Whether it is mechanical, electrical, software, security, or otherwise, engineering is engineering is engineering. It’s all just problem solving under different constraints. As an engineer, it is my job to know the best tools and techniques to overcome those constraints. Sometimes, it means making my own tools rather than using off-the-shelf solutions. But at the end of the day, there is nothing inherently more special about cybersecurity engineering than there is about any other type of engineering out there.
For the last year or so, I’ve been working as a physical security engineer. And, believe it or not, it was actually my educational background in cybersecurity that qualified me for the job. Why? Because security engineering for the physical world and security engineering in cyberspace are extremely similar.
In this post, I’ll enumerate many of those similarities.
As with all engineering, we start with a problem. In this case, the problem is the potential for some adversary to breach your walls and enter your kingdom.
So where do we begin?
Before anything else, it is important to do a risk assessment. What types of assets are inside that need to be secured? What are the likely capabilities of a typical attacker for your industry? How likely is it that your infrastructure will be targeted?
Can you see how the same questions apply to both physical security and cyber security?
Once we have a good idea about the threat landscape in which you may find yourself, it is time to start eliminating vulnerabilities and reducing risk.
If every external door has a lock, but people leave the doors propped open, the locks’ protective value is reduced to zero. This is akin to poor password policies that allow for weak passwords and/or password reuse across multiple services. While it might not be quite as easy to brute-force a weak password as it is to walk through a door that’s been propped open, it’s generally not too much more difficult.
Plus, the solution to both problems is the same: better policies that put security at the forefront.
I do a lot of work on access control systems. As such, I love access cards. It used to be that, if you wanted into a door, you needed the key. And that was all well and good except that it allowed anyone with the key into the door and provided absolutely no insight into who was using the key. There could be 30 people with a copy of a single key, each going in and out of the room. If something breaks or disappears, it becomes pretty difficult to narrow down who is responsible.
Enter access cards. Now, each person has specific credentials that allow them into the room. Further, upon entering the room, their specific presence is logged, creating accountability. And just like in cyber, we have the ability to set group policies that give specific job titles access to specific areas based on their need for access. This helps enforce least privilege.
Let’s briefly return to the 30 copies of a single key scenario. Undoubtedly, this is where the need for CCTV came into play. It is a detective control that can be used to detect who is responsible for an action. Despite the advances in access control, cameras are still widely used in physical security. However, with all the advances in technology, they are still just a detective control. Thus, you can equate cameras to an intrusion detection system.
Cameras inside a building would be the Host IDS while cameras outside the building are more akin to Network IDS. Together, they can give great insight into the security of the infrastructure.
With modern Network Video Recorders, there is a log of everything the camera sees. These logs can be correlated for specific events and provide a fuller picture around what may have happened. In this way, the NVR acts as a network SIEM.
Similarly, a security control room where security officers can watch live surveillance feeds is very similar to a SOC. Inside, the security team looks for indicators of compromise. And not just at the perimeter. Layered security is just as important in physical security as it is in cyber.
There are even similarities in the attacks on both systems.
For example, both phishing (cyber) and tailgating (physical) work on the same principle: they exploit the human vulnerability.
I hope you can see what I’m saying here. Basically, if you know cyber security, don’t be afraid to venture out into the physical security engineering world. And if you have physical security engineering experience, you are likely well qualified for cyber security engineering as well. Just learn the terms and apply what you already know.
For everyone who chooses to use this info to expand their career opportunities, happy hunting!