Cyber and Physical Protection Go Together
Homeland Security Conference 2013 Show Daily, Day 1
All too often, cyber and physical protection are considered separately, when really they go hand-in-hand, according to experts speaking at the first day of the AFCEA Homeland Security Conference in Washington, D.C., February 26, 2013. The conference opened with a half-day of conversation about hackers, terrorists and natural disasters and addressed concerns involving both physical infrastructure and the cyber environment for all kinds of attacks, be they physical, virtual or even natural in origin.
Richard Puckett, chief security architect for GE, drove home the point that physical infrastructure, such as power plants, has a cyber component. “People want to be able to walk around a power plant with an iPad. They want to attach remotely to these systems, because it is an incredibly powerful and attractive tool. It’s very visceral to them,” he said. “What we’re concerned about as we see those increased patterns of connectedness is how to protect that.”
Puckett emphasized that the relationship between cybersecurity and physical infrastructure was a focus of government and military, noting that the term "cyber" means a lot of different things to different people and for the private sector was more connotative of personal and financial cybersecurity.
Paige Atkins, vice president of cyber and information technology research, Virginia Tech Applied Research Corporation, said that part of the problem is that cyber is sometimes a difficult concept. “Cyber is a little harder for us to understand and grasp because it is not as graphic,” she said. “In my personal experience, the cyber-physical area is underappreciated and not fully understood.”
Fellow panelist Darren Ash, deputy executive director for corporate management and chief information officer for the U.S. Nuclear Regulatory Commission (NRC), which oversees civilian usage of nuclear power, said that the key organization within the NRC that oversees physical security also oversees cybersecurity.
The NRC in recent years has approved licenses to build new nuclear power facilities and is requiring companies to include cyber protection. This fiscal year, the agency begins inspecting to ensure the companies are complying with requirements. “We look at it holistically and ensure those licensees have protections in place,” Ash said.
The cybersecurity panelists also addressed mobile devices and cloud computing, but Atkins said all too often experts need to change focus. “We spend too much time trying to solve yesterday’s problems, and we aren’t addressing unpredictability.” She added that research and development and public-private partnerships are critical as the nation moves forward.
The Critical Infrastructure panel also addressed both physical and cyber protection. William Bryan, deputy assistant secretary for infrastructure security and energy restoration, Department of Energy, said that addressing critical infrastructure requires addressing cyber and natural disaster resilience and recovery.
Jeffrey Mazer, physical scientist for the Selection Management Office's Technology Innovation Program at the National Institute of Science and Technology (NIST), said that solar power technology can play a role in keeping the power grid running in the aftermath of a disaster. “Photovoltaics is a mature, robust technology, and it’s quite well suited for supporting critical infrastructure during long-term outages,” he asserted.
He cited examples of photovoltaic technology being used with microwave repeaters on mountaintops in remote areas. Photovoltaic energy, he said, is used at Kirtland Air Force Base, New Mexico, for remote communications. Mazer, who works with the Smart Grid program at NIST, said that advanced energy storage technology will be a critical part of Smart Grid. “As Smart Grid develops, renewables will become a bigger and bigger part,” he stated.
The luncheon keynote speaker, on the other hand, focused almost entirely on protection of physical structures as he gave a behind-the-scenes view of protecting hotels from terrorist attacks. The hospitality industry--hotels, in particular--has been the object of many terrorist attacks in recent years.
Alan Orlob, vice president, global safety and security, Marriott International, said he was surprised to see the scene involving a Marriott hotel bombing in the movie Zero Dark Thirty. The scene showed the explosion just as he was thinking it really did look like the Marriott, Orlob reported.
In that incident, he said, a dump truck loaded with explosives rammed the concrete barriers surrounding the hotel and got stuck, unable to move forward or back, so the driver detonated the explosives where he was. Although the barriers were further away from the hotel than required, the blast was strong enough to cause significant damage.
In another terrorist attack, he said, a florist working at one hotel provided access to a bomber.
Orlob's first-person accounts of two 2009 attacks on hotels in Indonesia illustrated the need to train first responders and to address evacuation plans.
The conference continues today with keynotes from Gen. Michael V. Hayden, USAF (Ret.), and author John Fass Morton, and panels on biometrics/identity management and information/intelligence sharing.