Drill Down

Converging physical and cybersecurity


President Barack Obama's Executive Order on Improving Critical Infrastructure Cybersecurity and his Presidential Policy Directive on Critical Infrastructure Security and Resilience are two of the first official acknowledgments of the inextricable link between physical and cybersecurity. Those directives assert that to protect critical infrastructure, federal departments and agency heads must lead the charge to strengthen cybersecurity and increase collaboration and accountability among the infrastructure's public and private stakeholders. Ultimately, federal agencies bear the responsibility of security outcomes.

The directives empower federal organizations to embrace holistic security measures to protect our nation's critical infrastructure, buildings, assets, information and people. In order to achieve a truly holistic approach, federal organizations must close the schism between physical and cybersecurity divisions.

The most effective course of action is to form a homogenized security program under the command and control of federal IT. Here's why:

1. The old dichotomy is outdated and cumbersome. Currently, network and information security falls under the purview of federal IT, and responsibility for physical security resides with facility managers or superintendents. That structure is indicative of an antiquated view of security. As the cybersecurity policy directive so aptly states, "U.S. efforts shall address the security and resilience of critical infrastructure in an integrated, holistic manner to reflect this infrastructure's interconnectedness and interdependency."

Leaving security silos unaddressed ignores the nature of modern threats and leaves gaping holes in security strategy for malevolent actors to exploit. Instead, federal organizations must implement systemic mechanisms that enable security personnel to monitor, analyze and respond to threats occurring at any point of entry into the organization, regardless of whether the threat or entry point is physical or virtual in nature.

By combining access, management and reporting functions into a single-pane-of-glass system, attacks on one or more threat vectors would immediately trigger a proactive response across all other areas of vulnerability. Such a unified threat management system for physical security would act like its data security counterpart in form and function and would allow human management, oversight and deterministic response to evolve ahead of the threat.

2. Federal IT professionals already have the technical skills to secure physical assets. In many ways, "physical security" is a misnomer because it ignores the sophisticated surveillance, access control, and visitor management tools and solutions organizations use to keep physical assets safe. From this perspective, federal IT is the logical choice to take control of a unified security program. The tools fall in its wheelhouse. More important, federal IT and cybersecurity professionals already understand the theory, application and nuances of holistic security from their experience with cybersecurity.

If you look at the historical evolution of IT security mechanisms and controls, physical security is five to seven years behind cyber in terms of convergence. A unified physical and cybersecurity system would enable organizations to leapfrog a decade of incremental progress.

3. Federal security leaders could achieve more with less. In an era of budget austerity, consolidating physical and cybersecurity systems under the purview of federal IT offers many benefits. From a technology investment standpoint, the drivers behind the tools are interconnected. As a result, most security management systems, tools and processes can be modernized to interoperate with new and existing systems quickly and cost-effectively.

Although physical security lags behind cyber, the unified system would not introduce inefficiencies. In fact, security personnel could avoid the potential for labor-intensive controls and processes related to monitoring, managing and reporting physical security data by adopting the same computer-based efficiencies established for cybersecurity disciplines.

Furthermore, security consolidation supports several of the objectives set forth in U.S. CIO Steven VanRoekel's report on fiscal 2014 budget priorities for federal IT. Consolidation increases technology's total return on investment, capitalizes on innovative technologies and processes to achieve department and mission objectives, and uses data analytics to make more informed strategy and process decisions. In fact, adding physical security to federal IT's responsibilities would expand its purview and budget power.

4. Critics of convergence forget that change is inevitable. Some security stakeholders might oppose converging security because it could translate into an overhaul of organizational hierarchies, job titles and qualifications, and regulatory oversight. In reality, federal agencies have successfully completed similar transitions in the past. The best example that comes to mind is the FBI's transition in the 1980s, when the advent of computers unleashed an entirely new breed of criminals whose crimes required investigators who were skilled in technical forensics. Some agency veterans resisted the personalities, qualifications and training requirements that came with the new roles. Ultimately, the organizational shift happened -- because it had to happen -- and was carried out gradually.

Similar to the new face of an FBI agent, the federal security manager of the future will have knowledge of both physical and cybersecurity principles and practices, and will apply security solutions that hunt for unified threats. The control systems that he or she uses will report events in real time and apply actions across all applicable control systems in a proactive response, all with clear and manageable human oversight and control.

In the end, the security benefits and ROI of adopting a unified security program far outweigh the initial discomfort and investment in transforming the security organization.


Reader comments

Wed, Jan 8, 2014 Tim Peters Arizona

As a retired Army Special Forces soldier with a graduate degree in Business and Organizational Security Management and an American Society of Industrial Security (ASIS) Certified Protection Professional (CPP) who works in the Security paradigm, Steve Allen from VA hit "the nail on the head" with his succinct but comprehensive comments. While convergence/management of physical security with IT/Cybersecurity may fit within the schemata of an IT professional, the only real applicability is within the physical security systems (CCTV, ACS, IDS, C4I) architecture and network security of those systems. Physical security is present in any given environment even when cybersecurity is not.

Sat, Dec 21, 2013 Steven Allen Virginia Beach, VA

The Army field manual for physical security states the following… “Physical security is defined as that part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard against espionage, sabotage, damage, and theft.” In cyber security IT leverages software such as anti-virus, intrusion prevention and detection, and other systems and tools to control access to information. If I were to state that these tools are sufficient in order to protect the federal government’s information systems, then I may draw the conclusion that to protect my electronic data I simply need the talents of a good software or system administrator. In physical security, security officers use electronic tools such as electronic access control systems, visitor management systems, and video management systems to name a few. Because these are IT based systems you may draw the same parallel and state that only IT administrators are needed to provide physical security to the federal agency. However, in both instances the conclusions are based on far too little information. The truth is that IT security is no more equipped to design the power distribution of a facility than physical security is equipped to design a data center. I believe the confusion stems from the fact that the electronic tools used in most federal agencies have evolved to a point where it may seem like the threat of physical attack, theft, and life safety concerns have been eliminated. However, as you may know, recent data breaches have proven that the existence of firewalls and software systems has not eliminated cyber threats, any more than the electronic security systems have eliminated the loss of life in our federal facilities. Both physical security and cyber security rely on electronic tools that aid in the endeavor to protect the assets each is charged with securing.
However, the skills required to protect information systems are very different than the skills required to pick up a gun and protect human life. The physical security staff in a federal agency is charged with all aspects of physical threats to both equipment and people. The overlap in the use of IT systems with cyber security does not make an IT specialist qualified to act in the event of an active shooter, any more than it makes a security guard qualified to detect a data breach on a computer network.
