The rapid growth of technology is considered as a threat for most of the organization from the perspective of security. The innovative technology gives us a lot of solution and makes the business easier ever than before. But it becomes threat for the organization when the updated technology is used to break security system. In addition, the physical security is also another threat for the organization that causes the physical access to the company’s information.
Most of the organizations are used to control these threats with the help of security departments. These security departments are run as individual. It is not secured and more importantly the running cost is also high. So, to reduce cost and increase safety, both physical and IT security needs to bring together under one management authority. But in future, what would be the consequences. This study paper is to find out the both positive and negative consequence of converging physical and IT security.
Potential consequences of the convergence of physical and IT
A lot of people think that the convergence of physical and cybersecurity is unavoidable, but what is the real picture in today’s market world. The current situation of industry is that most of the companies have not yet joined the roles of physical and cyber security. There is a need for chief information security officer who is responsible for both physical and IT security. But the reality is, most of the companies do not have that.
In today’s world, technology is playing an ever-increasing role in our life-at home, at work or at everywhere. But the world is now a very dangerous place and most of today’s technologies were developed at that time when security was not a headache at all. Security is now a lot more than just armed peoples. Therefore, Security has become very complex now-a-days from the perspective of both physical and logical access.
As individual, none system can solve the security gap of any organization. Cyber system is attacked by the hackers not in the way they used to be. The purpose of such type of intrusions is to get the financial benefits and terrorism. The nationals infrastructure including water, gas, power, oil, food supply, hotel, embassies and so others are in threat. The threat is not only from the terrorist attack, but also to theft and environmental disasters. “[I]t is commonly acknowledged that 30% of intrusions within a company’s computer system are from outside hackers; 70% are from people associated with the company” (Malies, 2004).
So, finding the solution is extremely important, where physical security and IT security will be applied as a combined form. The consequence of such application can bring important enterprise-wide benefits to the organization. Combining physical and IT security will be a compulsory factor to provide crucial protection to nation’s critical infrastructure. Physical security is dependent on cybersecurity and similarly, cybersecurity is dependent on physical security. Handling either physical security or cybersecurity as individual is not possible for very much longer. There are huge amount of intrusions happened within the organization’s computer system.
When you get the physical access, then breaking cybersecurity is nothing matter. So, it is needless to say how much it is emergency to provide physical and cybersecurity in a common flat. But the million dollar question is what would be the consequence of the convergence of physical and IT security. Will it be effective and beneficial for the organization more than before? This paper is to find out the potential consequence of the convergence of physical and IT security.
The outcome of convergence of physical and IT security may be positive for some organization or may be negative for some others. Many organizations may find no reasons to implement the convergence strategy because they still get the cost efficiencies and security improvements. So to identify the advantages and disadvantages it is needed to make a comparison.
What is convergence?
When a bad guy is capable to get physical access to the cybersecurity system of the organization, then it is not organization’s cyber system anymore. “[I]f physical access to a computer system can be achieved; gaining logical access to the information on that computer system is guaranteed” (McAlearney Shawna, 24 January, 2005). The attacker can use either cyber or physical means to get the access to important information. So, the security is needed which can ensure both physical and IT access.
Convergence is to be said as formal cooperation between earlier disjointed security functions and Cooperation means a positive outcome-oriented effort to work together. Convergence strategy consists of the process and accountability by which security management become more holistic than single physical security or IT security. Multiple security discipline are brought together to form the convergence strategy. It would be better to say convergence is the “[i]ntegration of logical security, cyber security, physical and personal security, business continuity, disaster recovery and safety risk management” (IDG, n.d.).
The example of convergence of physical and IT security can be this:-Firewall on the network can protect data entry system, antivirus software on the servers can protect intrusions, detection etc. “room[s] [are] physically secured from unauthorized access and also protected with fire suppression, climate control and power systems” (McAlearney, 24 January 2005).
Where, CEO= Chief Executive officer
CIO= Chief Information officer
CSO= Chief security officer
COO= Chief operation officer
Positive consequence of convergence
For positive convergence, the organization needs to bring together the physical and IT security departments and let them work as one unified team. It certainly will bring some benefits in favor of the organization. The benefits an organization can get from converging physical and IT security systems are (OSE, n.d.):
- Identity management
- Joint access management for physical and logical systems
- Incident management
- Processes and organization
- Business continuity and emergency management.
