Information technology (IT) and physical security have been on a converging path for years. As physical security systems switched from analog to internet protocol (IP)-based, the relationship between these functions began to change. Today, with data breaches rising worldwide and with privacy and compliance regulations evolving fast, it’s more important than ever for physical security and IT teams to work together to safeguard facilities and network infrastructure in the utilities sector.
Utilities worldwide are looking to bridge these skills and teams to prevent interrelated IT/physical security business risks and take advantage of the growth of data. Siloed responsibilities, unique department cultures, and isolated systems make this a difficult task. Many electric utilities also have mandatory and enforceable federal regulatory standards in place for both cyber and physical security, to enforce prioritization of grid protection.
According to a CIO/CSO Partnership Survey conducted by IDG Enterprise, 38% of CIOs said they meet with their CSO or CISO daily and 65% reported interacting at least once a week. The trend continues with IT teams as 42% of CSOs/ CISOs said they work with their IT counterparts weekly, while 36% reported collaborating every day.
How can these teams work together to secure facilities and networks, optimize business operations, and bring physical security data into a holistic environment?
Unifying critical infrastructure IT and physical security solutions -- and the humans who manage them
CTOs, CISOs, and CSOs are looking at the challenges and considerations. Their concerns are about team integration, role delineation, compliance, and the complexity of the decision-making process. Finding common ground isn’t always easy. Organizations face several fundamental challenges when they work to increase IT/physical security team collaboration.
- Different strengths. IT and physical security each play critical roles in corporate risk management. But the types of risks they oversee can be vastly different. So are their skills and expertise in identifying and mitigating those threats. Since these teams are focused on their own objectives, they may not always recognize the overlap in their work. A well-architected and cyber-resilient physical security deployment can make a vast difference. It means that physical security pros can operate without a hitch to keep the organization safe, while strong physical security systems mitigate potential risks posed by devices and software on the network.
So, who should oversee the purchase of new physical security solutions? Do most physical security teams have the in-depth know-how to implement a robust security system that runs well on the network? Can they ensure performance and reliability across a large and often widespread ecosystem of devices? Or does IT need to guide implementation requirements and specifications?
- Competing priorities. Because every second counts when a potential physical threat is detected, physical security teams require that all information be available to as many people as possible. IT typically wants to limit the number of devices on the network to minimize exposure to cyber threats. In some cases, the disconnect between teams may lead physical security to find their own solutions. Particularly across smaller organizations, they may be more eager to adopt technology without fully vetting feasibility, reliability, or vendor cybersecurity credentials. The more these teams remain focused on different objectives, the greater the potential organizational risk, which may lead to non-compliance fines from NERC CIP violations.
- Growing exposure to cyber risks. Utilities may have thousands of physical security and IoT/IIoT devices on their networks. The more devices, the more cyber risk. With networks expanding to the supply chain, perimeters become less clearly defined. And with increasing cyberattacks come new regulations. Achieving compliance can be labor- and time-intensive. From devising and implementing corporate policies, auditing procedures, and systems, to re-investing in new technologies, the cost of data protection and privacy compliance is surging within all industries.
- Data mining. While utilities invest in physical security systems to protect facilities, critical assets, and people, there’s a growing realization that they’re also collecting a goldmine of data that can be used to gain efficiency and business insight. To capitalize on this data, utilities need the right people with the right skills. That’s where the disconnect can happen. Though the data is coming from physical security investments, IT teams are typically the group most engaged in data projects and digital transformation initiatives. Today, physical security pros are starting to take a more proactive role in unlocking the value of their physical security data.
3 strategies for utilities to build better collaboration between IT and physical security teams
As roles converge and skill sets combine, organizations are taking different approaches to unify IT and physical security. For some, IT teams are bringing physical security professionals into their group. In others, physical security leaders are expanding their departments with IT skills. And some are broadening the security operations (SecOps) function to address security risks and capitalize on data coming from both groups.
1. Physical security expands with IT skill sets
This scenario involves physical security hiring dedicated resources within their department to oversee IT-related tasks and/or act as a bridge for enhanced interdepartmental collaboration. For instance, they may bring on cybersecurity and privacy experts or add data specialists. Incorporating existing internal IT resources within the physical department is another option.
2. Security operations takes on physical security tasks
Security operations groups have experience in IT-related cybersecurity, network optimization, and risk mitigation. In this scenario, they evolve that responsibility to also oversee those domains across physical security. They manage data across the enterprise, including from physical security sources, with the primary goal of using that information to extract business value.
3. IT begins to align goals with physical security mandates
In addition to becoming more active in physical security decision-making, in this scenario, IT also begins to align goals more closely with physical security mandates. The CISO becomes the predominant leader of IT and physical security. This provides a more central view of operations and risk mitigation strategies, with a focus on resilient networks and security ecosystems.
Unifying physical security systems plays a critical role in converging IT and security within utilities
An open, unified physical security platform supports all convergence strategies, facilitating the IT and physical security merger. Built to include video surveillance, access control, and license plate recognition, a unified solution eliminates the need for separate systems. Instead, data flows into an intuitive platform, providing a shared view for consistent decision-making across the enterprise.
Simplify business operations
A unified solution consolidates all physical security data in one view. Physical security teams can access thousands of cameras and doors, intrusion sensors, radar technologies, intercoms, and much more across facilities and remote sites. This ensures they can efficiently manage security policies, monitor events, and run investigations. It also simplifies data management for IT and SecOps by consolidating security system data. Seamless integration and a standardized data format provide consistent paths to extract and export information to external databases or data lakes. This streamlines data sharing, enhances collaboration, and enables efficient utilization of security information within the broader data ecosystem.
Improve privacy and cybersecurity
Working from a unified security platform, IT and security teams can implement a single, global data protection and privacy strategy. Everything from the ways they encrypt data and enable multi-factor authentications to how they share evidence and define user privileges can be applied across all physical security systems. A unified platform creates a comprehensive view of real-time risks and effective tools to harden systems and devices. Automating retention policies, scheduling audit reports, and provisioning access and user rights further streamline compliance.
Optimize data gathering and business intelligence
When all physical security data comes into one platform, teams can gain meaningful business insights. A unified platform that offers rich data visualization can display data in maps, charts, or histograms, rather than in databases and spreadsheets. In highly regulated industries, this can help teams get critical information faster, find valuable insights, and uncover unexpected issues. Teams can identify patterns in security incidents and better understand how current security strategies measure up. From there, they might find opportunities to enhance incident response or make cost-saving improvements to their standard operating procedures (SOPs) process.
With a data-driven view, teams can find new ways to gain visibility over remote locations, leveraging a layered and unified technology approach at substations with a defense-in-depth methodology. They can digitize SOPs, enhance auditability and reporting functionalities, and automate firmware and/or patch updates. This approach can also help utilities optimize space, expand sustainability efforts, and extend system information to other departments.
There is no right or wrong approach to converging IT and physical security teams. These departments have long-standing organizational strengths. They share a dedication to keeping the organization secure. And in many cases, these teams have already found ways to adapt and work more closely together to successfully implement new projects and improve processes. Unifying physical security systems can help utilities ease convergence, simplify compliance, and ultimately unlock the power of data.