Securing Physical Security
Wednesday, April 27, 2016 @ 11:04 AM gHale
By Nate Kube
As we mentioned last month, physical security is now intersecting with cyber security in IT and OT environments and the opportunities for physical security system manufacturers, integrators and end users to improve the cyber posture of their assets.
Since then, I attended the inaugural Connected Security Conference and Exposition held in conjunction with ISC West, the largest physical security show in North America, with over 30,000 security professionals in attendance. ISC West integrated the Connected Security Conference as a key topic to the industry, as with the continued growth of networked physical and information security technologies, the risk of cyber attack also grows.
For the physical security industry, this was a great opportunity to learn about the cyber impacts of further integration into the Internet of Things (IoT), and how physical security connects with operational technology (OT) assets.
The Connected Security expo’s core theme was ‘Bridging the Gap between Cyber and Physical Security,’ referring to the convergence of cyber and physical environments. ISC West presented a platform to educate the physical security audience about the emerging cyber security landscape in OT environments that have significant links to physical security systems.
During the event there was much dialogue among key stakeholders resonating a key concept; that as the world becomes more connected, the distinction between digital and physical worlds is diminished, and the risks associated with connectivity have accelerated the need for new cyber security protections. The physical security industry is beginning to understand the risks associated with integrating more connected devices to the IoT and the increasing need for integrating cyber security into their solutions.
Physical, Cyber Security Education
In my keynote, I mentioned educating professionals in the physical security industry about cyber security best practices is a key element to ensuring they contribute positively to the overall security posture of the organization they protect. With the introduction of the Connected Security Expo at ISC West, security professionals are starting to take the necessary steps toward building awareness and understanding the implications, complications and best practices for designing, deploying, and maintaining secure systems. While this topic may be new to many in the physical security business, cyber security has been an executive issue for critical industries, such as energy, utilities and finance; in the OT world, an attack may result in downtime, which could lead to safety risks and financial losses.
Without adequate cyber protection to connected physical security systems protecting critical infrastructure, OT environments may end up exposed and vulnerable; every single connection and connected device is an entry point, an opportunity for a breach. As physical security practitioners remain concerned with maintaining control and protection of their assets, it is vital for them to understand the cyber-security threats that can arise with the increased implementation of connected physical security devices into their systems.
In the future it is possible physical security assessments will consider the cyber security posture of an asset, and likewise, OT cyber security assessments will consider connected physical security devices in a comprehensive risk assessment.
One case in point is deploying IP cameras with default passwords or with a lack of proper network segmentation could serve as viable entry points into a network, thus increasing risk of attack. This is a common practice, as installers may not be aware of the cyber security consequences, although it illustrates a paradox — the IP surveillance camera itself serves as a simple and unsecured entry point into network. Instances such as this should inspire a dialogue in the physical security industry regarding the need to undertake installation best practices in order to avoid allowing opportunities for intrusion through the security system itself. When more devices connect to networks and the IoT, it is crucial for everybody — from operators to executives — to understand that every single connected device will dictate the security of the network.
Frank Marcus, Wurldtech’s director of technology, conducted a live demonstration for stakeholders at the Connected Security expo, featuring several scenarios where a breach on a physical security system could create an opportunity for an attack on an OT system. During the demonstration, he discussed the complexities of OT network activity and the need for complete visibility in order to fully understand the health of the system, and any abnormalities in behavior associated with indicators of compromise. Educating operators about cyber security should be a top priority, he said, as visibility of all network activity and accounting for all technology in the system is crucial to understanding it’s overall cyber posture.
Marcus sees significant opportunities for the physical security industry to understand the cyber security risks facing their technologies.
“ISC West brought together many physical security key stakeholders, collectively driving their respective information revolution,” said Marcus. “Such educational efforts affect the recognition that cyber physical systems are pervasive. It is becoming more evident that there is no separation of digital and physical and every system will evolve to treat cyber-physical interfaces as an integral part of an organization’s information infrastructure and application domain instead of an orphaned network managed by someone else.”
Ed Several, general manager of ISC West, affirmed the Connected Security Expo is a much-needed addition to the ISC portfolio. The event included more than 20 conference sessions and a pavilion of cyber security exhibitors within the larger ISC West conference. Several has seen an increased focus on the critical issues arising within enterprise security for the physical security industry, and expects a greater number of sessions and exhibitors for connected security at future ISC West conferences.
As a result of attending, we have learned that there is a great opportunity in the physical security industry to educate end users and the channel to understand their roles in protecting critical infrastructure (OT). By educating themselves on where system vulnerabilities can be discovered and the potential associated risks with entry points, such as IoT connected devices, the industry will gain a better understanding of how to protect their systems. At ISC West, we saw an opportunity in educating this industry of cyber security risks, evidenced by discussions with the top security media covering the event, to whom OT cyber security was a novel topic. It is rewarding to have inspired a budding dialogue on industrial and IoT cyber security, which will certainly become a key issue within the physical security industry.
The physical security community is undergoing a transformational shift, realizing that as connected devices become more integrated into site operation, the risk of cyber-threat on the asset increases. By educating physical security experts to understand the key importance of ‘closing the gap’ between physical and OT cyber security will help them in implementing a more comprehensive cyber security strategy.
The OT industry can help them better achieve their security goals by advising them, working with them and providing them with services that protect their critical infrastructure from harm.
All journeys start with a beginning; the physical security industry has taken its first steps toward cyber security preparedness with education and awareness, and with that understanding they can integrate and utilize cyber secure systems. As the worlds of cyber and physical merge, every organization focused on security should have a comprehensive understanding of the threats facing the overall network. After all, it takes a community to secure the world.