Common Threats and Vulnerabilities of Critical Infrastructures

Aug. 2, 2016
Constant reevaluation is needed to stay ahead of threats and respond appropriately

The threat of physical and cyber-attacks is real, serious, potentially disabling, and constant. Security departments throughout the country are challenged with protecting against and thwarting attacks, almost daily. Fortunately, security executives like Aura Moore, CIO – deputy executive director at Los Angeles World Airports (LAWA); Clyde Miller, managing partner for Miller & Miller, LLC, a critical infrastructure security consulting firm in San Diego; and David St. Pierre, director of seaport security for the Manatee County Port Authority, Palmetto, Fla., are willing to share their knowledge and experience with their peers to help everyone stay a step ahead.

In a world where the emerging Internet of Things (IoT) links a myriad of devices, the key is to make physical and cyber security work together, seamlessly.

David St. Pierre often queries counterparts at other ports to learn about their solutions to common problems. “Every time I meet security managers at other ports I learn something new,” he declares.

The Los Angeles International Airport, tagged LAX, is the most visible attribute of LAWA. “Everyone is in the same boat. Keeping LAX safe is a sobering responsibility,” Aura Moore says, noting the massive undertaking to manage the amounts of information being created and transmitted. “As more data of a sensitive nature is transmitted across the network, the risks of data breaches pose a significant danger. Protecting this information is a 24/7 operation that requires extraordinary vigilance,” she says.

As threats constantly evolve, so too must the solutions. Security is not a one-and-done project. Constant reevaluation is needed to stay ahead of threats and respond appropriately.

In 2015, 74 million passengers traveled through LAX, making it the seventh busiest airport in the world, by passenger traffic. It is the only airport to rank among the top five U.S. airports for both passenger and cargo traffic. “Maintaining this volume of traffic without disruptions is vital,” Moore says. “Maintaining our security and preventing those disruptions is our primary focus and of foremost concern.”

David St. Pierre has similar thoughts. “My first concern is whether I have fully assessed the risks and vulnerabilities to attack,” he says. “When talking about terrorism, we are talking about a patient adversary who takes his time assessing vulnerabilities. We need to continuously examine our system and evaluate our capabilities to mitigate potential threats.”

Port Manatee has a strategic location – the U.S. seaport closest to the Panama Canal. It supports $2.3 billion in economic activity and 24,000 jobs.

Critical infrastructure organizations must take a risk-based approach to physical and cyber security and preparedness. This involves experts assessing risks, providing a threat dashboard that establishes security priorities, and taking proactive measures. Digitalization is an important tool for extending and supporting electronic channels, content and transactions, while balancing electronic capabilities and traditional business practices.

Working with internal stakeholders provides security experts the opportunity to better understand their organization’s business objectives and shift security from a cost center to a profit center.

“First, understand what your company does to be successful,” says Clyde Miller, who focuses on security advisory services and critical infrastructure. Next, Miller advises, “Make sure you assemble an effective team of security professionals. This can be a combination of employees, contractors and consultants, to be more cost effective. Third, conduct a fair, objective assessment of threats your company faces in its business so the security organization can be a business enabler. Fourth, ensure you cover all possible scenarios and be prepared to mitigate them in a cost-effective manner.”

Miller notes that cyber and physical security organizations must be joined at the hip, coordinating risk mitigation measures and attack response. A physical attack could easily be combined with a cyber-attack. “Having a coordinated monitoring program and response effort is critical to an effective overall security program,” Miller adds. 

Consolidated command and control centers fuse operations, including cyber assets, physical assets, and operation of the facility. Business intelligence, public safety and outside jurisdictional command should be consolidated as well, and that is just a start.

Be Prepared

“I always felt my team and I had prepared for any issues that might arise and would be able to handle any matter that we faced. Planning, preparation, training and exercises were key elements that kept me from being kept up at night,” Miller says of his days at a major utility.

As an iconic, high-profile target, LAX receives security attacks sourced from all over the world. “We align our attack vectors using open source and current threat intelligence feeds to help us build a threat profile, which we then apply to our security protection devices,” Moore says.
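The workflow Moore describes, building a threat profile from intelligence feeds and then applying it to protection devices, can be illustrated with a small pipeline. The following is an added example and not LAWA's or the article's own code: the feed entries, firewall log lines, field layout, freshness window and confidence threshold are all constructed assumptions, and the "deny" lines are vendor-neutral text rather than any real device's rule syntax.

```python
"""Build a threat profile from threat-intel feed entries and apply it to
firewall log lines. All inputs below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed feed lines: indicator_type,value,confidence(0-100),first_seen,tag
FEED = """\
ip,203.0.113.10,90,2016-07-30,scanning
ip,203.0.113.10,70,2016-07-28,scanning
domain,bad-updates.example,85,2016-07-29,malware-c2
ip,198.51.100.7,40,2016-03-01,brute-force
cidr,192.0.2.0/24,60,2016-07-31,scanning
"""

# Constructed firewall log lines: timestamp action src dst:port
FW_LOGS = """\
2016-08-01T10:00:01 ALLOW 203.0.113.10 10.1.1.5:443
2016-08-01T10:00:02 ALLOW 192.0.2.77 10.1.1.5:22
2016-08-01T10:00:03 ALLOW 198.51.100.7 10.1.1.9:3389
2016-08-01T10:00:04 ALLOW 10.1.2.3 10.1.1.5:443
"""


@dataclass
class Indicator:
    kind: str          # "ip", "cidr" or "domain"
    value: str
    confidence: int    # 0-100, as supplied by the (constructed) feed
    first_seen: datetime
    tag: str


def parse_feed(text):
    """Parse the constructed comma-separated feed into Indicator records."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, conf, seen, tag = [f.strip() for f in line.split(",")]
        out.append(Indicator(kind, value, int(conf),
                             datetime.strptime(seen, "%Y-%m-%d"), tag))
    return out


def build_profile(feed_text, now="2016-08-02", max_age_days=30, min_confidence=50):
    """Keep only fresh, credible indicators (assumed policy thresholds) and
    merge duplicates, retaining the highest confidence seen for each value."""
    cutoff = datetime.strptime(now, "%Y-%m-%d") - timedelta(days=max_age_days)
    profile = {}
    for ind in parse_feed(feed_text):
        if ind.first_seen < cutoff or ind.confidence < min_confidence:
            continue  # stale or low-confidence: do not push to devices
        key = (ind.kind, ind.value)
        if key not in profile or ind.confidence > profile[key].confidence:
            profile[key] = ind
    return profile


def render_blocklist(profile):
    """Vendor-neutral deny lines, highest confidence first (adapt to the
    real device's syntax when deploying)."""
    ranked = sorted(profile.values(), key=lambda i: -i.confidence)
    return [f"deny {i.kind} {i.value}  # {i.tag} conf={i.confidence}" for i in ranked]


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def match_logs(profile, logs):
    """Correlate log source addresses with the profile; return alerts
    ordered by indicator confidence so the highest-priority hits come first."""
    nets = [(ipaddress.ip_network(i.value), i) for i in profile.values() if i.kind == "cidr"]
    ips = {i.value: i for i in profile.values() if i.kind == "ip"}
    alerts = []
    for line in logs.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, _action, src, _dst = m.groups()
        hit = ips.get(src)
        if hit is None:
            addr = ipaddress.ip_address(src)
            hit = next((i for net, i in nets if addr in net), None)
        if hit is not None:
            alerts.append({"confidence": hit.confidence, "src": src,
                           "tag": hit.tag, "line": line})
    alerts.sort(key=lambda a: -a["confidence"])
    return alerts


if __name__ == "__main__":
    prof = build_profile(FEED)
    print("\n".join(render_blocklist(prof)))
    for alert in match_logs(prof, FW_LOGS):
        print(alert)
```

The freshness and confidence filters are the part worth copying: pushing every indicator a feed has ever published onto a firewall produces stale blocks and false positives, so the profile step, not the device, is where curation belongs.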

“Government or legal requirements should be the bare minimums, not the maximum measures to meet,” Miller says. The danger in relying on government requirements to set the bar is that companies frequently implement measures to meet only the government requirements rather than conducting risk assessments of the threat environment to their own organization. 

There are many government policies, procedures and directives that give guidance on dealing with threats, especially high-threat items. “Not meeting a government requirement becomes the risk rather than the company addressing the actual threat environment,” Miller points out. Government agencies will continue to evaluate incidents and identify where industry has failed and, with time, may implement stronger requirements.

Miller states, “The fact is, you have to be prepared to manage whatever may come up, because something will happen. If you’re properly prepared by implementing appropriate mitigation and trained for when something fails, you’ve done your job.”

Moore says much critical infrastructure is protected by antiquated security systems which are no match for determined attackers. “Owners and operators of these systems are often behind the curve in terms of security maturity and staffing,” she says. “Critical infrastructure sectors need to bolster their own defenses,” Moore adds.

Digitalization

Turning digital or analog data into actionable information and using it to protect against both cyber and physical threats is ultimately what it’s all about. The ability to assist in both normal operations and emergency situations requires a sophisticated tool set: software to analyze the data and algorithms to fuse disparate data sources, correlate events and prioritize the response. Data mining solutions for social media are also critical for detecting events in advance.

“In a world of digitalization, everything is IP-based,” notes Kyle Heaton, national business manager and aviation practice lead for Siemens. “The challenge is to protect the enterprise out to the edge – the cameras, card readers and other devices in the network.”

Security teams have to beware of foreign threats, as well as internal threats from U.S.-based disruptions like disgruntled employees. It is vital for internal departments to work together. “The more we work together, the better we communicate,” says Jim DeStefano, national security sales manager for Siemens. “We have a saying in the emergency response community that the place to exchange cards is not at an actual incident.”

Integrators like Siemens know that technology can be effective in establishing physical access control and that combined physical and virtual access verification will establish whether someone can access the network, access data, download files or make coding changes.
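Combined physical and virtual access verification, and the data fusion the Digitalization section describes, come down to correlating two event streams: badge reads from doors and authorization requests from the network. The following added example is not Siemens', LAWA's or the article's code; the badge events, access requests, the "onsite"/"vpn" source labels and the rule that code changes and file downloads require physical presence are all constructed assumptions for illustration.

```python
"""Correlate physical badge events with logical access requests and decide
whether each request may proceed. All inputs are constructed."""
from datetime import datetime

# Constructed physical access events: timestamp user direction door
BADGE_EVENTS = """\
2016-08-01T07:58:10 alice IN  gate-3
2016-08-01T08:05:42 bob   IN  gate-1
2016-08-01T12:30:00 bob   OUT gate-1
"""

# Constructed logical access requests: timestamp user source action
ACCESS_REQUESTS = """\
2016-08-01T08:15:00 alice onsite read_data
2016-08-01T09:00:00 carol onsite read_data
2016-08-01T13:10:00 bob   onsite code_change
2016-08-01T13:20:00 bob   vpn    read_data
2016-08-01T13:25:00 bob   vpn    code_change
"""

# Assumed policy: these actions require the user to be physically on site.
ONSITE_ONLY = {"code_change", "download_files"}


def parse_events(text):
    """Split whitespace-delimited lines into (timestamp, field, ...) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = line.split()
        rows.append((datetime.fromisoformat(ts), *rest))
    return rows


def presence_at(badge_rows, user, when):
    """True if the user's most recent badge event at or before `when` was IN.
    A user with no badge history is treated as not present."""
    present = False
    for ts, who, direction, _door in badge_rows:
        if who == user and ts <= when:
            present = direction == "IN"
    return present


def evaluate(badge_text, request_text):
    """Return one decision per request, fusing badge state with the
    request's network source and the action being attempted."""
    badges = sorted(parse_events(badge_text))  # chronological order
    decisions = []
    for ts, user, source, action in parse_events(request_text):
        onsite = presence_at(badges, user, ts)
        if source == "onsite" and not onsite:
            # Internal-network session for someone the doors say is not here:
            # a classic sign of shared or stolen credentials.
            verdict, reason = "deny", "on-site session without badge-in"
        elif action in ONSITE_ONLY and not onsite:
            verdict, reason = "deny", "privileged action requires physical presence"
        else:
            verdict, reason = "allow", "badge and network state agree"
        decisions.append({"time": ts.isoformat(), "user": user, "source": source,
                          "action": action, "verdict": verdict, "reason": reason})
    return decisions


if __name__ == "__main__":
    for d in evaluate(BADGE_EVENTS, ACCESS_REQUESTS):
        print(d)
```

The two deny rules are deliberately different in kind: the first is an anomaly check (the physical and logical records disagree), the second is a policy check (a sensitive action is gated on presence). Keeping them separate makes the resulting alerts easier to triage in a fused command center.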

Dollars and Sense

The cost of physical and cyber-security is going up and, all stakeholders agree, will continue to increase for the foreseeable future. Migrating security departments from cost centers to profit centers can somewhat offset the cost. For example, security can charge for escorting non-TWIC (Transportation Worker Identification Credential) certified guests through restricted areas, like Port Manatee does. It can also take advantage of the ability of Public Private Partnerships (PPP) to leverage vast intelligence-gathering resources. Innovative organizations are converging resources that make for better operational performance. Sometimes, these partnerships self-fund critical security-related initiatives.

Miller says all robust security organizations need solid relationships with both private sector security entities and government agencies such as the FBI, Department of Homeland Security, and Department of Defense. 

“Having effective relationships can provide early warnings of the nature of attacks,” Miller notes. “It’s better to have those relationships in place in advance than trying to establish them in the middle of a security event. At that point, precious time can be wasted in learning to trust each other and exchange necessary information.”

Security Investment

Business operations must continue while being protected. Here, security teams turn to systems that provide access control and identity management. Command and control platforms give real-time insights into potential threats. The bottom line is that executives need to understand how the appropriate security systems and measures support meeting their business objectives and can help turn security into a profit stream.

Given their high public profile, it may be a bit easier for transportation hubs to get the budget they need. Moore offers no apologies for that. “LAX has seen a steady increase in cyber-attacks. There are more types of attacks, more sources of threats, greater reliance on increasingly complex IT systems, and a shortage of effectively trained security staff.”

“Maintaining a security budget that adequately funds responses to security threats keeps our security posture high and our network secure,” Moore says. “LAX is fortunate in that we have a chief executive officer who understands the importance of cyber security and the role it plays in protecting LAX,” she adds.

Technology continues to progress, helping facilities do more with cyber and physical security. Miller points to smart analytics that identify suspicious activity, alerting control rooms. “The key for critical infrastructure facilities is to continue to make use of proven, advanced technology. Make sure it is proven technology. Do not rely solely on cutting edge technology that may fail, or may not meet business objectives,” he says.

Technology should assure the necessary compliance, but that technology must go further than simple compliance and add value that will help to satisfy a company’s business objectives, too.

To meet the demands of the emergency operational environment, security executives must understand the normal operational environment, recognize threats quickly and act immediately while communicating. The inability to effectively communicate in a heightened security state is detrimental.

“There is no crystal ball that can provide the answer to the risk/threat question,” St. Pierre says. “We must instead evaluate the potential for all possible attack types and sources. Unfortunately, I have to respond to all of them.”

It is a constantly moving target, but security must design and scale a solution based on Best Management Practices (BMPs) to handle all the moving parts.

BMPs and Economics

Users and their integrator partners must develop understanding and solutions for the entire critical infrastructure life-cycle, including: assessment and analysis, remediation, monitoring, mitigation, detection, response and reconstruction. Then they need to examine where plans have been successful and where they failed. Finally, they must define the difference.

St. Pierre realizes there can be significant costs to providing security services. “We always look for potential sources to offset costs,” he says. Using government grants is a great way to improve security systems and infrastructure, he finds, but recovering the soft costs related to operational expenses is much more challenging.

“Our goal is to develop strategies that ensure the efficient use of resources so that we can keep costs to a minimum and develop methods to fairly recover costs for the port’s users,” St. Pierre says.

Executives also need to know their business partners. Miller says to look for integrators who can enhance the operation’s basic technology and support business objectives. This includes providing a solutions roadmap that applies new and forward-looking technology.

“The best value-add is for an integrator to be my partner in this process rather than trying to sell me something,” Miller insists. Since most security organizations cannot afford to have technology experts on staff to cover the spectrum of available technology, having a trusted vendor/integrator is invaluable, he adds.

St. Pierre would agree. “We look for systems that we can integrate to support our operations,” he says. “When selecting vendors, I look for people who listen and try to understand the process before trying to sell me a solution. No two ports are exactly alike so our systems need to be tailored to meet our specific needs.”

To help, security integrators must develop a full complement of consultancy services, including network engineering, software development, risk/threat assessment services for critical infrastructure, and more, according to Mike Dietsch, account executive for Siemens security. A good integrator will look at the unique needs of the critical infrastructure customer and apply a solution roadmap that looks at their cost restraints while meeting their security objectives.

As Port Manatee grows and brings new business into the area, St. Pierre continuously assesses the security impacts and makes changes to address them. “Changes come at a cost,” he states. “We always work to develop strategies that increase our efficiency, and obtain technologies that allow us to keep budget increases as low as possible.”

Current cyber security issues such as zero-day exploits, denial-of-service (DoS), phishing, malware and others may disrupt operations anywhere. “Complacency will put a vendor business on the sideline,” Moore states. “LAX does not need a security system only for today; it needs one for tomorrow as well. So, we look for partners that are anticipating these trends and preparing to meet those challenges.”

Conclusion

Threats and vulnerabilities will continue to challenge critical infrastructure customers. Forward-thinking use of technology solutions will allow users to correlate multiple data sources to help all involved to manage events appropriately.

About the Author: James (Jim) Lantrip is the security segment head for the Building Technologies Division at Siemens. Lantrip has more than 26 years of industry experience. Located in Irving, Texas, he can be reached at +1-469-662-8781 or at [email protected].