Matthew Rosenquist's presentation at the 2017 InfraGard Atlanta conference, discussing the convergence between cyber and physical security.

1. Matthew Rosenquist
Cybersecurity Strategist
January 2017

2. “We manage security through
Leadership and Preparation,
otherwise we face Crisis and
Desperation”

3. CyberandPhysicalDomainsCollide
3

4. “...If security breaks down,
technology breaks down”
Brian Krebs
Noted Cybersecurity Reporter

5. ConvergenceofCyber&PhysicalSecurity
Physical Cyber
Integration of technology blends the risks, requiring a cohesive approach

6. PROCESS
People and Technology
ConvergenceofCyber&PhysicalSecurity

7.  Protecting People, Property,
and Business Assets
 Limited Resources and Budgets
 Seeking an Optimal Balance of
Risk and Cost
AlignedGoalsandChallenges
Security, Safety, and Privacy

8. InnovationandtechadoptionDrivesRiskConvergence
New technology bridges the virtual and physical worlds,
to connect and enrich peoples lives

9. Convergence without control,
places security, safety, and
privacy at risk!

10. OPERATIONAL, INDUSTRIAL,
AND VIRTUAL SYSTEMS
GOVERNANCE, TRUST,
AND OVERSIGHT SYSTEMS
DATA, INFORMATION
AND CONTROL MECHANISMS
ENDPOINTS, NETWORKS,
SERVICES, AND MACHINES
ACCES CONTROL AND
IDENTITY
SECURITY, SAFETY, AND
PRIVACY CONTROLS
The 5 most cyber-attacked
industries in 2015:
1. Healthcare
2. Manufacturing
3. Financial Services
4. Government
5. Transportation

11. RateofConvergencequickens
11

12. Industrial
 Electricity grid taken offline
 National oil interest attacked
 Life-safety failures at industrial
facilities
 Supply chain compromises
CyberImpactingthePhysicalWorld
Transportation
 Automobiles remotely controlled by
threat researchers
 Airplane systems hacked by
passengers mid-flight
 Undermining autonomous driving

13. Physicalsecurity
 IP Camera image feeds hijacked
 Biometric authentication system
fooled
 Smart locks hacked
 Drones as attack platforms
Privacy
 Healthcare records theft
 Phone conversation surveillance
 Email accounts breached
 Login accounts compromised
 Images, video, and messages stolen
CyberImpactingthePhysicalWorld

14. ConsumerIoT
 ‘Smart’ home device botnets
 Security and safety systems hacked
 Personal and home devices
manipulated
 Ransomware locking devices
Finance
 SWIFT transaction manipulation
 Accounting system compromises
 ATM ‘Jack-potting’
 Account access and siphoning
 Tax and identity fraud
CyberImpactingthePhysicalWorld

15. Healthcare
 Emergency care systems
 Implantable device vulnerabilities
 Medicine delivery systems
 Remote medical care
Government
 Governance/voting manipulation
 Asymmetric military attacks
 Malware/ransomware of agencies
 Political influencing and policy
enforcement
CyberImpactingthePhysicalWorld

16. FutureChallengesinCyber/PhysicalSecurity
16

17. 25+Million
Applications
Connected and creating 50x
the volume of data
50-200BillionDevices
Connected to the Internet
$6trillion
Cyber-crime impact
globally by 2021
$3–$90trillion
Aggregate innovation impact of
cyber-risks
400kNew Malware/Day
575 million unique
samples of malware exist today
29countries
Have formal cyber
warfare units today
4 BillionUsersOnline
Up from 2+ billion today
50Trillion
Gigabytes
Amount of data being
created
A World of Targets with Increased Value

18. Dante'sInfernoofCybersecurityImpacts
18
Denial of Service
(Availability)
• Access of customers
• Availability of data,
systems, & services
• DDOS network attacks,
ransom-ware data
locking attacks
Data Theft
& Exposure
(Confidentiality)
• ID Theft
• Privacy
• Data Breach
• Transaction data
• Database hacks,
skimming, lost
storage, keylogging
Monitor &
Manipulate (Integrity)
• Internal-access
surveillance for
advantage
• Tamper/Manipulation
• Long-term data
gathering campaign
Security Competency
Attacker Innovation
Attacks expand over time,
increasing in severity
based upon different
technology and usages
Own & Obliterate (C/I/A)
• Administrative ownership and control
• Capability of unrecoverable obliteration
• Strategic attack, undermining of org capability

