Integrating Physical and Cyber Security: Strategies that Work

What is the average age of a Chief Security Officer today? Would 50 years be a good guess? A CSO in this age range will have been working at some aspect of protection services, then since the 1980s, and at least since 1990 leading up to this current career pinnacle. Consider then the environment today’s CSO has worked through over the past 25 to 30 years. 

Considering that between 1985 and 1995 computers were more commonly associated with games, academia and entertainment, and considering security professionals were just beginning to see the emergence of computer technology into their work space, a CSO today has only begun to operate with an IT security focus since about 2004 or later. Y2K woke up many individuals to the realization that computers play a larger part in our lives than we had previously contemplated and ushered in more than world-wide terrorism for security professionals. Certainly, within critical infrastructure protection circles, information technology allowed for new security tools to be deployed and added some physical security concerns such as server room protection, but IT security has not been forefront. 

IT security in the same environment has been limited to a handful of specialists who have grown the IT security discipline within industry and taken up challenges related to critical cyber asset protection in a way that traditional security professionals could not. But IT security has typically not crossed the line into traditional protection planning in many instances. IT security professionals have often been relegated to server rooms and backrooms out of sight and not part of the traditional security team.

 In 2012, the world view is such that IT security (or cyber-security) has exploded to become the primary focus within security debates, news stories, government legislation and critical infrastructure protection initiatives. IT security has taken center stage in critical infrastructure protection. Security professionals in CSO roles now see cyber-security as central in initiatives related to regulation and standards. The traditional security professional may feel somewhat out of step as IT security professionals such as Chief Information Security Officers (CISOs) suddenly take senior posts within organizations. Even within organizations whose primary business is focused on physical assets like pipelines, dams, water systems, nuclear plants, museums, transportation systems and so on, an IT security shift is apparent. All of this creates a new paradigm. 

At a time when international espionage, nation state attacks and terrorism adopt cyber weapons, priorities for security professionals must change. In a climate where employees still use their birth dates as passwords and key vendors are still building backdoors into critical applications and defaulting factory passwords to something as mundane as, “password”, what does an organization do to protect its cyber infrastructure and also shift security culture without reducing protection across its extensive physical asset base? Does IT make business happen or simply support it? Is that question even relevant?

Today, security professionals are challenged to protect critical cyber assets as well as the infrastructure the IT serves. Not only do physical assets and their related Operational Technology (OT), like Programmable Logic Controllers need priority protection from a number of threats, access to these assets has been given network access. Assigning protection to server rooms and facilities is now only a relatively small part of the protection formula. Along with insider threats, and IT-savvy insiders at that, threat actors can reach our critical assets and their operating systems from around the world. Stealing financial records, intellectual property and personal information through hacking is scary enough. Gaining access to OT controls that assist in the operation of major dams, pipelines, railway systems, nuclear plants and the like is somewhat terrifying. Security leaders are now faced with a fully integrated problem that cannot be solved by independent security teams working in isolation from one another.

Security principles have not changed much in the past 30 years, but the application of those principles is shifting daily. Addressing integrated security disciplines to ensure a cohesive and collaborative security solutions environment in any organization requires a number of coordinated things to happen efficiently. These include information sharing, collaborative planning, new education platforms, shared risk management practices and much more where IT and traditional security experts combine resources to achieve protection goals.

The Utilities Security Council of ASIS International has partnered with security professionals from (ISC)² to draft a white paper on the topic of security integration and the challenges associated with integrating the IT and traditional security disciplines. This paper provides some important solutions for bringing traditional security and IT security into a collaborative and truly integrated partnership and directs the discussion to address security in the new paradigm. The priority concern today is that we recognize the need for an integrated approach and that critical infrastructure and security management be well served through effective security leadership. This paper will be discussed at the 58th Annual ASIS International Seminars & Exhibits, in Philadelphia, PA. 

Join us on Tuesday, September 11th, 2012 at 11:00 a.m. for session #3115 to hear Utilities and IT security professionals discuss, Integrating Traditional & Cyber-security: Strategies that Work.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”