Last week pro-Trump rioters occupied portions of the U.S. Capitol building. This is a real issue for cyber defense: once there is known or presumed loss of physical security for systems, you can no longer assume the same level of trust for those devices.
This scenario is similar to supply chain attack scenarios (like SolarWinds) in many ways. As with supply chain attacks, the risks may include insertion of counterfeits, unauthorized tampering, theft, and insertion of malicious software and hardware. Since such a widespread physical security breach was probably not planned for, there probably aren’t contingency plans for mitigating the risks associated with it. With so many more “realistic” threats that needed to be handled, I am betting no one got around to these more esoteric threats, whatever their level of risk. Since we are seeing more and more unexpected attack vectors (like the physical attack on the Capitol, or the SolarWinds supply chain attack) that aren’t covered by standard cyber operating procedures, there needs to be a way to cover these as well as the more mundane threats caused by known vulnerabilities.
The way to address these “unexpected” threats (especially the known-unknowns) is to start taking a broader view of threats and prioritizing them using risk metrics. Risk-based cyber programs need to account for known-knowns (e.g. vulnerabilities), known-unknowns (e.g. supply chain attacks, physical breaches) and even unknown-unknowns. This means thinking about cyber security in terms of graphs that automate the discovery, analysis and prioritization of potential and emergent threats (e.g. attack scenarios and threat scenarios), not lists of threats and vulnerabilities. Had this been done before the Capitol breach, the blast radius of possibly compromised devices would have been known, and there would have been a contingency plan for handling it.
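To make the “graph, not list” idea concrete, here is an added example (not code from the post): a constructed asset graph in which each device sits in a room and a directed trust edge records how a compromise of one device gives a foothold on another. The functions compute the blast radius of a set of physically breached rooms and rank the affected devices by a criticality score; every device name, edge and score is a made-up assumption.

```python
from collections import deque

# Constructed sample asset graph (an assumption for this example, not data
# from the post). Each device maps to its room; a trust edge (a -> b) means a
# compromise of a gives a foothold on b (shared segment, cached admin creds).
DEVICES = {
    "ws-office-101": "office-101",
    "printer-101": "office-101",
    "ws-office-102": "office-102",
    "switch-floor-1": "wiring-closet-1",
    "file-server": "datacenter",
    "domain-controller": "datacenter",
}
TRUST_EDGES = [
    ("ws-office-101", "switch-floor-1"),
    ("ws-office-102", "switch-floor-1"),
    ("switch-floor-1", "file-server"),
    ("ws-office-101", "domain-controller"),  # cached domain-admin credentials
]
# Business criticality used as the risk metric for prioritisation (1-10).
CRITICALITY = {
    "ws-office-101": 3, "printer-101": 1, "ws-office-102": 3,
    "switch-floor-1": 6, "file-server": 8, "domain-controller": 10,
}

def blast_radius(devices, edges, breached_locations):
    """Return (direct, transitive): devices whose physical security was lost,
    and devices reachable from them over trust edges (BFS over the graph)."""
    direct = {d for d, room in devices.items() if room in breached_locations}
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = set(direct), deque(direct)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return direct, seen - direct

def prioritize(devices, edges, breached_locations, criticality):
    """Rank affected devices: directly exposed first, then by criticality."""
    direct, transitive = blast_radius(devices, edges, breached_locations)
    ranked = [(d, "direct", criticality[d]) for d in direct]
    ranked += [(d, "transitive", criticality[d]) for d in transitive]
    return sorted(ranked, key=lambda r: (r[1] != "direct", -r[2], r[0]))
```

Running `prioritize(DEVICES, TRUST_EDGES, {"office-101"}, CRITICALITY)` shows that a breach of a single office room puts the domain controller in scope through cached credentials, which is exactly the kind of contingency a list of vulnerabilities would never surface.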