At a recent industry event I attended, end-users were sharing opinions about fostering productive vendor relationships. In a panel discussion directed at security integrators, the end-users recommended to the integrators how to go about becoming a trusted advisor. One particular corporate security director said he was looking for his physical security integrator to provide him with specific advice to address his concerns regarding cybersecurity.
In response to this request, today's physical security integrator is faced with a formidable challenge. Physical security professionals may hesitate in this response as they grapple with the complexity of the situation. Many have come to realize that the discipline of logical security and physical security may not merge naturally into a mutually beneficial relationship. The two areas of expertise are, in many ways, considered to be different animals in form and function. Little or no direct crossover in practice areas within the company culture cultivates communication and strategic disconnect. This resultant lack of knowledge and appreciation for the contribution of each does nothing to encourage a collaborative effort for a comprehensive security program; yet, the message endures from industry experts — to protect a company’s assets, a cooperative effort must be established.
To the integrator, the peril lies in the charge — move forward or risk being left behind; however, in the face of the unknown, some integrators choose to avoid the topic altogether. To move toward collaboration between logical and physical security disciplines, education on both sides must be promoted; and the programs, devices and disciplines employed for information and physical security be brought together to form a symbiotic relationship.
Experts Weigh In
In his experience in IT security in high-risk environments like the Federal Reserve Bank and the Department of homeland Security (DHS), Darnell Washington, CISSP, president and CEO of SecureXperts, observes a divide between IT and physical security. To him, it appeared as if the IT personnel had claimed authority over their physical security counterparts.
In response to this phenomenon, Washington’s most sobering message to the IT security teams aimed at addressing the vulnerability of physical data centers that house and store federal information and data. “If you cut a cable or systematically attacked an environment where perpetrators go undetected from the perimeter or lack proper security controls, there is no predictable limit as to the potential consequences an attack may have”, Washington told the IT professionals. “If you cannot protect the physical environment of your information, you cannot protect the data.”
Lloyd Uliana, a Business Development Engineer with Bosch Security Systems who is currently working on a major project with the DHS Federal Protective Service, adds that “physical security professionals have a depth of knowledge and training in observing patterns and threat sources. IT staff often lack the vigilance to conduct security operations on a 24/7 basis, and have a misconception that life safety and physical facility protection strategies are not constantly changing like cybersecurity. Why do we have Information Security staffs if a thief or insider can enter a facility and walk out with data undetected?”
Washington and Uliana agree that interoperability and compatibility issues plague physical security when the systems are connected to IT networks. It is extraordinarily complex to design a solution when IP addressing, security, bandwidth, latency and system loads need to be calculated in concert with IT administrators’ requirements.
Both insist that without the proper education on information security process and practices, the integrator will struggle to address customer scenarios and concerns in this complex environment.
In light of the trials involved, I asked the question, “What is a realistic initial approach to cybersecurity for integrators?” Both Washington and Uliana insisted that without the proper education on information security process and practices, the integrator will struggle to address common customer scenarios and concerns on this front. Consider the following examples they offered:
Field Challenge #1
I am a systems integrator. I know the product, but do not have a full understanding of the environment or use case in which it will be used. You don’t know the interdependencies of the security product, the network infrastructure, nor the threats that can be exploited against the system.
Real-world example: A systems integrator comes into a facility to upgrade an access control panel. During the process, he uses a weak password, (i.e., the building’s zip code) for the entire facility’s security functions. Attackers recognize this as one of the top ten possibilities password ‘possibilities’.
Repercussions: A hacker goes in, steals the password and changes all of the addresses and configurations denying access to everyone.
Who’s involved: Installer, IT Security Integrator, Building Management, and Physical Security Management.
What you need to know: The types and methods that attackers use to guess passwords and to implement strategies that will decrease the likelihood of occurrence of something like this happening.
Field Challenge #2
I am a systems integrator and lack the foundational knowledge of internet protocol addressing, sub netting and configuring gateway addresses on devices that are connected to the corporate IT network.
Real-world example: A systems integrator configures an IP camera to a reserved IP address that was connected to a gateway system that the company uses to transmit electronic data securely to other locations.
Repercussions: This address conflict created a loss of service and disruption within the IT network that was difficult to trace and resulted in hundreds of thousands of dollars in lost productivity and man hours required to troubleshoot, identify and resolve the issue.
Who’s involved: Installer, IT Security Integrator, and IT Department.
What you will need to know: The system integrator needs to thoroughly understand configuration and change control management within IT systems and the processes that are required to perform installation verification, performance measurement validation and installation quality management validation.
Field Challenge #3.
The systems integrator has a lack of knowledge and training into single sign-on (i.e. when a user uses a single password that logs them in to multiple systems – both physical and logical) and how to introduce the proper interfaces that pull user information and identity information into the systems that they are deploying for security purposes.
Real-world example: Managing new employee on-boarding and access privileges.
Repercussions: when an employee is terminated, and fails to turn in their credentials, their access remains active allowing physical intrusion to go unnoticed, resulting in possible consequences in loss of life, theft, and damage to company assets.
Who’s involved: Human Resources Dept., Installer, IT Security Integrator, IT Department
What you need to know: When a new employee is on boarded and issued an access card, the systems integrator needs to know how to copy and manipulate this data that is entered from the HR system into the database that is used to grant new employee access to controlled areas.
While the complexity of cybersecurity may intimidate the security integrator, both cyber and physical security objectives should be harmonized into a common set of organizational goals and priorities. As the market continues to evolve to network-based technologies, the integrator must be knowledgeable about emerging capabilities and must obtain training and real-world experience to effectively recommend the best-fit solution for their customer.
Barbara Shaw, CPLP, is Director of Education at PSA Security Network. Learn more about cybersecurity and Physical Security with Washington and Uliana, along with other subject matter experts at TEC 2014 presented by PSA May 5th-9th 2014 (www.psaTEC.com).