Real words or buzzwords?: NIST declares physical access control systems are OT

Feb. 27, 2024
Does it really mean anything that OT has joined the parade of labels (IT, IoT, and then IIoT) variously getting applied to security systems?

Editor’s note: This is the 74th article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.

First, physical security devices were labeled IT, IoT and then IIoT (Industrial IoT). At the same time, security systems were labeled Cyber-Physical Systems (CPS).

Now, the National Institute of Standards and Technology (NIST) has classified physical access control systems and devices as Operational Technology (OT).

Is the security industry undergoing a long-term product identity crisis?

It All Started with IT

It all started in the early 1990s with the introduction of computer software and networking in physical security systems. In 2005, the federal government began classifying physical security systems as IT systems.

The Security Industry Association’s Quarterly Technology Update (QTU) of June 2005 stated, “A key concept of this QTU is that U.S. Government automated security, access control and digital video systems are now considered Information Technology (IT) systems, and as such, all of the protections and design criteria applicable to IT systems in the Federal space will be applicable to these systems.”

Since then, the security industry overall has struggled with IT adoption, and still lags in the adoption of the design and deployment practices relating to information technology (see the Real Words or Buzzwords article titled, “Shallow IT Adoption.”).

But the main point here is that the federal pronouncement of the “Information Technology” label meant that new sets of policies, practices and technical requirements would now be applied to all physical security systems being deployed in government facilities.

As could naturally be expected, many security industry marketing folks are fond of grabbing and touting such labels in articles and literature to position their company and products as being current, highly relevant and worth considering.

That’s their job. However, before doing that, they should make sure that they consider the answers to the following questions.

  • What does the label really mean?
  • Why is it being applied?
  • What aspects of our offerings are relevant to the new label?
  • What, if any, changes do we have to make to products and/or services to live up to that label?
  • Is there any advantage in promoting that label?

Notice that promotion is last on the list, not first. Living up to the label should be a prerequisite to using it!

IoT and IIoT

While we were still working to get IT right, the IoT buzzword arrived and got traction in the early 2010s. Suddenly many camera makers and other security device companies were calling themselves “Internet of Things” companies.

For several years that became a popular security industry buzzword even though very few products were designed for secure and reliable Internet communications. Many companies made big use of the IoT moniker when they shouldn’t have because their products weren’t Internet ready.

General Electric gets credit for coining the term Industrial Internet of Things (IIoT) in 2012. GE has been instrumental in the development and popularization of IIoT.

For example, its jet engines began sending diagnostics back to GE via the Internet, so that airport service crews could be standing by ready to perform needed maintenance instantly, eliminating the previously common on-the-ground diagnostic delays.

The IIoT label also appeared in the security industry. An excellent article that used this label appeared in September of 2023 titled, “How to Protect Network Centric Physical Security Systems”, written by Jeffrey Slotnick and Antoinette King.

Its introduction says, “In the modern era, the Industrial Internet of Things (IIoT) has revolutionized the way we interact with technology, offering increased convenience and efficiency.

“In the realm of physical security, IIoT devices have become pervasive, seamlessly integrating into our daily lives to safeguard our homes, offices, and public spaces.

“However, while these smart devices offer numerous benefits, they also expose us to significant vulnerabilities. The physical security device manufacturers, security executives and physical security practitioners no longer have the luxury of cyber ignorance.”

The italic emphasis is mine, because I applaud this long overdue statement made by two people who are more than well-qualified to make that assessment.

Cyber-Physical Systems (CPS)

At the same time as IIoT was advancing, there was heightened interest in Cyber-Physical Systems, an ongoing area of academic research at many universities for over 20 years.

A cyber-physical system (CPS) is an integrated system comprising computational (cyber) and physical components, tightly interconnected and interacting with each other.

Physical access control and intrusion detection systems are by definition cyber-physical systems, as are video surveillance systems whose motion detection notifications are fed into access and intrusion alarm systems.

Furthermore, what we call a deployed “physical security system” is actually a “system of systems”, which is an area of academic research within the Cyber-Physical Systems domain.

The term wasn’t being ballyhooed in the security industry in large part because the label is meaningless to customers, and so there is no marketing value in promoting that label. However, the arrival of that label should have triggered the asking of the five questions at the start of this article.

