Mind Meld

With computers now controlling critical assets, it's more important than ever for cyber and physical security managers to work together.

Linda Wilbanks can't fire a gun, but as chief information officer at the Energy Department's National Nuclear Security Administration, she's working with executives to ensure nuclear materials don't fall into the wrong hands. Why is the CIO involved in keeping nuclear materials secure? "Somewhere along the line, there's going to be IT controls" involved, Wilbanks says.

The distinctions are disappearing between securing physical assets like radioactive material and securing information stored on laptops and in networks. Computers have become the de facto mechanism for controlling critical infrastructure. Networks manage not only sensitive data but also the operations of everything from generators to water pumps to nuclear reactors. Many of these systems are accessible through the Internet, which means agencies run the risk of a hacker shutting down operations or a catastrophic failure.

"There are many overlapping components in IT security, cybersecurity and physical security," says Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "More recent is the desire of our opponents to exploit those [overlapping components] and use them against us by bringing down our critical infrastructure remotely."

In March 2007, researchers at the Idaho National Laboratory demonstrated to the Homeland Security Department how they could go online to hack into the programs that control the operations of a generator and manipulate settings so it would self-destruct. The scene of a generator shaking, spewing steam and then breaking down sent shock waves through governments and corporations.

DHS later developed the National Infrastructure Protection Plan and strategies for each economic segment to provide a coordinated approach to protect networks that operate critical infrastructures in the areas of finance, transportation and utilities.

The U.S. Computer Emergency Readiness Team's Control Systems Security Program coordinates infrastructure network protection, offering resources such as a control system cybersecurity self-assessment tool, a curriculum for security training and recommended practices. But agency needs vary, influenced largely by the type and sensitivity of assets. Best practices focus on comprehensive risk assessment, collaboration between those responsible for the security of physical assets and IT, and a governance structure that ensures the managers in charge aren't the weak link.

"[Physical] access restrictions to a particular asset are not good enough if you're also giving all employees access to its networked control system," says Robert Jamison, undersecretary for DHS' National Protection and Programs Directorate. "Agencies have to understand that if they have control systems or physical assets that are connected to a network that is connected to the Internet, there is inherent risk."

In theory, if CIOs conduct risk assessments, as required under the 2002 Federal Information Security Management Act, then protecting physical assets shouldn't add much work, if any. FISMA requires agencies to determine the risk if a hacker gained access to their information systems. Each system is assigned a level of risk (low, medium or high), and then the agency determines which security controls to apply.

If an agency deems an asset high risk, it should do as much as possible to shield the system from access. At the National Nuclear Security Administration, IT systems that link to sensitive control systems are housed on the agency's highly classified red network, which is not connected to the Internet. NNSA has classified one of its two other networks as yellow, because it connects semiclassified IT systems and includes extensive access controls. The agency has classified the third system as green, because it connects nonclassified systems and manages information delivered to the public Web site.

To provide guidance on how to assign risk to systems, the National Institute of Standards and Technology released Special Publication 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories."

"The NIST process is absolutely superb," says Marian Cody, senior information security officer at the Environmental Protection Agency. "What I don't see, however, is the same bible for those who handle physical security. . . . You have to know what you have, and then you have to know the associated risk so you can figure out how to protect it."

NNSA launched its network infrastructure classification this spring, almost a year after an employee at Los Alamos National Laboratory entered a protected vault and saved on a flash drive information on underground nuclear weapons tests that was stored on a classified computer server. The employee printed more than 200 pages of documents to work on them at home.

"In that case, it was shortcomings in physical and cybersecurity," Wilbanks says. Access to the server was not protected properly, allowing the thumb drive to be attached and data to be downloaded, and gates that block access to computer servers were not locked. Now cybersecurity managers work with managers in charge of physical security to conduct inspections of the labs and infrastructure. The team spends four hours a week walking through facilities to check security.

Physical security has long been isolated from IT at federal agencies, and changing that can be hard. But some agencies like NNSA have changed their reporting structure to ease collaboration between the physical and cyber worlds. Wilbanks reports to the deputy administrator of NNSA, whose office collects data on new assets that facilities commission. At NRC, the CIO also carries the title of deputy executive director for corporate management, which oversees physical assets.

"There's alignment that allows closer coordination and cross-fertilization," Howard says. "It's new, but it's clear that it will be advantageous to have that level of integration that provides both sides a seat at the same table. We can learn to speak a common language."
