Physical security controls for IT and ICS

If you can touch it, you can break it

Basically, that is what it is all about when considering physical security controls for IT and ICS systems. Protecting your IT and ICS systems against cyber-attacks using logical controls does not release you from the obligation to have physical controls in place as well.

Logical controls, such as two-factor authentication, firewalls, anti-malware, application whitelisting, vulnerability scanning, monitoring, and so on, leave your data and equipment vulnerable to the effects that physical access can generate.

Being near your data carriers and equipment provides attackers with an opportunity to take, change, or destroy them. Like a cyber-attack, this may affect the confidentiality, integrity, and availability of your data and disrupt your business continuity.

According to Verizon’s 2018 Data Breach Investigations Report (DBIR), about 11% of the breaches reported involved physical actions.

Examples of vulnerabilities

An example of a physical attack vector is theft of equipment containing data, such as laptops and mobile devices. If the screen lock is not activated, the attacker has immediate access to the data stored on the device and to the connected network. However, even with the screen lock activated, you will lose all the data on the device, and without a proper back-up in place you will never see it again.

Another well-known example of damage resulting from attackers having physical access to your equipment involves the installation of a key-logger between the keyboard and the computer. The key-logger collects the key-strokes comprising the username and password and sends them to the attackers.

Using these credentials, the attackers can now log into the system and start finding their way around your systems. Furthermore, as the attackers receive all entries, they can also find out the sites you are visiting, the text you are writing, and so on.

Encrypt your data

Physical access often by-passes logic controls. If your data-at-rest is not encrypted, anyone accessing your servers can take a drive from the rack and read what is on it. The same goes for eavesdropping on your unencrypted data communications. Having access to your servers or routers would allow attackers to install listening devices.

If you believe this is far-fetched, you should take a peek into Verizon’s DBIR or the annual report of your country’s intelligence services, which rate industrial espionage as a top-tier risk year after year.

Physical access may also cause unwanted changes or damage to your (production) equipment’s operating and safety systems. A contractor uploading an update to your machine without supervision from your staff could make a mistake, resulting in damage and business interruption.

The above does not take into account disgruntled employees seeking revenge. Even though rare, they form a dangerous category of attackers, as causing havoc and mayhem is all they want, and setting a fire or destroying your property would fulfil their purpose just as well as launching a cyber-attack.

How to establish priorities

As we have seen, unauthorised physical access to data and equipment may jeopardise the confidentiality, integrity, and availability of your data. This is why we need to take a closer look at the security you need to have in place to reduce this risk.

In 2016, the SANS1) Institute published a document named ‘Physical Security and Why It Is Important’. We will introduce you to some of the strategies and tactics described in this document and provide you with references to European standards commonly used in the design of physical security controls and electronic alarms.

Without a security plan, no adequate security is possible. As in every risk management project, you will need to start with a risk assessment, taking into account the vulnerabilities of your staff, processes, data, and equipment.

The next step will be to create a heat map by determining the potential impact on your business and the likelihood of its occurrence. When determining the impact, don’t forget to take the potential period of business interruption into account.

Risk scenarios could include:

Attackers having uncontrolled access to your industrial control systems.
Thieves taking a laptop containing personally identifiable information (PII).
Cleaning staff accidentally damaging the routers in a rack.
Thieves taking one or more hard drives from your data centre.
A contractor uploading a faulty update into your warehouse management system.

Each scenario is measured for impact (e.g. value of damage and time required for recovery) and likelihood (e.g. rate of occurrence in days), with the result plotted in a matrix. At a glance, you can now see that the risk of thieves taking one or more hard drives from your data centre (no. 4) is assessed as unlikely to happen but with a high impact.

As the subject of our plan is physical security for IT and ICS, the risks relate to locations. This enables you to translate the heat map into a site plan indicating vulnerable areas from an IT and ICS perspective.

Riskmap indicating impact and likelihood

Site Plan 1

In the site plan 1, we have marked the identified areas of risk, which could be classified as;

Red = Critical risk area
Yellow = Elevated risk area
Green = Normal risk area
Grey = Observation area

In this simplified example, we have identified the control cabinets for ICS, the server room for IT, and the server room for the WMS as critical risk areas. The offices have been identified as an elevated risk area because of the anticipated presence of devices containing important data.

The warehouse and production areas are considered a normal risk as devices present in these areas are not considered to contain important data, and the area within the fence outdoors is considered the observation area.

