Douglas Miorandi discusses the importance of pairing physical security and cybersecurity to protect data from all types of attacks in the nuclear sector
When a data breach makes headlines, people assume it resulted from a cyberattack. Indeed, from Facebook to Google to Uber, these types of hacks have made headlines around the world.
However, protecting data against physical threats like flash drives or other recording devices is just as crucial.
Edward Snowden entered the cultural lexicon in 2013 after he physically downloaded and leaked thousands of classified National Security Agency documents to journalists. He is neither the first nor the last employee to attempt to smuggle secrets out of a building. Physical data security is often overlooked.
The nuclear industry is no stranger to maintaining high-security measures. The US Nuclear Regulatory Commission (NRC), requires nuclear power plants and some fuel facilities to have security measures in place. According to the NRC nuclear security report, while security for nuclear and energy facilities has always been a top priority, 9/11 created a push for even stricter requirements for power plants, such as upgraded physical security plans and more restrictive site access controls.
Since the dawn of the digital age, we have fought cyber pirates with tools like firewalls, encryption, strong passwords, antivirus software and white-hat hackers. But with so much attention on protecting against cyber risks, we sometimes forget about the other side of the coin: the risk that data will be physically removed from a facility.
According to a report by the International Atomic Energy Agency (IAEA) on Nuclear Security Management for Research Reactors and Related Facilities, more than 70% of research reactors are more than 30 years old, and present-day security considerations were not taken into account when these facilities were built. Though many facilities have been upgraded, the upgrades may still not give adequate consideration to security and original security features may have degraded with age.
There are four main risks to physical data security facing nuclear facilities: insider threats, outsider threats, innocent personal items and inadequate security screening.
1. The insider threat
Every facility probably has at least one disgruntled employee working for them, whether they know it or not, and every organisation is at risk of having data walk out the building with that employee.
People steal data from their workplaces as a means to an end, whether it is to expose something embarrassing or damaging in a personal vendetta. Or they can sell it to a competitor or the media and benefit financially, so they don’t even have to be disgruntled; they might just want a quick way to make a buck. This can happen to private companies as well as government agencies – don’t forget that Snowden was a contractor working for the NSA.
Financial data can also be attractive, for insider trading or to sell to the competition.
2. The outsider threat
Nuclear facilities in the private or government sector also have to be wary of threats from outsiders.
These can come in the form of the corporate spy – someone specifically hired to pose as a legitimate employee or private contractor to extract information – or the opportunistic thief. That might be a contractor hired to work on a server or in sensitive areas who sees an opening and seizes it. Both types of threat are equally damaging to sensitive data.
3. The ‘innocent’ personal item
There are two types of personal items that can be used to steal data. One is commercially available ‘off the shelf’, and the other is intentionally disguised.
Commercial devices include SD cards, external hard drives, audio recorders and smartphones, any of which can be used to transport audio, video and computer data in and out of a facility. Disguised devices are straight out of a spy novel; they could be a recording device that looks like a car key fob, or a coffee mug with a USB drive hidden in a false bottom.
The difference between commercial and disguised devices is that security will know what the former is and can confiscate it. The disguised device looks like a security-approved item anyone could be carrying.
Additionally, sometimes these devices are not only used to bring information out of a facility; they could also damage a server or hard drive once plugged into a computer or the network.
Some are both – a recording device that extracts data and then destroys a hard drive.
4. Poor or nonexistent screening
The fourth risk amplifies the other three. Whether it is an employee, an outside contractor or a device, the physical security risks are real, and everyone and everything entering and leaving a facility must be screened.
Unfortunately, screening is often not occurring at all, or is ineffective or inconsistent. Even companies with airtight cybersecurity protocols can sometimes fall down when it comes to physically screening people and stopping them from taking data on recording mediums.
This is a huge mistake, and the consequences can be dire. They include loss of customer trust, costly lawsuits and falling stock prices in the private sector, and risks to national security in the public sector. Costs and resource needs rise during efforts to reactively fix or mitigate the effects of physically stolen data.
What can be done to combat these four physical risks to data security?
Not long ago, the physical security department and the cyber security department were considered two different entities within an organisation, with little overlap or communication. Organisations now are realising that, because of the level of risk they face from internal and external threats, they must take a holistic approach to data security. Physical data security and cyber security must combine.
Using the right technology is also key. In physical security, many problems can be avoided by simply using the right technology to detect devices that can bring threats in and carry proprietary information out.
Electronics such as hard drives, cell phones, smart watches, SD cards and recording devices have a magnetic signature because of the ferrous metals inside them. Using a ferromagnetic detection system (FMDS) as people enter and exit a building or restricted area means that anything down to a small microSD card triggers an alert, allowing confiscation or further action as needed.
FMDS cannot be shielded because it detects a magnetic signature, making it highly effective for detecting small devices like a USB or SD card.
Although it is a passive technology, it is more effective and reliable than using hand wands or the walk-through metal detectors typically seen in an airport, which cannot detect very small ferrous metal objects.
Recognising the existing threats, putting together a holistic security strategy, and using the right technology to detect illicit devices is an effective three-pronged approach to protecting an organisation’s data. Strong countermeasures are necessary because data loss can come from both inside and outside, in both private and public sectors, from places not everyone thinks of – and with technology like FMDS acting as a backup to the human element, organisations can securely lock down their data.
Douglas Miorandi is director of federal programmes, counterterrorism and physical data security at Metrasens