's threat, vulnerability and protector, by positioning people at the heart of security and focusing upon their role as protectors, such an approach may encourage the development of secure cyber-physical operational environments.
Cross-cutting across a number of cyber-physical problems, organisations may benefit from taking the time to determine human motivators and the factors which encourage people to care about security and the role they play.
This will help organisations to overcome the barriers to effective physical and socio-technical security, identify ways to improve it, and, crucially, may help to develop the cultural change and system acceptance needed to support the effective adoption of physical, personnel and cybersecurity developments.
This deep dive into an organisation, its culture and existing processes can help it to develop confidence in physical security systems and the security of cyber-physical systems.
Positive engagements can fundamentally increase the risk awareness and maturity of a workforce and improve an organisation's ability to identify and effectively mitigate risks to operational systems, thereby supporting the identification and implementation of appropriate physical security designs.
This positive feedback loop creates an organisational environment within which everyone arguably adopts elements of the roles of Security Penetration Testers and Architects.
This force multiplier effect will support the overall achievement of a security strategy, protecting people, assets and information accordingly.
Dr Paul Wood MBA CSyP FSyL RSES CPP CISM
As a seasoned security professional, Paul has been instrumental in the design of the converged security architecture and operating models needed to effectively protect global corporations, locations of national importance and government agencies and services.
Following distinguished service with the UK military, specialising in surveillance and reconnaissance, Paul has developed and directed global security services, so as to provide organisations with the confidence needed to operate in the complex modern threat landscape.
In addition to leading Emerging Risks Global, Paul sits on the Board of The Security Institute, is a NED for a government department and advises on a number of global industry standards committees. This has included advising government partners on the security measures needed to protect organisations, ranging from small start-ups, to regulated critical national infrastructure.
Having authored a plethora of research focused on the concept of trust and the human factor in security, Paul is also responsible for developing frameworks designed to increase the crisis resilience of organisations.
He regularly presents to global audiences about his behavioural change-based approach to developing ‘Relational Security’, which encourages everyone to ‘care’ about security.
References
- Pasmore, W., Francis, C., Haldeman, J. & Shani, A. (1982). Sociotechnical Systems: A North American Reflection on Empirical Studies of the Seventies. Human Relations, 35 (12), 1179-1204.
- Wood, P. (2021). Relational Security: A Cultural Shift. Professional Security, Nov.
- Wood, P. (2021). Socio-technical Security: User Behaviour, Profiling and Modelling and Privacy by Design. In: Challenges in the IoT and Smart Environments: A Practitioners’ Guide to Security, Ethics and Criminal Threats, 75-91.