As critical infrastructure organizations continue to invest in cybersecurity technologies, they should remain vigilant at the intersections of physical security, information technology (IT) and operational technology (OT). If those intersections are not protected, adversaries can gain direct access to their systems.
Direct access is every adversary’s dream. It is one vector an attacker can use to gain access to a system and then use that access to steal, alter or damage data. Many organizations do not consider direct access in their cybersecurity programs, but physical access to a computer can have catastrophic consequences for a company. Installing a keystroke logger, inserting a USB device to steal information, depositing malicious code, conducting an inductive charging-based attack on the system, or otherwise physically sabotaging the system(s) or their functions are all possible once an adversary has physical access.
Theft of a device or devices for later malicious use is also possible, as seen in the well-publicized Maroochy Shire sewage incident in Australia, where a disgruntled former contractor used radio equipment to issue commands to pumping stations and release raw sewage into parks, waterways and other public areas. Alternatively, rogue devices, including cellular access points, may be added to a network. This small change can allow an adversary to bypass several layers of security and reach the network later from a safe, remote location.
For many of STV’s clients in the transit, transportation and water sectors, physical security and cybersecurity are still treated as two distinct areas, which often fall under the purview of different programs or personnel within an agency. To better support our clients, we have assembled a team with a robust mix of physical security and cybersecurity experts covering the entire spectrum of security, which allows us to help agencies secure these intersections. The space between physical security and cybersecurity is not a grey area with STV as a partner.
To mitigate direct access threats, critical infrastructure providers and agencies may consider the following:
- Develop a program for asset identification, accountability and risk assessment.
- Physically secure OT assets whenever practical.
- Develop systems that deter, detect, delay, assess, communicate, and respond to physical security threats to their systems.
- Utilize a six-wall perimeter (four sides plus ceiling and floor) for physical and electronic security systems.
- Harden/secure field level devices.
- Practice good “cyber-hygiene”: lock doors, devices and cabinets, and keep better password hygiene, i.e., do not leave passwords on post-it notes or sticky labels. Also, have a responsible corporate and private device usage policy.
- Conduct cybersecurity awareness training for both new hires during onboarding, and for long-standing employees.
- Conduct regular physical reviews and walk-downs of an area.
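The first measure above (an asset identification and accountability program) is also the practical defence against the rogue-device scenario described earlier: a device an adversary quietly adds to an OT segment can only be recognized as foreign if there is an approved inventory to compare against. The following script is an added example, not STV's code or a tool from any project named on this page. It assumes a constructed inventory of approved MAC addresses with their permitted subnet, and constructed DHCP-lease/ARP-style observation lines in a simple "timestamp mac ip interface" shape; the MAC addresses, hostnames, subnets and the line format are all assumptions for the illustration and would be replaced by an agency's real asset-management export and switch or DHCP logs.

```python
"""Asset-baseline check for rogue devices on an OT network segment.

Added example (not STV's code): compares observed hosts, as recorded in
constructed DHCP-lease / ARP-style log lines, against an approved asset
inventory and reports anything unknown or seen on the wrong segment.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed approved-asset inventory: MAC -> (hostname, allowed subnet).
# MACs, names and subnets are made up for this example; a real program
# would pull this from the agency's asset-management system.
APPROVED_ASSETS = {
    "00:1b:1b:aa:00:01": ("plc-pump-01", "10.20.0.0/24"),
    "00:1b:1b:aa:00:02": ("hmi-ops-01", "10.20.0.0/24"),
    "3c:52:82:10:20:30": ("eng-laptop-07", "10.30.0.0/24"),
}

# Constructed observations in an assumed "timestamp mac ip interface" shape.
# Adapt LINE_RE to whatever your DHCP server or switch actually exports.
OBSERVATIONS = """\
2024-05-01T08:00:01 00:1b:1b:aa:00:01 10.20.0.11 ot-vlan20
2024-05-01T08:00:02 00:1b:1b:aa:00:02 10.20.0.12 ot-vlan20
2024-05-01T08:03:10 3c:52:82:10:20:30 10.20.0.40 ot-vlan20
2024-05-01T08:05:44 d4:6e:0e:12:34:56 10.20.0.200 ot-vlan20
2024-05-01T08:05:44 00:1b:1b:aa:00:01 10.20.0.11 ot-vlan20
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    reason: str


def parse_observations(text):
    """Yield (mac, ip, iface) tuples; malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, mac, ip, iface = m.groups()
            yield mac.lower(), ip, iface


def find_rogue_devices(observations, inventory=APPROVED_ASSETS):
    """Return findings for MACs not in the inventory, or inventoried devices
    seen outside their approved subnet (e.g. an engineering laptop plugged
    straight into the OT VLAN). Repeat sightings of one device collapse to
    a single finding so a noisy lease log does not flood the report."""
    findings = {}
    for mac, ip, _iface in parse_observations(observations):
        if mac not in inventory:
            findings[(mac, ip)] = Finding(mac, ip, "unknown device: not in asset inventory")
            continue
        name, allowed = inventory[mac]
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(allowed):
            findings[(mac, ip)] = Finding(
                mac, ip, f"{name} seen outside approved subnet {allowed}"
            )
    return sorted(findings.values(), key=lambda f: (f.mac, f.ip))


if __name__ == "__main__":
    for f in find_rogue_devices(OBSERVATIONS):
        print(f"{f.mac} {f.ip}: {f.reason}")
```

Run against the constructed data this reports two findings: the unknown MAC that appeared on the OT VLAN, and an inventoried engineering laptop seen on a subnet it is not approved for. The second case matters as much as the first, because the laptop passes a naive "is this MAC known?" check yet still represents exactly the kind of unsanctioned bridge into OT that a walk-down should catch. Note that MAC addresses are trivially spoofed, so a check like this raises a flag for physical verification rather than proving a device is legitimate.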
While this is not a comprehensive list, these measures will support greater security outcomes for the agency. If you are looking for a customized program built to address your specific needs, STV’s mix of technical and practical expertise allows us to work with our partners to address physical security risks to OT systems and mitigate their impact on an agency’s operations.
Beyond our clients, STV is working actively to improve cybersecurity across our practice areas. Our team features active participants in several subcommittees of the American Public Transportation Association including the Infrastructure & Systems Security Working Group, the Control and Communications Security Working Group and the Enterprise Cybersecurity Working Group. Further, we are actively participating in the development of international standards for rail system cybersecurity, traction power substations, physical security design standards, and groups working on the rollout of cyber-informed engineering.