Convergence of physical and cyber security will be vital in protecting cities of the future

Convergence of cyber and physical security is one of the key considerations when planning protected cities and public spaces. This was a central theme of a recent IFSEC Global webinar, in which participants discussed how technology and physical security can converge to combat emerging threats. 

Among the webinar’s contributors are, Sarb Sembhi, CTO & CISO of Virtually Informed, and Co-Chair of the IoT Security Foundation’s (IoTSF) smart built environment group, said the range of cyber security challenges are vast.

There are vulnerabilities in code libraries to develop apps, in vendor application code, in technology standards and protocols, in configuration and/or installation, and in the management of devices, systems and in connections. Threats also exist from social engineering vulnerabilities from hackers, data collection practices of vendors and/or facilities, and in the area of data usage and collection.  

He also outlined emerging and future threats to a converged approach to security.

These include: 

• A lack of governance and preparation for integration 
• A siloed mentality and empire building/protectionism 
• New and emerging vulnerabilities in established technology standards 
• So-called smart cities which are really an extension of the surveillance state 
• Increased surveillance data creating staff blackmail targets 
• Continued use of and delayed replacement of vulnerable devices and systems 
• New and emerging technologies – such as 5G, AI, blockchain and drones  
• The vulnerability of single devices leading to ransomware on all connected infrastructures.  

Everyone from the manufacturer to the installer needs to be thinking about cyber vulnerability, added Marc Weatherley, Senior Sales Director at Avigilon, part of Motorola Solutions. As a manufacturer, it has its own internal policies, manufacturing methods and software development to ensure that products are resilient. We need everybody to be doing that, he said. “We have a whole product range that is NDDA-compliant, and that’s to ensure that we understand the full supply chain behind our products. That’s really at the core of what we do.” 

We are seeing the development of a whole range of smart camera analytics, he explained, such as smoke or vapour detection and concealed weapon detection. You can also detect events like people carrying a bag and then leaving without one. AI gives more of an insight to operators, enabling them to make informed decisions about what to do next. 

Avigilon uses Onvif to connect to all of their devices, said Weatherley. It has always been an open platform, writing integrations or allowing integration into software, which he argued is definitely the direction we need to be moving in so that we have this converged environment. Last year, the company was able to repurpose a lot of its AI, developing occupancy counting, face mask detection and social distancing alerts. It is now working on a project that potentially can monitor how Covid moves from person to person in a specific environment.  

James Willison, founder of consultancy Unified Security and Co-Chair of the IoTSF smart built environment group, asked how can we manage integration of physical and cyber. In a converged security centre, priority would be given to the really important risks, so that potential cyber attacks can also be monitored. These technologies are available now but not enough companies are using them, partly because of a lack of investment in these technologies. Also, there needs to be physical and cyber trained people in the control room to understand the issues. 

While PSIMs (Physical Security Information Management) are very good at bringing together all the physical security elements, said Willison, they are not very good at bringing in all the cyber. Both should sit alongside each other and be treated equally. “Camera systems being subjected to cyber attack is a major issue now – it’s not just something you can leave to physical security managers – they need some help.”  

It’s far easier for criminals to steal from a bank or attack infrastructure by digital means than by a physical one, said Stuart Williams, founder of Blackford Security Consultants and representing the Security Institute. What worries him is the scale of the consequences, such as the amount of money that can be stolen digitally compared to physically, or sabotage attacks on infrastructure where you’re not just taking out one transformer but you’re taking out a whole utility. Physical security traditionally looks at site level, whereas cyber security needs to look at organisation level – that’s a big difference! 

Security is not as converged as it should be, he continued. There are different jobs for chief information security officers and heads of physical security. In the built environment, cyber threats are often excluded from the risk assessment process, because they do not have as much influence on the physical space and the design of the building. 

In response to the question of how to educate the wider industry about these concerns, the IoT Security Foundation is producing guidance for property managers and owners, said Sarb Sembhi. “Whatever happens in many organisations is the result of what happens at the top and the guidance they’ve been given. Governance coming from the board is absolutely vital. If the right governance is not provided and [guidance on] how teams are going to work together, they will continue to work in silos, as there’s no incentive to [work together].” 

There is a need for an integrated approach, said Sembhi, such as effective overall governance of smart city projects rather than separate infrastructure management, an understanding of the skills required to manage smart city security, and complete situational awareness to manage threats from the outset. This integrated approach should apply to the whole lifecycle of the project, from the developers writing code through to the decommissioning of systems. 

What sort of cameras and systems should people be specifying for publicly accessible spaces? “The security manager of a site needs to know what is happening either physically or virtually, and they need to be able to respond as quickly as possible, so any tool that enables us to do that is a bonus,” said Stuart Williams. It’s not just about the cost of £100,000 or £1 million for a new system – it’s what goes wrong if you don’t invest in it.  Rather than being seen as a cost in isolation, security should be presented differently, in terms of risk. There are a lot of people who don’t specify a system correctly, as they don’t fully understand what they want the system to do, or what they want to achieve from it. They should be going to qualified consultants who can do that, he said.  

Williams thought that if implemented, the government’s Protect Duty [an obligation for those with responsibility for publicly accessible locations to consider/implement security measures to protect the public] will herald a significant change for the security industry, and it’s something he’s wanted for the whole time he’s been in the industry. Security doesn’t come high up on people’s priorities, he said – it doesn’t matter what you say in the risk assessment, there are always other competing factors that will knock it down the ladder of importance. “The mentality of ‘it won’t happen to us’ drives all security decision-making, particularly when it comes to cost. I think the Protect Duty will change all of that.”  

He went on to say that the inquiry [into the Manchester Arena attack] concluded that there is no reason why security should be any less rigorous than fire and life safety. A lot of people are calling for a ‘light touch’ regulation – even the introduction to the Protect Duty calls for this – but the Manchester inquiry said it shouldn’t be a light touch. Everyone has a role and everyone needs to be aware of potential of terrorist attacks, just like fire evacuation. 

James Willison, who earlier in the year gave evidence to a House of Lords committee on risk assessment and risk planning, said there was a lot we could learn from South Korea and cities like Seoul. They have the IT capability because they started in 1999 and since 2003 have ‘ubiquitous technology’, as they refer to it. The United States has the IoT Cyber Security Improvement Act 2020 for the federal government since January, while the Cybersecurity and Infrastructure Security Agency advocates convergence as the best solution and has a 4-page guide on this. 

“We need to make sure that technology adapts to what we are trying to achieve with smart cities,” said Sarb Sembhi. Many places which have a smart infrastructure are calling themselves smart cities, which they are not. It’s like getting a smart kettle and a smart TV and calling your home a smart home. It’s not a smart home – it’s a home with a smart kettle and a smart TV in it! Similarly, a city cannot be a smart city just because it has a smart infrastructure – you need a whole range of things.”   

It might be more realistic to call them ‘connected places’ for the time being, Sembhi said, until they really become smart cities. “We need to take the Manchester inquiry recommendations for buildings and apply them to cities. We’re probably ten years away from when we see a real true smart city, where they’ve integrated a lot of things in the right way.” 

Watch the full webinar, below.

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report