Securing physical security
Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments and there is a greater need for cybersecurity awareness as interconnectivity increases.
Physical security is now intersecting with cybersecurity in information technology (IT) and operational technology (OT) environments. The opportunities for physical security system manufacturers, integrators and end users to improve the cyber posture of their assets are growing.
The inaugural Connected Security Conference and Exposition was recently held in conjunction with ISC West, the largest physical security show in North America, with over 30,000 security professionals in attendance. ISC West integrated the Connected Security Conference as a key topic to the industry, as with the continued growth of networked physical and information security technologies, the risk of cyber attack also grows.
For the physical security industry, this was a great opportunity to learn about the cyber impacts of further integration into the Internet of Things (IoT), and how physical security connects with OT assets. The expo's core theme was 'Bridging the Gap between Cyber and Physical Security,' which refers to the convergence of cyber and physical environments. ISC West presented a platform to educate the physical security audience about the emerging cybersecurity landscape in OT environments that have significant links to physical security systems.
During the event, there was much dialogue among key stakeholders resonating a key concept: as the world becomes more connected, the distinction between digital and physical worlds is diminished, and the risks associated with connectivity have accelerated the need for new cybersecurity protections. The physical security industry is beginning to understand the risks associated with integrating more connected devices to the IoT and the increasing need for integrating cybersecurity into their solutions.
Physical, cybersecurity education
In my keynote at the event, I mentioned educating professionals in the physical security industry about cybersecurity best practices is a key element to ensuring they contribute positively to the overall security posture of the organization they protect. With the introduction of the Connected Security Expo at ISC West, security professionals are starting to take the necessary steps toward building awareness and understanding the implications, complications and best practices for designing, deploying, and maintaining secure systems. While this topic may be new to many in the physical security business, cybersecurity has been an executive issue for critical industries, such as energy, utilities and finance; in the OT world, an attack may result in downtime, which could lead to safety risks and financial losses.
Without adequate cyber protection to connected physical security systems protecting critical infrastructure, OT environments may end up exposed and vulnerable; every single connection and connected device is an entry point, an opportunity for a breach. As physical security practitioners remain concerned with maintaining control and protection of their assets, it is vital for them to understand the cyber-security threats that can arise with the increased implementation of connected physical security devices into their systems.
In the future it is possible physical security assessments will consider the cybersecurity posture of an asset, and likewise, OT cybersecurity assessments will consider connected physical security devices in a comprehensive risk assessment.
One case in point is deploying IP cameras with default passwords or with a lack of proper network segmentation could serve as viable entry points into a network, thus increasing risk of attack. This is a common practice, as installers may not be aware of the cybersecurity consequences, although it illustrates a paradox—the IP surveillance camera itself serves as a simple and unsecured entry point into network. Instances such as this should inspire a dialogue in the physical security industry regarding the need to undertake installation best practices in order to avoid allowing opportunities for intrusion through the security system itself. When more devices connect to networks and the IoT, it is crucial for everybody—from operators to executives—to understand that every single connected device will dictate the security of the network.
Frank Marcus, Wurldtech's director of technology, conducted a live demonstration for stakeholders at the Connected Security expo, featuring several scenarios where a breach on a physical security system could create an opportunity for an attack on an OT system. During the demonstration, he discussed the complexities of OT network activity and the need for complete visibility in order to fully understand the health of the system, and any abnormalities in behavior associated with indicators of compromise. Educating operators about cybersecurity should be a top priority, he said, as visibility of all network activity and accounting for all technology in the system is crucial to understanding it's overall cyber posture.
Marcus sees significant opportunities for the physical security industry to understand the cybersecurity risks facing their technologies.
"ISC West brought together many physical security key stakeholders, collectively driving their respective information revolution," Marcus said. "Such educational efforts affect the recognition that cyber physical systems are pervasive. It is becoming more evident that there is no separation of digital and physical and every system will evolve to treat cyber-physical interfaces as an integral part of an organization's information infrastructure and application domain instead of an orphaned network managed by someone else."
The event included more than 20 conference sessions and a pavilion of cybersecurity exhibitors within the larger ISC West conference. Ed Several, general manager of ISC West, has seen an increased focus on the critical issues arising within enterprise security for the physical security industry, and expects a greater number of sessions and exhibitors for connected security at future ISC West conferences.
As a result of attending, we have learned that there is a great opportunity in the physical security industry to educate end users and the channel to understand their roles in protecting critical infrastructure. By educating themselves on where system vulnerabilities can be discovered and the potential associated risks with entry points, such as IoT-connected devices, the industry will gain a better understanding of how to protect their systems. At ISC West, there is an opportunity in educating this industry of cybersecurity risks, evidenced by discussions with the top security media covering the event, to whom OT cybersecurity was a novel topic.
The physical security community is undergoing a transformational shift, realizing that as connected devices become more integrated into site operation, the risk of cyber-threat on the asset increases. By educating physical security experts to understand the key importance of 'closing the gap' between physical and OT cybersecurity will help them in implementing a more comprehensive cybersecurity strategy.
The OT industry can help them better achieve their security goals by advising them, working with them and providing them with services that protect their critical infrastructure from harm.
All journeys start with a beginning. The physical security industry has taken its first steps toward cybersecurity preparedness with education and awareness, and with that understanding they can integrate and utilize cyber secure systems. As the worlds of cyber and physical merge, every organization focused on security should have a comprehensive understanding of the threats facing the overall network. After all, it takes a community to secure the world.
Nate Kube founded Wurldtech Security Technologies in 2006 and, as the company's chief technology officer, is responsible for strategic alliances, technology, and thought leadership. This content originally appeared on ISSSource. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, firstname.lastname@example.org.
- See additional stories from Kube and from ISSSource linked below.