August 8, 2024 – From the desk of Shane Istre

The Cybersecurity Infrastructure Security Agency (CISA) released guidance on the topic of Convergence for federal agencies in 2019. Physical Security and IT departments are increasingly recognizing the reality of converged threats. The traditional separation between these two domains has often led to isolated management of vulnerabilities, which might seem manageable on their own. However, when malicious attacks or simple oversights bridge these gaps, the risks can escalate dramatically. As Dark Reading’s Thomas Kopecky says: “Physical security and cybersecurity are intrinsically connected, and it is no longer effective to manage these threats separately. Cyber-physical incidents can quickly lead to physical harm, destruction of property, environmental disasters, and worse.” ¹⁴

To address today’s evolving security challenges, Physical Security and IT departments need to better align their budgets and objectives. For example, the Department of Defense (DoD) has made strides in this direction by investing in integrated security systems that combine physical access controls with cybersecurity measures. This alignment is crucial for reducing risks while maintaining convenience and ensuring compliance with company policies. Advanced converged technologies, such as biometric access controls and real-time monitoring systems, can aid in managing these risks. However, the ultimate responsibility lies with security professionals to chart the right course, integrating both physical and cyber security measures to safeguard their organizations effectively.

Here is an example of a physical access breach leading to a logical access breach as completed by an ethical penetration testing company. “I went into the manager’s office and assumed the role of, “I’m here with the help desk. We’re trying to make the network faster.” He escorted me to every machine, and I did a 100% compromise of every machine in that branch, including the wire transfer computer and the network servers. He gave me full access to everything, and he walked with me to do it.” Jayson E. Street, Secure Yeti.

Solution: To overcome these challenges, federal agencies can implement a converged security strategy involving the following key steps:

1. Integrated Risk Management Framework: Develop an integrated risk management framework that combines physical and cyber security assessments. This framework allows both departments to collaboratively identify vulnerabilities and prioritize risks based on a holistic view of potential threats. For instance, vulnerabilities in physical access controls, such as weak locks or unsecured entry points, are assessed for their potential impact on IT systems.
2. Unified Security Operations Center (SOC): Establish a Unified Security Operations Center to provide real-time monitoring and response capabilities. The SOC should integrate data from physical security systems (e.g., surveillance cameras, access control logs) and IT systems (e.g., intrusion detection systems, network traffic analysis). This convergence enabled the detection of coordinated attacks that span both physical and cyber domains. For example, an attempted breach detected by the SOC involves both unauthorized physical access to a secure area and suspicious network activity.
3. Cross-Training Programs:  Implement cross-training programs for physical security and IT personnel to foster a better understanding of each other’s domains. Physical security staff can be trained in basic cybersecurity principles, while IT professionals learn about physical security protocols. This cross-training enhances communication and collaboration between the two departments, ensuring a more cohesive approach to managing threats.
4. Joint Incident Response Teams: Form Joint incident response teams, comprising members from both physical security and IT departments. These teams are equipped to manage incidents that involve both physical and cyber components.
5. Integrated Security Technologies: Invest in integrated security technologies, such as advanced biometric access controls and centralized monitoring systems that combine physical access data with cyber threat intelligence. These technologies provide a unified view of security events and enable more effective response and mitigation strategies.

Click here to contact Shane Istre and learn more.

About Identity One

Identity One builds on the FIPS 201 standard, creating innovative next generation registration, validation, issuance visitor management, visitor PIV card and derived credentials for CAC, PIV and TWIC.  Identity One’s solutions serve physical access, logical access for TWIC compliance, US Federal Government Security and US Armed Forces Security. We issue, register and verify identities for frictionless access and integration everywhere, protect identities from being impersonated, and secure intellectual property. We digitally verify identities for the physical and logical world. Identity One software and services are BAA (Buy American Act) compliant and TAA (Trade Agreements Act) compliant. Identity One is headquartered in Atlanta, Georgia, USA and all our products are proudly made in the USA.