The Need for Cybersecurity and Physical Security Convergence

Security leaders have been discussing the convergence of cybersecurity and physical security for years.

But what does it mean? According to “Physical and IT Security Convergence: The Basics,” convergence is a formal cooperation between previously disjointed security functions – cooperation is a concerted and results-oriented effort to work together.

Despite the fact that physical and cybersecurity are intrinsically connected, many organizations still treat these security functions as separate systems. Until recently this was justified because the technology to integrate physical and cybersecurity was not yet available. But now, the problem comes down to governance, making it a priority to create a single body for security policies, procedures and deployments, a Cisco report notes.

Scott Borg, Director of the U.S. Cyber Consequences Unit, says, “As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”

The Importance of Convergence

A recent Forbes article discusses how security is the new transformation imperative since the COVID-19 pandemic started sweeping throughout the world. “Highly integrated corporations can adapt to weather not just competitive challenges, but also unexpected market changes like what we are experiencing now,” writes Christopher R. Wilder, Senior Analyst-in-Residence, Security, for Moor Insights Strategy.

“Right now, most U.S. companies rely on patchwork systems, even to handle their most sensitive data and functions,” says Brivo CEO Steve Van Till. “Now that we are experiencing the formerly unthinkable, security threats, both cyber and physical, have been illuminated or exacerbated and the importance of efficient, integrated, and secure systems has been highlighted.”

Cybersecurity is critical for any system that exists online - which is about every system in existence today. To provide some perspective about how many physical and digital components are connected to the Internet, here is some research. In 2019, the number of active Internet of Things (IoT) devices reached 26.66 billion, up from 7 billion IoT devices in 2018 . Every second, there are 127 new IoT devices connected to the Internet, creating a larger attack surface, which threat actors can leverage to take control of and exploit.

The statistic doesn’t just include personal devices, such as smartphones and tablet computers – it includes sensors, cameras and devices used in security that are now IP-enabled because of the convergence of the IP network.

Therefore, says Brivo, physical security must take into account cybersecurity as this massive convergence can have a negative impact on the performance of the network if the network has not been properly designed and deployed to handle this increase in traffic. “Your physical security system has identification information for your employees or tenants, access data for your facility, and the actual functions to control access to the facility itself,” Van Till further explains. “That is why it is important to choose a physical security solution that is constantly maintained, penetration tested and cyber audited.”

Solid Security Posture

How does physical security help mitigate cybersecurity? “The right physical security solution helps any company meet compliance standards and follow proper protocols when it comes to visitor and identity management,” notes Van Till.

Knowing who is on your property or in your building and when, and ensuring they are authorized to be there, creates a safer space, for instance. Areas of the property or office that house sensitive information or equipment, like server rooms or HR offices with employees' personal information, can also be locked down to everyone except a few designated and trusted individuals.

How Brivo Meets the Most Rigorous Cybersecurity Standards

BUILD PRODUCTS (technology)

It becomes difficult for customers to manage their level of cybersecurity as locks, cameras, and other physical security devices commonly come from multiple vendors with varying attention to cybersecurity. One of the primary tenets of cybersecurity is to not trust input from other systems. Brivo designs their systems with cybersecurity as an explicit component.

They assume that networks used to communicate with controllers and management systems may be public, untrusted networks.

As such, they employ:

Techniques such as mutual client-server authentication (the strongest available encryption) for communications protocols.
Anomaly detection and monitoring to locate and terminate unexpected communications or processes.
Client-server TLS certificates to protect the content of communications between devices and provide mutual authentication between devices and servers - This means an unauthorized device or hostile server will not be able to negotiate a network connection to a device, much less change its operation or status.

DEPLOY APPLICATIONS (process)

Brivo designs, architects and codes their applications for cybersecurity from the start. They test for cybersecurity throughout the development lifecycle.

This includes:

Using automated code analysis tools on software prior to deployment
Continual scanning of deployed and upcoming software/systems for potential cybersecurity issues
Manual code and design reviews with developers and security experts

Brivo has frequent software deployments to provide new features and functionality to their customers. As availability is a major concern, Brivo also uses multiple physical and logical networks to ensure availability even in the case of region-wide disruptions, such as hurricanes or other natural or man-made disasters.

