How to marry physical and logical security into a cohesive plan


Wael Lahoud, CISSP, ESS, GCCC, PSP

Over the past five years, Canadian businesses have seen the threat of hacktivism, cyber extortion and the incidences of data breaches grow exponentially. No industry is immune to these threats, not even licensed producers of cannabis across Canada.

For every LP, securing the operation is not optional; furthermore, managing the risk of exposure to regulatory scrutiny, litigation, reputational costs, and business loss is becoming a daily task they cannot ignore. Add the mandatory breach reporting and notification measures, and the costly fines proposed by the Digital Privacy Act (Bill S-4) and its amendments to PIPEDA, and the security concerns facing LPs are only going to increase in complexity.

Canada’s Access to Cannabis for Medical Purposes Regulations (ACMPR) act stipulates requirements for physical security at cannabis production facilities. Many producers — whether licensed or in the licensing application phase — rely on physical security integrators or consultants for selecting the proper security equipment and measures to comply with ACMPR regulations. Unfortunately, the security design plans, selection of equipment and their implementations are often executed in silos without an overarching organizational-wide security program that includes a holistic view of cyber security and its related business risks.

Current physical security technologies, such as video surveillance, electronic access control, intrusion detection, and their monitoring and management systems, increasingly rely on IP networks. Much of this runs over local on-premise networks, but some of it runs over wider networks that extend beyond the LP's premises and control. Despite the many advantages IP-based physical security systems present, the fact of the matter is that many are still vulnerable to cyber security attacks, either because manufacturers lag in securing their equipment throughout the production process, or because installers and designers do not treat cyber security as a priority or as part of their scope.

With the digital transformation trends in IT and the LP’s shift to using operational technology (OT) for production, environmental and other building control efficiencies, it is not uncommon to see IoT and physical security systems converging on a unified network platform. In other words, security is now operating alongside other business-critical systems that deal with clients’ private health and sensitive data. Because of this convergence of technology, LPs are now at risk of having potential security gaps that may be neglected or otherwise missed.

Other aspects of this problem include the misperception that designing and implementing physical security systems on segregated or separate IP networks eliminates the need for extensive cyber security measures. In fact, the converse is true: the stakes are even higher when such networks are advertently or inadvertently linked to the production or enterprise networks to meet operational requirements. Examples include remote video surveillance monitoring by third-party security service providers, or even local monitoring by security managers over the corporate network. Either way, LPs are left exposed to the same critical cyber security business risks and losses that are commonly reported in the news these days.

ACMPR security compliance is a regulatory requirement, and it should not be considered an ultimate secure state for LPs, as it may only provide them with a false sense of security. The incidence of cyber security breaches of physical security systems is on the rise, despite the hefty investments in traditional security measures such as firewalls and anti-virus software. For me, relying solely on these old-school approaches and managing security in physical and logical silos within an organization is simply not working.

Security is no doubt a critical aspect of every LP's business plan and ultimate success. It is a complicated and expensive issue that cannot be ignored – an issue that is only going to become more complex because of the converged relationship between an LP's physical and cyber security controls, measures and processes.

Security Pointers

  • Embrace organizational change by assigning an organizational-wide qualified security leader accountable for all aspects of IT, OT, physical security, and even IoT.
  • Actively engage cyber security subject matter experts or independent consultants, not associated with any manufacturer or security service provider, in all facets of IT, OT and physical security planning, design, implementation, and operations.
  • Develop a comprehensive and converged security program while ensuring that overall electronic security measures and their overall architecture form part of the organizational cyber security program.
  • Avoid replicating the risks associated with flawed physical security designs, and invest the proper time and resources in analyzing your organization's specific cyber security risks. Replicating vulnerabilities may expose your business as well.
  • Have a cyber security plan ready and be sure to practice it – cyber security should not be an afterthought.

About the Author

Wael Lahoud, CISSP, ESS, GCCC, PSP

Wael Lahoud is a multi-domain Security Consultant and certified professional across a wide gamut of information security, cyber security and physical security, with a focus on their convergence, management, and business risks. Over his career, he has been privileged to gain valuable physical and logical security industry expertise across four continents and multiple market sectors. He started Goldmark Security Consulting in 2015 to provide a fresh, consolidated approach to clients' modern security needs and to give them valuable insights for risk-informed decision making. Wael is a member of the International Association of Professional Security Consultants (IAPSC) and their primary representative on the Canadian Cyber Security Alliance.