Now these are discussed below:-
- Identity management: with the help of combining the physical and IT security the organization can introduce a single card system of access to the information. It surely can increase the safety and decrease the cost. “IT and physical teams are used to complete control, control of their strategy and control of their budget” (Geiger, 19 September 2006). The combined organization become strong and the management can imagine their power, strength and scope. By formulating the converging plan and executing it with dependence and cooperation, each group will act as a resource for other. As a result, the security management can gain an identity.
- Joint access management for physical and logical systems: when the physical and IT security are brought together under one umbrella, then its function become easier. The simplification of management helps the organization to emphasize more on their other operational activities. Furthermore, the consequence of such type of converging always seems in favor of the organization.
- Incident management (detection and response): it helps to increase the detection and response from the management and consequently, the outcomes become the solution of hacker problems or unethical intrusions. Certainly, the cyber problem can be solved through positive response from the management and it can be ensured with the help of running physical and IT security in a common flat.
- Processes and organization: integration of physical and IT security has become a common strategy for the organization. It certainly benefits the total department of an organization. The processes are developed because of improve and safety security concern.
- Business continuity and emergency management: security is now considered one of the most vital elements to make business successful. The efficient control system operators can ensure the continuity of business and it is the concern of the management. The management is now aware about the importance of security systems.
Applying physical and IT security in a common flat can provide and enterprise-wide view and accountability to minimize the risk of business. One of the major characteristics of holistic security is to minimize the cost. When all disciplines goes in one way then cost saving is obvious and expected. The integrated one is more cost effective and easier to manage than managing other discipline as individual. As a result, at present, security is not just security’s problem; it’s now more considered as business concern and can be said as the part of business architecture.
Physical security is one organization, cybersecurity is another organization and so the others. It becomes easier to run the combined organization when different organizations are brought together. It is because one person sits at the top and then certainly the complexity of maintaining more than one organization is reduced. Therefore, security management is part of top-down tactic to get the control of organization’s exposure to risk.
The following example is to show the positive consequence of converging IT and physical security:-
“Jim Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program-to bring together disparate pieces of security, including physical and information security, under one roof. It didn’t take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks.
Mecsics and his team went to work-they set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).
“That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says. Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit.” (IDG, n.d.)
The company can cut cost by joining physical security with IT security function. If the company introduce the IT and physical access onto a single card, then undoubtedly it will save money as well as improve the security.
Convergence of physical and IT security is happening today because of the growth of network connectivity. Some benefits from converging physical and IT security are:-
- According to estimation, each person spends between $200 and $300 per year to reset the password for ensuring the access. So the user can be benefited through introducing a common access token.
- The organization can identify and recognize who have not physically entered the facility by correlating log entries and event information from physical and logical system (McAlearney, 24 January 2005).
- When some accident occurred, then it becomes difficult to investigate because of the two separate organizations. But integration of log and event information helps to determine what actually happened. It is because it has the ability to present all the relevant information to investigate through a single console or reporting system.
- The management can minimize the potential threats within the organization with the help of integrating log and event information. Furthermore, it is known that 70% intrusions come from peoples associated within the organization.
Negative Consequence of convergence
The network connections between physical security and IT security and other discipline in business practice are in very exposed situation. The threat is because of unsecured network, such as wireless devices or a network connection to the third party or network-outsourced connections.
Many companies, especially in the top management level are not familiar with the new threats and risk to their control system that can result from the changes. It is another problem caused by the converging of Physical and IT security. The new potential attackers are now more united and they are now interested in control system. They are trying to influence with a high impact to the senior management level.
The control system is not in advanced position comparatively to the IT systems. It has not been developed over the last two decades while IT system has developed in a rapid and widespread way. Control system requires different design and operating components because of its longer lifecycles than most of the traditional IT systems. With the development of IT system or computer technology every several years, similarly the businesses have developed.
The IT system has a larger impact on the success of the business and they are interrelated. But the scenario of control system is different. It has not been developed so much if we compare with IT system. It is because the function and characteristics of control system is totally different from the IT system. However, the function of control system is very much related with IT system. Control system consists of physical security, cybersecurity and other discipline. But the effects of computer networks and computer interfaces are unavoidable. So, when the hacker attacks the cyber system of the organization, then it can easily take over the less developed control system.
Whatever, control system is operated in a limited boundary and on the other hand IT systems have structural maintenance and updated very quickly. As it is updated very quickly, it easily can defeat the control system.
