Convergence: Physical & cyber security


With the advent and growing adoption of the Internet of Things (IoT), the physical and digital domains are becoming increasingly enmeshed. At the same time, the paradigm shift to all things digital has led to the rise of the cyber threat as a pandemic that is adversely affecting individuals, enterprises, and nations alike. Needless to say, the physical security threat remains, as always. So the question is: do we continue tackling the cyber and physical security threats independently, or do we adopt a holistic approach to security that unifies both?

Consider the following cases:

  • In 2014, attackers hacked into the corporate network of a steel mill in Germany. They then proceeded to exploit the access to infiltrate the production network which enabled them to hijack and sabotage the facility’s control systems. The phishing attack even caused a blast furnace – that couldn’t be shut down normally – to explode.
  • In 2017 in Lappeenranta, Finland, cyber-attackers disrupted the heating systems by targeting them with a Distributed Denial of Service (DDoS) attack. It left residents to fend for themselves at the peak of winter.
  • On May 16, 2018, homeowners across the US, Netherlands, and Canada experienced hours of outage as their Nest-equipped smart homes were rendered inaccessible by unknown causes, highlighting the fragility of the IoT-driven paradigm.

These incidents (out of many others) alone paint a worrying picture of the global cyber threat landscape. Leveraging technology, threat actors are targeting new avenues – including IoT touchpoints – to infiltrate enterprise as well as home networks. This is worrisome because the number of IoT-connected devices is projected to reach 75.4 billion by 2025, and organisations are showing greater dependence on this technology for enabling their physical security, building management systems, etc.

In an IoT-enabled world, break-ins would come through the cyber route, and if the physical security measures are not up to speed, it would probably be a walk in the park for criminals to get away with what they want. Unsurprisingly, Verizon’s 2018 Data Breach Investigations Report revealed that more than one-tenth of data breaches in the previous year involved a physical component.

Considering that this trend is only going to grow in scope and severity in the future, organisations and professionals across verticals need to recognize the degree of the overlap between the physical and virtual. Physical security experts and IT leaders must take significant steps to set up a robust security system. How? The answer lies in convergence itself.

Why convergence?

In the face of increasingly intertwined physical and digital threats, business owners need to ensure not only that their cyber security is optimised but also that their physical security equipment is appropriately installed, updated, and maintained. As organisations become smarter and more digitized, internet-connected and cloud-enabled physical security systems are as much at risk as any other device connected to the enterprise network.

Further, cyber threats steadily morph into physical danger, as illustrated in the examples above. Cyber security, thus, needs to be aligned with physical security in terms of risk management. Once we get there, we enter the domain of convergence – of security departments and processes.

But why is it needed at all?

While the aforementioned examples shed light on how weak cyber security can compromise an organisation’s physical security systems, the reverse is also true. Consider this scenario: an enterprise has best-in-class cyber security in place to protect its servers from external threats via the digital route. However, miscreants exploit a vulnerability in the physical security to infiltrate the premises, and can thus target the server and sabotage or destroy it.

Keeping robust IT safeguards is not enough if an enterprise scores low on the physical security aspect. To ensure all-round cyber security, enterprises need to pay attention to the physical aspects as well. This is where convergence comes into the picture. It marks the organisation’s transformation from being simply secure in isolation to being proactive and preventative in its approach to security.

Towards an empowering synergy

This convergence can deliver superior dividends to organisations, especially for an increasingly digital-first economy such as India which, according to the 2018 ‘Internet Security Threat’ Report, is the second-most targeted country behind the USA.

The benefits of convergence are manifold. Besides enabling superior risk management and improved security asset utilisation, such efforts can deliver enhanced and faster responsiveness to threats at a lower cost. They can also enable the development of unified cyber and physical intelligence along with a smart and aware workplace environment. A convergence-enabled workplace can also put employees at ease, which can translate into a superior experience and greater productivity.

The digitally transforming ecosystem requires security personnel and procedures to undergo constant and continuous upgrading to keep pace with technological change. The convergence of physical and cyber security, therefore, cannot be incidental: it has to be strategically developed by experts to fortify organisations against all types of physical and cyber threats.

The first step towards achieving this is establishing a symbiotic relationship between physical and cyber security leaders. To achieve this, the management needs to drive organisation-wide awareness campaigns emphasizing the need for the transformation towards convergence, especially among the physical and cyber security teams.

The management must link the need for the teams to work together with the overarching organisational vision. This will not only encourage them to adapt to the paradigm shift more easily but will also boost their confidence in each other and the organisation. The leadership will also need to train and educate them to make the process smoother while minimizing the chance of friction between cross-functional teams.

Organisations can also keep an expert in a senior-level position to oversee the transformation. They can partner with new-age ventures that are dedicated to enabling the convergence within enterprises. This will bolster the capability of Indian organisations to not only defend themselves but also thrive in the rapidly-evolving threat landscape.