The convergence of physical security and cybersecurity
The recent events in the Middle East, where pagers and walkie-talkies were modified to explode on a remote signal, brought to mind an evolution I have long believed needs to happen in critical infrastructure industries - a convergence of cybersecurity and physical security.
Last week’s Cyber Tuesday discussed the partnership between cybersecurity and privacy for data protection and governance. Physical security has a different field of focus, but like privacy, also has overlaps and synergies with cyber.
In their simplest forms, you could say cybersecurity safeguards data and systems and physical security protects people and facilities. In many manufacturing, healthcare, oil and gas, and other critical infrastructure industries these areas converge. Whether it is infusion pumps in a hospital, robots on the assembly line in a manufacturing plant, autonomous vehicles, or controllers for a natural gas pipeline, mechanical systems that were once protected by physical security are now networked and accessible to cyber attacks. Add IoT and OT systems to that list. A convergence of cyber and physical security creates a holistic approach to protecting these assets.
Can these systems be protected by physical and cyber security teams in separate parts of the organization? Yes. Is that the most effective and efficient way? I say no.
We brought the two areas together in my last role, and I evolved from CISO to CSO. Each team kept its own identity but worked side-by-side in the same organization. There were some areas of difference - times when it felt we were not speaking the same language, the background of the professionals in each area, and the types of incidents demanding response. However, we also found synergies:
· Physical and cyber security follow a common cycle – identify your critical assets, assess threats, identify vulnerabilities, establish policies, implement controls, assess performance, address gaps, and then rinse/repeat.
· There were areas of opportunity for working together – access control, user awareness, security assessments, incident response, investigations, threat intelligence, emergency preparedness, policies, executive protection, third party risk, and collaboration with law enforcement.
· The physical security team brought feet on the ground and detailed knowledge of operations in our facilities, and the cyber team brought better management of technology such as cameras and access controls, more senior level visibility, and resources to raise the physical security game in policies, assessments, communications, and awareness training.
· Our leaders appreciated having a single source of reporting and a single point of contact, and the efficiencies of sharing resources for project management, communications, risk management, reporting, and budget.
The alignment is still a work in progress, and while a better model might still be found, both sides and the company benefited.
One day our cybersecurity SOC detected a rogue device attached to a port in one of our hospitals. They reached over to the physical security team, who brought up security camera video of two individuals with backpacks going into an empty training room – the location where the rogue device was detected. They reached out to the local security officers, and the intruders were caught red-handed. It turned out to be an unannounced penetration test by our Internal Audit group, but it showed us the value of working together closely.
To achieve effective convergence, security leaders should bridge the disconnect between physical and cyber security teams through collaboration and training to build better understanding of each other's domains. The teams can work together on a holistic picture of organizational risk and on embedding physical and cybersecurity into the design of new systems, technologies, and facilities (a broader definition of secure by design).
Many cybersecurity leaders have told me their hands are already full without taking on a new domain of security. It is not an easy addition to one’s plate. However, as mechanical and virtual systems converge, threats will target all aspects of critical infrastructures. The capability of physical and cybersecurity to collaborate is not just a matter of protecting information but also safeguarding lives. Does a convergence make sense to your organization?
Hold Fast and Stay True