It has been one year since I wrote about critical infrastructure protection. Over the past 12 months, I experienced the security industry through a new lens of security practices, allowing me to span the 16 sectors and sub-sectors of the U.S. Critical Infrastructure. Change has been the continuity of progress in how our security industry continues to learn, adapt, and evolve. Another observation that remains static is the struggle security practitioners have to gain a consensus or wield the influence to apply acceptable security practices.
The Good, the Bad and the Ugly. Many of us are familiar with the classic Clint Eastwood movie. At least my generation. The movie has nothing to do with the security field or critical infrastructure protection, but the catchy title is a retrospective way to frame out discussion points.
The Good
People: In the communities and industries where we live, work, learn, or play, we expect to be safe. People are generally good. People want to feel protected. Challenges for security practitioners remain over differences with individual perceptions or group think - some still view security measures as a hindrance, evasion of privacy, low probabilities of unwanted occurrences, and unnecessary costs. This will remain both an opportunity and challenge for instituting balanced security practices. The key to success is “engagement” through all forms of communication to highlight the importance and support for protection programs. A further engagement component is ensuring people know how to report situations and observations – see something, say something – and ensuring their comments are listened to, with feedback provided. This feedback loop makes individuals feel heard and valued in the security process.
Another aspect of The Good within our community is that there is a higher percentage of talented women and men in the security industry than many others. Most require elevated pre-employment background checks, technical training, and security clearances at the entry and sustainment levels. This leads to a more advanced and trustworthy community of practitioners, capable of delivering higher levels of qualitative services at every level. Their trustworthiness and competence should instill a sense of security and confidence in our audience, knowing that they are in good hands.
Equipment and Technology: We are fortunate to work in an industry where our manufacturers continue to explore advances for new and improved products and technology. This is good. As threat actors continue to improve their tactics and techniques, we as an industry must be ahead and able to adapt quickly. This will be a continuing cycle. The partnerships between the end-users with security industries, government agencies, academia, and research centers will continue as an essential knowledge and experiential foundation for advancement.
Training and Awareness: As organizations claim their people are their greatest assets, safety and security training and awareness are significant measures to back the intent. Challenges surround allocating time for training, competing with many training subjects, and some cases of cynicism. Real-world experiences, liabilities, and other people’s tragedies help validate the necessity for training.
Convergence: The drumbeats have been getting louder and louder for nearly 20 years. If you can’t hear them, time to get your hearing checked. Cybersecurity has quickly moved to the forefront of the security world. Nearly everything in our lives and businesses is driven by technology. Nearly everything security has a technology component…and we now live in the advent of Artificial Intelligence. The information/cybersecurity world has labeled the non-cyber world “physical security.” We continue to hear reality stories where security teams get reorganized into a collective security component under an information security head.
Whether the inevitable happened or not, convergence is the new reality. Under a unified risk management construct, threats, vulnerabilities, criticalities, consequences, mitigation, and recovery measures should be the operating model. Security is Security and not a division of efforts. The best approaches are a unified leadership model, a collective of policies, security risk management, investigations, compliance, training, and financial management applied to managers who oversee their respective operations.
The Bad
Insider Threats: This is a silent horror that usually incubates within organizations. Insider threats are categorized by different types of behaviors and motives to deliberately or accidentally cause harm and disruption. The common thread of a vulnerability is the “trusted” access provided. The familiar gaps are lackluster control measures allowing third parties unchecked access into a workplace or poorly associating individual behaviors until it is too late. Many third-party risk management programs, office leases, and service contracts ignore physical credentialing programs and further allow unescorted physical access in the workplace, especially during non-business hours.
Incorporating insider threat as a credible risk, with collective program measures [to include] access controls and credentialling (physical and virtual), Third-Party risk management (background checks), individualized confidentiality agreements, and contract/lease language, with awareness training helps tighten the exposure for the insider threat.
Cyber Incidents: This is the new normal. Like most homes, businesses, and vehicles have varying locking mechanisms to safeguard people and property, the same holds true with technology and data. The complexity is much greater because technology continues to expand in every aspect of society, with the threat spanning across the globe. With that comes the harmful effects. Unlike many criminal or distressing incidents, cyber incidents can go undetected and have wider-area impacts.
Cyber threats and threat actors continue to evolve, becoming more sophisticated in their techniques and tactics. Security programs must continue to adapt and try to stay ahead of the threats. Cybersecurity programs and risk committees must recognize protective strategies are not one-dimensional, but a collective of aligned, recognizable, and funded programs.
Policy and Compliance: There are differing views on the strength of security policies. I lean towards the prescriptive nature of policies versus vagueness and hollowness. Limited or bad policy leads to bad things happening. Allowing bad behaviors is setting those behaviors as a standard. Additionally, there must be a measure of compliance enforcement. A good example I have seen surrounds the wear of a security badge and anti-tailgating in office complexes. I have seen differences in organizations with strict policies that are communicated and enforced, compared to an open and uncontrolled environment…until something bad happens. Security policies like security plans must pass the “FAS Test” – Feasible, Acceptable, and Suitable. They must have the backing of senior management with the appropriate resources to enact and measure. The unique aspect of policy is that it can be changed and waived, and exceptions are applied.
