Security megatrends were the topic of the hour at ASSA ABLOY’s 18th annual Systems Integrator Breakfast at ISC West.
A panel of industry veterans discussed “Navigating Megatrends for Sustainable Growth,” a session dedicated to three forces shaping the future of the security industry: sustainability, cybersecurity and artificial intelligence (AI).
Hosting the event was Angelo Faenza, ASSA ABLOY Opening Solution’s Head of Digital Access Solutions. Some focus was given to sustainability, a topic of rising concern amidst the growing unrest around climate change, as well as cyber-physical hybridization. But AI won the lion’s share of discussion by a landslide.
A Sustainable Approach to Security
The sustainable security movement was very politically charged in the beginning, but it wasn’t meant to stay that way, noted Faenza: “Now it’s about what’s good for your business.”
Sustainable and efficient security technologies that reduce a company’s carbon footprint or energy consumption may simultaneously offer a competitive advantage.
Panelist Peter Boriskin, Chief Technology Officer for the Americas at ASSA ABLOY, began his talk with the wish that security professionals think about emerging security trends in terms of strengths, weaknesses and opportunities. He outlined a roadmap for symbiosis and collaboration.
“The perception is that sustainability and security are at odds, and that is not necessarily the case,” Boriskin said.
Wireless access control systems, for example, are simultaneously secure, minimally invasive, easy to manage and highly power efficient -- meaning smart buildings don’t have to sacrifice efficiency and efficacy to reduce environmental impact, he says. Those traits may also be highly attractive to clients.
“People don’t think about the non-security benefits of security practices,” he says.
Pivoting again to an opportunistic focus, Boriskin elaborated on his “security with a capital S” approach to innovate holistic security solutions. “As we think about integrated approaches, we have an opportunity to create converged security services for customers,” he notes.
An Expanding Cyber Perimeter
While many security teams are concerned primarily with defending their perimeter, that perimeter has expanded far beyond the physical in modern times. The businesses of today must maintain a robust cybersecurity posture as attacks increase in both scale and sophistication.
“Cybersecurity is not just about opening an infected email,” said Faenza in his opening remarks. “It’s so much deeper. Our products live on the network now.”
The mass connection of once-everyday devices to the internet has opened the floodgates for threat actors to infiltrate systems using somewhat unorthodox methods. According to Chris Warner, panelist and GuidePoint Security’s Senior Security Consultant, OT Security GRC, over two thirds of operational technology (OT) systems are connected to the internet, creating a huge attack vector.
“The more we connect, the more compromised we can get,” Warner elaborated. “We lose eyes and ears on something and we can’t protect it.”
This hybridization of physical and cybersecurity has long been on the horizon, and efforts to more closely integrate the two have been slowly gaining traction in recent years. But the merge has not been seamless. A wealth of outdated technology hampers teams attempting to make the change, Warner says, with legacy systems causing a significant drag on traffic.
“The right side isn’t talking to the left side,” Warner commented. “Physical and cybersecurity have to work together.”
As physical security systems move online in droves, particularly to the cloud, an emergence of hybrid security threats threaten organizations.
According to Warner, recent attacks in certain sectors, including critical infrastructure and healthcare, have aspects of both physical and cyberattacks. Cyber-secure server rooms may still be prone to physical breaches, and physical security systems dependent on an internet connection can be hacked or shut off remotely.
The panelists urged optimism in the face of these new hybridized threats. Boriskin pointed to the wealth of experience physical security professionals can bring to solving 21st century problems.
“Existing sensors working in concert between the two disciplines can create holistic solutions,” said Boriskin. “A lot of our issues are just new versions of old problems, and we have a lot of solutions that we can bring to bear.”
Warner likened his defense strategy to “siege warfare,” with employees, or the first line of defense, serving as the “moat.” With responsive employees delaying attackers on the front lines, security teams are given the time needed to address threats, he explains. Risk assessments and documented security plans further improve an employee’s ability to identify and properly react to suspicious activity.
This comes from closer relationships with an organization’s security executives, who must analyze an organization’s risk and pass that understanding down the ladder, says Warner. To do this, there needs to be a clear line of communication from the front line to the C-Suite and senior leadership.
Getting frontline employees and security executives on the same page about training and risk assessment is especially important in the modern age, according to Antoinette King, Founder of Credo Cyber Consulting and a panelist at the event.
Hostile nation state actors aren’t the only threats anymore, and those on every level of an organization are attractive targets for social engineering campaigns bolstered by AI technology, she points out.
Mitigating the Risks of Artificial Intelligence
The unprecedented AI technology boom has completely transformed the global threat landscape, earning its megatrend status.
AI has seen a closer shift toward deep learning than machine learning, says King, or the use of artificial neural networks to mimic human behavior.
The sophistication of this technology has enabled unskilled threat actors to carry out cyber attacks on a scale they would not have been otherwise able to. Glitchy robocalls and inauthentic typo-riddled emails have been replaced by voice cloning, personalized messages, and even malicious AI-generated code.
“Attacks that once required sophisticated skill can now be accomplished by AI,” King says. “It lowers the barrier of entry to these types of attacks.”
Because AI models feed on massive amounts of data, personal data could also be compromised, she notes. The vast amount of personal data available on social media, for example, provides malicious actors with perfect bait for spearphishing.
“It does introduce some new school problems,” said Boriskin. Advancements in AI to clone voices, generate personalized messages, and gather data has led to unpredictably effective spearphishing attempts.
Boriskin recalled an instance in which a hacker orchestrated a fraudulent Zoom call filled with the deep-faked identities of several executives to target a specific CFO, marrying all three of these technologies to devastating effect. “They knew exactly who would be in that call.”
As a new and relatively untested technology, AI also has vulnerabilities beyond exploitation by hackers. Because AI is not true intelligence, it may recite incorrect information or reference things that do not exist, a phenomenon that Boriskin called “AI hallucination.” A model might also suffer “data poisoning” if it is given incorrect information or infected with malicious code.
As AI is essentially a well of all the data it has collected, it is also capable of developing biases. This may result in healthcare solutions or facial recognition software that discriminates on the basis of race, age, or sex.
Panelists still believe, however, that AI -- despite its risks -- is worth support. “A lot of these issues are just new versions of old problems, and we have a lot of solutions that we can bring to bear,” said Boriskin.
King concurred that regular auditing, collaboration with regulatory compliance and adversarial training for large-language models could eliminate AI models developing biases or frequently “hallucinating.”
Embracing the Benefits of AI
“Artificial intelligence is synonymous with the future, but many don’t know what it is,” says Dan Reichman, breakfast panelist and CEO and Chief Scientist at Ai-RGUS. To combat this, he described AI’s benefit to the industry in terms of tasks.
To complete a task, he explained, instructions and recognition are necessary. Because AI models can be given instructions and trained to recognize patterns, they can automate repetitive tasks that would otherwise take a significant amount of time or effort to accomplish free of human error.
More difficult tasks, like writing technical instructions or reviewing X-rays, can be made possible without consulting an expert.
“From a commercial perspective, AI saves time and money and can be a competitive advantage if you find it for your use case,” Reichman said.
Aside from the automation of tasks, AI can also be utilized for business intelligence, threat detection, and behavioral analysis. All of these things can elevate the customer experience and reinforce existing surveillance and access control systems.
King points to a unique application of AI that uses digital twins and 3D modeling to simulate incidents, security walkthroughs, and technology integrations.
“AI is not going away. It’s only going to get more and more advanced,” says King. “It’s very exciting for our industry, but it’s something we need to be cautiously optimistic about.”
Samantha Schober is associate editor at securityinfowatch.com.
