Security users and the security industry need to stop treating physical and cyber security as separate issues and focus on the ways they can most effectively collaborate. That was the message from a panel of experts looking at the challenges facing the traditional physical security technology industry in the face of increasing cyber threats, at The Security Event 2019 in Birmingham.
The panel, “Convergence in an increasingly cyber enabled age”, was chaired by Philip Ingram MBE, and participants included consultant Peter Houlis, Ellie Hurst of consultancy and training provider Advent IM, Andrew Tsonchev, Director of Technology at Darktrace Industrial, and Patrick McBrearty, a ‘Cyber Patrol Officer’ for the West Midlands Police Regional Cyber Crime Unit.
McBrearty pointed to examples of the rising threat of cyber crime using physical technology to gain access to network vulnerabilities, including a Las Vegas casino robbed when hackers gained network access through an internet-enabled fish tank. But, he said, there is a dearth of understanding of the risks, and a real need for education at all levels.
Andrew Tsonchev described a “new kind of hybrid attack”, in which attackers compromise physical security items. “We’ve seen an example of someone hacking into a networked fingerprint reader, uploading their own prints, and then using that to gain access,” he said.
Hurst said security technology manufacturers, installers and end users all formed a chain of vulnerabilities, and all need to ensure that a security system is truly secure at every point. “There’s a need for shared responsibility,” she said. “It’s not just a technology problem, it’s a people problem – they are the threat that lies between physical security and network security.”
The panel agreed that there is a real need for more effective education, and Houlis suggested that the physical technology security industry faces a looming problem with no real qualification path for installers to follow.
Tsonchev said that in other industries, network specialists and physical specialists have been most successful when able to cross-pollinate, working together rather than trying to learn an all-new set of skills.
Peter Houlis said the need for working together is urgent. “We need to treat both physical and cyber security as elements of risk management, and allow specialists to focus on their areas of expertise. That needs to happen at board level,” he said.
Hurst pointed out that the UK Cabinet Office estimates that cyber crime costs the UK £27bn a year – and acknowledges that number as vastly under-reported. “Convergence and collaboration need to happen now,” she said. “The bottom line is that the threat actors are far more converged and collaborative than the good guys are, and we need to start catching up.”
Tsonchev said it was crucial that IT and physical security products themselves are able to work together well. “We’re pushing for those technology products to be as agnostic as possible to enable this cooperative working approach,” he said. “We need to accept the inherent risk of networks. With the rise of IoT, the risk comes from the increased complexity. The genie is not going back in the bottle.”
And McBrearty highlighted the huge risk posed by cyber crime, as well as its relative lack of resourcing compared to the other priorities. “Cyber crime is a Tier 1 risk, similar to that posed by the conventional terror risk,” he said. “But there’s no comparison in the funding allocated to try to combat it.”