Explained: NIST SP 800-82r3 and physical security
Victoria Rees
Ter Govang, CPP, CISSP, CCMP, Founder and President of Portcullis Modern examines the impact of new guidelines for corporate and physical security.
Physical security and cybersecurity
In September 2023, the National Institute of Standards and Technology (NIST) released a revised special publication, NIST SP 800-82r3, Guide to Operational Technology (OT) Security, which directly affects physical security systems.
Traditionally, cybersecurity frameworks were separate from corporate security operations.
Yet current trends towards increased connectivity between information technology, cyber and physical security have necessitated a more integrated approach.
Corporate security departments have turned to standards and guidelines from organizations like ASIS, ISO, ANSI, UL/ULC, BICSI, NERC and manufacturers for best practices related to the design, implementation and operation of their systems.
Conventional physical security systems (PSS) have functioned independently, with network segregation and reliance on legacy point-to-point input/output forms of integration.
This limited the involvement of resources outside of the corporate security function.
However, the increasing convergence, driven by factors such as the internet of things (IoT), is yielding new avenues.
PSS intersecting with corporate IT networks presents both opportunities and challenges, requiring a reframed security strategy that bridges these conventionally disparate functions.
Close engagement between CISOs and CSOs and their teams can significantly improve security management by combining resources.
Each group brings unique expertise and perspectives that, when combined, can enhance the overall security posture of an organization.
By leveraging industry standards, best practices and frameworks from both cyber and physical, organizations can develop a cohesive security strategy that addresses the unrelenting threat landscape.
Collaborative security: a best-case scenario
As with any notable change, impacts have pros and cons, with some forces pushing for and others resisting the blending of traditional boundaries.
The merging inevitably muddles the clear delineation of responsibilities that previously existed, and this change will undoubtedly face resistance from stakeholders who perceive it as a threat to their established structure.
Initially, some may even interpret SP 800-82r3 as suggesting a potential shift in the ownership and control of physical security assets now that they are viewed through the OT lens.
Unifying security domains is not about transferring ownership or control, but rather fostering a united front to leverage the collective expertise and capabilities of corporate security, cybersecurity and IT personnel to achieve a more robust and comprehensive posture that addresses increasing cyber-physical security threats.
This unified approach aims to create a cohesive security strategy that seamlessly integrates physical and cyber security measures, ensuring a holistic defense against the evolving threat landscape.
While the PSS/OT purview may initially raise concerns among C-suite executives and security leaders, NIST does a commendable job of articulating the importance of collaboration between the CISO, CSO and respective teams.
In an enterprise structure, it presents a best-case scenario, offering guidelines while introducing opportunities for new, more cohesive ways of working.
NIST specifically emphasizes the need for strong working partnerships between the CISO and CSO, highlighting the CEO’s or COO’s ultimate accountability for the security of OT systems.
Board-level executives should note the cross-functional team criteria, which underscore the need for greater alliances between corporate security and cyber programs.
The CSO and CISO must work together to ensure that all cyber-physical systems are properly secured and that the mutual security posture is consistently maintained.
While the publication addresses control system engineers, IT professionals working with OT, security consultants, OT system managers and OT security program leaders, it notably omits PSS operators, administrators and analysts.
Organizations will be best served by leveraging specialized physical security resources as part of cross-functional working groups to forge stronger alliances across domains.
PSSs are advancing, with technologies like AI, machine learning and deep learning outpacing the technical capabilities of corporate security departments.
This reality is often evident in the way costly enterprise physical access control systems (PACS) are deployed in a rudimentary fashion, serving merely as basic door alarm monitoring, with access control reduced to simple keyless entry, never reaching its full optimized potential.
While this observation may elicit strong reactions from some readers, it highlights the need for corporate security teams to continuously upskill and work with technical specialists to harness the full capabilities of advanced functionality.
Failure to do so not only represents a missed opportunity, but also potential security risks, as underutilized systems leave vulnerabilities unaddressed.
The paradigm shift
Physical security was previously exempt from OT, likely due to industry’s narrow definition.
Gartner defined it as “hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”
This definition excluded security systems despite their relevance and criticality to industrial applications.
The former thinking around physical security was reactive, treating it as an afterthought.
Numerous cases exist where security concepts and elements were introduced after schematic design or even after construction had started, leading to suboptimal solutions like surface-mounted conduits because security was not considered during initial planning stages.
NIST defines OT as a broad range of programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment.
These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes and events.
The inclusion of PSS represents a change in thinking, recognizing the convergence of cyber-physical structures and the need for a proactive security methodology from the outset of any project or initiative.
The threshold to provision for convergence?
Vulnerabilities in end devices, legacy systems and IoT components are commonly overlooked, undervalued or misunderstood.
However, these vulnerabilities are not exempt from physical security and failing to address them can have detrimental consequences.
For example, when it comes to mechanical HVAC systems, IT plays a supporting role to the leading discipline.
Similarly, where physical security is scoped, IT/cyber isn’t best suited to lead the design, development or operations of discipline-specific elements.
Instead, a partnership should be adopted that leverages the respective expertise of each domain.
Likewise, physical security leaders must understand the impacts their systems have at the application and data levels.
They bear responsibility for ensuring the performance and suitability of the chosen technology, as well as how these devices and infrastructure integrate into the overall organizational structure and align with governance, risk and compliance (GRC) requirements.
Leaders need to recognize and adhere to IT policies, proactively engaging vendors to ensure solutions meet expectations before finalizing standards, design selections and procurement.
CSOs’ physical security teams possess a profound understanding of the physical and operational requirements of OT systems.
Their expertise is invaluable in supporting IT throughout the design, development and deployment phases of the system lifecycle.
Also significant is the intricate relationship between physical and digital spaces, since physical access serves as a precursor to logical access.
In the event of a cyber incident, physical consequences can have severe impacts on people, psychological safety, equipment and the environment.
CSOs are best positioned to analyze these physical risks and impacts, guiding IT to ensure the overall safety of the system, physical assets and personnel.
OT systems differ from traditional IT in terms of their operational requirements, with stricter demands for reliability, availability and other key factors.
Corporate security intimately understands these characteristics and can provide insight into the physical nature of OT architecture, further closing the gap between cyber-physical applications.
The role of physical security in managing critical areas and applications
Cyber and corporate security present opportunities for both domains to complement each other synergistically.
Physical security measures directly support IT through comprehensive testing, including coverage criteria for access points, interface testing between physical and logical access systems and backup environments for critical systems and infrastructure.
Equally, access control logic, behavior reviews, job change monitoring and other measures fulfilled by corporate security can provide valuable key performance indicators (KPIs) that contribute to the overall security posture of multiple IT systems.
Conversely, IT can support corporate security in areas such as privileged account management, dual custody scenarios and managing access to sensitive areas like server and network termination rooms designated as no-lone zones.
Additionally, IT security can bolster corporate security efforts through endpoint security, identity and configuration management, verification of device health status, device level behavior modeling, device property management, remote management and geolocation tracking.
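The interface testing between physical and logical access systems and the no-lone zone controls described above can be checked continuously by correlating PACS badge events with logical logon events. The following is an added example, not code from the article or from Portcullis Modern; the badge and logon records, room name "SRV-01" and host name are constructed for illustration, and the two checks (a console logon by someone with no active badge-in, and a no-lone zone left with a single occupant) are one possible detection design, not a NIST-specified one.

```python
from datetime import datetime

# Constructed sample data (not from the article). Badge events stand in for a
# PACS export; logon events stand in for a SIEM export of console logons.
# Room "SRV-01" is a server room designated a no-lone zone.
BADGE_EVENTS = [
    # (timestamp, user, room, direction)
    (datetime(2024, 6, 3, 9, 0), "alice", "SRV-01", "in"),
    (datetime(2024, 6, 3, 9, 2), "bob", "SRV-01", "in"),
    (datetime(2024, 6, 3, 9, 30), "bob", "SRV-01", "out"),
    (datetime(2024, 6, 3, 9, 45), "alice", "SRV-01", "out"),
]
LOGON_EVENTS = [
    # (timestamp, user, host, room where the host's console is located)
    (datetime(2024, 6, 3, 9, 5), "alice", "kvm-srv01", "SRV-01"),
    (datetime(2024, 6, 3, 9, 40), "carol", "kvm-srv01", "SRV-01"),  # carol never badged in
]


def occupants(badge_events, room, at):
    """People whose most recent badge event for `room` at or before `at` is an 'in'."""
    state = {}
    for ts, user, r, direction in sorted(badge_events):
        if r == room and ts <= at:
            state[user] = direction
    return {u for u, d in state.items() if d == "in"}


def logons_without_badge(badge_events, logon_events):
    """Console logons in a room where the user has no active badge-in.

    A hit means the physical and logical access records disagree: possible
    tailgating, shared credentials, or a PACS/IdP integration fault.
    """
    return [(ts, user, host) for ts, user, host, room in logon_events
            if user not in occupants(badge_events, room, ts)]


def no_lone_zone_violations(badge_events, room, min_seconds=60):
    """Intervals longer than `min_seconds` in which `room` had exactly one occupant."""
    events = sorted(e for e in badge_events if e[2] == room)
    violations = []
    for i, (ts, _, _, _) in enumerate(events):
        occ = occupants(events, room, ts)
        # The state holds until the next badge event for this room.
        end = events[i + 1][0] if i + 1 < len(events) else ts
        if len(occ) == 1 and (end - ts).total_seconds() > min_seconds:
            violations.append((ts, end, next(iter(occ))))
    return violations
```

On the constructed data the first check flags carol's 09:40 logon, and the second flags the two intervals in which alice was alone in the room (before bob arrived and after he left).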
Improperly executed, combining safety, security and control functions into a single system can introduce new risks, such as a compromise enabling attacks to propagate and impact multiple systems.
Strong physical security controls are essential to mitigating these risks and shaping the integrity and resilience of OT infrastructure.
The integration of PSS/OT blends IT/cybersecurity and corporate risk management functions, indicating a shared responsibility for securing systems across all stakeholders.
While corporate security’s primary objective is to safeguard organizational assets and reputation, IT security can support by implementing multi-layered controls and establishing safeguards to prevent single points of failure.
Adopting a defense-in-depth approach, coupled with continuous upskilling, minimizes the impact of any mechanism failure and ensures the overall security posture is not undermined by inadequate implementation, control or maintenance of PSS measures.
Developing an overarching cyber-PSS strategy that considers the complete system lifecycle, from conception to commissioning, is imperative.
To protect people and assets adequately, organizations must refine and supplement current risk management strategies to address OT-specific constraints and requirements.
Transparent boundaries and delegated responsibilities
Neglecting or delaying security considerations in projects or relying on reactive patching will inevitably result in substantial losses.
In modern, highly interconnected topologies, security must be an integral part of the project strategy from the outset to achieve success.
CIOs, CISOs and CSOs must engage closely, acknowledge and seek out diverse areas of expertise and work together to develop a comprehensive and cohesive organizational security design and operational model.
Each group brings a unique perspective to the table that is foundational for effective security risk management.
The latest release of NIST SP 800-82r3 brings physical security systems within the scope of OT, creating a situation where transparent boundaries and clearly delegated responsibilities are needed.
While the changes may face initial resistance, the goal is to foster a united front on security; collaboration can significantly enhance security management functions by leveraging their respective expertise, best practices and active engagement with management, engineers, operators and qualified advisory teams.
An overarching cyber-physical strategy that considers the full system lifecycle, from concept and design to sustainment, is foundational to realizing security objectives and managing risks effectively.
Organizations that refine and supplement their risk management strategies to address integrated OT-specific criteria will be best positioned to prevent PSS attacks and protect corporate assets.
About the author
Ter Govang owns Portcullis Modern, a security industry advisory firm that specializes in technical and management consulting.
She holds the ASIS Certified Protection Professional, ACMP Certified Change Management Professional and ISC2 Certified Information Systems Security Professional certifications.
This article was originally published in the June edition of Security Journal Americas.