In a digital era, combining physical and cyber intelligence is key to overcoming modern security management challenges, according to a panel of industry experts.
“Change is the only constant, and the way to deal with that is by converging physical and cyber security, which have operated in separate silos in the past,” said Sarb Sembhi, certified information security manager (CISM) and CISO at Virtually Informed.
“To cope with the constant changes in the world around us, we need to bring physical and logical security together in a single security operations centre [SOC] to provide a single view,” he told attendees of the IFSEC International Conference in London.
One of the key drivers of the need for converged security, said Sembhi, is the fact that the base technology used for CCTV, heating, lighting, air-conditioning and fire alarm systems, for example, is essentially the same.
“The only thing that differs is the sensors used to feed into those systems, but the underlying technology is the same and it is typically full of vulnerabilities that make it easy to hack.”
Another driver for the need for physical and cyber security professionals to work together, said Sembhi, is the fact that hackers do not work in isolation and will seek to exploit vulnerabilities wherever they find them to achieve their aims, whether that is in the physical or cyber world.
“Once upon a time, there was a limited number of entry points for a single device, but now for every single device, there are multiple points that hackers can exploit to get in because there are so many different technologies and components involved,” he said.
“Each device has hardware, software and storage, and in each layer there are lots of things that can be attacked, before the product even leaves the manufacturer. After that, there are multiple points in the supply chain where vulnerabilities can be introduced that hackers can exploit.”
With the emergence of smart houses, smart buildings and smart cities, where a huge number of systems connect to each other and there are lots of points of attack, he said the security challenges are only going to expand.
“That is why having a converged SOC is so important, so that organisations are able to look at all of these vulnerabilities in a single place. Physical security is no longer about just physical products, hackers will work to exploit any vulnerabilities they can, and the only way an organisation is going to know they are being attacked is if they have a single view across all potential points of attack,” he added.
To help meet this need, Maurice Singleton, president of Vidsys, said his organisation is working with partners in the technology industry to bring various capabilities together in a single converged platform to enable monitoring, situational awareness, management, response and mitigation.
“This is achieved by bringing data from various disparate technologies, including billions of connected devices that form part of access control, video management, analytics, social media, facial recognition and other biometric systems into a single, common operating platform,” he said.
This approach, said Singleton, enables organisations to improve their overall security capability by filtering out the noise and mitigating potentially costly risks and threats.
“This single view enables organisations to respond in real-time to physical and cyber threats or intrusions across the enterprise – for example, raising an alert if a single employee identity is used to access a physical building at the same time as accessing corporate systems from a different location.
“It also provides metrics that can be used to make improvements such as fine-tuning procedures to measure their effectiveness,” he said.
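The identity-reuse alert Singleton describes can be written as a correlation rule over physical access and system login events. The following Python is an added illustration, not code from Vidsys or from the article; the field names, site labels, 30-minute window and identity-mapping scheme are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and site labels are assumptions.
BADGE_EVENTS = [  # physical access control system
    {"ts": "2024-05-01T09:02:00", "badge_holder": "ASmith", "site": "london-hq"},
    {"ts": "2024-05-01T09:05:00", "badge_holder": "BJones", "site": "london-hq"},
    {"ts": "2024-05-01T13:30:00", "badge_holder": "CPatel", "site": "leeds"},
]
LOGIN_EVENTS = [  # corporate system logins, source already resolved to a site label
    {"ts": "2024-05-01T09:10:00", "account": "asmith@example.com", "site": "manchester"},
    {"ts": "2024-05-01T09:12:00", "account": "bjones@example.com", "site": "london-hq"},
    {"ts": "2024-05-01T18:00:00", "account": "cpatel@example.com", "site": "remote-vpn"},
]

def identity(name):
    """Map badge holder names and login accounts to one key (assumed naming scheme)."""
    return name.split("@")[0].strip().lower()

def correlate(badge_events, login_events, window=timedelta(minutes=30)):
    """Alert when one identity is used at a building and, within `window`,
    on corporate systems from a different location."""
    badges = {}
    for b in badge_events:
        when = datetime.fromisoformat(b["ts"])
        badges.setdefault(identity(b["badge_holder"]), []).append((when, b["site"]))
    alerts = []
    for ev in login_events:
        who, when = identity(ev["account"]), datetime.fromisoformat(ev["ts"])
        for badge_time, badge_site in badges.get(who, []):
            # Same identity, close in time, but two different places.
            if abs(when - badge_time) <= window and badge_site != ev["site"]:
                alerts.append({"identity": who, "badge_site": badge_site,
                               "login_site": ev["site"],
                               "gap_seconds": int(abs(when - badge_time).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGIN_EVENTS):
        print(alert)
```

The rule only works once the badge system and the IT directory agree on who a person is, which is why the identity mapping sits in its own function; a login from the same site, or one that falls outside the window, raises nothing.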
Playing the role
Steven Kenny, industry liaison architecture and engineering at network camera maker Axis Communications, said it is important for physical security practitioners to understand that they have a role to play in cyber security.
“Raising awareness on this issue is part of our focus on supply chain and due diligence,” he said, which involves three layers of protection in the form of security management, vulnerability management, and education and collaboration.
Security management, said Kenny, is about making sure camera systems are secure by default by ensuring passwords are changed at installation, that strong passwords are used, that encryption is enabled, and that remote access is disabled.
“It is also about additional security features such as using trusted platform modules in the technology to reduce the opportunities for hackers to gain unauthorised access,” he said.
Vulnerability management, said Kenny, is about looking at the integrity of the system. “In the UK we have the Cyber Essentials scheme, which enables the business to evaluate how they protect themselves to protect their customers by building security into their systems, processes and technologies, and how they address and mitigate vulnerabilities that may emerge after deployment.”
There is an acknowledgement that physical and IT security have merged, said Kenny. “Education is important to upskill traditional physical security practitioners so that they are able to work within the IT domain, which includes not only classroom-based training, but also things like hardening guides to support people who are deploying systems.”
Bringing security teams together
Converged security, said David Humphrey, CTO of digital transformation firm Micro Focus, is about bringing various forms of security intelligence together, such as “human, open source and cyber intelligence combined with video and audio analytics”.
“While this is common and proven in national intelligence agencies and defence departments, it is only now emerging in the commercial arena, but we need to get out more widely to all SOCs so that they are able to make full use of the wide range of intelligence sources available.”
In the digital era, Humphrey said these sources include CCTV, mobile camera, social media, broadcast media, audio sensors, websites, email messages and chat sessions, in addition to traditional reports by security officers.
With the appropriate systems in place, he said organisations can combine these intelligence sources to predict, prevent and/or mitigate threats.
But despite the fact that physical security teams working in silos have no way of knowing if a CCTV system has been compromised by a hacker, for example, converged SOCs are still relatively rare, said James Willison, founder of converged security firm Unified Security.
“The need has never been greater than it is now with the proliferation of internet-connected devices [making up the internet of things (IoT)] because many of these devices have no security, and this is a big issue because most physical security systems now have one or more IoT components.”
Against this background, Willison said that the largest physical security association in the world, ASIS International, has launched its enterprise security risk management (ESRM) maturity model.
“ASIS is asking its 34,000 members to test their maturity on ESRM, which is about managing all security risks cross functionally – which means all departments within an organisation working together. But few organisations have converged security centres, and that is where we have got to get to,” he said.
Such maturity models are a key enabler of converged security, said Willison, with the lowest level requiring physical, cyber and other risk teams to work together on projects.
“The top level, level 5, requires all security risk mitigation activities to be performed by staff that report in a single organisation structure to a single security officer at the executive level, and all security risks to be managed in a single department,” he said.
In closing, Willison urged organisations to start building converged security centres by finding suppliers of physical security systems that demonstrate mature cyber security, and then bringing together physical and cyber teams and consultants.
“Next, they should find and use converged real-time monitoring systems and automated tools, taking care to pen test these before purchase, while at the same time building their converged security centres and training teams to deploy and use the tools for at least three months before going live,” he said.