Are You Prepared for Cross-Domain Threats?

C-level security leaders from leading organizations weigh in on the risks and opportunities of the expanding risk landscape.

---

In the UK, a ransomware attack against a major retailer halted its online sales, impacted operations at a key distribution center, and created inventory issues in stores. In the now well-known attack against Change Healthcare in the U.S., 74% of hospitals reported direct patient care impact, pharmacies were unable to fill prescriptions, and hospitals had to divert patients to other facilities or revert to paper processes. Another ransomware attack against an aviation IT provider led to flight cancellations and delays at several large European airports. 

As the world becomes increasingly digital, organizations are encountering more of these intersections between the digital and the physical domains. The expanding risk landscape—which refers to increasing risk across all domains of an organization presented by high velocity, AI-powered threats, information overload, and organizational silos—has shifted the way security professionals think about and prepare for potential risks. 

Over a series of three webinars, Dataminr sat down with C-level security leaders in energy, transportation, and financial services to discuss the real threats and opportunities in the expanding risk landscape. Here we explore the key takeaways.

Key Takeaway No. 1: Cross-domain risks are on the rise

Consider the realities of a modern-day airplane, cruise ship or energy grid. All are essentially giant data centers that allow for better customer and employee experiences, more accurate and personalized information, and safer industries—but also an increased surface area of and opportunities for attacks. 

“I hate to be ominous with it,” said David DeWalt, Founder of NightDragon. “We have this growing set of threats that are occurring, hundreds of different actors around the world that are gaining more and more capability and already have the motivation.” 

“There’s such a drive to enhance your IT capabilities to give you a competitive edge in whatever industry you’re in,” said David Komendat, former Chief Security Officer of Boeing Company. “What doesn’t keep up most of the time is the ability to protect that enhanced technology, to put the physical, logical pieces in place that protect that. And so you keep reaching out and enhancing your capabilities, but you’re also creating a larger and larger gap [for bad actors] to exploit.”

Watch Now: Cyber-physical Converged Threats and Trends in the Transportation Industry

Key Takeaway No. 2: Be aware of the risks for connected systems

Technology that is both cyber and physical can be a powerful tool for organizations, but how it’s used requires careful strategy. For example, one company has replaced security officers with robot dogs that are connected to synchronized drones. When the drones detect a potential issue, they alert the dogs who are then deployed to investigate.  

“All of that is a hundred percent on the Internet, a hundred percent network connected, a hundred percent cyber-vulnerable,” said Jason Witty, CSO of USAA. “You have to be very thoughtful about not only the business problem in physical security that could be solved by cyber means, but also the controls and what  we are willing to put out there.”

Another issue is when security teams are unaware of how many devices or machines are connected to the Internet. Typically, that means they aren’t properly secured. 

Sebastian Lehnherr, Global CIO of Schlumberger, pointed out the risks of not having a full understanding of all assets, “A lot of people still forget that they have a lot of things out there. Digital technology which may not have been digital technology, but went through an upgrade and now it’s all of a sudden connected with real physical control on the back of it.” 

Alternatively, there are assets with limited protection that hackers will specifically target because they are newly digitized. 

Craig Froelich, CISO at Bank of America, said, “If you’re a bad guy and you want to be able to extract some sort of pain or harm, you’re likely to go after the path of least resistance. Oftentimes it may be something that is a newer technology that doesn’t have the decades of information security controls wrapped around it.”

Watch Now: Cyber-physical Converged Threats and Trends in the Financial Services Industry

Key Takeaway No. 3: Break down the CISO/CSO silos

In the past, cyber attacks and physical attacks were (mostly) mutually exclusive. But the evolution and proliferation of connected technology, like Internet of Things (IoT) devices, requires security teams to rethink their strategies and approaches to communication and collaboration to ensure they’re prepped for any kind of attack.  

While there isn’t an “ideal” security organization structure, Komendat said the key is an intentional relationship between the chief security officer (CSO) and the chief information security officer (CISO), which means no surprises. If a security event is happening in the physical world, the CISO already knows and vice versa. Unfortunately, it’s not always that simple. 

