The Cybersecurity and Infrastructure Security Agency is known for issuing cybersecurity advisories and guidance to help network defenders stay up to date on the latest digital threats and best practices.
But CISA’s Infrastructure Security Division is also working on ways to raise awareness of overarching “physical security” threats to critical infrastructure sectors.
David Mussington, CISA's executive assistant director for infrastructure security, said the agency is currently developing “physical security performance objectives” similar to the cross-sector cybersecurity performance objectives CISA released for critical infrastructure last year.
“Right now, they're doing inter-agency coordination,” Mussington said in an interview. “In the future, after the inter-agency consensus is reached, they will then coordinate with various industry stakeholders to ensure that they have goals and practices that are customized to the needs of specific industries.”
“It's one thing to say generally, 'You should manage insider threats,' but it's quite another to say how to do that in your specific industry,” he added. “And that's what we're aiming for.”
One of CISA's primary roles is to serve as the “national coordinator” for critical infrastructure security and resilience, and Mussington noted that insider threats and other risks to the 16 critical infrastructure sectors are “getting worse.”
Government officials have warned in recent years that both cyber and physical threats to U.S. critical infrastructure have increased.
A 2023 assessment by the North American Electric Reliability Corporation (NERC) highlighted an increase in security incidents affecting power infrastructure, including ballistic attacks, vandalism, intrusions and theft. It warned of threats from both foreign and domestic extremists.
NERC's assessment also called for the development of cyber and physical standards for electric infrastructure.
In a follow-up email after Federal News Network's interview with Mussington, a CISA spokesperson said that once the physical security performance goals are finalized, the agency will work with other agencies and the private sector to determine whether sector-specific goals are needed.
“PSPG enables critical infrastructure owners and operators, especially those with limited resources, to effectively identify and manage physical security risks, implement comprehensive security plans, and communicate funding needs for security hardening as needed,” the spokesperson wrote. “It also provides security hardening options that can be tailored to the needs of each facility, which is important given the different levels of funding available for security and risk tolerance between organizations.”
Meanwhile, CISA released physical security performance objectives specific to religious institutions in December. The agency released the guidelines in response to heightened threats to religious institutions following the outbreak of hostilities between Israel and Hamas.
The document details steps these institutions can take to strengthen their security, ranging from preventive and detection measures, such as implementing video surveillance and strong cyber hygiene, to response and recovery procedures, such as developing emergency response plans.
Mussington said the goal of CISA's faith-based guidance is to give religious institutions concrete options for improving their physical security in an easy-to-understand format, rather than relying on security experts' jargon.
“This is being translated into language that non-security experts can understand, with a view to injecting expertise into programs that organizations can create on their own,” Mussington said. “So we're not trying to impose a single model on people, but we're trying to give people access to abstract information from very complex literature in sources they might not normally use.”
As CISA develops broader critical infrastructure security performance goals, the agency's follow-up work to translate high-level objectives into concrete practices across industries and sectors will be crucial, Mussington said.
“There are generic versions, but the goals applied to your specific business environment allow you to pull together metrics for your program and see how you are doing against best practices and industry benchmarks,” Mussington said. “So it's about revisiting and reaffirming best practices through benchmarking, lessons learned, training for staff and managers, and making sure they're aware of what their risk landscape is.”
“National Safety Month”
The development of these goals comes as CISA prepares to raise public awareness about physical security during National Safety Month in June. The agency is highlighting existing efforts in the area of physical security, including its Bomb Threat Guide and Insider Threat Mitigation Guidance.
“Now is the time to focus on how to keep the work environment safe and hazard-free,” said Mussington. “Workplace safety is centered around planning what to do to avoid foreseeable and unforeseeable risks.”
Mussington also chairs the Interagency Security Committee, which addresses government-wide security at federal facilities. Like CISA’s cybersecurity work, the agency’s messaging on federal facility security focuses on “resilience” as well as defense.
“We think it's important to focus on the resiliency of the federal government's ability to deliver services and maintain the safety and security of our facilities,” Mussington said. “So recovery from disruptions is also a central feature of these programs. So, part of the focus of our plans is to return to reduced services for a period of time while we restore full services in security environments that have unfortunately experienced incidents.”
Copyright © 2024 Federal News Network. All Rights Reserved.