You probably aren’t a physical security expert. I’m not. We should rely on people with domain expertise to design and evaluate physical security. Your task this week is to evaluate the physical security assumptions and plan at OT manned sites and areas.
- What are the physical security controls that limit and record access to control rooms, plant floors, OT data centers, and other sites where people are often present?
- Who, or what roles, are allowed physical access to the cyber assets in this area? At what times?
- What detection and logging measures for physical access are available (don’t forget about camera systems)?
Take this information and interview key people in Operations to understand if this access is appropriate. Does it follow a least privilege methodology that still allows Operations to function properly?
Control rooms and control centers tend to be easy for physical security. Plant floors and other areas where a wide variety of roles require access tend to be harder. Areas where people are always present tend to be less risky than areas that may be unmanned for hours at certain days and times.
_________
This week you should:
- Identify and document the physical security protection, detection, and logging systems that are in place.
- Identify and document where unauthorized physical access to cyber assets is possible and results in medium or high risk.
- Discuss the identified items with the physical security team and develop a plan of action to address the identified risk.