Why Security Convergence Redefines Risk Management
Key Highlights
- Convergence expands the attack surface: Interconnected physical, cyber, OT, and IoT systems create new pathways for lateral movement that traditional siloed security models fail to address.
- Technical debt becomes an enterprise risk multiplier: Legacy physical and operational systems, once isolated, can introduce hidden vulnerabilities when connected to modern IT and cloud environments.
- Organizational silos create exploitable gaps: Misaligned goals, governance, and SLAs between physical and cyber security teams weaken resilience against cross-domain threats.
- Managing converged risk requires unified governance: Holistic risk assessment, shared identity, integrated monitoring, and coordinated incident response are essential to securing the modern
Risk in general, and the risk introduced by security convergence in particular, is an enterprise-level issue: it is not confined to one part of an organization. The consequences extend beyond the obvious costs in money, assets, and reputation. An attack on the information assets the cybersecurity team is responsible for protecting can have physical consequences. Enterprise security therefore has to address all aspects of the enterprise's operations as a single, unified threat surface, because threat actors treat the entire enterprise, including its data assets, as one target.
This includes both physical security and information security. Security solutions are becoming more sophisticated, but they are doing so by becoming more interconnected, and a converged, interconnected risk environment creates more opportunities for threat actors. Previously separate systems are being connected at an accelerating rate, often bringing along existing technical debt that contains previously unidentified or unresolved vulnerabilities. Traditional, separate security operations are challenged by threats that exploit vulnerabilities across the cyber, physical, and other domains. What is the impact of these various systems being connected to each other? How can the converged risk be addressed?
The nature of enterprise assets is evolving. Physical assets continue to require physical security solutions, but users are driving change in how those solutions are delivered. Information systems have evolved from isolated computers within an enterprise, to local area networks, to dedicated multi-site networks, and finally to systems that depend on third-party services delivered by vendors such as Microsoft and Amazon over the public internet; data security has had to follow each of those steps.
Operational technology such as lighting, building heating and cooling systems, factory control systems, and machines used in day-to-day business is now managed via network-connected “Internet of Things” (IoT) devices. These systems are being connected to support business operations. Threat actors operating within the information domain are not just targeting computer and network equipment. Physical security, OT, IoT devices, external services, and third-party-controlled devices (e.g., phones) are also targets.
Converged Systems Imply Converged Risk
Whenever an enterprise has systems exchanging information, there is an interface between them. These interfaces must be carefully designed and managed so that the benefit is adequate and the residual risk is acceptable. Once disparate systems are interconnected, an attacker who has compromised one system can use the interface to reach a higher-value target on the other.
The increased use of converged resources can stress systems by pushing them beyond what the manufacturer expected. Stressing systems with unexpected use can introduce instabilities and expose vulnerabilities, introducing new risks. Exposing system interfaces through shared resources (or, in the worst case, via the public internet) can lead to information leakage and unintended access. Systems that were adequately hardened, if they were hardened at all, for a segregated environment may not be appropriately hardened for a converged one.
Connections that exchange only the information required, that use secure, validated channels, and that are monitored mitigate much of the risk introduced by sharing access and information. Interconnecting these systems offers significant benefits, but it also increases risk, and that risk has to be managed rather than assumed away.
While Physical Security and Cyber Security each have their own security standards and guidelines, they are not always aligned with the same goals. While physical security concerns life safety and the protection of physical assets, cybersecurity focuses on information assets. Their security goals often align imperfectly, creating risks not otherwise addressed.
Connecting pre-existing physical security solutions to shared resources can introduce new risks to the unified threat surface. Existing systems often carry technical debt due to past practical or technical limitations. Often, compensating controls are required to mitigate vulnerabilities inherent in systems that, while outdated or insecure by modern standards, remain in use today and must be connected to other systems.
Any time resources are shared across disparate systems, the risk increases. Sharing networks, identities, cloud resources, and computing platforms can deliver significant benefits, but it requires care. System interfaces not designed for diverse use can introduce challenges. Attaching authentication infrastructure built for human users, workstations, or browsers to IoT devices such as security cameras or door lock controllers can impact availability or expose system access. There are challenges in both deployment and operation. Deploying converged solutions requires skills and support that may exceed what individual operational teams and their vendor supply chain partners are prepared to handle. Your physical security integrator may not be experienced in applying converged technologies, and your IT integrator may never have seen a network device other than a workstation or a printer.
Challenges
There are challenges to managing risk against unified threats. Aspirationally, the Physical and Cyber Security organizations should work together. When the systems converge, the relationship between the organizations changes: each is a customer of the other, whether or not funds change hands, and each is a supplier to the other, with an explicit or implied SLA (service level agreement). They should be partners in delivering enterprise security, working together to deliver enterprise resilience while adhering to governance guidelines across all areas, participating in long-term strategy discussions, and coordinating their risk assessment frameworks. An enterprise's unified threat surface is only as strong as its weakest link, because convergence increases the opportunities for lateral movement within the environment.
These aspirations can be difficult to achieve. Physical security has different compliance requirements than cybersecurity. There may be conflicting guidelines for operating the infrastructure, such as power distribution or building access. Cybersecurity guidelines may impose different constraints on access to information used in Physical Security. Maintenance teams may not be on the same cadence, creating gaps in the consistent application of security updates across converged systems.
An enterprise’s physical security and cybersecurity organizations often have separate origins. The idea of having them work together, be part of the same organization, operate under the same budget, or operate within a harmonized reporting structure can be a foreign concept. There can be “turf wars” (another source of elevated risk). When you view an enterprise as having a unified threat surface, it is critical that disparate organizations communicate and collaborate.
Physical Security Challenges
Physical Security solutions are increasingly leveraging information technology solutions. There is an evolution toward using some of the same resources as Cybersecurity. In many but not all enterprises, it makes sense to use shared resources for networking, identity and access management, and cloud services. As systems become more connected, the risk of misaligned settings exposing vulnerabilities increases. There should be appropriate tools in place (maintenance protocols, audit processes, automated scanning) to ensure connected systems do not introduce connected risk.
Interconnection of disparate systems can introduce gaps in defenses. Introducing external services creates additional gaps, regardless of the perceived or actual level of security they provide. If risk assessments are conducted on a per-system basis and do not consider the entire converged infrastructure, vulnerabilities at system boundaries can be overlooked. Threat actors can and do seek out these gaps. They are not blocked by organizational silo boundaries; they can always view a target as a unified threat surface.
Unexpected technical challenges from converging systems can introduce risks. Connecting physical security solutions to IT systems can expose each side to input the other was never designed to validate. Because these issues occur at the edge between systems, they can go undiscovered or be difficult to mitigate. Exposing systems to automated inputs can create performance or even security issues. Adding AI-based information sources expands the range of data processed, exposing systems not only to malformed input but also to potentially fabricated (hallucinated) data.
Managing Converged Risk
Convergence provides benefits but also introduces converged risk. It is a whole-enterprise problem and can be best addressed when physical security and cyber security work together. Security operations will be most effective at managing converged risk when they maintain a dialog across the enterprise. Risk management needs to be seen holistically. Enterprises should ensure that operational teams and their vendor supply chain partners work together to address security across disciplines, not just within individual parts of the enterprise. Service level agreements between parts of the organization and with your vendors should include provisions for incident response and escalation. The distinction between physical security and cybersecurity is becoming blurred. Physical security teams need to apply more cybersecurity practices, and cybersecurity teams need to consider the physical and operational impacts of vulnerabilities.
An enterprise’s supply chain partners should support an enterprise’s risk management goals. Vendors need to secure their own infrastructure. They need to deliver solutions that can be appropriately secured and to support the delivery of risk-reduction activities (such as applying vendor hardening guidance). Vendors need to ensure that when they provide integration for their customers, they do not introduce unexpected additional risk.
Technology can be leveraged to manage converged risk. This may require additional resources, such as higher product costs, increased labor to handle more complex deployments, or additional system resources. The risk-benefit should be considered (and it may not cost that much more to “do it right”). Areas to consider:
- New or newly converged systems should be evaluated for suitability for the purpose. Do not take the vendor's word that things will work as expected; test them in your own environment.
- System components should have best-practice and vendor hardening guidance applied consistently, not as an afterthought.
- Security monitoring solutions should have visibility to relevant telemetry regardless of its source to identify cross-functional threats. Event correlation solutions should be able to handle both physical and cyber events.
- Vulnerability assessments, threat intelligence sources, and security master planning, commonly used to identify cyber issues, should be expanded to include all devices that exchange data or connect to the public internet. Everything within the Unified Threat Surface should be considered.
- Leverage shared identity and access management services to provide zero-trust access to all components, not just IT resources. This takes effort: non-person entities such as security cameras have usage characteristics (fixed network locations, no interactive sessions) that differ from those of workstation users, and policies written for people do not fit them unchanged.
- Ensure your Incident Response Plan covers all aspects of the organization, not just cyber areas. Practice your IR process. Consider including your vendor supply chain partners.
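The monitoring and identity items in the list above (correlating physical and cyber events, and treating non-person entities differently from workstation users) are easier to see with a concrete check. What follows is an added example, not code from the original article or from any product. The site, subnets, accounts, and badge and authentication events are constructed, and the three rules (a VPN login from a non-site address within 30 minutes of a badge-in by the same person, an on-site interactive login with no badge entry at that site that day, and a camera service account logging in interactively or from outside its VLAN) are illustrative choices, not a standard.

```python
"""Cross-domain correlation: physical access (badge) events joined with
identity (authentication) events. Added example; every account, site,
subnet and event below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Badge:
    ts: datetime
    user: str
    site: str            # site whose door was used


@dataclass(frozen=True)
class Auth:
    ts: datetime
    account: str
    src_ip: str
    kind: str            # "vpn", "interactive" or "service"
    site: Optional[str]  # site of the target host; None for the VPN concentrator


# Hypothetical environment: one site and one camera service account.
SITE_NETS = {"HQ": ip_network("10.10.0.0/16")}
DEVICE_ACCOUNTS = {"svc-cam-lobby": ip_network("10.50.0.0/24")}  # camera VLAN


def _on_site_net(ip: str) -> bool:
    return any(ip_address(ip) in net for net in SITE_NETS.values())


def correlate(badges: List[Badge], auths: List[Auth],
              window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, datetime]]:
    """Return (rule, account, timestamp) findings. Each rule is a contradiction
    between the physical record and the identity record that neither log
    shows on its own."""
    by_user = {}
    for b in badges:
        by_user.setdefault(b.user, []).append(b)
    findings = []
    for a in sorted(auths, key=lambda e: e.ts):
        if a.account in DEVICE_ACCOUNTS:
            # Non-person entities: never interactive, never off their own subnet.
            if a.kind == "interactive":
                findings.append(("npe_interactive_login", a.account, a.ts))
            elif ip_address(a.src_ip) not in DEVICE_ACCOUNTS[a.account]:
                findings.append(("npe_off_subnet", a.account, a.ts))
            continue
        user_badges = by_user.get(a.account, [])
        if a.kind == "vpn" and not _on_site_net(a.src_ip):
            # Remote VPN session while the same person badged in close in time.
            if any(abs(a.ts - b.ts) <= window for b in user_badges):
                findings.append(("vpn_while_onsite", a.account, a.ts))
        elif a.kind == "interactive" and a.site is not None:
            # On-site console login with no badge-in at that site earlier that day.
            badged = any(b.site == a.site and b.ts.date() == a.ts.date() and b.ts <= a.ts
                         for b in user_badges)
            if not badged:
                findings.append(("onsite_login_without_badge", a.account, a.ts))
    return findings


def sample_events():
    """Constructed sample data: one benign event per source plus one hit per rule."""
    day = datetime(2024, 1, 15)

    def t(h, m):
        return day.replace(hour=h, minute=m)

    badges = [Badge(t(8, 2), "alice", "HQ")]
    auths = [
        Auth(t(8, 10), "alice", "10.10.4.22", "interactive", "HQ"),        # benign
        Auth(t(8, 20), "alice", "203.0.113.7", "vpn", None),               # vpn_while_onsite
        Auth(t(9, 0), "bob", "10.10.5.9", "interactive", "HQ"),            # onsite_login_without_badge
        Auth(t(9, 5), "svc-cam-lobby", "10.50.0.12", "service", "HQ"),     # benign
        Auth(t(9, 30), "svc-cam-lobby", "10.10.9.4", "interactive", "HQ"), # npe_interactive_login
        Auth(t(9, 31), "svc-cam-lobby", "10.10.9.4", "service", "HQ"),     # npe_off_subnet
    ]
    return badges, auths


def run_sample():
    return correlate(*sample_events())


if __name__ == "__main__":
    for rule, account, ts in run_sample():
        print(f"{ts:%H:%M} {rule:28} {account}")
```

In a real deployment the same rules would be fed by the access control system's event export and the identity provider's sign-in log, and the device-account rule would be generalized to every non-person entity in the directory. The value is in the join: a badge log and a sign-in log each look clean on their own, and only a correlation engine that receives both can raise these findings.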
Managing converged risk requires recognizing that the entire organization must be secured, not just physical or information assets. Effective cross-team communication, careful use of interconnected technologies, and attention to the implications of interrelated systems are necessary. Identifying risks, regardless of the source (cyber, physical, OT, HVAC, etc.), is critical to securing the infrastructure used by modern enterprises.
About the Author

Rodney Thayer
Rodney Thayer is an independent network researcher who focuses on network attack and defense issues as they relate to business infrastructure. Current security research (exploit development) includes product and infrastructure evaluations, and training/lecturing on computer security topics. Mr. Thayer’s background is in engineering, deployment, and evaluation of computer and network security solutions. He has experience in implementing a variety of network protocols and solutions including early IPSec and SSL systems.

