User Briefing
                             Convergence of Security
                                       Bob Radvanovsky, Infracritical
                  Allan McDougall, Evolutionary Security Management
                                                              October 20-21, 2008
                                                Midwest Information Security Forum
                                                                       Chicago, IL
The contents of this presentation are confidential and intended solely for
use by forum participants. Copyright © 2008 IANS . All rights reserved.
Introduction

    About Infracritical and Evolutionary Security Management
     • Infracritical and ESM were formed as a result of the need to establish and
       define standards and protocols for Critical Infrastructure Protection (CIP).
     • We’re one of the industrial leaders within the private sector, providing research
       to management, best practice capabilities, education and training, information
       sharing practices, and (most importantly) information security awareness
       programs to both private and public sectors throughout the United States,
       Canada and North America.

    About Bob Radvanovsky and Allan McDougall
     • Experienced in Critical Infrastructure Protection (CIP), visionaries, speakers,
       and published authors on the subject (Bob: 4 books, Allan: 2 books).




                                                  2008 Midwest Information Security Forum   1
Convergence of Physical and Logical Infrastructure

      • Physical Security infrastructure (access control systems, CCVE, etc.) has
        traditionally operated in isolation from other systems in order to maintain the
        confidence that the system has not been compromised.

        –   As these systems become web-enabled, there is increasing concern that
            they can be subject to compromises such as hacking, spoofing, etc.

        –   As these systems take up space within the network infrastructure, there is
            increasing concern that network assets are becoming single points of
            failure that can expose the whole organization to compromise.

        –   Finally, there is increasing concern that as the complexity of these physical
            security systems increases, they can occupy increasing amounts of network
            resources (bandwidth) and become a business limiter.




Convergence of Physical and Logical Infrastructure

    • Consider this diagram of a network enabled CCTV system spanning several
      locations

    • Each element assigned an IP

    • Do these infrastructure points allow for an attacker to control the
      infrastructure point or gain access through the infrastructure point?
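As an added example (not part of the briefing), the question on this slide can be turned into a repeatable check: given an inventory of IP-addressed cameras and door controllers plus the firewall rules between network zones, flag every device that sits outside the isolated physical-security VLAN, exposes a cleartext control plane, or is reachable from more of the network than the security-operations hosts. All zone names, addresses, rules and devices below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
# Constructed zone map (sample addressing, not from the briefing).
ZONES = {
    "physsec": ipaddress.ip_network("10.50.0.0/24"),  # isolated CCTV / access-control VLAN
    "corp": ipaddress.ip_network("10.10.0.0/16"),      # general user network
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),      # security-operations workstations
}
# Constructed firewall rules: permitted (source, destination, port); same-zone traffic assumed open.
ALLOWED = {("mgmt", "physsec", 443), ("mgmt", "physsec", 554), ("corp", "physsec", 554)}
# Cleartext control planes a camera or door controller should never expose.
FORBIDDEN_SERVICES = {23: "telnet", 80: "http"}

@dataclass
class Device:
    name: str
    ip: str
    listening: dict  # port -> service name, as reported by the inventory

def zone_of(ip):
    """Map an IP address to its zone, or 'unknown' if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def assess(devices, allowed=ALLOWED):
    """Return (device, finding) pairs: wrong zone, cleartext service, or over-wide reachability."""
    findings = []
    for d in devices:
        zone = zone_of(d.ip)
        if zone != "physsec":
            findings.append((d.name, f"placed in zone '{zone}' instead of the isolated physsec VLAN"))
        for port, svc in d.listening.items():
            if port in FORBIDDEN_SERVICES:
                findings.append((d.name, f"cleartext service {svc}/{port} exposed"))
            # Zones that can reach this port; anything beyond mgmt and the VLAN itself is a path by which the device could be controlled or used as a pivot.
            reachable = {src for (src, dst, p) in allowed if dst == zone and p == port} | {zone}
            wider = sorted(reachable - {"mgmt", "physsec"})
            if wider:
                findings.append((d.name, f"port {port} reachable from {wider}"))
    return findings

# Constructed inventory: a correctly placed camera, one on the user LAN, a controller with telnet.
INVENTORY = [
    Device("cam-lobby-01", "10.50.0.11", {443: "https", 554: "rtsp"}),
    Device("cam-dock-02", "10.10.4.23", {80: "http", 554: "rtsp"}),
    Device("door-ctl-hq", "10.50.0.40", {23: "telnet", 443: "https"}),
]
```

Running `assess(INVENTORY)` on the sample yields six findings: the dock camera on the user LAN accounts for four of them, which is exactly the "single point of failure that can expose the whole organization" the slide warns about.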




Solution Strategy

      • Build awareness and integrate Physical Security and IT Security communities
        into a common Asset Protection community, paying particular attention to
        building a comprehensive awareness and capacity of personnel to work across
        domains.

       –   Put forward a plausible vision

       –   Manage expectations

       –   Set achievable goals

       –   Maximize the ability to first anticipate then detect and respond to emerging
           issues




Key Steps

     • Key Activities:
       –   A – Cross train personnel to build awareness
       –   B – Small scale projects to build and prove interaction between communities
       –   C – Ensure expert-driven contributions to improve effectiveness, reduce
           waste and identify possible avenues of risk


     • Key Resources
       –   Visionary leadership
       –   Cross training up to cross certification integrated into job expectations
       –   Small scale test environment isolated from critical systems




Results

     • Security personnel more aware of situations that allow the means and
       opportunity for threat agents to compromise the organization

     • Greater granularity of understanding of infrastructure at the enterprise level

     • Greater ability to achieve domain awareness in terms of facility security and
       trend analysis through automation




Lesson #1: Manage Expectations

     • Just because technology exists doesn’t mean it’s appropriate to your
       environment
       – Security intrinsic to the system, commensurate with the assets being protected
       – Tested, certified, or accredited?

     • Put a check and balance on new technology acquisitions, ensuring that they are
       being proposed based on business lines
       – New technology should be linked to improvements in business processes
          or reductions in overhead
       – Closely monitor communities that constantly attempt to install the “latest
          and greatest”

     • Unnecessary collections of shiny things only attract trouble




Lesson #2: Set a Central Change Management Authority

     • Senior Management Support
       – Early step in the consultation process
       – Mandatory step in approval process

     • Check and balance for integration of new technologies
       – Consistency (procurement, maintenance and disposal)
       – Modularity to ensure granularity (detail) and interoperability (compatibility)
       – Scalability in support of changing and evolving business requirements

     • Management of change means appropriately integrating tools to improve
       efficiency and effectiveness




Lesson #3: Balance the Team

     • Do not allow Physical Security or IT Security to dominate
       – Symbiosis under the need to ensure effective and efficient business
          processes
       – Take advantage of knowledge bases across communities to ensure the best
          possible solution

     • Appropriate Delegation
       – Prevent decisions made without understanding risk
       – Ensure risk management includes consideration for all potentially impacted
          parties (including system and data owners where appropriate)

     • Reinforce the concept that individual success depends upon team success




Lesson #4: Integrate Process Models for Integration

      • Similar to the COBIT Model
        – Plan and Organize based on business needs, ensuring the ability to
           prevent, detect, respond to and recover from security events
        – Acquire and Implement to ensure that modularity and scalability are
           maintained while not exposing critical infrastructure to unknown risks
        – Deliver and Support using personnel who understand physical and logical
           risks so that internal actions do not create unknown vulnerabilities
        – Monitor and Evaluate the performance of the system against system
           performance criteria commensurate with the sensitivity of the assets involved

      • Remember that process is there to serve a purpose, not to be the purpose




Lesson #5: Understand that Knowledge is Power

     • Awareness in Management of key issues
       – What is real and what is visionary

     • Cross training of experts to minimize conflicts of ideologies and maximize
       understanding
       – Definition bases
       – Core concepts and models
       – Due diligence

     • Impose continuous learning and professional development
       – Do not allow complacency
       – When you’re green you’re ripe, when you’re ripe you’re rotten

     • You need to understand that administration, management and leadership are
       complementary but not the same thing


Contact Information
Bob Radvanovsky, CIFI, CISM, CIPS
    rsradvan@infracritical.com

Allan McDougall, PCIP, CMAS
    amcdougall@evolutionarysecurity.ca