The physical facilities and processes that control systems operate are very diverse, and, as a result, systems are often custom-built – made up of control devices and operating systems available at the time the system was implemented. These older systems are also often patched together with unique device driver code and customized computer code written by the engineers or vendors who installed the system and modified it over the years. As a result, these older legacy systems still use outdated operating systems that meet operational needs but lack current security management. Operators continue to use these older machines and code because of the tremendous value of the systems and the cost required to replace, change, or update them. (Grason, et al, 16 January 2007)
The cultural difference between control system operators and IT system operators is another negative consequence of convergence. The operating systems of these are different from each other. It is known that the staff members of control systems are engineers, often older and their activities is mostly related with the production oriented and they do understand the function of IT systems very little.
“In contrast, the staff members of IT systems are often younger and most of their activities are related with running business networks and they do understand the control system requirements very little” (Hobday, 2000). In addition, the goals of two groups are also different. Availability, reliability, safety are the result of control system operators and on the other hand, confidentiality, integrity, availability of data are outcomes of IT system operators.
The decision makers within the organization have limited understanding about the threat. When they become aware about the cyber threat, they usually think only of emailed viruses, IT system failures, worms.
There are a lot of challenges involved in combining physical and IT security from the company’s point of view. Many management teams are not prepared to assist to the level of strategic planning of the organization. There is want of an efficient executive who can lead both organizations. In addition, the staffs of both physical and IT security have the beliefs of different cultures and strategies. They are best at what they are used to do and it is their specialty. They may think that the combination of physical and IT security will affect their ability and change their expertise.
- The chief information security officers are requested to build strong relationship with physical security counterparts. The step can be taken by attending at ISSA or ASIS meeting together to identify the area in which they will deal.
- From the past experience, it is known that the most effective hackers are those who are able to combine physical and cyber techniques to gain access. So, it’s not just a physical security or cybersecurity program. It’s all about comprehensive asset protection program. So, it needs to realize from the all perspective of the organization.
- Each employee is responsible for the security of their company and it should be understood by them. To make them understood the training program about security can be an effective solution.
Both cyber and physical security are valued as an enabler to control system operator goals of confidentiality, integrity, availability, safety. The executive members need to understand the risk regarding the control system. To do so they should be educated by the training program that can be taken by the critical infrastructure protection partners. Historically, control systems are developed in a way to meet the initiative operational activities. In contrast, cybersecurity is unable to maintain these operational characteristics. So, the control system operators should investigate the cybersecurity program and their function. Otherwise, it will be impossible for them to achieve their desired levels of confidentiality, safety, availability and reliability.
Another area should be developed is the awareness of executive leadership. More importantly, executives are responsible for establishing safety level investment decision. They are also liable for making the corporate culture developed. The executives should be aware of cyber threats, its limitation, and vulnerabilities, if they want to promote corporate culture.
The availability of improved cyber information needs to be developed. The control system operators have no access to the information of cyber incidents. It is because, “[t]he needed mechanisms do not exit to adequately protect shared information” (E. Grason. et al, January 16, 2007). So, without any doubt the availability of sharing information needs to be available.
Critical infrastructure control system operators day by day are facing new challenges and threats because of the convergence of physical and IT security. Critical infrastructure control systems face various types of exposures every day and it is no longer isolated. However, the government can play an important role to help or support the public-private partnership for protecting against intrusions. The government may look for building a strong relationship with the private sector to solidify the partnership. It should be reminded that many companies have two security directors- one for physical security and another for IT security.
The two different departments represent different language, but both serve the same customer concurrently. Whatever, if the organization can bring these two groups under one umbrella in an effective way then the outcome would be mostly in favor of that organization.
Geiger, Rick. (2006), How security professionals can work together to broaden their impact. Computer & network security columns. Web.
Grason, E. Margaret., Peters, Gregory. & Conrades, George. (2007). The NIAC convergence of physical and cyber technologies and related security management challenges working group. Web.
Hobday, Mike. (2000). The project-based organisation: an ideal form for managing complex products and systems? Research Policy Volume 29, Issues 7-8, Pages 871-893.
IDG (International Data Group). (n.d.). Physical and IT security convergence: The basics. Security Leadership. Web.
Mailes, Phil. (2004), Convergence of physical and IT security, Hi-Tech Security Solutions. Web.
McAlearney, Shawna (2005), Convergence of physical and logical access control systems, Tech Target Data Center. Web.
OSE (Open Security Exchange). (n.d.). Physical/IT Security Convergence: What It Means, Why It’s Needed, and How to Get There. Washington. Web.
Physical and IT security: converging with the traditional roles of the facility manager (2003), from Today’s facility manager. Web.