Internet of Things (IoT)-enabled HVAC systems are more energy efficient, reliable and user-friendly for your occupants. But because of those cloud-enabled features, they’re also a target for hacking into.
Since it’s likely less protected, attackers might use any vulnerabilities in your HVAC system’s network to infiltrate your building’s larger network, therefore potentially affecting or disrupting physical operations. This hypothetical situation demonstrates how physical security and cybersecurity can overlap.
Many companies today still treat their physical security and cybersecurity departments as separate entities. But as more building systems become digitized—from HVAC to access controls—experts agree that it’s time to consider converging on a departmental level to keep up with the technical level.
“People have been talking about [converging departments] for at least 10 years—having one person responsible for the whole thing,” says Michael Gips, chief global knowledge officer for ASIS International. “The advantages there, they say, are cost savings; more efficiency having one department, one leader, one common mission; and you have cross-training, so physical security personnel is learning about cybersecurity and vice versa.”
What Is Physical Security vs. Cybersecurity?
Understanding the difference and what it means is important.
When experts say physical security, they are referring to protecting occupants, equipment, infrastructure, etc., from physical harm. This could include fires, theft or a physical attack such as an active shooter event.
Also referred to as logical security, cybersecurity refers to preventing unauthorized access to your building or company’s network and data.
Physical security and cybersecurity have long been treated as separate systems.
[On topic: 12 Things Active Shooter Insurance Should Cover]
“It used to be years ago that corporate IT departments didn’t want security departments hogging bandwidth—like with alarms and [closed-circuit television] footage,” says Gips. “It would slow everything down. Now with cyber being so vast and storage being much cheaper, it’s not that big of a deal anymore.”
But what’s more addressed these days, Gips adds, is the convergence of security departments, processes and cultures.
Benefits of converging the two realms include streamlining processes for potential cost savings. Streamlined processes, as well as symbiotic relationships between physical security and cybersecurity leaders, can also cover any vulnerabilities that were there before convergence. It can also lead to happier occupants.
“The decision-making process within an enterprise has moved away from the traditional facilities or real estate team to IT and the [chief security officer] position—they’re thinking about physical and logical security and combining those with a comprehensive strategy,” says James Segil, co-founder and president of Openpath, a mobile access control system.
Gips says there are many reasons why many companies today aren’t interested in converging their physical security and cybersecurity departments, including:
- Perceived cost
- Not trusting of the other department
- Fear over lost jobs
“We’ve found when [companies] do converge, there are far more positives than negatives,” Gips says. “It’s just getting over that hurdle.”
Where to Begin
Matthew Bohne, vice president and chief product security officer at Honeywell, reiterates the idea that a departmental convergence revolves around changing the workplace culture.
“There is culture that we all need to drive, which is inclusivity versus exclusivity,” he says. “Over the years, [physical security and cybersecurity] have been independent of each other. You have to be open minded and drive that inclusive behavior to bring those communities together and share information.”
Bohne explains that convergence doesn’t have to mean one department, one leader—but rather more effective communication.
“The answer oftentimes is: Are you allowing good communication? Are you effectively sharing information between those two communities so that things happen correctly? Because there are good reasons why you have a physical team and why you have a cyber team. Sometimes there are challenges with saying, ‘Let’s make them all report to one person.’ That may not work in every case.”
Bohne recommends these steps when starting the process of convergence.
1. Know who the players are.
Does the physical security team have awareness of who the members of the cybersecurity team are, and vice versa? You might find key players don’t want to share information because they don’t know the other team well enough.
2. Physically bring the two teams together.
Have a kick-off meeting where the two teams are physically together. They might see they have similar credentials and be more willing to accept security confidence. This can form a sense of trust between the two.
3. Work through how to communicate better.
After the initial kick-off meeting, make sure the two teams are meeting regularly to work through how they prefer to better communicate.
“What I’ve seen happen is that they may start off with an informal meeting, but then will leave it at that and never go back to having those interactions or conversations,” Bohne says. Keep teams accountable.
4. Offer more cross-training.
With an ever-evolving digital world, Bohne says companies have an obligation to help teams with training and education. Help physical security personnel better understand cybersecurity best practices and the digital components of your building. Or have cybersecurity personnel do rounds with a physical security team member to see a different perspective.
“You can get some really exceptional talent out of that,” Bohne says, adding: “That helps glue the communities much closer together.”
[Related: Access Control Technology is Eating Key Cards]
Why Converge Physical Security and Cybersecurity?
Imagine that one of your security guards is patrolling the corridors at night, and he or she sees a door open that shouldn’t be. And the doors are controlled digitally.
If the security guard is in tune with that digital access control system, then “if they see something unusual, they can act accordingly,” Bohne says.
Benefits of converging the two realms include streamlining processes for potential cost savings. Streamlined processes, as well as symbiotic relationships between physical security and cybersecurity leaders, can also cover any vulnerabilities that were there before convergence.
It can also lead to happier occupants. Building IoT devices and systems bring convenience, and knowing they’re safe and their data is protected brings peace of mind.
Convergence “improves the user experience, which I think is what we all want at the end of the day when we go to work,” Segil says.
A Changed World
As buildings become smarter and more digitized, it’s important that security personnel and procedures keep up with the technological changes.
“We need to understand that the world is changed,” Bohne says. “There is a changing workforce, which sometimes can make one group or another hesitant to grow this knowledge or expand into that area.”
People are key. A culture of inclusivity is vital to successfully converging your physical security and cybersecurity sectors, or to just foster more efficient communication between the two. Bohne describes it as a team sport.
Honeywell took that to heart as it joined the Global Cybersecurity Alliance, created by the International Society of Automation. The goal is to “build awareness, provide education, share best practices and accelerate the development and adoption of cybersecurity standards,” according to a press release.
At the Global Security Exchange 2019 conference and expo, Gips plans to share with attendees a survey conducted by ASIS International that polled 1,000 chief information security offices, chief security officers and business continuity professionals in the U.S., Europe and India.
The survey asked, among other questions, if their companies had converged, and if not, why not? If they had, what were the results?
Gips will reveal the survey results in more detail at the conference, but tells BUILDINGS that the data shows most companies aren’t converged—though many have worked together collaboratively but have not formally converged.
He adds that it depends on the building or company’s circumstances—the two sectors might be so different that it doesn’t make sense to converge. But effective communication can still bolster security measures and bring a holistic perspective to protecting a building and its occupants and data.
Check these out: