Two converging worlds: Cyber and physical security

Not long ago, government agencies and other organizations had two sets of security guards: one group protecting buildings, offices, labs and other physical structures; the other monitoring networks for hackers and other cybercriminals. But that's changing.

More and more, companies, government agencies and other organizations are looking holistically at their security management and practices. This convergence of cyber and physical security, in part, has spawned the Open Security Exchange, a consortium of private-sector technology companies developing vendor-neutral interoperability specifications and best practices guidelines.

"There is no such thing as security if they're separate; one is increasingly dependent on the other," said Laurie Aron, OSE's vice chairwoman and strategic sales director at Software House.

She said lines between cyber and physical security are blurring.

Eric Maurice, director of Computer Associate's ETrust Security Solutions and OSE's executive director, said "convergence" has two meanings.

The first is technical convergence. Traditionally, physical security systems such as access control panels or surveillance cameras were operated on dedicated networks. But in recent years, organizations have begun to run physical security systems on their IP networks. But running nontraditional technologies on such networks has raised concerns about performance and security.

"I'm aware of a few incidents where companies were putting in place a digital video recording system without changing the password," Maurice said. "Traditionally, you talk about hacking and spying as something very abstract. But, in this particular case, I can look at you working at your desk, and you won't even know it."

The second meaning of convergence refers to security disciplines. Security needs to be viewed in a strategic manner, Maurice said, because the majority of computer crimes are committed by individuals such as disgruntled employees or contractors who physically access unauthorized systems.

OSE officials are working with industry leaders to provide standards that allow physical and IT security systems to share information, something that is difficult to achieve, Maurice said.

Among the benefits of convergence, experts say, are consolidated security management and response, better detection and tracking, simplified forensics and consistent policies across the enterprise.

Security tug of war

Organizations have traditionally spent more on IT security than on securing facilities, experts say. They also cite cultural problems affecting the two security groups, among them a lack of collaboration, coordination and response. Usually, IT employees are better paid and have more clout within an organization than their physical security counterparts.

Consequently, both sides are engaged in a tug of war about who should be in charge of overall security. The emergence of an executive-level chief security officer position in industry and in the government sector is an answer to that problem, experts say.

Within industry, attitudes are changing. Tom Goldman, president and chief executive officer of NetBotz, said convergence is past the early adopter stage. NetBotz has about 2,600 customers, one-third of which are in the federal government. The company integrates environmental sensors, which capture temperature, biological, chemical and radiological values, into an organization's network.

"We're probably not into mainstream adoption like what you see in typical technology curves, but [we're] certainly riding the wave up," he said.

Most experts say the commercial sector is ahead of the government in understanding and creating converged security. Alon Moritz, CEO of Moozatech, which provides security consulting and assessments for converged environments, characterized private- sector officials as the movers and shakers, with government officials trailing.

"But when they do follow, they're going to follow en masse," he said.

However, Phil Libin, president of CoreStreet, which develops large-scale electronic credentials systems, said convergence spending and implementation in the commercial and government sectors are about equal. Federal officials are probably further ahead in terms of mandates and the number of people who will be affected, he said.

For example, in August, President Bush issued Homeland Security Presidential Directive 12, which calls for a common identification standard for federal employees and contractors who need to access federally controlled physical locations and digital information systems.

The Defense Department also has a Common Card Access program, which uses smart cards for physical and network access for employees and contractors. The Homeland Security Department's Transportation Security Administration is testing a single credentialing system called the Transportation Worker Identity Credential program. Other federal entities, including the State and Energy departments, are working on similar programs.

Maurice said when security analysts look at convergence they look at three things: putting in place a single credential, such as a physical access-control badge, deploying a single identity point and employing a centralized provisioning process.

He said a federal department, which might have hundreds of facilities, most likely has different access control panels and hardware at each site. Because the panels are not designed to interoperate, it's difficult to know who has access to what. If employees are fired, their credentials would need to be deactivated at each site, unlike convergence applications that allow administrators to manage access across IT systems.

"In the physical world, we don't have that," Maurice said. "OSE is trying to provide a data schema that will allow physical access vendor applications to talk to each other, and you can guarantee immediate provisioning of people across multiple vendor systems."

Moritz added that the human element must be strong. Although technology can help track and log employees and contractors entering and exiting facilities or accessing networks, employees must be trained to recognize and identify unauthorized

people.

In addition to awareness and education, other issues such as compliance and higher returns on investments have created interest in converged security, experts say.

"The goal is not to replace physical security systems or IT security systems," Maurice said. "The goal is really to allow the systems to communicate so that security staff — physical or IT security — have the best tool in front of them to do incident response and remediation and maybe do some concerted response."