
8/24/2020
10:58 AM

Why Should Physical Security Professionals Learn Cybersecurity Skills?

In the first of a series of columns set to be hosted exclusively on IFSEC Global, Sarb Sembhi, CISM, CTO & CISO at Virtually Informed, outlines why physical security professionals should be investing in their cybersecurity skillset.

Most physical and cybersecurity professionals have worked completely separately since cybersecurity became a field in its own right. This continues to be the case, despite the efforts of my good friend and colleague James Willison and me to promote a joint approach with converged security risk management.

Whether enterprises see the benefits of the two areas of security risk working together or not, there is one thing that must change – physical security professionals must learn cybersecurity skills. Here’s why…

The Coronavirus is not the only cause of change in the world!

Physical security has been around for centuries, and over the last 20-plus years it has benefited from technological advancements in CCTV, access control systems, centralised alarm control systems, sensored perimeters, and many others. Over the last few years the technology has advanced even further to facilitate many more benefits. However, these benefits are only achievable when the systems not only operate on an IP network but also share other technologies, such as protocols, services and applications. The sharing goes beyond the basics, as it involves connecting with many more systems that are totally different from each other, especially when we are talking about systems in smart buildings.


I call this last change the 'IoT-isation of technology,' which has pushed what were once physical security systems open to cybersecurity vulnerabilities.

This means that regardless of what physical security professionals think – be they installers, maintenance or facilities staff – they will have to learn enough cybersecurity practices to ensure that they are not making the rest of the network any more vulnerable than before the devices were installed. Unfortunately, if the current installers are not able to secure such devices, then enterprises will need to replace these suppliers with those who have the skillset to do so.

Change in skills requirements

Many of the devices being installed in a commercial environment are also being replicated in the home. More and more people are implementing surveillance technology in their houses under the guise of security, not understanding that they are probably more vulnerable to attack with some of these products than they were without them. Many of these products are amazingly simple to use; however, in many cases the functionality was never extended to include securing the device or system from hackers.

Since these systems are often purchased based upon their price point, and not the security built into the device or system, the chance of them being replaced due to cybersecurity issues is remote to non-existent.

Whilst some may be aware that there is a UK and EU coordinated law that is coming into operation in relation to consumer IoT products, it is so low level that it only deals with the top three of the thirteen ETSI standard requirements for device and system security.

Although commercial and domestic products are not exactly the same and being skilled in one doesn’t necessarily make you an expert in the other, they do utilise many similar technologies, which creates a fantastic opportunity for many small installer/integrator businesses.

However, there still needs to be a major shift in the skills required to install, maintain and oversee facilities, with cybersecurity at the forefront of this requirement.

Job security

Another driver is that several professional bodies and industry standards are beginning to include cybersecurity skills for any smart products that are installed into buildings, be they domestic or commercial. So, physical security professionals may only be left with a limited range of options:

  • ignore cybersecurity and lose business to those who are willing to adapt to the market needs, or;
  • leave the profession or industry because cybersecurity isn't for them, or;
  • learn enough cybersecurity to adapt and add value to customers and the industry, or;
  • go the whole hog and explore a career in cybersecurity, where you are able to provide the additional physical security and safety skills that most current cybersecurity professionals don’t have.

Basically, it seems that if you are or have been in physical security, and want to keep your job security for the longer term, you will have to learn some cybersecurity skills!

Add value to your business offering

The good news is that there is currently a cybersecurity skills shortage and the profession is looking to fill the gap from various avenues.

Unfortunately, some of my cybersecurity colleagues feel that many physical security professionals are not interested in working with cybersecurity teams to provide a single view of risk. There is a view that installers or facilities teams are so entrenched in their views about any non-physical security that they will resist change for as long as they can, while also holding back those who want to see change. This resistance is there and will be there for some time, but with the world moving towards smart technology, those who have at least some cybersecurity skills won't be completely left behind.

I do believe that since there is little or no chance that cybersecurity people will attempt to learn the risk skills physical security professionals have, the only chance we have of keeping good physical risk management skills is to train physical security professionals into cybersecurity. On this basis, physical security professionals can create a new breed of security professional. Not only that, they will be meeting an immediate gap that needs to be filled around the world, not just in the UK, US and Europe.

In closing…

As a cybersecurity professional who researched into the vulnerabilities of networked CCTVs, intruder alarms, fire alarms, HVAC systems, and other physical network devices at the time when they were not called IoT devices and they were all under the management of physical security teams, things have changed! Physical security is going to change much faster in the next few years, often in favour of those with cybersecurity skills.

To respond to this big shift, physical security professionals will have to learn some cybersecurity skills, whether it is for 5-10% of their jobs, or as much as 20-30% each working week.

I would like to start this discussion and ask what you would like to see to help you make that progression and have the sustainable future you need for yourself and your business. If you have any questions or there are any topics that you would like me to cover, please feel free to post them on this page, and I will try to respond when I get the chance.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, intruder/fire alarms and guarding – and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.

Sarb Sembhi CISM, is CTO & CISO at Virtually Informed and a contributor to IFSEC Global.

Comments
PeterEvolv,
User Rank: Author
10/21/2020 | 6:19:32 AM
Physical and Cyber Coming Together
Great piece. Strongly agree with your advice that physical security pros build their skills on the cyber side. Transformation is underway to bring the physical and cyber teams together for a holistic, integrated approach to security strategy and operations. Modern technologies are being used to drive that forward. Security pros who want to lead that charge will require knowledge/expertise on both sides of the house.
RichardM23501,
User Rank: Apprentice
9/1/2020 | 2:25:54 PM
What??
Seems most people think of "physical security professionals" as security guards and their staff. They do not make good cybersecurity professionals.

People who install and maintain security equipment are technicians. They have IT skills as well. They understand some aspects of cyber and can level up.
