
Strategies Emerging to Fill in the Physical Security Gaps with Zero Trust

The U.S. cyber and security industry has made great strides after a long-standing lag by the federal government toward centralized Zero Trust efforts.

Significant blemishes in U.S. history, such as the 2014 cyber infiltration of Sony Pictures and the 2016 cyberattack on the Democratic National Convention information systems, serve as stark reminders about nation-state actors’ advanced capabilities to reach out and touch even U.S. companies and infrastructure beyond the IT closets and keyboards. A more recent example is the almost 3-year conflict between Russia and Ukraine. At the conflict’s onset in 2022, Russia used cyberattacks to soften targets and sow chaos across the country, and to dismantle Ukraine’s command, control, and communications capabilities ahead of the ground invasion. Though some scholars assert that the conflict’s cyber operations fall squarely in the support realm as opposed to having decisive or crippling effects on the outcome, attack strategies for IT and OT systems are only limited by the imagination and, therefore, demand continuous exploration of the edge. Would anyone have predicted the edge moving into the physical security equipment space 10 years ago? 

Continuous edge evaluation is paramount for the U.S. industrial base to remain secure. Modern technology efforts must demand every piece of distributed and employed technology be analyzed, protected, encrypted, and trusted, with redundant protections, so administrators and operators of the technology can all but guarantee the safety and security of data--and in sensitive government spaces and strategic locations, mission accomplishment without compromising the team’s safety. 

A natural byproduct of redefining the edge is increased confidence in mitigating an insider threat. However, administrators and security professionals are cautioned not to overlook or discount any insider threat potential risk indicators employees might display. Something as “simple” as pushing Zero Trust to the sensor edge does, however, provide confidence that, assuming all Zero Trust principles and tenets are also aligned (i.e., users authorized, devices authenticated, etc.), the actual scene being displayed in a video management system is encrypted, secured, and factual. In other words, the scene visually presented on a monitor in an operations center is reliable and trustworthy--as if a security response team were physically present at the scene and seeing it for themselves. Today, armed security teams must be deployed to an alarm in some federal government spaces even though immediate visual assessment of the site can be made from a remote location. The power of moving the edge into scene authentication resolves manpower deficits, eliminates threats of spoofing, mitigates time/distance factors between affected sites and the location of alarm response teams, and has the potential to save money in the long run.

Is Moving the Edge Important?

In a word, yes. Today’s geopolitical landscape and the U.S.’s status as a world superpower demand continued technological advancements and security efforts for the DIB. Suppose the U.S. is, in fact, one step behind global cyber criminals, regardless of the actor’s intent. In that case, the ramifications of the U.S. not moving to first place ahead of would-be cyber actors could prove debilitating and unsustainable for the U.S. The great Chinese General Sun Tzu would succinctly tell us, “If quick, I survive. If not quick, I am lost. This is death.”

Cybercriminals often find voids, exploring vulnerabilities and loopholes in the U.S. government’s push toward Zero Trust. Security practitioners should not be lulled into a false sense of security or rest on the laurels of Zero Trust alone--there is much work to be done. Some of that work includes continued evaluation of the edge and its relationship to IT and OT components. Security advancements can appear quite different between the federal government and the corporate world, where slow advancements in technological defenses could mean continued survival … or certain death. In the corporate world, executives neglecting the relationship between cyber and physical security may result in unintentional gaps between the two disciplines. Cyber is the newest player and far more sexy than physical security. Yet, physical security voids can just as easily put corporations in a position of unenviable reputational risk, opening a chasm for the company through lost revenue, remediation costs, lawsuits, or worse.

On the federal side, the risks are unimaginable. Two military Service components – the United States Air Force and the United States Navy – are directly responsible for the safekeeping of strategic weapons in all 3 legs of the nuclear triad. Allowing an adversary to infiltrate U.S. cyber and PSE mechanisms could, on the one hand, simply compromise a particular capability. On the other hand, an infiltration could altogether remove, as a response option, the President of the United States’ ability to employ the weapons wherever and whenever needed--to include in the nation's defense. In the eyes of many foreign powers, the U.S. is a lucrative target and the public does not have all the information.

The Waterfall report is informative and chock-full of important data for the industry to analyze. Yet one key notation refers to the cyberattacks “in the public record.” The importance of this notation should not be lost on the reader: it subtly tells us that attacks on federal government systems, including classified systems and sensitive operations directly tied to national security, are cloaked in secrecy and therefore not reported in these unclassified publications. Yet, one can assume these classified IT and OT systems are also targeted by cybercriminals, hacktivists, and nation-states alike.

Many federal government attacks, if not all, are held close to the government’s chest--for good reason. Imagine a future where hacktivists and nation-state actors successfully limit the United States’ ability to leverage any of the instruments of power (diplomacy, information, military or economic), especially if those attacks can be executed without any kinetic activity. If the U.S.’s national security is at risk, or even in question, how can it remain a world superpower and adequately posture for a potential future fight? Just one incident in the United States where a nation-state actor gains access to federal OT systems in a strategic weapons area could prove detrimental to U.S. missions at home and abroad. At the very least, it will degrade the U.S.’s global strategic posture.

The Zero Trust journey is fraught with challenges. It is undoubtedly expensive, but moving the edge from server rooms and beyond the camera lens also strengthens the cybersecurity posture necessary to preserve critical infrastructure, critical assets, and strategic capabilities which may very well define future U.S. survival (or global influence at the very least). Even the Department of Defense (DoD), with its intricate web of mission partners in a wide variety of global settings and environments, including the DIB, is constantly navigating enterprise checks and balances, where the result is the ability to allow authorized users authenticated access to DoD information systems from wherever they are, yet do so while keeping the IT and OT systems secure. 

Moving the edge has important intangible benefits, too. In an acknowledgment of the need to account for insider threats, the Department of Defense’s Zero Trust Strategy highlights four Strategic Principles tied to four categories: Mission-Oriented, Organizational, Governance, and Technical, the latter of which contains a sub-category, Scrutinize and Analyze Behavior, to wit, “All events within our IE must be continuously monitored, collected, stored, and analyzed based on risk profiles and generated in near-real time for both user and device behaviors.” The Department’s clear linkage of counter-insider threat principles to Zero Trust activities is revolutionary. It strengthens the U.S. industrial base and protects its critical systems and infrastructure.
