This post first appeared on Federal News Network. Read the original article.
Discussions on cybersecurity mostly revolve around protecting digital infrastructure and various software systems. Physical infrastructure and its security is often overlooked. But the physical security of buildings that host the digital infrastructure and people are equally important.
Foreign governments, terrorist outfits and malicious actors put in regular efforts to undermine and destabilize our government and its infrastructure. In the modern world, government functions and federal agencies function relying on robust digital infrastructure. Bringing it down means government functions grind to a halt. Government and agency infrastructure are targets for cyberattacks due to this reason.
Federal agencies should take efforts to protect the digital and physical infrastructure of their buildings. The ways in which cyber criminals pose a threat to an entity are called attack vectors. From the point of view of cyberattacks, federal buildings have two broad attack vectors:
- Attacking digital infrastructure to gain control of federal buildings.
- Accessing physical infrastructure to gain access to digital infrastructure.
The first kind of attack focuses on a hands-off approach to gain access to digital infrastructure. Cyber criminals gain access to the digital infrastructure of federal agencies through malware, phishing attacks or other attack methodologies without physically accessing the infrastructure. This unauthorized access is used to move laterally through the digital infrastructure to control the software systems that control the physical infrastructure. This could include access control systems, HVAC systems, elevators, etc. This unauthorized access can be used to wreak havoc in federal buildings. Such a digital cyberattack could be used to damage the physical infrastructure of federal agencies. As federal buildings and infrastructure are becoming increasingly connected to a network, the risk of this mode of attack has increased manifold.
The other mode of attack is to infiltrate the physical infrastructure to gain access to the digital infrastructure. Criminals gain physical access to federal buildings to gain access to network installations and network devices. This access is used to insert themselves into the digital infrastructure. Infiltration devices can be connected to the network infrastructure to gain digital access. This is then used to monitor and extract information from federal agencies.
Physical attacks on the infrastructure may seem far-fetched as agency buildings are physically guarded with armed personnel and well-defined access controls. Many federal buildings host data center infrastructure in their own buildings. Those buildings are accessed by guests, contractors, vendors and suppliers beyond federal agents. Remember that the contractor network of DoD had more than 400 vulnerabilities that required mitigation. Such stakeholder vulnerabilities can be used to gain unauthorized physical access to agency buildings to access the physical infrastructure. Such physical threats are often overlooked by cybersecurity experts, creating a vulnerability cybercriminals can exploit.
Comprehensive risk mitigation
Federal agencies have to consider comprehensive strategies to mitigate cyber security risks. Risk mitigation needs to consider cyber threats posed by the digital infrastructure and the physical infrastructure. Some major actions federal agencies should consider implementing are discussed in the following sections.
The cybersecurity framework (CSF) laid out by the National Institute of Standards and Technology provides structured guidance to identify vulnerabilities in digital systems. Use CSF as the guideline to assess the cyber risks faced by agency buildings. Make sure to include physical and digital vulnerabilities while assessing cyberthreats. The assessment will generate insights into the vulnerabilities in assets and infrastructure that can be exploited. The outcome of the risk assessment can be used to create and put in place a cybersecurity plan.
Many federal personnel, contractors and vendors need to access the physical and digital infrastructure of the agency. All such personnel do not need to have access to the complete infrastructure. Ensure you have proper access control protocols in place to ensure employees have access only to the resources they need to complete their tasks. Implement the Principle of Least Privilege wherein each personnel is given only the least amount of privileges and access required to accomplish their task. Infrastructure like network cables and WiFi installations do not need to be accessed by personnel regularly. Federal agencies should implement protocols to limit access to such critical infrastructure.
Monitoring is a proactive measure to prevent any cyberattack. Agency buildings need to have systems in place to regularly monitor the physical and digital traffic in their infrastructure. This includes installation and monitoring with the help of security cameras to keep track of what is going on in the physical infrastructure. Real-time monitoring and threat detection software is helpful in monitoring the digital infrastructure.
One of the major threats is the access given to various stakeholders to federal buildings and networks. Agencies should have a vetted list of trusted stakeholders they can rely on. All personnel of the stakeholder companies should also undergo security scrutiny. Federal agencies should not opt for services from vendors and contractors that have not undergone security checks.
Incident response plan
Prevention is better than cure. But in case of a cyber incident, federal agencies should have a well-defined plan in place to respond to any cyberattacks. All possible attack scenarios have to be explored and respective plans have to be prepared. Having an incident response plan helps federal agencies to get back up and running without much delay. Follow the National Cyber Incident Response Plan (NCIRP) to create custom plans for each federal agency and infrastructure.
In a nutshell…
Cyberthreats against government agencies and infrastructure are on the rise from hostile foreign actors and terrorist outfits. While focusing on the security of digital infrastructure, agencies often overlook the importance of protecting the physical assets of the network. Federal agencies need to create and implement a multi-pronged cyber risk mitigation plan addressing the physical and digital vulnerabilities of the agency. This will improve the security posture of federal agencies and their infrastructure.
Patrick Chown is the owner and president of network installation company, The Network Installers. The Network Installers specializes in network cabling installation, structured cabling, voice and data, audio/visual, commercial wifi and fiber optic installation for industrial and commercial facilities.