
Illustration by iStock; Security Management

The Blame Game: Tensions Rise When Red Team Findings Cross Silos

Although many organizations run cybersecurity tests and exercises on a regular basis, few enact regular hard penetration test regimens that combine cyber and physical intrusion attempts to test the whole of a security program, not just its parts, says Chris Tallerico, director of information security for security design, consulting, and managed services firm ZBeta.

“Security is increasing everywhere, but when it comes to planning and red team exercises, in my experience, cyber is better at least 20 to one over physical security,” Tallerico says. “I just don’t see physical security folks doing much red teaming at all, and they certainly are not engaging in tabletop exercises—which is something that’s very common in cybersecurity.”

Red team exercises often aim for cyber targets, trying to gain access to the most valuable information possible to demonstrate the severity of security vulnerabilities. But there’s an increasing balance with physical security risks and aims, says Brett Zelnio, PSP, senior consulting engineer for ZBeta.

“Convergence is over,” Zelnio says. “Everything is converged. And I believe if you’re lacking on either physical security or cybersecurity—that will be your downfall. It needs to be an equal balance to harden your stance and protect your facility.”

As Tallerico adds, “The first step in cybersecurity happens to be your physical security. I can sell you $10 million of the best cybersecurity equipment in the world; however, if you leave your doors unlocked, there’s very little that I can help you with.”

In Tallerico’s red team work, he regularly gained access to critical cybersecurity facilities using tactics completely unrelated to cybersecurity. These included donning a hard hat and safety vest before announcing to the guard at the front desk that he’s on site to perform a rooftop inspection, or leveraging a physical or logical design vulnerability in an access control system.

“I can tell you that my peers just do not take physical security of cyber facilities seriously,” he says. “It’s a huge problem, and the problem is even bigger when you start looking at critical industrial controls—power plants, substations, wind farms, and water treatment facilities are some of the most unprotected facilities when it comes to physical security of cyber assets, and the doors are wide open in a lot of cases.”

Zelnio adds, “Red teams come in and they’ve got a grocery list of the basic security hygiene items that people ignore, and they’re going to exploit those basic things,” whether it’s a common key that technicians use for access control panels, poor password management, or social engineering weaknesses.

“Keys are great, but the real Achilles heel is the human being,” Tallerico says.

After a red teaming exercise, though, this attitude can change… but not overnight. Tallerico says it’s usually a 50/50 chance of a notable change of mind. Some organizations can devolve into posturing and finger-pointing, with cyber and physical security professionals blaming each other after an exercise instead of collaborating. IT departments will blame security teams, who will pass the blame to contractors, security guards, and access control system field technicians, he adds.


Red teams come in and they’ve got a grocery list of the basic security hygiene items that people ignore, and they’re going to exploit those basic things.


“Now, occasionally you do find clients that take it very seriously and will put a plan in place to remediate [the red team’s findings],” Tallerico says. “But unfortunately, I can tell you that I have returned to the same sites that I have red teamed before and used the same compromise to gain access more than once.”

Some vulnerabilities are more likely to get immediate attention, though.

One client was particularly proud of its cybersecurity stance, boasting a secure, air-gapped, isolated network. But Zelnio and his team discovered that the company’s cybersecurity vendor had built shortcuts into the system to make maintenance easier. Those shortcuts also enabled attackers to repeatedly infiltrate the system. The findings shocked the client into near-immediate action, he adds.

Although cybersecurity contractors rarely leave backdoors open, access control, HVAC, and building management system contractors do to enable field technicians to access critical infrastructure, Tallerico says.

Patch management on devices—including video surveillance cameras—is another major common vulnerability that red teams and attackers can exploit, he notes.

On the IT side of the house, most organizations follow a very strict patch control regimen, but that discipline still has not crossed over to physical security device management.

Tallerico notes that when he was red teaming, “99 percent of the physical security systems that I had on my networks remained unpatched,” leaving them open to known exploits.
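The gap described above, between a disciplined IT patch regimen and unpatched cameras, access control panels and building controllers, is easiest to see when both are measured with the same report. The following is an added example, not code from the article or from ZBeta: it takes a constructed device inventory (the hostnames, model names and firmware versions are invented for illustration) plus a constructed table of the latest vendor firmware per model, and lists every device that is behind the latest release or has gone more than 90 days without a patch, grouped by which team owns it. Devices whose model is not in the baseline are flagged too, since an unknown device cannot be shown to be patched.

```python
"""Patch-compliance report across IT and physical security devices.

Added example (not from the article or ZBeta). All inventory entries,
model names and version numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    hostname: str
    kind: str          # "camera", "access-control", "hvac", "server", ...
    model: str
    firmware: str      # dotted version string as reported by the device
    last_patched: date
    owner: str         # "IT" or "physical-security"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'v2.10.1b' into (2, 10, 1); parts without digits compare as 0."""
    parts = []
    for p in v.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(device: Device, latest: dict[str, str]) -> bool:
    """True when the firmware is older than the known latest release.

    A model missing from the baseline is treated as outdated: with no
    reference version there is no evidence that it has ever been patched.
    """
    target = latest.get(device.model)
    if target is None:
        return True
    return parse_version(device.firmware) < parse_version(target)


def patch_report(devices, latest, today, max_age_days=90):
    """Return {owner: {"total": n, "outdated": [...], "stale": [...]}}.

    "outdated" lists devices behind the latest firmware; "stale" lists
    devices not patched within max_age_days, whatever version they run.
    """
    report = {}
    for d in devices:
        entry = report.setdefault(d.owner, {"total": 0, "outdated": [], "stale": []})
        entry["total"] += 1
        if is_outdated(d, latest):
            entry["outdated"].append(d.hostname)
        if (today - d.last_patched).days > max_age_days:
            entry["stale"].append(d.hostname)
    return report


def outdated_ratio(report, owner) -> float:
    """Fraction of an owner's devices that are behind the latest firmware."""
    entry = report.get(owner)
    if not entry or entry["total"] == 0:
        return 0.0
    return len(entry["outdated"]) / entry["total"]


# Constructed baseline: latest vendor firmware per (hypothetical) model.
LATEST_FIRMWARE = {
    "CAM-X200": "5.2.0",
    "ACS-PANEL-7": "3.1.4",
    "HVAC-CTRL-2": "1.9",
    "SRV-LINUX": "6.1.55",
}

# Constructed inventory of networked devices.
INVENTORY = [
    Device("cam-lobby-01", "camera", "CAM-X200", "4.8.2", date(2022, 3, 14), "physical-security"),
    Device("cam-dock-02", "camera", "CAM-X200", "5.2.0", date(2024, 5, 1), "physical-security"),
    Device("acs-panel-north", "access-control", "ACS-PANEL-7", "2.7.0", date(2021, 11, 2), "physical-security"),
    Device("hvac-plant-a", "hvac", "HVAC-CTRL-2", "1.9", date(2023, 1, 9), "physical-security"),
    Device("cam-gate-03", "camera", "CAM-LEGACY", "1.0", date(2019, 6, 30), "physical-security"),  # model not in baseline
    Device("app-srv-01", "server", "SRV-LINUX", "6.1.55", date(2024, 6, 20), "IT"),
    Device("db-srv-02", "server", "SRV-LINUX", "6.1.55", date(2024, 6, 20), "IT"),
]

TODAY = date(2024, 7, 1)  # constructed reporting date


if __name__ == "__main__":
    report = patch_report(INVENTORY, LATEST_FIRMWARE, TODAY)
    for owner, entry in report.items():
        print(f"{owner}: {entry['total']} devices, "
              f"{len(entry['outdated'])} outdated ({outdated_ratio(report, owner):.0%}), "
              f"{len(entry['stale'])} unpatched for >90 days")
        for host in entry["outdated"]:
            print(f"  outdated: {host}")
        for host in entry["stale"]:
            print(f"  stale:    {host}")
```

On the constructed data the IT servers come out clean while three of the five physical security devices are behind the latest firmware and four have not been touched in over 90 days. Feeding the same report a real asset inventory, with the camera, access control and building management devices included alongside the servers, gives the two teams one shared number to argue about instead of two separate regimens.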


Claire Meyer is editor-in-chief of Security Management. Connect with her on LinkedIn or reach out directly via email at [email protected].
