Page 22 - Security Today, May/June 2024
Protecting Data is Critical
Physical security and cybersecurity converge
By Wayne Dorris
To say that the Internet of Things (IoT) has become a part of everyday life would be a dramatic understatement. At this point, you would be hard-pressed to find an electronic device that is not connected to the internet.
There are smart fridges, smart toasters, thermostats, etc. Companies are even connecting things like belts and (I can’t believe I’m not making this up) beehives to the internet. Sometimes the benefits are clear. Other times, not so much. But in all cases, the increased use of connected devices has thrust cybersecurity even further into the spotlight.
Connected devices are hardly new to the security industry — IP cameras have been around for more than 25 years. But as network cameras grow both more advanced and more accessible to a broad range of businesses, the line between physical security and cybersecurity has grown increasingly fuzzy. Any connected device represents a potential entry point for a would-be attacker, and cameras, audio sensors, access control stations, and other physical security devices have become common targets for adversaries.
Fortunately, this is not happening in a vacuum. Device manufacturers, application developers and government regulators have all taken note of the growing convergence of physical and digital security, and several trends are now emerging that point toward stronger device security in the future.
NIST CSF UPDATES FOCUS ON IMPROVING GOVERNANCE
Last year, the National Institute of Standards and Technology (NIST) made it known that the organization was reevaluating its cybersecurity framework (NIST CSF). In late February, the updates to the framework became public, and organizations are now working to understand what NIST CSF 2.0 means for their security practices.
It is important to note that NIST CSF is not a government regulation — which is to say, there is no penalty for noncompliance. Rather, NIST CSF is a voluntary framework that organizations can use to measure the maturity of their security program, complete with tips and recommendations for how certain areas of security can be strengthened.
NIST is not the only organization to publish security recommendations — advisory groups like MITRE and OWASP have freely available guidelines of their own, and frameworks like SOC 2 and ISO 27001 have become all but mandatory for organizations that manage significant amounts of data. But NIST CSF is considered to be the most widely used framework, with a recent study finding that nearly 50% of businesses map their security controls to the recommendations outlined in the framework.
Traditionally, NIST CSF has focused on five core functions: Identify, Protect, Detect, Respond and Recover. While important, those functions are primarily aligned with incident response, which meant there was not really a way for security teams to customize their approach according to their specific circumstances, such as industry, company size or program maturity.
There was also no way to consider contractual regulations or compliance needs, both of which are significant risk factors for organizations. But NIST CSF 2.0 addressed this by adding a sixth core function: Govern. Rather than sitting side-by-side with the other functions, Govern touches all of them, with a focus on organizational context, risk management strategies, roles and responsibilities, and policies and procedures.