July 23, 2018

Cyber and Physical Security: Maverick and Iceman

Derek Bourland
Security Consultant
Arrow Electronics

Cocky hotshot Maverick and cool and calculating Iceman made for perfect rivals in the 1986 hit Top Gun. However, when six Russian MiGs threatened a U.S. communications ship, Maverick and Iceman created a perfect team and shot down four planes, which caused the other two to flee. Learning the value of teaming up, Maverick and Iceman formed a friendship guaranteeing both would always have a wingman.

Just like Maverick and Iceman, cyber and physical security need to team up if we have any chance of confronting the threats against us.

Combining these two universes requires not only technical changes to an organization but cultural changes as well. Part of the reason Maverick and Iceman made a great team is that they accommodated one another’s diverse strengths and weaknesses. Likewise, the only thing cybersecurity and physical security have in common is the word security. They have always used different systems and interfaces. Physical security uses locks, cameras and ID cards, while cybersecurity uses hardware and software tools, such as firewalls and antivirus.

Unlike cybersecurity, physical security is provided either by the building owner or, in larger enterprises, by the corporation’s facilities or security departments. In addition, physical security employees have completely different skill sets from IT employees: they typically have backgrounds in military or law enforcement, while information security employees have strong IT backgrounds.

Merging these two areas will not be an overnight process, but the two will acclimate to each other over time, just like Maverick and Iceman. Companies may push back with questions like, “Doesn’t this seem like more trouble than it is worth?” and “Won’t this be too costly to implement; will the benefit outweigh the cost?” These questions will be answered by the advent of more intelligent solutions that companies can implement without disrupting their current security systems.

Reasons to Converge

In many ways, physical security systems have always been the first line of defense against nefarious access to a company’s assets, whether physical or logical. Why spend countless hours looking for a zero-day or an unpatched system to access a company’s database when you can just walk through the front door and throw a thumb drive into the first machine you see?

Benefits of Converging

Let’s look at the top-line benefits that convergence brings to an organization.

  1. Streamlines the creation and deletion of user identities
  2. Provides affordable two-factor authentication
  3. Improves user access
  4. Authenticates remote access with location and status information from physical systems
  5. Includes identity reporting for forensic investigations
  6. Coordinates security personnel in emergency situations

Integration of physical security access and multi-factor identification such as tokens, soft tokens or biometrics will allow organizations to manage one single, consolidated repository for all credentials, and access privileges will only need to be set once for both physical and cyber resources.

Take advantage of MFA by using existing tools, such as employee badges as a second form of ID, rather than spending extra money on both security badges and tokens, or biometric scanners.

Synchronizing building and network access has many practical applications, such as not allowing a user to access the corporate systems until they have badged into the building, or not allowing remote access to a user who has already badged into the building. This also helps with tailgating, where one employee closely follows another into the building without scanning their own badge: an employee who does not scan their badge when entering the building cannot access the system.
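The two synchronization rules described above, sketched as an added example (not from the original article or any vendor's product): a policy check that correlates badge events with logon attempts. The event formats, user names and the availability of badge-out records are assumptions; sites without exit readers would need another way to expire presence.

```python
from datetime import datetime

# Constructed sample events: (timestamp, user, direction / logon origin).
BADGE_EVENTS = [
    ("2018-07-23T08:01:00", "alice", "in"),
    ("2018-07-23T08:05:00", "bob", "in"),
    ("2018-07-23T12:30:00", "alice", "out"),
]
LOGIN_ATTEMPTS = [
    ("2018-07-23T08:10:00", "alice", "local"),   # badged in
    ("2018-07-23T08:15:00", "carol", "local"),   # never badged in (possible tailgating)
    ("2018-07-23T09:00:00", "bob", "remote"),    # remote logon while inside the building
    ("2018-07-23T13:00:00", "alice", "remote"),  # has badged out
    ("2018-07-23T13:05:00", "alice", "local"),   # has badged out, no new badge-in
]

def in_building(user, when, badge_events):
    """True if the user's latest badge event at or before `when` is 'in'."""
    present = False
    for ts, who, direction in sorted(badge_events):  # ISO timestamps sort in time order
        if who == user and datetime.fromisoformat(ts) <= when:
            present = direction == "in"
    return present

def decide(attempt, badge_events):
    """Apply both rules to one logon attempt; returns (verdict, reason)."""
    ts, user, origin = attempt
    present = in_building(user, datetime.fromisoformat(ts), badge_events)
    if origin == "local" and not present:
        return "deny", "local logon without a badge-in"
    if origin == "remote" and present:
        return "deny", "remote logon while badged into the building"
    return "allow", "logon origin matches physical presence"

def evaluate(attempts, badge_events):
    """Return (user, origin, verdict, reason) for every attempt."""
    return [(a[1], a[2], *decide(a, badge_events)) for a in attempts]

if __name__ == "__main__":
    for user, origin, verdict, reason in evaluate(LOGIN_ATTEMPTS, BADGE_EVENTS):
        print(f"{user:6} {origin:6} {verdict:5} {reason}")
```

The denied entries are also the ones worth logging for investigation, since each represents a mismatch between where the physical system says a user is and where the logon claims to come from.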

After an employee is terminated or resigns, there are often weeks of lag time between their last day and when their building access is removed. A converged infrastructure allows companies to terminate access immediately. Fully integrated physical and logical systems also allow for consolidated logging of entry and access data. With an accurate occupancy list, you’ll know exactly where an employee is in case of an emergency.

Benefits Starting to Outpace the Costs

Combining physical and cyber security isn’t a new theme. The idea has been around for years. So why haven’t more companies gone down the path? Since physical and cybersecurity have little in common, combining them has seemed like a very complex and costly task, but the benefits are starting to outpace the costs. As Iceman asked Maverick, “You may not like who’s flying with you, but whose side are you on?” Like each other or not, there are many factors forcing them to unite against a common enemy.

Recent changes have made this convergence of an unlikely team closer to reality, including:

  1. Compliance – With increased auditing for regulatory compliance, auditors are seeing gaps in all aspects of security and are advising clients to take action.
  2. IoT – Most physical devices are now connected, including cameras, card readers and access controllers.
  3. Physical security is friendlier – Most physical security vendors see the need to interact with cybersecurity and are building interfaces to integrate with it.
  4. New standards – The new standard Physical Security Bridge to IT Security is a vendor-neutral approach developed by the Open Security Exchange to enable easier integrations.
  5. Cost-effective token solutions – Recently introduced affordable smart cards are ideal for IT security because they are far more secure than the traditional 125 kHz Prox technology most systems use.
  6. Gateways – NextGen gateways are fixing the common integration problems by providing a bi-directional exchange of identity data and real-time events.
  7. Single sign-on – More and more companies are deploying SSO, creating the need for stronger authentication practices.

The Future

Some companies have embraced the convergence of IT with physical security and are reaping the benefits of an unstoppable Maverick-and-Iceman-style pairing. For example, Aetna and insurer Aon PLC have structured cybersecurity and physical security to report to one CSO. Bank of America does not reveal its organizational structure, but says that “these two functions closely collaborate.” Most companies have yet to move down this road of convergence.

When presenting solutions to your customers, it is important to recognize whether the solution can be added to what they already have, or if it is going to force them to replace all their existing gear. For this to work, solutions need to integrate with what companies have already invested in for both physical and cybersecurity. Without this, there are potential roadblocks, such as high costs and disruption to current processes, which could make it harder for a company to accept your proposal.

Integrated security solutions can bring a variety of benefits, including improved cost savings, risk reduction and compliance assistance. Plus, with a new wingman onboard, all corporate assets are protected with a new line of defense.

Combining these two separate entities has the potential to close gaping security vulnerabilities. Setting all Iceman and Maverick rivalries aside, cyber and physical security need to converge to safeguard against modern threats.

All companies from all verticals should make this a priority next year. Learn more about embracing the convergence of IT and physical security and how Arrow can make this possible.