A typical conversation within an enterprise may go something like this: "We don't need any physical examination...
of our network for our security assessment. We only need a remote scan and some consulting time to review our firewall rule set."
Unfortunately, this attitude only considers half of the problem and can lead to some serious issues with an organization's physical network security -- or, at least, may give them a false sense of comfort that all's well.
Think back to Security 101 training and remember the CIA triad, where
C = Confidentiality
I = Integrity
A = Availability
The triad is sometimes even inverted for industrial controls security, with availability at the top of the stack. Clearly, availability is critically important for both an IT and operational technology (OT) network. But that availability must also be balanced with other considerations -- namely, physical network security.
How organizations neglect physical network security
If an organization ignores the physical layer of its network for the security assessment, it will face some challenges that could be easily avoided.
Take one site, for example, where the customer requested both a cyber and physical network security assessment. The cyber assessment included an Nmap scan checking for open ports and services, and a Nessus scan of the workstations. The scans did not reveal any serious security vulnerabilities; however, some serious concerns with the physical layer of some switches were discovered.
One switch was in a small alcove that was subject to high temperatures. The switch was connected in a rat's nest of CAT 5 cabling and power cables. Even worse, the switch was teetering on top of two two-by-four wooden boards -- presumably an attempt to help with airflow around the switch. The probability of failure of this switch was pretty high due to heat and vibration. Also, troubleshooting this switch was made even more difficult due to the jumble of unlabeled and tangled wires.
At another building, the physical layer of a critical office network was inspected face to port. In this case, a stack of two switches and a router were discovered in a boiler room. The stack was not installed in any rack, but was instead literally set atop a stack of books resting on an old wooden desk. The probability of failure of this network array was increased by the location -- a hot boiler room -- the unanchored stacking of the switches and router, and the use of some old books to elevate the stack above the desk and adjacent piping.
Unfortunately, the two examples above are frequently observed on both IT and OT networks when a physical network walk down is done. And neither example, as with other similar ones, would be detected by remote scans or ping sweeps.
Prioritizing physical network security
When preparing to do a network security assessment, include the standard Nmap, Nessus and other cyberscans to locate vulnerabilities. It's also a good idea to either hire a consultant or use in-house staff to literally walk down the networks and check for the following:
- Verify the network drawing is accurate all the way down to the physical port connections;
- Check the port connections to ensure that unauthorized connections are not attached to open ports;
- Check that all network architecture -- including switches, routers, hubs, taps and so on -- are reflected on the network drawings;
- Ensure that network architecture and cables are structurally secure -- i.e., tied down, installed in racks and so on -- and that the equipment is not subject to overheating or freezing; and
- Confirm that all vents are clean, and that the cooling fans are operating properly.
This may not sound like rocket science, but doing physical network security checks in conjunction with cyberscans is worth the effort and time. Besides, think of how you would feel telling your CIO or CISO that the switch failed because it "fell off of the stack of books."
Learn about the FCC's proposal for changing Wi-Fi security
Find out how to identify the warning signs of network intrusions
Discover what enterprises need to know about network traffic blocking