Convergence of physical and cyber security


The concept of security convergence, where physical and cyber security issues overlap, has been around for more than a decade. But it has only been in the last few years that the IP-enablement of everyday business functions has forced companies to come to terms with the fact that physical and cyber security must be treated in a unified manner.

The IP-enablement of “physical” devices such as heating/ventilation/air conditioning (HVAC), lights (in the office and in parking lots and garages), video surveillance, identification cards providing access to a building and even soda and snack machines has improved business efficiency and lowered operating costs. At the same time, however, it has opened up an entirely new set of entry points for attackers trying to reach a company’s network to steal vital business or customer information, or to disrupt corporate operations: a building controller or badge reader sitting on the corporate network is as much a network host as any server.

To date, talk has focused on improving cyber security technology and processes as a response to hacking and security breaches. There has been scant attention paid, however, to the bigger picture: Companies must take a unified approach to both physical and cyber security. Companies have devoted a lot of resources to unify cyber and physical operations via their network, but have fallen short in the critical next step of unifying their response to deal with the physical and cyber implications in the event that the network experiences some type of disruption.

Many companies have one staff that oversees the physical operations of a facility, such as premises security, credentials for personnel, and maintenance of HVAC and fire alarm systems, and a separate staff for the IT operations and security of the company’s computer network – despite the many instances where the network causes the functions of both operations to overlap. In the worst case, these departments and their personnel don’t communicate on a regular basis.

While personnel should remain dedicated to their specific functions, today’s era of convergence calls for a single point of contact to facilitate communication between the two staffs, especially because the stages for addressing physical and cyber security incidents follow very similar processes: detection and alert; containment; remediation; conclusion; and assessment. Physical threats now have an impact on IT (cyber) operations, and cyber threats have an impact on physical operations. Treating cyber and physical threats separately – particularly in terms of response – therefore creates unnecessary confusion, delays and inefficiencies when a crisis hits.

To create the unified approach needed to accommodate the trend of convergence, large enterprises should look to the example of a handful of visionary organizations that have established global security operations centers (GSOC), where there is one central point of coordination for responding to interruptions in business operations caused by physical or cyber issues.

A key enabling element for a unified response is the deployment of a next generation crisis communication network to alert the appropriate personnel and facilitate information sharing on a mass scale or on a targeted basis. The technology of today’s IP-enabled communications network allows for two-way communications with impacted personnel and emergency response teams. If a smoke alarm has gone off in a server room, responders can transmit pictures or videos back to the GSOC indicating whether it is simply an overheated device or an actual fire, which will determine whether the room needs to be shut down, possibly impacting cyber operations.

The companies using GSOCs today take advantage of a number of different delivery models for their alerting communications network. Some choose to use only on-site alerting systems, where all of the data and all of the functions operate on the company’s network. Some companies choose to operate their communications completely off-site via cloud-based or hosted systems. Others use a hybrid approach, so that they can keep sensitive data, such as personally identifiable information, on-site while choosing to have the function of the alerting process hosted off-site via the cloud in case their own internal networks are impaired or have been shut down to remediate the effects of a cyber attack.

An example of a company needing a unified response to a crisis, coordinated by a GSOC using an interactive crisis communications network, might be a case where a cross-site scripting vulnerability has been exploited and online customer support functions have been disrupted. Such a scenario might involve a number of business units, such as representatives from the C-suite, IT personnel, customer support, public relations, legal, product managers, and maybe even law enforcement. The response process can be impaired simply because these business units are unfamiliar with one another and rarely work together.

The scenario presents a number of crucial questions that have to be answered:

  • Who needs to be notified and brought together as a team?
  • Who is going to contact the team and assemble the team in an organized communications process?
  • Who is in charge of addressing the situation and managing the response process?

The situation is complicated by the fact that many companies still rely on the antiquated model of distributing crisis response handbooks in hard or soft copy form and hoping the right personnel are trained to use the handbook and follow the correct process for a given scenario. This assumes they have followed procedure, have the handbook on hand, and can reach it when the crisis strikes.

Having a single point of coordination like a GSOC would put the company in a much stronger and more stable position to respond to a crisis. It would be the GSOC’s responsibility to maintain an updated list of personnel and contact information for representatives from the different business units. The GSOC would also be responsible for deploying the alerting function, making sure the right combination of people is contacted to respond to the crisis, and keeping them communicating effectively as a group. Most importantly, the GSOC would be responsible for monitoring the status of the company’s operational functions throughout the process and identifying which devices and processes – physical and cyber – might be impacted by the crisis.

The use of GSOCs and mass notification systems is one of the ways companies are dealing with the challenges posed by the convergence of security today. Another use case is integrating cyber monitors with the alert notification function: a breach or cyber attack is captured by multiple monitors, and the notification system automatically activates to alert security responders over out-of-band communications. The practical test of such a design is whether the alerting path survives the loss of the corporate network. If the network has to be shut down, an organized response can still take place and information can still be exchanged between responders to address the situation, but only if the alerting channels do not themselves depend on the network being shut down.
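The routing logic described above, as an added example written for this page rather than code from the article or from any GSOC product: events from a cyber monitor and a physical monitor arrive in one router, a playbook picks the business-unit roles for that scenario, the on-site roster resolves each role to a contact, and the router chooses an out-of-band channel whenever the corporate network is down or is about to be shut down for remediation. The event envelope, the playbook, the roster and the sample events are all constructed assumptions; it also handles the failure mode where a role has no out-of-band channel by escalating to the GSOC duty officer.

```python
"""Cross-domain alert router for a GSOC-style unified response.

Added illustration (not the article's own code). The JSON event envelope,
PLAYBOOK, ROSTER and SAMPLE_EVENTS are assumptions made for this example.
"""
import json
from dataclasses import dataclass

# Constructed sample events: one from a cyber monitor (WAF) and two from
# physical monitors (fire panel, HVAC), all in the assumed envelope.
SAMPLE_EVENTS = [
    '{"monitor":"waf","domain":"cyber","severity":"high",'
    '"type":"xss_exploited","asset":"support-portal"}',
    '{"monitor":"fire-panel","domain":"physical","severity":"critical",'
    '"type":"smoke_alarm","asset":"server-room-2"}',
    '{"monitor":"hvac","domain":"physical","severity":"low",'
    '"type":"temp_drift","asset":"server-room-2"}',
]

# Hypothetical playbook: which roles each scenario type pulls into the
# response. Unknown scenario types fall back to the GSOC duty officer.
PLAYBOOK = {
    "xss_exploited": ["it_security", "customer_support", "legal", "pr", "exec"],
    "smoke_alarm": ["facilities", "it_operations", "exec"],
    "temp_drift": ["facilities"],
}
DUTY_ROLE = "gsoc_duty"


@dataclass
class Channel:
    kind: str       # "email", "pager", "sms"
    address: str
    in_band: bool   # True if delivery depends on the corporate network


@dataclass
class Contact:
    role: str
    name: str
    channels: list  # preferred channel first


# Roster kept on-site by the GSOC (contact details never leave this store).
ROSTER = [
    Contact("it_security", "A. Analyst",
            [Channel("email", "soc@corp.example", True), Channel("sms", "+15550100", False)]),
    Contact("it_operations", "B. Ops",
            [Channel("email", "ops@corp.example", True), Channel("pager", "ops-pager-1", False)]),
    Contact("facilities", "C. Facilities", [Channel("sms", "+15550101", False)]),
    Contact("customer_support", "D. Support",
            [Channel("email", "support@corp.example", True), Channel("sms", "+15550102", False)]),
    Contact("legal", "E. Counsel", [Channel("email", "legal@corp.example", True)]),  # in-band only
    Contact("pr", "F. Comms",
            [Channel("email", "pr@corp.example", True), Channel("sms", "+15550103", False)]),
    Contact("exec", "G. CISO",
            [Channel("sms", "+15550104", False), Channel("email", "ciso@corp.example", True)]),
    Contact(DUTY_ROLE, "H. Duty Officer", [Channel("pager", "gsoc-pager", False)]),
]

REQUIRED = ("monitor", "domain", "severity", "type", "asset")


def parse_event(line):
    """Parse one monitor event; reject envelopes missing required fields."""
    event = json.loads(line)
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"event missing fields: {missing}")
    return event


def responders_for(event):
    """Roles the playbook names for this scenario type."""
    return list(PLAYBOOK.get(event["type"], [DUTY_ROLE]))


def pick_channel(contact, network_up):
    """First preferred channel that is usable; in-band ones need the network."""
    for ch in contact.channels:
        if network_up or not ch.in_band:
            return ch
    return None


def route(raw_line, roster=ROSTER, network_up=True):
    """Resolve an event to concrete deliveries, escalating unreachable roles."""
    event = parse_event(raw_line)
    roles = responders_for(event)
    by_role = {c.role: c for c in roster}
    deliveries, unreachable = [], []
    for role in roles:
        contact = by_role.get(role)
        ch = pick_channel(contact, network_up) if contact else None
        if ch is None:
            unreachable.append(role)
        else:
            deliveries.append((role, ch.kind, ch.address))
    # Failure mode: someone the playbook needs cannot be reached on the
    # channels available, so the duty officer is paged to chase them.
    if unreachable and DUTY_ROLE not in roles:
        duty = pick_channel(by_role[DUTY_ROLE], network_up)
        deliveries.append((DUTY_ROLE, duty.kind, duty.address))
    return {"event": event["type"], "domain": event["domain"], "roles": roles,
            "deliveries": deliveries, "unreachable": unreachable}


def channels_used(result):
    """Map role -> channel kind for a route() result."""
    return {role: kind for role, kind, _ in result["deliveries"]}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        for up in (True, False):
            print(json.dumps(route(line, network_up=up)))
```

Running it with `network_up=False` shows the point the passage makes: the legal contact, reachable only by corporate email, drops out of the XSS response once the network is shut down for remediation, and the router pages the duty officer instead of silently losing that role.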

In addition, integrating crisis communication notification systems with alerting networks would support the dissemination and confirmation of IT security advisories by an organization’s cyber teams. Lastly, organizations could leverage IP-based notifications as a unified response tool for both cyber and physical security safety drills conducted for compliance purposes, certifying the company’s crisis response operations to auditors on behalf of its customers.

In today’s landscape, it is not a question of if you will be hit by a combined cyber and physical crisis that impacts your organization’s operations, but when. A unified response across both processes won’t prevent you from getting hit, but it will allow you to recover faster and resume business operations sooner.