Linking Physical and Virtual Security
Jointly Addressing Physical, Cyber Risks Seen as Effective
A new report from the Government Accountability Office Wednesday is a reminder that the physical cannot be safeguarded effectively without help from the virtual.
The GAO report is entitled Pipeline Security: TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes, and addresses the efforts by a unit of the Department of Homeland Security's Transportation Security Administration - the Pipeline Security Division - to assure the security of the nation's mostly privately owned networks of pipelines.
Little of the report has to do with IT security, but the GAO assessment points out the growing synergy between physical security and cybersecurity.
The division conducts corporate security reviews with pipeline operators' security personnel based on an 8-year-old protocol that covers areas such as credentialing, security training, physical security and cybersecurity. Yet, division officials told GAO investigators they don't get involved with in-depth inspections or assessments of operators' cybersecurity systems and their vulnerabilities because the DHS unit does not possess this expertise. "They explained that other federal component agencies, such as DHS's National Cybersecurity Division, have this expertise, and pipeline operators typically have in-house expertise or contract for it," the GAO report states.
That lack of expertise can prove problematic. In a footnote in the 77-page report, GAO explains why cybersecurity is crucial to pipeline safety:
"Some pipelines may be vulnerable to 'cyber attacks' on computer control systems that are used to collect data from pipeline sensors in real time and display these data to controllers, who monitor the data and operate pipeline control equipment remotely. A pipeline operator's control system represents a significant investment on the part of the operator and is a critical resource for response and recovery in the event of a pipeline incident of almost any type."
That point isn't lost on the Pipeline Security Division. The division is drafting revised security guidelines for pipeline safety, to be issued later this year, that will include a new section on cybersecurity.
The highest ranking IT security official at DHS, Deputy Undersecretary Philip Reitinger, emphasized the interplay between physical and virtual security in June when he testified before a Senate committee and expressed some reservations about the Protecting Cyberspace as a National Asset Act of 2010. That bill - sponsored by Sens. Joseph Lieberman, ID-Conn., Susan Collins, R-Maine, and Thomas Carper, D-Del. - among other things, would create a new component within DHS to focus on cybersecurity. Reitinger, in his testimony, said it's more effective to address jointly the risks to key physical and cyber infrastructures:
"The private sector speaks the language of all hazards, they worry about risk, as a telecom would say, whether it's from a cyber attack or a backhoe. We, in government, need to step to that, and speak their same language if we want to influence how they behave in an all-hazards way, in a risk-based way, and if something bad happens, physical or cyber, to be able to address it seamlessly."
And, it's not just the fact that organizations employ cyber systems to help protect physical assets; some of the same technologies that provide virtual security furnish physical protection, too, a point made by Patricia Titus, the onetime chief information security officer at TSA, in a recent interview with GovInfoSecurity.com:
"Logical security utilizes infrastructure such as card readers and biometrics and video surveillance, which are all based on technology, so there are cyber implications to them, or virtual implications. I agree with Phil, by trying to pull them apart and put them into different agencies, you are going to have issues between the collaboration that needs to happen between the physical and virtual world."
The link between physical and digital security is just one more example of how our world is evolving to the point where the real and the virtual are becoming harder to separate.