Mind Meld

With computers now controlling critical assets, it's more important than ever for cyber and physical security managers to work together.

Linda Wilbanks can't fire a gun, but as chief information officer at the Energy Department's National Nuclear Security Administration, she's working with executives to ensure nuclear materials don't fall into the wrong hands. Why is the CIO involved in keeping nuclear materials secure? "Somewhere along the line, there's going to be IT controls" involved, Wilbanks says.

The distinctions are disappearing between securing physical assets like radioactive material and securing information stored on laptops and in networks. Computers have become the de facto mechanism for controlling critical infrastructure. Networks manage not only sensitive data but also the operations of everything from generators to water pumps to nuclear reactors. Many of these systems are accessible through the Internet, which means agencies run the risk of a hacker shutting down operations or a catastrophic failure.

"There are many overlapping components in IT security, cybersecurity and physical security," says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "More recent is the desire of our opponents to exploit those [overlapping components] and use them against us by bringing down our critical infrastructure remotely."

In March 2007, researchers at the Idaho National Laboratory demonstrated to the Homeland Security Department how they could go online to hack into the programs that control the operations of a generator and manipulate settings so it would self-destruct. The scene of a generator shaking, spewing steam and then breaking down sent shock waves through governments and corporations.

DHS later developed the National Infrastructure Protection Plan and strategies for each economic segment to provide a coordinated approach to protect networks that operate critical infrastructures in the areas of finance, transportation and utilities.

The U.S. Computer Emergency Readiness Team's Control Systems Security Program coordinates infrastructure network protection, offering resources such as a control system cybersecurity self-assessment tool, a curriculum for security training and recommended practices. But agency needs vary, influenced largely by the type and sensitivity of assets. Best practices focus on comprehensive risk assessment, collaboration between those responsible for the security of physical assets and IT, and a governance structure that ensures the managers in charge aren't the weak link.

"[Physical] access restrictions to a particular asset are not good enough if you're also giving all employees access to its networked control system," says Robert Jamison, undersecretary for DHS' National Protection and Programs Directorate. "Agencies have to understand that if they have control systems or physical assets that are connected to a network that is connected to the Internet, there is inherent risk."

In theory, if CIOs conduct risk assessments, as required under the 2002 Federal Information Security Management Act, then protecting physical assets shouldn't add much work, if any. FISMA requires agencies to determine the risk if a hacker gained access to their information systems. Each system is assigned a level of risk (low, medium or high), and then the agency determines which security controls to apply.

If an agency deems an asset high risk, it should do as much as possible to shield the system from access. At the National Nuclear Security Administration, IT systems that link to sensitive control systems are housed on the agency's highly classified red network, which is not connected to the Internet. NNSA has classified one of its two other networks as yellow, because it connects semiclassified IT systems and includes extensive access controls. The agency has classified the third system as green, because it connects nonclassified systems and manages information delivered to the public Web site.

To provide guidance on how to assign risk to systems, the National Institute of Standards and Technology released Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."

"The NIST process is absolutely superb," says Marian Cody, senior information security officer at the Environmental Protection Agency. "What I don't see, however, is the same bible for those who handle physical security. . . . You have to know what you have, and then you have to know the associated risk so you can figure out how to protect it."

NNSA launched its network infrastructure classification this spring, almost a year after an employee at Los Alamos National Laboratory entered a protected vault and saved on a flash drive information on underground nuclear weapons tests that was stored on a classified computer server. The employee printed more than 200 pages of documents to work on them at home.

"In that case, it was shortcomings in physical and cybersecurity," Wilbanks says. Access to the server was not protected properly, allowing the thumb drive to be attached and data to be downloaded, and gates that block access to computer servers were not locked. Now cybersecurity managers work with managers in charge of physical security to conduct inspections of the labs and infrastructure. The team spends four hours a week walking through facilities to check security.

Physical security has long been isolated from IT at federal agencies, and changing that can be hard. But some agencies like NNSA have changed their reporting structure to ease collaboration between the physical and cyber worlds. Wilbanks reports to the deputy administrator of NNSA, whose office collects data on new assets that facilities commission. At NRC, the CIO also carries the title of deputy executive director for corporate management, which oversees physical assets.

"There's alignment that allows closer coordination and cross fertilization," Howard says. "It's new, but it's clear that it will be advantageous to have that level of integration that provides both sides a seat at the same table. We can learn to speak a common language."
