The debate continues about who is responsible for protecting the physical security systems from cyber threats since the majority of the new physical devices are connected to a network.
Fremont, CA: Physical security systems are nowadays dependent on IT and extremely vulnerable to attacks. In 2016, the BSIA warned of the threats and recommended that end-users of IP connected CCTV systems should ensure they have extensive cybersecurity policies in place. In 2019, a Norwegian brand has to spend £45 million for restoring its systems, and factory machinery, after it was attacked by ransomware criminals. In 2019, the BBC series The Capture showed how CCTV could be hacked to convince police and security that a potential suspect was guilty by adjusting time- frames in the systems.
Who should be held responsible for this?
Should it be the owner of the systems? For some folks, this is clearly the physical security lead, since they or their predecessors purchased or recommended it. Or is it the head of IT who authorised the CCTV systems, who gave responsibility for the physical security lead? Or perhaps head of cybersecurity? In risk management, there are Responsible, Accountable, Consulted and Informed (RACI) tables which indicate that one person is responsible for the work efforts and management of the risks. This is mostly the system or business unit owner, and that is very hard to determine for a large organisation. Other business functionalities are meant to support that person and offer their suggestions. If you occupy any of these roles, then it is crucial that you ensure the protection of systems from attacks, whether you are responsible for them or not. If you see someone who needs help, then offer your expertise. It is a cross-functional team effort. Physical security professionals seldom are experts in cybersecurity and should not engage in managing risks. It is a highly complex area that requires years of experience and development. The problem arises when the cyber department is busy protecting the network from new risks and do not give importance to the security of the physical security system.
It is definitely a challenge for the physical security lead to fully be aware of the cybersecurity aspects, but it makes real sense when departments collaborate and form cross-functional teams to address these issues. It is equally important to monitor real-time cyber attacks. This is precisely why the convergence of security operations is needed to stay safe in the digital age.