This is the second of a four part series on the convergence of IT and OT (Operational Technologies) by Rick Geiger
Physical Security has evolved from serial communication to modern systems that are largely, if not completely, IP networked systems. The unique requirements of physical security have often led to shadow IT departments within the physical security department, with networks and servers procured and operated by the physical security department with little or no involvement from IT.
Intersections with IT and the corporate network began with the interconnection of physical security systems and the placement of physical security appliances on the corporate network to avoid the cost of wiring that would duplicate existing networks. At one time IT may have been persuaded that these “physical security appliances” didn’t need to be managed by IT. But that persuasion was shattered by malware infections that revealed far too many “physical security appliances” to be repackaged PCs with specialized interface cards.
IT departments scrambled to locate and remove these vulnerable devices and either outright banned them from the corporate network or insisted that they be managed by IT. A hard lesson was learned that just as the organization, including IT, required physical security, video surveillance and badge access control, the physical security department needed the cyber security expertise of IT to protect the communication and information integrity of networked physical security systems.
Convergence is sometimes regarded narrowly as the use of physical location as a criterion for network access: restricting certain network access to a particular location, and/or noting any discrepancies between the geographic source of a login attempt and the physical location reported by the badge access system. For example, the network won’t accept a login from Asia when that user badged into a building in Philadelphia.
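The location check described above, as an added example that is not part of the original post: it correlates login attempts with badge-access events from constructed sample logs, flags logins whose geographic region disagrees with the site the user last badged into, and enforces a location restriction on a named resource. The log formats, site names, regions, and the `scada-hmi` resource are all assumptions made for the illustration.

```python
"""Correlate network login attempts with physical badge-access events.

Constructed example: log formats, sites, regions and resource names are assumed.
"""
from datetime import datetime, timedelta

# Badge reader site -> geographic region (assumed mapping)
SITE_REGION = {"PHL-HQ": "NA", "SIN-OFFICE": "APAC"}

# Resources that may only be used by someone badged into a specific site (assumed)
LOCATION_RESTRICTED = {"scada-hmi": "PHL-HQ"}

# A badge-in older than this no longer counts as "present"
WINDOW = timedelta(hours=12)

# Constructed badge-access log: timestamp, user, site, action
BADGE_LOG = """\
2016-03-01T08:02:11Z alice PHL-HQ BADGE_IN
2016-03-01T08:10:40Z bob SIN-OFFICE BADGE_IN
2016-03-01T17:30:05Z alice PHL-HQ BADGE_OUT
"""

# Constructed login log: timestamp, user, source country, source region, resource
LOGIN_LOG = """\
2016-03-01T09:15:00Z alice US NA vpn
2016-03-01T09:20:00Z alice CN APAC vpn
2016-03-01T10:00:00Z bob SG APAC vpn
2016-03-01T11:00:00Z bob SG APAC scada-hmi
2016-03-01T12:00:00Z carol US NA vpn
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_badge(text):
    """Return badge events as (timestamp, user, site, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, site, action = line.split()
        events.append((parse_ts(ts), user, site, action))
    return sorted(events)


def current_site(badge_events, user, at):
    """Site the user is badged into at time `at` (None if not present or record too old)."""
    site = None
    for ts, u, s, action in badge_events:
        if u != user or ts > at or at - ts > WINDOW:
            continue
        # Replay badge activity in order; the last action decides presence
        site = s if action == "BADGE_IN" else None
    return site


def check_logins(badge_text, login_text):
    """Return (timestamp, user, resource, reason) findings for suspicious logins."""
    badge_events = parse_badge(badge_text)
    findings = []
    for line in login_text.splitlines():
        ts, user, country, region, resource = line.split()
        site = current_site(badge_events, user, parse_ts(ts))
        if site is None:
            # No recent badge record: worth noting, but may be a legitimate remote user
            findings.append((ts, user, resource, "NO_BADGE_RECORD"))
        elif SITE_REGION[site] != region:
            # Badged into one region, logging in from another
            findings.append((ts, user, resource, f"REGION_MISMATCH:{site}/{country}"))
        required = LOCATION_RESTRICTED.get(resource)
        if required and site != required:
            # Resource requires physical presence at a specific site
            findings.append((ts, user, resource, f"LOCATION_RESTRICTED:{required}"))
    return findings


if __name__ == "__main__":
    for finding in check_logins(BADGE_LOG, LOGIN_LOG):
        print(" ".join(finding))
```

Run against the constructed logs, the check flags Alice's second login (badged into Philadelphia, login sourced from Asia), Bob's attempt to reach the location-restricted resource from the wrong site, and Carol's login with no badge record at all; the first three logins pass. In practice the badge system and the identity provider would feed these events to a SIEM, but the correlation logic is the same.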
The need and opportunity for Cyber and Physical security convergence is much broader than network access. Physical Security systems need Cyber Security protection just as Cyber Systems need Physical Security protection.
What are, at a very high level, the primary activities of Physical Security on a day to day basis?
- Protect the perimeter
- Detect breaches
- Situational awareness
- Standard operating procedures defined for anticipated events
- Forensics to gather, preserve and analyze evidence and information
Physical security personnel often have a law enforcement or military background, and approach these activities from that point of view.
Over time, the technology of physical security has evolved from walls, guns and guards to sophisticated microprocessor based sensors, IP video cameras with analytics, and network storage of video & audio. Although there are many examples of close collaboration between IT and Physical Security, there may also be tension. Physical Security departments defend their turf from what they perceive as the encroachment of IT by claiming that they are fundamentally different.
A quick look at Physical Security systems reveals something that looks very familiar to IT: networked devices, servers, identity management systems, and so on.
At a very high level, the primary activities of Cyber Security can be grouped into a set of activities that are very similar to Physical Security. The common process that both need to follow is a regular review of Risk Assessment:
- What are the possible threats?
- What is the probability of occurrence of each threat?
- What are the consequences of such an occurrence?
- What are cost-effective mitigations — as well as mitigations required by compliance?
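The four risk-assessment questions above, worked through as an added example that is not part of the original post: a small risk register that ranks threats by expected annual loss and selects a mitigation when it is either required by compliance or pays for itself. All threat names, probabilities, loss figures and mitigation costs are constructed for the illustration and are not figures from the article.

```python
"""Risk register: rank threats by expected loss and pick mitigations.

Constructed example; every figure below is assumed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_probability: float    # expected occurrences per year (assumed)
    consequence: float           # loss per occurrence, currency units (assumed)
    mitigation: str
    mitigation_cost: float       # annual cost of the mitigation (assumed)
    residual_probability: float  # occurrences per year after mitigation (assumed)
    compliance_required: bool = False

    def expected_loss(self):
        """Annualized loss with no mitigation in place."""
        return self.annual_probability * self.consequence

    def residual_loss(self):
        """Annualized loss once the mitigation is applied."""
        return self.residual_probability * self.consequence

    def net_benefit(self):
        """Loss avoided by the mitigation minus what it costs to run."""
        return self.expected_loss() - self.residual_loss() - self.mitigation_cost


# Constructed register covering both physical and cyber threats
RISK_REGISTER = [
    Threat("Malware on networked video recorder", 0.5, 80_000,
           "Patch management and segmentation for security appliances",
           15_000, 0.125),
    Threat("Unauthorized entry to substation control room", 0.1, 500_000,
           "Badge access control with logging and alarms",
           30_000, 0.02, compliance_required=True),
    Threat("Loss of video archive to disk failure", 0.2, 10_000,
           "Redundant storage for video archive",
           6_000, 0.02),
]


def rank_threats(register):
    """Threat names ordered from highest to lowest expected annual loss."""
    return [t.name for t in sorted(register, key=Threat.expected_loss, reverse=True)]


def select_mitigations(register):
    """Mitigations to implement: compliance-mandated, or cost-effective on their own."""
    return [t.mitigation for t in register
            if t.compliance_required or t.net_benefit() > 0]


if __name__ == "__main__":
    for name in rank_threats(RISK_REGISTER):
        print("threat:", name)
    for mitigation in select_mitigations(RISK_REGISTER):
        print("mitigate:", mitigation)
```

With the constructed figures, the substation intrusion ranks first by expected loss and its mitigation is selected regardless of cost because compliance requires it; the recorder malware mitigation is selected because the loss it avoids exceeds its cost; the redundant storage is not, because its annual cost exceeds the loss it would prevent. The point of keeping the register in this form is that the same review can be rerun, and the answers re-justified, each time the assessment is repeated.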
The Risk Assessment process is an integral part of NERC-CIP V5, which requires a review at least every 15 months of “…cyber security policies that collectively address…” CIP-004 through CIP-011. Implementation is required to be done “…in a manner that identifies, assesses, and corrects deficiencies…”
Many of the activities of Cyber and Physical Security overlap and need to align:
- The use of IT Technology in Physical Security systems
- Overlapping Identity Management
- Device Identity management
- Requirement for IT process maturity
- IT security required for Physical Security systems
- Physical Security required for IT Systems
- Consistent future strategy & direction
The bottom line is that the activities of Physical and Cyber security have many parallels, with opportunities to learn from each other and to collaborate on threat assessment and risk assessment strategies and on coordinated implementation and operation. NERC-CIP V5 has mandatory requirements for both Physical and Cyber security. Modern security, both Physical and Cyber, needs to move beyond reacting to events that have already occurred, toward agility and anticipation.
What does this mean for Cisco?
Cisco has a portfolio of leading edge Cyber and Physical Security solutions. Cisco’s Advanced Services offerings help our customers develop and deploy a collaborative, unified approach to Physical and Cyber security. NERC-CIP V5 is a compelling event for the electric utility industry. The transition period is underway with completion required by April 2016. Are you up to date on Cisco’s solutions and capabilities? We are here to help!