With telecommunications networks now considered critical infrastructure in the eyes of the federal government, the way we protect such assets from harm of all forms is evolving, and cyber risk emerging from physical access to hardware needs to be assessed at a large scale.
The recent Optus hack and data breach have showcased just how severe and widespread the effects of digital attacks exploiting vulnerabilities in telecommunications operators’ IT systems can be, with the information of millions of Australians potentially compromised.
As operators of far-flung physical network infrastructure, telecommunications operators face risk in the physical realm, too. Natural disaster, tampering or deliberate damage are just some of the potential risks telco operators need to think about when managing their network infrastructure.
But with corporate offices around the country, Australia’s telecommunications carriers also need to consider the physical security of their IT infrastructure.
Although most cyber attacks come from afar, in the form of ones and zeroes travelling along copper wires, fibre optic cables or through the air, some can originate from the physical actions of a person with real-world access to an endpoint of a corporate network, such as a smartphone, server, laptop or tablet computer.
All it takes is one dodgy USB stick to be inserted into someone’s business computer to access a network and cause havoc across the business. Clearly, cyber security defences against physical threats require physical measures.
With this in mind, it should come as little surprise that the Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM) provides guidance on physical security.
The ACSC’s guidance notes that the application of the ‘defence-in-depth’ principle to the protection of systems is enhanced through the use of successive layers of physical security.
According to the ACSC, the first layer of physical security involves the use of a security zone for facilities containing systems, a step that typically incorporates measures such as perimeter controls, building standards and manning levels in certain areas.
The second layer of physical security makes use of an additional security zone for digital infrastructure such as a server room or a communications room. This can be further supplemented by the use of security containers or secure rooms for the protection of servers, network devices and cryptographic equipment.
According to the ACSC, perimeter security is needed to prevent observation of, or access to, facilities containing particular systems, hardware or workstations. Computer displays, for example, should not be visible from outside the bounds of a secure area. Likewise, access points should be controlled and monitored.
In fact, when it comes to physical IT assets such as data centres – a key piece of corporate digital infrastructure – an integrated and layered approach to security should mitigate both internal and external threats. To achieve this, it should start beyond the data centre’s perimeter, and extend from the external physical perimeter through to the server room itself.
Beyond the fence, radar provides excellent wide area coverage even in conditions with no light. With a detection distance of up to 60 metres and a 180-degree arc, a person can be detected before even approaching the fence, with the detection then activating autotracking, deterrence strobes or speakers for playing warning messages.
At the fence, network video, thermal cameras, radar and analytics can typically provide the means with which to cover the entire site perimeter. At the same time, site entrances and exits form part of the perimeter and can be monitored with network video surveillance combined with technologies such as licence plate recognition.
On the interior of the site, between fences and facilities, radar can also be a valuable complementary technology to more conventional video surveillance technology, as it allows for intelligent tracking of people and moving objects across open spaces. Radar is typically also less sensitive to innocuous events that might trigger a false alarm in other types of surveillance technology.
At the server room level, high resolution cameras can be programmed to automatically pan and zoom when specific server cabinet doors are unlocked or opened, providing effective measures against the risk of someone gaining physical access to servers in order to introduce malware or spyware into the corporate network from its most vulnerable access point.
Such physical aspects of information security feed into the converged security approach – a model of protection that aims to break down business silos and empower different teams to work together towards a common goal.
With this model, it is essential that physical security teams are able to rely on technology designed to support their operational requirements and address the risks associated with physical asset security, while at the same time supporting IT security policies to ensure physical devices cannot be used by unauthorised individuals to gain backdoor access to a corporate network.
Under the converged security approach, it is understood that cyber and physical security are not separate from each other, but are intertwined and jointly responsible for the protection of corporate assets.
With all stakeholders working together, employing both physical and cyber security technology, it is possible to create a converged secure cyber and physical environment.