Integrating Physical and Cyber Security: Strategies that Work

What is the average age of a Chief Security Officer today? Would 50 years be a good guess? A CSO in this age range will have been working at some aspect of protection services, then since the 1980s, and at least since 1990 leading up to this current career pinnacle. Consider then the environment today’s CSO has worked through over the past 25 to 30 years. 

Considering that between 1985 and 1995 computers were more commonly associated with games, academia and entertainment, and considering security professionals were just beginning to see the emergence of computer technology into their work space, a CSO today has only begun to operate with an IT security focus since about 2004 or later. Y2K woke up many individuals to the realization that computers play a larger part in our lives than we had previously contemplated and ushered in more than world-wide terrorism for security professionals. Certainly, within critical infrastructure protection circles, information technology allowed for new security tools to be deployed and added some physical security concerns such as server room protection, but IT security has not been forefront. 

IT security in the same environment has been limited to a handful of specialists who have grown the IT security discipline within industry and taken up challenges related to critical cyber asset protection in a way that traditional security professionals could not. But IT security has typically not crossed the line into traditional protection planning in many instances. IT security professionals have often been relegated to server rooms and backrooms out of sight and not part of the traditional security team.

 In 2012, the world view is such that IT security (or cyber-security) has exploded to become the primary focus within security debates, news stories, government legislation and critical infrastructure protection initiatives. IT security has taken center stage in critical infrastructure protection. Security professionals in CSO roles now see cyber-security as central in initiatives related to regulation and standards. The traditional security professional may feel somewhat out of step as IT security professionals such as Chief Information Security Officers (CISOs) suddenly take senior posts within organizations. Even within organizations whose primary business is focused on physical assets like pipelines, dams, water systems, nuclear plants, museums, transportation systems and so on, an IT security shift is apparent. All of this creates a new paradigm. 

At a time when international espionage, nation state attacks and terrorism adopt cyber weapons, priorities for security professionals must change. In a climate where employees still use their birth dates as passwords and key vendors are still building backdoors into critical applications and defaulting factory passwords to something as mundane as, “password”, what does an organization do to protect its cyber infrastructure and also shift security culture without reducing protection across its extensive physical asset base? Does IT make business happen or simply support it? Is that question even relevant?

Today, security professionals are challenged to protect critical cyber assets as well as the infrastructure the IT serves. Not only do physical assets and their related Operational Technology (OT), like Programmable Logic Controllers need priority protection from a number of threats, access to these assets has been given network access. Assigning protection to server rooms and facilities is now only a relatively small part of the protection formula. Along with insider threats, and IT-savvy insiders at that, threat actors can reach our critical assets and their operating systems from around the world. Stealing financial records, intellectual property and personal information through hacking is scary enough. Gaining access to OT controls that assist in the operation of major dams, pipelines, railway systems, nuclear plants and the like is somewhat terrifying. Security leaders are now faced with a fully integrated problem that cannot be solved by independent security teams working in isolation from one another.

Security principles have not changed much in the past 30 years, but the application of those principles is shifting daily. Addressing integrated security disciplines to ensure a cohesive and collaborative security solutions environment in any organization requires a number of coordinated things to happen efficiently. These include information sharing, collaborative planning, new education platforms, shared risk management practices and much more where IT and traditional security experts combine resources to achieve protection goals.

The Utilities Security Council of ASIS International has partnered with security professionals from (ISC)² to draft a white paper on the topic of security integration and the challenges associated with integrating the IT and traditional security disciplines. This paper provides some important solutions for bringing traditional security and IT security into a collaborative and truly integrated partnership and directs the discussion to address security in the new paradigm. The priority concern today is that we recognize the need for an integrated approach and that critical infrastructure and security management be well served through effective security leadership. This paper will be discussed at the 58th Annual ASIS International Seminars & Exhibits, in Philadelphia, PA. 

Join us on Tuesday, September 11th, 2012 at 11:00 a.m. for session #3115 to hear Utilities and IT security professionals discuss, Integrating Traditional & Cyber-security: Strategies that Work.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3