The New Paradigm of Converged Security and Risk

Sept. 20, 2018
How the convergence of IT, OT and physical security will improve risk assessment and mitigate organizational liability

The next-level technology evolution is coming. Long-awaited and discussed, the full convergence of all systems has now been made feasible by Artificial Intelligence, secured communication, and advancements in physical security technology, or more simply, IP-based technology on the network. Initially, this meant that devices could be connected to one another and, to some limited extent, communicate. In the fully converged future, soon to be the present, this communication will enable far greater intelligence capabilities to protect our organizations from risk and liability in ways previously not possible.

Reading this, you may be thinking that we are already well established in this paradigm. In the physical security industry, we have integration between systems such as identity management, access control and video surveillance, along with PSIMs and incident management software. The progress over the past few years has delivered many benefits to users in the way of convenience and efficiency.

For example, a person can go from street to secure office without ever touching a key or card. Using an app on their phone or facial recognition technology, they enter the building through a security revolving door or turnstile. An integration with the elevator system automatically brings a car to the lobby floor, opens the doors and whisks the employee to their floor. Once at their desk, if they have authority as a facility manager, they can log in to the building’s HVAC system, make adjustments and read logs directly from their laptop/computer.

While these capabilities are a powerful demonstration of integration, they still fall short of full convergence with IT and OT systems. What is more concerning, today’s IP-enabled and connected world has created new vulnerabilities for which organizations are not yet prepared. This gap leaves organizations with a dangerous shortfall when it comes to proactively identifying and mitigating risk. The situation becomes even more clearly untenable when you consider that beyond direct risk to people, property and assets, there is virtually limitless exposure to liability – to the organization and to the C-suite itself – engendered by the lack of communication between those areas of business operations.

To address these issues, a new set of converged standards is in development now; standards that apply to every industry, which will help companies holistically assess and improve their current risk posture. Yet this is only one part of the solution.

Traditional Business Risk Assessment – a Broken Paradigm

Business risk assessment, separate from and not to be confused with business security risk assessment, has traditionally been handled by professional services firms. The goals of such an assessment could include finding new investors, evaluating potential liability or obtaining insurance. This is an assessment model which is top-down in nature; the analysis is based on business activities such as profitability, retained earnings, personnel and workflows. Security itself is often not given any particular consideration in this model.

Another key factor in traditional risk assessments is the application of compliance regulations and their oversight. Depending on the industry, there are many different regulations that must be followed, necessitating an additional layer of business operations. Since these regulations have been created to help reduce risk, some of them do cross over into the realm of physical and cyber security – yet that factor may not be specifically included in the assessment.

Overall, the risk assessment done by a professional services company will be looking at governance, which can be defined as the collective management activities of all the diverse business operating units of an enterprise. The better the governance, the theory goes, the less risk and liability exposure there is to the organization. However, again, security is not typically a part of this assessment, and so it is left out of the governance overview as well.

The final result of the assessment is typically a rating and a maturity level, which are then used to achieve the above-mentioned goals. Yet without the consideration of security practices relating to IT, OT and physical security, the rating and maturity level can only tell part of the story, particularly when it comes to liability.

A company can still be vulnerable to security threats such as cyber hacking, theft, workplace violence, active shooter, data breach, and so on. To illustrate the very real nature of this risk, in 2013 Target – a highly-rated Fortune 500 company – was the victim of a cyber-attack in which the hackers entered the network through a vulnerability in the HVAC system and stole data from 40 million credit and debit cards of shoppers. The breach cost Target $202 million, along with damage to the company’s public image and trust. Ultimately, the CEO was fired.

Security Assessments – The Other Puzzle Piece for Risk and Liability

Whereas traditional risk assessments have been managed by professional services companies, security assessments have been handled by security-specific consulting companies. These consultancies typically do not look at the business risks discussed above but limit their oversight to IT, OT and physical security practices.

Exacerbating this disconnect, completely different providers with differing specialties generally assess the three disciplines (IT, OT and physical security) separately.

Management in each of the three disciplines develops their own strategies to protect the enterprise by preventing incidents that relate to their systems. For example, IT management will run penetration testing exercises to find and eliminate vulnerabilities in their networks. Physical security management will deploy surveillance cameras with advanced video analytics to detect potential problems such as a backpack left in a hallway, or to help identify criminals after an incident. OT systems, originally designed to be standalone but now usually connected to the network in order to ensure their continued stability, are typically exceptionally robust and can last for well over 25 years with little more than routine maintenance.

Double Trouble and Catastrophic Consequences

As described above, the model for identifying risk and potential liability is doubly broken. The first gap is within the security piece, as there is normally little-to-no connection between the silos of IT, OT and physical security; the second is beyond security, as there is typically no correlation with the risk profiles presented by business operations and governance.

With multiple areas of business functions each being evaluated by different entities, the organization cannot be fully and properly assessed with regard to risk. Putting together the two halves of the funnel illustrates the way in which liability blooms at the junction between security and business.

To visualize this in the context of an actual incident, imagine this potential “kill chain”. A large office building is connected to a manufacturing plant where electronic products are assembled. Within a single day, there are three separate events: OT sees an unexplained rise in temperature in one section of the manufacturing facility, physical security is alerted that a terminated employee has attempted to use expired credentials to enter the office, and a data storage server is compromised. Each of these incidents triggers some sort of response; however, the responders do not communicate with one another and there is no recognition or understanding that these events are all related.

Days later, the real event occurs – a massive data breach with catastrophic results. The manufacturing process is ruptured, tens of thousands of customers have their personal information stolen, and the company’s financial records are held for ransom. Top management finds their names plastered all over the news, and they are ultimately held personally liable for tens of millions of dollars in damages. The company’s reputation is in ruins.

While this is a worst-case scenario, it is by no means impossible. A wide variety of versions of this story is playing out every day right now around the world. It is up to each individual organization to ensure that they are protected in this new risk environment.

What is most needed is what is known in IT as a “single pane of glass” – one view that converges and correlates all communications and information necessary for management to make critical judgments and take swift action when needed. This would encompass all business operations and governance along with OT, IT and physical security, providing the resource needed for a full converged risk assessment. This is the new paradigm that today’s businesses truly require, to best prevent and mitigate all business risks and liabilities.

Positive Disruption: Creating a New, Converged Standard

As organizations have individually recognized the need for this converged view, many have taken it upon themselves to create a custom, home-grown version that meets their own needs. While this seems to be an immediate solution, it has drawbacks and limitations. It is costly, requires substantial IT expertise in-house, and is subject to falling short when new systems and devices are added or the network is upgraded. Further, should the company be purchased or acquire another business, a whole new set of diverse systems will need to be integrated.

The time has come for a single converged standard to be created and made available to all enterprises, across all industries around the world. As might be expected, there are security professionals, along with the Security Industry Association (SIA), working on this standard now. When complete, it will provide a detailed blueprint for risk assessments that address all areas of business.

The new converged standard would assess an organization’s overall practices, breaking them down into four categories with a rating using CMMI or Carnegie Mellon Maturity Index for each on the NIST framework. The categories would include business processes, technology, compliance and behavior. Technology would include ratings for both vendors and products, with detailed insights into their standards and practices. For Compliance, each relevant regulation would need to be addressed by an installed solution, which would have to be properly functioning to meet specific goals. The rating for Behavior, which would evaluate how well the organization addresses weaknesses and risks in the first three categories, would rise or fall over time with each improvement or breach.

Within this new model, every stakeholder within an organization will have visibility into risks and incidents, along with a clear understanding of how they might impact each area of operations including their own, no matter where they come from. It is truly the future of security, bringing together management of every area of business, critical infrastructure, municipal safety and more.

The key to this is the connectivity of vulnerabilities and threats to business risk and aligning assessments to the neck of the funnel so a true understanding of the overall security liability is seen. From the power grid to traffic lights, IoT to cybersecurity, access control to door solutions, it will include management and oversight of all networked devices.

Rarely does an incident occur without numerous indications of some kind leading up to it; however, without the ability to correlate seemingly unrelated actions, the significance of each can easily be lost. In a converged system with the intelligence to recognize the early formation of a kill chain, these actions can be identified at an earlier stage and a preventive response can be mounted. Further, the ability to gain insight after the fact into some of the weaknesses that led to the attempted incident is a vital first step to implementing new measures to prevent future issues.
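The cross-silo correlation described above, sketched as an added example (not part of the original article and not the logic of the converged standard it describes): events from OT, physical security and IT feeds are grouped by site and flagged when several silos report inside one time window. The event fields, the site names, the sample events and the 24-hour, three-silo thresholds are assumptions modeled on the office-and-plant scenario earlier in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one feed per silo (all fields are hypothetical).
EVENTS = [
    {"ts": "2018-09-03T02:10", "domain": "OT", "site": "campus-A",
     "what": "unexplained temperature rise in manufacturing section"},
    {"ts": "2018-09-03T09:40", "domain": "PHYSICAL", "site": "campus-A",
     "what": "terminated employee tried expired credentials at office"},
    {"ts": "2018-09-03T21:05", "domain": "IT", "site": "campus-A",
     "what": "data storage server compromised"},
    {"ts": "2018-09-03T11:00", "domain": "IT", "site": "office-7",
     "what": "failed remote login"},
    {"ts": "2018-09-06T08:00", "domain": "OT", "site": "office-7",
     "what": "HVAC setpoint changed"},
]

def correlate(events, window=timedelta(hours=24), min_domains=3):
    """Return one finding per site where at least min_domains distinct
    silos raised events inside a sliding time window."""
    by_site = defaultdict(list)
    for e in events:
        by_site[e["site"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = []
    for site, evs in by_site.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            domains = {e["domain"] for e in span}
            if len(domains) >= min_domains:
                findings.append({
                    "site": site,
                    "domains": sorted(domains),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                    "events": [e["what"] for e in span],
                })
                break  # one finding per site is enough to escalate
    return findings

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["site"], f["domains"], f["first"], "->", f["last"])
```

Each silo's responders would see only their own line of this output; the finding exists only because the three feeds share a site key and a clock.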

Looking to the Future

This new converged standard is a very complex and detailed concept. Developing the technology behind it and building the systems cannot be accomplished quickly; currently, the goal is a release date of late 2018 or early 2019. Once created, this must be presented to a public forum to discuss the weighted questions and answers. Additional time will be needed to train users on the technology, which at the beginning will be somewhat complicated – much like the way in which early computers required users to have a higher understanding of programming languages than is needed now. In time, more of the processes will be automated and the onboarding will be faster and easier for all users, helping to spread the use of this breakthrough concept.

For a typical organization end user, this new standard makes for a compelling case. The installation of any new product or solution – whether it is turnstiles, an HVAC system, HR software or an IP phone system – can be made with the peace of mind of knowing where it fits within this new converged standard. The organization itself is better able to communicate, integrate and collaborate. Risk assessments can be made with full visibility into all aspects of the organization and the understanding of how they work together to prevent issues. Ultimately this will not only shield the organization from liability, it will also help to reduce costs such as insurance, improving the financial position of the organization as well.

The evolution of networked systems, AI, and the IoT has led to a virtually endless array of new technologies – many bringing incredible benefits to individuals and society, others created by those who use their expertise to commit crimes and cause mayhem. As an industry, we must take the lead together in leveraging our capabilities to maintain a safe, secure and strong environment in which technology can flourish.

About the Author: Pierre Bourgeix is President of ESI Convergent in Cleveland, Ohio. ESI Convergent is a management consulting firm focused on helping companies assess and define the use of people, process, and technology within the physical and cyber security arena. The company was formed to not only help end users but also manufacturers in defining the proper strategy to drive products successfully into the marketplace. As a thought leader in the Security Industry, Bourgeix has helped companies successfully launch and position products and solutions globally. He is also an Enterprise Consultant Manager for Boon Edam.