Time to Accept the Value of a Converged Approach

Among operators of critical infrastructure, risk assessment is being forced to adapt to three realities: cyber attack is in many ways becoming a more effective and attractive route into an organisation; physical security can be undermined by cyber means; and cyber defences can in most cases be circumvented when the attack comes from within the perimeter.

More importantly, a full appreciation of vulnerability to these combined or ‘converged’ threats also recognises the vulnerabilities inherent in interdependencies, both within critical infrastructure operations and with external organisations, that can threaten physical and information assets. The latest developments in cyber threats have illustrated how disruptive sudden changes can be to the evaluation and redevelopment of security plans and budgets. They also highlight the limitations of techniques that take a static view of risk within fixed conceptual boundaries: because they fail to account for ‘external’ factors and for the flows of information through connected processes and technologies, they confine risk mitigation to local or ‘internal’ contexts.

Converged risk is becoming more accepted as a term for the combination of IT and physical security risk into one over-arching risk landscape. To a degree this is being driven by the convergence of the systems themselves: as physical security systems (access control, CCTV, alarm and building management systems) are increasingly networked and IT dependent, IT and network security is now crucial to the integrity of those systems, and that dependency is forcing a conceptual and organisational convergence. While IT security has long recognised the risk of unauthorised physical access to the network, physical security now needs to face up to the risk of cyber attack against its own systems.

In 2013, all operators of critical infrastructure will need to conduct critical reviews of their security risk strategy, questioning the assumptions that have underpinned their decision-making. This will require broader consideration of lower-probability, catastrophic incidents, a better appreciation of the dynamic and converged risk environment, and a concerted effort to allow for ‘Black Swans’, the unknown unknowns.

Adopting a converged risk approach therefore means assessing the combined or converged risk, rather than each domain in isolation, in order to mitigate multiple and simultaneous threats. This requires a new way of organising security measures to mitigate converged risks, one that combines technology, processes and safeguards, and management structures and systems into a single security risk framework integrating IT and physical security. By bringing IT and physical security together, a converged approach to risk assessment and management can consider the full range of vulnerabilities dynamically across the three recognised dimensions of physical risk, people risk and process risk, and across infrastructure, operations and specific events. It is, however, fraught with organisational and cultural complexities.

Long-established incident response and contingency planning provides a proven platform for cross-departmental cooperation and organisation, and encompasses working practices that offer a natural starting point for a more collaborative and inclusive approach to examining emerging risk scenarios. However, the rising profile of cyber domain threats, when considered holistically, will require a considerable repositioning of the information technology (IT) and operational technology (OT) stakeholders within any team tasked with assessing risk.

IT and OT teams operate in quite different environments and tend to respond to a crisis independently of each other; nevertheless they must become fully integral members of the team that considers converged risk. Attempting this tends to expose organisational weaknesses that have gone unaddressed to date.

Invariably this will require an urgent reassessment of responsibility for risk management, through senior management and up to Chief Risk Officer (CRO) level, which in some infrastructure operators is still lacking. It must also resolve the internal question of who ultimately ‘owns’ risk management, as distinct from who is accountable for it.

As greater focus develops on cyber security, augmenting the existing understanding of information assurance risk and broadening the view of threats to intellectual property and other proprietary information assets, traditional security risk managers will increasingly need to become conversant with IT concepts in order to integrate the cyber domain effectively with the physical security ‘world’. The gap is even more apparent at board level, where some decision-makers and budget holders have little or no background in security or IT and only a rudimentary understanding of cyber threats.

Cyber risk analysis is developing rapidly, especially now that it is receiving more media attention. Ensuring that the right investment is channelled appropriately depends both on the people involved and on the process they follow. Chief Information Security Officers (CISOs) are invariably technology-oriented and tend not to have a view of the entire security risk landscape; moreover, they have limited influence on the company’s overall risk appetite and broader business goals.

More interestingly, their relationships with Chief Security Officers (CSOs) will need to change, and this in itself will raise a range of issues that challenge CSOs. The rising profile of cyber security will turn the spotlight on the CISO, and budget allocations for information and network security are projected to rise considerably, which is already causing pressures and jealousies between the cyber and physical security stakeholders.

In some firms there are already signs that this is antagonising CSOs who consider information and network security secondary to physical security, and who may therefore never appreciate the extent to which convergence requires a new set of attitudes towards security. Moreover, they may resent the increasing reliance on technology for security mitigation, and point to technology as a growing source of vulnerability to the organisation, particularly where systems replace guard roles that were less effective and more expensive.

It is crucial to resolve this situation in order to enable risk-informed management and decision-making, because the converged risk assessment process requires complete and unbiased vulnerability and capability assessments. Contentious or conflicting views between cyber and physical security managers may distort the aggregated view, in the same way that a poor appreciation of the overall risk landscape leads to myopic prioritisation of investment or recommendations for action. The integrity of management decisions therefore requires that threats, and their potential impact, are reported and understood clearly, so that appropriate investment and processes can be put in place to contain the risks.

Posted: 18 April 2012 by Optimal Risk Administrator