Seven years ago I authored a short piece published in Government Security on the tending convergence of cyber and physical security. The piece, titled “Cyber and Physical Security Unite,” is still online at http://govtsecurity.com/mag/cyber_physical_security and still gets periodic attention.
I’ve been asked by some government friends to update my thoughts on the old article I mentioned, and am noodling over how to do that now. If you have any advice/comments/suggestions for me on that I would appreciate it. I’ve reprinted it below.
QUOTE:
Cyber And Physical Security Unite
May 1, 2003 12:00 PM, Bob Gourley
The passion is coming back to the on-again/off-again romance between cyber-security and physical security. Three drivers are putting the excitement back in the relationship: technology, policy and economics.
TECHNOLOGY — Increasingly physical security devices are being computer-enabled. They are also being networked together to provide automated results of physical security status to centralized databases for analysis. Often these devices communicate with each other via wireless circuits. All of this physical security information must be protected, forcing an integration of the cyber- and physical security disciplines. Computers and networks must be protected from both cyber- and physical compromise, of course, which reinforces the connection.
POLICY — In some situations, IT security is run by one organization, personnel security by another, physical security by another, and network operations by another. Each may have its own budget, priorities and processes. This results in seams that adversaries can exploit. Patching these seams requires policies that reinforce coordination and cooperation.
ECONOMICS — Managing the two together can result in more efficient use of budgets and staff time. Integrating physical and cyber security is not without challenges. The disciplines have always been related, but both require different expertise.
No organization should force its physical security guard force to be the computer network response team (or vice versa). Trying to do so is a recipe for failure for both missions. How, then, can organizations find the right balance in integrating physical and cyber security? Here are five suggestions:
- Respect the expertise requirements and training needs of both disciplines.
- Allow leaders in both disciplines to have insights into and input to each other’s emergency reaction plans.
- Ensure coordination prior to acquisition of physical or cyber security devices.
- Ensure senior management is well versed in the needs of both disciplines.
- Periodically exercise the entire security force using multiple, realistic scenarios.
UNQUOTE
In thinking about how to update that short piece I thought about what has changed since 2003. Changes include:
- We are now more dependent than ever on IT
- Threats to our cyber structures have been growing
- There is now more linkage than ever between physical and cyber threats (bad people who operate in cyberspace usually are doing bad things in the real world too, for example, and bad people plotting attacks frequently use cyber to help their malicious purposes).
- Technology for cyber security has continued to advance and almost everything in the physical world is connected to IP-based communications.
- There has been a real shift towards all citizens (including fed workers) using social media, resulting in significant information opportunities for the bad guys.
- There is a more refined national structure for coordinating across critical infrastructure sectors. There has also been changes in how cyber security coordination occurs.
But many things have remained the same, including:
- Human nature, including the tendency of humans to focus on the mission they are assigned and, for many reasons, to not focus so much on the mission others are assigned.
- Bureaucratic politics, much of which flows from human nature, and much of which serves to reduce collaboration and coordination.
- Pressure on budgets. There is always a need to watch how money is spent.
- The importance of both physical security and cyber security is another critical constant. Both must get done to a level where our country can thrive in tough times. This is an enduring need.
- And, unfortunately, we are still facing many challenges in optimizing our defenses against both physical and cyber attacks.
Because of all that, how should I update that little article? I think the five key points I made are still pretty close, but they need to be fleshed out and informed by the many new cyber and physical structures and processes we have in place in enterprises big and small.
The article is definitely in need of an update to be relevant. If you have any suggestions for me on how to do that please let me know.