"Cyber and Physical Threats Illuminate Need for Security Convergence in Energy Sector"
Security convergence refers to joining cyber and physical security into a single organizational structure. Since ASIS International and the Information Systems Audit and Control Association (ISACA) established the Alliance for Enterprise Security Risk Management, an organization dedicated to security convergence, it has been a topic of discussion among practitioners. Yet, according to Megan Gates in the latest issue of Security Management, only 52.5 percent of large companies surveyed are "fully or partially converged." Gates also makes reference to the Colonial Pipeline incident, which showed the need for security functions to be combined after a crippling ransomware attack in May. Colonial Pipeline had operated as a siloed program for physical and cybersecurity. With cyber and physical security information siloes in place, critical infrastructure providers, especially those in the energy sector, cannot operate effectively. State actors are increasingly using cyberattacks on the grid to punish adversaries in a non-attributional or obfuscated manner. Earlier this year, the Department of Homeland Security (DHS) issued a warning about domestic violent extremists targeting infrastructure to launch physical attacks in order to cause widespread chaos and undermine public trust in the government. The Nord Stream pipeline was sabotaged beneath the Baltic Sea in September, serving as a reminder of the disruption that a surgical attack can cause on vulnerable infrastructure. The threat of a converged attack, in which a sophisticated threat actor gains access to a critical site or location and introduces malware directly into ICS/SCADA systems, has only increased. A coordinated cyber and physical attack on disparate key bulk-electric system nodes simultaneously could have amplifying and cascading consequences. A converged or dedicated cross-functional team can charter a combined threat working group, develop an internal risk intelligence function, and incorporate threat-informed validation of security controls and procedures to manage these security contingencies or risks with low probability but high consequence. This article continues to discuss cyber and physical threats and the need for security convergence in the energy sector.