This year's Security and Counter Terror Expo at London's Olympia centre provided delegates from all over the security industry with one dedicated stream of talks on cyber-security and three others in which the topic figured heavily. One theme recurred throughout the expo: the high wall around cyber-security.
The IoT takes information security into the physical world, and with it comes a dramatic re-evaluation of the priorities that traditional cyber-security has held so close for so long. Jennifer Ellis, of Symantec's IoT security practice, pointed out that the holy trinity of security - confidentiality, integrity and availability - is upended by the problems of the IoT. Confidentiality, perhaps the most important of those principles in pure information security, no longer exists when it comes to the IoT.
The barrier between physical security and cyber-security might seem arbitrary, but according to many at the expo it is one that remains frustratingly in the way of progress, especially as we try to address the often woeful state of IoT and critical infrastructure security.
Ron Gregory, vice chair (north) of the National Association for Healthcare Security, talked about how neglect of either side could spell trouble for critical services such as the NHS. Up until now, attacks against the NHS have mostly involved ransomware, and while those attacks have been worrying, including an attack against a Lincolnshire Trust late in 2016, those threats could mutate into the physical world.
“Many NHS trusts operate their physical security separate to their cyber-security. That's not saying everyone does but you can see the problem there straightaway.”
The increasing reliance on smart buildings with management systems operating everything from heating to fire suppression to access control poses another complication. Taking out those management systems could spell chaos for a busy hospital.
“The NHS is a huge organisation,” said Gregory, and “countering the insider threat is going to be hugely complex if not impossible.” The NHS employs more than 1.5 million people, making it the largest employer in the UK and one of the largest in the world, leaving ample opportunity for rogue insiders to compromise NHS systems.
Gregory, who comes from the world of physical security, told the audience, “we cannot just rely on walls, locks and people anymore”. Physical security, he added, “needs to support cyber-security, they cannot work in isolation.”
SC asked Gregory why that barrier between physical and cyber is so stubborn. “I think it's mainly because people have followed their career path,” said Gregory. “People have taken different paths; there's not usually someone jumping across from one side of the profession to the other. There's just not that cross-pollination between the two.”
“Stepping back”, added Gregory, “we need to look at bringing them back in.”
Steve Dobby, a product manager at Geoquip, told the audience that it is increasingly common for attackers to go after not just the virtual but the physical components of security too: “they're being a little bit clever now and looking at both. Therefore we need to look at our devices, the passwords, the connectivity methods and procedures.”
Dobby cited CAPSS, or Cyber Assurance of Physical Security Systems, a new standard from the Centre for the Protection of National Infrastructure (CPNI). The standard, said Dobby, took two years to complete and covers many levels of security “from the fence, through your network, to your front end management system.”
Security isn't complete without that thoroughness, said Dobby: “Some people might concentrate on one side, but if you don't look at everything you're leaving yourself open to attack”.
Professor Tim Watson, director of the University of Warwick's Cyber Security Centre, gave a talk on automotive security, warning delegates of his foreboding about an issue he sees as emblematic of the blind spot between cyber and everything else.
“Automotive cars are built by safety engineers, they're not built by cyber-security specialists,” Watson told SC, “so what we see is a wonderful safety culture; you can be in a high speed crash and walk out of it - but what they're not thinking about is the actors who can choreograph your bad luck.”
“It's that dichotomy between the safety and security culture which encompasses why we have a blind spot”.
And it works in more ways than one. If a hacker wants to go after a car, said Watson, the first question for them will be “what can I make it do”. The person defending that car will typically go “straight for the ones and zeroes”. The information assurance model and a focus on data will not properly address the problems posed by the hacking of a vehicle.
We don't need more “siloed specialists”, said Watson; what we need is “deep generalists.” People “who understand different disciplines, because, as an attacker, I'm going to combine physical access with social engineering with technical attacks.”
Watson works with a multidisciplinary team that draws on psychology, political theory, history and sociology to better address the problems of cyber-security.
“This is a team game,” Watson told SC, “so you need to understand the domain. As more and more conversations are happening, we're getting more and more relationships between the private sector, government and academia. Those conversations are bearing fruit; we are understanding each other's worlds and that can only be a good thing.”

“We are on the verge of a cultural overhang,” said Watson. When the electric kettle was invented, manufacturers still put the handle on the top, an artefact from the time when you had to heat a kettle on the stove. The reasoning went that when you heated water on the stove, a topside handle would let you avoid the searing heat of just-boiled water. On an electric kettle, the handle had the opposite effect, burning the hands of its new owners. As more and more people seem to be realising, the solution for one era ended up being the problem for the next.