IT & Facility Security Officer Disconnect

“The disconnect between the IT departments and the Facility Security Officer.”

To recap from last week, we discussed the requirements of a facility security officer’s responsibility to make notifications to the NCCIC and the NRC in the case of any suspicious activity or breaches of security that are cybersecurity-related. This week we will be discussing “The disconnect between the IT departments and the Facility Security Officer.”

Since the release of NVIC 01-20 “GUIDELINES FOR ADDRESSING CYBER RISKS AT MARITIME TRANSPORTATION SECURITY ACT (MTSA) REGULATED FACILITIES,” Facility Security Officers have been left with few options on how to approach the guidelines. The facility security officer is often left to his own devices to figure out how to comply with these guidelines. There is a fundamental disconnect between the IT departments and the facility security officer from implementation to notification procedures.

In many MTSA facilities, the IT department and facility security officer do not talk at all. For example, we recently had a facility where the facility security officer properly reported a phishing campaign that successfully accessed the facility’s servers and sent out an email to all corporate employees and vendors on behalf of the person who allowed access via the campaign. However, when corporate IT was contacted by the U.S. Coast Guard, NCCIC, and FBI, they took offense to the phone call being made and didn’t understand why it was made. When the FSO was asked why the call was made, a statement of “It was just Phishing; it happens every day” was made to the FSO. First of all, that is the wrong attitude to have. Secondly, the FSO was criticized and ridiculed for doing correctly when the IT department failed to understand the regulations. Finally, only when a third party contractor and the U.S. Coast Guard outlined the reporting requirements for phishing incidents did the IT department acknowledge the FSO was correct in reporting the incident.

This example goes to show you the disconnect between the two departments. The IT department and security departments need to work just as smoothly as the safety and security do. How do we do that? Unified security. A unified security department brings together complementary skill sets and enables a more effective physical security model. Take, for example, a common physical security device, the IP CCTV camera. Because this device sits on an IT network, a typical network administrator can determine the relative health of the device and whether it is operational. However, it takes a security professional to understand the optimal placement of the camera, why such a device may malfunction and what action should be taken when an alarm is triggered. Thus, both the network specialist and security specialist provide value to the security organization.

Borrowing a page from the Department of Homeland Security, many leading organizations are modeling their global security operations ­centers into fusion centers that bring together all security areas — physical, cyber and privacy — to accomplish more together. The idea here is simple: While physical security and cybersecurity sometimes oversee different assets, efficiencies in risk management are clear.