One of the least explored topics in the security debate is the risk posed to the network by physical security systems and vice versa. Most data networks have at least a modicum of security controls and defense systems. Many utilize sophisticated network and host-based intrusion detection and prevention systems and have dedicated resources managing the risks these systems face. The dirty little secret regarding physical security systems is that often they are not managed by IT. In the best case they are "managed" by third-party vendors, whereas in the worst case, they are not managed at all. This is because physical security people are not generally IT people by nature, so patching and maintaining computer servers, operating systems and applications is not their primary function.

This problem is compounded exponentially when you consider network challenges, such as viruses and worms, attacks from inside the network, spyware and other malicious software. As well, physical security staff and contractors may not be as well versed in hardening servers as their IT counterparts. Shutting down unnecessary services, closing ports and deleting default settings are often things physical security folks are unaware of. This undoubtedly increases the risk of a computer being compromised and presents an opportunity for a security team to secure their often mission-critical systems.

So before you go cancelling that service agreement with your physical security vendor in favor of in-house resources, consider these words: The network is only as safe as the weakest link. Therefore, if you are not 100 percent sure your physical security systems are managed with at least the same rigor as your organization's IT systems, ask yourself how important it is to your organization that these systems maintain integrity.

For IT and IT security pros looking to open a conversation with their physical security counterparts, this may be a great place to start.

Plus, given that these systems are often managed by outside parties and present potential risks to the network, IT can be a great help in ensuring they are not compromised by network-based attacks, while maintaining the integrity of the network by ensuring that these systems do not open the back door to the network.

Dave Tyson is CSO of the City of Vancouver.


30 seconds on... 

Test your systems

Dave Tyson, CSO of the City of Vancouver, says the best way to understand your assurance level on physical security systems is to test them. A vulnerability assessment by an IT security analyst is a great place to start, he says.

The weakest link

Tyson has a warning for security professionals: In the corporate environment of today, any physical security system operating on a Microsoft OS is vulnerable to the same attacks as network servers.

Real risk mitigation

IT and physical security groups, says Tyson, can and ought to work together to analyze and understand the entire risk picture of these systems to deliver higher risk mitigation and reduced network risk.


The recent Alliance for Enterprise Security Risk Management (AESRM) study entitled, "Convergent Security Risks in Physical Security Systems and IT Infrastructures," is a great read and place to start, adds Tyson.