As we talk about physical security and technology, it can’t be long before the conversation turns to cyber vulnerabilities, especially with the rapidly growing numbers of IP-enabled physical security systems: what could be called the Internet of Security Things (IoST).
To traditional physical security people, cyber seems like a dark art, “he who shall not be named,” but you have to realise that cyberattacks are started in the physical world by a person and end up having an effect in the physical world on people. The means of attack is computer code, and the environment the perpetrators manoeuvre through is a cyber environment, or cyberspace.
The reality is that these events are a physical and a cyber security challenge at the same time, and the traditional barriers between physical and IT security must be bulldozed aside, and quickly, if we are to mitigate the rapidly morphing and expanding threats.
Connectivity is increasing, and boy is it increasing: Gartner estimates that more than 25 billion connected devices will be utilised by 2020 in the revolution that is referred to as the Internet of Things. Does this really pose a threat? Is this not something that is dealt with by the cyber security geeks? Why should we worry?
When I look at the digital world, I see it no differently to the physical world; it is just a different domain, and for the life of me I have difficulty understanding why people behave so differently in the digital world than in the physical world.
‘Cyberspace’ is something everyone should start to understand more as it is the environment where elements of the physical world are connected. It is the environment where security and technology join.
However, the threats through cyberspace are rapidly evolving and cyberspace has become an operating environment for nation states, terrorists and criminals alike. Security professionals must be aware that they could be the target of interest or attacks from any or all of these actors. Rogue nations see influencing the physical world through cyberspace as a natural extension of their foreign policy. Just remember the impact the NotPetya and WannaCry attacks had on different organisations.
WannaCry and NotPetya were hugely successful because they attacked via vectors that had not been updated and patched properly; had they been, the impact of the attacks would have been greatly reduced. The Department of Health and Social Care (DHSC) estimated that the WannaCry attack of 2017 cost the NHS £92 million in direct costs and lost output. The shipping giant Maersk estimated that the 2017 NotPetya attack cost it $300 million.
Gary Miller, the then UK Managing Director, Thales Cyber Security and Consulting UK, said to me a couple of years ago, “Digital technology is transforming the way we live our lives, do business and share information. This new online environment brings with it unprecedented opportunity alongside increased risk for both public and private sector organisations.” The security professional needs to be aware of their update and patching policy now, as much as their guard routine!
But surely security devices are secure? In a word, no. One illustration of this came a couple of years ago, when the internet domain name system (DNS), the address book for the internet, controlled by a company called Dyn Inc, was subjected to a distributed denial-of-service (DDoS) attack. The address book was overloaded with data and couldn’t point people to the right website; in effect, part of the internet was disabled. Many of the devices that carried out this attack were security devices, IP-enabled cameras and the like, infected with a piece of malware called Mirai, which created a botnet of thousands of devices, all of which flooded Dyn Inc with requests, overloading its servers.
The key to integrating technological solutions into areas of traditional physical security and staying safe in the cyber environment is to think of it holistically with the physical environment, identify the risks and threats in the same way and mitigate them using the same principles. Do the basic things well and correctly all of the time, with a culture of positive ownership of security responsibility by all, and you will make it difficult for anyone to get into your systems.
If the risk from lost business, lost reputation and stolen intellectual property were not enough, the potential fines under the European General Data Protection Regulation (GDPR), which came into effect in May 2018 and will still apply post-Brexit, should ensure that management oversight of security, including cyber security, is something on every board meeting agenda. The greatest difficulty is that the measurement of success is that nothing happens, and senior management needs to realise that the cost of something happening could be catastrophic.
With the explosion of IoT and IoST devices, and with even more interconnected gadgets carried by everyone today, the threat landscape is growing exponentially. The basics cost very little to implement and need good leadership to maintain. Cyber security is as much a leadership and cultural issue as it is a technical one. However, cyber security, the basics at least, is the responsibility of every member of staff, and every member of the security community needs to have a bit more of an understanding. As technology grows in the security arena, so must the security staff’s understanding of the threats and how to deal with them grow alongside.
In essence, proper defence requires a cultural change and a recognition that protection is only as good as the weakest link. Security professionals must be able to assess that weak link, whether it is in the physical or the technological arena; no longer should it just be an issue that the IT department deals with.
As more and more tech comes online, I am reminded of a conversation I had with Eugene Kaspersky, the CEO of Kaspersky Lab, when he said, “I don’t see the Internet of Things as the Internet of Things, I see it as the Internet of Threats,” and went on to say he found it “curious to live in this world as I don’t know what will happen tomorrow” as he referred to how the threat, and cyber criminality, is likely to grow.
Philip Ingram MBE
Philip Ingram is an internationally renowned defence and security journalist and consultant. He builds on a long and distinguished military career, having retired as a full Colonel after performing intelligence, counter-intelligence, security and planning roles whilst on active service. He is also the man behind the hugely respected Grey Hare Media. Philip is a strategic thinker and recognised subject matter expert on issues of international security, defence and geopolitical events…..