“The CSO at times feels threatened by the CISO. Their funding is different. The visibility, especially in today’s world, is different,” said Komendat. “A lot of times, peer CSOs have a tendency to want to be insular a little bit and that is the absolute worst position a CSO could take. They really need to reach, build that bond and relationship with their counterpart because at the end of the day, the goals of both the CISO and the CSO are pretty similar: To protect the assets of a corporation.”

For Martin Strasburger, VP, CISO at Duke Energy, this means a fully combined Information technology and enterprise security team called Enterprise Technology & Security, which reports up to a leader who is both CIO and CSO. 

Elizabeth Hackenson, Global CIO of Schneider Electric, works closely with her organization’s  global CISO to determine what investments and resources are necessary to manage risks. Further, their respective teams work together across issues, so when a problem arises, they’re already prepared to work together seamlessly. 

Watch Now: Cyber-physical Converged Threats and Trends in the Energy Industry

And at Delta, as DeWalt noted, the CSO and CISO are in almost every one of the audit committee meetings and every one of the safety security meetings.

Regardless of the specific organizational setup, the experts all agreed it comes down to what’s most important: “Protecting business value, protecting the organization,” said Devon Bryan, Global CISO of Carnival Corporation. “That then drives the necessity and the intentionality in closely collaborating and working together.”

Bryan explained how this plays out in his organization, “We work very closely with our corporate security team, shoulder to shoulder, side by side as we triage physical and cyber threats against our global facilities.”

Key Takeaway No. 4: Extend the security conversation into the business

Security teams should ensure they are having ongoing and strategic conversations with senior leadership and prioritize doing so to secure the resources and skills necessary to protect the business.

Komendat said, “The challenge that a lot of corporations have today is there’s limited IT resource dollars in many cases and unlimited need within the company. As they’re making decisions on what they want to do, a lot of that investment goes towards, ‘Let’s enable our business. Let’s grow our business.’ The security costs that should go along with it sometimes are not maintained at the same levels.”

The best way to establish relationships and ensure true understanding is to involve leadership and other key parts of the business in actual training and scenarios. 

“Get them to really understand what a cyber attack or even a physical attack might look like. How might it play out? Hold exercises where, together, you tabletop out those kinds of scenarios and figure out whether you’d be ready to respond. You always learn some good lessons,” said Strasburger.

Those exercises can also help leadership understand that, at some point, these security investments will pay for themselves by reducing potential business disruptions that are the result of a cyber-physical attack—and helping to ensure the organization can continue to run at full capacity. 

Key Takeaway No. 5: Protect your systems and your business

All security team collaboration must be underwritten with solid technical solutions. 

“The basics still apply,” said USAA’s Witty. His list includes:

• Event detection
• Patch management
• Vulnerability management
• Asset management
• Log management 
• A good crisis management process

“Make sure the crisis management process is an all hazards process that takes into account cyber, physical, reputation—anything,” he added. 

Other companies, like Carnival, utilize the NIST Cybersecurity framework to prioritize assets, implement protections and report risks to audit and safety committees.  

What matters most when it comes to cross-domain risks is knowing about them as soon as they arise. These risks can have real and significant consequences that, if not mitigated early on, can spiral and create lasting knock-on effects to employees, customers, suppliers and entire industries. For security teams—both cyber and physical—this means detecting and responding to cross-domain risks, in as close to real time as possible, is mission critical.

Dataminr has a crucial role to play when it comes to the detection of such risks. Our AI platform provides real-time event, threat and risk intelligence on cross-domain threats and risks as soon as they arise, as well as updates in real time and as they evolve.

Additionally, Dataminr Intel Agents—our groundbreaking Agentic AI capability—extend Live Briefs for real-time event summaries by autonomously enriching alerts with critical intelligence. This gives security teams instant clarity on what’s happening, why it matters, and the right context to guide their response—without sifting through scattered sources or noise. Intel Agents are available in all of our products, including Dataminr Pulse for Cyber Risk and Dataminr Pulse for Corporate Security.

This article has been updated from the original, published on June 30, 2023, to reflect new events, conditions or research.