GSX 2018 kicked off with its first full day devoted to education, featuring sessions on the most pressing priorities and issues for security management professionals.
Attendees had the opportunity to listen to experts share their personal experiences in security, lead deep dives and panels, and gain insights from keynote speaker Fareed Zakaria.
Read below about a few of the sessions that the GSX Daily team attended throughout the day.
A handful of power grid failures—from the 2017 Puerto Rico power crisis to the 2015 attack on Ukraine's power grid to the 1989 Quebec solar storm outage and even a solar storm in 1859—can teach us a lot about why and how a power grid can be breached, and what to prioritize when the lights go out.
AcquSight Managing Director David Winks discussed weaknesses in the electrical grid, emerging threats, and hardening tactics in Monday afternoon's "Preparing a Critical Infrastructure Enterprise for a Cyber-Electromagnetic Pulse Attack" session.
Electromagnetic pulses (EMPs) can be naturally occurring—through solar storms—or targeted. Manmade directed energy weapons can be carried in a briefcase or truck and direct energy at a specific target, rendering entire substations or data centers useless.
And high-altitude electromagnetic pulses (HEMPs)—which are caused by the detonation of nuclear devices—could destroy all equipment within a 1,000-mile radius.
Using the electromagnetic spectrum in a combined cyber-physical attack is an emerging threat, Winks said, noting that nation states will use all the weapons at their disposal.
"You'll see an escalating set of activities: a cyberattack then combined physical attack, which would lead to an EMP," Winks said. "It's a lot easier to use a missile if there's nothing to keep them out or shoot them down with."
If an EMP event does occur—whether naturally or by bad actors—Winks described the importance of prioritizing the hardening of other critical infrastructure.
"We want to avoid unplanned mass migration in cities," Winks said. "If there was an EMP event, you'd have 8 million people wanting to leave New York, and what if they had to leave the city on foot? How well will they be received on the other side? A nation-state could just launch this attack and sit back and watch you self-destruct in civil war."
The highest priority, he said, would be restoring water and sewer service. Even if people had no heat, they would be more likely to wait out the event in their homes if they had running water.
"That will give people hope that the rest can be fixed," he noted. Restoring power, telecommunications, hospital operations, banking and transaction clearing, and transportation—in that order—may reduce a mass exodus in the event of widespread power outage.
Secure facility design must account for both the foreseen and unforeseen to withstand disaster, according to speakers at the Monday session "Planning and Designing Facilities for Extreme Events."
Scott Tucker, principal and senior manager at Page Southerland Page, an architecture and engineering firm, explained that in the building industry, there are several threats that can be planned for.
"Floods, windstorms, tornadoes, and other disasters—most people think of them as unpredictable, but they do have a track record," he noted. "So those are addressed already…in building codes and by standards and best practices."
He noted it's the "black swan" events—a term coined by author Nassim Nicholas Taleb in a best-selling book to refer to unforeseen but history-altering incidents—that are harder to account for. Examples are 9/11 and the unprecedented flooding during Houston's Hurricane Harvey in 2017.
"Instead of getting busy thinking about why a severe event happened, let's spend our time and resources addressing the cause," Tucker said.
What are some challenges that a company may face when it's trying to keep its entire workforce safe during a crisis?
In the education session "Managing a Global Workforce in a Crisis," Tim Crockett, vice president of security for HX Global, and John Coovert, global head of personnel protection for SAP, ran through the myriad of factors that come into play when a crisis occurs and a company wants to keep its global workforce safe.
Most companies are serious about their duty of care responsibilities, which call for organizations to make a serious effort to keep employees safe when a crisis hits. This means all employees, including those that work at home or remotely, Coovert said.
Four tasks are usually key in managing such a crisis: companies must know where all employees are located, must determine if any employees are in the vicinity of the incident, must communicate with them, and must assess their safety needs.
But there are day-to-day issues that can make these four factors challenging to fulfill.
For example, even companies with a dedicated travel office that makes travel arrangements for staff may find that some employees decide to book flights and hotels themselves.
"They want to earn their miles and their points," Coovert said. When that happens, the details of the employees' travel times and locations may not be recorded by management.
In addition, sometimes when a crisis occurs, company leaders will find that the human resources department does not give out a lot of personal information on employees, for privacy reasons.
Coovert cited a situation he was involved in when the HR department would give out the email addresses of employees, but not cell phone numbers.
Crisis managers must ask themselves, "Are you truly compiling all the data that you need? And do you have access to it?" Coovert said.
Sometimes, an employee will finish a business trip and then take a few days of vacation to explore the area that he or she has traveled to. If an incident occurs when the employee is on vacation, some companies feel that the vacationing worker is not their responsibility.
But that's a risky stance for the company to take, Coovert said, as it could get out by word-of-mouth that the firm is not good at protecting employees, and that can mean brand and reputational damage for the company.
From public surveillance networks to self-driving cars, cities are becoming smarter—but that doesn't necessarily make them safer, according to speakers at the Monday session "Smart Cities/Safe Cities: 2020 and Beyond."
To ensure communities are secure while providing more efficiency, practitioners should focus on privacy, transparency, and using data to its fullest advantage.
A cornerstone for smart cities will be implementing faster, more reliable networks, said Steve Surfaro, vice chair of the ASIS International Security Applied Sciences Ad Hoc Council. Houston, Texas, for example, recently became one of the first cities to implement 5G Internet access, which is 10 times faster than the 4G network.
Another city breaking ground with smart technologies is Las Vegas, Nevada, home to GSX 2018. Its downtown Innovation District is equipped with LiDAR (light detection and ranging) technology for roadway intelligence to improve the experience for pedestrians, bikers, and drivers.
"If the sensors detect someone is stuck at a crosswalk at a Las Vegas boulevard, all the lights will turn red and allow them to pass," Surfaro explained.
With so much data being collected and analyzed to help smart cities operate, speakers cautioned that the privacy of citizens should be treated with the utmost care.
"You want to know who's going to be able to use that data, when are they going to be able to use it, where, why, and how," said Don Zoufal, CPP, of CrowZnest Consulting, Inc., and chair of the Security Applied Sciences Ad Hoc Council. "All those questions should really be answered with regard to the data you're keeping."