Designing physical security controls

To protect physical assets, the concept of choice is ‘defence in depth’. This is a concept used to secure assets through multiple layers of security. If an attacker compromises one layer, they still have to penetrate the additional layers to obtain an asset. Adequate security can only be achieved by combining physical elements with technology in an administrative (response) framework.

Our RICE-DARI timeline is a visual aid. It shows the resistance time provided by structural security elements (e.g. wall, door, or window) counts only after the (attempted) intrusion is detected. This is because, if not detected, the attacker could remove the structural element altogether without triggering any response. When designing our ‘defence in depth’, the total resistance time provided by all elements between the entry point and the asset should be calculated and compared to the response time of the defenders.

In the RICE-DARI timeline below, it is shown that reconnaissance can be done by the attacker without triggering a response if no surveillance is present. The resistance time provided by the elements is represented by the distance AB. The attack is first detected at point C after a large part of the resistance time of the elements has been taken away.

While detection and alarming take only seconds when using electronic sensors and signalling, the response will take much more time to organise. Before private security or police are on site, it may take as much as 15 minutes. This is represented by the distance CD.

Selecting physical security controls

Assuming that we want to prevent an attacker from entering the ICS cabinets or the IT and WMS server rooms, the values CD and AB are the ones we need to consider when deciding on the number and resistance time of the structural security elements.

Site Plan 2

In the site plan 2, we have now entered physical and technical security controls as follows:

fences around the yard
reinforced walls, doors, and windows around the offices
reinforced walls, doors, and windows around the ICS, IT, and WMS
cameras in the yard
cameras near the ICS, IT, and WMS
passive infra-red detectors inside the buildings

Taking the IT room as an example, the resistance time is now defined as the resistance time of the wall around the offices plus that of the wall around the IT room. The shortest line from outside the yard to inside the IT room appears to go through the yard, passing the wall (or door) around the offices, and passing the wall (or door) around the IT room. Assuming that the cameras in the yard have built-in video content analysis, the attacker will be discovered after crossing the fence.

The resistance time will therefore be the total resistance time available for both walls surrounding the IT room. Without the outside cameras, this would be limited to just the wall surrounding the IT room, as the wall around the offices could be passed without being detected.

European standards that can be used to select and describe physical security controls can, among others, be found in the series EN 1627 to EN 1630. Resistance classes relating to tool sets used by attackers provide the resistance time in minutes. For technical (electronic) controls such as sensors and signalling equipment, the EN 50131 and 50136 series provide advice along the same lines.

Using these standards together requires a careful approach, as the definitions used in the standards do not always match.

Hidden ‘defects’ in the defence-in-depth model.

This article is only a summary of the considerations to be made and the tools available to physically secure your assets. It is possible to mix and match physical, technical, and administrative controls, but this should be done very carefully. One should especially take care not to include common vulnerabilities in the defences.

Examples of such common vulnerabilities include using a single key for all doors, or having only a single transmission path for the signalling of alarms. Physical controls can, of course, be combined with logical controls. Again, however, one should take great care not to create single points of failure in the defences, such as using a default password or providing access to persons who do not have a direct need to access those systems.

A major pitfall for all security systems is the ‘manager dilemma’. Often, managers believe they should be able to access all rooms and systems by themselves. However, it is strongly recommended to apply the ‘least privilege’ and ‘four eyes principle’ for all employees, including managers. Do bear in mind that people with access to all and everything are the preferred targets for social engineering and/or coercion.

Summary

If you can touch it, you can break it. Access to IT and ICS assets can bypass the best logical controls, such as two-factor authentication and firewalls. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), about 11% of the breaches reported involved physical actions. Physical actions could include adding spyware to your systems or simply taking data carriers from your server rooms.

Designing physical security measures requires the application of a risk management process. The heat map from your risk assessment can be transferred to the site plan to indicate where physical protection is most needed.

The concept of choice for physical protection is ‘defence in depth’.

Erik van der Heijden

The concept of choice for physical protection is ‘defence in depth’. As the resistance time of the structural security elements is only valuable when detection and alarming are in place, you can use the RICE-DARI timeline to visualise the minimum requirements for your physical, technical, and administrative security elements.

In the specifications, you can use European standards to assist you in selecting the correct quality for your security elements. Of course, you can (and should) combine your physical security with logical security.

Article by

Erik van der Heijden

Senior Risk Engineer, If

Don’t touch this! Physical security controls for IT and ICS