Last November, the disruption and chaos caused by hackers at Sony Pictures Entertainment was all over the national and international news. We then witnessed the significant online attacks targeting US Military Twitter accounts as well as leading French institutions.
The issue now is that these occurrences
directly affect not just IT systems but also
people. What used to be ‘annoying downtime’
has entered the domain of the physical security
practitioner because many of them are involved
in protecting their colleagues and families from
physical harm. In years gone by, you would
sometimes hear the physical security manager
state: “Well that’s not on my watch” in relation
to the online or digital space, but ‘cyber’ is now
very much at the door of physical security
professionals whether they like it or not.
What, then, can be done about all of this?
Since the turn of the century several of us have
spent much of our lives looking at the subject
of convergence and what it actually means. We
passionately believe convergence really can
make a difference to our organisations. At long
last, it does appear the need for such holistic
managerial oversight is being recognised.
For example, The Security Institute’s new
Manifesto for Professional Security (Risk UK,
December 2014, pp12-13) declares the
following: “The scope of security is rapidly
expanding and now encompasses a wide
variety of areas ranging from the tangible, such
as physical security and property, to the
intangible, such as intellectual property and
brands alongside cyber security. Security risks
are becoming increasingly converged. Whereas
in the past physical assets were deemed a
priority, in the 21st Century information and
intellectual assets demand equal focus.
Managing the convergence of threats is a more
complex challenge for the security professional
and the support they will need from
professional bodies and education providers is
likely to increase in equal proportion.”
The European Union Agency for Network and
Information Security (ENISA) has identified
cyber-physical systems as an emerging cyber
threat. While its focus is on critical
infrastructure protection, it also considers the
impact of The Internet of Things in this field. In
the report entitled ‘ENISA Threat Landscape
2014: Overview of Current and Emerging Cyber
Threats’, the organisation recommends: “The
main focus should be on breaking silos and
enabling the creation of proper grounds for
necessary interdisciplinary co-operation.”
What do we mean by ‘convergence’?
Fundamentally, convergence references the
bringing together of different security functions
and other departments such as Human
Resources (HR), Legal and Finance to identify
and respond to risks across the business. It’s
not a new concept but the issue is that we need
to do this now if we’re to have any chance of
countering the aforementioned threat from
cyber-physical systems.
EY has warned that cyber attacks are only
going to cause even more damage, stating that:
“67% of respondents to our 2014 Global
Information Security Survey see threats rising
in their information security risk environment.”
In 2011, ASIS Europe and the Information
Security Awareness Forum conducted research
indicating that around 35% of organisations
were operating a converged security strategy
but, since then, we haven’t seen widespread
progress. For various reasons, many companies
continue to operate their physical and cyber
security functions separately from one another.
www.risk-uk.com

‘Blended Threats’: Defending the Business Community

In the last year or so the number of cyber attacks targeting major organisations has risen dramatically while their impact has been significant. What are we going to do, then, about the increasing number of blended cyber-physical ‘strikes’ on the business community? James Willison explains why the convergence agenda is now more relevant than ever before

James Willison MA MSyI: Founder of Unified Security, Vice-Chairman of the ASIS European Convergence/ESRM Committee and an Associate Senior Lecturer on the Post-Graduate Security Management Programme at Loughborough University
Convergence, BS 65000:2014 and ANSI/ASIS PAP.1-2012
In more recent times, Government ministers
and senior police officers have called on physical
security practitioners to participate in cyber
security strategies because they acknowledge
the level of expertise resident in our industry.
It’s an instance of learning from our past. Back
in May 1940, Sir Winston Churchill said: “Let us
go forward together with our united strength.”
We now appreciate to a far greater degree
how the technical specialists working diligently
at Bletchley Park provided our military leaders
with details about the locations of Nazi tanks
and battle plans which rendered the Allies’
attacks in World War II so much more effective
and, indeed, saved many lives.
Frankly, we need to re-establish that unity if
we are to have any chance at all of combating
the growing complexity of attacks on all of our
critical business systems.
Collaboration and alignment
In truth, physical security has as much to
contribute to cyber security as does the IT
function. Accordingly, many of us need to
respond and seek opportunities to work with
our cyber security specialist colleagues while
determining how we might actually help them.
We also need to ask for help to ensure that
our own physical security systems are secure.
This is what we mean by the phrase
‘interdependency’.
Of late, it has been particularly encouraging
to see the importance placed on collaboration,
alignment and integration within the pages of
the new British Standard BS 65000:2014
Guidance on Organisational Resilience. There’s a section
specifically focused on ‘Bringing coherence’.
The British Standard states: “The governing
body of the organisation sets priorities for that
organisation to ensure resilience and inform
operational activities. Top management should
align operational activities with these priorities
and achieve coherence across the various
management systems to build resilience. To
ensure that organisational silos support
resilience, the organisation should integrate risk
management activities and operational
disciplines and ensure that knowledge is actively
shared across internal organisational boundaries
so that risks and opportunities are addressed
coherently by all parts of the organisation.
Specifically, the operational disciplines to be
integrated should include, but not be limited to,
the following: cyber security, fraud, physical
security, business continuity… and HR.”
BS 65000:2014 goes on to include other
functions. It doesn’t limit this integration. This is
very similar to the work a dedicated convergence
team carried out for ASIS International in the
ANSI/ASIS PAP.1-2012 Standard which states:
“Analysis, planning, implementation, evaluation,
documentation and review activities need to take
an enterprise security risk management
perspective, integrating all facets of the
functions and processes in the organisation.
Teaming with other business functions and
processes is key to success in protecting the
organisation’s assets.”
Importantly, the two standards also
emphasise the interdependency of risk. BS
65000:2014 says: “The organisation should go
beyond information sharing to collaboration
(see BS 11000) and joint actions where this
realises mutual benefit and where
interdependencies require it.”
The ANSI/ASIS PAP.1-2012 Standard opines:
“Evaluation of interdependencies is critical to a
successful ‘protection in depth’ strategy given
the reliance of many physical countermeasures
on electronic, telecommunications and
information systems.”
While BS 65000:2014 is a high level
document, the terms ‘coherence’ and
‘convergence’ (the latter referenced in the PAP
Standard) are almost interchangeable. It’s
really significant that the ANSI/ASIS PAP
Standard is listed in the ‘Further reading’ for
the British Standard, and I would strongly
advise security professionals to consider how
they might implement both of these standards
within their organisations.
While I would also advocate using experienced security consultants to assist with that process, it’s possible to start by looking at ways in which to incorporate the standards within security policy.

Bibliography

ASIS International (2012): ANSI/ASIS PAP.1-2012 Security Management Standard: Physical Asset Protection
ASIS International Europe (2012): The ASIS/ISAF Security Convergence Survey
BSI (2014): BS 65000:2014 Guidance on Organisational Resilience
ENISA (2014): ENISA Threat Landscape 2014: Overview of Current and Emerging Cyber Threats
EY (2014): Global Information Security Survey
The Security Institute (2014): ‘Recognised, Respected and Professional: A Manifesto for Professional Security’
Tyson D (2007): ‘Security Convergence: Managing Enterprise Security Risk’, Burlington, MA: Elsevier Butterworth-Heinemann
Will IT subsume physical security?
In recent years, respected colleagues in the
physical security arena have expressed concern
that IT will simply take over the area of
corporate and physical security and that
technology will replace much of what we know
as ‘traditional’ security measures.
Convergence has always championed the
view that security professionals from all areas
work together to examine the threats and
achieve a true understanding of risk. It certainly
doesn’t urge the destruction or replacement of
physical security.
In many instances, cyber security
professionals are the first to acknowledge the
skills of their physical security colleagues in the
fields of investigation and criminality detection.
For many years, I’ve advocated the need for
companies to develop policies which train and
deploy physical security officers to identify
cyber security threats.
There are opportunities for forward-thinking
businesses to nurture a meaningful unified
security strategy which helps them in
discovering real threats to the IT infrastructure.
In his excellent 2007 book entitled: ‘Security
Convergence: Managing Enterprise Security
Risk’, ASIS International’s President Dave Tyson
writes: “With your in-house guard force you can
then expand this role to look for more
worrisome breaches, such as rogue wireless
access points or passwords left on written
notes around work surfaces. In our organisation
we were able to reduce IT security policy
violations by 54% in three months.” This will
involve some training, but there are several
ways in which security officers can add value
here, and yet few among us have followed this
sage advice.
Those who are leaders in this field should
seriously examine how they can work with the
cyber security team to help identify threats, ask
for any necessary training and improve the
overall security posture of the business.
Physical Security Information Management (PSIM)
Convergence is effective at many levels
throughout an organisation. We’ve looked at
what some security officers could do, but how
do we identify attacks on our physical systems
and who will attend to this point?
In recent years we’ve witnessed the growth of
Physical Security Information Management
(PSIM). Some have seen how this can really
help improve our response to threats in real
time. That said, we’re now facing up to cyber
attacks on our Critical National Infrastructure in
addition to our IP-enabled cameras and physical
access control systems. This has raised
concerns among some and that’s a good thing.
At last, colleagues are changing default
passwords and even checking for software
updates. Progress? Perhaps, but is this enough?
The determined hacker will, as we witnessed with the Sony episode, find their way in and then do as they please with the company’s systems and data. Is
there anything further you can do to protect the
organisation? Of course there are some
excellent consultants out there who can test
your systems and be of great assistance. Please
do ask for that help if you need it, but what
about technology options?
In fact, there are real-time solutions available
which, once configured, can identify cyber
attacks on your IP video and access control
systems. These solutions do range in terms of
cost but, for some, will be well worth the
required investment.
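To make “identify cyber attacks on your IP video and access control systems” concrete, here is an added example of the kind of rule-based detection such a solution runs. It is not code from the article or from any PSIM product. It assumes a simple syslog-style line format (timestamp, device, event, source IP, user), a security-systems management VLAN of 10.50.0.0/24, and a short set of sensitive events (firmware upload, configuration change, remote door unlock); all of these are assumptions for illustration, and the log lines are constructed, not captured from real devices. It flags brute-force logins against a camera, a successful login from the brute-forcing host, and sensitive operations issued from outside the management network.

```python
"""Hypothetical attack detector for IP cameras and access-control panels.

Added example. The log format, the management network and the list of
sensitive events are assumptions, not taken from any real product.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <device> <event> src=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

MGMT_NET = ipaddress.ip_network("10.50.0.0/24")  # assumption: security-systems VLAN
BRUTE_FORCE_THRESHOLD = 5                        # failed logins per device/source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)        # ... inside this sliding window
SENSITIVE_EVENTS = {"firmware_upload", "config_change", "user_add", "door_unlock_remote"}

# Constructed sample log (not real device output): a guard's normal activity,
# a password-guessing attack from the Internet that succeeds and is followed by
# a firmware upload, and a remote door unlock from an unexpected network.
SAMPLE_LOG = """\
2015-02-03T09:00:01 cam-lobby-01 login_failed src=10.50.0.7 user=admin
2015-02-03T09:00:02 cam-lobby-01 login_ok src=10.50.0.7 user=operator
2015-02-03T09:05:00 cam-lobby-01 login_failed src=203.0.113.9 user=admin
2015-02-03T09:05:01 cam-lobby-01 login_failed src=203.0.113.9 user=admin
2015-02-03T09:05:02 cam-lobby-01 login_failed src=203.0.113.9 user=root
2015-02-03T09:05:03 cam-lobby-01 login_failed src=203.0.113.9 user=admin
2015-02-03T09:05:04 cam-lobby-01 login_failed src=203.0.113.9 user=admin
2015-02-03T09:05:09 cam-lobby-01 login_ok src=203.0.113.9 user=admin
2015-02-03T09:06:00 cam-lobby-01 firmware_upload src=203.0.113.9 user=admin
2015-02-03T09:30:00 acs-panel-03 door_unlock_remote src=10.50.0.7 user=guard2
2015-02-03T09:31:00 acs-panel-03 door_unlock_remote src=192.168.77.5 user=guard2
"""


def parse(line: str) -> dict | None:
    """Parse one log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text: str) -> list[dict]:
    """Run the three rules over chronologically ordered log lines.

    Returns one alert dict per finding: rule, device, src, user, ts.
    """
    alerts: list[dict] = []
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    brute_forced: set[tuple[str, str]] = set()

    def alert(rule: str, ev: dict) -> None:
        alerts.append({"rule": rule, "device": ev["device"], "src": ev["src"],
                       "user": ev["user"], "ts": ev["ts"]})

    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        key = (ev["device"], ev["src"])
        inside_mgmt = ipaddress.ip_address(ev["src"]) in MGMT_NET

        if ev["event"] == "login_failed":
            # Rule 1: sliding-window count of failed logins per device/source.
            window = failures[key]
            window.append(ev["ts"])
            window[:] = [t for t in window if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(window) >= BRUTE_FORCE_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                alert("brute_force", ev)
        elif ev["event"] == "login_ok":
            # Rule 2: a success from a host that was guessing passwords is the
            # strongest signal; otherwise flag any success from outside the VLAN.
            if key in brute_forced:
                alert("login_after_brute_force", ev)
            elif not inside_mgmt:
                alert("login_outside_mgmt_net", ev)
        elif ev["event"] in SENSITIVE_EVENTS and not inside_mgmt:
            # Rule 3: firmware/config/door operations only belong on the VLAN.
            alert("sensitive_event_outside_mgmt_net", ev)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"].isoformat()} {a["device"]} {a["rule"]} src={a["src"]} user={a["user"]}')
```

On the constructed log this produces four alerts: the brute force against cam-lobby-01, the subsequent successful admin login from the same Internet address, the firmware upload from that address, and the remote door unlock from 192.168.77.5. Note that the guard's single failed login and the unlock from 10.50.0.7 produce nothing, which is the point of allow-listing the management network rather than alerting on every event. Real deployments would feed the camera and panel syslog into the same collector the IT security team already uses, which is exactly the kind of shared tooling the convergence argument is about.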
Of course, these systems require training, but if you are working together with the IT Department, its members will appreciate your desire to examine these potential vulnerabilities, and it is well worth making that approach.
As stated, convergence is the bringing
together of security professionals and other
areas of the business to identify and respond to
the actual threats we face and, in turn, more
effectively protect our colleagues. The faster we
can do this the less likely attacks will have the
impact intended by their perpetrators.