19. SecurityFutures:
19
1. Threats remain equitable to the growth and use
of technology
2. Age of massive connectivity drives opportunities
for cyber threats
3. Society expectations raise for cyber security, privacy, and safety
4. Tipping points approach: threats to life-safety, cybercrime hyper-growth,
offensive cyberwarfare
5. Pendulum swings towards more security, ultimately settles for an optimal
balance (regulatory, nation-states, technology innovators/manufacturers)
6. Emerging data, devices, and services are targeted by Threat Agents
pursuing their objectives, driven by their specific motivations

20. IndustryBestPractices&Perspectives
20

21. TheBestOrganizations
a
Seeks Optimal Risk
Risk management planning
Anticipates impacts
Balance Cost, Risk, & Usability
Adapts to shifting demands
Comprehensive Processes
Security as a continuous cycle
Continuous improvement process
Technology and Behaviors
Obstacles and Opposition
Leads into the Future
Clearly defines success
Plans for a sustainable future
Roles and accountability
Continuously adapting
21

22. An effective strategy enables
operational flexibility while
driving cost efficiency and risk
manageability

23. • The goal is to be sustainably secure
• How we operate largely defines our
capacity to handle the dynamic
nature of cyberattacks
• Adaptation to the evolving threats is
therefore a key success trait
• Establishing a comprehensive
capability process is the best way to
optimize resources for maximum
protection against loss
HowCanYouBePrepared?
Physical & Cyber
Security Capability
Process

24. ImportantConsiderations…
24
Smarter vs More
Collaboration across security
functions improving effectiveness
Better IT choices & enablement
Properly balancing the risk, cost,
and usability constraints
Expectations Drive Change
Society’s expectations shift with
pain, impact, and inconvenience
Trust will be valued, demanded
Security, privacy, and controls will
align with greater impacts
Controls Must Adapt
Innovation intersecting emerging
attacks to keep pace with attackers
Static defenses are easy to defeat
Intelligence, analysis, and actions
must feedback to improve systems

25. FutureTechnologymustbeDesignedwithSecurity
Smart Security innovation must deliver more capable solutions
to keep pace with threats
Ubiquitous Security must protect data wherever it exists or is used,
for all parties and devices across the compute landscape
Trusted Technology and security providers must be trustworthy,
in the creation and operation of their products
Strong Products and services must be hardened to resist
compromise and make security transparent to users
Open Platforms and security standards must be open to
promote collaboration and accelerate adoption
Security must be
part of the design
for future
technology. Adding
security after, is no
longer sufficient or
sustainable
25

26. • 1.5-2 million unfilled positions in 2017
• Job postings rose 91% (2010-2014)
• Leaders and engineers in highest demand
• Professional Services, Finance, Defense and
Manufacturing are leading sectors
• Finance, Healthcare, and Retail are growing
fastest
• ‘Hybrid’ jobs are increasing, contributing to
demand
CyberSeek.org – free interactive resource
sponsored by NIST, CompTIA, and NICE.
Workforcechallenges

27. OpportunitiesandRisks
27
1. Understand the exposure and risks
of connected technology
2. Staffing qualified personnel to
manage the risks
3. Follow cyber best practices
4. Lead. Before the threats gain a
significant advantage

28. Conclusions
Cyber and Physical security are converging based
upon aligned goals of security, safety, and privacy
Cyber will continue to have an ever greater impact
on the physical world
New threat vectors will emerge as advanced
technology is integrated
The rise of cyber represents risks and opportunities
Leaders with insights to the future have the best
opportunity to align resources and be prepared

29. “We manage security through
Leadership and Preparation,
otherwise we face Crisis and
Desperation”
…Areyouprepared?