
Physical Security

1/14/2021
11:00 AM
James Willison, founder of Unified Security Ltd

Who Is Responsible for Protecting Physical Security Systems From Cyberattacks?

It's a question that continues to generate debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: Who is responsible for their cybersecurity?

The Debate Continues
In December 2020, I conducted a poll on LinkedIn to further understand what the views of security and IT professionals are. I was very encouraged by the interest and comments that it raised.

Over one week there were 81 votes from across all areas of security and IT. My special thanks to IFSEC Global, Mike Gips (Principal, Global Insights in Professional Security) who is a global leader in security research, and Rollo Davies, Managing editor of TPSO magazine, who reshared the poll. This enabled me to receive a range of perspectives that I simply could not have gained on my own.

Twenty-eight percent voted for head of physical security, suggesting that the system owner is responsible (assuming this is physical security/FM etc.) and should seek support from the others. I think this is also what ISACA would advise from my studies of the CRISC materials. The head of IT allocates responsibility to individual business units and the system owner is then responsible. Similarly, the ASIS CSO Organisational Standard explains that the CSO is responsible for all security risks and can delegate "some" accountability to heads of business units who are supported by the appropriate organization's security team. Hence the physical security lead should look for support from the head of cybersecurity to provide specialized services that reduce the risk.

Brian Allen (Cyber Advisory, EY) added his comments to this: "The system owner, CSO in this case, being physical security equipment, is the system owner, with the system's state being in the cyber environment. I'd say the CSO is the system owner and whomever has responsibility in protecting assets in the digital environment, would be responsible for those protections to the limits the stakeholder (CSO) desires."

Sixty-three percent voted for head of cybersecurity, with responses coming from both senior physical security and cybersecurity professionals. This is most interesting and, in some ways, expected. It reflects my earlier findings that 69% think physical systems are in fact cyber.

Over the years I have worked in the converged arena, I often meet people from both areas who are clear that physical security professionals are not experts in cybersecurity and should not try to manage this risk. Others, not surprisingly, see it as a highly complex field in which they have worked for many years and now want to help protect IoT and physical security devices. But because colleagues in IoT security are often specialists, it remains obvious that many of these systems are unprotected. I say this because if the majority believe, quite reasonably, that the head of cybersecurity is responsible, whereas in reality the head of physical security is, we have a problem.

Few heads of physical security in fact know how to cyber-protect their systems, and they think the head of cybersecurity is doing it. This is a problem when the cyber department is in fact busy protecting the network from new risks such as the security of its own tooling (as SolarWinds demonstrates), ransomware, and working from home. In many instances, the last thing the cybersecurity head is worried about is CCTV and BMS.

How much time does the typical CISO/head of cybersecurity devote to this? Operational technologies are getting more attention with increasing attacks on the energy sector and the recent ransomware attack on Dusseldorf University Hospital that caused the tragic death of a patient. But if the official view is that it is the responsibility of physical security, then the industry must wake up to this and take action.

Nine percent voted for the head of IT. Clearly, some leading IT and security professionals believe that the head of IT has overall accountability and responsibility. They would then delegate the day-to-day running of the system to the business unit. This answer is of course reasonable and indicates that the business recognizes that the cybersecurity of all systems is a significant issue.

Peter also indicated that the IT systems should self-protect and that by 2024 the CEO would become personally responsible. We know that some of the more advanced CCTV systems self-protect, but sadly not the majority!

I didn't give the option of a CSO in the poll, partly because there are few senior roles like this and I wanted to see the answers to physical or cyber, though it would have been interesting to see who would have voted for the CSO. The CSO, for instance, can delegate this to the head of physical security or cybersecurity.

If it is evidently a challenge for the physical security lead to fully understand cybersecurity, then it makes real sense to collaborate and form cross-functional teams to address these common risks. And, as we have demonstrated at IFSEC's Converged Security Centre, it is even more important to monitor real-time attacks on these systems if we are to identify the risk in time. How can the head of physical security honestly expect to see these attacks if there are no real-time cybersecurity monitoring technologies in the control room?

This is precisely why we need converged security operations centers and to move into the digital age. Without convergence technologies, the officers in a control room will not know if the camera is down from a cyber or physical attack.

Not taking anything away from Bruce Willis here, but if he could work with the hacker to save the stock market from a hostile takeover in Live Free or Die Hard, why on earth can't we?

James Willison is the founder of Unified Security Ltd, the Project Advisor to the IFSEC Converged Security Centre and Co Chair of the Smart Built Working Environment Group, IoTSF. James was also listed amongst the IFSEC Global Top Influencers in Security & Fire 2020.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.


Comments
li'l ciso, User Rank: Strategist
1/14/2021 | 12:46:30 PM
Fortune 1000 has a name for this

In the United States, companies that make 1 Billion USD or more annually are often in the Fortune 1000. These large Enterprises should (most do) have a Corporate Security team.

I prefer using the Corporate Security banner because this includes Corporate Security Intelligence (i.e., threat intelligence, trusted insider threat prevention, etc.), while the private security industry or the perimeter security business units are often focused away from issues such as stolen property or high-grade or even hybrid threats.