In CGI’s 2022 Voice of Our Clients report, leaders across the globe cited cybersecurity as the top trend affecting their ability to deliver on the mission. Threats come from many directions in the operating environment: from people, processes and technology. Those organizations with the most secure postures understand that a risk-based approach means looking holistically at the enterprise.
The technology assets, systems and datasets that form the foundation of our national and socioeconomic security are of particular interest to criminal, politically motivated or state-sponsored actors seeking to exploit data, disrupt operations or cause a destabilizing loss of public confidence. When investigating and assessing risks, organizations must approach from multiple disciplines: cybersecurity, information technology, physical security and operations technology.
A Red Team—people, processes and technology playing the role of adversaries to test the effectiveness of your defenses—can prove invaluable. Here we address some of the best practices that support an interdisciplinary approach to achieve more resilient and secure operations.
Assess risks across operational technology (OT) and information technology (IT). To counter dynamic threats to the security and resilience of both OT and IT systems, government and industry must take a comprehensive view of risks, our collective dependency upon these systems and the full portfolio of attack vectors that adversaries can exploit. Risks may span solutions and processes and extend from OT to IT, which brings physical locations, end-user consoles and public data sources into scope for any Red Team.
In one example, a Red Team breached a physical environment using a can of compressed air and entered a data center. The cyber risk assessments did not include areas of physical breach, which left the organization exposed to the risk of onsite hacking and exfiltration.
Think like your adversaries. As we work to elevate the baseline level of cybersecurity across government and industry, the ease of remote exploitation will wane and the physical tactics of espionage will enjoy a resurgence. Even today, our adversaries exploit interdisciplinary techniques to compromise critical systems. While the National Institute of Standards and Technology (NIST) guidelines, High Value Asset control overlays and other requirement sets encompass physical and environmental security controls, too often security assessments overlook penetration testing at this integrated level.
Know the inherent risks of incorporating integrated techniques. There are organizational risks to pursuing an interdisciplinary approach to security assessments using Red Teams. These include corporate or governmental liability, the risk of injury and the potential for adverse interactions with law enforcement. The act of a physical breach, whether authorized or unknown, can expose the Red Team to external parties. Clearly defined rules of engagement provide safeguards and enable true real-time assessments. In this way, organizations can balance internal, external and stakeholder risks in support of a more holistic approach.
Addressing the assessment gaps
Security does not end with Red Team exercises, assessment or alerts; organizations must prioritize addressing the gaps and risks in their operating environments. Agencies and industry alike face increasingly complex and frequent risks, which can result in an inundation of data and over-extended resources. Once the organization completes its assessment and issues reports, the next step is to use its available data and tools to coordinate and develop appropriate responses.
Cybersecurity risk has become much larger than networks and credential security, and leaders recognize its impact on their missions. Accounting for all elements of mission delivery via an interdisciplinary approach—beyond cybersecurity—positions organizations to more effectively meet the challenge of an ever-evolving threat landscape.