informa
6 MIN READ
Commentary

Exploring the Intersection of Physical Security and Cybersecurity

Residential, commercial, and public buildings are getting smarter; fitting them with a network of connected systems allows buildings to regulate their environment, save energy, and be more secure.

Jane Waterfall, Content Manager at IASME Consortium, explains how systems — such as heating, air-conditioning, smoke detectors, and smoke alarms — can connect to generate, collect, and analyze data to monitor the environment in order to improve effectiveness of service.

The connected, embedded sensors and devices that make up the Internet of Things (IoT) contain software that provides these systems with their "intelligence." All software contains millions of lines of code, and these inevitably contain some mistakes.

In the world of cybersecurity, mistakes are called vulnerabilities and can be the equivalent of a window left open for cybercriminals to gain access.

Herein lies the paradox: The hundreds of IoT devices brought in to help make a building more secure can create open gateways for hackers to access not only the device with the vulnerability, but the whole IT network that the device is connected to.

Cybersecurity is concerned with preventing unauthorized access to a building or a company's network and data. Many physical security systems now include numerous connected devices with remote access from the cloud, closely resembling an IT architecture.

Cybersecurity is viewed as essential for technology that connected to the Internet. Yet if you consider the fact that many features in smart buildings still contain critical defects and overlook best practices, from a security point of view, many smart systems are far from smart.

Essential Cybersecurity for IoT
IoT is a very attractive target for hackers, not least because numerous IoT devices make it simple for attackers to steal valuable data, take control of or disrupt a system, or access bigger prizes within a network.

Attacking the physical is often part of a larger attack where its role is to act as an easier gateway to another system.

IoT systems security is somewhat behind the security level of most business computers, with some security experts estimating it is at the stage in its journey where information security was 15 years ago. Consumer IoT devices and those found in many smart buildings frequently do not have even the basics in place, leaving the devices and the networks vulnerable to cyberattacks.

The ETSI EN 303 645 standard was created by a team of experts from across the European Union — in industry, academia, and government — to prevent large-scale, prevalent attacks against smart devices. The standard, released in 2020, describes 13 requirements to establish a security baseline for connected consumer products and provides a basis for future IoT certification schemes.

New legislation coming into law in the United Kingdom in the near future will bring some much-needed improvement to consumer IoT device security. The new legislation will specify three mandated security features that are aligned with the top three requirements of the European Technical Standard for IoT Security (ETSI).

Physical Security to Protect IT
In the same way that cybersecurity is needed to protect physical security technology, physical security practices are essential in helping to protect information technology.

Access control is one of the key principles of cybersecurity, covering the essential precaution of controlling who can access your devices, accounts, and data. The technical control includes creating user accounts for everyday use and limiting access to the administrative accounts to those people who need them for their roles.

Access control also includes physical access to equipment and premises. This would include, for example, protection from unauthorized people walking unchecked into an office or server room, or even just looking through a window.

The rule of "least privilege" is a secure way to work. This simply means staff are given all the resources and data necessary to perform their roles, but no more. The same rule can be applied to accessing different parts of the business premises. Physical access control measures can include using a key card or biometric scan to enter the building and further access control for different offices, ensuring that computer screens are not visible from the window and that devices in use to access organizational data automatically lock after a period of inactivity.

Physical security and cybersecurity have long been seen as separate sectors, but with the rise of smart buildings and the interdependence of physical systems with Web-based or cloud-based networks, the boundaries between the two are becoming less visible.

Organizations, facilities managers, and those in the security industry need to find ways to better identify, mitigate, and respond to risks across multiple security operations when the surface area of those risks is larger and continuously expanding.

Security Convergence
Security convergence is the practice of integrating physical security and information security within projects and organizations. The idea is to manage the total risk to assets, property, systems, and networks in a holistic security strategy, anchored by shared practices and goals.

Effective security convergence has needed a culture shift from that of siloed departments with separate funding sources and strategies to one of inclusion and collaboration. The security sector knows that it needs to build more awareness of IoT breaches, provide education, share best practices, and accelerate the development and adoption of cybersecurity standards.

Good security strategies focus on people, processes, and technology, encourage training and education for their teams and prioritize working with trusted providers who use assured products and technology to connect their building assets.

IASME developed the IoT Security Assured certification scheme to provide an accessible and achievable way for manufacturers to demonstrate the security of their Internet-connected devices and to show they are compliant with best-practice security.

When the IoT Security Assured scheme badge is displayed on the device, it will reassure end users that their devices include the most important security features.

The IoT Security Assured scheme is aligned with the leading global technical standard in IoT security, ETSI's EN 303 645, and with imminent UK IoT security legislation and guidance.

Within the IoT Security Assured scheme, there are three levels of security that a device can be certified to:

  1. The Basic level: This level is aligned with proposed UK legislation and covers the top three requirements of the ETSI standard.
  2. The Silver level: This is aligned with the 13 ETSI mandatory requirements and data protection provisions.
  3. The Gold level: This is aligned with the 13 ETSI mandatory requirements, as well as all the additional ETSI recommended requirements and data protection provisions.

An information security management system (ISMS) such as IASME Governance standard is a documented systematic approach that addresses people, processes, and technology. The Governance standard integrates both cybersecurity and physical security, helping organizations embed good security awareness, knowledge, and behavior into its practices as business as usual.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.

Editors' Choice
Robert Lemos, Contributing Writer, Dark Reading
Robert Lemos, Contributing Writer, Dark Reading
Dark Reading Staff, Dark Reading
Jai Vijayan, Contributing Writer, Dark Reading