The Long Path to True Convergence: Where Do Things Really Stand and Why Have They Not Progressed Further?
The ongoing digital transformation means limitless opportunities for those who can harness the digitization of the physical world safely and effectively. But these changes have forever altered the threat landscape, leaving no entity without risk.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), today’s threats result from hybrid attacks targeting both physical and cyber assets. The adoption and integration of Internet of Things and Industrial Internet of Things devices has led to an increasingly interconnected mesh of cyber-physical systems that expand the attack surface and blur the once clear lines between cybersecurity and physical security.
Any compromise of cyber-physical systems can have a devastating impact on security, operations, profitability and reputation. Experts agree that the current approach of dealing with security in departmental silos is leading to increased risk, rising costs and a climate of mistrust among regulators.
Cyber-physical threats are now an everyday occurrence and are no longer confined to IT systems. Real-life events, including several high-profile cyberattacks, bear this out. The problem is multidimensional: it ripples through the supply chain and forces abrupt business changes that erode profitability. Cyberattacks on food and beverage producers and on water supplies can disrupt distribution and quality, potentially affecting the safety of consumers. Ransomware can shut down mission-critical operations, such as petroleum supplies, and no one knows when the next attack will happen or what the target will be.
The threat extends beyond the organization itself. Research firm Gartner forecasts that liability for cyber-physical security incidents will “pierce the corporate veil to personal liability” for 75% of CEOs by 2024, creating even greater urgency to move the needle to true security convergence.
The Hacker Threat
JBS Foods, the leading beef producer in the world, with operations in the United States, Australia and Canada, was hit by a cyberattack in June. In a statement to the media, the organization revealed that it paid the equivalent of $11 million in ransom in response to the hack.
Three months earlier, Molson Coors had suffered a ransomware attack. In an SEC filing, the beverage giant stated that the incident “has caused and may continue to cause a delay or disruption to parts of the company’s business,” including brewery operations, production and shipping.
And a February attack on a Florida water treatment plant, in which an intruder gained access through a remote access software program on a facility computer, offered yet another reminder of the growing dangers of cyber-physical threats – and of the possibility that employees can be part of the problem.
As every market continues to digitally transform, systems and processes are connecting more rapidly. Security convergence, centered on identity and access governance, links these separate departments and operations so that communications and processes address risk collectively and preemptively.
A three-dimensional approach to security, converged across IT, operational technology (OT) and physical systems, stands as the only way forward in a post-pandemic world. COVID-19 continues to reshape access governance, extending automation across a broader, cross-departmental scope that includes not only security but also safety, health, wellness and the human experience.
Building a Holistic Security and Safety Culture
Why are the worlds of cyber/IT, OT and physical security still separate, siloed operations? What is preventing convergence from moving forward? Both an attitude and a cultural shift are needed to change perceptions and outcomes.
Mark Weatherford, chief information security officer at AlertEnterprise, said, “The security divide shouldn’t be there. Distinct lines between cyber, OT and physical security teams have resulted in disjointed and ineffective detection, mitigation and response to risk, forged by years of siloed departments.”
“As risks have changed, there’s now an expectation that CEOs, board members and other executives will be held accountable when bad things happen if they haven’t taken the kind of mitigation steps, like convergence, or addressed and invested in cybersecurity, people and policies,” Weatherford added. “Wholesale change is occurring and the physical security industry is ‘present at the creation moment’ as this transition continues.”
It is not a new problem. In fact, the vulnerability of critical infrastructure has been discussed for decades. People, however, have remained isolated in separate roles within the enterprise. Moving to a converged approach across all departments, including HR, cyber/IT and OT/SCADA, can effectively secure the most critical resources while actively enforcing compliance requirements and company policies.
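What a converged approach looks like in practice is a question of correlating records that each department already holds. The following is an added example, not code from the article or from any vendor named in it: it joins a constructed HR roster, a constructed badge-reader log and a constructed VPN log to surface two things no single silo can see on its own, a user HR has terminated who can still badge in or log on, and a single identity that is badged into a building and logged in remotely within the same half hour. The record layouts, user names and reader names are assumptions made for illustration.

```python
"""Converged identity check across HR, physical access control and IT logs.

Added example, not part of the original article. All records below are
constructed sample data; the field layouts (HR status, badge reader
results, VPN origin) are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed HR roster (hypothetical): the authoritative "who still works here".
HR_ROSTER = {
    "alice": {"status": "active", "site": "plant-1"},
    "bob": {"status": "terminated", "term_date": "2021-05-28"},
    "carol": {"status": "active", "site": "plant-1"},
}

# Constructed physical access control log (hypothetical):
# (timestamp, user, reader/site, result)
BADGE_LOG = [
    ("2021-06-01T08:02:00", "alice", "plant-1", "granted"),
    ("2021-06-01T08:15:00", "bob", "plant-1", "granted"),
    ("2021-06-01T09:40:00", "carol", "plant-1", "granted"),
]

# Constructed IT log (hypothetical): (timestamp, user, origin)
VPN_LOG = [
    ("2021-06-01T08:20:00", "alice", "remote"),
    ("2021-06-01T09:00:00", "bob", "remote"),
    ("2021-06-01T12:00:00", "carol", "remote"),
]


def parse(ts):
    """Parse the ISO 8601 timestamps used in the constructed logs."""
    return datetime.fromisoformat(ts)


def terminated_with_access(roster, badge_log, vpn_log):
    """Users HR lists as not active who still succeed at a badge or VPN login.

    This is the classic silo failure: HR processed the termination, but
    neither the physical access system nor the directory was told.
    """
    gone = {user for user, rec in roster.items() if rec["status"] != "active"}
    badged = {user for _, user, _, result in badge_log if result == "granted"}
    logged_in = {user for _, user, _ in vpn_log}
    return sorted(gone & (badged | logged_in))


def concurrent_presence(badge_log, vpn_log, window=timedelta(minutes=30)):
    """Remote VPN logins within `window` of the same user's on-site badge-in.

    One identity cannot be inside the building and dialing in from outside
    at the same time. Neither log reveals this alone; only the correlation
    does. Returns (user, badge_time, vpn_time) tuples.
    """
    findings = []
    for bts, user, _site, result in badge_log:
        if result != "granted":
            continue
        for vts, vuser, origin in vpn_log:
            if vuser != user or origin != "remote":
                continue
            if abs(parse(vts) - parse(bts)) <= window:
                findings.append((user, bts, vts))
    return findings


def run_checks(roster=HR_ROSTER, badge_log=BADGE_LOG, vpn_log=VPN_LOG):
    """Run both converged checks and return the findings as one report."""
    return {
        "terminated_with_access": terminated_with_access(roster, badge_log, vpn_log),
        "concurrent_presence": concurrent_presence(badge_log, vpn_log),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

In the sample data, bob is flagged by the first check (terminated on May 28, yet badged in and on the VPN on June 1), and alice is flagged by the second (badged into plant-1 at 08:02, remote VPN login at 08:20). In a real deployment the three inputs would come from the HR system of record, the physical access control system and the identity provider, and the checks would run on a schedule rather than over static lists.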
The “CISA Cybersecurity and Physical Security Convergence Guide” describes convergence as “formal collaboration between previously disjointed security functions.” The guide states that, “Organizations with converged cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate and respond to threats. Convergence also encourages information sharing and developing unified security policies across security divisions.”
A culture of inclusivity is vital to successfully converging security functions and fostering communication, coordination and collaboration.
“Security, HR, IT and all departments working together can proactively address risk while caring for the wellness and safety of employees,” Weatherford said. “Wellness scores and risk scores are now part of the identity and access governance process, and we have to have high expectations for our employees to follow through, providing the training and education to understand how security is an important part of business viability and profitability.”
What Is CISA?
The Cybersecurity and Infrastructure Security Agency (CISA) is a federal agency that works with public and private-sector partners to defend against cyber and physical threats and build secure, resilient infrastructure.
The Way Forward
The only way forward for business is digital transformation. In the past, security was regarded as something that security people took care of, but now it has become a core part of business processes. Security is really business by another name. This approach will bring challenges and opportunities in a post-COVID world in which the rules have changed and technology dominates.
Per CISA, organizations of all sizes can pursue convergence by developing an approach that is tailored to the organization’s unique structure, priorities and capabilities.
“That’s the era we’re in now,” Weatherford said. “Being able to trust that the people onsite are who they say they are while facilitating a positive user experience. Fear, uncertainty and doubt have to shift to trust, certainty and assurance. With convergence, we can see that security doesn’t have to be a painful, friction-full experience. It can be built into business and actually make these processes better and richer.”