
Project & Engagement Manager, IoT Security Foundation


James Willison MA, is a recognised International leader in Security Convergence and Enterprise Security Risk Management. In 2020 IFSEC Global listed James #8 in the top 20 Cyber Security Thought Leaders across the world. Shortlisted in Security Serious Unsung Security Heroes Awards 2018, as a Security Leader/mentor. James is Co Chair, Smart Buildings Working Group, Internet of Things Security Foundation and a member of the ASIS International ESRM Steering Committee. He is founder of Unified Security Ltd, a Vidsys consultant, works with AXIS Communications on cyber security and advises on the IFSEC Converged Security Centre. James was awarded the Imbert Prize for an ‘outstanding contribution to the Security Industry in 2011’ for his work on convergence with ASIS Europe and the Information Security Awareness Forum. He has more than 20 years of management experience in the physical and information security industry, including posts as Advisor on Convergence to the Mitie TSM Board, Senior lecturer in Security Management at Loughborough University and Digital Security Expert with the European Union. He has co-authored three White Papers and a series of new articles with Sarb Sembhi, sponsored by AXIS Communications, on ESRM, GDPR and Smart Buildings and Cities’ Security.
January 11, 2021


Cyber-physical security

Who is responsible for protecting physical security systems from cyber-attacks?

It’s a question that continues to provoke debate, as the majority of new physical security devices being installed are now connected to a network. While this offers myriad benefits, it also raises the question: who is responsible for their cyber security? James Willison explores the various opinions in the sector following the results of a recent poll on the subject.

In recent years it has become more obvious that physical security systems are dependent on IT and vulnerable to cyber-attacks.

In 2007, the movie Die Hard 4.0 showed how a group of criminals were able to take control of traffic systems and bring Washington, D.C. and the stock market to a standstill. In the film ‘Johnny English Strikes Again’ (2018), all the trains in the UK are directed to Bristol.

These movies are very much based in reality. In 2016, the BSIA warned us of the risks and recommended that “end users of IP connected CCTV systems should also ensure that they have comprehensive cyber security and information security policies in place”. In 2019 a Norwegian company spent £45 million to restore its computer systems, factory machinery and building systems following a ransomware attack on its 170 sites and over 35,000 staff.

While those were attacks on operational technology systems, the 2019 BBC series The Capture showed how CCTV could be hacked to convince police and security services that a lead suspect was guilty, by manipulating the timing of the footage held in the system. Once again, this television ‘drama’ is now an unfortunate reality. The IFSEC Global Video Surveillance Report 2020 found that 76% of respondents were concerned about the cyber security of surveillance systems.

For those who haven’t noticed this issue, it would be wise to take stock. It is now likely that any networked physical security system can be attacked. As far back as 2014, the UK CPNI stated that it was possible. Cyber security has progressed very rapidly since then, so a physical security lead should be engaging with the cyber security team and working with them – and vice versa.

Whose responsibility is it?

But who is responsible for protecting them from these attacks?

Is it the owner of the system? For some this is clearly the physical security lead. After all, they or their predecessor purchased or recommended it, didn’t they?

But now they have a problem, as they have heard the systems are not secure. Are they accountable to the business if an attacker gains a foothold through the CCTV system, pivots to the corporate email system and convinces the finance director to authorise an invoice costing thousands of pounds?

Or is it the head of IT, who authorised the CCTV system and handed its day-to-day management to the head of physical security? Or perhaps it is the head of cyber security, who is an expert in the field and has implemented a range of controls on the network to mitigate cyber-attacks? Surely this person is the one who is responsible?

Well, maybe.

A poll I conducted in November with a small group of 14 security professionals indicated that 69% think physical security systems are cyber systems. When a ransomware attack is mounted and succeeds, whose job is then at risk – the CEO, CIO, CISO or CSO? The board may decide that one or more people should be fired.

When you want to pay a ransom – who does it? This is a grey area, but once these systems are hacked the responsibilities will become clearer and some will lose their jobs.

Are there easy answers? Is one person responsible? Or, as some would argue, isn’t everyone responsible for security?

In risk management there are RACI (Responsible, Accountable, Consulted, Informed) tables, which assign exactly one accountable owner to each risk and name who is responsible for performing the work to manage it. This is usually the system or business unit owner. But that owner might be hard to identify for some people in large organisations.

Other business functions are meant to support that person and offer their expertise and technological services. If you occupy any of these roles, then it is important to ensure you are protecting the systems from attack, whether you are directly responsible or not. If you see a person in need of help it is vital to work with them – for their sake and the success of the business.

Whoever you believe is the most responsible for protecting physical security systems from cyber-attacks, ultimately it must be a cross-functional team effort.

