Both physical security and information security have the word “security” in common, but historically, that’s where the similarities stop. However, that’s changing today—and it’s driven by necessity. Some security professionals are getting dragged kicking and screaming into the new era, while others are embracing it.
We can talk about how much physical security technology has or has not evolved (that’s an interesting discussion, because while there is a great deal of progress being made, it is still generally a decade behind IT). But that is for another time, as there are more fundamental changes happening right now, most notably in the areas of physical security’s core objectives, function, and how they are achieved.
Part of the change becomes clear when you step back and look at the department that the physical security team reports to. Traditionally, physical security reported to facilities, and staff came straight out of law enforcement. Why? Because protecting physical assets and people is typically managed with law enforcement skills and processes. Add in the fact that many of the functional controls like head end systems, wiring, controllers, door readers, and alarms are typically affixed to the facility itself, and that approach made sense—until now.
So what’s changed? Well, quite a bit.
For a long time, a simple physical security model was effective: Issue corporate badges in a separate database, make sure people can get into the building just fine, and if people seem OK and assets are in place, all is considered to be going well. But now we’ve started to focus less on premises and people and more on protecting a business’s ability to build and ship product, provide support to customers, or even receive payments.
An organization’s adversaries are now looking at all angles to steal intellectual property and replicate or compromise business operations. Attackers are no longer obvious, and once they realize that getting through the doors is much easier than getting onto the network, they will no longer limit themselves to dumpster-diving around the perimeter. I have been on some red teams and can attest to the fact that once I figure out how to break the control system and get through the man trap, I am going to get inside the data center, the SCADA system, or install a PWN plug somewhere. Maybe I’ll drop some compromised USB devices with a nifty payload that will get me back in remotely just when I need it.
PROGRAM OBJECTIVES & DESIGN
Now why would attackers do this? Because hackers are lazy—if you know any, they will admit it. They want to spend the least possible effort and time relative to their objective, and physical access, being a decade behind IT security on the technology and policy front, offers the path of least resistance to their target.
That means that the traditional methods of developing a physical security program must evolve. When I go into large enterprises to perform assessments, the vast majority of the time I find that the assets that are typically protected are people and physical equipment. As a result, companies often structure their security program around creating a matrix of the types of buildings (sales office, R&D, manufacturing, storage, etc.) and the assets they typically contain. That’s how risk is assessed, and budgets are assigned accordingly.
I spend a fair amount of time deprogramming clients’ approach toward risk assessments to look further into their operational risks and how their security program could better protect them. This takes a different approach, much like information security, to assess their operations, threat model, and the desired controls that need to be developed and put into place.
Technology needs to support the controls and processes that will mitigate elements of the identified threat model. This is important, because many physical-security organizations feel immense pressure to keep both capital and operational costs down, since they can be seen as a cost center versus a business partner. I am a big advocate of building a threat model, because every business is different and without a well-tailored threat model, good choices can’t be made when issues arise. In addition, it forces professionals to get out of the mindset of buying their way to security.
This approach drives the need for operational intelligence, efficiency, and collaboration with other business units, such as IT. The truth is, the vast majority of physical-access programs are not set up to deal with non-traditional threats that cross over to aspects that involve electronic controls—and most physical-access components are rapidly becoming more like IT.
The control system is now on a server, has a relational database, a Web server, and a mobile component as an alternative to the thick client in the security operations center (SOC), and IP cameras are now on the network—all of which need adequate protection. Additionally, the cost of physical security is generally so high because of its legacy of being highly proprietary, resulting in closed and inflexible systems that, instead of being interoperable and extensible, leave companies facing either obsolescence or ripping-and-replacing at a high cost.
There are already many IT processes, standards, procedures, and governance models that can be reused in the context of physical security. Improved intrusion- and anomaly-detection, incident-response methods, and focused intelligence layers are the forefront of where physical security is heading. But companies can’t reinvent their physical security approaches in a vacuum.
THE ORGANIZATIONAL ASPECT OF A PHYSICAL SECURITY PROGRAM MATURITY MODEL
The legacy model of having physical security under facilities stunts an organization’s ability to focus and evolve its security program. The main reason is that the facilities department is not as familiar with key IT management methodologies, such as proper TCP/IP management, as it is with HVAC. To improve their security program’s focus and effectiveness, larger organizations have already begun to move physical security out from under facilities into a stand-alone autonomous group.
Separate physical-security departments have emerged as a reaction to the need for better focus on global infrastructure, on acquisitions that bring in incompatible hardware and software, and on managing many disparate geographic locations and assets. As physical security adopts a threat model and technology that look more like IT, it makes sense to leverage IT’s standards, security practices, and governance model.
In order to achieve that, IT and physical security will need to build a closer relationship, instituting a framework that fosters collaboration and a shift in physical-security culture. I don’t think physical security can get there on its own. Right now many of its systems are configured in ways that are almost illegal on the InfoSec side (default passwords for network devices, the inability to interrogate a service request, poor key management, etc.—but that’s a longer discussion that will be a topic of an upcoming blog). IT has taken a long time to evolve its expertise, and it will need to share that knowledge with its physical-security counterparts to educate them (or at least those who are willing to learn).
Therefore, the next step in the maturity model is to roll physical security under the CISO, incorporating physical security as another program within the company’s risk portfolio that drives toward the same objectives. This will provide a better opportunity to operationalize (and mentor teams around) the overall integrated threat, resulting in fewer blind spots for the organization as a whole.
Another thing to keep in mind is that everything evolves, including threats. Indeed, they have been proven to evolve much quicker than physical security’s capability to detect and respond. We must face the fact that we live in the Digital Age, and the devices we have come to rely on can be exploited in many ways.
As for small- and medium-sized organizations, most of them don’t have a separate physical-security program because they don’t have the management infrastructure and P&L for such a separation to stand on its own. Moving to an integrated InfoSec/physical management model can also work for smaller organizations and is scalable. Physical security will need to leverage much of the shared infrastructure anyhow (rather than doing it on their own), so it just makes sense to align respective infrastructure management and intelligence layers.
Information security will also have a learning curve. The physical-access market has been so proprietary for so long that managing such a transition means that information security and IT operations really need to understand what they are taking on before aggressively integrating and charting a new course. I am often asked by CISOs what advice I can give as they embark on this effort, and I tell them, “Forget everything you think you know and learn how things really work before you try to solve anything.”
Basically, physical access has been so proprietary that it hasn’t followed any logic that would make sense to most people in IT—and that situation can lead to wrong assumptions even when the reasoning behind them is sound. The only way the IT team is going to figure things out is with the help of their physical security counterparts, who can put some things in context (why things were built the way they are). It’s not about one department acquiring another, but rather a structured collaborative effort and evolution.
This article was originally posted on Peerlyst