ACCESS CONTROLS: IS THAT A PHYSICAL OR CYBER SECURITY ISSUE? (YES.)

by David Pounder & Omar Tisza

Blended threats, in which attacks can cause harm to both cyber and physical systems, are a growing reality for many organizations.The more connected organizations and individuals become, the more impact technology has on their respective physical worlds. In March 2019, we were reminded of how the opposite can be true when two journalists were able to access sensitive fiber optic communications cables simply because someone forgot to lock the gate. Once they gained unimpeded access to the station, the journalists were able to go into a “nondescript hut” where the Hibernia Submarine Communication Cable reaches the British mainland. Despite having CCTV on site, the journalists were not challenged. Had they been there for nefarious purposes, they could have executed physical actions, such as tampering with cables, which could have had a direct cyber-related impact. 

• A blended threat is a “deliberate, aggressive action that causes harm to both cyber and physical systems”and a growing reality for many organizations. 
• One of the biggest concerns facing both physical and cyber security disciplines centers on access controls, whichare designed to protect employees/personnel and prevent unauthorized physical access to facilities, equipment, materials, documents, data, and to ensure network activities can continue uninterrupted.
• For the Faith Based Organizations (FBO), this means ensuring physical security controls safeguarding computer networks and infrastructure systems are equally prioritized as cyber controls to prevent theft of sensitive information and financial data and prevent any type of disruptions or exploitation to operations. 

For most of us, it is common to think of ways in which cyber actions impact physical security, such as the Ukraine powerplant attack, Mirai botnet attack, or this amusing Amazon thermostat review. But when physical actions have a cyber impact, it is a stark reminder that physical and cyber security go hand-in-hand and need to be addressed concurrently, especially in the area of access controls. Once a user is granted access to a system or network cybersecurity controls manage and track activity, but actions leading up to that access, and afterwards, are in the realm of physical security.[Understanding the various ways in which the two disciplines work together–within access controls–can help organizations from all industries improve their overall security posture.

For FBOs, physical access controls may not have as much direct impact as a larger business – but useful nonetheless – even with smaller staff. FBOs maintain sensitive financial and personal information about their members which make them an attractive target for cybercriminals. As part of their risk management approach, FBOs are encouraged to undergo a risk assessment to determine relevant controls for the type of information being protected. For example, while it may not be practical to install a badging system, key pads or safes would be viable solutions to protect sensitive information from unauthorized physical access. Considerations for risk assessments include: 

• Key & Badge Control. Employees with access to sensitive materials through a badge or key, must be aware of the responsibility that comes with this level of access. Additionally, organizations must also account for those keys through inventories. Some areas that require physical access controls include telecommunications rooms, power supply rooms, HVAC systems, server rooms, and data centers.

• Employee Termination or Change in Job Responsibility. A prime consideration around access controls addresses what happens when an employee vacates their role. It is important to work with Human Resources in these instances, but managers may need to ensure employees have the appropriate level of access that corresponds to their new role. This includes employee termination and procedures to delete access, as well as adjusting access as employees move within the organization. Likewise, personnel and responsibility changes can disgruntle employees or motivate malicious users to harm the organization. 
• Clean Desk Policy. While many organizations are moving to paper free offices, documents containing sensitive information may still be printed. Having a clean desk mitigates the risk of exposing sensitive material to unauthorized individuals.
• Laptop Computers. Portable devices used within an office need to be physically secured when left unattended, even in the office during normal business hours, to mitigate against unauthorized access to sensitive data. Likewise, never leave portable devices unattended in public spaces.

Additional unauthorized access tactics that security teams should be on guard for include:

• Tailgating.“Occurs when one or more people follow an authorized user through a door.” Sometimes individuals with authorized building access will hold the door for others who may not be authorized to enter out of courtesy. 
• Door Propping.“Propping doors open, most often for convenience, is another common way unauthorized individuals gain access to a location and potentially create a dangerous situation for the people and assets within.”
• Levering Doors.“Many doors can be levered open using something as small as a screwdriver… Advanced access control systems include forced-door monitoring and will generate alarms if a door is forced.”

In our increasingly blended threat environment, FBOs need to continue to increase their mutual understanding and collaboration within the cyber and physical disciplines. Increased awareness of the various ways in which the two disciplines work together within access controls can help organizations from all industries improve their overall security posture. So, to answer the question, are access controls a physical or cyber security concern, the answer: BOTH.

Consider joining FB-ISAO!

Read more on membership from the link at left and below.

• Learn about our Membership Programs
• Learn why your FBO should join FB-ISAO
• About our Vetting Policy
• About the Traffic Light Protocol

David Pounder is the Director for Intelligence and Analysis at Gate 15, supporting FB-ISAO. Dave provides expert threat and risk analysis, assessments and special project support for internal activities and client needs.

Omar Tisza is a Jr. Risk Analyst at Gate 15. After a brief stint in business development on the federal market, he began his role as at Gate 15 in 2018 and currently supports a number of efforts, including the Health Information Sharing and Analysis Center (H­-ISAC) and the Healthcare Sector Coordinating Council.