May 25, 2022

Last Updated on January 19, 2024

These are interesting times to say the least in the cybersecurity field. One reason is that domains formerly held to be separate from cybersecurity—notably privacy—are converging under the cyber umbrella.

Another major discipline that is rapidly merging with cybersecurity is physical security. This integration is a literal reality as Internet of Things (IoT) security devices proliferate, creating what the US government’s Cybersecurity & Infrastructure Security Agency (CISA) calls “an increasingly interconnected mesh of cyber-physical systems” that potentially expands a company’s attack surface and blurs the cyber and physical security functions beyond recognition.

To talk about the rapid physical/cybersecurity convergence and share some recent physical security innovations, a recent episode of The Virtual CISO Podcast features Chris Ciabarra, Co-Founder and CTO at Athens Security. John Verry, Pivot Point Security CISO and Managing Partner, is the show’s host.

You will be assimilated.

As a physical security expert with an IP-connected product, Chris has seen this convergence coming for a long time.

“So if you look at the two sectors before, it was two different people heading up each,” Chris relates. “But now it just makes sense to combine them. Why is that? Because everything is IoT-based. Everything has an internet connection these days.”

That means many more cyber threats and vulnerabilities within these cyber-physical systems, which have traditionally been outside the expertise of physical security folks.

“Now you have a lot more things to worry about, and the typical physical infrastructure personnel didn’t have a clue about cyber, right?” adds Chris. “They just plugged it in and it worked, whatever. They didn’t worry about the [cyber] security side.”

Plugging the holes

Cybersecurity technologists now need to be involved in the setup and administration of cyber-physical systems, because these products can weaken an organization's cybersecurity even as they strengthen its physical security.

“Everything is connected to the internet now, so everything should be secured properly and cyber security folks should have control over this kind of stuff,” reiterates Chris. “Before, physical security folks didn’t think about the ramifications and the hacks that are in these types of equipment. They’re buying cameras from China and don’t even realize it because it’s under a different name. And guess what? They have back doors in them, and they’re plugging them into their network without realizing, ‘Oh, that should be on a separate network that doesn’t touch your internal network.’”

Benefits of cyber-physical security convergence

Besides improved overall security, there are several other benefits from the convergence:

  • Communication becomes simpler and disconnects between the two siloed disciplines are reduced.
  • New product rollouts and the introduction of third-party services can take less time since meetings can involve just one group and there are fewer decision-makers.
  • Bringing physical security expertise to bear on cyber-physical systems can reduce the physical accessibility of IoT devices and decrease their exposure to physical compromise, which can lead to some devastating hacks.
  • Compliance complexity is reduced for organizations that need to align with cybersecurity frameworks like ISO 27001 or CMMC/NIST 800-171 that specify physical security controls.

John cites a further benefit for organizations, which is a unified view of risk across the organization.

“All too often, you had a view of risk from a physical perspective, which uses different thought processes and different methodologies,” notes John. “Then you’ve got your information security risk management, which uses confidentiality, integrity and availability as impact criteria. And you’ve got enterprise risk management, which uses more business type things like impact to operations, legal and reputational risk, and things of that nature.”

The more companies can unify the conversation about risk and put it in the language of the business, the more they can streamline and improve risk management.

What’s next?

To hear this episode with Chris Ciabarra, click here.

Curious how hackers remotely compromise IoT devices? Check out this blog post: Remotely Hacking IoT Devices: Here’s How It’s Done