
James Willison, founder of Unified Security Ltd

Who Is Responsible for Protecting Physical Security Systems From Cyberattacks?

It's a question that continues to generate debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: who is responsible for their cybersecurity?

The Debate Continues
In December 2020, I conducted a poll on LinkedIn to better understand the views of security and IT professionals. I was very encouraged by the interest and comments it raised.

Over one week there were 81 votes from across all areas of security and IT. My special thanks to IFSEC Global, Mike Gips (Principal, Global Insights in Professional Security), who is a global leader in security research, and Rollo Davies, managing editor of TPSO magazine, who reshared the poll. This enabled me to receive a range of perspectives that I simply could not have gained on my own.

Twenty-eight percent voted for head of physical security, suggesting that the system owner (assuming this is physical security, facilities management, etc.) is responsible and should seek support from the others. I think this is also what ISACA would advise, based on my studies of the CRISC materials: the head of IT allocates responsibility to individual business units, and the system owner is then responsible. Similarly, the ASIS CSO Organisational Standard explains that the CSO is responsible for all security risks and can delegate "some" accountability to heads of business units, who are supported by the appropriate organization's security team. Hence the physical security lead should look for support from the head of cybersecurity to provide specialized services that reduce the risk.

Brian Allen (Cyber Advisory, EY) added his comments to this: "The system owner, CSO in this case, being physical security equipment, is the system owner, with the system's state being in the cyber environment. I'd say the CSO is the system owner and whomever has responsibility in protecting assets in the digital environment, would be responsible for those protections to the limits the stakeholder (CSO) desires."

Sixty-three percent voted for head of cybersecurity, with responses coming from both senior physical and cybersecurity professionals. This is most interesting and, in some ways, expected. It reflects my earlier finding that 69% think physical security systems are in fact cyber systems.

Over the years I have worked in the converged arena, I have often met people from both areas who are clear that physical security professionals are not experts in cybersecurity and should not try to manage this risk. Others, not surprisingly, see cybersecurity as a highly complex field in which they have worked for many years and now want to help protect IoT and physical security devices. But colleagues in IoT security are often specialists, and it remains obvious that many of these systems are unprotected. I say this because if the majority believe, quite reasonably, that the head of cybersecurity is responsible, whereas in reality the head of physical security is, we have a problem.

In fact, few heads of physical security know how to cyber-protect their systems, and many assume the head of cybersecurity is doing it. This is a problem when the cyber department is busy protecting the network from new risks such as the security of their own solutions (as SolarWinds evidences), ransomware, and working from home. In many instances, the last thing the cybersecurity head is worried about is CCTV and the building management system (BMS).

How much time does the typical CISO/head of cybersecurity devote to this? Operational technologies are getting more attention with increasing attacks on the energy sector and the recent ransomware attack on Dusseldorf University Hospital that caused the tragic death of a patient. But if the official view is that it is the responsibility of physical security, then the industry must wake up to this and take action.

Nine percent voted for the head of IT. Clearly, some leading IT and security professionals believe that the head of IT has overall accountability and responsibility, and would then delegate the day-to-day running of the system to the business unit. This answer is of course reasonable and indicates that the business recognizes that the cybersecurity of all systems is significant.

Peter also indicated that the IT systems should self-protect and that by 2024 the CEO would become personally responsible. We know that some of the more advanced CCTV systems self-protect, but sadly not the majority!

I didn't give the option of a CSO in the poll, partly because there are few senior roles like this and I wanted to see the split between physical and cyber. It would have been interesting, though, to see who would have voted for the CSO. The CSO, for instance, can delegate this to the head of physical or cybersecurity.

If it is evidently a challenge for the physical security lead to fully understand cybersecurity, then it makes real sense to collaborate and form cross-functional teams to address these common risks. And, as we have demonstrated at IFSEC's Converged Security Centre, it is even more important to monitor real-time attacks on these systems if we are to identify the risk in time. How can the head of physical security honestly expect to see these attacks if there are no real-time cybersecurity monitoring technologies in the control room?

This is precisely why we need converged security operations centers and to move into the digital age. Without convergence technologies, the officers in a control room will not know whether a camera is down because of a cyber or a physical attack.

Not taking anything away from Bruce Willis here, but if he could work with the hacker to save the stock market from a hostile takeover in Live Free or Die Hard, why on earth can't we?

James Willison is the founder of Unified Security Ltd, the Project Advisor to the IFSEC Converged Security Centre and Co-Chair of the Smart Built Working Environment Group, IoTSF. James was also listed amongst the IFSEC Global Top Influencers in Security & Fire 2020.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.

Comment from li'l ciso (User Rank: Strategist), 1/14/2021, 12:46:30 PM
Fortune 1000 has a name for this
In the United States, companies that make 1 billion USD or more annually are often in the Fortune 1000. These large enterprises should (and most do) have a Corporate Security team.

I prefer using the Corporate Security banner because this includes Corporate Security Intelligence (i.e., threat intelligence, trusted insider threat prevention, etc.), while the private security industry or the perimeter security business units are often focused away from issues such as stolen property or high-grade or even hybrid threats.