In 2017, unknown attackers broke into and robbed a casino through a fish tank.
Bypassing all of the extensive and expensive physical and cybersecurity defences, the attackers allegedly exploited an internet-connected thermometer that was used to remotely monitor and automatically adjust the water temperature in the tank.
After gaining access to the network, they moved undetected for some time before virtually walking out the front door with 10GB of highly valuable customer data, including a database with details on the organization’s most important revenue stream, its high rollers.
In 2021, a United Airlines flight from San Francisco to Orlando was evacuated before take-off because several passengers simultaneously received a threatening picture of what appeared to be a gun on their smartphones.
The picture was sent using AirDrop, which only works within roughly 30 feet of the person sending the file, and it was this digital threat, delivered from within immediate physical proximity of the passengers, that prompted the evacuation. Fortunately, the photo turned out to be of a toy gun, sent by a teenager as a prank.
In 2013, Iranian hackers gained access to the control system of the Bowman Avenue Dam in New York. According to a 2016 U.S. Department of Justice indictment, the attackers obtained access to a computer control system that would have allowed them to “operate and manipulate” a gate on the dam and release the flow of water, had the gate not been manually disconnected at the time for maintenance.
In the cybersecurity field, we have essentially reached the conclusion that the conventional concept of a logical security perimeter is no longer valid. What these security incident examples begin to demonstrate is that, as the digital transformation of the physical world accelerates, the concept of a “physical security perimeter” is not becoming obsolete but is being completely redefined.
Like every other industry, the physical security industry itself is undergoing digital transformation. In fact, it has progressed to the point that, at the technical level, the convergence of physical and cybersecurity has essentially already occurred.
The cloud has been a key enabler of this, vastly improving overall capabilities: video surveillance augmented by artificial intelligence, and Open Source Intelligence (OSINT) techniques that leverage social media and other online services, are now used to identify threats early and to investigate criminal activity in the physical world.
So, if the lines have blurred between logical and physical risk and physical security has enthusiastically embraced digital transformation already, why are we not seeing more evidence of actual convergence between cybersecurity and physical security teams in terms of coordination, integration, orchestration, and automation in managing enterprise risk?
The answer is not an unwillingness to do so. In most cases, the most common impediments are simply legacy budgeting and cost centre structures, outdated hierarchical org charts, and good, old-fashioned organizational inertia.
While the world is changing and external enterprise risks are converging, much of how organizations operate, budget for, procure and measure the success of security teams has not.
Most organizations have multiple distinct cost centres for procurement of consumables and equipment managed separately by business function.
Physical security is likely allocated a budget for equipment such as cameras and access control devices — all of which are evaluated, procured, implemented and managed separately from the firewalls, endpoint detection and multi-factor authentication solutions they integrate with and depend upon.
Think about how this works in your own organization: Are the key performance indicators that apply to your security guards aligned or in any way related to those of the security operations centre analysts? Did the team who selected and manages your physical surveillance system have any input into which firewalls were purchased and implemented? Likely not.
While these organizational structures may be disadvantageous for aligning and converging security to address enterprise risk, they likely persist because — real or perceived — they are the most effective means of supporting business operations and are therefore unlikely to change.
Consequently, the practical aspects of convergence, which can be defined as simply as getting everyone working together towards proactively managing enterprise-level risk rather than in silos, are not going to be achieved by advocating for immense corporate restructuring or by merging culturally incompatible organizations.
The commonality between all aspects of an organization’s security posture and where convergence can best occur lies in rethinking and redefining where accountability sits, creating enterprise-level (not simply domain-based) risk policies, and in aligning key performance indicators that measure success of the overall mission, not the individual department.
Kevin Magee is chief security and compliance officer at Microsoft Canada (www.microsoft.ca).