DEC 08, 2021
Why should you merge physical security and cybersecurity?
SEP 05, 2021
The virtual world is merging with our physical world in thousands of new ways every year. This reality plays out in far more ways than popular fantasy games or the billions of social media users that are growing in number all the time.
From more shopping online to an explosion of virtual meetings during the global pandemic to the dependence on online apps for driving directions, most Americans rely on their smartphones for everyday life much more than a decade ago.
Indeed, back in 2016 the case was made that digital leaders merge the physical and the virtual. Here are six business reasons why (with details in the referenced article):
Which leads to this question: Why do most public- and private-sector organizations still maintain separate security organizations for their physical and cybersecurity functions?
The concept of bringing together physical and cybersecurity is far from new — and goes back decades. Back in 2005, Derek Slater introduced me to the concept in this excellent CSO Magazine article:
“Sanders defines convergence as the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there's always some duplication in a stove-piped security organization (in overhead and programs, for example), it's more cost-effective to manage an integrated one. Not only that, duplication can lead to unproductive turf battles among security groups for resources, he adds...
“Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top.
“When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.”
In 2011, when I moved from being Michigan’s enterprise CTO to a new role as enterprise CSO, we merged physical and cybersecurity in state government with the goal of critical infrastructure protection. Our goals were:
In an interview with Eric Chabrow at that time for BankInfoSecurity.com, I said: “There are a variety of functions that our physical security organization provides, everything from issuing a badge, using that for parking, entering buildings, [and with] that ID we're talking more and more about digital identification and how we can bring those discussions around proximity readers. How can we use that thing you have — that identification, that picture of you — as a digital ID as well. Bringing that together from an identity management perspective is one area we see some synergy.
“Working together on projects like cameras, we have digital pictures being sent across our networks. We have information traversing our networks that has ... historically been air-gapped. Just as we have the phone system merging together with computer systems and voice-over IT and more and more technology, you have more and more different functions that ride our networks over IT. There's a wide variety of ways that we can work together.
“Another example would be how the two organizations will provide security to the enterprise and to different buildings using a combination of technology and physical security, like guards and different protective measures typically used in securing buildings and sites. We believe that working as one team, we can be more cohesive in our mission. I also think that a holistic look at how we work together in all of our IT functions and all of our physical security functions is going to be important as we integrate more and more functions of our department, our technology management and budget function, within Michigan State government.”
In 2018, Congress formed the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. CISA is the nation’s risk adviser, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future.
This excellent CSA report from 2019 lays out some of the benefits of cybersecurity and physical security convergence:
“Convergence is formal collaboration between previously disjointed security functions. Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate, and respond to threats. Convergence also encourages information sharing and developing unified security policies across security divisions.
“An integrated threat management strategy reflects in-depth understanding of the cascading impacts to interconnected cyber-physical infrastructure. As rapidly evolving technology increasingly links physical and cyber assets—spanning sectors from energy and transportation to agriculture and healthcare—the benefits of converged security functions outweigh the challenges of organizational change efforts and enable a flexible, sustainable strategy anchored by shared security practices and goals.”
Many private-sector organizations also see the value in convergence. This article on buildings.com from 2019 makes the case of “Why It’s Time to Converge Physical Security and Cybersecurity”:
“Internet of Things (IoT)-enabled HVAC systems are more energy efficient, reliable and user-friendly for your occupants. But because of those cloud-enabled features, they’re also a target for hacking into.
“Since it’s likely less protected, attackers might use any vulnerabilities in your HVAC system’s network to infiltrate your building’s larger network, therefore potentially affecting or disrupting physical operations. This hypothetical situation demonstrates how physical security and cybersecurity can overlap.”
One more: An article from Dataminr says “The SOC of the Future Is Converged”:
“When speaking to clients about their security operations centers (SOCs), one word inevitably makes its way into the conversation: convergence. They want to know if they should merge their security operations — typically that of cyber and physical — so that they live under a single, unified security function.
“I’m always eager to have such conversations because the SOC of the future is converged. Organizations with best-in-class SOCs have already gone down the path of integration. And now many security and risk leaders find themselves having to respond to the call for convergence — one that has become louder due to risks exposed by the COVID-19 pandemic and the adoption of Internet of Things (IoT) devices.
“While these leaders have made ad-hoc adjustments to recalibrate to the new normal, the underlying issue remains: How to better identify, mitigate and respond to risks across multiple security operations when the surface area of those risks is larger and continuously expanding.
“Converged SOCs can absolutely solve these challenges, but to do so successfully requires an integration strategy that takes into account three key areas: people, process, and technology. Below, I explore what this means for those building SOCs of the future, including best practices for security and risk leaders to adopt.”
Most of the negative responses that I hear from state and local government leaders regarding security convergence come from governance concerns (these functions sit in different agencies or funding pools), staffing concerns (we don’t have the capability or knowledge to make this work), or both.
Nevertheless, there is a growing gap in governments’ ability to staff cyber teams. Given the pressure to do more with fewer staff, my argument is that bringing the two functions together lets you reduce risk, provide a better and more repeatable service, and do so at lower cost.
One lesson from the Colonial Pipeline and JBS ransomware attacks, and from other attacks on critical infrastructure, should be how closely cyber attacks and the protection of physical critical infrastructure are linked. So why do we still manage these risks in silos?