The State of Converged Security Operations

Convergence is still alive, and it’s more than just a buzzword

Convergence is a Necessity

When electrical utility companies were not getting the picture on convergence, the North American Electrical Reliability Company (NERC) developed Critical Infrastructure Protection (CIP) standards that mandate many elements of convergence. For facilities covered by the regulations, the security plan has to define both “physical security perimeters” and “electronic security perimeters.”

Physical security perimeters are the physical borders surrounding computer rooms, telecommunications rooms, operations centers and other locations in which critical cyber assets are housed and for which access is controlled. Where a complete six-wall border (four walls plus a ceiling and floor) cannot be established, alternative measures of protection are required.

Electronic security perimeters are the logical border surrounding a network to which critical cyber assets are connected and for which access is controlled. Network connections to computers and control equipment are the “doors” through which to gain passage beyond the electronic security perimeter.

The NERC CIP standards actually specify that physical access control systems must protect the electronic security perimeter, and that cyber security measures must be applied to the physical access control systems. In other words, the physical and logical access control systems must protect one another. But the standards don’t stop there. Change management processes must include review and application of physical and logical security measures. Why? Because the converged application of security measures is necessary in order to establish acceptable security for critical electronic assets.

Exelon Corp. operates the largest fleet of nuclear energy plants in the United States. In a keynote address last September to the Nuclear IT Strategic Leadership (NITSL) Symposium, Susan Landahl, Exelon’s senior vice president of Operations, said, “Cyber Security is going to rival physical security in importance. Physical and Cyber better learn to get along; in fact, we need to co-locate them now in the same organization.”

The State of the Union

In leading organizations, the union between corporate and physical security and IT is established around key touch points, with collaboration increasing under an overall objective of benefiting from convergence, and with that objective followed up by specific planning. Organizations that are achieving the greatest benefits from convergence are those with strategic risk planning collaboration at senior levels, and that also have tactical collaboration in appropriate projects, initiatives and ongoing operations.

However, most organizations still struggle with technical and organizational convergence issues, mainly because of a lack of active convergence knowledge and planning. They do not get out in front of convergence issues — they work reactively, addressing problems as they arise, but without thought of advancing their organization into a stronger position, and without understanding the full convergence landscape.

Top-to-Bottom Convergence

Organizations that have been most successful at advancing through convergence have been those with convergence dialogs and planning going at all levels from top to bottom in the organization. These are rarely discussions about convergence itself, as a subject or topic. They are discussions about identifying and addressing risks at various levels of the organization.

How Do You Start?

Dave Tyson is Senior Director and CISO at Pacific Gas & Electric Company (PG&E). Incorporated in California in 1905, PG&E is one of the largest combination natural gas and electric utilities in the United States, serving more than five million electric customer accounts and four million-plus natural gas customer accounts. Tyson is also the author of the book “Security Convergence: Managing Enterprise Security Risk” — the working reference that I use when my security practitioner clients want to address security convergence to improve their organization’s risk profile. The book covers the full convergence spectrum in a very practical way.

Making a good start should include an important convergence insight: it is people who advance the organization’s risk awareness, set strategies and policies, collaborate and develop security plans, and put such plans into effect. People change the organization, not technology. So although there has been a great focus on “convergence” products and features in the security industry, the place to start is with people.