The risks and rewards of meshing physical and cyber security
Written by Sanjay Vaid, Practice Director of Cyber Risk Security at Wipro Limited
Security is undoubtedly a primary focus for any organization, particularly in this digital age where assets extend beyond the physical to include virtual assets such as data. The emergence of cloud or Internet-based devices, such as smart meters and smart CCTV cameras, is expanding the reach of traditional security measures and enabling a host of heretofore unknown benefits.
For most industries, traditional security mechanisms such as perimeter and access control are still of vital importance. Technology has, however, introduced new ways for these to be managed and automated. These technologies are yielding faster response times and improved security. Meshing technology with physical security can vastly improve the overall security landscape for any organization.
Introducing Internet of Things (IoT) devices into an operational environment helps reduce many health and safety risks. These devices range from smart cameras for surveillance to sensors installed on vehicles, which track and trace progress, prevent breakdowns and enable pre-emptive maintenance. For example, sensors can quickly identify gas leaks, enabling quick resolution. Another example would be IoT-enabled construction equipment, which helps avoid collisions or load-related accidents. Technology is making the industry safer.
There is a flip side to this, however, as advanced technology also introduces a number of threats into security environments. An organization's entire operations can be brought down by cyber-attacks launched on a seemingly innocuous piece of technology such as a sensor or smart device.
Recently, a casino in Las Vegas was infiltrated via its fish tank, albeit a very high-tech fish tank connected to a wireless access point, with the intent being to steal data. Fortunately, technology also came to the rescue in this case, as the systems were closely monitored and the hackers could be stopped before too much damage was done. Another recent attack saw an entire critical infrastructure plant’s operations being shut down due to hackers accessing and taking control of an Internet-enabled workstation.
Attacks like these highlight how effectively cyber criminals can damage or cripple an entire business in a matter of minutes. In certain industries where health and safety are of paramount importance, such as mining, oil and gas, engineering and health, the derailing of infrastructure and the halting of operations can cause more than simply financial or reputation damage: there are lives at stake.
A challenge facing industries such as those involving chemical plants, mines and oil & gas organizations, is that technology can also introduce physical threats. WiFi, for example, can cause a fire hazard in environments sensitive to sparking. In such cases, organizations need to investigate alternative, environmentally suitable technologies to bring these sites onto their cyber security network, and maintain central surveillance, access control and identity management.
Access, both physical and network, is the area that businesses need to closely monitor and secure. Physical access control is critical: it ensures that only the right people gain entry to the right areas of a business at any given time. Technology is allowing businesses to apply the likes of biometrics to manage access, enabling quicker, more accurate access control.
From a virtual access and data security point of view, it is critical that organizations implement proper identity controls such as authentication and passwords, as well as multiple layers of encryption across their data-at-rest and data-in-motion.
Integration and centralization are critical in order to properly manage and monitor all of these technology-backed security measures. Businesses need to ensure that the security technology they invest in, from physical to cyber, is capable of integrating with a central management platform from which they can efficiently and effectively control their entire security environment.
It’s also important to have the right security policies and processes in place, so that organizations are able to follow proper protocol in times of breach, or when a risk is identified. This is especially important as new regulations emerge, such as the Protection of Personal Information (PoPI) Act and the General Data Protection Regulation (GDPR). Such regulations will be pivotal when redefining data security policies and are likely to have a larger impact on sectors such as the financial, retail, and insurance sectors.
Budget and security concerns are likely to come up against each other, as businesses weigh risk against costs. Costs, however, will be in line with the risks, which inevitably vary across different industries. For many organizations where it is less critical for security to be wholly controlled within the business, opting for Security-as-a-Service will be a win-win answer to the risk vs cost debate.