Source: Homeland Security Today
“Security convergence” is the industry term used to describe the uniting of cyber and physical security into a single organizational structure. It is a point of discussion among practitioners since ASIS International and the Information Systems Audit and Control Association (ISACA) established the Alliance for Enterprise Security Risk Management – an organization dedicated to this concept – 17 years ago. Yet only 52.5 percent of large companies surveyed are either “fully or partially converged,” as noted by Megan Gates in the latest issue of Security Management. Gates also cites the Colonial Pipeline incident, which operated as a traditionally siloed cyber and physical security program and is now merging security functions in the wake of experiencing a crippling ransomware attack in May. Critical infrastructure providers, particularly those in the energy sector, cannot operate effectively with cyber and physical security information siloes in place.
With rapidly changing geopolitical risks, persistent cyber threats, enduring COVID-19 with seasonal hot spots, and violent kinetic attacks and conflicts occurring globally, companies have re-thought traditional enterprise risk management frameworks to account for all risks and hazards. The risk surface for critical infrastructure providers particularly those in the energy sector is complex.
First, energy providers that deal in the dynamic world of dispersed generation, distribution, and transmission operations often have a vast array of infrastructure located in all types of threat environments ranging from urban to isolated rural areas. These bulk-electric system sub-stations, or critical pipelines, for example, fall under varying regulatory oversight (including NERC/CIP, CFATS, and TSA Pipeline Security directives), most of which require robust cybersecurity and even physical security controls (e.g., NERC/CIP 14). Second, energy providers are increasingly susceptible to Operational Technology attacks cyber attacks that target physical infrastructure and can have a devastating physical impact beyond operational disruption.