What does the Corporate Security Manager need to know about cyber security? by James Willison
Typically the corporate security manager focuses on the protection of physical assets by devising a layered approach based on sound intelligence, strong perimeters, cctv, access control, close protection, intrusion detection, threat monitoring, crisis management, legal investigations, forensics, counter terrorism initiatives, evacuation and bomb procedures. This list is far from complete and indicates the breadth of issues that all need to be understood and the necessary controls put in place if the organisation is to operate effectively and recover from the related risks.
Cyber security is often not the highest priority, and provided the team follows the advice given by the Information Security department on good cyber hygiene practices it might be concluded that all is well. The media and leading consultancies suggest that phishing emails are the main source of cyber attack, and therefore provided the physical security team follows the training then that is good (https://www.ncsc.gov.uk/guidance/suspicious-email-actions). Some will say, “It’s not my area of responsibility”. It is a subject that is seen as highly technical, and the control measures used are not the same as in physical security.
In fact, there is a lot of common ground, and as physical security systems are often run on the IT infrastructure there are risks to them that require cyber security controls to mitigate. CCTV, access control and real time monitoring are areas of security which cross over both domains. In the home environment hackers have proven to be successful in controlling CCTV, lighting and smart televisions. As Ken Munro of Pen Test Partners explains, he found over 15,000 homes and small businesses ‘without security being done properly’. This means they can be easily controlled by an attacker.
Can hackers control your home? BBC London. https://www.youtube.com/watch?v=oTmyYudMnN0
Key things you should know about cyber security
- The benefits of secure technologies to support the business
- Cyber security of building security systems: the impact of the Internet of Things
- Control measures
- The GDPR – security and privacy by design
- Opportunities for innovation and real time risk management
- Important International Security Standards and Frameworks.
This article explores the cyber security issues which are of particular interest to a corporate security manager. We also provide guidance on further reading and reference security courses.
1. How cyber security risk relates to corporate security risk.
Today’s corporate security manager faces a complex array of challenges and risks in an increasingly connected world. It is this connectivity which makes digital systems a fundamental part of the overall security picture. In some organisations, corporate security and cyber security expertise are brought together in one department, but even where this does not happen both competencies need to work closely together. Most if not all large organisations will have an Enterprise risk management policy which includes both physical and cyber security risk. Focus on cyber has sometimes pushed physical to one side as boards see competitors losing millions in data breaches and invest in the latest cyber solutions to ensure it does not happen to them.
Back in 2001 it was the reverse as companies recruited large physical security teams to protect them from possible terrorist attack. With this increasing connectivity the corporate security person must engage in the organisational view of risk because the systems are no longer separate from others and risk must be managed holistically. This means understanding all areas of security risk and how to work with individual stakeholders to protect them from blended threats. Since any area can be a vulnerability to a cyber physical attack a collaborative approach to risk is essential. The skills of corporate and cyber are often different but complementary. The CSO may have many years of investigative and crisis management experience and know how to manage and protect large groups of people in an environmental incident, fire or protest whereas a CISO understands the complexities of high end encryption and how to respond to a data breach in compliance with international legislation.
2. Cyber security of building security systems – the impact of the Internet of Things
The impact of the Internet of Things described in the media tends to focus on fridges, toasters and smart televisions, and it comes as quite a surprise to physical security managers that IP-based video, access control and building management systems (BMS) are also subject to cyber attacks. The National Institute of Standards and Technology clearly identified an IP camera as an IoT/cyber physical device in 2016, urging that it should be a ‘robust and valued component of a cyber physical system’ (NIST Framework for Cyber Physical Systems, p 25). https://pages.nist.gov/cpspwg/
The corporate security manager needs to assess the risks to the physical security and building management systems and how these can be protected. Therefore, it is important to understand cyber security.
In the movie ‘I.T.’ we see the dramatic impact of how one temporary member of staff can gain access to a CEO’s home and then disrupt an entire business. (I.T. Official Trailer (2016): Pierce Brosnan Movie)
The Physical security team will be called on to help manage such crises and may also find themselves accountable for systems’ failures. In a post event investigation, it might be evidenced that the Security manager had procured and was responsible for the maintenance of a poorly designed and secured system. Some larger security companies provide the solutions themselves to the organisation. It is therefore very important to check these have been tested and proven to work well in your organisation’s IT environment throughout the systems’ lifecycle.
It is not just the CCTV systems which are vulnerable. For many years hackers have exposed flaws in access control systems. Some companies have addressed these and improved their encryption and crypto key storage capabilities, but others have not. There are many older existing access systems (125 kHz) which do not conform to industry standards such as https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/
Foundational is its support for high-end 128-bit AES encryption, PKI/FICAM and biometrics. It is important to use the latest generation PIV cards. You also need to have current encryption keys, standards-based, vetted algorithms and proper key management. Central to this approach is an understanding that if your installers and security teams lack the ability to configure, set up and maintain these systems then it is vital you engage with the cyber security team to manage the risk. There are some key actions security managers can take to limit the risk. The Internet of Things Security Foundation (IoTSF) and the Institute of Workplace and Facilities Management (IWFM) have produced these top 10. They highlight building management systems (BMS), but these apply equally to CCTV, access control and other IoT devices/systems.
Checklist for BMS with remote or Corporate network access for operations or maintenance
- Assess the potential cyber security risks and agree, with the building stakeholders (Owners, Facilities Managers, IT /Cyber Security teams), a mitigation plan and process for continual review/action.
- Check/scan for unknown IoT devices that may be connected to your network/systems.
- Ensure that any IoT devices are secured behind a firewall/DMZ with appropriate network segmentation deployed.
- Change any factory default credentials and ensure passwords are unique per building/account/devices. Enforce password policies (password history, minimum characters & complexity). If you can use 2FA (like an authentication app or SMS code) then do so.
- Rename default accounts and disable any unused accounts.
- Check that the systems and devices software/firmware are at the latest version as specified by the system/device vendor. Any required updates should be conducted securely.
- If possible, offer authorised staff remote access to your BMS via a corporate network VPN, rather than you directly connecting from the Internet.
- Ensure any staff or third-party contractors with access to the BMS who are working from home follow suitable security guidance such as the UK National Cyber Security Centre (NCSC) guidance ‘Home working: preparing your organisation and staff’.
- Ask your IT/Cyber Security function to monitor attempts to access your BMS system (both unsuccessful and successful) and agree how they can alert you to suspicious activity.
- Check that your systems/device suppliers have a Vulnerability Disclosure Policy and how security vulnerabilities will be reported to you if any are discovered.
COVID-19 Crisis: Cyber Security Advice for Building Owners and Facilities Managers
3. Access and Identity Management.
Access control is crucial to both physical and cyber security, but the two are often managed separately. If an individual is not recorded as a single identity, physical access to buildings and digital access to systems can get out of sync and security can be compromised: without seamless physical and network access monitoring you do not know who is on your network. There are common principles across the security areas such as approved access, accepted forms of identification, barriers, company policies and real time monitoring technologies.
In terms of network security, approval is granted based on what is needed by an individual and authorised by the organisation. User IDs and passwords are issued with additional controls such as two factor authentication. This usually includes some kind of physical device such as a smartphone or ID card, and a biometric (iris, palm, voice) and a generated numeric passcode for more sensitive locations. The Information Security function will run firewalls and set up secure zones to limit network access and monitor internet activity depending on individual roles. These controls help prevent unauthorised activity on the network and combine with reliable physical access controls to ensure only those with the right level of permission can read and edit a file.
This is of course of high importance in times when nations and organisations are subject to targeted and random attacks. Sometimes an attack succeeds because access is gained physically through impersonation techniques and fraudulent network access is then granted. The risk to company laptops and smartphones remains high if senior executives lose their physical device and it is not properly secured.
4. Real time monitoring.
Real time monitoring is important to both physical and cyber security, yet both suffer from data overload where manual monitoring cannot keep up. The NIST Risk Management Framework (RMF) ‘promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes’ (p ii).
It recommends automation as the means of achieving this. There are real time monitoring systems such as Security Information and Event Management (SIEM) solutions which can help identify incidents and enable an efficient and fast response. (Task M-1 & 5 below).
How SIEM works
SIEM software collects and aggregates log data generated throughout the organization’s technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. The software then identifies and categorizes incidents and events, as well as analyzes them. The software delivers on two main objectives, which are to
- provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities and
- send alerts if analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.
SIEMs can also work with Artificial Intelligence and Physical Security Information Management (PSIM) systems to provide converged security and a mature Enterprise Security Risk programme. In this way they can manage high volumes of data and increase operational efficiencies. Central to such cross functional approaches is real time communication of risk to all responsible personnel at an Enterprise level.
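As an added illustration, not taken from the article or any of the sources it cites, the following Python sketch applies the two SIEM objectives above (collect and categorise login events, then alert when a predetermined rule fires) to a constructed BMS access log, and implements three items from the checklist in section 2: monitoring successful and unsuccessful access attempts, catching logins to default accounts that should have been renamed, and catching remote logins that did not come through the corporate VPN. The log line format, the default account names and the VPN address range are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample BMS access log; the format is assumed, not any vendor's real format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 bms01 login user=jsmith src=10.20.0.15 result=success
2024-03-01T08:02:10 bms01 login user=admin src=203.0.113.7 result=failure
2024-03-01T08:02:14 bms01 login user=admin src=203.0.113.7 result=failure
2024-03-01T08:02:19 bms01 login user=admin src=203.0.113.7 result=failure
2024-03-01T08:02:25 bms01 login user=admin src=203.0.113.7 result=failure
2024-03-01T08:02:31 bms01 login user=admin src=203.0.113.7 result=success
2024-03-01T09:15:00 bms01 login user=contractor1 src=10.20.0.40 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}  # checklist: rename default accounts
CORPORATE_VPN = ipaddress.ip_network("10.20.0.0/16")   # checklist: remote access via VPN only (assumed range)
FAIL_THRESHOLD = 4                                     # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)                     # ... within this window raise an alert


def parse(log_text):
    """Collect and categorise events: one dict per well-formed login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production collector would count unparsed lines as well
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["src"] = ipaddress.ip_address(d["src"])
        events.append(d)
    return events


def detect(events):
    """Apply the rulesets; return (rule, source, user) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # source address -> timestamps of recent failed logins
    for e in events:
        if e["result"] == "failure":
            window = failures[e["src"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)  # drop failures that fell out of the sliding window
            if len(window) == FAIL_THRESHOLD:  # fires once per burst, at the threshold
                alerts.append(("repeated_failed_logins", str(e["src"]), e["user"]))
        elif e["result"] == "success":
            if e["user"] in DEFAULT_ACCOUNTS:
                alerts.append(("default_account_login", str(e["src"]), e["user"]))
            if e["src"] not in CORPORATE_VPN:
                alerts.append(("login_outside_vpn", str(e["src"]), e["user"]))
    return alerts


if __name__ == "__main__":
    for rule, src, user in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {rule}: user={user} src={src}")
```

Feeding the sample log through the rules yields one alert for the burst of failures and two for the subsequent success, which is the kind of chained signal the physical security team would want the IT/cyber function to forward to them.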
The NIST Risk Management Framework for Information Systems and Organisations, states,
“The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.”
Monitor Tasks and Outcomes (p 76).
The same reasoning can be applied to personnel security. Today people rely on smart phones and social media to manage their lives and so physical security teams and close protection officers need to understand the cyber threats to the people since they can be targeted and physically threatened by attackers in cyber space. Therefore, the lines are blurring.
4. The GDPR and Security.
The EU GDPR is quite clear that Data Protection Impact Assessments are to be carried out on surveillance systems and new technologies. These technologies range from heat sensing, face mask detection, social distancing analytics, audio/visual communications, and occupancy analysis. The ICO explains, “When do we need to do a Data Protection Impact Assessment?
What is the general rule?
Article 35(1) says that you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
Article 35(3) sets out three types of processing which always require a DPIA:
Systematic and extensive profiling with significant effects:
“(a) any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
Large scale use of sensitive data:
“(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”
“(c) a systematic monitoring of a publicly accessible area on a large scale.”
For those who surmise that ‘large scale’ does not apply the ICO states, “Examples of large-scale processing include:
- a hospital (but not an individual doctor) processing patient data;”
There are also established physical security solutions providers which deploy technologies across large facilities and profile persons, and so they must carry out a DPIA. Of course, a DPIA expects an organisation to protect the data on the system, and so if this can be accessed by an attacker you must secure it using reasonable means as described in Article 5.
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.
The template provided by the ICO asks, “Do you plan to consult information security experts” (p 4) https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-template-v04-post-comms-review-20180308.pdf about the new technology being used. It also indicates that smart technologies, biometrics and some IoT devices and systems are high risk and so require a DPIA as described in recital 91. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/
Data protection related control mechanisms
| Control | Scope | Owner |
|---|---|---|
| Project manager or other appropriate staff should conduct a Data Privacy Impact Assessment | Any | PM |
| Project teams should limit how and what processing can take place in line with policies and procedures | Any | Project team |
| Project teams should use data anonymisation techniques at all opportunities | Any | Project team |
| Project managers should only agree to share personal data where there is a legal basis to do so | Any | PM |
| Project teams must ensure that data subjects will be able to exercise their GDPR rights | Any | Project team |
| Project managers ensure that requesting data processing consent is made user friendly and understandable | Any | PM |
| Project teams ensure that devices and applications are designed to inform data subjects using appropriate interfaces | Any | Project team |
| Project managers ensure that data subjects will be informed about the type of data collected (by sensors) and any additional processing and analysis that will be undertaken with the data once it is collected | Any | PM |
| Project manager to communicate to relevant controllers and processors when a data subject withdraws consent or opposes the data processing | Any | PM |
| Project manager to ensure that granular choices are provided when granting access to applications in relation to the data that may be processed | Any | PM |
| Project manager to ensure that location tracking using fingerprinting is both limited and controllable by data subjects | Any | PM |
| Project manager to ensure that transparency and user controls can be enforced with tools provided to read, edit, and modify data before it is transferred to any data controller / processor | Any | PM |
Smart GDPR assurance for a smarter world (p 22).
Further advice from the White paper, “Smart GDPR assurance for a smarter world,” is available here: http://www.axis-communications.com/smart-assurance-wp
The benefits of implementing new technologies to the people in the facility will mean companies that provide safe and secure working environments will prosper against those which do not.
Network monitoring and intrusion detection systems to manage security incidents and data breaches are particularly important if a company is to identify cyber attacks and respond within the necessary time constraints, such as the 72 hours required by law. The legislation expects organisations to operate appropriate controls, and so the corporate security manager needs to equip the organisation with effective tools and systems which will identify security incidents in real time. These include physical breaches and, increasingly, blended attacks such as hacking of physical security systems and BMS. As the digital transformation of society and organisations rapidly progresses, so will the need to respond to cyber physical attacks. Failing to protect this data by using technologies to prevent its loss can result in fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
5. International Security Standards and Frameworks.
In addition, many international standards (ISO 31000, the ISO 27000 series, ISO 22301, the COBIT Framework, the NIST Cyber Security Framework) recommend a holistic approach to security risk, as now do Enterprise Security Risk Management (ESRM) programmes (ASIS/(ISC)2 Security Awareness Standard). For about twenty years ASIS International, the leading security association for corporate security professionals, has advocated ESRM, recommending that security teams work together on all areas of security risk and by so doing enable organisational resilience. In their latest standard ASIS and (ISC)2 state the need to “Establish cross-functional security teams to identify cyber physical risk in the digital/smart environment”.
6. Further reading and Security courses.
Where do we go from here?
It is important for those who have responsibility for physical systems to examine these standards and frameworks if they are to understand the risks and controls required in their own organisation and reduce them. The concerns to protect assets from system failure and compromise together with a recognition that a vulnerable physical device could disrupt a colleague’s network should inspire any security professional to initiate contact with the cyber security team.
So, given the acceptance that cyber security impacts physical security what is important for a Corporate security person to understand? Most people are unlikely to have time for full time university courses or even part time distance learning programmes. It is certainly worth reading some books on computer and information security and doing some short online courses. Here is a list to start:
Coursera: This website has free courses from Universities and companies across the world. There are many free courses on cyber security including:
Information Security: Context and Introduction offered by Royal Holloway, University of London
ISO 27001: 2018 Information Security Management
National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity”
National Institute of Standards and technology, Risk Management Framework for Information Systems and Organizations
Introduction to cyber security: stay safe online
The UK National Cyber Security Centre recommends a range of courses from awareness to application and courseware. Most of these are hosted by training companies and there are fees with exams and certifications.