November 2018, This Week's Editor's Pick, Cyber Security, Integrated Solutions, IT infrastructure
The question of convergence is nothing new to the physical security industry. It wasn’t too long ago that surveillance technologies converging onto the IP platform was the thing everyone was talking about and we have since seen a massive shift from analogue surveillance to IP-based surveillance – although analogue is far from dead. Similarly, we have seen almost all the areas of the physical security industry moving to IP as a way to better control connected systems and integrate with other products.
Today, however, we are seeing a new convergence game in town, one that will have a far greater impact than IP convergence ever had. One of the reasons for this is that nothing in this industry will remain unaffected. The convergence between physical and logical (or cyber) security will be a game changer, not simply as a result of new technologies available and new skills those in the industry will have to learn, but because it will change the way we do everything, from planning to design and all the way to installation and maintenance.
Another enormous challenge will be getting physical and logical security people and departments to work together and speak the same language. At the NEC XON summit at Sun City this year, Bertus Marais, divisional GM of XON Safety & Security, noted that the convergence of physical and cybersecurity is already a reality in many organisations. He noted that companies today are demanding a holistic view of their security operations and if the two worlds are separate, that simply leaves a gap in your security posture.
Everyone is involved
Roger Truebody also notes that physical/logical convergence is a discussion more people are having, but he says, it is a very difficult topic to deal with as a generality. The discussion is definitely growing, but the level of the discussions vary from industry to industry, and in some cases, company to company.
Those who see security as important to their future business success are further ahead of the curve due to various pressures they find themselves under, as well as past experiences of losing access to their systems (and hence losing money) due to a cyber-attack. Truebody adds that the point of contention in almost all discussions is not technical or skills related, but cultural.
The ‘IT guys’ and the ‘security guys’ have different priorities, personalities and challenges, and very different working cultures – even those working in the same company. Overcoming these differences is where the hard work starts.
Mark Walker, associate vice president: sub-Saharan Africa at IDC Middle East, Africa & Turkey, agrees, noting that the current allocation of duties among the physical and logical teams are still very much in their silos and the teams have a singular view of their tasks and roles in the organisation. He says it is also a question of turf, especially among senior people who are worried what may happen to their position if the silos converge.
What’s needed from both sides is a broader view of the business, adds Walker. Security personnel should start looking at security from a business and user point of view, expanding their concept of security to incorporate the whole business. To use a familiar term, he says they need to look at integrating all their security systems and platforms into a holistic enterprise solution. This will include everything, from data and network perimeter protection, through to facilities management and surveillance, and all the way to integrating the latest artificial intelligence (AI) solutions – such as predictive and/or behavioural analytics.
Starting the process
No matter the challenges, the convergence process is not one that will go away and companies that delay starting will only see their people, assets and systems more vulnerable and more targeted by more sophisticated attacks – because they are easier targets. Truebody says the starting point is to first sit down, talk to each other, and develop the will to make convergence happen.
Once you know that it is going to happen and have buy-in from everyone concerned, you can then start with a risk analysis that does a full audit of your physical, logical and business security risks. In a nutshell, Truebody says that once identified, you can then go further with impact analysis and so forth, developing integrated prevention, protection and recovery strategies.
However, he warns that while it may look good on paper, if the will and buy-in is missing, it will not happen as convergence is a significant clash of culture and ego – who is going to be the boss of the converged security department.
Walker echoes these sentiments, noting that getting the two cultures working from the same scorecard is the first challenge that has to be overcome. The parties need to get talking and raise general awareness at the top about the enterprise’s holistic security challenges.
The next step is to continue the communications while also acknowledging the scope of the task ahead. Then comes the strategy to converge the security function into one and the challenge of putting it all under one executive – a chief security officer (CSO) or someone with authority to speak to the board.
Walker also recommends that automating as much of the converged security function as possible is critical in terms of getting the best results, as well as streamlining integration challenges.
While the convergence of physical and logical security is a complex operation and the chore of getting people from different cultures to work together is enormous, companies can also go for smaller wins to prove its effectiveness.
As an example, Marais said this convergence can simply be an application that logs your computer off, or activates a screen lock when it sees you are no longer sitting in front of it. This combination of physical and cyber is simple, but it can prevent unknown people using your computer, prevent ‘over-the-shoulder’ password stealing and even be integrated with physical access control in order to prevent you from logging onto your computer if you haven’t entered the building (or a trusted location). Similarly, if it notices you have left the building or your area of work without logging off, it can do so for you.
Vernon Fryer, CISO and GM Cyber Security at NEC XON, provides an example of convergence happening in some Cyber Defence Operation Centres (CDOC) NEC XON runs in South Africa and further up on the continent.
These CDOCs are examples of convergence in that one of their functions is to monitor IoT devices, which includes security systems, such as surveillance cameras and other electronic readers or sensors. The central server automatically monitors any number of devices over time and creates a base line of various data points. Should any of these standard readings change, the control centre is immediately alerted that something has changed and operators can investigate.
The readings under scrutiny include almost anything, and range from a simple change in state (from on to off, for example), through to changes in the firmware (in case malware is installed as happened in the Mirai botnet attack), to changes in a device’s configuration or if a device is accessed from a strange IP address.
Any changes are noted and investigated by the CDOC personnel, thereby ensuring the cybersecurity of physical security devices and other IoT systems. This relieves pressure on the operators and makes sure these devices remain in working order over the long term. Another integration Fryer says the CDOCs can perform is to integrate social media feeds to pick up trends, as well as to identify people caught on camera from pictures on their social media feeds.
One article can’t cover the full scope of the convergence between physical and logical security, but it is clear that this is a task we need to get to grips with. Physical security experts have to adapt to the IT world and all that entails, including learning the language and customs of what can be a completely foreign culture in the office next door. The result of this convergence will be a complete security strategy that protects organisations on all fronts from threats that are only increasing in size, scope and sophistication.