Cyber-physical security: When IT and reality merge
Physical security solutions for protecting people and property can act as a gateway for attackers. This is especially true if the devices are networked. How can we ensure that cybersecurity systems are protected?
Physical security solutions for protecting people and property can act as a gateway for attackers. This is especially true if the devices are networked. How can we ensure that cybersecurity systems are protected?
Digitising and automating access, control, and security systems in companies and organisations have significantly change the way we protect the perimeter in many areas. As a result, an ever growing portion of security solutions are shifting to servers or to the cloud. Cybersecurity is therefore a top priority on the agendas of IT departments. But security technology in the real world, along with the interfaces that people use to interact with these systems, are sources of risk in a cyber-physical security model.
Cyber-physical systems used for perimeter protection consist, for example, of sensors, cameras, computers, networks, software triggers, and alarm protocols. They control access by people and the flow of data in the physical world, thereby connecting cyberspace with reality. However, these things also make them an attractive target for hacker attacks.
IT security and perimeter protection: two sides of the same coin
Whilst IT security requirements are generally known, cyber-physical systems remain a challenge for conventional security approaches. According to the Fraunhofer Institute for Secure Information Technology, this is due to the fact that these systems process more than just information. They manage and optimise physical events as individual devices or entire ecosystems.
Whether they are small or comprehensive, cyber-physical security systems should make perimeter protection more convenient. This is done through the ability to control and monitor different devices, such as cameras, door openers, and lighting, centrally from a single system. The people in charge are thus able to respond faster to security-relevant events, and they also receive related notifications in real time.
By integrating cyber and physical security, companies and organisation can optimise the design and effectiveness of their access control systems, as is regularly demonstrated by the exhibitors at Perimeter Protection in Nuremberg. Access systems thus become smart solutions that allow, for example, individual employees to access only certain areas. These types of systems also protect rooms housing servers and digital resources against possible security breaches.
EU requires personal responsibility
In light of growing threats, companies are called upon to keep their cybersecurity practices up to date. Special entities that the EU considers to be particularly important, including critical infrastructure, health care, energy companies, and communications, must put their IT security to the test and should not disregard cyber-physical systems.
The European Union’s planned NIS-2 Directive allows for substantial administrative fines if protective measures fail to meet certain minimum standards – fines of up to €50 million are planned for facilities that are part of critical infrastructure. After all, attacks on these sensitive industries in particular can have far-reaching consequences and even pose a danger to life and limb.
Protection in both worlds
Since IT and the physical world are merging, cybersecurity and perimeter protection must also be viewed as inseparable parts of a comprehensive security concept. In practice, the security staff log onto servers or into the cloud via mobile devices and terminals. If this access is insufficiently protected, the entire security system is at risk. Conversely, a lack of proper perimeter protection exposes the security system’s hardware and software to the threat of unauthorised access in the physical world. It is therefore crucial to implement cybersecurity protocols in coordination with the physical security system.
One approach that enables IT to take over perimeter protection is the zero trust model. This security concept is based on the idea of not trusting any user outside one’s own building or network and granting only limited access at first.
In the future, it will be essential for the members of staff responsible for physical security to work more and more closely together with the IT security department and to share information. Only when the two teams communicate with each other more effectively and link the data for physical and cyber security will it be possible to create a solid security concept.