Why physical and digital security are the same thing

Modern interconnectivity leaves businesses open to attack – which is why physical security must be logical.

In a practical sense, there’s very little difference between a thief breaking in through the front door to steal an item of value and a hacker accessing a system to steal data. But what if the hacker stole the data needed to compromise the security of your front door?

Infamous hacker Kevin Mitnick is known for carrying out a particular demonstration in corporate presentations. He ‘borrows’ a physical security pass from an audience member, and within seconds he clones the card and gains access to the facility. By changing the data on the card, which is part of the door’s digital or logical security, he is able to open a locked door, compromising its physical security.

There are countless other examples revealing how the link between physical and digital security is so often ignored and exploited. Like the 2013 attack on a New York dam, the 2015 hacking of Ukranian power systems, or the 2017 attack on Finnish heating systems that used distributed denial-of-service (DDoS) attacks during sub-zero temperatures.

Scott Borg, Director of the US Cyber Consequences Unit, recently said: “As long as organisations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organisational level.”

Security is security

Typically, when businesses think about logical security, they are worried about loss of data, ransomware attacks and other data-focused consequences. And while those outcomes are significant, there is often much greater fallout from an attack.

Physical security relies on digital controls. For example, when a swipe card is allocated to a specific person, a database records information on that individual, the times the card can be used and which doors it can open. But what would happen if someone cloned that card – a simple action when armed with the right equipment, which is easy to purchase if you know your way around the dark web – and altered the database records so the cloned card gave them access to a secure location?

Alternatively, what if an identity was compromised and a malicious actor changed the operation of an industrial machine? This exact scenario occurred in Germany when an industrial steel mill was hacked. The attackers stole user identities via booby-trapped emails and took control of a blast furnace, resulting in “massive damage”.

Top-class security requires businesses to ‘un-silo’

The challenge businesses face when it comes to these tightly linked domains is that they have been traditionally siloed. The systems used to manage physical and digital access have been installed and operated in isolation, and managed by different teams.

Industrial control systems, security equipment such as door sensors and cameras, and heating, ventilation and air-conditioning (HVAC) apparatus are typically installed by specialists with limited understanding of how these systems work on a single network. As these and other devices are added to the enterprise network, the importance of having a trusted identity to access them becomes increasingly vital.

The fundamental connective tissue between both sides of the security coin, however, has always been users. Physical and digital systems rely on knowing – with certainty – the identity of the individual accessing a physical device or computer system. Yet those identities are created and managed separately, with different rules and assumptions about the veracity of the identities.

A link we can no longer ignore

Having a single trusted ID across the physical and digital is vital, certainly – but, more importantly, it just makes sense. Why have two or more ways to establish and verify a person’s identity? And if you have one identity that links these two previously separate domains, then aren’t you really saying there’s no difference between physical and digital security?

The dichotomy between these two realms has dissolved in recent years. Ever since the Stuxnet attack more than a decade ago, we’ve seen that the breach of a logical system has physical consequences – and vice versa. Compromising one often leads to devastating effects for the other.

Businesses are connecting all sorts of devices to their networks. Lighting systems, air conditioners and solar-energy arrays are just the start. Industrial systems, like the centrifuges compromised by Stuxnet or the blast furnace at the German steel mill, highlight that physical and digital security are the same thing. Bottom line: security is security.