Governance & Risk Management: Just as policies need substance and a compliance nature for effectiveness, a requirement exists for management controls and cross-functional positive leader influence. Security practitioners must have the active backing of senior leadership to influence people and operations. Part of a meaningful governance framework is risk management. Risk management is more than a catchy pair of words; it is a complete, formalized process inclusive of all security practices inculcated into a framework.
Third-Party Risk: Like risk management, I have seen third-party risk management diced up with many assorted flavors by different process owners. Reducing exposure to the workplace requires equal diligence for non-employees requiring access to the networks and data as consultants or contractors and non-employees requiring unescorted physical access to the workplace. Similarly to an enterprise approach for risk management, the same is essential for third-party risk management.
Lack of Convergence: Just as the convergence of the digital and physical space is important, the lack of it will continue to expose organizations. Bias and experiences [or lack thereof] will weaken protective strategies without unity. In the military we are taught the principle of Unity of Command - all forces operating under the authority of a single commander who directs them toward a common goal. A divide between security and accompanying security risk management practices weakens an organization’s ability to unify a comprehensive approach to protection management.
Complacency: In law enforcement, we are taught “complacency kills,” or the word has been used in the workplace context as the “silent killer.” Complacency continues to haunt organizational appetites for resource-protective practices. A common theme I have listened to for nearly 40 years has been, “I never thought this would happen to me” or “I never thought this would happen to our organization.” Complacency will remain a stand-alone risk category, with the unfortunate results producing negative consequences. Complacency avoidance begins from the top, with a supportive structure, and a foundation of training and awareness.
Uncrewed Systems (Drones): The rise of the machines is here. Drones continue to be a part of our lives – air, ground, and water. In unfortunate circumstances, the bad guys are also employing drones for a myriad of surveillance, nefarious, and harmful activities. It is also fair to say that laws associated with countering uncrewed systems have not caught up to the employment of the technology. Only a select group of government and military agencies have limited authority to take down an ariel drone. There are approaches and technologies to detect, identify, and locate drones and their operators. To start this process, the threat of drone capabilities should be included in risk management measures. Incorporate counter-drone detection technologies into perimeter security. There is no operational benefit to prolong the inevitable.
The Ugly
Mass Casualty / Weapons of Mass Destruction (WMD): There is no question that mass casualty events and WMDs are Ugly, as well as scary. These subjects are rarely discussed outside the security realm and many parts of the inner security sphere. Unfortunately, the threat is real. Active shooter scenarios and the use of Chemical, Biological, Radiological, and Explosive weapons are authentic and further expanded with the addition of drugs used as a weapon (CBRE-D).
The sabotage of food/water, healthcare products, and prescription drugs remains a credible threat. It is easy to ignore, as a low probability or negligible risk, until the day of an attack. Training in hostile surveillance and response measures are initial steps to mitigate events. Investment in detection technology through AI surveillance systems and advanced sensors is readily available for heavily populated venues. First responders are measurably ready when an incident occurs. The true measure relies on investments equally critical towards on-site prevention and detection measures to avoid or lessen consequential losses.
Violent Crimes: Violence in and out of the workplace is detrimental regardless of the location of the assaults. Criminals and disturbed persons either randomly or target their victims. The horrible impact on victims cascades to loved ones, communities, and the workplace, which has long-term effects. Mitigating the threat reflects the necessity of situational awareness, reporting unusual behaviors, including online activities like cyber-stalking, and physical security measures. Educating persons, managers, and human resource partners is essential to understand potential indicators and warnings of violent behaviors and take immediate action. Workplace violence plans and viable programs are essential branches of crisis management programs.
Terrorism: The threat of terrorism has unfortunately become a way of our everyday life. The fear transmitted is that terrorists can strike anywhere. Terrorism has evolved over time with adversarial tactics and techniques to match the modernization and openness of free societies. Terrorism comes in many different attack forms of violence ranging from organized nation-state actions down to self-radicalized individuals. Weapons of choice are unlimited, varying from the effects of munitions, homemade explosives, poisons, use of vehicles, kitchen knives, etc. Terrorist motives have also expanded beyond the distinctive political and religious to many other disgruntled segments of societies. The best measures to mitigate always come back full circle to the basics of situational awareness, target hardening, and expectation of governmental intelligence programs.
Disasters: Unfortunately, disasters will occur, whether environmental, accidental, or man-made. Their toll on people, communities, and business operations will remain insurmountable no matter the scale. Safety practices and safety compliance are key to preventing accidents. The planning, preparation, training, and readiness to manage a disaster are most critical. Investing in emergency response, crisis management, and continuity of operations will result in far fewer costs than dealing with the consequences of failing to prepare.
The Sequel
Is there a sequel to The Good, the Bad and the Ugly of Critical Infrastructure Protection? Probably not. It is a long-running performance that may never end. Those who work in the security industry can script out the scenes. Many of the protective basics for securing assets and incident response have remained. Security techniques and technology continue to modernize as adversaries improve their capabilities. As a community of practice, we can continue to shape the future and influence positive outcomes.