The debate continues

In December 2020, I conducted a poll on LinkedIn to further understand what the views of security and IT professionals are. I was very encouraged by the interest and comments that it raised.

Over one week there were 81 votes from across all areas of security and IT. My special thanks to IFSEC Global, Mike Gips (Principal, Global Insights in Professional Security), who is a global leader in security research, and Rollo Davies, Managing Editor of TPSO magazine, who reshared the poll. This enabled me to receive a range of perspectives that I simply could not have gained on my own.

28% voted for the head of physical security, suggesting that the system owner is responsible (assuming this is physical security, FM, etc.) and should seek support from the others. I think this is also what ISACA would advise, from my studies of the CRISC materials: the head of IT allocates responsibility to individual business units and the system owner is then responsible. Similarly, the ASIS CSO Organisational Standard explains that the CSO is responsible for all security risks and can delegate ‘some’ accountability to heads of business units, who are supported by the appropriate organisational security team. Hence the physical security lead should look to the head of cyber security for the specialised services that reduce the risk.

Brian Allen (Cyber Advisory, EY) added his comments to this: “The system owner, CSO in this case, being physical security equipment, is the system owner, with the system’s state being in the cyber environment. I’d say the CSO is the system owner and whomever has responsibility in protecting assets in the digital environment, would be responsible for those protections to the limits the stakeholder (CSO) desires.”

63% voted for the head of cyber security, with responses from both senior physical and cyber security professionals. This is most interesting and, in some ways, expected. It reflects my earlier finding that 69% think physical security systems are in fact cyber systems.

Over the years I have worked in the converged arena, I have often met people from both areas who are clear that physical security professionals are not experts in cyber security and should not try to manage this risk. Others, not surprisingly, see it as a highly complex field in which they have worked for many years and now want to help protect IoT and physical security devices. But even though colleagues in IoT security are specialists, it remains obvious that many of these systems are unprotected. I say this because if the majority believe, quite reasonably, that the head of cyber security is responsible, whereas in reality the head of physical security is, we have a problem.

In fact, few heads of physical security know how to protect their systems from cyber-attack, and they assume the head of cyber security is doing it. This is a problem when the cyber department is in fact busy protecting the network from new risks such as the security of its own tooling (as SolarWinds evidences), ransomware and working from home. In many instances, the last thing the head of cyber security is worried about is CCTV and the BMS.

How much time does the typical CISO or head of cyber security devote to this? Operational technologies are getting more attention with increasing attacks on the energy sector and the recent ransomware attack on Düsseldorf University Hospital, which was linked to the tragic death of a patient. But if the official view is that it is the responsibility of physical security, then the industry must wake up to this and take action.

9% voted for the head of IT. Clearly, some leading IT and security professionals believe that the head of IT has overall accountability and responsibility, and would then delegate the day-to-day running of the system to the business unit. This answer is of course reasonable, and indicates that the business recognises that the cyber security of all its systems is significant.

Is there a better way?

As long as someone is dedicating some time to the issue, all the options stated above may be reasonable. But is there a more holistic solution?

As several comments on LinkedIn indicated, a converged security operation, ultimately led by a CSO, may provide the answer. “The buck stops here,” as Peter French (CEO, SSR Personnel), a leading influencer, expressed it, echoing my own thoughts.


Peter also indicated that IT systems should self-protect and that by 2024 the CEO would become personally responsible. We know that some of the more advanced CCTV systems self-protect, but sadly not the majority!

I didn’t give the option of a CSO in the poll, partly because there are few senior roles like this and I wanted to see the answers to physical versus cyber. Though it would have been interesting to see who would have voted for the CSO. The CSO, for instance, can delegate this to the head of physical or cyber security.

If it is evidently a challenge for the physical security lead to fully understand cyber security, then it makes real sense to collaborate and form cross-functional teams to address these common risks. And, as we have demonstrated at IFSEC’s Converged Security Centre, it is even more important to monitor attacks on these systems in real time if we are to identify the risk in time. How can the head of physical security honestly expect to see these attacks if there are no real-time cyber security monitoring technologies in the control room?

This is precisely why we need converged security operations centres and to move into the digital age. Without convergence technologies, the officers in a control room will not know whether a camera is down because of a cyber or a physical attack.

Not taking anything away from Bruce Willis, here, but if he could work with the hacker to save the stock market from a hostile takeover in Die Hard 4.0, why on earth can’t we?

James Willison is the founder of Unified Security Ltd, the Project Advisor to the IFSEC Converged Security Centre and Co Chair of the Smart Built Working Environment Group, IoTSF. James was also listed amongst the IFSEC Global Top Influencers in Security & Fire 2020.
