Executive Summary

The Organization for Security and Cooperation in Europe (OSCE) has released a new technical guide urging its participating states and critical infrastructure operators to break down the traditional silos between physical and cybersecurity. The guide, titled "Technical Guide on Physical Security Considerations for Protecting Critical Infrastructure against Terrorist Attacks," argues that the increasing convergence of Information Technology (IT) and Operational Technology (OT) makes a unified security strategy essential. The document warns that physical security can be defeated by cyber means, and vice-versa. It provides a series of technical and policy recommendations to help organizations build a holistic security posture that addresses the blended threats of the modern era, where remote cyberattacks can have kinetic, real-world consequences.

Policy Details

The OSCE's guidance is a strategic call to action, recognizing that the digitization of critical infrastructure has fundamentally changed its risk profile. Key principles and recommendations from the guide include:

• Cyber-Physical Convergence is Reality: The guide explicitly states that physical and cybersecurity are "deeply intertwined." An example would be a cyberattack that disables a facility's electronic access control systems, allowing physical entry for an attacker. Conversely, a physical breach could give an attacker hands-on access to OT/ICS equipment.
• Expanded Attack Surface: The connection of Industrial Control Systems (ICS), HVAC, and other operational technologies to the internet has created a global attack surface. Threat actors no longer need physical proximity to disrupt or destroy critical infrastructure.
• Holistic Security Framework: The document advocates for a single, integrated security framework that covers both cyber and physical domains. This includes unifying risk assessments, incident response plans, and security governance.
• Data Sovereignty and Contractor Standards: The guide advises states to ensure that contractors handling sensitive infrastructure data meet minimum cybersecurity standards and to strive for data sovereignty to prevent foreign access to critical information.

Affected Organizations

The guidance is aimed at a broad audience involved in the protection of critical infrastructure, including:

• OSCE Participating States: National governments are encouraged to adopt these principles into their national security strategies and regulations.
• Critical Infrastructure Owners and Operators: Companies in sectors like energy, water, transportation, and telecommunications are the primary audience for implementation.
• Security Professionals: Both physical security managers and cybersecurity analysts are encouraged to collaborate and share intelligence.

Impact Assessment

The adoption of the principles in the OSCE guide would lead to significant changes in how critical infrastructure is secured:

• Organizational Restructuring: Security teams may need to be reorganized to eliminate silos, creating converged security operations centers (SOCs) that monitor both physical and cyber alerts.
• Increased Investment in OT Security: Operators will need to invest more in securing their Industrial Control Systems, which have historically lagged behind IT systems in terms of security maturity.
• Integrated Risk Management: Risk assessments will need to consider blended, multi-stage attack scenarios that cross the cyber-physical divide (e.g., a phishing attack to steal OT credentials, followed by a remote shutdown of a power grid).
• Enhanced Regulatory Requirements: Governments may translate this guidance into binding regulations, forcing operators to demonstrate a unified security posture.

Compliance Guidance

To align with the OSCE's recommendations, critical infrastructure operators should:

1. Form a Converged Security Committee: Establish a cross-functional team with representatives from physical security, cybersecurity, engineering, and operations to oversee the integrated security strategy.
2. Conduct a Unified Risk Assessment: Perform a risk assessment that specifically evaluates cyber-physical attack scenarios. Identify critical OT assets and map their dependencies on IT systems.
3. Deploy OT-Specific Monitoring: Implement network monitoring solutions specifically designed for OT environments. These tools can passively monitor traffic on ICS networks to detect anomalous commands or behavior without disrupting sensitive processes. This aligns with D3FEND's D3-NTA: Network Traffic Analysis.
4. Integrate Physical and Cyber Incident Response: Develop and drill incident response playbooks for scenarios that involve both domains. For example, a ransomware attack on an ICS should trigger a physical security response to secure the facility and prevent unauthorized physical access.
5. Secure Remote Access: Implement strong authentication and access controls for all remote access to OT networks. Use jump boxes and enforce MFA for all administrative sessions. This is an application of D3FEND's D3-MFA: Multi-factor Authentication.