Who Is Responsible for Protecting Physical Security Systems From Cyberattacks?

It's a question that continues to engage debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: Who is responsible for their cybersecurity?

The Debate Continues
In December 2020, I conducted a poll on LinkedIn to further understand what the views of security and IT professionals are. I was very encouraged by the interest and comments that it raised.

Over one week there were 81 votes from across all areas of security and IT. My special thanks to IFSEC Global, Mike Gips (Principal, Global Insights in Professional Security) who is a global leader in security research, and Rollo Davies, Managing editor of TPSO magazine, who reshared the poll. This enabled me to receive a range of perspectives that I simply could not have gained on my own.

Twenty-eight percent voted for head of physical security, suggesting that the system owner is responsible (assuming this is physical security/FM etc.) and should seek support from the others. I think this is also what ISACA would advise from my studies of the CRISC materials. The head of IT allocates responsibility to individual business units and the system owner is then responsible. Similarly, the ASIS CSO Organisational Standard explains that the CSO is responsible for all security risks and can delegate "some" accountability to heads of business units who are supported by the appropriate organization's security team. Hence the physical security lead should look for support from the head of cybersecurity to provide specialized services that reduce the risk.

Brian Allen (Cyber Advisory, EY) added his comments to this: "The system owner, CSO in this case, being physical security equipment, is the system owner, with the system's state being in the cyber environment. I'd say the CSO is the system owner and whomever has responsibility in protecting assets in the digital environment, would be responsible for those protections to the limits the stakeholder (CSO) desires."

Sixty-three percent voted for head of cybersecurity, with responses including both senior physical and cyber security professionals. This is most interesting and, in some ways, expected. It reflects my earlier findings that 69% think physical systems are in fact cyber.

Over the years I have worked in the converged arena, I often meet people from both areas who are clear that physical security professionals are not experts in cybersecurity and should not try to manage this risk. Others, not surprisingly, see it as a highly complex field which they have worked in for many years and now want to help protect IoT and physical security devices. But as colleagues in IoT security are often specialists, it remains obvious that many of these systems are unprotected. I say this because if the majority believe quite reasonably that the head of cybersecurity is responsible, whereas in reality the head of physical security is, we have a problem.

Few heads of physical security in fact do know how to cyber-protect their systems and think the head of cybersecurity is doing it. This is a problem when the cyber department is in fact busy protecting the network from new risks such as the security of their own solutions (as SolarWinds evidences), of ransomware and working from home. In many instances, the last thing the cybersecurity head is worried about is CCTV and BMS.

How much time does the typical CISO/head of cybersecurity devote to this? Operational technologies are getting more attention with increasing attacks on the energy sector and the recent ransomware attack on Dusseldorf University Hospital that caused the tragic death of a patient. But if the official view is that it is the responsibility of physical security, then the industry must wake up to this and take action.

Nine percent voted for the head of IT. Clearly, some leading IT and security professionals believe that the head of IT has overall accountability and responsibility. They would then delegate the day-to-day running of the system to the business unit. This answer is of course reasonable and indicates that the business recognizes that the issue of cyber security of all systems is significant.

Peter also indicated that the IT systems should self-protect and that by 2024 the CEO would become personally responsible. We know that some of the more advanced CCTV systems self-protect, but sadly not the majority!

I didn't give the option of a CSO in the poll, partly because there are few senior roles like this and I wanted to see the answers to physical or cyber. Though it would have been interesting to see who would have voted for the CSO. The CSO, for instance, can delegate this to the head of physical or cybersecurity.

If it is evidently a challenge for the physical security lead to fully understand cybersecurity, then it makes real sense to collaborate and form cross-functional teams to address these common risks. And, as we have demonstrated at IFSEC's Converged Security Centre, it is even more important to monitor real time attacks on these systems if we are to identify the risk in time. How can the head of physical security honestly expect to see these attacks if there are no real-time cybersecurity monitoring technologies in the control room?

This is precisely why we need converged security operations centers and to move into the digital age. Without convergence technologies, the officers in a control room will not know if the camera is down from a cyber or physical attack.

Not taking anything away from Bruce Willis here, but if he could work with the hacker to save the stock market from a hostile takeover in Live Free or Die Hard, why on earth can't we?

James Willison is the founder of Unified Security Ltd, the Project Advisor to the IFSEC Converged Security Centre and Co Chair of the Smart Built Working Environment Group, IoTSF. James was also listed amongst the IFSEC Global Top Influencers in Security & Fire 2020.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.