By Douglas Miorandi, Director of U.S. Federal Programs at Metrasens
These days, when a data breach makes headlines, people are conditioned to assume it resulted from a cyberattack. With so much attention on cyber-risks, we sometimes forget about the other side of the coin: the risk that data will be physically removed from a facility.
The protection of data against physical threats like flash drives or other recording devices is just as crucial. Edward Snowden, for example, entered the cultural lexicon in 2013 after he physically downloaded and leaked thousands of classified National Security Agency documents to journalists. The truth is that he is neither the first nor the last employee to attempt to take confidential data out of a building.
And yet, physical data security is often overlooked within energy facilities – where the stakes could not be higher.
The nuclear and energy industries certainly emphasize high security measures. The United States Nuclear Regulatory Commission (NRC) requires nuclear power plants and some fuel facilities to have well-equipped security measures in place. According to the NRC nuclear security report, while security for nuclear and energy facilities has always been a top priority, 9/11 created a push for even stricter requirements for power plants, such as upgraded physical security plans and more restrictive site access controls.
Yet, even though energy facilities are required to maintain high security protocols, there are four main risks to physical data security that often don’t receive as much attention as they should.
Keeping the following risks in mind is imperative when creating a comprehensive approach to protecting critical assets.
Risk One: The Insider Threat
Every energy facility most likely has at least one disgruntled employee, whether it knows it or not, and that means every organization is at risk of having data walk out of the building with that employee.
People steal data from their workplaces because they see some means to an end, whether it’s to expose something embarrassing or damaging due to a personal vendetta, or because they can sell it to a competitor or the media and benefit financially – meaning they don’t even need to be disgruntled; they might just want a quick way to make a buck. This can happen to private companies as well as government agencies.
Risk Two: The Outsider Threat
Energy facilities in the private or government sector need to be wary of threats from outsiders. These can come in the form of the corporate spy – someone specifically hired to pose as a legitimate employee or private contractor in order to extract information – or the opportunistic thief – a contractor hired to work on a server or in sensitive areas who sees an opening and seizes it.
Both are equally threatening to sensitive data.
Risk Three: The Seemingly Innocent Personal Item
There are two types of personal items that can be used to steal data: the commercially available off-the-shelf (COTS) variety, and the intentionally disguised variety.
COTS devices include SD cards, external hard drives, audio recorders and even smartphones, any of which can be used to transport audio, video and computer data in and out of a facility.
Intentionally disguised devices could be a recording device that looks like a car key fob, or a coffee mug with a USB drive hidden in a false bottom.
The difference between COTS and disguised devices is that if one gets caught with a COTS device, security will know what it is and can confiscate it. The disguised device looks like a security-approved item anyone could be carrying into the workplace, making it especially devious.
Risk Four: Poor or Nonexistent Screening
Unfortunately, screening of employees and outside contractors sometimes isn’t occurring at all, or is ineffective. Even companies with airtight cybersecurity protocols can sometimes fall down when it comes to physically screening people and stopping them from taking data out on recording media.
This is a huge mistake, and the consequences can be dire. Be it in the private or public sector, the risk has never been greater that information will be physically removed from a facility on a piece of hardware.
Fighting the physical threats to data security
Energy facilities must take a holistic approach to data security. Physical data security and cybersecurity must be considered the yin and yang of a policy that effectively protects sensitive or confidential assets from a malicious attack. Combining these elements leads to better results.
Because protecting the physical security of data entails a physical approach, many problems can be avoided by simply using the right technology to detect devices that can bring threats in and carry proprietary information out.
Electronics such as hard drives, cell phones, SD cards and recording devices have a magnetic signature because of the ferrous metals inside them. Using a ferromagnetic detection system (FMDS) as people enter and exit a building or restricted area means that anything down to a small microSD card triggers an alert, allowing confiscation or further action as needed.
Recognizing the existing threats, putting together a holistic security strategy, and using the right technology like FMDS to detect illicit devices comprise an effective three-pronged approach to protecting a facility’s data.
Strong countermeasures are necessary because data loss can come from both inside and outside, in both private and public sectors, and from places not everyone thinks of. By incorporating technology like FMDS into their screening methods, organizations can securely lock down their data.
Douglas Miorandi is director of federal programs, counterterrorism and physical data security for Metrasens. Miorandi can be reached at email@example.com