
Connected Networks are Pushing Security Integration

Industry experts gathered at IFSEC International in London recently stressed the acute need to integrate physical with IT security systems, while recognising the technical, strategic and cultural challenges involved.

Traditional security systems, including CCTV, door access control and building management systems, are now interconnected across unified IP data networks. Significant efficiency gains are possible by consolidating separate infrastructure and administrative procedures.

And greater operational insight can often be delivered through greater sharing of information and analytics.

Getting from A to B is no easy task though, not least because those same critical physical security systems must also be effectively protected against cyber attacks that are growing in both volume and sophistication.

The danger is that weaknesses in physical security systems can be exploited to cause disruption, or used as a back door into much more sensitive data on the same network.


“We have done research into the vulnerability of networks, IP CCTV, chips, operating systems, web servers and communications protocols and every single bit of it was easily breakable,” said Sarb Sembhi, chief technology officer (CTO) and acting chief information security officer (CISO) at Noord-Group.

James Willison is vice chair of the ASIS European convergence/ESRM committee, a security strategy and risk management advisor, and associate senior lecturer in security management at Loughborough University.

“Everything around us is cyber, even the cameras recording us,” said Willison. “All these things are vulnerable to cyber attack but most manufacturers have not deployed adequate cyber security in their systems.

“You ask them a question about it and the response is ‘we don’t know’ or ‘we’ve got somebody working on it’ and that is not good enough.”

Sembhi feels that manufacturers and software developers need to think much more carefully about what the devices and applications they build can and cannot do. But they must also be able to communicate with each other and support closer integration between physical and logical systems.

“There are the social engineering aspects of how these systems – unattended devices, access and door control, heating and lighting systems, for example – fit together,” he said. “We are always supposed to see smart equipment but actually it is quite dumb. All the manufacturers have done is make it easier to control and that is not smart.”


Clearly defined security policies equally critical

In many respects, the physical security market remains immature from an IT perspective having failed to keep pace with developments elsewhere. And technology is only part of the challenge, according to Stuart Rawling, director of business development at security camera, CCTV, and video surveillance system supplier Pelco.

Another aspect involves defining and enforcing effective policies that change the behaviour of both end users and administrators across both types of system (for example, changing default administrator passwords on devices to prevent unauthorised access), two groups which often perceive security requirements with very different eyes.

“Technology is one part of it but the team aspect of how we manage security controls and infrastructure is critical,” he said. “As you design converged physical and data security systems, you need to look at operational behaviours and put policies in place. That is hard because everybody hates IT security policies and struggles with the balance between usability and efficiency.”

Nor should those policies be designed purely around physical and IT systems in isolation. Sembhi argues that the convergence of physical and logical technology is just one element of a much broader transformation that must extend to the implementation of cross-organisational risk management policies.

“Companies need to start looking at the technology, where the risks are and where they need to start designing appropriate policies and frameworks,” he said. “If you start managing security and risks right at the outset, way before the planning and design stage, it will cost you five times less [than if you bolt it on later].”

“You have to have these areas – data security, resilience, risk management and safety – working together, design them together and at the moment this is not happening,” added Willison. “From now on, organisations must work in cross functional teams. It does not have to be a CISO at the top, it would be nice if it was, but it does have to be a cross functional team.”

Skills sets must adapt

Finding people with the appropriate knowledge and experience to design, implement and manage those overarching risk management strategies is not going to be easy. In most cases, existing IT and physical security specialists who hold one half of the required skill set but not the other will need to be re-trained, in an industry where experienced security professionals already remain hard to find.

“The differential between cyber and physical security is disappearing and we need a new type of integrator,” said James Hill from the IT services division of NG Bailey. “In the future it will be one role and they will have to have knowledge of both IT and physical security.

“But there is a skills shortage throughout the industry – installers, network guys, consultants – that has to be addressed but I don’t know how.”

Minimum standards to meet forthcoming regulation

The need to implement effective data security across multiple connected systems that span both physical and IT infrastructure is being driven partly by the growing volume and sophistication of cyber attacks formulated and launched by professional criminals, and by fear of reputational damage.

But a parallel driver comes in the form of new European Union (EU) regulation on data privacy and security, with which many UK companies will be obligated to comply from May 2018 (the General Data Protection Regulation applies from 25 May 2018, and member states must transpose the Network and Information Security directive by 9 May 2018).

The network and information security (NIS) directive and general data protection regulation (GDPR) will update existing national and EU data protection regulation. The GDPR introduces much larger penalties for breaches, of up to EUR20m or 4% of a company’s annual global turnover, whichever is higher, alongside stringent auditing, reporting and breach notification requirements; the NIS directive adds security and incident-reporting obligations for operators of essential services and digital service providers.

The threat of such a hefty fine will instil a much sharper focus on end-to-end data security across all devices and systems, and Sembhi believes there will have to be a baseline level of data security for all connected devices, which can be supplemented by specific defences for specific applications and industries.

In truth it is hard to see a single universal data security framework spanning so many different types of physical end points and architecture certified to comply with appropriate legislation emerging any time soon.

But efforts to encourage hardware and software manufacturers to design secure products from the ground up are underway.

Willison agrees that a single, unified approach to converged data and device security is necessary and has identified the US National Institute of Standards and Technology (NIST) special publication (SP) 800-160, Systems Security Engineering, as a good starting point.


Convergence supplemented by big data analytics

Better use of analytics to identify and even predict where cyber threats are coming from will also deliver greater protection in the future.

Vibhor Gupta is technology lead for the UK chapter of the American Society for Industrial Security (ASIS). He previously worked for global consultancy firm Deloitte and other companies, focusing on the use of big data to understand where security risks are coming from and what can be done to mitigate them.

Gupta points to real world examples of where converged physical and IT security platforms that utilise data sets pulled from one system can improve security provision by indicating issues elsewhere.

One German bank was able to identify potential physical security issues by looking at when and where end users logged into its data networks and what devices they were using, for example.

Gupta also worked with a major IT company that was having routers stolen from one of its data centres, a task akin to looking for a needle in a haystack considering there were 200 staff regularly visiting the site.

The security team took the access control records from the physical security systems and mapped them against workers’ previous patterns of behaviour in terms of the IT systems they regularly logged into.

With some workers having clocked in and out at 9am and 5pm every day for 15 years, anomalies were easy to spot, especially when one member of staff suddenly started working odd hours and visiting the premises at the weekend.

“In those incidents, physical security systems were not responsible for the risks but they are interesting because they resulted in physical and IT security staff working in tandem to handle them,” said Gupta.
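The correlation Gupta describes can be automated with a small amount of code. The following is an added example, not code from the article or from any of the organisations it mentions: it builds a per-user baseline of badge-entry days and hours from a training window, flags later badge entries on days or at hours never seen in the baseline (the weekend visits and odd hours above), and separately flags logons on a data-centre console by a user whose most recent badge event was not a recent entry, which is the kind of cross-check only possible when physical and IT logs sit side by side. The log lines, user names, host name and the `BASELINE_END` cut-off are all constructed for the example.

```python
"""Correlate physical badge-reader events with IT logon events.

Added example; all data below is constructed and the names are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader log: ISO timestamp, user, direction.
# 2016-06-06 is a Monday; alice and bob keep a 09:00-17:00 weekday pattern
# in the baseline window. 2016-06-11 is a Saturday.
BADGE_LOG = """\
2016-06-06T08:58:00,alice,in
2016-06-06T17:02:00,alice,out
2016-06-06T09:01:00,bob,in
2016-06-06T17:00:00,bob,out
2016-06-07T09:00:00,alice,in
2016-06-07T17:04:00,alice,out
2016-06-07T08:59:00,bob,in
2016-06-07T16:58:00,bob,out
2016-06-08T09:02:00,alice,in
2016-06-08T17:01:00,alice,out
2016-06-08T09:00:00,bob,in
2016-06-08T17:03:00,bob,out
2016-06-11T22:40:00,bob,in
2016-06-11T23:55:00,bob,out
2016-06-13T04:30:00,alice,in
"""

# Constructed logon log for a console inside the data centre: timestamp, user, host.
LOGON_LOG = """\
2016-06-06T09:05:00,alice,DC-CONSOLE-01
2016-06-07T09:03:00,bob,DC-CONSOLE-01
2016-06-11T22:45:00,bob,DC-CONSOLE-01
2016-06-13T03:10:00,carol,DC-CONSOLE-01
2016-06-13T04:35:00,alice,DC-CONSOLE-01
"""

# Events before this point train the baseline; events after it are examined.
BASELINE_END = datetime(2016, 6, 9)


def parse(log):
    """Turn 'timestamp,field,...' lines into (datetime, field, ...) tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, *rest = line.split(",")
        rows.append((datetime.fromisoformat(ts), *rest))
    return rows


def build_baseline(badge_events, until):
    """Per user: weekdays seen and entry hours (as floats) for 'in' events before `until`."""
    profile = defaultdict(lambda: {"weekdays": set(), "hours": []})
    for ts, user, direction in badge_events:
        if direction == "in" and ts < until:
            profile[user]["weekdays"].add(ts.weekday())
            profile[user]["hours"].append(ts.hour + ts.minute / 60)
    return profile


def flag_badge_anomalies(badge_events, profile, since, slack_hours=2.0):
    """Entries after `since` on a day never seen, or outside the baseline hour range (+/- slack)."""
    alerts = []
    for ts, user, direction in badge_events:
        if direction != "in" or ts < since:
            continue
        p = profile.get(user)
        if p is None:
            alerts.append((ts, user, "no baseline for this badge holder"))
            continue
        hour = ts.hour + ts.minute / 60
        if ts.weekday() not in p["weekdays"]:
            alerts.append((ts, user, "entry on a day never seen in baseline"))
        elif not (min(p["hours"]) - slack_hours <= hour <= max(p["hours"]) + slack_hours):
            alerts.append((ts, user, "entry outside baseline hours"))
    return alerts


def flag_logons_without_presence(logon_events, badge_events, window=timedelta(hours=12)):
    """Logons where the user's most recent badge event is not an 'in' within `window`."""
    by_user = defaultdict(list)
    for ts, user, direction in badge_events:
        by_user[user].append((ts, direction))
    for events in by_user.values():
        events.sort()
    alerts = []
    for ts, user, host in logon_events:
        prior = [(t, d) for t, d in by_user.get(user, []) if t <= ts]
        if not prior or prior[-1][1] != "in" or ts - prior[-1][0] > window:
            alerts.append((ts, user, host, "logon with no matching badge entry"))
    return alerts


def run():
    badge = parse(BADGE_LOG)
    logons = parse(LOGON_LOG)
    profile = build_baseline(badge, BASELINE_END)
    return (flag_badge_anomalies(badge, profile, BASELINE_END),
            flag_logons_without_presence(logons, badge))


if __name__ == "__main__":
    for alert in run()[0] + run()[1]:
        print(*alert)
```

Against the constructed data this reports bob's Saturday-night entry, alice's 04:30 weekday entry, and carol's console logon with no badge event at all. The baseline window and the two-hour slack are tuning knobs; in a real deployment the baseline would be learned over months, and the presence check needs the badge and logon clocks synchronised (NTP on both systems) or it will produce false alerts.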

Conclusion

As more security solutions move into managed services platforms that remove the administrative burden for end users, automation and machine intelligence are set to play an increasing role in protecting both IT and industrial systems.

Emerging technologies like software-defined networking (SDN) are already starting to speed up IT security service provisioning and take data security processes off site and into the cloud.

That drive towards a more hands off approach could see security management becoming largely invisible as automated systems take over control and administration of the interconnected world.

“The next 10-15 years will see machine-to-machine fights where AI elements fight each other [without human intervention],” predicted Jakob Duch, vice president of internal sales at fixed and wireless network equipment provider Allied Telesis. “Instead we will see AI algorithms in software able to adapt dynamically to security situations.”
