Security has always been one of the biggest headaches for enterprises in their digitization journey. Despite heavy investments in cyber-security, organizations still have security vulnerabilities and face major cyber-security threats. This was evident in the recent large-scale ransomware attack, “WannaCry”, earlier this year. Cyber-security attacks are rising in number and sophistication, which is a direct result of the increased complexity of ICT systems and hence the difficulty of safeguarding them. To make things worse, a large number of systems must be secured against physical security threats as well, on top of cyber-protection. This is the case for most of the critical infrastructures that underpin our society, which comprise many physical systems and devices in addition to ICT platforms. Security solutions, therefore, need to address both physical security and cyber-security vulnerabilities. Hence, the security community is now discussing the convergence of physical and cyber security solutions. Digital transformation managers, security experts and C-level executives must understand the rationale of this convergence, along with possible solutions. This would allow them to save time and costs in their effort to secure the critical infrastructures that they own or operate.
Drivers of Integrated Security Systems
The convergence of cyber and physical security is propelled by the following factors:
- Rise of Cyber-Physical Systems: At the dawn of the fourth industrial revolution (Industry 4.0), organizations are deploying many cyber-physical systems (CPS), i.e. systems that bridge physical processes with IT systems. Prominent examples of CPS systems are industrial robots, smart pumps, smart meters, industrial machines with digital interfaces and more. The increased deployment of such systems leads to infrastructures of a dual nature (physical and cyber), which require integrated security solutions.
- Physical Security Systems are IT-enabled: Acknowledging the need for increased physical security, critical infrastructure operators are deploying various physical security solutions such as access gates, CCTV (Closed Circuit TeleVision) cameras and IoT drones. Many of these systems are based on leading-edge IT-based technologies such as biometric authentication and image analysis, which makes their integration with cyber-security systems easier than ever before.
- Attackers find the weakest link: Attackers tend to seek the weakest link of a security infrastructure. For example, in social engineering attacks, attackers exploit human psychology, and in many cases these attacks are more effective than any IT-based hacking. This is the reason why enterprises cannot focus on one aspect (i.e. cyber or physical) while ignoring the other. It’s also noteworthy that physical attacks have increased in frequency and sophistication, as they become more asymmetric and less predictable.
- Regulatory Compliance: Most security regulations focus on protecting both citizens’ and businesses’ security, safety and privacy, without distinguishing between the physical or cyber threats that could compromise them. For example, the General Data Protection Regulation (GDPR) in the European Union mandates the protection of a citizen’s personal data regardless of the channels (e.g., physical/cyber) used to transmit these data. This means that a unified, integrated approach to confronting cyber and physical threats is needed as part of regulatory compliance efforts.
Sectors in Need of Integrated Security
The need for integrated security exists in many systems and applications in a variety of sectors. However, industrial applications and critical infrastructures are leading the way here, as a result of their cyber-physical nature. Overall, integrated security is needed in all cases where infrastructures can be considered as large-scale CPS systems. Prominent examples are found in the following sectors:
- Energy: Emerging energy infrastructures are typical examples of CPS systems, as these include physical devices (like smart meters) and SCADA systems, which are coupled with IT systems that perform forecasts and optimizations. Therefore, the business continuity of an energy management infrastructure could be greatly impacted by an attack if cyber and physical security systems are not effectively integrated to counter it.
- Manufacturing: Manufacturing infrastructures are also a mix of IT and operational technologies. Manufacturers are therefore deeply concerned about the trustworthiness of any IT systems that they use, while at the same time investing significantly in the protection of the physical parts of their plants.
- Finance: Financial organizations deploy advanced cyber-security systems (e.g., Intrusion Detection Systems, Anti-Virus platforms), along with many physical security systems like CCTV and access gates. The coordination of these systems could lead to cost-savings and enhanced security.
- Transport: Transport infrastructures are physical systems in nature, yet they are becoming connected through ICT systems such as broadband, wireless and optical networks. Such interconnections form the cornerstone of modern transport and supply chains. It’s therefore wise to consider the integration of physical and cyber security systems as part of an integrated approach.
- Telecommunications: Telco enterprises have to protect their buildings and data centers, in addition to managing and protecting their networks. An integrated security approach will help them confront integrated and asymmetric security attacks against their infrastructures in a timely manner.
In several of the above-listed critical infrastructures the benefits of integrated security are obvious. However, the implementation of an integrated approach can be very challenging. This is not just due to the technical integration barriers, but also due to the diverse backgrounds of people working on physical and cyber security. In order to cope with these challenges, effort should be allocated to the following tasks:
- Systems integration: Physical and cyber-security are usually based on different systems. The technical integration of these systems can be a big step towards more effective security. As already outlined, the technical integration is facilitated by the fact that many physical security systems are IT-based.
- Policies integration: Currently, IT security and physical security policies are specified independently from one another. Unless policies are integrated, the added value of systems integration will be extremely low. A holistic security approach should look at both types of threats at all times, while correlating them during the phases of vulnerability assessment and mitigation, and also during preparation against security attacks.
- Organizational consolidation: In many organizations, physical security and cyber-security are separate concerns that are handled by different departments. Hence, there is organizational fragmentation as well. In order to implement an integrated security approach, these different departments should be consolidated, or at least try to talk to each other and collaborate effectively and frequently. In addition to increased security, this could also lead to other benefits, such as more integrated and cost-effective procurement of security systems.
- Standards adherence: There is a host of security standards covering both IT systems and processes (e.g., ISO27001) and physical systems security (e.g., the ISO28000 family of standards for supply chain systems). An integrated security approach should start by considering the standards-based processes to be implemented, as this can drive security process integration and optimization.
There is a clear value proposition in taking a holistic approach to cyber and physical security. Integrated security is certainly more relevant to organizations that are deploying many CPS systems than to organizations that are operating in cyberspace only. In all cases, a smooth migration path that takes into account technological and cultural diversity within the organization should be considered. An effective handshake between these two aspects of an enterprise's security is the ideal solution.