MANAGE BUSINESS (people)

As the old adage goes, a chain is only as strong as the weakest link. Therefore, Brivo takes cybersecurity into mind with their personnel and internal business processes.

This means Brivo:

Invests in technical and security training for internal developers, testers and other personnel
Uses the principle of least privilege to minimize the impact a rogue actor might cause - Personnel can only access systems and data they have a demonstrable business need to access (and that access is still monitored)
Use third-party audits and assessments of their software, devices, servers and business processes to validate that we meet industry standards, legal, and other compliance drivers

Achieving Convergence

There are many steps enterprise security leaders can take to achieve convergence. Enterprise leaders should look for a provider who makes cybersecurity a priority for how they build products, deploy applications and manage their internal business. Here is a checklist on what to look for:

1. Building network secure products:

While professional cloud-based solutions are designed to operate over public networks, systems originally designed for on premise installation may lack precautions like strong hardware security and data secure transmission with the system server.

If not done right, network devices can be entry points for malicious attacks when they require open inbound ports and allow unauthorized inbound communication.

According to Brivo, questions to ask your provider include:

Does the platform reduce my “attack surface” by eliminating the need to establish open inbound ports?
Can the platform prevent malicious attacks with bot monitoring and other security techniques for self-detection?
Can we transition to more secure mobile credentials to prevent keycard duplication?
For control panel authentication, is a unique digital certificate issued for each control panel during manufacturing?
Do you offer a higher level of device communication security such as 256-bit AES encryption (same level as banks) with Transport Layer Security (TLS) 1.2 or higher?

2. Deploy and Support Applications

The best providers, says Brivo, deliver 24/7 monitoring on a network with a multi-layered security model to provide redundancy, business continuity and risk management. Without proper support and active monitoring, you could face security breaches and costly service disruptions (especially for older systems).

Questions to ask your provider include:

Is the application deployed in multiple redundant data centers to make sure my building is protected?
Do you have active cyber defenses and a documented response plan?
Are current applications analyzed on a regular basis to determine their vulnerability against recent cyber attacks?
Does the application support two-factor authentication?
Does the platform enable automatic software and firmware updates?

3. Manage their Internal Operations

According to Brivo, cloud providers must go beyond the data center (AWS) provided features and accreditations and look at the certifications delivered by the application provider.

Providers need to limit internal employee access to their data center, as well as key areas like backup storage and server rooms to protect your data.

Questions to ask your provider include:

Can you provide evidence of your own audited data security controls in addition to those from your data center provider?
Can you provide evidence of third party audits and vulnerability tests on your software, hardware and internal processes?
Does the platform get an A grade in Qualys SSL cloud security and compliance tests?
Do you provide a service level agreement (SLA) guarantee for platform uptime?
Do you have strict internal personnel policies like monitoring what data and equipment your internal employees can access?

Preparing for Convergence

While preparing for this convergence, enterprise security leaders should keep in mind the following aspects, says Brivo.

You cannot provide good cybersecurity without good building security, or if both the cybersecurity and physical security team continue to be siloed.
Working together with your IT department improves your organization’s cybersecurity.
Building a better relationship with your IT group helps you become breach-ready.
There’s a lot to consider when handling risks: threats, scalability, reputational risks, disaster response, data privacy, etc.

As a reminder, to determine whether a manufacturer is providing good cybersecurity, look at how they build their products, deploy their products and manage their people and procedures internally.

Brivo, for instance, builds end-to-end security designed for IoT using the strongest encryption for communications. Their hardware uses embedded bot monitoring and real-time alerts to take immediate and corrective action. Brivo also deploys their applications with regular and automatic software updates and pre and post-deployment scans of software and systems. They enable business by monitoring and managing what employees can access, and religiously conduct third-party audits on software, hardware and internal processes. For more on how Brivo meets the most rigorous cybersecurity standards, see SIDEBAR.

To learn more how Brivo can help your organization achieve convergence goals and more, visit https://www.brivo.com/lp/call

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.