The Unstoppable Convergence Between Physical and Cybersecurity
A combination of cyber and physical defense is not only inevitable, but can make enterprise security stronger.
In 2017 in Lappeenranta, Finland, attackers caused heating systems to go offline by targeting them with a Distributed Denial of Service (DDoS) attack, leaving residents to face the sub-zero temperatures typical for that time of year.
In 2016, the U.S. Department of Justice charged seven Iranians for hacking the control systems of a small dam in New York State in 2013. The dam was offline for repair, preventing the hackers from controlling the flow of water.
In Germany in 2014, attackers infiltrated the corporate network of a steel mill, and used the access to pivot into the production network, enabling them to manipulate the facility’s control systems. The attack led to failures in equipment and caused a blast furnace to explode.
With just those few examples, we see security convergence, where physical and cybersecurity issues overlap.
The issue has been around for more than a decade. But it has only been in the last few years that the networked enablement of everyday business functions has forced enterprises to embrace the fact that physical security and cybersecurity must be treated in a unified manner.
But why haven’t companies been able to converge? The problem has been the actual implementation of a converged security solution. Because physical and logical security systems have had little in common on any level, integrating them was seen as a costly and complex proposition.
Yet, that’s changed. While some enterprises might not consider their access control or HVAC data a high-risk asset, hackers are often looking for the path of least resistance into your system and to higher-value physical prizes. That path can easily be through security technology. Traditional “physical” devices such as HVAC, lights, video surveillance, ID cards, biometrics, access control systems and more are now IP-enabled, creating an entirely new set of vulnerabilities that hackers will exploit and try to use to access a company’s network to steal business or customer information.
James Turgal, managing director for Deloitte’s Risk and Financial Advisory’s Cyber Risk Services practice, has been working with the convergence of physical and cyber for more than 20 years. He’s a former executive assistant director for the Federal Bureau of Investigation Information and Technology Branch, and a former member of the FBI’s C-suite, where he was responsible for all global applications, corporate systems, infrastructure and operations for the bureau’s worldwide information and technology needs. He also led the FBI’s efforts to transform cybersecurity areas including digital forensics and investigations, data privacy, identity management and cyber resiliency.
Earlier, while serving as chief human capital officer and head of the FBI’s human resources (HR) division, Turgal focused on aligning staffing resources with emerging risks, streamlining systems and processes, designing a cyber skill and recruiting program, as well as maximizing HR budgets.
He will discuss how to find opportunity and risk within the converging cyber and physical security landscape at this year’s Security 500 West conference on May 10, 2018, in Santa Clara, CA.
For Turgal, due to the fast pace of technology in our personal and professional lives, convergence is an unstoppable reality, and a necessity for any enterprise to successfully mitigate security risks. IT departments at the end-user level are getting more involved as the number of connected security devices expands and as video data, access control system management and video analytics continue to grow rapidly. In fact, at last year’s ISC West show, IT companies exhibited alongside physical security manufacturers.
Yet, he says, there are “some enterprise security teams who still look at the issue from a silo view because they were trained to view security that way. But technology is moving so much faster, and with a silo view, technology is going to roll past them. There are ways that you can segment the two areas in a positive way…but you cannot just continue to maintain the status quo.”
As the physical security world becomes increasingly IP-enabled (IMS Research estimates that about 22 billion devices overall will be internet-connected by 2020), it’s really just a matter of time before most companies consider convergence. But before any enterprise can realize the potential gains, like cost savings and efficiency, it must sort out any power struggles and turf wars, because the modern design of IP networks means that they can encompass business-critical systems alongside security video and other security systems that enable physical access to a facility.
Turgal also places importance on the people aspect of the issue: The cooperation between IT, cyber and physical security in an enterprise needs to happen to keep pace with rapidly changing technology. “All three parties and their collaboration rolled up into a strategy creates a holistic security view that can help organizations thrive. Without it, you are duplicating efforts which can create vulnerabilities and cost money. Running a network for cybersecurity and physical security are also two networks that you’ve got to continue to patch. And if you create a vulnerability on one network, you create a vulnerability across the organization. So the synergy [of physical and cyber] is being driven by the increase in technology [in enterprises] and how fast systems and new technology are moving.”
“This [movement] is all about leadership, accountability and execution. Leadership has got to embrace this. Historically, and even now, you have a tremendous number of leaders in the CIO role and the C-suite that are all about the business operations. And because of the last [few] years, those conversations have been about the cyber world. There are vulnerabilities out there they never have had to deal with before. So now, they’re talking about those issues, but still not looking at it in a holistic [strategic] viewpoint. For that to happen, senior leadership has to embrace the desire to do it, but success hinges on the accountability and execution pieces. It was difficult in the FBI, and it’s difficult everywhere.”
From the accountability piece, Turgal says that there’s a large cultural aspect involved. “These are people’s positions that they’ve held sometimes for decades. Every enterprise has a culture. One of the most important conversations to have before an integration is to discuss the culture of that organization, including a security leader’s ability to assess their people, their strengths and their motivations in order to understand the individual organization culture. Understanding what the culture is and how to operate in it plays a critical role in the success of any type of implementation. A misaligned organizational culture can have a tremendous impact on both the business and the security aspects. You could potentially be changing the philosophy that the enterprise has had for years, not just combining networks.”
According to Turgal, costs could be reduced during the convergence process and personnel could be realigned, which can only add to people’s hesitation to embrace convergence, as employees fear for their jobs. “Employees might think in the beginning that they’re losing their jobs, when really, they aren’t. Because if you’re doing it correctly, you need to have the same personnel, particularly with physical security. You’ll still need teams with subject matter expertise who understand the physical security piece of the network.”
Turgal believes that video surveillance is one driver of a converged state of mind. “I ran cases in the FBI where an organization had a great CISO, secure networks, policy, and governance on network patching and making certain that they were always up to date and protected their endpoints. But they lacked that same rigor on the physical security side. And someone found that they had no security cameras, and they weren’t locking their doors. They literally entered the back door into one of the facilities and accessed the network directly while sitting in a lawn chair. So, that’s a perfect example of needing to have all of it – physical and cybersecurity.”
Another driver, says Turgal, is insider threats. “At the FBI, we were very concerned about insider threats. As an example, the FBI was involved in a case with a manufacturer who has a lot of intellectual property, and who was recruiting at a local university. They posted the recruiting event on their Facebook pages and through social media. One nation-state planted individuals at the university where the career fair was held to be hired by that company. After just 18 months, that employee began exfiltrating information from the networks and stealing company secrets. In my opinion, that’s a convergence of not only the insider threat and external threat, but also a cyber and a physical aspect. Bottom-line, both had a substantial economic impact for that company.”
Overall, Turgal stresses that a CSO needs to drive the security philosophy to the C-suite: that convergence is inevitable, and the benefits that it will provide to the enterprise. “A CSO must take a leadership role, build their systems and get their own team to understand it and to buy into it. So you’re not just bolting on security. You are living it every day. And then you create that relationship piece with the CIO and CISO, enabling them to become symbiotic friends and neighbors with the same philosophies. You can have your leadership at the top believe [in convergence], but the implementation is also important, and that has to occur at the lower levels. It has to happen from the mailroom to the boardroom.”