Physical security is a much older and more mature discipline than cybersecurity, yet the spotlight is often more focussed on the latter. But organizations cannot afford to ignore physical security. To implement it effectively, they must identify their requirements and vendors need to understand what constitutes the target market in order to provide and develop the best solutions.
What is critical infrastructure?
When identifying critical infrastructure, you will receive varying responses, depending on who you ask, what industry they work in or what country you are interested in. But no matter what response you get, the answer will consistently identify sectors that help humankind to maintain normalcy in our daily lives, such as transport, energy, healthcare, food and drink, and communications.
What is physical security?
Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an organization.
When it comes to critical infrastructure, the goal is to ensure the continuous operation of critical services. This involves preventing unauthorized access, theft, sabotage, terrorism and other physical threats that could either disrupt or damage the infrastructure and endanger public safety. A comprehensive, integrated approach involving both physical and technological measures is essential. It also requires the use of effective policies, procedures and training to ensure that the deployed systems can be protected against a wide range of physical threats.
The physical security market is constantly evolving and changing, driven by emerging security threats and shifting customer preferences and needs, including the adoption of advanced technologies and the convergence of cyber and physical security. No organization can assume that this is a task that can be addressed once and then ignored.
How is the landscape changing?
In the past few decades, the security landscape has changed dramatically – the industry has matured, as have its key members and leaders. While the core principles of ‘identify, protect, detect, respond and recover’ still drive programmes, current approaches are much more progressive and integrated.
John Sheridan, RHEA’s Senior Advisor for Security
According to John Sheridan, the physical security industry can be loosely grouped into three categories: architecture, technology and operations.
Architecture
A key contributor to good physical security is Crime Prevention Through Environmental Design (CPTED), which is based on the theory that the incidence of crime can be reduced through proper environmental design and effective building techniques. CPTED has four main principles: natural surveillance, access control, territorial reinforcement and space management. Adopting CPTED best practices provides a way to integrate relatively inexpensive and effective security benefits into a site.
Certain architectural aspects provide additional physical security challenges, however. For example, the concept of ‘hot-desking’ or ‘hotelling’ was introduced in the early 1990s and brought with it a need for less office space. In the post-COVID world, the concept has evolved beyond the cubicle. Now, work collaboration needs dictate space requirements.
People are not ‘expected’ to be in the office every day; their working patterns change regularly. And their access requirements – logical and physical – must follow their bookings. Access systems are now being enhanced and configured to adapt to this new working setup, with access authorization following each person around.
“The protection of the infrastructure and personnel is our top priority. It is important all organizations have general recovery plans for each critical infrastructure. Regular safety exercises take place to make sure cyber and physical security systems are stronger and tougher. When planning any infrastructure, putting in robust and well-thought-out systems pays in the long run.”
John MacKinnon, President, Connect Atlantic in Canada
Technology
Changes in technology, including mobile computing, cloud, increased processing power and internet of things (IoT), are driving significant advances in physical security. For instance, advanced video analytics is enabling a wide range of capabilities, such as facial and license plate recognition, crowd detection and people tracking/counting.
The COVID-19 pandemic was a key driver in providing more functionality via smartphones, including security. System access control credentials can now be securely downloaded to a mobile. Touchless access control, such as hand or facial recognition, is also increasing.
At a systems level, systems are unifying around a core application (such as video or access control) by bringing in back-end enterprise resource planning (ERP) systems, computer aided dispatch, social media monitoring, early threat detection technologies and converged cyber/logical systems. With the integration of other IoT systems (e.g. occupancy sensors and temperature controls), industry is delivering a more holistic building management system environment to large clients.
RHEA’s John Sheridan notes: “Cloud computing is dramatically influencing the development and adoption of security system products, platforms and applications. Moving the management and data storage function outside of the organization to a data centre means scare resources can be invested into on-the-ground security elements. The connectivity and management of security system devices can be outsourced to a cost-effective cloud instance while retaining the data-intensive functions (like video storage) onsite.”
Operations – the human factor
Across the physical security sector, human resources are scarce. The security management and response function therefore needs to be more efficient and effective, leading to a range of responses. The C-suite has changed, for example, with the roles of security director and chief information security officer being combined. For large critical infrastructure and institutional clients, this means that one budget, one programme and one strategic plan drives the security function.
In parallel, cyber and physical security programmes are converging. Risk is being managed in a holistic way, with as much attention paid to who comes in through the front door (using an access reader) as through the ‘back door’ (through a network port or using a computer). There is also convergence in the programmes designed to protect people, assets and data, supported by suppliers with skills and expertise in all of these critical areas.
Potential insider threats are being tackled by data analytics tools that can detect anomalies, predict incidents and improve response times, helping to increase situational awareness and mitigate associated risks. At the same time, privacy concerns will continue to both drive and constrain security programmes. Security video cameras are an obvious example – their use may be constrained in areas where the value of security may be considered less than the perceived right to privacy.
Looking to the future
Physical security systems are continuing to evolve, in much the same way as cybersecurity systems are changing to deal with emerging and increasing threats. They are being designed with more functionality, whereas in the past they were locked down with simplified features. Intelligent display and control systems integrate non-typical security applications, such as social media, into the daily work environment. Security operations centre (SOC) protocols are developing to include ancillary systems, providing a more complete situational awareness environment.
In addition, the generation and analysis of intelligent system metrics will continue to deliver benefits to security teams, such as dashboards to compare event occurrences and rates.