Operational Technology

The Operational Technology label was applied to physical access control systems in the glossary of the September 2023 revision to the Guide to Operational Technology (OT) Security, which is NIST Special Publication 800-82r3, now at 299 pages.

The NIST defines Operational Technology thusly (italic emphases added): “A broad range of programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment.

“These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.”

Not Really an Identity Crisis

So, in the last 20 years physical security systems have been labeled IT, IoT, IIoT, CPS and now OT. I’d like to call this continual relabeling of security technology a “security product identity crisis” but it’s not the physical security devices themselves that are confused.

The industry crisis is the fact that every label after IT represents a different deployment setting in which information technology is being applied. The common element among them is that they all need cybersecurity for their information technology elements. It’s the depth of adoption of cybersecurity principles and practices where the industry is lacking.

When founders and product development teams enter the security industry from outside domains, such as IT, they already know the answers to those questions, so they often are the source of true innovation for physical security.

Example Cyber-Aware Application of IT

This is the case with Eagle Eye Networks, whose founder (Dean Drako) was previously the founding CEO of Barracuda Networks, a provider of security, networking and storage products based on innovative network appliances and cloud services.

Some in the physical security industry scoffed at the fact that Eagle Eye built routing and firewall capabilities into their Bridge appliances (which buffer camera video before optimally sending it to the cloud) and Recording appliances (which have Bridge functionality as well as recording capabilities).

Eagle Eye network appliances also include support for DHCP (Dynamic Host Configuration Protocol), a network management protocol used to dynamically assign an IP address to any network device so it can communicate using IP.

The Eagle Eye VMS is the only true cloud VMS platform having on-premises appliances that establish highly secure camera LANs that can protect other cameras on the LAN, or any connected network, from malware from a pre-infected camera.

Because the Eagle Eye appliances are cloud-managed, the appliance firmware is automatically kept updated for emerging cyber threats without any attention required from end user customers or security integrators.

The appliances are truly IoT devices because they were designed from the start for high-performance and secure functioning over the Internet with full awareness of the cybersecurity risks to account for.

Eagle Eye is also a member of the Cloud Security Alliance’s STAR Registry, which has only three members from the physical security industry (the other two being Brivo Systems and Alcatraz AI). Such a lack of industry participation is just more evidence of the industry’s general cyber ignorance that Slotnick and King wrote about.

A Unifying Perspective

The good news is that what’s important about the Guide to Operational Technology (OT) Security is not that it labeled physical access control as OT -- it’s that the guide itself provides specific guidance for applying foundational cybersecurity documents to cyber-physical systems, which differ in important ways from traditional information technology.

There is something much more important to the physical security industry than the fact of the new OT label being applied. What’s critically important is the specific purpose for the recent update to the Guide to Operational Technology (OT) Security.

The document states that the purpose for the update is to provide “additional alignment with other OT security standards and guidelines”, including two foundational cybersecurity guidelines:

  • NIST Cybersecurity Framework
  • Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53, Rev. 5)

Two important aspects of this improved cross-guidance alignment are:

  1. New tailoring guidance for NIST SP 800-53, Rev. 5 security controls. This tailoring guidance shows how to adjust the NIST SP 800-53 controls for a better fit to OT products and systems. There are 67 additions labeled “OT-Specific Recommendations and Guidance”, most of which apply to electronic security system deployments. Some guidance will apply conceptually and require a little thinking to fine-tune it for specific deployments, and some guidance applies very directly. It’s also likely that some recommendations have already been applied.
  2. Appendix F provides an OT overlay for NIST SP 800-53, Rev. 5 security controls. This provides tailored security control baselines for low-, moderate-, and high-impact OT systems. Some are specific to physical access control systems.

Thus, this guide provides a single perspective from which both IT specialists and physical security specialists can collaborate about cybersecurity not just for physical access control, but for all electronic physical security systems.

Making Sense of It All

Hopefully, physical security and IT collaboration around cybersecurity guidelines, based on the NIST Guide to Operational Technology (OT) Security, will help us make significant progress in ending the physical security industry’s heretofore persistent cyber ignorance.

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Follow Ray on Twitter: @RayBernardRBCS.

© 2024 RBCS. All Rights Reserved.