Emma Boakes writes about her doctoral research on cyber and physical security collaboration

Could an unknown third party remotely manipulate your building’s heating systems? Could this cause physical damage to your premises or render them uninhabitable? What impact would this have on your business operation? What if the layout of your headquarters was available on the internet? Could this allow a well-informed intrusion?

These scenarios may appear far-fetched, yet they are real-world examples of when Building Management Systems (BMS) have been compromised. They demonstrate how the boundary between physical security and cybersecurity is becoming increasingly blurred.

What is a Building Management System?

A BMS is a cyber-physical system. It controls a building’s physical assets such as heating, lighting, and security systems, but can be connected to an organisation’s networks, which exposes the BMS to the risk of cyber threats.

There are a growing number of adversarial groups interested in targeting cyber-physical systems, and the number of incidents involving them is rising. A cyber-attack targeting a BMS could have a physical impact, disrupting ventilation or power, or it could undermine physical security operations which increasingly rely on internet-enabled devices, such as CCTV cameras and access control.

Within an organisation, the way that separate security teams work together to understand the potential threats to their systems is fundamental in helping to prioritise their resources, and to establish ways to maintain operational resilience should an attack occur. Despite this, guidance on securing a BMS does not detail how security teams should collaborate, focusing instead on technological solutions and the adoption of a defence-in-depth approach.

There are problems with this, however, as it adds complexity and has the potential to overload the staff responsible for implementing, maintaining and updating systems.

There is increasing variety in the ways organisations may be attacked

Organisational security staff already claim they lack the resources necessary to scan for vulnerabilities, and few report having visibility of their whole attack surface. This demonstrates a gap between documented guidance and the practicality of implementing it in a real organisation. It also shows that additional technological solutions can make systems unmanageable for staff who already have competing duties: this could in turn introduce new vulnerabilities.

In short, security teams face a challenging task.

There is increasing variety in the ways organisations may be attacked; their systems are more complex and therefore more difficult to secure, and their security resources are stretched.

There is an increasing likelihood that they will be a casualty of a cyber-attack, and, as BMS are more broadly adopted, the probability that these are specifically targeted is also likely to increase.

This makes it more important for security teams to collaborate and plan for operational resilience by identifying the potential threats that cross the boundary of cyber and physical security.

Working together

The idea of collaboration is not new. Security practitioners and academics have advocated that different security teams work together, yet while the benefits of ‘convergence’ have been highlighted, there is little information on how to effectively adopt the approach.

Security teams traditionally have different backgrounds and skill sets and tend to work independently of each other, with separate teams for physical security and cybersecurity. This means that effective collaboration may need some facilitation.

Literature from industry and academia provides little guidance on how to achieve this collaboration.

Rather than focusing on how the teams might engage and what the likely difficulties might be, the emphasis is placed on convergence in organisational structures or bringing teams together at certain stages in the risk assessment process. This does not mean that security teams within organisations are not effectively collaborating, just that there is little evidence on how to do this reliably and consistently and to demonstrate the impact.

My research is interested in understanding how organisations adopt a converged security approach, how they facilitate collaboration, and what barriers and challenges there are. I plan to build a picture of convergence across two or three organisations using a case study methodology.

Case studies allow in-depth exploration of a case site using a variety of data collection methods; my research will utilise interviews with senior staff and document analysis, as well as participatory engagements with groups of security and other organisational staff. This latter method will encourage participants to work as a group to produce a visual representation of their discussions about security within their organisation. It is hoped this will be an engaging way for participants to capture their thoughts, and that it will allow more complex concepts to be more succinctly displayed.

I aim to establish how each organisation has adopted convergence, what commonalities there are across organisations in methods and measures, and to identify best practice. This will help to determine methods that already exist to facilitate collaboration between security teams or opportunities for new interventions that can be developed and tested as part of this research.

My research will use an established framework for evidence-based practice to structure the case study data collection and analysis. This will help determine the evidence organisations have used in their decision to adopt convergence and how they have evaluated that evidence. It will also enable my research to build on the evidence base through the data collected as part of the case study.

Overall, I anticipate that my research will contribute to practice by identifying how convergence can be adopted, by highlighting the evidence for convergence, and by detailing the evidence that organisations need to consider when making a decision to adopt a converged approach.