Cyber and Physical Security Convergence

Published on April 17, 2018 by Tony Pelli

The emergence of the internet, and its subsequent convergence with our physical world, has helped make supply chains much more efficient over the past few decades. Orders automatically drop from sales systems to warehouse management systems, which then generate picking lists and shipping labels; companies can then track the resulting shipment anywhere in the world using RFID and GPS technology. Despite these advances, we’re entering a brave new world of supply chain vulnerability as well, where criminals can create physical security weaknesses by exploiting cybersecurity weaknesses and use physical security gaps to weaken cybersecurity.

Connecting the Dots

This risk isn’t purely theoretical. A number of worrying cases illustrating the convergence of physical and cyber security have occurred over the past few years. In Belgium, for example, a drug smuggling group took advantage of poor physical security at port facilities in Antwerp to install software that allowed them to track incoming cocaine-laden containers after their remote hacking of port management systems was exposed. This case demonstrates how some cybersecurity measures are only as good as their accompanying physical security measures. In the United States, fictitious pickups of cargo shipments involving criminals who have stolen the identity of trucking companies – typically with the use of phishing emails – have become increasingly common. Cargo theft and drug trafficking are dirty, dangerous businesses, so who can blame criminals for using technology to make their work a little less dirty and dangerous?

For most companies, however, the problem is more prosaic than hackers breaking into company networks. Employees often lack awareness of how physical security vulnerabilities can cause headaches on the cybersecurity side as well, and IT security teams often don’t work as closely as they should with groups responsible for physical security. A little training on how to recognize obvious phishing attempts and IT security training for warehouse and other supply chain employees can go a long way towards securing company information. Similarly, IT professionals should receive basic physical security training to gain an understanding of how physical layers of security can aid cybersecurity efforts.

Protecting Your Organization

While it may be easy to undertake these mitigation measures at company-owned sites, it’s much more difficult (due to resource or time constraints) to ensure that your suppliers and business partners have taken similar steps. These companies often hold substantial amounts of sensitive company data, underscoring the importance of their cyber and physical security efforts. BSI has worked with many companies to help them sort out which business partners are most crucial, evaluate the gaps in their security programs, and provide training and process improvements to ensure that both your data and physical products remain safe.